maint: Re-add intel mac build, on arm this time

2025-02-25 15:46:22 +01:00
1393 changed files with 47007 additions and 71299 deletions
--- a/.clang-format
+++ b/.clang-format
@@ -8,7 +8,7 @@ BraceWrapping:
  AfterUnion: true
  SplitEmptyRecord: false
 PointerAlignment: Middle
-FixNamespaceComments: true
+FixNamespaceComments: false
 SortIncludes: Never
 #IndentPPDirectives: BeforeHash
 SpaceAfterCStyleCast: true
@@ -32,4 +32,3 @@ IndentPPDirectives: AfterHash
 PPIndentWidth: 2
 BinPackArguments: false
 BreakBeforeTernaryOperators: true
-SeparateDefinitionBlocks: Always
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -1,14 +0,0 @@
-# Disable CodeRabbit auto-review to prevent verbose comments on PRs.
-# When enabled: false, CodeRabbit won't attempt reviews and won't post
-# "Review skipped" or other automated comments.
-reviews:
-  auto_review:
-    enabled: false
-  review_status: false
-  high_level_summary: false
-  poem: false
-  sequence_diagrams: false
-  changed_files_summary: false
-  tools:
-    github-checks:
-      enabled: false
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,6 +0,0 @@
-# bulk initial re-formatting with clang-format
-e4f62e46088919428a68bd8014201dc8e379fed7 # !autorebase ./maintainers/format.sh --until-stable
-# meson re-formatting
-385e2c3542c707d95e3784f7f6d623f67e77ab61 # !autorebase ./maintainers/format.sh --until-stable
-# nixfmt 1.0.0
-1d943f581908f35075a84a3d89c2eba3ff35067f # !autorebase ./maintainers/format.sh --until-stable
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -11,7 +11,16 @@
 .github/CODEOWNERS @edolstra

 # Documentation of built-in functions
-src/libexpr/primops.cc @roberth
+src/libexpr/primops.cc @roberth @fricklerhandwerk
+
+# Documentation of settings
+src/libexpr/eval-settings.hh @fricklerhandwerk
+src/libstore/globals.hh @fricklerhandwerk
+
+# Documentation
+doc/manual @fricklerhandwerk
+maintainers/*.md @fricklerhandwerk
+src/**/*.md @fricklerhandwerk

 # Libstore layer
 /src/libstore @ericson2314
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -45,7 +45,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open bug issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug

--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -30,7 +30,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open feature issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open feature issues and pull requests]: https://github.com/NixOS/nix/labels/feature

--- a/.github/ISSUE_TEMPLATE/installer.md
+++ b/.github/ISSUE_TEMPLATE/installer.md
@@ -38,7 +38,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open installer issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open installer issues and pull requests]: https://github.com/NixOS/nix/labels/installer

--- a/.github/ISSUE_TEMPLATE/missing_documentation.md
+++ b/.github/ISSUE_TEMPLATE/missing_documentation.md
@@ -22,7 +22,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open documentation issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation

--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -15,10 +15,6 @@ so you understand the process and the expectations.
 - volunteering contributions effectively
 - how to get help and our review process.

-PR stuck in review? We have two Nix team meetings per week online that are open for everyone in a jitsi conference:
-
- https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com
-
 -->

 ## Motivation
--- a/.github/STALE-BOT.md
+++ b/.github/STALE-BOT.md
@@ -3,7 +3,7 @@
 - Thanks for your contribution!
 - To remove the stale label, just leave a new comment.
 - _How to find the right people to ping?_ &rarr; [`git blame`](https://git-scm.com/docs/git-blame) to the rescue! (or GitHub's history and blame buttons.)
- You can always ask for help on [our Discourse Forum](https://discourse.nixos.org/) or on [Matrix - #users:nixos.org](https://matrix.to/#/#users:nixos.org).
+- You can always ask for help on [our Discourse Forum](https://discourse.nixos.org/) or on [Matrix - #nix:nixos.org](https://matrix.to/#/#nix:nixos.org).

 ## Suggestions for PRs

--- a/.github/actions/install-nix-action/action.yaml
+++ b/.github/actions/install-nix-action/action.yaml
@@ -1,131 +0,0 @@
-name: "Install Nix"
-description: "Helper action for installing Nix with support for dogfooding from master"
-inputs:
-  dogfood:
-    description: "Whether to use Nix installed from the latest artifact from master branch"
-    required: true # Be explicit about the fact that we are using unreleased artifacts
-  experimental-installer:
-    description: "Whether to use the experimental installer to install Nix"
-    default: false
-  experimental-installer-version:
-    description: "Version of the experimental installer to use. If `latest`, the newest artifact from the default branch is used."
-    # TODO: This should probably be pinned to a release after https://github.com/NixOS/experimental-nix-installer/pull/49 lands in one
-    default: "latest"
-  extra_nix_config:
-    description: "Gets appended to `/etc/nix/nix.conf` if passed."
-  install_url:
-    description: "URL of the Nix installer"
-    required: false
-    default: "https://releases.nixos.org/nix/nix-2.32.1/install"
-  tarball_url:
-    description: "URL of the Nix tarball to use with the experimental installer"
-    required: false
-  github_token:
-    description: "Github token"
-    required: true
-  use_cache:
-    description: "Whether to setup magic-nix-cache"
-    default: true
-    required: false
-runs:
-  using: "composite"
-  steps:
-    - name: "Download nix install artifact from master"
-      shell: bash
-      id: download-nix-installer
-      if: inputs.dogfood == 'true'
-      run: |
-        RUN_ID=$(gh run list --repo "$DOGFOOD_REPO" --workflow ci.yml --branch master --status success --json databaseId --jq ".[0].databaseId")
-
-        if [ "$RUNNER_OS" == "Linux" ]; then
-          INSTALLER_ARTIFACT="installer-linux"
-        elif [ "$RUNNER_OS" == "macOS" ]; then
-          INSTALLER_ARTIFACT="installer-darwin"
-        else
-          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
-          exit 1
-        fi
-
-        INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$INSTALLER_ARTIFACT"
-        mkdir -p "$INSTALLER_DOWNLOAD_DIR"
-
-        gh run download "$RUN_ID" --repo "$DOGFOOD_REPO" -n "$INSTALLER_ARTIFACT" -D "$INSTALLER_DOWNLOAD_DIR"
-        echo "installer-path=file://$INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
-        TARBALL_PATH="$(find "$INSTALLER_DOWNLOAD_DIR" -name 'nix*.tar.xz' -print | head -n 1)"
-        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
-
-        echo "::notice ::Dogfooding Nix installer from master (https://github.com/$DOGFOOD_REPO/actions/runs/$RUN_ID)"
-      env:
-        GH_TOKEN: ${{ inputs.github_token }}
-        DOGFOOD_REPO: "NixOS/nix"
-    - name: "Gather system info for experimental installer"
-      shell: bash
-      if: ${{ inputs.experimental-installer == 'true' }}
-      run: |
-        echo "::notice Using experimental installer from $EXPERIMENTAL_INSTALLER_REPO (https://github.com/$EXPERIMENTAL_INSTALLER_REPO)"
-
-        if [ "$RUNNER_OS" == "Linux" ]; then
-          EXPERIMENTAL_INSTALLER_SYSTEM="linux"
-          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-        elif [ "$RUNNER_OS" == "macOS" ]; then
-          EXPERIMENTAL_INSTALLER_SYSTEM="darwin"
-          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-        else
-          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
-          exit 1
-        fi
-
-        if [ "$RUNNER_ARCH" == "X64" ]; then
-          EXPERIMENTAL_INSTALLER_ARCH=x86_64
-          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
-        elif [ "$RUNNER_ARCH" == "ARM64" ]; then
-          EXPERIMENTAL_INSTALLER_ARCH=aarch64
-          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
-        else
-          echo "::error ::Unsupported RUNNER_ARCH: $RUNNER_ARCH"
-          exit 1
-        fi
-
-        echo "EXPERIMENTAL_INSTALLER_ARTIFACT=nix-installer-$EXPERIMENTAL_INSTALLER_ARCH-$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-      env:
-        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
-    - name: "Download latest experimental installer"
-      shell: bash
-      id: download-latest-experimental-installer
-      if: ${{ inputs.experimental-installer == 'true' && inputs.experimental-installer-version == 'latest' }}
-      run: |
-        RUN_ID=$(gh run list --repo "$EXPERIMENTAL_INSTALLER_REPO" --workflow ci.yml --branch main --status success --json databaseId --jq ".[0].databaseId")
-
-        EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$EXPERIMENTAL_INSTALLER_ARTIFACT"
-        mkdir -p "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
-
-        gh run download "$RUN_ID" --repo "$EXPERIMENTAL_INSTALLER_REPO" -n "$EXPERIMENTAL_INSTALLER_ARTIFACT" -D "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
-        # Executable permissions are lost in artifacts
-        find $EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR -type f -exec chmod +x {} +
-        echo "installer-path=$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
-      env:
-        GH_TOKEN: ${{ inputs.github_token }}
-        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
-    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
-      if: ${{ inputs.experimental-installer != 'true' }}
-      with:
-        # Ternary operator in GHA: https://www.github.com/actions/runner/issues/409#issuecomment-752775072
-        install_url: ${{ inputs.dogfood == 'true' && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
-        install_options: ${{ inputs.dogfood == 'true' && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
-        extra_nix_config: ${{ inputs.extra_nix_config }}
-    - uses: DeterminateSystems/nix-installer-action@786fff0690178f1234e4e1fe9b536e94f5433196 # v20
-      if: ${{ inputs.experimental-installer == 'true' }}
-      with:
-        diagnostic-endpoint: ""
-        # TODO: It'd be nice to use `artifacts.nixos.org` for both of these, maybe through an `/experimental-installer/latest` endpoint? or `/commit/<hash>`?
-        local-root: ${{ inputs.experimental-installer-version == 'latest' && steps.download-latest-experimental-installer.outputs.installer-path || '' }}
-        source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
-        nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
-        extra-conf: ${{ inputs.extra_nix_config }}
-    - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
-      if: ${{ inputs.use_cache == 'true' }}
-      with:
-        diagnostic-endpoint: ''
-        use-flakehub: false
-        use-gha-cache: true
-        source-revision: 92d9581367be2233c2d5714a2640e1339f4087d8 # main
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -1,37 +0,0 @@
-name: Backport
-on:
-  pull_request_target:
-    types: [closed, labeled]
-permissions:
-  contents: read
-jobs:
-  backport:
-    name: Backport Pull Request
-    permissions:
-      # for korthout/backport-action
-      contents: write
-      pull-requests: write
-    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
-    runs-on: ubuntu-24.04-arm
-    steps:
-      - name: Generate GitHub App token
-        id: generate-token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ vars.CI_APP_ID }}
-          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
-      - uses: actions/checkout@v5
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          # required to find all branches
-          fetch-depth: 0
-      - name: Create backport PRs
-        uses: korthout/backport-action@d07416681cab29bf2661702f925f020aaa962997 # v3.4.1
-        id: backport
-        with:
-          # Config README: https://github.com/korthout/backport-action#backport-action
-          github_token: ${{ steps.generate-token.outputs.token }}
-          github_workspace: ${{ github.workspace }}
-          auto_merge_enabled: true
-          pull_description: |-
-            Automatic backport to `${target_branch}`, triggered by a label in #${pull_number}.
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,21 +2,7 @@ name: "CI"

 on:
  pull_request:
-  merge_group:
  push:
-    branches:
-      - master
-  workflow_dispatch:
-    inputs:
-      dogfood:
-        description: 'Use dogfood Nix build'
-        required: false
-        default: true
-        type: boolean
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true

 permissions: read-all

@@ -24,168 +10,85 @@ jobs:
  eval:
    runs-on: ubuntu-24.04
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
-    - uses: ./.github/actions/install-nix-action
-      with:
-        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
-        extra_nix_config:
-          experimental-features = nix-command flakes
-        github_token: ${{ secrets.GITHUB_TOKEN }}
-        use_cache: false
-    - run: nix flake show --all-systems --json
-
-  pre-commit-checks:
-    name: pre-commit checks
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@v5
-      - uses: ./.github/actions/install-nix-action
-        with:
-          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
-          extra_nix_config: experimental-features = nix-command flakes
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-      - run: ./ci/gha/tests/pre-commit-checks
-
-  basic-checks:
-    name: aggregate basic checks
-    if: ${{ always() }}
-    runs-on: ubuntu-24.04
-    needs: [pre-commit-checks, eval]
-    steps:
-      - name: Exit with any errors
-        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
-        run: |
-          exit 1
+    - uses: cachix/install-nix-action@v30
+    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json

