This allows for a less blanket approach than nuke-refs, targeting specific
references that we know we don't want rather than all references that we don't
know we want.

Let's just be consistent with 8. At some point we'll get a proper build
of it from source but until then we might as well standardize on 8, which
has been out for years now and seems to work fine on Darwin.

It'd be better to do the update as an unprivileged user; for
now, we do our best to minimize the surface available. We
filter mount syscalls to prevent the process from undoing the fs
isolation.

Resolve download.dnscrypt.org using hostip with a bootstrap
resolver (hard-coded to Google Public DNS for now), to ensure
that we can get an up-to-date resolver list without working name
service lookups. This makes us more robust to the upstream
resolver list getting out of date and other DNS configuration
problems.

We use the curl --resolver switch to allow https cert validation
(we'd need to do --insecure if using just the ip addr). Note
that we don't rely on https for security but it's nice to have
it ...

Use mkMerge to make the code a little more ergonomic and easier
to follow (to my eyes, anyway ...). Also take the opportunity
to do some minor cleanups & tweaks, but no functional changes.

Before I was just grabbing the immediate dependencies. I _think_ this
will do the right thing by using the pre-existing setup hook to avoid
having to compute the transitive closure myself.

Some changes to be more idiomatic and use stdenv building blocks more.
I also added a `buildbot.withPlugins` instead of the current plugins
mechanism, which forces an unnecessary rebuild of the package and reruns
all the tests. This should be equivalent and more pleasant to use in
practice.

So the thinking is: anything that needs `haskell-gi-base` is going to
need `gobjectIntrospection` in order to work correctly; by adding this
one `buildDepends` (which therefore gets propagated), we put ourselves
in a position to simplify away a bunch of code in `cabal2nix`.