Don't statically depend on cacert for certificates

This reverts commit cd52c04456 and
others.

Managing certificates (including revoking certificates and adding
custom certificates) becomes extremely painful if every package in the
system potentially depends on a different copy of cacert. Also, it
makes updating cacert rather expensive.

pkgs/applications/graphics/shotwell/default.nix

@@ -1,7 +1,7 @@
 { fetchurl, stdenv, m4, glibc, gtk3, libexif, libgphoto2, libsoup, libxml2, vala, sqlite
 , webkitgtk24x, pkgconfig, gnome3, gst_all_1, which, udev, libraw, glib, json_glib
 , gettext, desktop_file_utils, lcms2, gdk_pixbuf, librsvg, makeWrapper
-, gnome_doc_utils, hicolor_icon_theme, cacert }:
+, gnome_doc_utils, hicolor_icon_theme }:
 
 # for dependencies see http://www.yorba.org/projects/shotwell/install/
 
@@ -15,9 +15,9 @@ stdenv.mkDerivation rec {
   };
 
   NIX_CFLAGS_COMPILE = "-I${glib}/include/glib-2.0 -I${glib}/lib/glib-2.0/include";
-  
+
   configureFlags = [ "--disable-gsettings-convert-install" ];
-  
+
   preConfigure = ''
     patchShebangs .
   '';

pkgs/applications/networking/browsers/vimb/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig, libsoup, webkit, gtk, glib_networking
-, gsettings_desktop_schemas, makeWrapper, cacert
+, gsettings_desktop_schemas, makeWrapper
 }:
 
 stdenv.mkDerivation rec {
@@ -11,11 +11,6 @@ stdenv.mkDerivation rec {
     sha256 = "0h9m5qfs09lb0dz8a79yccmm3a5rv6z8gi5pkyfh8fqkgkh2940p";
   };
 
-  # Nixos default ca bundle
-  patchPhase = ''
-    sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, src/config.def.h
-  '';
-
   buildInputs = [ makeWrapper gtk libsoup pkgconfig webkit gsettings_desktop_schemas ];
 
   makeFlags = [ "PREFIX=$(out)" ];

pkgs/applications/networking/browsers/vimprobable2/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, makeWrapper, glib, glib_networking, gtk, libsoup, libX11, perl,
-  pkgconfig, webkit, gsettings_desktop_schemas, cacert }:
+  pkgconfig, webkit, gsettings_desktop_schemas }:
 
 stdenv.mkDerivation rec {
   version = "1.4.2";
@@ -9,11 +9,6 @@ stdenv.mkDerivation rec {
     sha256 = "13jdximksh9r3cgd2f8vms0pbsn3x0gxvyqdqiw16xp5fmdx5kzr";
   };
 
-  # Nixos default ca bundle
-  patchPhase = ''
-    sed -i s,/etc/ssl/certs/ca-certificates.crt,${cacert}/etc/ssl/certs/ca-bundle.crt, config.h
-  '';
-
   buildInputs = [ makeWrapper gtk libsoup libX11 perl pkgconfig webkit gsettings_desktop_schemas ];
 
   installPhase = ''

pkgs/applications/networking/cluster/panamax/api/default.nix

@@ -1,5 +1,5 @@
 { stdenv, buildEnv, fetchgit, fetchurl, makeWrapper, bundlerEnv, bundler_HEAD
-, ruby, libxslt, libxml2, sqlite, openssl, cacert, docker
+, ruby, libxslt, libxml2, sqlite, openssl, docker
 , dataDir ? "/var/lib/panamax-api" }:
 
 with stdenv.lib;
@@ -62,7 +62,7 @@ stdenv.mkDerivation rec {
       --prefix "PATH" : "$out/share/panamax-api/bin:${env.ruby}/bin:$PATH" \
       --prefix "HOME" : "$out/share/panamax-api" \
       --prefix "GEM_HOME" : "${env}/${env.ruby.gemPath}" \
-      --prefix "SSL_CERT_FILE" : "${cacert}/etc/ssl/certs/ca-bundle.crt" \
+      --prefix "SSL_CERT_FILE" : /etc/ssl/certs/ca-certificates.crt \
       --prefix "GEM_PATH" : "$out/share/panamax-api:${bundler}/${env.ruby.gemPath}"
   '';
 

pkgs/applications/networking/instant-messengers/fuze/default.nix

@@ -1,12 +1,12 @@
 { stdenv, fetchurl, dpkg, openssl, alsaLib, libXext, libXfixes, libXrandr
 , libjpeg, curl, libX11, libXmu, libXv, libXtst, qt4, mesa, zlib
-, gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper, cacert
+, gnome, libidn, rtmpdump, c-ares, openldap, makeWrapper
 }:
 assert stdenv.system == "x86_64-linux";
 let
   curl_custom =
     stdenv.lib.overrideDerivation curl (args: { 
-      configureFlags = args.configureFlags ++ ["--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt"] ; 
+      configureFlags = args.configureFlags ++ ["--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt"] ; 
     } );
 in
 stdenv.mkDerivation {