  tests:
-    needs: basic-checks
    strategy:
      fail-fast: false
      matrix:
        include:
          - scenario: on ubuntu
            runs-on: ubuntu-24.04
+            system: x86_64-linux
            os: linux
-            instrumented: false
-            primary: true
-            stdenv: stdenv
-          - scenario: on macos
+          - scenario: on macos (aarch64)
            runs-on: macos-14
+            system: aarch64-darwin
+            os: darwin
+          - scenario: on macos (x86_64)
+            runs-on: macos-14
+            system: x86_64-darwin
            os: darwin
-            instrumented: false
-            primary: true
-            stdenv: stdenv
-          - scenario: on ubuntu (with sanitizers / coverage)
-            runs-on: ubuntu-24.04
-            os: linux
-            instrumented: true
-            primary: false
-            stdenv: clangStdenv
    name: tests ${{ matrix.scenario }}
    runs-on: ${{ matrix.runs-on }}
    timeout-minutes: 60
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
-    - uses: ./.github/actions/install-nix-action
+    - uses: cachix/install-nix-action@v30
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
-        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
        # The sandbox would otherwise be disabled by default on Darwin
-        extra_nix_config: "sandbox = true"
+        extra_nix_config: |
+          sandbox = true
+          max-jobs = 1
+          system = ${{ matrix.system }}
+    - uses: DeterminateSystems/magic-nix-cache-action@main
    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
      if: matrix.os == 'linux'
-    - name: Run component tests
-      run: |
-        nix build --file ci/gha/tests/wrapper.nix componentTests -L \
-          --arg withInstrumentation ${{ matrix.instrumented }} \
-          --argstr stdenv "${{ matrix.stdenv }}"
-    - name: Run VM tests
-      run: |
-        nix build --file ci/gha/tests/wrapper.nix vmTests -L \
-          --arg withInstrumentation ${{ matrix.instrumented }} \
-          --argstr stdenv "${{ matrix.stdenv }}"
-      if: ${{ matrix.os == 'linux' }}
-    - name: Run flake checks and prepare the installer tarball
-      run: |
-        ci/gha/tests/build-checks
-        ci/gha/tests/prepare-installer-for-github-actions
-      if: ${{ matrix.primary }}
-    - name: Collect code coverage
-      run: |
-        nix build --file ci/gha/tests/wrapper.nix codeCoverage.coverageReports -L \
-          --arg withInstrumentation ${{ matrix.instrumented }} \
-          --argstr stdenv "${{ matrix.stdenv }}" \
-          --out-link coverage-reports
-        cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
-      if: ${{ matrix.instrumented }}
-    - name: Upload coverage reports
-      uses: actions/upload-artifact@v4
-      with:
-        name: coverage-reports
-        path: coverage-reports/
-      if: ${{ matrix.instrumented }}
+    - run: scripts/build-checks
+    - run: scripts/prepare-installer-for-github-actions
    - name: Upload installer tarball
      uses: actions/upload-artifact@v4
      with:
        name: installer-${{matrix.os}}
        path: out/*
-      if: ${{ matrix.primary }}

  installer_test:
    needs: [tests]
    strategy:
      fail-fast: false
      matrix:
+        # No x86_64-darwin (yet?) because of poor performance and similarity to aarch64-darwin
        include:
          - scenario: on ubuntu
            runs-on: ubuntu-24.04
            os: linux
-            experimental-installer: false
          - scenario: on macos
            runs-on: macos-14
            os: darwin
-            experimental-installer: false
-          - scenario: on ubuntu (experimental)
-            runs-on: ubuntu-24.04
-            os: linux
-            experimental-installer: true
-          - scenario: on macos (experimental)
-            runs-on: macos-14
-            os: darwin
-            experimental-installer: true
    name: installer test ${{ matrix.scenario }}
    runs-on: ${{ matrix.runs-on }}
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
    - name: Download installer tarball
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@v4
      with:
        name: installer-${{matrix.os}}
        path: out
-    - name: Looking up the installer tarball URL
-      id: installer-tarball-url
-      run: |
-        echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
-        TARBALL_PATH="$(find "$GITHUB_WORKSPACE/out" -name 'nix*.tar.xz' -print | head -n 1)"
-        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
-    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
-      if: ${{ !matrix.experimental-installer }}
+    - name: Serving installer
+      id: serving_installer
+      run: ./scripts/serve-installer-for-github-actions
+    - uses: cachix/install-nix-action@v30
      with:
-        install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
-        install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
-    - uses: ./.github/actions/install-nix-action
-      if: ${{ matrix.experimental-installer }}
-      with:
-        dogfood: false
-        experimental-installer: true
-        tarball_url: ${{ steps.installer-tarball-url.outputs.tarball-path }}
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        install_url: 'http://localhost:8126/install'
+        install_options: "--tarball-url-prefix http://localhost:8126/"
    - run: sudo apt install fish zsh
      if: matrix.os == 'linux'
    - run: brew install fish
@@ -204,20 +107,20 @@ jobs:
  check_secrets:
    permissions:
      contents: none
-    name: Check presence of secrets
+    name: Check Docker secrets present for installer tests
    runs-on: ubuntu-24.04
    outputs:
      docker: ${{ steps.secret.outputs.docker }}
    steps:
-      - name: Check for DockerHub secrets
+      - name: Check for secrets
        id: secret
        env:
          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
        run: |
-          echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
+          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"

  docker_push_image:
-    needs: [tests, check_secrets]
+    needs: [tests, vm_tests, check_secrets]
    permissions:
      contents: read
      packages: write
@@ -227,16 +130,21 @@ jobs:
      github.ref_name == 'master'
    runs-on: ubuntu-24.04
    steps:
-    - uses: actions/checkout@v5
+    - name: Check for secrets
+      id: secret
+      env:
+        _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+      run: |
+        echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
-    - uses: ./.github/actions/install-nix-action
+    - uses: cachix/install-nix-action@v30
      with:
-        dogfood: false
-        extra_nix_config: |
-          experimental-features = flakes nix-command
-    - run: echo NIX_VERSION="$(nix eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
-    - run: nix build .#dockerImage -L
+        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
+    - uses: DeterminateSystems/magic-nix-cache-action@main
+    - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
+    - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
    - run: docker load -i ./result/image.tar.gz
    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
@@ -271,48 +179,36 @@ jobs:
        docker tag nix:$NIX_VERSION $IMAGE_ID:master
        docker push $IMAGE_ID:master

+  vm_tests:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: |
+          nix build -L \
+            .#hydraJobs.tests.functional_user \
+            .#hydraJobs.tests.githubFlakes \
+            .#hydraJobs.tests.nix-docker \
+            .#hydraJobs.tests.tarballFlakes \
+            ;
+
  flake_regressions:
-    needs: tests
+    needs: vm_tests
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout nix
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Checkout flake-regressions
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: NixOS/flake-regressions
          path: flake-regressions
      - name: Checkout flake-regressions-data
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: NixOS/flake-regressions-data
          path: flake-regressions/tests
-      - uses: ./.github/actions/install-nix-action
-        with:
-          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
-          extra_nix_config:
-            experimental-features = nix-command flakes
-          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh
-
-  profile_build:
-    needs: tests
-    runs-on: ubuntu-24.04
-    timeout-minutes: 60
-    if: >-
-      github.event_name == 'push' &&
-      github.ref_name == 'master'
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        fetch-depth: 0
-    - uses: ./.github/actions/install-nix-action
-      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
-        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
-        extra_nix_config: |
-          experimental-features = flakes nix-command ca-derivations impure-derivations
-          max-jobs = 1
-    - run: |
-        nix build -L --file ./ci/gha/profile-build buildTimeReport --out-link build-time-report.md
-        cat build-time-report.md >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-24.04
    if: github.repository_owner == 'NixOS'
    steps:
-    - uses: actions/labeler@v6
+    - uses: actions/labeler@v5
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        sync-labels: false
--- a/.gitignore
+++ b/.gitignore
@@ -14,7 +14,7 @@
 /tests/functional/lang/*.err
 /tests/functional/lang/*.ast

-/outputs
+outputs/

 *~

@@ -47,6 +47,3 @@ result-*
 .DS_Store

 flake-regressions
-
-# direnv
-.direnv/
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -0,0 +1,119 @@
+queue_rules:
+  - name: default
+    # all required tests need to go here
+    merge_conditions:
+      - check-success=tests on macos
+      - check-success=tests on ubuntu
+      - check-success=installer test on macos
+      - check-success=installer test on ubuntu
+      - check-success=vm_tests
+    batch_size: 5
+
+pull_request_rules:
+  - name: merge using the merge queue
+    conditions:
+      - base~=master|.+-maintenance
+      - label~=merge-queue|dependencies
+    actions:
+      queue: {}
+
+# The rules below will first create backport pull requests and put those in a merge queue.
+
+  - name: backport patches to 2.18
+    conditions:
+      - label=backport 2.18-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.18-maintenance
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.19
+    conditions:
+      - label=backport 2.19-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.19-maintenance
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.20
+    conditions:
+      - label=backport 2.20-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.20-maintenance
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.21
+    conditions:
+      - label=backport 2.21-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.21-maintenance
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.22
+    conditions:
+      - label=backport 2.22-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.22-maintenance
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.23
+    conditions:
+      - label=backport 2.23-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.23-maintenance
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.24
+    conditions:
+      - label=backport 2.24-maintenance
+    actions:
+      backport:
+        branches:
+          - "2.24-maintenance"
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.25
+    conditions:
+      - label=backport 2.25-maintenance
+    actions:
+      backport:
+        branches:
+          - "2.25-maintenance"
+        labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.26
+    conditions:
+      - label=backport 2.26-maintenance
+    actions:
+      backport:
+        branches:
+          - "2.26-maintenance"
+        labels:
+          - automatic backport
+          - merge-queue
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.33.0
+2.27.0
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -89,7 +89,7 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).

 ## Making changes to the Nix manual

-The Nix reference manual is hosted on https://nix.dev/manual/nix.
+The Nix reference manual is hosted on https://nixos.org/manual/nix.
 The underlying source files are located in [`doc/manual/source`](./doc/manual/source).
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
 For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).
--- a/25
+++ b/25
@@ -1,8 +1,8 @@
-                  GNU LESSER GENERAL PUBLIC LICENSE
-                       Version 2.1, February 1999
+		  GNU LESSER GENERAL PUBLIC LICENSE
+		       Version 2.1, February 1999

 Copyright (C) 1991, 1999 Free Software Foundation, Inc.
- <https://fsf.org/>
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

@@ -10,7 +10,7 @@
 as the successor of the GNU Library Public License, version 2, hence
 the version number 2.1.]

-                            Preamble
+			    Preamble

  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
@@ -112,7 +112,7 @@ modification follow.  Pay close attention to the difference between a
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.

-                  GNU LESSER GENERAL PUBLIC LICENSE
+		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License Agreement applies to any software library or other
@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-
+  
  1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@@ -432,7 +432,7 @@ decision will be guided by the two goals of preserving the free status
 of all derivatives of our free software and of promoting the sharing
 and reuse of software generally.

-                            NO WARRANTY
+			    NO WARRANTY

  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
 WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
@@ -455,7 +455,7 @@ FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
 SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.

-                     END OF TERMS AND CONDITIONS
+		     END OF TERMS AND CONDITIONS

           How to Apply These Terms to Your New Libraries

@@ -484,7 +484,8 @@ convey the exclusion of warranty; and each file should have at least the
    Lesser General Public License for more details.

    You should have received a copy of the GNU Lesser General Public
-    License along with this library; if not, see <https://www.gnu.org/licenses/>.
+    License along with this library; if not, write to the Free Software
+    Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA

 Also add information on how to contact you by electronic and paper mail.

@@ -495,7 +496,9 @@ necessary.  Here is a sample; alter the names:
  Yoyodyne, Inc., hereby disclaims all copyright interest in the
  library `Frob' (a library for tweaking knobs) written by James Random Hacker.

-  <signature of Moe Ghoul>, 1 April 1990
-  Moe Ghoul, President of Vice
+  <signature of Ty Coon>, 1 April 1990
+  Ty Coon, President of Vice

 That's all there is to it!
+
+
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Today, a world-wide developer community contributes to Nix and the ecosystem tha
 - [Nixpkgs](https://github.com/NixOS/nixpkgs) is [the largest, most up-to-date free software repository in the world](https://repology.org/repositories/graphs)
 - [NixOS](https://github.com/NixOS/nixpkgs/tree/master/nixos) is a Linux distribution that can be configured fully declaratively
 - [Discourse](https://discourse.nixos.org/)
- Matrix: [#users:nixos.org](https://matrix.to/#/#users:nixos.org) for user support and [#nix-dev:nixos.org](https://matrix.to/#/#nix-dev:nixos.org) for development
+- [Matrix](https://matrix.to/#/#nix:nixos.org)

