Merge commit '18c84ea816348e2a098390101b92d1e39a9dbd45'

Conflicts:
	nixpkgs/nixos/modules/misc/documentation.nix
	nixpkgs/pkgs/applications/networking/browsers/firefox/packages.nix
	nixpkgs/pkgs/applications/window-managers/sway/default.nix
	nixpkgs/pkgs/build-support/rust/build-rust-package/default.nix
	nixpkgs/pkgs/development/go-modules/generic/default.nix
	nixpkgs/pkgs/development/interpreters/ruby/default.nix
	nixpkgs/pkgs/development/interpreters/ruby/patchsets.nix
	nixpkgs/pkgs/development/libraries/boehm-gc/7.6.6.nix
	nixpkgs/pkgs/development/python-modules/django-mailman3/default.nix
	nixpkgs/pkgs/servers/mail/mailman/web.nix
	nixpkgs/pkgs/top-level/aliases.nix
	nixpkgs/pkgs/top-level/all-packages.nix
	nixpkgs/pkgs/top-level/impure.nix

1 files changed, 15 insertions, 8 deletions

diff --git a/nixpkgs/pkgs/development/libraries/gnutls/default.nix b/nixpkgs/pkgs/development/libraries/gnutls/default.nix
index 4c4094987dde..f56052953033 100644
--- a/nixpkgs/pkgs/development/libraries/gnutls/default.nix
+++ b/nixpkgs/pkgs/development/libraries/gnutls/default.nix
@@ -1,8 +1,10 @@
 { config, lib, stdenv, fetchurl, zlib, lzo, libtasn1, nettle, pkg-config, lzip
-, perl, gmp, autoconf, automake, libidn, p11-kit, libiconv
-, unbound, dns-root-data, gettext, cacert, util-linux
+, perl, gmp, autoconf, automake, libidn, libiconv
+, unbound, dns-root-data, gettext, util-linux
+, cxxBindings ? !stdenv.hostPlatform.isStatic # tries to link libstdc++.so
 , guileBindings ? config.gnutls.guile or false, guile
 , tpmSupport ? false, trousers, which, nettools, libunistring
+, withP11-kit ? !stdenv.hostPlatform.isStatic, p11-kit
 , withSecurity ? false, Security  # darwin Security.framework
 }:
 
@@ -51,11 +53,15 @@ stdenv.mkDerivation rec {
 
   preConfigure = "patchShebangs .";
   configureFlags =
-    lib.optional stdenv.isLinux "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
-  ++ [
+    lib.optionals withP11-kit [
+    "--with-default-trust-store-file=/etc/ssl/certs/ca-certificates.crt"
+    "--with-default-trust-store-pkcs11=pkcs11:"
+  ] ++ [
     "--disable-dependency-tracking"
     "--enable-fast-install"
     "--with-unbound-root-key-file=${dns-root-data}/root.key"
+    (lib.withFeature withP11-kit "p11-kit")
+    (lib.enableFeature cxxBindings "cxx")
   ] ++ lib.optional guileBindings [
     "--enable-guile"
     "--with-guile-site-dir=\${out}/share/guile/site"
@@ -65,7 +71,8 @@ stdenv.mkDerivation rec {
 
   enableParallelBuilding = true;
 
-  buildInputs = [ lzo lzip libtasn1 libidn p11-kit zlib gmp libunistring unbound gettext libiconv ]
+  buildInputs = [ lzo lzip libtasn1 libidn zlib gmp libunistring unbound gettext libiconv ]
+    ++ lib.optional (withP11-kit) p11-kit
     ++ lib.optional (isDarwin && withSecurity) Security
     ++ lib.optional (tpmSupport && stdenv.isLinux) trousers
     ++ lib.optional guileBindings guile;
@@ -77,9 +84,9 @@ stdenv.mkDerivation rec {
   propagatedBuildInputs = [ nettle ];
 
   inherit doCheck;
-  # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` broke tests with:
-  #   Error setting the x509 trust file: Error while reading file.
-  checkInputs = [ cacert ];
+  # stdenv's `NIX_SSL_CERT_FILE=/no-cert-file.crt` breaks tests.
+  # Also empty files won't work, and we want to avoid potentially impure /etc/
+  preCheck = "NIX_SSL_CERT_FILE=${./dummy.crt}";
 
   # Fixup broken libtool and pkg-config files
   preFixup = lib.optionalString (!isDarwin) ''