diff --git a/internal/rosa/gnu.go b/internal/rosa/gnu.go
index 893d24a8..9ec83da4 100644
--- a/internal/rosa/gnu.go
+++ b/internal/rosa/gnu.go
@@ -77,187 +77,6 @@ func init() {
 	})
 }
 
-func (t Toolchain) newGnuTLS() (pkg.Artifact, string) {
-	const (
-		version  = "3.8.12"
-		checksum = "VPdP-nRydQQRJcnma-YA7CJYA_kzTJ2rb3QFeP6D27emSyInJ8sQ-Wzn518I38dl"
-	)
-
-	var configureExtra []KV
-	switch t.arch {
-	case "arm64":
-		configureExtra = []KV{
-			{"disable-hardware-acceleration"},
-		}
-	}
-
-	return t.NewPackage("gnutls", version, t.newTagRemote(
-		"https://gitlab.com/gnutls/gnutls.git",
-		version, checksum,
-	), &PackageAttr{
-		Patches: []KV{
-			{"bootstrap-remove-gtk-doc", `diff --git a/bootstrap.conf b/bootstrap.conf
-index 1c3cc61e6..32bae9387 100644
---- a/bootstrap.conf
-+++ b/bootstrap.conf
-@@ -50,7 +50,6 @@ bison      2.4
- gettext    0.17
- git        1.4.4
- gperf      -
--gtkdocize  -
- perl       5.5
- wget       -
- "
-diff --git a/configure.ac b/configure.ac
-index 5057536e5..731558a15 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -403,11 +403,6 @@ if test "$enable_fuzzer_target" != "no";then
- 	AC_DEFINE([FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION], 1, [Enable fuzzer target -not for production])
- fi
- 
--dnl
--dnl check for gtk-doc
--dnl
--GTK_DOC_CHECK([1.14],[--flavour no-tmpl])
--
- AM_GNU_GETTEXT([external])
- AM_GNU_GETTEXT_VERSION([0.19])
- m4_ifdef([AM_GNU_GET][TEXT_REQUIRE_VERSION],[
-diff --git a/doc/Makefile.am b/doc/Makefile.am
-index fb1390d70..52f0ad9af 100644
---- a/doc/Makefile.am
-+++ b/doc/Makefile.am
-@@ -33,9 +33,6 @@ IMAGES = \
- 	pkcs11-vision.png
- 
- SUBDIRS = examples scripts credentials latex
--if ENABLE_GTK_DOC
--SUBDIRS += reference
--endif
- 
- -include $(top_srcdir)/doc/doc.mk
- 
-diff --git a/doc/reference/Makefile.am b/doc/reference/Makefile.am
-index f10c8ed3c..b711b58ec 100644
---- a/doc/reference/Makefile.am
-+++ b/doc/reference/Makefile.am
-@@ -82,13 +82,4 @@ include $(top_srcdir)/gtk-doc.make
- # e.g. EXTRA_DIST += version.xml.in
- EXTRA_DIST += version.xml.in
- 
--# Comment this out if you want 'make check' to test you doc status
--# and run some sanity checks
--if ENABLE_GTK_DOC
--TESTS_ENVIRONMENT = \
--  DOC_MODULE=$(DOC_MODULE) DOC_MAIN_SGML_FILE=$(DOC_MAIN_SGML_FILE) \
--  SRCDIR=$(abs_srcdir) BUILDDIR=$(abs_builddir)
--#TESTS = $(GTKDOC_CHECK)
--endif
--
- -include $(top_srcdir)/git.mk
-`},
-
-			{"alpine-tests-certtool", `I think this tests is simply wrong.
-When a PIN is given, the program should run in batch mode.
-So the question for "Enter password" should _not_ be present.
-
-DO NOT REMOVE UNLESS VERIFIED IT'S NOT ACTUALLY NECESSARY ANYMORE.
-
---- a/tests/cert-tests/certtool.sh	2019-02-07 07:33:45.960887338 +0000
-+++ b/tests/cert-tests/certtool.sh	2019-02-07 07:36:14.550955051 +0000
-@@ -49,7 +49,7 @@
- 
- 	#check whether password is being honoured
- 	#some CI runners need GNUTLS_PIN (GNUTLS_PIN=${PASS})
--	${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <<EOF
-+	GNUTLS_PIN=${PASS} ${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <<EOF
- $PASS
- EOF
- 	if test $? != 0;then
-@@ -59,7 +59,7 @@
- 	fi
- 
- 	grep "Enter password" ${TMPFILE2} >/dev/null 2>&1
--	if test $? != 0;then
-+	if test $? != 1; then
- 		cat ${TMPFILE2}
- 		echo "No password was asked"
- 		exit 1
-`},
-
-			{"test-kernel-version-ksh", `diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
-index 1b78b8cf1..350156a86 100644
---- a/tests/scripts/common.sh
-+++ b/tests/scripts/common.sh
-@@ -279,10 +279,6 @@ kernel_version_check() {
- 	kernel_major=$(echo $kernel_version | cut -d. -f1 2>/dev/null)
- 	kernel_minor=$(echo $kernel_version | cut -d. -f2 2>/dev/null)
- 
--	if ! [[ "$kernel_major" =~ ^[0-9]+$ ]] || ! [[ "$kernel_minor" =~ ^[0-9]+$ ]]; then
--		return 1
--	fi
--
- 	if [ "$kernel_major" -lt "$required_major" ]; then
- 		return 1
- 	fi
-`},
-		},
-	}, &MakeHelper{
-		Generate: "./bootstrap --skip-po --no-git --gnulib-srcdir=gnulib",
-
-		Configure: append([]KV{
-			{"disable-doc"},
-			{"disable-openssl-compatibility"},
-
-			{"with-default-trust-store-file", "/system/etc/ssl/certs/ca-bundle.crt"},
-			{"with-default-trust-store-pkcs11", "pkcs11:"},
-
-			{"with-zlib", "link"},
-			{"with-zstd", "link"},
-		}, configureExtra...),
-	},
-		Gzip,
-		Automake,
-		Libtool,
-		Bison,
-		Gettext,
-		Gperf,
-		PkgConfig,
-
-		Python,
-		Texinfo,
-		Diffutils,
-		NSSCACert,
-
-		Libev,
-		Zlib,
-		Zstd,
-		P11Kit,
-		nettle3,
-		Libunistring,
-	), version
-}
-func init() {
-	native.MustRegister(&Artifact{
-		f: Toolchain.newGnuTLS,
-
-		Name:        "gnutls",
-		Description: "a secure communications library implementing the SSL, TLS and DTLS protocols",
-		Website:     "https://gnutls.org",
-
-		Dependencies: P{
-			Zlib,
-			Zstd,
-			P11Kit,
-			nettle3,
-			Libunistring,
-		},
-
-		ID: 1221,
-	})
-}
-
 func (t Toolchain) newBinutils() (pkg.Artifact, string) {
 	const (
 		version  = "2.46.0"
diff --git a/internal/rosa/package/gnu/package.az b/internal/rosa/package/gnu.az
similarity index 100%
rename from internal/rosa/package/gnu/package.az
rename to internal/rosa/package/gnu.az
diff --git a/internal/rosa/package/gnutls/alpine-tests-certtool.patch b/internal/rosa/package/gnutls/alpine-tests-certtool.patch
new file mode 100644
index 00000000..083b2a5e
--- /dev/null
+++ b/internal/rosa/package/gnutls/alpine-tests-certtool.patch
@@ -0,0 +1,26 @@
+I think this tests is simply wrong.
+When a PIN is given, the program should run in batch mode.
+So the question for "Enter password" should _not_ be present.
+
+DO NOT REMOVE UNLESS VERIFIED IT'S NOT ACTUALLY NECESSARY ANYMORE.
+
+--- a/tests/cert-tests/certtool.sh	2019-02-07 07:33:45.960887338 +0000
++++ b/tests/cert-tests/certtool.sh	2019-02-07 07:36:14.550955051 +0000
+@@ -49,7 +49,7 @@
+ 
+ 	#check whether password is being honoured
+ 	#some CI runners need GNUTLS_PIN (GNUTLS_PIN=${PASS})
+-	${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <<EOF
++	GNUTLS_PIN=${PASS} ${SETSID} "${CERTTOOL}" --generate-self-signed --load-privkey ${TMPFILE1} --template ${srcdir}/templates/template-test.tmpl --ask-pass >${TMPFILE2} 2>&1 <<EOF
+ $PASS
+ EOF
+ 	if test $? != 0;then
+@@ -59,7 +59,7 @@
+ 	fi
+ 
+ 	grep "Enter password" ${TMPFILE2} >/dev/null 2>&1
+-	if test $? != 0;then
++	if test $? != 1; then
+ 		cat ${TMPFILE2}
+ 		echo "No password was asked"
+ 		exit 1
diff --git a/internal/rosa/package/gnutls/bootstrap-remove-gtk-doc.patch b/internal/rosa/package/gnutls/bootstrap-remove-gtk-doc.patch
new file mode 100644
index 00000000..5007218c
--- /dev/null
+++ b/internal/rosa/package/gnutls/bootstrap-remove-gtk-doc.patch
@@ -0,0 +1,60 @@
+diff --git a/bootstrap.conf b/bootstrap.conf
+index 1c3cc61e6..32bae9387 100644
+--- a/bootstrap.conf
++++ b/bootstrap.conf
+@@ -50,7 +50,6 @@ bison      2.4
+ gettext    0.17
+ git        1.4.4
+ gperf      -
+-gtkdocize  -
+ perl       5.5
+ wget       -
+ "
+diff --git a/configure.ac b/configure.ac
+index 5057536e5..731558a15 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -403,11 +403,6 @@ if test "$enable_fuzzer_target" != "no";then
+ 	AC_DEFINE([FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION], 1, [Enable fuzzer target -not for production])
+ fi
+ 
+-dnl
+-dnl check for gtk-doc
+-dnl
+-GTK_DOC_CHECK([1.14],[--flavour no-tmpl])