 ## License

--- a/ci/gha/profile-build/default.nix
+++ b/ci/gha/profile-build/default.nix
@@ -1,101 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? builtins.currentSystem,
-  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
-}:
-
-let
-  inherit (pkgs) lib;
-
-  nixComponentsInstrumented =
-    (nixFlake.lib.makeComponents {
-      inherit pkgs;
-      getStdenv = p: p.clangStdenv;
-    }).overrideScope
-      (
-        _: _: {
-          mesonComponentOverrides = finalAttrs: prevAttrs: {
-            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "buildprofile" ];
-            nativeBuildInputs = [ pkgs.clangbuildanalyzer ] ++ prevAttrs.nativeBuildInputs or [ ];
-            __impure = true;
-
-            env = {
-              CFLAGS = "-ftime-trace";
-              CXXFLAGS = "-ftime-trace";
-            };
-
-            preBuild = ''
-              ClangBuildAnalyzer --start $PWD
-            '';
-
-            postBuild = ''
-              ClangBuildAnalyzer --stop $PWD $buildprofile
-            '';
-          };
-        }
-      );
-
-  componentsToProfile = {
-    "nix-util" = { };
-    "nix-util-c" = { };
-    "nix-util-test-support" = { };
-    "nix-util-tests" = { };
-    "nix-store" = { };
-    "nix-store-c" = { };
-    "nix-store-test-support" = { };
-    "nix-store-tests" = { };
-    "nix-fetchers" = { };
-    "nix-fetchers-c" = { };
-    "nix-fetchers-tests" = { };
-    "nix-expr" = { };
-    "nix-expr-c" = { };
-    "nix-expr-test-support" = { };
-    "nix-expr-tests" = { };
-    "nix-flake" = { };
-    "nix-flake-c" = { };
-    "nix-flake-tests" = { };
-    "nix-main" = { };
-    "nix-main-c" = { };
-    "nix-cmd" = { };
-    "nix-cli" = { };
-  };
-
-  componentDerivationsToProfile = builtins.intersectAttrs componentsToProfile nixComponentsInstrumented;
-  componentBuildProfiles = lib.mapAttrs (
-    n: v: lib.getOutput "buildprofile" v
-  ) componentDerivationsToProfile;
-
-  buildTimeReport =
-    pkgs.runCommand "build-time-report"
-      {
-        __impure = true;
-        __structuredAttrs = true;
-        nativeBuildInputs = [ pkgs.clangbuildanalyzer ];
-        inherit componentBuildProfiles;
-      }
-      ''
-        {
-          echo "# Build time performance profile for components:"
-          echo
-          echo "This reports the build profile collected via \`-ftime-trace\` for each component."
-          echo
-        } >> $out
-
-        for name in "''\${!componentBuildProfiles[@]}"; do
-          {
-            echo "<details><summary><strong>$name</strong></summary>"
-            echo
-            echo '````'
-            ClangBuildAnalyzer --analyze "''\${componentBuildProfiles[$name]}"
-            echo '````'
-            echo
-            echo "</details>"
-          } >> $out
-        done
-      '';
-in
-
-{
-  inherit buildTimeReport;
-  inherit componentDerivationsToProfile;
-}
--- a/ci/gha/tests/default.nix
+++ b/ci/gha/tests/default.nix
@@ -1,240 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? builtins.currentSystem,
-  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
-  nixComponents ? (
-    nixFlake.lib.makeComponents {
-      inherit pkgs;
-      inherit getStdenv;
-    }
-  ),
-  getStdenv ? p: p.stdenv,
-  componentTestsPrefix ? "",
-  withSanitizers ? false,
-  withCoverage ? false,
-  ...
-}:
-
-let
-  inherit (pkgs) lib;
-  hydraJobs = nixFlake.hydraJobs;
-  packages' = nixFlake.packages.${system};
-  stdenv = (getStdenv pkgs);
-
-  collectCoverageLayer = finalAttrs: prevAttrs: {
-    env =
-      let
-        # https://clang.llvm.org/docs/SourceBasedCodeCoverage.html#the-code-coverage-workflow
-        coverageFlags = [
-          "-fprofile-instr-generate"
-          "-fcoverage-mapping"
-        ];
-      in
-      {
-        CFLAGS = toString coverageFlags;
-        CXXFLAGS = toString coverageFlags;
-      };
-
-    # Done in a pre-configure hook, because $NIX_BUILD_TOP needs to be substituted.
-    preConfigure = prevAttrs.preConfigure or "" + ''
-      mappingFlag=" -fcoverage-prefix-map=$NIX_BUILD_TOP/${finalAttrs.src.name}=${finalAttrs.src}"
-      CFLAGS+="$mappingFlag"
-      CXXFLAGS+="$mappingFlag"
-    '';
-  };
-
-  componentOverrides = (lib.optional withCoverage collectCoverageLayer);
-in
-
-rec {
-  nixComponentsInstrumented = nixComponents.overrideScope (
-    final: prev: {
-      withASan = withSanitizers;
-      withUBSan = withSanitizers;
-
-      nix-store-tests = prev.nix-store-tests.override { withBenchmarks = true; };
-      # Boehm is incompatible with ASAN.
-      nix-expr = prev.nix-expr.override { enableGC = !withSanitizers; };
-
-      mesonComponentOverrides = lib.composeManyExtensions componentOverrides;
-      # Unclear how to make Perl bindings work with a dynamically linked ASAN.
-      nix-perl-bindings = if withSanitizers then null else prev.nix-perl-bindings;
-    }
-  );
-
-  # Import NixOS tests using the instrumented components
-  nixosTests = import ../../../tests/nixos {
-    inherit lib pkgs;
-    nixComponents = nixComponentsInstrumented;
-    nixpkgs = nixFlake.inputs.nixpkgs;
-    inherit (nixFlake.inputs) nixpkgs-23-11;
-  };
-
-  /**
-    Top-level tests for the flake outputs, as they would be built by hydra.
-    These tests generally can't be overridden to run with sanitizers.
-  */
-  topLevel = {
-    installerScriptForGHA = hydraJobs.installerScriptForGHA.${system};
-    installTests = hydraJobs.installTests.${system};
-    nixpkgsLibTests = hydraJobs.tests.nixpkgsLibTests.${system};
-    rl-next = pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
-      LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${../../../doc/manual/rl-next} >$out
-    '';
-    repl-completion = pkgs.callPackage ../../../tests/repl-completion.nix { inherit (packages') nix; };
-
-    /**
-      Checks for our packaging expressions.
-      This shouldn't build anything significant; just check that things
-      (including derivations) are _set up_ correctly.
-    */
-    packaging-overriding =
-      let
-        nix = packages'.nix;
-      in
-      assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
-      if pkgs.stdenv.buildPlatform.isDarwin then
-        lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
-      else
-        # If this fails, something might be wrong with how we've wired the scope,
-        # or something could be broken in Nixpkgs.
-        pkgs.testers.testEqualContents {
-          assertion = "trivial patch does not change source contents";
-          expected = "${../../..}";
-          actual =
-            # Same for all components; nix-util is an arbitrary pick
-            (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
-        };
-  };
-
-  componentTests =
-    (lib.concatMapAttrs (
-      pkgName: pkg:
-      lib.concatMapAttrs (testName: test: {
-        "${componentTestsPrefix}${pkgName}-${testName}" = test;
-      }) (pkg.tests or { })
-    ) nixComponentsInstrumented)
-    // lib.optionalAttrs (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) {
-      "${componentTestsPrefix}nix-functional-tests" = nixComponentsInstrumented.nix-functional-tests;
-      "${componentTestsPrefix}nix-json-schema-checks" = nixComponentsInstrumented.nix-json-schema-checks;
-    };
-
-  codeCoverage =
-    let
-      componentsTestsToProfile =
-        (builtins.mapAttrs (n: v: nixComponentsInstrumented.${n}.tests.run) {
-          "nix-util-tests" = { };
-          "nix-store-tests" = { };
-          "nix-fetchers-tests" = { };
-          "nix-expr-tests" = { };
-          "nix-flake-tests" = { };
-        })
-        // {
-          inherit (nixComponentsInstrumented) nix-functional-tests;
-        };
-
-      coverageProfileDrvs = lib.mapAttrs (
-        n: v:
-        v.overrideAttrs (
-          finalAttrs: prevAttrs: {
-            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "profraw" ];
-            env = {
-              LLVM_PROFILE_FILE = "${placeholder "profraw"}/%m";
-            };
-          }
-        )
-      ) componentsTestsToProfile;
-
-      coverageProfiles = lib.mapAttrsToList (n: v: lib.getOutput "profraw" v) coverageProfileDrvs;
-
-      mergedProfdata =
-        pkgs.runCommand "merged-profdata"
-          {
-            __structuredAttrs = true;
-            nativeBuildInputs = [ pkgs.llvmPackages.libllvm ];
-            inherit coverageProfiles;
-          }
-          ''
-            rawProfiles=()
-            for dir in "''\${coverageProfiles[@]}"; do
-              rawProfiles+=($dir/*)
-            done
-            llvm-profdata merge -sparse -output $out "''\${rawProfiles[@]}"
-          '';
-
-      coverageReports =
-        let
-          nixComponentDrvs = lib.filter (lib.isDerivation) (lib.attrValues nixComponentsInstrumented);
-        in
-        pkgs.runCommand "code-coverage-report"
-          {
-            nativeBuildInputs = [
-              pkgs.llvmPackages.libllvm
-              pkgs.jq
-            ];
-            __structuredAttrs = true;
-            nixComponents = nixComponentDrvs;
-          }
-          ''
-            # ${toString (lib.map (v: v.src) nixComponentDrvs)}
-
-            binaryFiles=()
-            for dir in "''\${nixComponents[@]}"; do
-              readarray -t filesInDir < <(find "$dir" -type f -executable)
-              binaryFiles+=("''\${filesInDir[@]}")
-            done
-
-            arguments=$(concatStringsSep " -object " binaryFiles)
-            llvm-cov show $arguments -instr-profile ${mergedProfdata} -output-dir $out -format=html
-
-            {
-              echo "# Code coverage summary (generated via \`llvm-cov\`):"
-              echo
-              echo '```'
-              llvm-cov report $arguments -instr-profile ${mergedProfdata} -format=text -use-color=false
-              echo '```'
-              echo
-            } >> $out/index.txt
-
-            llvm-cov export $arguments -instr-profile ${mergedProfdata} -format=text > $out/coverage.json
-
-            mkdir -p $out/nix-support
-
-            coverageTotals=$(jq ".data[0].totals" $out/coverage.json)
-
-            # Mostly inline from pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh [1],
-            # which we can't use here, because we rely on LLVM's infra for source code coverage collection.
-            # [1]: https://github.com/NixOS/nixpkgs/blob/67bb48c4c8e327417d6d5aa7e538244b209e852b/pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh#L16
-            declare -A metricsArray=(["lineCoverage"]="lines" ["functionCoverage"]="functions" ["branchCoverage"]="branches")
-
-            for metricName in "''\${!metricsArray[@]}"; do
-              key="''\${metricsArray[$metricName]}"
-              metric=$(echo "$coverageTotals" | jq ".$key.percent * 10 | round / 10")
-              echo "$metricName $metric %" >> $out/nix-support/hydra-metrics
-            done
-
-            echo "report coverage $out" >> $out/nix-support/hydra-build-products
-          '';
-    in
-    assert withCoverage;
-    assert stdenv.cc.isClang;
-    {
-      inherit coverageProfileDrvs mergedProfdata coverageReports;
-    };
-
-  vmTests = {
-    inherit (nixosTests) s3-binary-cache-store;
-  }
-  // lib.optionalAttrs (!withSanitizers && !withCoverage) {
-    # evalNixpkgs uses non-instrumented components from hydraJobs, so only run it
-    # when not testing with sanitizers to avoid rebuilding nix
-    inherit (hydraJobs.tests) evalNixpkgs;
-    # FIXME: CI times out when building vm tests instrumented
-    inherit (nixosTests)
-      functional_user
-      githubFlakes
-      nix-docker
-      tarballFlakes
-      ;
-  };
-}
--- a/ci/gha/tests/pre-commit-checks
+++ b/ci/gha/tests/pre-commit-checks
@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-system=$(nix eval --raw --impure --expr builtins.currentSystem)
-
-echo "::group::Running pre-commit checks"
-
-if nix build ".#checks.$system.pre-commit" -L; then
-    echo "::endgroup::"
-    exit 0
-fi
-
-echo "::error ::Changes do not pass pre-commit checks"
-
-cat <<EOF
-The code isn't formatted or doesn't pass lints. You can run pre-commit locally with:
-
-    nix develop -c ./maintainers/format.sh
-EOF
-
-echo "::endgroup::"
-
-exit 1
--- a/ci/gha/tests/wrapper.nix
+++ b/ci/gha/tests/wrapper.nix
@@ -1,16 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? builtins.currentSystem,
-  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
-  stdenv ? "stdenv",
-  componentTestsPrefix ? "",
-  withInstrumentation ? false,
-}@args:
-import ./. (
-  args
-  // {
-    getStdenv = p: p.${stdenv};
-    withSanitizers = withInstrumentation;
-    withCoverage = withInstrumentation;
-  }
-)
--- a/doc/manual/generate-deps.py
+++ b/doc/manual/generate-deps.py
@@ -14,7 +14,7 @@ import sys
 # literally. since the rules for these aren't even the same for
 # all three we will just fail when we encounter any of them (if
 # asserts are off for some reason the depfile will likely point
-# to nonexistent paths, making everything phony and thus fine.)
+# to nonexistant paths, making everything phony and thus fine.)
 for path in glob.glob(sys.argv[1] + '/**', recursive=True):
    assert '\\' not in path
    assert ' ' not in path
--- a/doc/manual/generate-store-info.nix
+++ b/doc/manual/generate-store-info.nix
@@ -33,7 +33,6 @@ let
    {
      settings,
      doc,
-      uri-schemes,
      experimentalFeature,
    }:
    let
--- a/doc/manual/meson.build
+++ b/doc/manual/meson.build
@@ -1,5 +1,4 @@
-project(
-  'nix-manual',
+project('nix-manual',
  version : files('.version'),
  meson_version : '>= 1.1',
  license : 'LGPL-2.1-or-later',
@@ -9,45 +8,43 @@ nix = find_program('nix', native : true)

 mdbook = find_program('mdbook', native : true)
 bash = find_program('bash', native : true)
-rsync = find_program('rsync', required : true, native : true)

 pymod = import('python')
 python = pymod.find_installation('python3')

 nix_env_for_docs = {
-  'HOME' : '/dummy',
-  'NIX_CONF_DIR' : '/dummy',
-  'NIX_SSL_CERT_FILE' : '/dummy/no-ca-bundle.crt',
-  'NIX_STATE_DIR' : '/dummy',
-  'NIX_CONFIG' : 'cores = 0',
+  'HOME': '/dummy',
+  'NIX_CONF_DIR': '/dummy',
+  'NIX_SSL_CERT_FILE': '/dummy/no-ca-bundle.crt',
+  'NIX_STATE_DIR': '/dummy',
+  'NIX_CONFIG': 'cores = 0',
 }

