From 0bf99a8feeacec67c78f79fcf3abaab7877e94b7 Mon Sep 17 00:00:00 2001
From: Maxim Cournoyer
Date: Mon, 20 Feb 2023 21:59:28 -0500
Subject: [PATCH] build: Use the new --symlink option instead of --expose.

Instead of leaking host TLS certificates at /etc/ssl/certs for GnuTLS, we can now have the directory symlinked to the ones provided by the nss-certs package in the Guix container, which is cleaner.

* extras/packaging/gnu-linux/Makefile (portable-release-tarball): Replace --expose options with --symlink.
* build.py (run_install): Likewise.

Change-Id: Id3b8c2b3dd06fade10bbd280fd0af8f9ac8fde45
---
 build.py                            | 6 ++----
 extras/packaging/gnu-linux/Makefile | 6 +++---
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/build.py b/build.py
index c1edd9c6..b4a1b09b 100755
--- a/build.py
+++ b/build.py
@@ -406,11 +406,9 @@ def run_install(args):
         print('info: consider setting the TARBALLS environment variable '
               'to a stable writable location to avoid loosing '
               'cached tarballs')
-        # Note: we must expose /gnu/store because /etc/ssl/certs
-        # contains certs that are symlinks to store items.
         command = ['guix', 'shell', '--manifest=guix/manifest.scm',
-                   '--expose=/gnu/store', '--expose=/etc/ssl/certs',
-                   '--expose=/usr/bin/env',
+                   '--symlink=/usr/bin/env=bin/env',
+                   '--symlink=/etc/ssl/certs=etc/ssl/certs',
                    '--container', '--network'] + share_tarballs_args \
                    + ['--'] + command
 
diff --git a/extras/packaging/gnu-linux/Makefile b/extras/packaging/gnu-linux/Makefile
index d6beffbd..2df67631 100644
--- a/extras/packaging/gnu-linux/Makefile
+++ b/extras/packaging/gnu-linux/Makefile
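Review bot: The new `'--symlink=/etc/ssl/certs=etc/ssl/certs'` entry only yields a usable trust store if the profile built from `guix/manifest.scm` actually contains `nss-certs`; that manifest is not in this patch, and if the package is missing the link dangles and every TLS connection made through `--network` fails to verify (or, for clients that tolerate a missing store, is made without verification). The removed `# Note:` lines were the only explanation of the certificate setup, so I would keep a comment above `command = [...]`, e.g. `# /etc/ssl/certs is a symlink into the container profile, so guix/manifest.scm must list nss-certs; host certificates are no longer exposed.` The `--symlink` option is recent, so a `guix` that predates it rejects this command with an unknown-option error; consider documenting the minimum Guix version or checking for it before building the command. run_install's body continues outside this hunk.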
@@ -98,9 +98,9 @@ guix-share-tarball-arg = $${TARBALLS:+"--share=$$TARBALLS"}
 portable-release-tarball: has-guix-p
 	guix shell --container --network \
 	  --preserve=TARBALLS $(guix-share-tarball-arg) \
-	  --expose=/usr/bin/env \
-	  --expose=$$SSL_CERT_DIR=/etc/ssl/certs \
-	  --manifest=$(CURDIR)/extras/packaging/gnu-linux/guix/minimal-manifest.scm \
+	  --symlink=/usr/bin/env=bin/env \
+	  --symlink=/etc/ssl/certs=etc/ssl/certs \
+	  --manifest=extras/packaging/gnu-linux/guix/minimal-manifest.scm \
 	  -- $(MAKE) -f extras/packaging/gnu-linux/Makefile release-tarball
 
 daemon/contrib/native/Makefile:
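Review bot: The `has-guix-p` prerequisite presumably only checks that a `guix` binary is present, while the `--symlink` option introduced here is new, so on an older Guix the recipe dies with an unrecognized-option error instead of a clear message; either extend that check to the Guix version or document the minimum version next to the target. The trust store inside the container now depends on `nss-certs` being listed in `minimal-manifest.scm`, which this hunk cannot show, so a recipe comment such as `# /etc/ssl/certs comes from nss-certs in minimal-manifest.scm; no host certificates are exposed into the container.` would make the requirement visible to whoever edits the manifest. The switch from `$(CURDIR)/extras/...` to a relative `--manifest` path is an unrelated change that assumes make is run from the repository root, which the `-f extras/...` argument on the last line already assumes, but it is worth a mention in the commit message.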