cacert: decouple from NSS to reduce rebuild amount

In [#100765] @vcunat pointed out that we could decouple cacert from the
NSS package to make it more rebuild friendly. Just rebuilding packages
that depend on NSS seems to be about ~100. Rebuilding all the packages
that depend on cacert is >9k as of this writing. This makes it much more
feasible to upgrade high-profile packages that are (rightfully) pedantic
on their NSS version like firefox and thunderbird.

[#100765]: https://github.com/NixOS/nixpkgs/pull/100765

pkgs/data/misc/cacert/default.nix

@@ -13,12 +13,17 @@ let
     sha256 = "1d4q27j1gss0186a5m8bs5dk786w07ccyq0qi6xmd2zr1a8q16wy";
   };
 
+  version = "3.57";
+  underscoreVersion = builtins.replaceStrings ["."] ["_"] version;
 in
 
 stdenv.mkDerivation {
-  name = "nss-cacert-${nss.version}";
+  name = "nss-cacert-${version}";
 
-  src = nss.src;
+  src = fetchurl {
+    url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/nss-${version}.tar.gz";
+    sha256 = "55a86c01be860381d64bb4e5b94eb198df9b0f098a8af0e58c014df398bdc382";
+  };
 
   outputs = [ "out" "unbundled" ];
 
@@ -60,6 +65,8 @@ stdenv.mkDerivation {
 
   setupHook = ./setup-hook.sh;
 
+  passthru.updateScript = ./update.sh;
+
   meta = {
     homepage = "https://curl.haxx.se/docs/caextract.html";
     description = "A bundle of X.509 certificates of public Certificate Authorities (CA)";

pkgs/data/misc/cacert/update.sh

@@ -0,0 +1,34 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix common-updater-scripts jq
+
+# Build both the cacert package and an overriden version where we use the source attribute of NSS.
+# Cacert and NSS are both from the same upstream sources. They are decoupled as
+# the cacert output only cares about a few infrequently changing files in the
+# sources while the NSS source code changes frequently.
+#
+# By having cacert on a older source revision that produces the same
+# certificate output as a newer version we can avoid large amounts of
+# unnecessary rebuilds.
+#
+# As of this writing there are a few magnitudes more packages depending on
+# cacert than on nss.
+
+
+set -ex
+
+BASEDIR="$(dirname "$0")/../../../.."
+
+
+CURRENT_PATH=$(nix-build --no-out-link -A cacert.out)
+PATCHED_PATH=$(nix-build --no-out-link -E "with import $BASEDIR {}; (cacert.overrideAttrs (_: { inherit (nss) src version; })).out")
+
+# Check the hash of the etc subfolder
+# We can't check the entire output as that contains the nix-support folder
+# which contains the output path itself.
+CURRENT_HASH=$(nix-hash "$CURRENT_PATH/etc")
+PATCHED_HASH=$(nix-hash "$PATCHED_PATH/etc")
+
+if [[ "$CURRENT_HASH" !=  "$PATCHED_HASH" ]]; then
+    NSS_VERSION=$(nix-instantiate --json --eval -E "with import $BASEDIR {}; nss.version" | jq -r .)
+    update-source-version cacert "$NSS_VERSION"
+fi

pkgs/development/libraries/nss/default.nix

@@ -9,6 +9,12 @@ let
     url = "http://dev.gentoo.org/~polynomial-c/mozilla/nss-3.15.4-pem-support-20140109.patch.xz";
     sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
   };
+
+  # NOTE: Whenever you updated this version check if the `cacert` package also
+  #       needs an update. You can run the regular updater script for cacerts.
+  #       It will rebuild itself using the version of this package (NSS) and if
+  #       an update is required do the required changes to the expression.
+  #       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
   version = "3.57";
   underscoreVersion = builtins.replaceStrings ["."] ["_"] version;