-nix_for_docs = [ nix, '--experimental-features', 'nix-command' ]
+nix_for_docs = [nix, '--experimental-features', 'nix-command']
 nix_eval_for_docs_common = nix_for_docs + [
  'eval',
-  '-I',
-  'nix=' + meson.current_source_dir(),
+  '-I', 'nix=' + meson.current_source_dir(),
  '--store', 'dummy://',
  '--impure',
 ]
 nix_eval_for_docs = nix_eval_for_docs_common + '--raw'

 conf_file_json = custom_target(
-  command : nix_for_docs + [ 'config', 'show', '--json' ],
+  command : nix_for_docs + ['config', 'show', '--json'],
  capture : true,
  output : 'conf-file.json',
  env : nix_env_for_docs,
 )

 language_json = custom_target(
-  command : [ nix, '__dump-language' ],
+  command: [nix, '__dump-language'],
  output : 'language.json',
  capture : true,
  env : nix_env_for_docs,
 )

 nix3_cli_json = custom_target(
-  command : [ nix, '__dump-cli' ],
+  command : [nix, '__dump-cli'],
  capture : true,
  output : 'nix.json',
  env : nix_env_for_docs,
@@ -70,7 +67,7 @@ subdir('source/release-notes')
 subdir('source')

 # Hacky way to figure out if `nix` is an `ExternalProgram` or
-# `Executable`. Only the latter can occur in custom target input lists.
+# `Exectuable`. Only the latter can occur in custom target input lists.
 if nix.full_path().startswith(meson.build_root())
  nix_input = nix
 else
@@ -81,14 +78,13 @@ manual = custom_target(
  'manual',
  command : [
    bash,
-    '-euo',
-    'pipefail',
+    '-euo', 'pipefail',
    '-c',
    '''
        @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
        @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
        sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
-        @4@ -r -L --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
+        rsync -r --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
        (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
        rm -rf @2@/manual
        mv @2@/html @2@/manual
@@ -98,7 +94,6 @@ manual = custom_target(
      mdbook.full_path(),
      meson.current_build_dir(),
      meson.project_version(),
-      rsync.full_path(),
    ),
  ],
  input : [
@@ -115,7 +110,6 @@ manual = custom_target(
    builtins_md,
    rl_next_generated,
    summary_rl_next,
-    json_schema_generated_files,
    nix_input,
  ],
  output : [
@@ -124,8 +118,8 @@ manual = custom_target(
  ],
  depfile : 'manual.d',
  env : {
-    'RUST_LOG' : 'info',
-    'MDBOOK_SUBSTITUTE_SEARCH' : meson.current_build_dir() / 'source',
+    'RUST_LOG': 'info',
+    'MDBOOK_SUBSTITUTE_SEARCH': meson.current_build_dir() / 'source',
  },
 )
 manual_html = manual[0]
@@ -137,8 +131,7 @@ install_subdir(
 )

 nix_nested_manpages = [
-  [
-    'nix-env',
+  [ 'nix-env',
    [
      'delete-generations',
      'install',
@@ -153,8 +146,7 @@ nix_nested_manpages = [
      'upgrade',
    ],
  ],
-  [
-    'nix-store',
+  [ 'nix-store',
    [
      'add-fixed',
      'add',
@@ -254,11 +246,11 @@ nix3_manpages = [
  'nix3-nar',
  'nix3-path-info',
  'nix3-print-dev-env',
-  'nix3-profile',
-  'nix3-profile-add',
  'nix3-profile-diff-closures',
  'nix3-profile-history',
+  'nix3-profile-install',
  'nix3-profile-list',
+  'nix3-profile',
  'nix3-profile-remove',
  'nix3-profile-rollback',
  'nix3-profile-upgrade',
@@ -289,6 +281,7 @@ nix3_manpages = [
  'nix3-store',
  'nix3-store-optimise',
  'nix3-store-path-from-hash-part',
+  'nix3-store-ping',
  'nix3-store-prefetch-file',
  'nix3-store-repair',
  'nix3-store-sign',
--- a/doc/manual/package.nix
+++ b/doc/manual/package.nix
@@ -11,9 +11,6 @@
  python3,
  rsync,
  nix-cli,
-  changelog-d,
-  json-schema-for-humans,
-  officialRelease,

  # Configuration Options

@@ -33,13 +30,6 @@ mkMesonDerivation (finalAttrs: {
    fileset.difference
      (fileset.unions [
        ../../.version
-        # For example JSON
-        ../../src/libutil-tests/data/hash
-        ../../src/libstore-tests/data/content-address
-        ../../src/libstore-tests/data/store-path
-        ../../src/libstore-tests/data/derived-path
-        ../../src/libstore-tests/data/path-info
-        ../../src/libstore-tests/data/nar-info
        # Too many different types of files to filter for now
        ../../doc/manual
        ./.
@@ -63,14 +53,6 @@ mkMesonDerivation (finalAttrs: {
    jq
    python3
    rsync
-    json-schema-for-humans
-    changelog-d
-  ]
-  ++ lib.optionals (!officialRelease) [
-    # When not an official release, we likely have changelog entries that have
-    # yet to be rendered.
-    # When released, these are rendered into a committed file to save a dependency.
-    changelog-d
  ];

  nativeBuildInputs = finalAttrs.passthru.externalNativeBuildInputs ++ [
--- a/doc/manual/redirects.js
+++ b/doc/manual/redirects.js
@@ -374,7 +374,6 @@ const redirects = {
  },
  "glossary.html": {
    "gloss-local-store": "store/types/local-store.html",
-    "package-attribute-set": "#package",
    "gloss-chroot-store": "store/types/local-store.html",
    "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation",
  },
--- a/doc/manual/rl-next/curl-cloexec.md
+++ b/doc/manual/rl-next/curl-cloexec.md
@@ -0,0 +1,10 @@
+---
+synopsis: Set FD_CLOEXEC on sockets created by curl
+issues: []
+prs: [12439]
+---
+
+
+Curl creates sockets without setting FD_CLOEXEC/SOCK_CLOEXEC, this can cause connections to remain open forever when using commands like `nix shell`
+
+This change sets the FD_CLOEXEC flag using a CURLOPT_SOCKOPTFUNCTION callback.
--- a/doc/manual/rl-next/git-lfs-support.md
+++ b/doc/manual/rl-next/git-lfs-support.md
@@ -0,0 +1,18 @@
+---
+synopsis: "Git LFS support"
+prs: [10153, 12468]
+---
+
+The Git fetcher now supports Large File Storage (LFS). This can be enabled by passing the attribute `lfs = true` to the fetcher, e.g.
+```console
+nix flake prefetch 'git+ssh://git@github.com/Apress/repo-with-large-file-storage.git?lfs=1'
+```
+
+A flake can also declare that it requires lfs to be enabled:
+```
+{
+  inputs.self.lfs = true;
+}
+```
+
+Author: [**@b-camacho**](https://github.com/b-camacho), [**@kip93**](https://github.com/kip93)
--- a/doc/manual/rl-next/s3-curl-implementation.md
+++ b/doc/manual/rl-next/s3-curl-implementation.md
@@ -1,26 +0,0 @@
---
-synopsis: "Improved S3 binary cache support via HTTP"
-prs: [13823, 14026, 14120, 14131, 14135, 14144, 14170, 14190, 14198, 14206, 14209, 14222, 14223, 13752]
-issues: [13084, 12671, 11748, 12403]
---
-
-S3 binary cache operations now happen via HTTP, leveraging `libcurl`'s native
-AWS SigV4 authentication instead of the AWS C++ SDK, providing significant
-improvements:
-
- **Reduced memory usage**: Eliminates memory buffering issues that caused
-  segfaults with large files
- **Fixed upload reliability**: Resolves AWS SDK chunking errors
-  (`InvalidChunkSizeError`)
- **Lighter dependencies**: Uses lightweight `aws-crt-cpp` instead of full
-  `aws-cpp-sdk`, reducing build complexity
-
-The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential
-management.
-
-All existing S3 URL formats and parameters remain supported, with the notable
-exception of multi-part uploads, which are no longer supported.
-
-Note that this change also means Nix now supports S3 binary cache stores even
-if build without `aws-crt-cpp`, but only for public buckets which do not
-require auth.
--- a/doc/manual/rl-next/s3-object-versioning.md
+++ b/doc/manual/rl-next/s3-object-versioning.md
@@ -1,14 +0,0 @@
---
-synopsis: "S3 URLs now support object versioning via versionId parameter"
-prs: [14274]
-issues: [13955]
---
-
-S3 URLs now support a `versionId` query parameter to fetch specific versions
-of objects from S3 buckets with versioning enabled. This allows pinning to
-exact object versions for reproducibility and protection against unexpected
-changes:
-
-```
-s3://bucket/key?region=us-east-1&versionId=abc123def456
-```
--- a/doc/manual/rl-next/self-submodules-attr.md
+++ b/doc/manual/rl-next/self-submodules-attr.md
@@ -0,0 +1,12 @@
+---
+synopsis: "`inputs.self.submodules` flake attribute"
+prs: [12421]
+---
+
+Flakes in Git repositories can now declare that they need Git submodules to be enabled:
+```
+{
+  inputs.self.submodules = true;
+}
+```
+Thus, it's no longer needed for the caller of the flake to pass `submodules = true`.
--- a/doc/manual/source/SUMMARY.md.in
+++ b/doc/manual/source/SUMMARY.md.in
@@ -22,10 +22,7 @@
  - [Store Object](store/store-object.md)
    - [Content-Addressing Store Objects](store/store-object/content-address.md)
  - [Store Path](store/store-path.md)
-  - [Store Derivation and Deriving Path](store/derivation/index.md)
-    - [Derivation Outputs and Types of Derivations](store/derivation/outputs/index.md)
-      - [Content-addressing derivation outputs](store/derivation/outputs/content-address.md)
-      - [Input-addressing derivation outputs](store/derivation/outputs/input-address.md)
+  - [Store Derivation and Deriving Path](store/drv.md)
  - [Building](store/building.md)
  - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
@@ -33,7 +30,6 @@
  - [Data Types](language/types.md)
    - [String context](language/string-context.md)
  - [Syntax and semantics](language/syntax.md)
-    - [Evaluation](language/evaluation.md)
    - [Variables](language/variables.md)
    - [String literals](language/string-literals.md)
    - [Identifiers](language/identifiers.md)
@@ -57,7 +53,6 @@
  - [Tuning Cores and Jobs](advanced-topics/cores-vs-jobs.md)
  - [Verifying Build Reproducibility](advanced-topics/diff-hook.md)
  - [Using the `post-build-hook`](advanced-topics/post-build-hook.md)
-  - [Evaluation profiler](advanced-topics/eval-profiler.md)
 - [Command Reference](command-ref/index.md)
  - [Common Options](command-ref/opt-common.md)
  - [Common Environment Variables](command-ref/env-common.md)
@@ -117,12 +112,8 @@
 - [Architecture and Design](architecture/architecture.md)
 - [Formats and Protocols](protocols/index.md)
  - [JSON Formats](protocols/json/index.md)
-    - [Hash](protocols/json/hash.md)
-    - [Content Address](protocols/json/content-address.md)
-    - [Store Path](protocols/json/store-path.md)
    - [Store Object Info](protocols/json/store-object-info.md)
    - [Derivation](protocols/json/derivation.md)
-    - [Deriving Path](protocols/json/deriving-path.md)
  - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
  - [Store Path Specification](protocols/store-path.md)
  - [Nix Archive (NAR) Format](protocols/nix-archive.md)
@@ -132,7 +123,6 @@
 - [Development](development/index.md)
  - [Building](development/building.md)
  - [Testing](development/testing.md)
-  - [Benchmarking](development/benchmarking.md)
  - [Debugging](development/debugging.md)
  - [Documentation](development/documentation.md)
  - [CLI guideline](development/cli-guideline.md)
@@ -142,12 +132,6 @@
  - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
-  - [Release 2.32 (2025-10-06)](release-notes/rl-2.32.md)
-  - [Release 2.31 (2025-08-21)](release-notes/rl-2.31.md)
-  - [Release 2.30 (2025-07-07)](release-notes/rl-2.30.md)
-  - [Release 2.29 (2025-05-14)](release-notes/rl-2.29.md)
-  - [Release 2.28 (2025-04-02)](release-notes/rl-2.28.md)
-  - [Release 2.27 (2025-03-03)](release-notes/rl-2.27.md)
  - [Release 2.26 (2025-01-22)](release-notes/rl-2.26.md)
  - [Release 2.25 (2024-11-07)](release-notes/rl-2.25.md)
  - [Release 2.24 (2024-07-31)](release-notes/rl-2.24.md)
--- a/doc/manual/source/advanced-topics/distributed-builds.md
+++ b/doc/manual/source/advanced-topics/distributed-builds.md
@@ -20,14 +20,14 @@ For a local machine to forward a build to a remote machine, the remote machine m

 ## Testing

-To test connecting to a remote [Nix instance] (in this case `mac`), run:
+To test connecting to a remote Nix instance (in this case `mac`), run:

 ```console
 nix store info --store ssh://username@mac
 ```

