build: Use the new --symlink option instead of --expose.

Instead of leaking host TLS certificates at /etc/ssl/certs for GnuTLS,
we can now have the directory symlinked to the ones provided by the
nss-certs package in the Guix container, which is cleaner.

* extras/packaging/gnu-linux/Makefile
(portable-release-tarball): Replace --expose options with --symlink.
* build.py (run_install): Likewise.

Change-Id: Id3b8c2b3dd06fade10bbd280fd0af8f9ac8fde45

build.py

@@ -406,11 +406,9 @@ def run_install(args):
             print('info: consider setting the TARBALLS environment variable '
                   'to a stable writable location to avoid loosing '
                   'cached tarballs')
-        # Note: we must expose /gnu/store because /etc/ssl/certs
-        # contains certs that are symlinks to store items.
         command = ['guix', 'shell', '--manifest=guix/manifest.scm',
-                   '--expose=/gnu/store', '--expose=/etc/ssl/certs',
-                   '--expose=/usr/bin/env',
+                   '--symlink=/usr/bin/env=bin/env',
+                   '--symlink=/etc/ssl/certs=etc/ssl/certs',
                    '--container', '--network'] + share_tarballs_args \
             + ['--'] + command
 

extras/packaging/gnu-linux/Makefile

@@ -98,9 +98,9 @@ guix-share-tarball-arg = $${TARBALLS:+"--share=$$TARBALLS"}
 portable-release-tarball: has-guix-p
 	guix shell --container --network \
           --preserve=TARBALLS $(guix-share-tarball-arg) \
-          --expose=/usr/bin/env \
-          --expose=$$SSL_CERT_DIR=/etc/ssl/certs \
-          --manifest=$(CURDIR)/extras/packaging/gnu-linux/guix/minimal-manifest.scm \
+          --symlink=/usr/bin/env=bin/env \
+          --symlink=/etc/ssl/certs=etc/ssl/certs \
+          --manifest=extras/packaging/gnu-linux/guix/minimal-manifest.scm \
           -- $(MAKE) -f extras/packaging/gnu-linux/Makefile release-tarball
 
 daemon/contrib/native/Makefile: