In preparation for the deprecation of `stdenv.isX`.
These shorthands are not conducive to cross-compilation because they
hide the platforms.
Darwin might get cross-compilation for which the continued usage of `stdenv.isDarwin` will get in the way
One example of why this is bad and especially affects compiler packages
https://www.github.com/NixOS/nixpkgs/pull/343059
There are too many files to go through manually but a treewide should
get users thinking when they see a `hostPlatform.isX` in a place where it
doesn't make sense.
```
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv.is" "stdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenv'.is" "stdenv'.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "clangStdenv.is" "clangStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "gccStdenv.is" "gccStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "stdenvNoCC.is" "stdenvNoCC.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "inherit (stdenv) is" "inherit (stdenv.hostPlatform) is"
fd --type f "\.nix" | xargs sd --fixed-strings "buildStdenv.is" "buildStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "effectiveStdenv.is" "effectiveStdenv.hostPlatform.is"
fd --type f "\.nix" | xargs sd --fixed-strings "originalStdenv.is" "originalStdenv.hostPlatform.is"
```
We can't apply the upstream patch, because we'd have to redo the
bootstrap that's already done in the release tarball, and that's very
complicated.
Fixes: b6d2a4294e ("gnutls: 3.8.3 -> 3.8.4 (medium security)")
The patch for `withSecurity = false` wouldn't apply anymore,
and it didn't seem sufficient for several months already.
Noone's shown interest in fixing that.
I've been keeping an eye on it for years due to day job at knot-resolver
Eelco apparently hasn't touched gnutls since 2016,
so let's drop him from the list.
GnuTLS has a single hard-coded location for the system trust store,
currently set to the path used by NixOS, Debian, Arch, Gentoo, etc.
Since not all distributions use the same path, notably Fedora and RHEL,
the certificate validation will break on some non-NixOS system.
This can be solved by enabling the p11-kit integration, so that by
default p11-kit (properly configured for all major distos) will provide
GnuTLS with the CA roots though the PKCS #11 API.
The point is to reduce rebuild amount when updating cacert/nss,
though at *this* point it remains quite high - before & after:
Estimating rebuild amount by counting changed Hydra jobs (parallel=unset).
13109 x86_64-darwin
21567 x86_64-linux
Estimating rebuild amount by counting changed Hydra jobs (parallel=unset).
13109 x86_64-darwin
17141 x86_64-linux
There's an error when compiling autogen on macos Big Sur with #105026,
and it compiles fine without autogen, so I see no reason to keep it.
The dependency on autogen was originally introduced in 31a128b32b,
but unfortunately there's no explanation for the reason and no linked issue.