 To specify an SSH identity file as part of the remote store URI add a
-query parameter, e.g.
+query paramater, e.g.

 ```console
 nix store info --store ssh://username@mac?ssh-key=/home/alice/my-key
@@ -106,5 +106,3 @@ file included in `builders` via the syntax `@/path/to/file`. For example,

 causes the list of machines in `/etc/nix/machines` to be included.
 (This is the default.)
-
-[Nix instance]: @docroot@/glossary.md#gloss-nix-instance
--- a/doc/manual/source/advanced-topics/eval-profiler.md
+++ b/doc/manual/source/advanced-topics/eval-profiler.md
@@ -1,33 +0,0 @@
-# Using the `eval-profiler`
-
-Nix evaluator supports [evaluation](@docroot@/language/evaluation.md)
-[profiling](<https://en.wikipedia.org/wiki/Profiling_(computer_programming)>)
-compatible with `flamegraph.pl`. The profiler samples the nix
-function call stack at regular intervals. It can be enabled with the
-[`eval-profiler`](@docroot@/command-ref/conf-file.md#conf-eval-profiler)
-setting:
-
-```console
-$ nix-instantiate "<nixpkgs>" -A hello --eval-profiler flamegraph
-```
-
-Stack sampling frequency and the output file path can be configured with
-[`eval-profile-file`](@docroot@/command-ref/conf-file.md#conf-eval-profile-file)
-and [`eval-profiler-frequency`](@docroot@/command-ref/conf-file.md#conf-eval-profiler-frequency).
-By default the collected profile is saved to `nix.profile` file in the current working directory.
-
-The collected profile can be directly consumed by `flamegraph.pl`:
-
-```console
-$ flamegraph.pl nix.profile > flamegraph.svg
-```
-
-The line information in the profile contains the location of the [call
-site](https://en.wikipedia.org/wiki/Call_site) position and the name of the
-function being called (when available). For example:
-
-```
-/nix/store/x9wnkly3k1gkq580m90jjn32q9f05q2v-source/pkgs/top-level/default.nix:167:5:primop import
-```
-
-Here `import` primop is called at `/nix/store/x9wnkly3k1gkq580m90jjn32q9f05q2v-source/pkgs/top-level/default.nix:167:5`.
--- a/doc/manual/source/architecture/architecture.md
+++ b/doc/manual/source/architecture/architecture.md
@@ -22,9 +22,9 @@ The following [concept map] shows its main components (rectangles), the objects
           |                   |
 +----------|-------------------|--------------------------------+
 | Nix      |                   V                                |
-|          |       +------------------------+                   |
-|          |       | command line interface |------.            |
-|          |       +------------------------+      |            |
+|          |      +-------------------------+                   |
+|          |      | commmand line interface |------.            |
+|          |      +-------------------------+      |            |
 |          |                   |                   |            |
 |    evaluated by            calls              manages         |
 |          |                   |                   |            |
--- a/doc/manual/source/command-ref/env-common.md
+++ b/doc/manual/source/command-ref/env-common.md
@@ -75,7 +75,7 @@ Most Nix commands interpret the following environment variables:
 - <span id="env-NIX_CONF_DIR">[`NIX_CONF_DIR`](#env-NIX_CONF_DIR)</span>

  Overrides the location of the system Nix configuration directory
-  (default `sysconfdir/nix`, i.e. `/etc/nix` on most systems).
+  (default `prefix/etc/nix`).

 - <span id="env-NIX_CONFIG">[`NIX_CONFIG`](#env-NIX_CONFIG)</span>

--- a/doc/manual/source/command-ref/meson.build
+++ b/doc/manual/source/command-ref/meson.build
@@ -1,13 +1,13 @@
 xp_features_json = custom_target(
-  command : [ nix, '__dump-xp-features' ],
+  command : [nix, '__dump-xp-features'],
  capture : true,
  output : 'xp-features.json',
-  env : nix_env_for_docs,
 )

 experimental_features_shortlist_md = custom_target(
  command : nix_eval_for_docs + [
-    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr',
+    'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
  ],
  input : [
    '../../generate-xp-features-shortlist.nix',
@@ -19,8 +19,14 @@ experimental_features_shortlist_md = custom_target(
 )

 nix3_cli_files = custom_target(
-  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
-    '--expr', 'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
+  command : [
+    python.full_path(),
+    '@INPUT0@',
+    '@OUTPUT@',
+    '--'
+  ] + nix_eval_for_docs + [
+    '--expr',
+    'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
  ],
  input : [
    '../../remove_before_wrapper.py',
@@ -34,7 +40,8 @@ nix3_cli_files = custom_target(
 conf_file_md_body = custom_target(
  command : [
    nix_eval_for_docs,
-    '--expr', 'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr',
+    'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
  ],
  capture : true,
  input : [
--- a/doc/manual/source/command-ref/nix-channel.md
+++ b/doc/manual/source/command-ref/nix-channel.md
@@ -53,11 +53,6 @@ This command has the following operations:
  Download the Nix expressions of subscribed channels and create a new generation.
  Update all channels if none is specified, and only those included in *names* otherwise.

-  > **Note**
-  >
-  > Downloaded channel contents are cached.
-  > Use `--tarball-ttl` or the [`tarball-ttl` configuration option](@docroot@/command-ref/conf-file.md#conf-tarball-ttl) to change the validity period of cached downloads.
-
 - `--list-generations`

  Prints a list of all the current existing generations for the
--- a/doc/manual/source/command-ref/nix-env/delete-generations.md
+++ b/doc/manual/source/command-ref/nix-env/delete-generations.md
@@ -27,7 +27,7 @@ This operation deletes the specified generations of the current profile.
  >
  > Older *and newer* generations will be deleted by this operation.
  >
-  > One might expect this to just delete older generations than the current one, but that is only true if the current generation is also the latest.
+  > One might expect this to just delete older generations than the curent one, but that is only true if the current generation is also the latest.
  > Because one can roll back to a previous generation, it is possible to have generations newer than the current one.
  > They will also be deleted.

--- a/doc/manual/source/command-ref/nix-shell.md
+++ b/doc/manual/source/command-ref/nix-shell.md
@@ -242,21 +242,16 @@ print(t)
 ```

 Similarly, the following is a Perl script that specifies that it
-requires Perl and the `HTML::TokeParser::Simple`, `LWP` and
-`LWP::Protocol::Https` packages:
+requires Perl and the `HTML::TokeParser::Simple` and `LWP` packages:

 ```perl
 #! /usr/bin/env nix-shell
-#! nix-shell -i perl 
-#! nix-shell --packages perl 
-#! nix-shell --packages perlPackages.HTMLTokeParserSimple 
-#! nix-shell --packages perlPackages.LWP
-#! nix-shell --packages perlPackages.LWPProtocolHttps
+#! nix-shell -i perl --packages perl perlPackages.HTMLTokeParserSimple perlPackages.LWP

 use HTML::TokeParser::Simple;

 # Fetch nixos.org and print all hrefs.
-my $p = HTML::TokeParser::Simple->new(url => 'https://nixos.org/');
+my $p = HTML::TokeParser::Simple->new(url => 'http://nixos.org/');

 while (my $token = $p->get_tag("a")) {
    my $href = $token->get_attr("href");
@@ -321,7 +316,7 @@ contains:
 ```nix
 with import <nixpkgs> {};

-runCommand "dummy" { buildInputs = [ python3 python3Packages.prettytable ]; } ""
+runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } ""
 ```

 The script's file name is passed as the first argument to the interpreter specified by the `-i` flag.
--- a/doc/manual/source/command-ref/nix-store/gc.md
+++ b/doc/manual/source/command-ref/nix-store/gc.md
@@ -48,7 +48,8 @@ The behaviour of the collector is also influenced by the
 configuration file.

 By default, the collector prints the total number of freed bytes when it
-finishes (or when it is interrupted).
+finishes (or when it is interrupted). With `--print-dead`, it prints the
+number of bytes that would be freed.

 {{#include ./opt-common.md}}

--- a/doc/manual/source/command-ref/nix-store/query.md
+++ b/doc/manual/source/command-ref/nix-store/query.md
@@ -45,19 +45,10 @@ symlink.

  [output paths]: @docroot@/glossary.md#gloss-output-path

- `--references`
-
-  Prints the set of [references] of the store paths
-  *paths*, that is, their immediate dependencies. (For *all*
-  dependencies, use `--requisites`.)
-
-  [references]: @docroot@/glossary.md#gloss-reference
-
 - `--requisites` / `-R`

-  Prints out the set of [*requisites*][requisite] (better known as the [closure]) of the store path *paths*.
+  Prints out the [closure] of the store path *paths*.

-  [requisite]: @docroot@/glossary.md#gloss-requisite
  [closure]: @docroot@/glossary.md#gloss-closure

  This query has one option:
@@ -74,25 +65,29 @@ symlink.
  dependencies) is obtained by distributing the closure of a store
  derivation and specifying the option `--include-outputs`.

+- `--references`
+
+  Prints the set of [references] of the store paths
+  *paths*, that is, their immediate dependencies. (For *all*
+  dependencies, use `--requisites`.)
+
+  [references]: @docroot@/glossary.md#gloss-reference
+
 - `--referrers`

-  Prints the set of [*referrers*][referrer] of the store paths *paths*, that is,
+  Prints the set of *referrers* of the store paths *paths*, that is,
  the store paths currently existing in the Nix store that refer to
  one of *paths*. Note that contrary to the references, the set of
  referrers is not constant; it can change as store paths are added or
  removed.

-  [referrer]: @docroot@/glossary.md#gloss-referrer
-
 - `--referrers-closure`

  Prints the closure of the set of store paths *paths* under the
-  [referrers relation][referrer]; that is, all store paths that directly or
+  referrers relation; that is, all store paths that directly or
  indirectly refer to one of *paths*. These are all the path currently
  in the Nix store that are dependent on *paths*.

-  [referrer]: @docroot@/glossary.md#gloss-referrer
-
 - `--deriver` / `-d`

  Prints the [deriver] that was used to build the store paths *paths*. If
--- a/doc/manual/source/development/benchmarking.md
+++ b/doc/manual/source/development/benchmarking.md
@@ -1,187 +0,0 @@
-# Running Benchmarks
-
-This guide explains how to build and run performance benchmarks in the Nix codebase.
-
-## Overview
-
-Nix uses the [Google Benchmark](https://github.com/google/benchmark) framework for performance testing. Benchmarks help measure and track the performance of critical operations like derivation parsing.
-
-## Building Benchmarks
-
-Benchmarks are disabled by default and must be explicitly enabled during the build configuration. For accurate results, use a debug-optimized release build.
-
-### Development Environment Setup
-
-First, enter the development shell which includes the necessary dependencies:
-
-```bash
-nix develop .#native-ccacheStdenv
-```
-
-### Configure Build with Benchmarks
-
-From the project root, configure the build with benchmarks enabled and optimization:
-
-```bash
-cd build
-meson configure -Dbenchmarks=true -Dbuildtype=debugoptimized
-```
-
-The `debugoptimized` build type provides:
- Compiler optimizations for realistic performance measurements
- Debug symbols for profiling and analysis
- Balance between performance and debuggability
-
-### Build the Benchmarks
-
-Build the project including benchmarks:
-
-```bash
-ninja
-```
-
-This will create benchmark executables in the build directory. Currently available:
- `build/src/libstore-tests/nix-store-benchmarks` - Store-related performance benchmarks
-
-Additional benchmark executables will be created as more benchmarks are added to the codebase.
-
-## Running Benchmarks
-
-### Basic Usage
-
-Run benchmark executables directly. For example, to run store benchmarks:
-
-```bash
-./build/src/libstore-tests/nix-store-benchmarks
-```
-
-As more benchmark executables are added, run them similarly from their respective build directories.
-
-### Filtering Benchmarks
-
-Run specific benchmarks using regex patterns:
-
-```bash
-# Run only derivation parser benchmarks
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter="derivation.*"
-
-# Run only benchmarks for hello.drv
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter=".*hello.*"
-```
-
-### Output Formats
-
-Generate benchmark results in different formats:
-
-```bash
-# JSON output
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > results.json
-
-# CSV output
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=csv > results.csv
-```
-
-### Advanced Options
-
-```bash
-# Run benchmarks multiple times for better statistics
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_repetitions=10
-
-# Set minimum benchmark time (useful for micro-benchmarks)
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_min_time=2
-
-# Compare against baseline
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
-
-# Display time in custom units
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_time_unit=ms
-```
-
-## Writing New Benchmarks
-
-To add new benchmarks:
-
-1. Create a new `.cc` file in the appropriate `*-tests` directory
-2. Include the benchmark header:
-   ```cpp
-   #include <benchmark/benchmark.h>
-   ```
-
-3. Write benchmark functions:
-   ```cpp
-   static void BM_YourBenchmark(benchmark::State & state)
-   {
-       // Setup code here
-
-       for (auto _ : state) {
-           // Code to benchmark
-       }
-   }
-   BENCHMARK(BM_YourBenchmark);
-   ```
-
-4. Add the file to the corresponding `meson.build`:
-   ```meson
-   benchmarks_sources = files(
-       'your-benchmark.cc',
-       # existing benchmarks...
-   )
-   ```
-
-## Profiling with Benchmarks
-
-For deeper performance analysis, combine benchmarks with profiling tools:
-
-```bash
-# Using Linux perf
-perf record ./build/src/libstore-tests/nix-store-benchmarks
-perf report
-```
-
-### Using Valgrind Callgrind
-
-Valgrind's callgrind tool provides detailed profiling information that can be visualized with kcachegrind:
-
-```bash
-# Profile with callgrind
-valgrind --tool=callgrind ./build/src/libstore-tests/nix-store-benchmarks
-
-# Visualize the results with kcachegrind
-kcachegrind callgrind.out.*
-```
-
-This provides:
- Function call graphs
- Instruction-level profiling
- Source code annotation
- Interactive visualization of performance bottlenecks
-
-## Continuous Performance Testing
-
-```bash
-# Save baseline results
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > baseline.json
-
-# Compare against baseline in CI
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
-```
-
-## Troubleshooting
-
-### Benchmarks not building
-
-Ensure benchmarks are enabled:
-```bash
-meson configure build | grep benchmarks
-# Should show: benchmarks true
-```
-
-### Inconsistent results
-
- Ensure your system is not under heavy load
- Disable CPU frequency scaling for consistent results
- Run benchmarks multiple times with `--benchmark_repetitions`
-
-## See Also
-
- [Google Benchmark documentation](https://github.com/google/benchmark/blob/main/docs/user_guide.md)
--- a/doc/manual/source/development/building.md
+++ b/doc/manual/source/development/building.md
@@ -23,7 +23,7 @@ $ nix-shell
 To get a shell with one of the other [supported compilation environments](#compilation-environments):

