###### Motivation for this change
Update to latest upstream version
###### Things done
* [ ] Tested using sandboxing ([nix.useSandbox](http://nixos.org/nixos/manual/options.html#opt-nix.useSandbox) on NixOS, or option `sandbox` in [`nix.conf`](http://nixos.org/nix/manual/#sec-conf-file) on non-NixOS linux)
* Built on platform(s)
* [x] NixOS
* [ ] macOS
* [ ] other Linux distributions
* [ ] Tested via one or more NixOS test(s) if existing and applicable for the change (look inside [nixos/tests](https://github.com/NixOS/nixpkgs/blob/master/nixos/tests))
* [ ] Tested compilation of all pkgs that depend on this change using `nix-shell -p nix-review --run "nix-review wip"`
* [x] Tested execution of all binary files (usually in `./result/bin/`)
* [ ] Determined the impact on package closure size (by running `nix path-info -S` before and after)
* [ ] Ensured that relevant documentation is up to date
* [x] Fits [CONTRIBUTING.md](https://github.com/NixOS/nixpkgs/blob/master/.github/CONTRIBUTING.md).
###### Notify maintainers
cc @worldofpeace @tfc @jtraue
Updates `gitea` to the latest version available[1]. Also ensured that
upgrading from `gitea-1.9` (used on NixOS 19.09) to `1.11.3` works
seamlessly.
The derivation required a few more changes this time since `gitea` uses
`npm` now to build the frontend[2]. When using the default tarball from
GitHub, we'd have to build the frontend manually. By fetching a custom
tarball published on every release, we get a prebuilt frontend
(as it was the case on previous versions) and build the backend only from
source.
Co-authored-by: kolaente <k@knt.li>
Closes #80175
[1] https://github.com/go-gitea/gitea/releases/tag/v1.11.3
[2] https://github.com/go-gitea/gitea/issues/10253
In 6733ece `-DUSE_HTTP_PARSER=system` was introduced, which does not seem
to work with this fork. So instead fallback to the `builtin`.
Also sync with upstream cmake flags.
See inline comment; this does not build on Hydra and either requires custom
patching or a new release from upstream before it will build.
Note that we can still recompute the `cargoSha256` for #79975; the package
is broken in the identical way.
Includes multiple security fixes mentioned in
https://about.gitlab.com/releases/2020/03/04/gitlab-12-dot-8-dot-2-released/
(unfortunately, no CVE numbers as of yet)
- Directory Traversal to Arbitrary File Read
- Account Takeover Through Expired Link
- Server Side Request Forgery Through Deprecated Service
- Group Two-Factor Authentication Requirement Bypass
- Stored XSS in Merge Request Pages
- Stored XSS in Merge Request Submission Form
- Stored XSS in File View
- Stored XSS in Grafana Integration
- Contribution Analytics Exposed to Non-members
- Incorrect Access Control in Docker Registry via Deploy Tokens
- Denial of Service via Permission Checks
- Denial of Service in Design For Public Issue
- GitHub Tokens Displayed in Plaintext on Integrations Page
- Incorrect Access Control via LFS Import
- Unescaped HTML in Header
- Private Merge Request Titles Leaked via Widget
- Project Namespace Exposed via Vulnerability Feedback Endpoint
- Denial of Service Through Recursive Requests
- Project Authorization Not Being Updated
- Incorrect Permission Level For Group Invites
- Disclosure of Private Group Epic Information
- User IP Address Exposed via Badge images
- Update postgresql (GitLab Omnibus)