+-
+ AM_GNU_GETTEXT([external])
+ AM_GNU_GETTEXT_VERSION([0.19])
+ m4_ifdef([AM_GNU_GET][TEXT_REQUIRE_VERSION],[
+diff --git a/doc/Makefile.am b/doc/Makefile.am
+index fb1390d70..52f0ad9af 100644
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -33,9 +33,6 @@ IMAGES = \
+ 	pkcs11-vision.png
+ 
+ SUBDIRS = examples scripts credentials latex
+-if ENABLE_GTK_DOC
+-SUBDIRS += reference
+-endif
+ 
+ -include $(top_srcdir)/doc/doc.mk
+ 
+diff --git a/doc/reference/Makefile.am b/doc/reference/Makefile.am
+index f10c8ed3c..b711b58ec 100644
+--- a/doc/reference/Makefile.am
++++ b/doc/reference/Makefile.am
+@@ -82,13 +82,4 @@ include $(top_srcdir)/gtk-doc.make
+ # e.g. EXTRA_DIST += version.xml.in
+ EXTRA_DIST += version.xml.in
+ 
+-# Comment this out if you want 'make check' to test you doc status
+-# and run some sanity checks
+-if ENABLE_GTK_DOC
+-TESTS_ENVIRONMENT = \
+-  DOC_MODULE=$(DOC_MODULE) DOC_MAIN_SGML_FILE=$(DOC_MAIN_SGML_FILE) \
+-  SRCDIR=$(abs_srcdir) BUILDDIR=$(abs_builddir)
+-#TESTS = $(GTKDOC_CHECK)
+-endif
+-
+ -include $(top_srcdir)/git.mk
diff --git a/internal/rosa/package/gnutls/package.az b/internal/rosa/package/gnutls/package.az
new file mode 100644
index 00000000..bdc6d47f
--- /dev/null
+++ b/internal/rosa/package/gnutls/package.az
@@ -0,0 +1,66 @@
+package gnutls {
+	description = "a secure communications library implementing the SSL, TLS and DTLS protocols";
+	website = "https://gnutls.org";
+	anitya = 1221;
+
+	version* = "3.8.12";
+	source = remoteGit {
+		url = "https://gitlab.com/gnutls/gnutls.git";
+		tag = version;
+		checksum = "VPdP-nRydQQRJcnma-YA7CJYA_kzTJ2rb3QFeP6D27emSyInJ8sQ-Wzn518I38dl";
+	};
+	patches = [
+		"bootstrap-remove-gtk-doc.patch",
+		"alpine-tests-certtool.patch",
+		"test-kernel-version-ksh.patch",
+	];
+
+	exec = make {
+		generate = "./bootstrap --skip-po --no-git --gnulib-srcdir=gnulib";
+
+		configure = {
+			"disable-doc";
+			"disable-openssl-compatibility";
+
+			"with-default-trust-store-file": "/system/etc/ssl/certs/ca-bundle.crt";
+			"with-default-trust-store-pkcs11": "pkcs11:";
+
+			"with-zlib": "link";
+			"with-zstd": "link";
+
+			"": arch {
+				arm64 = "disable-hardware-acceleration";
+			};
+		};
+	};
+
+	inputs = [
+		gzip,
+		automake,
+		libtool,
+		bison,
+		gettext,
+		gperf,
+		pkg-config,
+
+		python,
+		texinfo,
+		diffutils,
+		nss-cacert,
+
+		libev,
+		zlib,
+		zstd,
+		p11-kit,
+		nettle3,
+		libunistring,
+	];
+
+	runtime = [
+		zlib,
+		zstd,
+		p11-kit,
+		nettle3,
+		libunistring,
+	];
+}
diff --git a/internal/rosa/package/gnutls/test-kernel-version-ksh.patch b/internal/rosa/package/gnutls/test-kernel-version-ksh.patch
new file mode 100644
index 00000000..fbff46a5
--- /dev/null
+++ b/internal/rosa/package/gnutls/test-kernel-version-ksh.patch
@@ -0,0 +1,15 @@
+diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
+index 1b78b8cf1..350156a86 100644
+--- a/tests/scripts/common.sh
++++ b/tests/scripts/common.sh
+@@ -279,10 +279,6 @@ kernel_version_check() {
+ 	kernel_major=$(echo $kernel_version | cut -d. -f1 2>/dev/null)
+ 	kernel_minor=$(echo $kernel_version | cut -d. -f2 2>/dev/null)
+ 
+-	if ! [[ "$kernel_major" =~ ^[0-9]+$ ]] || ! [[ "$kernel_minor" =~ ^[0-9]+$ ]]; then
+-		return 1
+-	fi
+-
+ 	if [ "$kernel_major" -lt "$required_major" ]; then
+ 		return 1
+ 	fi
diff --git a/internal/rosa/state.go b/internal/rosa/state.go
index fd363faf..efb51d96 100644
--- a/internal/rosa/state.go
+++ b/internal/rosa/state.go
@@ -8,6 +8,7 @@ import (
 	"io/fs"
 	"net/http"
 	"path/filepath"
+	"reflect"
 	"runtime"
 	"slices"
 	"strconv"
@@ -373,6 +374,13 @@ func (s *S) Collect() (handles P) {
 	return
 }
 