 ```console
-$ nix-shell --attr devShells.x86_64-linux.native-clangStdenv
+$ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
 ```

 > **Note**
@@ -34,7 +34,7 @@ $ nix-shell --attr devShells.x86_64-linux.native-clangStdenv
 To build Nix itself in this shell:

 ```console
-[nix-shell]$ out="$(pwd)/outputs/out" dev=$out debug=$out mesonFlags+=" --prefix=${out}"
+[nix-shell]$ mesonFlags+=" --prefix=$(pwd)/outputs/out"
 [nix-shell]$ dontAddPrefix=1 configurePhase
 [nix-shell]$ buildPhase
 ```
@@ -195,38 +195,28 @@ Nix uses a string with the following format to identify the *system type* or *pl
 <cpu>-<os>[-<abi>]
 ```

-It is set when Nix is compiled for the given system, and based on the output of Meson's [`host_machine` information](https://mesonbuild.com/Reference-manual_builtin_host_machine.html)>
+It is set when Nix is compiled for the given system, and based on the output of [`config.guess`](https://github.com/nixos/nix/blob/master/config/config.guess) ([upstream](https://git.savannah.gnu.org/cgit/config.git/tree/config.guess)):

 ```
 <cpu>-<vendor>-<os>[<version>][-<abi>]
 ```

-When cross-compiling Nix with Meson for local development, you need to specify a [cross-file](https://mesonbuild.com/Cross-compilation.html) using the `--cross-file` option. Cross-files define the target architecture and toolchain. When cross-compiling Nix with Nix, Nixpkgs takes care of this for you.
-
-In the nix flake we also have some cross-compilation targets available:
+When Nix is built such that `./configure` is passed any of the `--host`, `--build`, `--target` options, the value is based on the output of [`config.sub`](https://github.com/nixos/nix/blob/master/config/config.sub) ([upstream](https://git.savannah.gnu.org/cgit/config.git/tree/config.sub)):

 ```
-nix build .#nix-everything-riscv64-unknown-linux-gnu
-nix build .#nix-everything-armv7l-unknown-linux-gnueabihf
-nix build .#nix-everything-armv7l-unknown-linux-gnueabihf
-nix build .#nix-everything-x86_64-unknown-freebsd
-nix build .#nix-everything-x86_64-w64-mingw32
+<cpu>-<vendor>[-<kernel>]-<os>
 ```

-For historic reasons and backward-compatibility, some CPU and OS identifiers are translated as follows:
+For historic reasons and backward-compatibility, some CPU and OS identifiers are translated from the GNU Autotools naming convention in [`configure.ac`](https://github.com/nixos/nix/blob/master/configure.ac) as follows:

-| `host_machine.cpu_family()` | `host_machine.endian()` | Nix                 |
-|-----------------------------|-------------------------|---------------------|
-| `x86`                       |                         | `i686`              |
-| `arm`                       |                         | `host_machine.cpu()`|
-| `ppc`                       | `little`                | `powerpcle`         |
-| `ppc64`                     | `little`                | `powerpc64le`       |
-| `ppc`                       | `big`                   | `powerpc`           |
-| `ppc64`                     | `big`                   | `powerpc64`         |
-| `mips`                      | `little`                | `mipsel`            |
-| `mips64`                    | `little`                | `mips64el`          |
-| `mips`                      | `big`                   | `mips`              |
-| `mips64`                    | `big`                   | `mips64`            |
+| `config.guess`             | Nix                 |
+|----------------------------|---------------------|
+| `amd64`                    | `x86_64`            |
+| `i*86`                     | `i686`              |
+| `arm6`                     | `arm6l`             |
+| `arm7`                     | `arm7l`             |
+| `linux-gnu*`               | `linux`             |
+| `linux-musl*`              | `linux`             |

 ## Compilation environments

@@ -240,18 +230,18 @@ Nix can be compiled using multiple environments:
 To build with one of those environments, you can use

 ```console
-$ nix build .#nix-cli-ccacheStdenv
+$ nix build .#nix-ccacheStdenv
 ```

 for flake-enabled Nix, or

 ```console
-$ nix-build --attr nix-cli-ccacheStdenv
+$ nix-build --attr nix-ccacheStdenv
 ```

 for classic Nix.

-You can use any of the other supported environments in place of `nix-cli-ccacheStdenv`.
+You can use any of the other supported environments in place of `nix-ccacheStdenv`.

 ## Editor integration

--- a/doc/manual/source/development/cli-guideline.md
+++ b/doc/manual/source/development/cli-guideline.md
@@ -170,9 +170,9 @@ sensitive.


 ```shell
-$ nix init --template=template#python
+$ nix init --template=template#pyton
 ------------------------------------------------------------------------
-  Error! Template `template#python` not found.
+  Error! Template `template#pyton` not found.
 ------------------------------------------------------------------------
 Initializing Nix project at `/path/to/here`.
      Select a template for you new project:
--- a/doc/manual/source/development/contributing.md
+++ b/doc/manual/source/development/contributing.md
@@ -20,9 +20,8 @@ prs: 1238
 Here's one or more paragraphs that describe the change.

 - It's markdown
- Add references to the manual using [links like this](@_at_docroot@/example.md)
+- Add references to the manual using @docroot@
 ```
-<!-- for the raw markdown readers: that means using @docroot@ -->

 Significant changes should add the following header, which moves them to the top.

--- a/doc/manual/source/development/debugging.md
+++ b/doc/manual/source/development/debugging.md
@@ -24,19 +24,6 @@ It is also possible to build without debugging for faster build:

 (The first line is needed because `fortify` hardening requires at least some optimization.)

-## Building Nix with sanitizers
-
-Nix can be built with [Address](https://clang.llvm.org/docs/AddressSanitizer.html) and
-[UB](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html) sanitizers using LLVM
-or GCC. This is useful when debugging memory corruption issues.
-
-```console
-[nix-shell]$ export mesonBuildType=debugoptimized
-[nix-shell]$ appendToVar mesonFlags "-Dlibexpr:gc=disabled" # Disable Boehm
-[nix-shell]$ appendToVar mesonFlags "-Dbindings=false" # Disable nix-perl
-[nix-shell]$ appendToVar mesonFlags "-Db_sanitize=address,undefined"
-```
-
 ## Debugging the Nix Binary

 Obtain your preferred debugger within the development shell:
--- a/doc/manual/source/development/documentation.md
+++ b/doc/manual/source/development/documentation.md
@@ -25,31 +25,20 @@ nix build .#nix-manual
 and open `./result/share/doc/nix/manual/index.html`.


-To build the manual incrementally, [enter the development shell](./building.md) and configure with `doc-gen` enabled:
-
-**If using interactive `nix develop`:**
+To build the manual incrementally, [enter the development shell](./building.md) and run:

 ```console
-$ nix develop
-$ mesonFlags="$mesonFlags -Ddoc-gen=true" mesonConfigurePhase
+make manual-html-open -j $NIX_BUILD_CORES
 ```

-**If using direnv:**
+In order to reflect changes to the [Makefile for the manual], clear all generated files before re-building:
+
+[Makefile for the manual]: https://github.com/NixOS/nix/blob/master/doc/manual/local.mk

 ```console
-$ direnv allow
-$ bash -c 'source $stdenv/setup && mesonFlags="$mesonFlags -Ddoc-gen=true" mesonConfigurePhase'
+rm $(git ls-files doc/manual/ -o | grep -F '.md') && rmdir doc/manual/source/command-ref/new-cli && make manual-html -j $NIX_BUILD_CORES
 ```

-Then build the manual:
-
-```console
-$ cd build
-$ meson compile manual
-```
-
-The HTML manual will be generated at `build/src/nix-manual/manual/index.html`.
-
 ## Style guide

