From 78e4f9d8d7f6124713a7694140e44713fe70e209 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 27 Feb 2017 18:03:34 +0100
Subject: [PATCH 1/2] libevent: split _openssl into a separate output ... to save ~3.4 MB of openssl from the default closure.
---
 pkgs/development/libraries/libevent/default.nix | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/pkgs/development/libraries/libevent/default.nix b/pkgs/development/libraries/libevent/default.nix
index 4abd0b033757..d2ba84bb5dd9 100644
--- a/pkgs/development/libraries/libevent/default.nix
+++ b/pkgs/development/libraries/libevent/default.nix
@@ -23,11 +23,21 @@ stdenv.mkDerivation {
 | grep -v '^dh-autoreconf' | sed 's|^|debian/patches/|')"
 '';
 
- outputs = [ "out" "dev" ];
+ # libevent_openssl is moved into its own output, so that openssl isn't present
+ # in the default closure.
+ outputs = [ "out" "dev" "openssl" ];
 outputBin = "dev";
+ propagatedBuildOutputs = [ "out" "openssl" ];
 
 buildInputs = [ openssl ] ++ stdenv.lib.optional stdenv.isCygwin findutils;
 
+ postInstall = ''
+ moveToOutput "lib/libevent_openssl*" "$openssl"
+ substituteInPlace "$dev/lib/pkgconfig/libevent_openssl.pc" \
+ --replace "$out" "$openssl"
+ sed "/^libdir=/s|$out|$openssl|" -i "$openssl"/lib/libevent_openssl.la
+ '';
+
 meta = with stdenv.lib; {
 description = "Event notification library";
 longDescription = ''
From d00c26a59570d7cd93470808cc38def83a523762 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Vladim=C3=ADr=20=C4=8Cun=C3=A1t?=
Date: Mon, 27 Feb 2017 17:41:35 +0100
Subject: [PATCH 2/2] unbound: lighten direct security deps of libunbound
Unfortunately, it seems easiest to build all twice. Debian testing does this in a very similar way. Tested briefly some individual queries and resperf :-)
---
 pkgs/tools/networking/unbound/default.nix | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
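Review bot: The two path rewrites in the new postInstall differ in scope: the `.la` sed is anchored to the `libdir=` line, while the `substituteInPlace` on `libevent_openssl.pc` replaces every occurrence of `$out`, so any other variable in that file that points at `$out` (presumably a `prefix=` line, if the generated file has one) is redirected to the openssl output as well. Either narrow it to mirror the .la line, e.g. `sed "/^libdir=/s|$out|$openssl|" -i "$dev/lib/pkgconfig/libevent_openssl.pc"`, or add a comment saying the whole-file replace is intended. Since substituteInPlace in this era of nixpkgs appears to succeed silently when the pattern is absent, a `grep -q "$openssl" "$dev/lib/pkgconfig/libevent_openssl.pc"` after it would make the split fail loudly if the .pc layout ever changes. The mkDerivation attribute set this hunk edits starts and ends outside the hunk.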
diff --git a/pkgs/tools/networking/unbound/default.nix b/pkgs/tools/networking/unbound/default.nix
index 83d3d88729df..f32a90a871ae 100644
--- a/pkgs/tools/networking/unbound/default.nix
+++ b/pkgs/tools/networking/unbound/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, openssl, expat, libevent }:
+{ stdenv, fetchurl, openssl, nettle, expat, libevent }:
 
 stdenv.mkDerivation rec {
 name = "unbound-${version}";
@@ -11,7 +11,7 @@ stdenv.mkDerivation rec {
 
 outputs = [ "out" "lib" "man" ]; # "dev" would only split ~20 kB
 
- buildInputs = [ openssl expat libevent ];
+ buildInputs = [ openssl nettle expat libevent ];
 
 configureFlags = [
 "--with-ssl=${openssl.dev}"
@@ -26,11 +26,20 @@ stdenv.mkDerivation rec {
 
 installFlags = [ "configfile=\${out}/etc/unbound/unbound.conf" ];
 
- # get rid of runtime dependencies on $dev outputs
- postInstall = ''substituteInPlace "$lib/lib/libunbound.la" ''
+ preFixup = # Build libunbound again, but only against nettle instead of openssl. # This avoids gnutls.out -> unbound.lib -> openssl.out. '' configureFlags="$configureFlags --with-nettle=${nettle.dev} --with-libunbound-only" configurePhase buildPhase installPhase '' # get rid of runtime dependencies on $dev outputs + ''substituteInPlace "$lib/lib/libunbound.la" '' + stdenv.lib.concatMapStrings (pkg: " --replace '-L${pkg.dev}/lib' '-L${pkg.out}/lib' ")
- [ openssl expat libevent ];
+ buildInputs;
 
 meta = with stdenv.lib; {
 description = "Validating, recursive, and caching DNS resolver";
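Review bot: The comment in the new preFixup says libunbound is rebuilt "only against nettle instead of openssl", but the rebuild appends to `$configureFlags` instead of replacing it, so the second configure still receives `--with-ssl=${openssl.dev}` (visible in the context of the second hunk) next to `--with-nettle`, and which backend actually wins is left to unbound's configure script rather than stated by this expression. The rebuild also runs buildPhase without a clean, so whether objects from the first (openssl) build are reused depends on make noticing the reconfiguration, which this file cannot guarantee. A check after installPhase that turns the goal into a build failure rather than a silent regression would be worth three lines, e.g. `if grep -q "${openssl.out}" "$lib"/lib/libunbound.so*; then echo "libunbound still references openssl" >&2; exit 1; fi` (hedged: adjust to however the reference actually shows up in the built library). Since libunbound is what gnutls uses for DNSSEC validation, a one-line note that the nettle and openssl backends may support different DNSSEC algorithm sets, and hence validate differently from the daemon in `$out`, would help the next maintainer; the mkDerivation attribute set continues outside the hunk.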