Nitpicks:
- The timestamps there were useless.
- The generator now switched the two keys; I don't know why.
I intentionally remove the comments like "state=1 [ ADDPEND ]".
The problem is that keys e.g. in ADDPEND state are *not* immediately
usable for validation - see RFC5011 for details. I verified that Unbound
does disregard this on the format we and Debian use ATM, presumably due
to removing parts of the comments, but it would be confusing nevertheless.
Restructure the nixos-artwork to make it easy to selectively
incorporate other components from upstream without needing to download
the full package.
Until now only the Gnome_Dark wallpaper was included. Add other
wallpapers available in the package repository.
This commit changes callHackage to use a deterministic version of the Hackage
checkout from https://github.com/commercialhaskell/all-cabal-hashes by default.
This means that packages uploaded to Hackage after today will be available to
callHackage only after "pkgs/data/misc/hackage/default.nix" has been updated.
People who want the previous behavior where we always had the latest version of
Hackage available -- at the cost of frequent downloads from Github --, can add
the following override to their "~/.nixpkgs/config.nix" file:
{
packageOverrides = super: {
all-cabal-hashes = builtins.fetchTarball "https://github.com/commercialhaskell/all-cabal-hashes/archive/hackage.tar.gz";
};
}
Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.
Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
The `mk-ca-bundle.pl` script manages quite well using only curl but
fails without LWP being present due to a `use` statement. This removes
the Perl import of the LWP library and adds curl as a build input.