It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available. We
filter mount syscalls to prevent the process from undoing the fs
isolation.
Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.
We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...
Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...). Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.
Before I was just grabbing the immediate dependencies. I _think_ this
will do the right thing by using the pre-existing setup hook to avoid
having to compute the transitive closure myself.
Some changes to be more idiomatic and use stdenv building blocks more.
I also added a `buildbot.withPlugins` instead of the current plugins
mechanism, which forces an unnecessary rebuild of the package and reruns
all the tests. This should be equivalent and more pleasant to use in
practice.
So the thinking is: anything that needs `haskell-gi-base` is going to
need `gobjectIntrospection` in order to work correctly; by adding this
one `buildDepends` (which therefore gets propagated), we put ourselves
in a position to simplify away a bunch of code in `cabal2nix`.
Firefox requires new version of the icu to build:
```
checking for icu-i18n >= 58.1... Requested 'icu-i18n >= 58.1' but version of icu-i18n is 57.1
configure: error: Library requirements (icu-i18n >= 58.1) not met; consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.
```