Eliminate plain HTTP dependency (include everything needed for HTTPS in srcfs) #345

Open
@Googulator

Plain HTTP is a dangerous dependency for sustainability. Plain HTTP download sources are expected to become increasingly rare as sites switch to redirecting to their HTTPS versions.

For this reason, it's advisable to switch to including prerequisites for HTTPS downloads in srcfs.

Unfortunately, this will increase srcfs size, which I would like to see reduced to no more than 256MiB, to facilitate building "trusted flash drives". For this reason, various strategies will be needed to reduce the overhead, e.g.:

  • For ca-certificates, we download Mozilla's nss library. This is a massive, almost 70MB tarball - all for a single file. We could just ship that file in live-bootstrap itself, or download it from some other source (e.g. Mozilla's Hg or Git repository - if we predownload, there's no need for it to be plain HTTP).
  • gmp, autoconf-archive, mpfr, mpc and libarchive are currently built before openssl, but they don't appear to be prerequisites - they should just be delayed until after HTTPS is available.
  • building both bison-3.4.1 and bison-3.4.2 seems redundant - why not just build the same version once with a custom makefile, and then again with its proper build system? Hopefully this redundancy can be eliminated.
  • The number of different gnulib snapshots downloaded seems excessive.
