cacert: Improve sourcing

Switch to fetching only certdata.txt directly from the upstream
repository (and a mirror), because:

- While it's possible to deduct that github/nss-dev is an NSS-project-owned
  mirror repository, it's not trivial:
  - Go to the homepage: https://firefox-source-docs.mozilla.org/security/nss/index.html
  - Navigate to the source, e.g.
    https://phabricator.services.mozilla.com/source/nss/
  - Check the readme.md, which mentions github.com/nss-dev/nss
- GitHub is a mirror of the Mercurial repository, and while I was able
  to confirm that the latest version does match, it leaves more room for
  a malicious actor:
  - It's unknown who owns the nss-dev GitHub organisation, there's no
    public members and no contact information
  - The mirroring automation from Mercurial to GitHub is not documented
  - Git hashes by necessity don't match Mercurial hashes, so it's not
    easy to verify that they match
- Previously the build and update script were more complicated and slow
  by depending on the entire source, when we really only need a single file.

Furthermore, update the meta.homepage to point to the actual page that
mentions the root certificates, because the old one pointed to a curl
page which we don't even use anymore (if we ever even did, Git history
is inconclusive)

The cacert build was verified to be unchanged

(cherry picked from commit 0e7826f)

Author: infinisil

pkgs/by-name/ca/cacert/package.nix

@@ -2,15 +2,12 @@
   lib,
   stdenv,
   writeText,
-  fetchFromGitHub,
+  fetchurl,
   buildcatrust,
   blacklist ? [ ],
   extraCertificateFiles ? [ ],
   extraCertificateStrings ? [ ],
 
-  # Used by update.sh
-  nssOverride ? null,
-
   # Used for tests only
   runCommand,
   cacert,
@@ -23,10 +20,9 @@ let
     lib.concatStringsSep "\n\n" extraCertificateStrings
   );
 
-  srcVersion = "3.119.1";
-  version = if nssOverride != null then nssOverride.version else srcVersion;
+  version = "3.119.1";
   meta = {
-    homepage = "https://curl.haxx.se/docs/caextract.html";
+    homepage = "https://firefox-source-docs.mozilla.org/security/nss/runbooks/rootstore.html#root-store-consumers";
     description = "Bundle of X.509 certificates of public Certificate Authorities (CA)";
     platforms = lib.platforms.all;
     maintainers = with lib.maintainers; [
@@ -35,40 +31,31 @@ let
     ];
     license = lib.licenses.mpl20;
   };
-  certdata = stdenv.mkDerivation {
-    pname = "nss-cacert-certdata";
-    inherit version;
-
-    src =
-      if nssOverride != null then
-        nssOverride.src
-      else
-        fetchFromGitHub {
-          owner = "nss-dev";
-          repo = "nss";
-          rev = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
-          hash = "sha256-GxLTqHcVWGiFezcwdctXJ8k9wqizVJPHyLBPZzphLro=";
-        };
-
-    dontBuild = true;
-
-    installPhase = ''
-      runHook preInstall
-
-      mkdir $out
-      cp lib/ckfw/builtins/certdata.txt $out
-
-      runHook postInstall
-    '';
-
-    inherit meta;
-  };
 in
 stdenv.mkDerivation {
   pname = "nss-cacert";
   inherit version;
 
-  src = certdata;
+  src = fetchurl {
+    urls =
+      let
+        # This file is effectively a public interface, see the homepage link
+        file = "lib/ckfw/builtins/certdata.txt";
+        tag = "NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM";
+      in
+      [
+        # Prefer mercurial as the canonical source, while github is just a mirror
+        "https://hg-edge.mozilla.org/projects/nss/raw-file/${tag}/${file}"
+        "https://raw.githubusercontent.com/nss-dev/nss/refs/tags/${tag}/${file}"
+      ];
+    hash = "sha256-qQOzzQUjHjkzJRXvfr435pcmLzlRWlIBXCPGKAW3PNA=";
+  };
+
+  unpackPhase = ''
+    runHook preUnpack
+    cp "$src" "$(stripHash "$src")"
+    runHook postUnpack
+  '';
 
   outputs = [
     "out"

pkgs/by-name/ca/cacert/update.sh

@@ -25,7 +25,7 @@ BASEDIR="$(dirname "$0")/../../../.."
 
 
 CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
-PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.override { nssOverride = nss_latest; }).out")
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs { src = nss_latest.src + \"/lib/ckfw/builtins/certdata.txt\"; }).out")
 
 # Check the hash of the etc subfolder
 # We can't check the entire output as that contains the nix-support folder
@@ -35,5 +35,5 @@ PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
 
 if [[ "$CURRENT_HASH" !=  "$PATCHED_HASH" ]]; then
     NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss_latest.version" | jq -r .)
-    update-source-version --version-key=srcVersion cacert.src "$NSS_VERSION"
+    update-source-version cacert "$NSS_VERSION"
 fi