This change add a `packages` argument, such that we can reuse the same
function with a different set of packages.

Moving `defaultPackages` as argument would be needed for writting tests to
ensure that security fixes are applied correctly.

…d the unfix prefix to functions.

…rgument.

This function is in charge of compiling security updates.  It does so by
taking advantage for the purity of the Nix language.  It does not change any
of the hashes, even when an identical set of packages is given as argument
for the quickfixPackages.

The purity of the Nix language offer us a clean way to reason about Nixpkgs
as if this was a simple function.  Thus, the following property hold true,
even when applied to a collection of packages:

  let f = nixpkgsFun; in
    fix f == f (f (fix f));

This property is used for building security updates, by using a variant of
the first function:

  let f = nixpkgsFun; g = fixpkgsFun; in
     g (fix f)

Using a fixpkgsFun function which is a function similar to nixpkgsFun, we
can generate a similar set of packages while only recompiling the fixed
packages.

The problem then becomes patching any package which are dependening on the
fixed packages. This is what the applyAbiCompatiblePatches functions do.

      +-------+
      |       |
  +---v----+  |  +--------+      +--------+
  |        |  |  |        |      |        |
  |  pkgs  +-----> onefix +-+  +-+ recfix |
  |        |     |        | |  | |        |
  +--------+     +--------+ |  | +-----^--+
                            |  |       |
                         +--v--v--+    |
                         |        |    |
                         | abifix +----+
                         |        |
                         +--------+

The loop back on pkgs is the original fix-point on the default set of
packages.  Then we recompile the patched programs, in the one-fix function
call. The rec-fix is a way to probe for recompilations, by comparing the
dependencies of one-fix packages, taken from pkgs, with the dependencies of
rec-fix packages, taken from the abi-fix packages. The abi-fix packages is a
zipping function which takes one-fix packages and rec-fix packages for
patching one-fix packages.  In practice, it also takes the original set of
packages, to ensure that packages have the same package name length, and
that other which depend on them can be patched safely.

… running the quick-fixes.

This static analysis unroll the fix-point of Nixpkgs and number each
iteration of the fix-point. This numbering is then used to verify the
assumption made by the applyAbiCompatiblePatches function of
top=level/default.nix.

This static analysis reports 2 kinds of errors, and 1 warning.

Errors:

 - Alias Original: A package defined in Nixpkgs is directly defined as a
   value taken from the fix-point. This can happen for overriden packages.

   This is a security issue because fixes can be ignored.

 - Unpatched Inputs: An input which provided in buildInputs or
   nativeBuildInputs is taken from more than one generation of Nixpkgs. This
   can be caused by the Alias Original issue, or can be caused by the
   function which fills the input used in buildInputs.

   This is a security issue, because fixes of the dependency will not cause
   this package to be recompiled.

Warning:

 - Static Linking: A package dependent directly on a version of a package
   which has the same generation as it-self.

   This is not a security issue, but if this is not expected then this would
   cause extra recompilation on the buildfarm and add delays until the fixed
   versions are available.

The test case create a serie of 5 test packages which are forming a chain.
It verifies that:
 - Hashes are identical if the packages have no need to be recompiled nor patched.
 - Packages with fixes are recompiled.
 - Packages with updated dependencies are patched, including the recompiled one.
 - Hashes are correct and consistent in the final version.
 - Version numbers are not updated. (abi compatible hypothesis)
 - Patches carry indirect dependencies modifications.
 - 2 fixed dependencies can be updates at once.

…same hashes if there is no fixes.

…unction calls.

… the evaluation depth of the derivations.