derivations: Add #:leaked-env-vars parameter.

Suggested by Joshua Randall <jcrandall@alum.mit.edu>
in <http://bugs.gnu.org/20402>.

* guix/derivations.scm (derivation): Add #:leaked-env-vars parameter.
  [user+system-env-vars]: Honor it.
* guix/gexp.scm (gexp->derivation): Add #:leaked-env-vars and pass it to
  'raw-derivation'.
* doc/guix.texi (Derivations, G-Expressions): Adjust accordingly.

2 files changed, 13 insertions, 1 deletions

diff --git a/guix/derivations.scm b/guix/derivations.scm
index 7737e39b2d..1056caa70a 100644
--- a/guix/derivations.scm
+++ b/guix/derivations.scm
@@ -692,7 +692,7 @@ HASH-ALGO, of the derivation NAME.  RECURSIVE? has the same meaning as for
                      (inputs '()) (outputs '("out"))
                      hash hash-algo recursive?
                      references-graphs allowed-references
-                     local-build?)
+                     leaked-env-vars local-build?)
   "Build a derivation with the given arguments, and return the resulting
 <derivation> object.  When HASH and HASH-ALGO are given, a
 fixed-output derivation is created---i.e., one whose result is known in
@@ -707,6 +707,12 @@ the build environment in the corresponding file, in a simple text format.
 When ALLOWED-REFERENCES is true, it must be a list of store items or outputs
 that the derivation's output may refer to.
 
+When LEAKED-ENV-VARS is true, it must be a list of strings denoting
+environment variables that are allowed to \"leak\" from the daemon's
+environment to the build environment.  This is only applicable to fixed-output
+derivations--i.e., when HASH is true.  The main use is to allow variables such
+as \"http_proxy\" to be passed to derivations that download files.
+
 When LOCAL-BUILD? is true, declare that the derivation is not a good candidate
 for offloading and should rather be built locally.  This is the case for small
 derivations where the costs of data transfers would outweigh the benefits."
@@ -751,6 +757,10 @@ derivations where the costs of data transfers would outweigh the benefits."
                             `(("allowedReferences"
                                . ,(string-join allowed-references)))
                             '())
+                      ,@(if leaked-env-vars
+                            `(("impureEnvVars"
+                               . ,(string-join leaked-env-vars)))
+                            '())
                       ,@env-vars)))
       (match references-graphs
         (((file . path) ...)
diff --git a/guix/gexp.scm b/guix/gexp.scm
index a2da72e76c..b08a361232 100644
--- a/guix/gexp.scm
+++ b/guix/gexp.scm
@@ -282,6 +282,7 @@ names and file names suitable for the #:allowed-references argument to
                            (graft? (%graft?))
                            references-graphs
                            allowed-references
+                           leaked-env-vars
                            local-build?)
   "Return a derivation NAME that runs EXP (a gexp) with GUILE-FOR-BUILD (a
 derivation) on SYSTEM.  When TARGET is true, it is used as the
@@ -400,6 +401,7 @@ The other arguments are as for 'derivation'."
                       #:hash hash #:hash-algo hash-algo #:recursive? recursive?
                       #:references-graphs (and=> graphs graphs-file-names)
                       #:allowed-references allowed
+                      #:leaked-env-vars leaked-env-vars
                       #:local-build? local-build?))))
 
 (define* (gexp-inputs exp #:key native?)