+// deferredGit is a call to Toolchain.newTagRemote from azalea.
+type deferredGit struct {
+	url      string
+	tag      string
+	checksum string
+}
+
 // getS must be called before accessing s. This value is not currently safe for
 // concurrent use, but the underlying frame is immutable.
 func (s *S) getS() []azalea.Frame {
@@ -381,6 +389,12 @@ func (s *S) getS() []azalea.Frame {
 		k := func(name string) unique.Handle[azalea.Ident] {
 			return unique.Make(azalea.Ident(name))
 		}
+
+		var (
+			identDefault = k("default")
+			identArch    = k(s.arch)
+		)
+
 		s.s = make([]azalea.Frame, 1, 1<<4)
 		s.s[0].Val = map[unique.Handle[azalea.Ident]]any{
 			k("jobsE"):      jobsE,
@@ -428,9 +442,45 @@ func (s *S) getS() []azalea.Frame {
 				return
 			}},
 
+			// state helpers
+
+			k("arch"): {F: func(
+				args azalea.FArgs,
+			) (v any, set bool, err error) {
+				var fallback any
+				for _, arg := range args {
+					switch arg.K {
+					case identDefault:
+						fallback = arg.V
+						continue
+
+					case identArch:
+						return arg.V, true, nil
+					}
+				}
+
+				return fallback, fallback != nil, nil
+			}},
+
 			// convenience functions
 
-			unique.Make(azalea.Ident("remoteGitLab")): {F: func(
+			k("remoteGit"): {F: func(
+				args azalea.FArgs,
+			) (v any, set bool, err error) {
+				var a deferredGit
+				if err = args.Apply(map[unique.Handle[azalea.Ident]]any{
+					k("url"):      &a.url,
+					k("tag"):      &a.tag,
+					k("checksum"): &a.checksum,
+				}); err != nil {
+					return
+				}
+				v = a
+				set = true
+				return
+			}},
+
+			k("remoteGitLab"): {F: func(
 				args azalea.FArgs,
 			) (v any, set bool, err error) {
 				var domain, suffix, ref, checksum string
@@ -526,7 +576,7 @@ func (ctx *evalContext) f(
 
 		anitya  int64
 		version string
-		source  pkg.Artifact
+		sourceA any
 		helper  Helper
 
 		inputs, runtimes azalea.Array
@@ -537,7 +587,7 @@ func (ctx *evalContext) f(
 		k("anitya"):      &anitya,
 
 		k("version"): &version,
-		k("source"):  &source,
+		k("source"):  &sourceA,
 
 		k("writable"):    &attr.Writable,
 		k("chmod"):       &attr.Chmod,
@@ -581,6 +631,21 @@ func (ctx *evalContext) f(
 
 	meta.ID = int(anitya)
 	meta.f = func(t Toolchain) (pkg.Artifact, string) {
+		var source pkg.Artifact
+		switch p := sourceA.(type) {
+		case pkg.Artifact:
+			source = p
+
+		case deferredGit:
+			source = t.newTagRemote(p.url, p.tag, p.checksum)
+
+		default:
+			panic(azalea.TypeError{
+				Concrete: reflect.TypeOf(sourceA),
+				Asserted: reflect.TypeFor[pkg.Artifact](),
+			})
+		}
+
 		return t.NewPackage(
 			meta.Name,
 			version,