 The goal of this style guide is to make it such that
@@ -240,9 +229,3 @@ $ configurePhase
 $ ninja src/external-api-docs/html
 $ xdg-open src/external-api-docs/html/index.html
 ```
-
-If you use direnv, or otherwise want to run `configurePhase` in a transient shell, use:
-
-```bash
-nix-shell -A devShells.x86_64-linux.native-clangStdenv --command 'appendToVar mesonFlags "-Ddoc-gen=true"; mesonConfigurePhase'
-```
--- a/doc/manual/source/development/meson.build
+++ b/doc/manual/source/development/meson.build
@@ -1,12 +1,12 @@
 experimental_feature_descriptions_md = custom_target(
  command : nix_eval_for_docs + [
-    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
+    '--expr',
+    'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
  ],
  input : [
    '../../generate-xp-features.nix',
    xp_features_json,
  ],
  capture : true,
-  env : nix_env_for_docs,
  output : 'experimental-feature-descriptions.md',
 )
--- a/doc/manual/source/development/testing.md
+++ b/doc/manual/source/development/testing.md
@@ -30,7 +30,7 @@ The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
 > src
 > ├── libexpr
 > │   ├── meson.build
-> │   ├── include/nix/expr/value/context.hh
+> │   ├── value/context.hh
 > │   ├── value/context.cc
 > │   …
 > │
@@ -46,12 +46,8 @@ The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
 > │   │
 > │   ├── libexpr-test-support
 > │   │   ├── meson.build
-> │   │   ├── include/nix/expr
-> │   │   │   ├── meson.build
-> │   │   │   └── tests
-> │   │   │       ├── value/context.hh
-> │   │   │       …
 > │   │   └── tests
+> │   │       ├── value/context.hh
 > │   │       ├── value/context.cc
 > │   │       …
 > │   │
@@ -63,7 +59,7 @@ The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
 > ```

 The tests for each Nix library (`libnixexpr`, `libnixstore`, etc..) live inside a directory `src/${library_name_without-nix}-test`.
-Given an interface (header) and implementation pair in the original library, say, `src/libexpr/include/nix/expr/value/context.hh` and `src/libexpr/value/context.cc`, we write tests for it in `src/libexpr-tests/value/context.cc`, and (possibly) declare/define additional interfaces for testing purposes in `src/libexpr-test-support/include/nix/expr/tests/value/context.hh` and `src/libexpr-test-support/tests/value/context.cc`.
+Given an interface (header) and implementation pair in the original library, say, `src/libexpr/value/context.{hh,cc}`, we write tests for it in `src/libexpr-tests/value/context.cc`, and (possibly) declare/define additional interfaces for testing purposes in `src/libexpr-test-support/tests/value/context.{hh,cc}`.

 Data for unit tests is stored in a `data` subdir of the directory for each unit test executable.
 For example, `libnixstore` code is in `src/libstore`, and its test data is in `src/libstore-tests/data`.
@@ -71,7 +67,7 @@ The path to the `src/${library_name_without-nix}-test/data` directory is passed
 Note that each executable only gets the data for its tests.

 The unit test libraries are in `src/${library_name_without-nix}-test-support`.
-All headers are in a `tests` subdirectory so they are included with `#include "nix/tests/"`.
+All headers are in a `tests` subdirectory so they are included with `#include "tests/"`.

 The use of all these separate directories for the unit tests might seem inconvenient, as for example the tests are not "right next to" the part of the code they are testing.
 But organizing the tests this way has one big benefit:
--- a/doc/manual/source/glossary.md
+++ b/doc/manual/source/glossary.md
@@ -1,13 +1,5 @@
 # Glossary

- [build system]{#gloss-build-system}
-
-  Generic term for software that facilitates the building of software by automating the invocation of compilers, linkers, and other tools.
-
-  Nix can be used as a generic build system.
-  It has no knowledge of any particular programming language or toolchain.
-  These details are specified in [derivation expressions](#gloss-derivation-expression).
-
 - [content address]{#gloss-content-address}

  A
@@ -27,42 +19,18 @@

  Besides content addressing, the Nix store also uses [input addressing](#gloss-input-addressed-store-object).

- [content-addressed storage]{#gloss-content-addressed-store}
-
-  The industry term for storage and retrieval systems using [content addressing](#gloss-content-address). A Nix store also has [input addressing](#gloss-input-addressed-store-object), and metadata.
-
- [derivation]{#gloss-derivation}
-
-  A derivation can be thought of as a [pure function](https://en.wikipedia.org/wiki/Pure_function) that produces new [store objects][store object] from existing store objects.
-
-  Derivations are implemented as [operating system processes that run in a sandbox](@docroot@/store/building.md#builder-execution).
-  This sandbox by default only allows reading from store objects specified as inputs, and only allows writing to designated [outputs][output] to be [captured as store objects](@docroot@/store/building.md#processing-outputs).
-
-  A derivation is typically specified as a [derivation expression] in the [Nix language], and [instantiated][instantiate] to a [store derivation].
-  There are multiple ways of obtaining store objects from store derivatons, collectively called [realisation][realise].
-
-  [derivation]: #gloss-derivation
-
 - [store derivation]{#gloss-store-derivation}

-  A [derivation] represented as a [store object].
-
-  See [Store Derivation](@docroot@/store/derivation/index.md#store-derivation) for details.
+  A single build task.
+  See [Store Derivation](@docroot@/store/drv.md#store-derivation) for details.

  [store derivation]: #gloss-store-derivation

- [directed acyclic graph]{#gloss-directed-acyclic-graph}
-
-  A [directed acyclic graph](https://en.wikipedia.org/wiki/Directed_acyclic_graph) (DAG) is graph whose edges are given a direction ("a to b" is not the same edge as "b to a"), and for which no possible path (created by joining together edges) forms a cycle.
-
-  DAGs are very important to Nix.
-  In particular, the non-self-[references][reference] of [store object][store object] form a cycle.
-
 - [derivation path]{#gloss-derivation-path}

  A [store path] which uniquely identifies a [store derivation].

-  See [Referencing Store Derivations](@docroot@/store/derivation/index.md#derivation-path) for details.
+  See [Referencing Store Derivations](@docroot@/store/drv.md#derivation-path) for details.

  Not to be confused with [deriving path].

@@ -70,7 +38,10 @@

 - [derivation expression]{#gloss-derivation-expression}

-  A description of a [store derivation] using the [`derivation` primitive](./language/derivations.md) in the [Nix language].
+  A description of a [store derivation] in the Nix language.
+  The output(s) of a derivation are store objects.
+  Derivations are typically specified in Nix expressions using the [`derivation` primitive](./language/derivations.md).
+  These are translated into store layer *derivations* (implicitly by `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).

  [derivation expression]: #gloss-derivation-expression

@@ -88,8 +59,9 @@

  This can be achieved by:
  - Fetching a pre-built [store object] from a [substituter]
-  - [Building](@docroot@/store/building.md) the corresponding [store derivation]
+  - Running the [`builder`](@docroot@/language/derivations.md#attr-builder) executable as specified in the corresponding [store derivation]
  - Delegating to a [remote machine](@docroot@/command-ref/conf-file.md#conf-builders) and retrieving the outputs
+  <!-- TODO: link [running] to build process page, #8888 -->

  See [`nix-store --realise`](@docroot@/command-ref/nix-store/realise.md) for a detailed description of the algorithm.

@@ -116,12 +88,6 @@

  [store]: #gloss-store

- [Nix instance]{#gloss-nix-instance}
-  <!-- ambiguous -->
-  1. An installation of Nix, which includes the presence of a [store], and the Nix package manager which operates on that store.
-     A local Nix installation and a [remote builder](@docroot@/advanced-topics/distributed-builds.md) are two examples of Nix instances.
-  2. A running Nix process, such as the `nix` command.
-
 - [binary cache]{#gloss-binary-cache}

  A *binary cache* is a Nix store which uses a different format: its
@@ -172,8 +138,6 @@
  non-[fixed-output](#gloss-fixed-output-derivation)
  derivation.

-  See [input-addressing derivation outputs](store/derivation/outputs/input-address.md) for details.
-
 - [content-addressed store object]{#gloss-content-addressed-store-object}

  A [store object] which is [content-addressed](#gloss-content-address),
@@ -233,32 +197,30 @@

  > **Example**
  >
-  > Building and deploying software using Nix entails writing Nix expressions to describe [packages][package] and compositions thereof.
+  > Building and deploying software using Nix entails writing Nix expressions as a high-level description of packages and compositions thereof.

 - [reference]{#gloss-reference}

-  An edge from one [store object] to another.
+  A [store object] `O` is said to have a *reference* to a store object `P` if a [store path] to `P` appears in the contents of `O`.

-  See [References](@docroot@/store/store-object.md#references) for details.
+  Store objects can refer to both other store objects and themselves.
+  References from a store object to itself are called *self-references*.
+  References other than a self-reference must not form a cycle.

  [reference]: #gloss-reference

-  See [References](@docroot@/store/store-object.md#references) for details.
-
 - [reachable]{#gloss-reachable}

  A store path `Q` is reachable from another store path `P` if `Q`
  is in the *closure* of the *references* relation.

-  See [References](@docroot@/store/store-object.md#references) for details.
-
 - [closure]{#gloss-closure}

  The closure of a store path is the set of store paths that are
  directly or indirectly “reachable” from that store path; that is,
  it’s the closure of the path under the *references* relation. For
  a package, the closure of its derivation is equivalent to the
-  build-time dependencies, while the closure of its [output path] is
+  build-time dependencies, while the closure of its output path is
  equivalent to its runtime dependencies. For correct deployment it
  is necessary to deploy whole closures, since otherwise at runtime
  files could be missing. The command `nix-store --query --requisites ` prints out
@@ -268,21 +230,8 @@
  to a store object at path `Q`, then `Q` is in the closure of `P`. Further, if `Q`
  references `R` then `R` is also in the closure of `P`.

-  See [References](@docroot@/store/store-object.md#references) for details.
-
  [closure]: #gloss-closure

- [requisite]{#gloss-requisite}
-
-  A store object [reachable] by a path (chain of references) from a given [store object].
-  The [closure] is the set of requisites.
-
-  See [References](@docroot@/store/store-object.md#references) for details.
-
- [referrer]{#gloss-reference}
-
-  A reversed edge from one [store object] to another.
-
 - [output]{#gloss-output}

  A [store object] produced by a [store derivation].
@@ -303,7 +252,7 @@

  Deriving paths are a way to refer to [store objects][store object] that might not yet be [realised][realise].

-  See [Deriving Path](./store/derivation/index.md#deriving-path) for details.
+  See [Deriving Path](./store/drv.md#deriving-path) for details.

  Not to be confused with [derivation path].

@@ -353,7 +302,7 @@

  See [Nix Archive](store/file-system-object/content-address.html#serial-nix-archive) for details.

- [`∅`]{#gloss-empty-set}
+- [`∅`]{#gloss-emtpy-set}

  The empty set symbol. In the context of profile history, this denotes a package is not present in a particular version of the profile.

@@ -363,17 +312,18 @@

 - [package]{#package}

-  A software package; files that belong together for a particular purpose, and metadata.
+  1. A software package; a collection of files and other data.

-  Nix represents files as [file system objects][file system object], and how they belong together is encoded as [references][reference] between [store objects][store object] that contain these file system objects.
+  2. A [package attribute set].

-  The [Nix language] allows denoting packages in terms of [attribute sets](@docroot@/language/types.md#attribute-set) containing:
-  - attributes that refer to the files of a package, typically in the form of [derivation outputs](#output),
-  - attributes with metadata, such as information about how the package is supposed to be used.
+- [package attribute set]{#package-attribute-set}

-  The exact shape of these attribute sets is up to convention.
+  An [attribute set](@docroot@/language/types.md#attribute-set) containing the attribute `type = "derivation";` (derivation for historical reasons), as well as other attributes, such as
+  - attributes that refer to the files of a [package], typically in the form of [derivation outputs](#output),
+  - attributes that declare something about how the package is supposed to be installed or used,
+  - other metadata or arbitrary attributes.

-  [package]: #package
+  [package attribute set]: #package-attribute-set

 - [string interpolation]{#gloss-string-interpolation}

--- a/doc/manual/source/installation/index.md
+++ b/doc/manual/source/installation/index.md
@@ -30,8 +30,6 @@ $ curl -L https://nixos.org/nix/install | sh -s -- --daemon

 > Single-user is not supported on Mac.

-> `warning: installing Nix as root is not supported by this script!`
-
 This installation has less requirements than the multi-user install, however it
 cannot offer equivalent sharing, isolation, or security.

--- a/doc/manual/source/installation/installing-binary.md
+++ b/doc/manual/source/installation/installing-binary.md
@@ -25,7 +25,7 @@ This performs the default type of installation for your platform:

 We recommend the multi-user installation if it supports your platform and you can authenticate with `sudo`.

-The installer can be configured with various command line arguments and environment variables.
+The installer can configured with various command line arguments and environment variables.
 To show available command line flags:

 ```console
--- a/doc/manual/source/installation/installing-docker.md
+++ b/doc/manual/source/installation/installing-docker.md
@@ -3,21 +3,19 @@
 To run the latest stable release of Nix with Docker run the following command:

 ```console
-$ docker run -ti docker.io/nixos/nix
-Unable to find image 'docker.io/nixos/nix:latest' locally
-latest: Pulling from docker.io/nixos/nix
+$ docker run -ti ghcr.io/nixos/nix
+Unable to find image 'ghcr.io/nixos/nix:latest' locally
+latest: Pulling from ghcr.io/nixos/nix
 5843afab3874: Pull complete
 b52bf13f109c: Pull complete
 1e2415612aa3: Pull complete
 Digest: sha256:27f6e7f60227e959ee7ece361f75d4844a40e1cc6878b6868fe30140420031ff
-Status: Downloaded newer image for docker.io/nixos/nix:latest
+Status: Downloaded newer image for ghcr.io/nixos/nix:latest
 35ca4ada6e96:/# nix --version
 nix (Nix) 2.3.12
 35ca4ada6e96:/# exit
 ```

-> If you want the latest pre-release you can use ghcr.io/nixos/nix and view them at https://github.com/nixos/nix/pkgs/container/nix
-
 # What is included in Nix's Docker image?

 The official Docker image is created using `pkgs.dockerTools.buildLayeredImage`
--- a/doc/manual/source/installation/prerequisites-source.md
+++ b/doc/manual/source/installation/prerequisites-source.md
@@ -10,7 +10,7 @@
  - Bash Shell. The `./configure` script relies on bashisms, so Bash is
    required.

-  - A version of GCC or Clang that supports C++23.
+  - A version of GCC or Clang that supports C++20.

  - `pkg-config` to locate dependencies. If your distribution does not
    provide it, you can get it from
--- a/doc/manual/source/installation/uninstall.md
+++ b/doc/manual/source/installation/uninstall.md
@@ -41,38 +41,6 @@ There may also be references to Nix in

 which you may remove.

-### FreeBSD
-
-1. Stop and remove the Nix daemon service:
-
-   ```console
-   sudo service nix-daemon stop
-   sudo rm -f /usr/local/etc/rc.d/nix-daemon
-   sudo sysrc -x nix_daemon_enable
-   ```
-
-2. Remove files created by Nix:
-
-   ```console
-   sudo rm -rf /etc/nix /usr/local/etc/profile.d/nix.sh /nix ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
-   ```
-
-3. Remove build users and their group:
-
-   ```console
-   for i in $(seq 1 32); do
-     sudo pw userdel nixbld$i
-   done
-   sudo pw groupdel nixbld
-   ```
-
-4. There may also be references to Nix in:
-   - `/usr/local/etc/bashrc`
-   - `/usr/local/etc/zshrc`
-   - Shell configuration files in users' home directories
-
-   which you may remove.
-
 ### macOS

 > **Updating to macOS 15 Sequoia**
--- a/doc/manual/source/introduction.md
+++ b/doc/manual/source/introduction.md
@@ -1,8 +1,8 @@
 # Introduction

 Nix is a _purely functional package manager_.  This means that it
-treats packages like values in a purely functional programming language
-— packages are built by functions that don’t have
+treats packages like values in purely functional programming languages
+such as Haskell — they are built by functions that don’t have
 side-effects, and they never change after they have been built.  Nix
 stores packages in the _Nix store_, usually the directory
 `/nix/store`, where each package has its own unique subdirectory such
--- a/doc/manual/source/language/advanced-attributes.md
+++ b/doc/manual/source/language/advanced-attributes.md
@@ -2,75 +2,6 @@

 Derivations can declare some infrequently used optional attributes.

-## Inputs
-
-  - [`exportReferencesGraph`]{#adv-attr-exportReferencesGraph}\
-    This attribute allows builders access to the references graph of
-    their inputs. The attribute is a list of inputs in the Nix store
-    whose references graph the builder needs to know. The value of
-    this attribute should be a list of pairs `[ name1 path1 name2
-    path2 ...  ]`. The references graph of each *pathN* will be stored
-    in a text file *nameN* in the temporary build directory. The text
-    files have the format used by `nix-store --register-validity`
-    (with the deriver fields left empty). For example, when the
-    following derivation is built:
-
-    ```nix
-    derivation {
-      ...
-      exportReferencesGraph = [ "libfoo-graph" libfoo ];
-    };
-    ```
-
-    the references graph of `libfoo` is placed in the file
-    `libfoo-graph` in the temporary build directory.
-
-    `exportReferencesGraph` is useful for builders that want to do
-    something with the closure of a store path. Examples include the
-    builders in NixOS that generate the initial ramdisk for booting
-    Linux (a `cpio` archive containing the closure of the boot script)
-    and the ISO-9660 image for the installation CD (which is populated
-    with a Nix store containing the closure of a bootable NixOS
-    configuration).
-
-  - [`passAsFile`]{#adv-attr-passAsFile}\
-    A list of names of attributes that should be passed via files rather
-    than environment variables. For example, if you have
-
-    ```nix
-    passAsFile = ["big"];
-    big = "a very long string";
-    ```
-
-    then when the builder runs, the environment variable `bigPath`
-    will contain the absolute path to a temporary file containing `a
-    very long string`. That is, for any attribute *x* listed in
-    `passAsFile`, Nix will pass an environment variable `xPath`
-    holding the path of the file containing the value of attribute
-    *x*. This is useful when you need to pass large strings to a
-    builder, since most operating systems impose a limit on the size
-    of the environment (typically, a few hundred kilobyte).
-
-  - [`__structuredAttrs`]{#adv-attr-structuredAttrs}\
-    If the special attribute `__structuredAttrs` is set to `true`, the other derivation
-    attributes are serialised into a file in JSON format.
-
-    This obviates the need for [`passAsFile`](#adv-attr-passAsFile) since JSON files have no size restrictions, unlike process environments.
-    It also makes it possible to tweak derivation settings in a structured way;
-    see [`outputChecks`](#adv-attr-outputChecks) for example.
-
-    See the [corresponding section in the derivation page](@docroot@/store/derivation/index.md#structured-attrs) for further details.
-
-    > **Warning**
-    >
-    > If set to `true`, other advanced attributes such as [`allowedReferences`](#adv-attr-allowedReferences), [`allowedRequisites`](#adv-attr-allowedRequisites),
-    [`disallowedReferences`](#adv-attr-disallowedReferences) and [`disallowedRequisites`](#adv-attr-disallowedRequisites), maxSize, and maxClosureSize.
-    will have no effect.
-
-## Output checks
-
-See the [corresponding section in the derivation output page](@docroot@/store/derivation/outputs/index.md).
-
  - [`allowedReferences`]{#adv-attr-allowedReferences}\
    The optional attribute `allowedReferences` specifies a list of legal
    references (dependencies) of the output of the builder. For example,
@@ -124,6 +55,259 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
    dependency on `foobar` or any other derivation depending recursively
    on `foobar`.

