build-system/gnu: Add #:disallowed-references.

* guix/build-system/gnu.scm (gnu-build): Add #:disallowed-references and
honor it.
(gnu-cross-build): Likewise.

gexp: Add #:disallowed-references.

* guix/gexp.scm (gexp->derivation): Add #:disallowed-references and
honor it.
* tests/gexp.scm ("gexp->derivation #:disallowed-references, allowed")
("gexp->derivation #:disallowed-references"): New tests.
* doc/guix.texi (G-Expressions): Adjust accordingly.

derivations: Add #:disallowed-references.

* guix/derivations.scm (derivation): Add #:disallowed-references.
[user+system-env-vars]: Honor it.
(build-expression->derivation): Likewise.
* tests/derivations.scm ("derivation #:disallowed-references, ok")
("derivation #:disallowed-references, not ok"): New tests.
* doc/guix.texi (Derivations): Adjust accordingly.

import: pypi: Emit 'pypi-uri' only when it yields the right URL.

Fixes <http://bugs.gnu.org/23062>.
Reported by Danny Milosavljevic <dannym@scratchpost.org>.

* guix/import/pypi.scm (make-pypi-sexp): Check whether 'pypi-uri'
returns SOURCE-URL and fall back to the full URL otherwise.
* tests/pypi.scm ("pypi->guix-package"): Adjust expected URI
accordingly.

Co-authored-by: Danny Milosavljevic <dannym@scratchpost.org>

substitute: Do not leak file descriptors for TLS connections.

Partially fixes <http://bugs.gnu.org/20145>.

* guix/scripts/substitute.scm (fetch, download-cache-info):
(http-multiple-get, fetch-narinfos, progress-report-port): Use
'close-connection' instead of 'close-port'.

substitute: Cache transient HTTP errors for 10mn.

* guix/scripts/substitute.scm (fetch-narinfos)[handle-narinfo-response]:
Cache transient errors for 10mn.
(%narinfo-transient-error-ttl): New variable.

lint: Do not leak file descriptors for TLS connections.

Partially fixes <http://bugs.gnu.org/20145>.

* guix/scripts/lint.scm (probe-uri): Use 'close-connection' instead of
'close-port'.

download: Add 'close-connection'.

Partially fixes <http://bugs.gnu.org/20145>.

* guix/build/download.scm (add-weak-reference): Remove.
(%tls-ports): New variable.
(register-tls-record-port): New procedure.
(tls-wrap): Use it instead of 'add-weak-reference'.
(close-connection): New procedure.

substitute: Update progress for responses different from 200/404.

* guix/scripts/substitute.scm (fetch-narinfos)[handle-narinfo-response]:
Add missing call to 'update-progress!'.

licenses: Add Apache Software License 1.1.

* guix/licenses.scm (asl1.1): New variables.

Signed-off-by: Leo Famulari <leo@famulari.name>

substitute: Honor client-provided empty URL list.

Before that, 'guix build --substitute-urls=""' would lead to using the
daemon's own URL list instead of the empty list.  The 'or*' hack, which
is to blame, had become unnecessary since commit
fb4bf72be3fbc23bca35ba4b842b7e1517ef0e3a.

Reported by Mark H Weaver <mhw@netris.org>.

* guix/scripts/substitute.scm (or*): Remove.
(%cache-urls): Use 'or' instead of 'or*'.
* tests/store.scm ("substitute query, alternating URLs"): Add test with
empty URL list.
* doc/guix.texi (Common Build Options): Mention the empty string.

substitute: Honor the 'max-age' of 'Cache-Control' headers.

This allows substitute servers to tell 'guix substitute' how long they
can cache narinfo lookups.

* guix/scripts/substitute.scm (cache-narinfo!): Add 'ttl' parameter.
[cache-entry]: Honor it.
(fetch-narinfos)[handle-narinfo-response]: Check the 'Cache-Control'
header of RESPONSE and pass its 'max-age' value to 'cache-narinfo!'.

substitute: Make room for a 'ttl' field in cached entries.

* guix/scripts/substitute.scm (cached-narinfo): Expect 'narinfo' sexp
version 2 with a 'ttl' field.
(cache-narinfo!)[cache-entry]: Produce 'narinfo' sexp version 2 with a
'ttl' field.
(remove-expired-cached-narinfos)[expired?]: Read 'narinfo' sexp version 2.

build: Default to "https://mirror.hydra.gnu.org/" for substitutes.

* config-daemon.ac: Check for (gnutls) and define 'GUIX_SUBSTITUTE_URLS'.
* nix/nix-daemon/guix-daemon.cc (main): Use GUIX_SUBSTITUTE_URLS.
* guix/store.scm (%default-substitute-urls): Use 'https' when (gnutls)
is available.
* doc/guix.texi (Binary Installation): Mention mirrors
(Invoking guix-daemon): Mention mirror.hydra.gnu.org.
(Substitutes): Mention mirrors.
(Invoking guix archive): Show https URLs.

http-client: No 'setvbuf' for non-file ports.

* guix/http-client.scm (http-fetch): Do not call 'setvbuf' on non-file
ports.

grafts: Update the narinfo cache before building a derivation.

* guix/grafts.scm (references-oracle)[references*]: Add call to
'substitution-oracle'.

substitute: Keep the initial connection alive.

The connection used to fetch /nix-cache-info is now reused for the
subsequent narinfo requests.

* guix/scripts/substitute.scm (download-cache-info)[download]: Remove.
[uri, read-cache-info]: New variables.
Rewrite in terms of 'http-fetch' instead of 'fetch'.  Return an open
port in addition to a <cache-info>.
* guix/scripts/substitute.scm (http-multiple-get): Add #:port parameter
and honor it.
(fetch-narinfos)[do-fetch]: Add 'port' parameter.
Adjust to new 'download-cache-info' and 'do-fetch' signatures.

http-client: Add #:keep-alive? parameter.

* guix/http-client.scm (http-fetch): Add #:keep-alive? parameter and
pass it to 'http-get' or 'http-get*'.

substitute: Remove dead code.

This parameter became unused with the switch to HTTP pipelining in
commit d3a652037ef879f9279bc056c43d15ba7afcbb25.

* guix/scripts/substitute.scm (fetch): Remove #:quiet-404? and adjust
accordingly.

store: 'references/substitutes' caches its results.

* guix/store.scm (%reference-cache): New variable.
(references/substitutes): Use it.