pkgs/applications/networking/instant-messengers/telepathy/gabble/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig, libxslt, telepathy_glib, libxml2, dbus_glib, dbus_daemon
-, sqlite, libsoup, libnice, gnutls, cacert }:
+, sqlite, libsoup, libnice, gnutls }:
 
 stdenv.mkDerivation rec {
   name = "telepathy-gabble-0.18.2";
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
   buildInputs = [ libxml2 dbus_glib sqlite libsoup libnice telepathy_glib gnutls ]
     ++ stdenv.lib.optional doCheck dbus_daemon;
 
-  configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt";
+  configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt";
 
   enableParallelBuilding = true;
   doCheck = true;

pkgs/applications/networking/irc/weechat/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, ncurses, openssl, perl, python, aspell, gnutls
 , zlib, curl , pkgconfig, libgcrypt, ruby, lua5, tcl, guile
-, pythonPackages, cacert, cmake, makeWrapper, libobjc
+, pythonPackages, cmake, makeWrapper, libobjc
 , extraBuildInputs ? [] }:
 
 stdenv.mkDerivation rec {
@@ -15,11 +15,11 @@ stdenv.mkDerivation rec {
   buildInputs = 
     [ ncurses perl python openssl aspell gnutls zlib curl pkgconfig
       libgcrypt ruby lua5 tcl guile pythonPackages.pycrypto makeWrapper
-      cacert cmake ]
+      cmake ]
     ++ stdenv.lib.optionals stdenv.isDarwin [ pythonPackages.pync libobjc ]
     ++ extraBuildInputs;
 
-  NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt";
+  NIX_CFLAGS_COMPILE = "-I${python}/include/${python.libPrefix} -DCA_FILE=/etc/ssl/certs/ca-certificates.crt";
 
   postInstall = ''
     NIX_PYTHONPATH="$out/lib/${python.libPrefix}/site-packages"

pkgs/applications/version-management/bazaar/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pythonPackages, cacert }:
+{ stdenv, fetchurl, pythonPackages }:
 
 stdenv.mkDerivation rec {
   version = "2.6";
@@ -19,10 +19,9 @@ stdenv.mkDerivation rec {
   patches = [ ./add_certificates.patch ];
   postPatch = ''
     substituteInPlace bzrlib/transport/http/_urllib2_wrappers.py \
-      --subst-var-by "certPath" "${cacert}/etc/ssl/certs/ca-bundle.crt"
+      --subst-var-by certPath /etc/ssl/certs/ca-certificates.crt
   '';
 
-
   installPhase = ''
     python setup.py install --prefix=$out
     wrapPythonPrograms

pkgs/applications/version-management/mercurial/default.nix

@@ -1,6 +1,5 @@
 { stdenv, fetchurl, python, makeWrapper, docutils, unzip, hg-git, dulwich
-, guiSupport ? false, tk ? null, curses, cacert
-
+, guiSupport ? false, tk ? null, curses
 , ApplicationServices }:
 
 let
@@ -48,7 +47,7 @@ stdenv.mkDerivation {
       mkdir -p $out/etc/mercurial
       cat >> $out/etc/mercurial/hgrc << EOF
       [web]
-      cacerts = ${cacert}/etc/ssl/certs/ca-bundle.crt
+      cacerts = /etc/ssl/certs/ca-certificates.crt
       EOF
 
       # copy hgweb.cgi to allow use in apache

pkgs/desktops/gnome-3/3.16/core/gnome-keyring/default.nix

@@ -1,6 +1,6 @@
 { stdenv, fetchurl, pkgconfig, dbus, libgcrypt, libtasn1, pam, python, glib, libxslt
 , intltool, pango, gcr, gdk_pixbuf, atk, p11_kit, makeWrapper
-, docbook_xsl_ns, docbook_xsl, gnome3, cacert }:
+, docbook_xsl_ns, docbook_xsl, gnome3 }:
 
 let
   majVer = gnome3.version;
@@ -22,7 +22,7 @@ in stdenv.mkDerivation rec {
   nativeBuildInputs = [ pkgconfig intltool docbook_xsl_ns docbook_xsl ];
 
   configureFlags = [
-    "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt" # NixOS hardcoded path
+    "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt" # NixOS hardcoded path
     "--with-pkcs11-config=$$out/etc/pkcs11/" # installation directories
     "--with-pkcs11-modules=$$out/lib/pkcs11/"
   ];

pkgs/desktops/gnome-3/3.16/core/rest/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, cacert, gnome3 }:
+{ stdenv, fetchurl, pkgconfig, glib, libsoup, gobjectIntrospection, gnome3 }:
 
 stdenv.mkDerivation rec {
   name = "rest-0.7.92";
@@ -10,7 +10,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig glib libsoup gobjectIntrospection];
 
