Previously, the list of CA certificates was generated with a perl script
which is included in curl. As this script is not very flexible, this commit
refactors the expression to use the python script that Debian uses to
generate their CA certificates from Mozilla's trust store in NSS.
Additionally, an option was added to the cacerts derivation and the
`security.pki` module to blacklist specific CAs.
The cmake based build system did not install the pkg-config files for
capstone, which made builds depending on capstone harder to write as
they cannot automatically find the location of the capstone library.
The Yama Linux Security Module restricts the use of ptrace so that
processes cannot ptrace processes that are not their children. This
prevents attackers from compromising one user-level processes and
snooping on the memory and runtime state of other processes owned
by the same user.
These tools are commonly used but don't require the other bind binaries.
Bind's libs are used, so they've also been split into an extra output.
The old version of host isn't maintained anymore and was removed From Debian
back in 2009: https://packages.qa.debian.org/h/host.html
This reverts commit ec8b816154. The change told
the Cabal build system to use the hash-part of $out as the internal identifier
for the library it's building (rather than generating such an ID itself). While
a good idea in theory, this choice had an unfortunate side-effect: When Cabal
links libraries X, Y, and Z into an executable, then the generated binary
contains their respective IDs. Now, Nix finds those strings and treats them as
an indication that there is a *run-time dependency* on the corresponding store
paths. This means that the generated executable will always depend on the store
paths of all the Haskell libraries that went into it, even when linked
statically.
