Thoroughly update versions and methodology

For hash-pinned dependencies, adds comments documenting the associated
versions.

Adds a pin to `slither-analyzer` which was prior missing.

Updates to Monero 0.18.4.4.

`mimalloc` now has the correct option set when building for `musl`. A C++
compiler is no longer required in its Docker image.

The runtime's `Dockerfile` now symlinks a `libc.so` already present on the
image instead of creating one itself. It also builds the runtime within the
image to ensure it only happens once. The test to ensure the methodology is
reproducible has been updated to not simply create containers from the image,
yet rebuild the image entirely, accordingly. This also is more robust and
arguably should have already been done.

The pin to the exact hash of the `patch-polkadot-sdk` repo in every
`Cargo.toml` has been removed. The lockfile already serves that role,
simplifying updating in the future.

The latest Rust nightly is adopted as well (superseding
https://github.com/serai-dex/serai/pull/697).

The `librocksdb-sys` patch is replaced with a `kvdb-rocksdb` patch, removing a
git dependency, thanks to https://github.com/paritytech/parity-common/pull/950.

orchestration/src/coordinator.rs

@@ -16,7 +16,7 @@ pub fn coordinator(
 ) {
   let db = network.db();
   let longer_reattempts = if network == Network::Dev { "longer-reattempts" } else { "" };
-  let setup = mimalloc(Os::Debian).to_string() +
+  let setup = mimalloc(Os::Debian) +
     &build_serai_service(
       "",
       Os::Debian,

orchestration/src/ethereum_relayer.rs

@@ -3,7 +3,7 @@ use std::path::Path;
 use crate::{Network, Os, mimalloc, os, build_serai_service, write_dockerfile};
 
 pub fn ethereum_relayer(orchestration_path: &Path, network: Network) {
-  let setup = mimalloc(Os::Debian).to_string() +
+  let setup = mimalloc(Os::Debian) +
     &build_serai_service(
       "",
       Os::Debian,

orchestration/src/message_queue.rs

@@ -13,7 +13,7 @@ pub fn message_queue(
   ethereum_key: <Ristretto as WrappedGroup>::G,
   monero_key: <Ristretto as WrappedGroup>::G,
 ) {
-  let setup = mimalloc(Os::Alpine).to_string() +
+  let setup = mimalloc(Os::Alpine) +
     &build_serai_service("", Os::Alpine, network.release(), network.db(), "serai-message-queue");
 
   let env_vars = [

orchestration/src/mimalloc.rs

@@ -1,36 +1,85 @@
 use crate::Os;
 
-pub fn mimalloc(os: Os) -> &'static str {
-  const ALPINE_MIMALLOC: &str = r#"
+// 2.2.4
+const MIMALLOC_VERSION: &str = "fbd8b99c2b828428947d70fdc046bb55609be93e";
+const FLAGS: &str =
+  "-DMI_SECURE=ON -DMI_GUARDED=ON -DMI_BUILD_STATIC=OFF -DMI_BUILD_OBJECT=OFF -DMI_BUILD_TESTS=OFF";
+
+pub fn mimalloc(os: Os) -> String {
+  let build_script = |env, flags| {
+    format!(
+      r#"
+#!/bin/sh
+set -e
+
+git clone https://github.com/microsoft/mimalloc
+cd mimalloc
+git checkout {MIMALLOC_VERSION}
+
+# For some reason, `mimalloc` contains binary blobs in the repository, so we remove those now
+rm -rf .git ./bin
+
+mkdir -p out/secure
+cd out/secure
+
+# `CMakeLists.txt` requires a C++ compiler but `mimalloc` does not use one by default. We claim
+# there is a working C++ compiler so CMake doesn't complain, allowing us to not unnecessarily
+# install one. If it was ever invoked, our choice of `false` would immediately let us know.
+# https://github.com/microsoft/mimalloc/issues/1179
+{env} CXX=false cmake -DCMAKE_CXX_COMPILER_WORKS=1 {FLAGS} ../..
+make
+
+cd ../..
+
+# Copy the built library to the original directory
+cd ..
+cp mimalloc/out/secure/libmimalloc-secure.so ./libmimalloc.so
+# Clean up the source directory
+rm -rf ./mimalloc
+  "#
+    )
+  };
+
+  let build_commands = |env, flags| {
+    let mut result = String::new();
+    for line in build_script(env, flags)
+      .lines()
+      .map(|line| {
+        assert!(!line.contains('"'));
+        format!(r#"RUN echo "{line}" >> ./mimalloc.sh"#)
+      })
+      .chain(["RUN /bin/sh ./mimalloc.sh", "RUN rm ./mimalloc.sh"].into_iter().map(str::to_string))
+    {
+      result.push_str(&line);
+      result.push('\n');
+    }
+    result
+  };
+  let alpine_build = build_commands("CC=$(uname -m)-alpine-linux-musl-gcc", "-DMI_LIBC_MUSL=ON");
+  let debian_build = build_commands("", "");
+
+  let alpine_mimalloc = format!(
+    r#"
 FROM alpine:latest AS mimalloc-alpine
 
