The version of tar in stretch does not know how to extract tar.zst
files, so we don't switch to zst for linux builds yet.

var/essential_deps is the same as var/deps, except that we never
redefine it in projects config. This is for the packages we want to
include in every container (even those of projects where we redefine var/deps).

macOS-only toolchain updates.

With this update, we stop downloading the macOS SDK from people.tpo.
Instead, we download it from apple.com and we use the same scripts as
Mozilla to extract it.
We took them from Firefox source tree, and slightly adapted to our
build system/containers/needs.

Also, we try to be more similar to Mozilla in compiling LLVM runtimes.

Windows-only toolchain updates.

Also, bug 40832: Unify mingw-w64-clang 32+64 bits

The clang binaries used in the mingw-w64-clang artifacts were exactly
the same, because Clang allows you to set the target at runtime with
CLI options, contrarily to GCC, that allows you to set them at build
time.

Also, i686 and x86_64 parts that differ have different paths, so they
can live in the same mingw-w64 installation.
This allows us to save both time, and space on the out directory, since
we can safely use only one archive for both platforms.

Also, partially bug 40652: drop dependency on libssp.

Libssp is not necessary anymore for _FORTIFY_SOURCE.
So, we match llvm-mingw, and replace it with empty archives.
In the future, we should stop creating these archives, too, when the
compiler users stop including it during linking.

Toolchain updates needed for all platforms.

Bug 31588 (partially): Create cargo vendor archives locally for
cbindgen.

The Rust crates we use provide a Cargo.lock. That should be enough to
make sure they always use a certain version of a dependency.
Therefore, with 115, we could try stop hosting vendor archives on
people.tpo and build them locally.
In this commit we do that for cbindgen.
In next commit we could try to do so for also other projects.

We already uplifted the patch, and the new version includes it.

Debian Stretch's Python version is still too old for some of the
projects we need to build under it.
So, since we needed to review the Python options we use anyway, we
decided also to update it to a much more recent version.

For normal alpha/release builds, we use the date from the commit, on
which we add the numbers from the version string as seconds (in order to
keep increasing the build date when we release a new version without
adding new commits).

For nightly-testbuild, we use the date from the commit.

For nightly we try to parse the day from the version number, or use the
current day at 00:00:01.

Bug 40889: Add mullvad sha256sums URL to download-unsigned-sha256sums-gpg-signatures-from-people-tpo

In #40871 I incorrectly set `keyring/boklm.gpg` in format `GPG keybox
database version 1`, instead of `PGP/GPG key public ring (v4)`.

This was fixed with:

 gpg --no-default-keyring --keyring ./keyring/boklm.gpg --export > ./keyring/boklm-2.gpg
 mv ./keyring/boklm-2.gpg ./keyring/boklm.gpg

Add some missing spaces that make GitLab not understand the markup
correctly.

Some version numbers like 12.5 can be stored as a numeric value instead
of a string, so we should explicitely store the version as a string. At
the same time we do the same for tag/git_tag (although tags are less
likely to look like a number).

- migrated Docs-PB to Docs-MB in browser project
- updated browser build script to take new path into account
- created separate ChangeLog-MB.txt softlink, migrate ChangeLog.txt softlink
  to ChangeLog-TBB.txt
- updated changelog-format-blog-post script to reference correct file and
  fix bug in raw changelog link

Add the commit hash and GitLab URL to the mozconfig to make them appear
in about:buildconfig on Android, too.

HFS has the disadvantage that we cannot grow the filesystem while
adding files.
We have to estimate an initial size, instead, and we relied on du for
this. However, du depends on the underlying filesystem, and this could
lead to reproducibility issues (because the HFS headers tell different
sizes).

So, with this change, we compute a rough number of needed blocks by
taking the actual size of the files.

Overshooting is not a problem, because DMG is compressed with bzip2, so
unused space will be trimmed, eventually.