-  configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt";
+  configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt";
 
   meta = with stdenv.lib; {
     platforms = platforms.linux;

pkgs/development/interpreters/elixir/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash, cacert }:
+{ stdenv, fetchurl, erlang, rebar, makeWrapper, coreutils, curl, bash }:
 
 let
   version = "1.0.5";
@@ -32,8 +32,8 @@ stdenv.mkDerivation {
      b=$(basename $f)
       if [ $b == "mix" ]; then continue; fi
       wrapProgram $f \
-      --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \
-      --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt"
+        --prefix PATH ":" "${erlang}/bin:${coreutils}/bin:${curl}/bin:${bash}/bin" \
+        --set CURL_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
     done
   '';
 

pkgs/development/libraries/glib-networking/default.nix

@@ -1,5 +1,5 @@
 { stdenv, fetchurl, pkgconfig, glib, intltool, gnutls, libproxy
-, gsettings_desktop_schemas, cacert }:
+, gsettings_desktop_schemas }:
 
 let
   ver_maj = "2.44";
@@ -13,7 +13,7 @@ stdenv.mkDerivation rec {
     sha256 = "8f8a340d3ba99bfdef38b653da929652ea6640e27969d29f7ac51fbbe11a4346";
   };
 
-  configureFlags = "--with-ca-certificates=${cacert}/etc/ssl/certs/ca-bundle.crt";
+  configureFlags = "--with-ca-certificates=/etc/ssl/certs/ca-certificates.crt";
 
   preBuild = ''
     sed -e "s@${glib}/lib/gio/modules@$out/lib/gio/modules@g" -i $(find . -name Makefile)

pkgs/servers/mail/opensmtpd/default.nix

@@ -23,7 +23,7 @@ stdenv.mkDerivation rec {
     "--with-sock-dir=/run"
     "--with-privsep-user=smtpd"
     "--with-queue-user=smtpq"
-    "--with-ca-file=${cacert}/etc/ssl/certs/ca-bundle.crt"
+    "--with-ca-file=/etc/ssl/certs/ca-certificates.crt"
   ];
 
   installFlags = [

pkgs/tools/misc/pipelight/pipelight.patch

@@ -43,7 +43,7 @@ diff -urN pipelight.old/bin/pipelight-plugin.in pipelight.new/bin/pipelight-plug
 -fi
 +download_file()
 +{
-+	curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2"
++	curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2"
 +}
 
  # Use shasum instead of sha256sum on MacOS / *BSD
@@ -111,7 +111,7 @@ diff -urN pipelight.old/share/install-dependency pipelight.new/share/install-dep
 -fi
 +download_file()
 +{
-+	curl --cacert /etc/ssl/certs/ca-bundle.crt -o "$1" "$2"
++	curl --cacert /etc/ssl/certs/ca-certificates.crt -o "$1" "$2"
 +}
 +get_download_size()
 +{

pkgs/tools/networking/aria2/default.nix

@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pkgconfig, cacert, c-ares, openssl, libxml2, sqlite, zlib }:
+{ stdenv, fetchurl, pkgconfig, c-ares, openssl, libxml2, sqlite, zlib }:
 
 stdenv.mkDerivation rec {
   name = "aria2-${version}";
@@ -11,9 +11,7 @@ stdenv.mkDerivation rec {
 
   buildInputs = [ pkgconfig c-ares openssl libxml2 sqlite zlib ];
 
-  propagatedBuildInputs = [ cacert ];
-
-  configureFlags = [ "--with-ca-bundle=${cacert}/etc/ssl/certs/ca-bundle.crt" ];
+  configureFlags = [ "--with-ca-bundle=/etc/ssl/certs/ca-certificates.crt" ];
 
   meta = with stdenv.lib; {
     homepage = http://aria2.sourceforge.net/;

pkgs/tools/security/prey/default.nix

@@ -1,5 +1,4 @@
-{ stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils
-, makeWrapper, coreutils, cacert
+{ stdenv, fetchurl, fetchgit, curl, scrot, imagemagick, xawtv, inetutils, makeWrapper, coreutils
 , apiKey ? ""
 , deviceKey ? "" }:
 
@@ -36,7 +35,7 @@ in stdenv.mkDerivation rec {
     cp -R ${modulesSrc}/* $out/modules/
     wrapProgram "$out/prey.sh" \
       --prefix PATH ":" "${xawtv}/bin:${imagemagick}/bin:${curl}/bin:${scrot}/bin:${inetutils}/bin:${coreutils}/bin" \
-      --set CURL_CA_BUNDLE "${cacert}/etc/ssl/certs/ca-bundle.crt"
+      --set CURL_CA_BUNDLE "/etc/ssl/certs/ca-certificates.crt"
   '';
 
   meta = with stdenv.lib; {