-RUN apk update && apk upgrade && apk --no-cache add gcc g++ libc-dev make cmake git
-RUN git clone https://github.com/microsoft/mimalloc && \
-  cd mimalloc && \
-  git checkout fbd8b99c2b828428947d70fdc046bb55609be93e && \
-  mkdir -p out/secure && \
-  cd out/secure && \
-  cmake -DMI_SECURE=ON -DMI_GUARDED=on ../.. && \
-  make && \
-  cp ./libmimalloc-secure.so ../../../libmimalloc.so
-"#;
+RUN apk update && apk upgrade && apk --no-cache add musl-dev gcc make cmake git
 
-  const DEBIAN_MIMALLOC: &str = r#"
+{alpine_build}
+"#
+  );
+
+  let debian_mimalloc = format!(
+    r#"
 FROM debian:trixie-slim AS mimalloc-debian
 
-RUN apt update && apt upgrade -y && apt install -y gcc g++ make cmake git
-RUN git clone https://github.com/microsoft/mimalloc && \
-  cd mimalloc && \
-  git checkout fbd8b99c2b828428947d70fdc046bb55609be93e && \
-  mkdir -p out/secure && \
-  cd out/secure && \
-  cmake -DMI_SECURE=ON -DMI_GUARDED=on ../.. && \
-  make && \
-  cp ./libmimalloc-secure.so ../../../libmimalloc.so
-"#;
+RUN apt update && apt upgrade -y && apt install -y gcc make cmake git
+
+{debian_build}
+"#
+  );
 
   match os {
-    Os::Alpine => ALPINE_MIMALLOC,
-    Os::Debian => DEBIAN_MIMALLOC,
+    Os::Alpine => alpine_mimalloc,
+    Os::Debian => debian_mimalloc,
   }
 }

orchestration/src/networks/bitcoin.rs

@@ -29,7 +29,7 @@ RUN tar xzvf bitcoin-${BITCOIN_VERSION}-$(uname -m)-linux-gnu.tar.gz
 RUN mv bitcoin-${BITCOIN_VERSION}/bin/bitcoind .
 "#;
 
-  let setup = mimalloc(Os::Debian).to_string() + DOWNLOAD_BITCOIN;
+  let setup = mimalloc(Os::Debian) + DOWNLOAD_BITCOIN;
 
   let run_bitcoin = format!(
     r#"

orchestration/src/networks/ethereum/mod.rs

@@ -17,7 +17,7 @@ pub fn ethereum(orchestration_path: &Path, network: Network) {
       (reth(network), nimbus(network))
     };
 
-  let download = mimalloc(Os::Alpine).to_string() + &el_download + &cl_download;
+  let download = mimalloc(Os::Alpine) + &el_download + &cl_download;
 
   let run = format!(
     r#"
@@ -26,7 +26,7 @@ CMD ["/run.sh"]
 "#,
     network.label()
   );
-  let run = mimalloc(Os::Debian).to_string() +
+  let run = mimalloc(Os::Debian) +
     &os(Os::Debian, &(el_run_as_root + "\r\n" + &cl_run_as_root), "ethereum") +
     &el_run +
     &cl_run +

orchestration/src/networks/monero.rs

@@ -10,7 +10,7 @@ fn monero_internal(
   monero_binary: &str,
   ports: &str,
 ) {
-  const MONERO_VERSION: &str = "0.18.4.3";
+  const MONERO_VERSION: &str = "0.18.4.4";
 
   let arch = match std::env::consts::ARCH {
     // We probably would run this without issues yet it's not worth needing to provide support for
@@ -41,7 +41,7 @@ RUN tar -xvjf monero-linux-{arch}-v{MONERO_VERSION}.tar.bz2 --strip-components=1
     network.label(),
   );
 
-  let setup = mimalloc(os).to_string() + &download_monero;
+  let setup = mimalloc(os) + &download_monero;
 
   let run_monero = format!(
     r#"

orchestration/src/processor.rs

@@ -17,7 +17,7 @@ pub fn processor(
   substrate_evrf_key: Zeroizing<Vec<u8>>,
   network_evrf_key: Zeroizing<Vec<u8>>,
 ) {
-  let setup = mimalloc(Os::Debian).to_string() +
+  let setup = mimalloc(Os::Debian) +
     &build_serai_service(
       if coin == "ethereum" {
         r#"

orchestration/src/serai.rs

@@ -12,8 +12,7 @@ pub fn serai(
   serai_key: &Zeroizing<<Ristretto as WrappedGroup>::F>,
 ) {
   // Always builds in release for performance reasons
-  let setup =
-    mimalloc(Os::Debian).to_string() + &build_serai_service("", Os::Debian, true, "", "serai-node");
+  let setup = mimalloc(Os::Debian) + &build_serai_service("", Os::Debian, true, "", "serai-node");
 
   let env_vars = [("KEY", hex::encode(serai_key.to_repr()))];
   let mut env_vars_str = String::new();