+  - [`exportReferencesGraph`]{#adv-attr-exportReferencesGraph}\
+    This attribute allows builders access to the references graph of
+    their inputs. The attribute is a list of inputs in the Nix store
+    whose references graph the builder needs to know. The value of
+    this attribute should be a list of pairs `[ name1 path1 name2
+    path2 ...  ]`. The references graph of each *pathN* will be stored
+    in a text file *nameN* in the temporary build directory. The text
+    files have the format used by `nix-store --register-validity`
+    (with the deriver fields left empty). For example, when the
+    following derivation is built:
+
+    ```nix
+    derivation {
+      ...
+      exportReferencesGraph = [ "libfoo-graph" libfoo ];
+    };
+    ```
+
+    the references graph of `libfoo` is placed in the file
+    `libfoo-graph` in the temporary build directory.
+
+    `exportReferencesGraph` is useful for builders that want to do
+    something with the closure of a store path. Examples include the
+    builders in NixOS that generate the initial ramdisk for booting
+    Linux (a `cpio` archive containing the closure of the boot script)
+    and the ISO-9660 image for the installation CD (which is populated
+    with a Nix store containing the closure of a bootable NixOS
+    configuration).
+
+  - [`impureEnvVars`]{#adv-attr-impureEnvVars}\
+    This attribute allows you to specify a list of environment variables
+    that should be passed from the environment of the calling user to
+    the builder. Usually, the environment is cleared completely when the
+    builder is executed, but with this attribute you can allow specific
+    environment variables to be passed unmodified. For example,
+    `fetchurl` in Nixpkgs has the line
+
+    ```nix
+    impureEnvVars = [ "http_proxy" "https_proxy" ... ];
+    ```
+
+    to make it use the proxy server configuration specified by the user
+    in the environment variables `http_proxy` and friends.
+
+    This attribute is only allowed in *fixed-output derivations* (see
+    below), where impurities such as these are okay since (the hash
+    of) the output is known in advance. It is ignored for all other
+    derivations.
+
+    > **Warning**
+    >
+    > `impureEnvVars` implementation takes environment variables from
+    > the current builder process. When a daemon is building its
+    > environmental variables are used. Without the daemon, the
+    > environmental variables come from the environment of the
+    > `nix-build`.
+
+    If the [`configurable-impure-env` experimental
+    feature](@docroot@/development/experimental-features.md#xp-feature-configurable-impure-env)
+    is enabled, these environment variables can also be controlled
+    through the
+    [`impure-env`](@docroot@/command-ref/conf-file.md#conf-impure-env)
+    configuration setting.
+
+  - [`outputHash`]{#adv-attr-outputHash}; [`outputHashAlgo`]{#adv-attr-outputHashAlgo}; [`outputHashMode`]{#adv-attr-outputHashMode}\
+    These attributes declare that the derivation is a so-called *fixed-output derivation* (FOD), which means that a cryptographic hash of the output is already known in advance.
+
+    As opposed to regular derivations, the [`builder`] executable of a fixed-output derivation has access to the network.
+    Nix computes a cryptographic hash of its output and compares that to the hash declared with these attributes.
+    If there is a mismatch, the derivation fails.
+
+    The rationale for fixed-output derivations is derivations such as
+    those produced by the `fetchurl` function. This function downloads a
+    file from a given URL. To ensure that the downloaded file has not
+    been modified, the caller must also specify a cryptographic hash of
+    the file. For example,
+
+    ```nix
+    fetchurl {
+      url = "http://ftp.gnu.org/pub/gnu/hello/hello-2.1.1.tar.gz";
+      sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
+    }
+    ```
+
+    It sometimes happens that the URL of the file changes, e.g., because
+    servers are reorganised or no longer available. We then must update
+    the call to `fetchurl`, e.g.,
+
+    ```nix
+    fetchurl {
+      url = "ftp://ftp.nluug.nl/pub/gnu/hello/hello-2.1.1.tar.gz";
+      sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
+    }
+    ```
+
+    If a `fetchurl` derivation was treated like a normal derivation, the
+    output paths of the derivation and *all derivations depending on it*
+    would change. For instance, if we were to change the URL of the
+    Glibc source distribution in Nixpkgs (a package on which almost all
+    other packages depend) massive rebuilds would be needed. This is
+    unfortunate for a change which we know cannot have a real effect as
+    it propagates upwards through the dependency graph.
+
+    For fixed-output derivations, on the other hand, the name of the
+    output path only depends on the `outputHash*` and `name` attributes,
+    while all other attributes are ignored for the purpose of computing
+    the output path. (The `name` attribute is included because it is
+    part of the path.)
+
+    As an example, here is the (simplified) Nix expression for
+    `fetchurl`:
+
+    ```nix
+    { stdenv, curl }: # The curl program is used for downloading.
+
+    { url, sha256 }:
+
+    stdenv.mkDerivation {
+      name = baseNameOf (toString url);
+      builder = ./builder.sh;
+      buildInputs = [ curl ];
+
+      # This is a fixed-output derivation; the output must be a regular
+      # file with SHA256 hash sha256.
+      outputHashMode = "flat";
+      outputHashAlgo = "sha256";
+      outputHash = sha256;
+
+      inherit url;
+    }
+    ```
+
+    The `outputHash` attribute must be a string containing the hash in either hexadecimal or "nix32" encoding, or following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
+    The "nix32" encoding is an adaptation of base-32 encoding.
+    The [`convertHash`](@docroot@/language/builtins.md#builtins-convertHash) function shows how to convert between different encodings, and the [`nix-hash` command](../command-ref/nix-hash.md) has information about obtaining the hash for some contents, as well as converting to and from encodings.
+
+    The `outputHashAlgo` attribute specifies the hash algorithm used to compute the hash.
+    It can currently be `"blake3", "sha1"`, `"sha256"`, `"sha512"`, or `null`.
+    `outputHashAlgo` can only be `null` when `outputHash` follows the SRI format.
+
+    The `outputHashMode` attribute determines how the hash is computed.
+    It must be one of the following values:
+
+      - [`"flat"`](@docroot@/store/store-object/content-address.md#method-flat)
+
+        This is the default.
+
+      - [`"recursive"` or `"nar"`](@docroot@/store/store-object/content-address.md#method-nix-archive)
+
+        > **Compatibility**
+        >
+        > `"recursive"` is the traditional way of indicating this,
+        > and is supported since 2005 (virtually the entire history of Nix).
+        > `"nar"` is more clear, and consistent with other parts of Nix (such as the CLI),
+        > however support for it is only added in Nix version 2.21.
+
+      - [`"text"`](@docroot@/store/store-object/content-address.md#method-text)
+
+        > **Warning**
+        >
+        > The use of this method for derivation outputs is part of the [`dynamic-derivations`][xp-feature-dynamic-derivations] experimental feature.
+
+      - [`"git"`](@docroot@/store/store-object/content-address.md#method-git)
+
+        > **Warning**
+        >
+        > This method is part of the [`git-hashing`][xp-feature-git-hashing] experimental feature.
+
+  - [`__contentAddressed`]{#adv-attr-__contentAddressed}
+
+    > **Warning**
+    > This attribute is part of an [experimental feature](@docroot@/development/experimental-features.md).
+    >
+    > To use this attribute, you must enable the
+    > [`ca-derivations`][xp-feature-ca-derivations] experimental feature.
+    > For example, in [nix.conf](../command-ref/conf-file.md) you could add:
+    >
+    > ```
+    > extra-experimental-features = ca-derivations
+    > ```
+
+    If this attribute is set to `true`, then the derivation
+    outputs will be stored in a content-addressed location rather than the
+    traditional input-addressed one.
+
+    Setting this attribute also requires setting
+    [`outputHashMode`](#adv-attr-outputHashMode)
+    and
+    [`outputHashAlgo`](#adv-attr-outputHashAlgo)
+    like for *fixed-output derivations* (see above).
+
+    It also implicitly requires that the machine to build the derivation must have the `ca-derivations` [system feature](@docroot@/command-ref/conf-file.md#conf-system-features).
+
+  - [`passAsFile`]{#adv-attr-passAsFile}\
+    A list of names of attributes that should be passed via files rather
+    than environment variables. For example, if you have
+
+    ```nix
+    passAsFile = ["big"];
+    big = "a very long string";
+    ```
+
+    then when the builder runs, the environment variable `bigPath`
+    will contain the absolute path to a temporary file containing `a
+    very long string`. That is, for any attribute *x* listed in
+    `passAsFile`, Nix will pass an environment variable `xPath`
+    holding the path of the file containing the value of attribute
+    *x*. This is useful when you need to pass large strings to a
+    builder, since most operating systems impose a limit on the size
+    of the environment (typically, a few hundred kilobyte).
+
+  - [`preferLocalBuild`]{#adv-attr-preferLocalBuild}\
+    If this attribute is set to `true` and [distributed building is enabled](@docroot@/command-ref/conf-file.md#conf-builders), then, if possible, the derivation will be built locally instead of being forwarded to a remote machine.
+    This is useful for derivations that are cheapest to build locally.
+
+  - [`allowSubstitutes`]{#adv-attr-allowSubstitutes}\
+    If this attribute is set to `false`, then Nix will always build this derivation (locally or remotely); it will not try to substitute its outputs.
+    This is useful for derivations that are cheaper to build than to substitute.
+
+    This attribute can be ignored by setting [`always-allow-substitutes`](@docroot@/command-ref/conf-file.md#conf-always-allow-substitutes) to `true`.
+
+    > **Note**
+    >
+    > If set to `false`, the [`builder`] should be able to run on the system type specified in the [`system` attribute](./derivations.md#attr-system), since the derivation cannot be substituted.
+
+    [`builder`]: ./derivations.md#attr-builder
+
+  - [`__structuredAttrs`]{#adv-attr-structuredAttrs}\
+    If the special attribute `__structuredAttrs` is set to `true`, the other derivation
+    attributes are serialised into a file in JSON format. The environment variable
+    `NIX_ATTRS_JSON_FILE` points to the exact location of that file both in a build
+    and a [`nix-shell`](../command-ref/nix-shell.md). This obviates the need for
+    [`passAsFile`](#adv-attr-passAsFile) since JSON files have no size restrictions,
+    unlike process environments.
+
+    It also makes it possible to tweak derivation settings in a structured way; see
+    [`outputChecks`](#adv-attr-outputChecks) for example.
+
+    As a convenience to Bash builders,
+    Nix writes a script that initialises shell variables
+    corresponding to all attributes that are representable in Bash. The
+    environment variable `NIX_ATTRS_SH_FILE` points to the exact
+    location of the script, both in a build and a
+    [`nix-shell`](../command-ref/nix-shell.md). This includes non-nested
+    (associative) arrays. For example, the attribute `hardening.format = true`
+    ends up as the Bash associative array element `${hardening[format]}`.
+
+    > **Warning**
+    >
+    > If set to `true`, other advanced attributes such as [`allowedReferences`](#adv-attr-allowedReferences), [`allowedReferences`](#adv-attr-allowedReferences), [`allowedRequisites`](#adv-attr-allowedRequisites),
+    [`disallowedReferences`](#adv-attr-disallowedReferences) and [`disallowedRequisites`](#adv-attr-disallowedRequisites), maxSize, and maxClosureSize.
+    will have no effect.
+
  - [`outputChecks`]{#adv-attr-outputChecks}\
    When using [structured attributes](#adv-attr-structuredAttrs), the `outputChecks`
    attribute allows defining checks per-output.
@@ -157,9 +341,8 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
    };
    ```

-## Other output modifications
-
  - [`unsafeDiscardReferences`]{#adv-attr-unsafeDiscardReferences}\
+
    When using [structured attributes](#adv-attr-structuredAttrs), the
    attribute `unsafeDiscardReferences` is an attribute set with a boolean value for each output name.
    If set to `true`, it disables scanning the output for runtime dependencies.
@@ -175,25 +358,8 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
    their own embedded Nix store: hashes found inside such an image refer
    to the embedded store and not to the host's Nix store.

-## Build scheduling
-
-  - [`preferLocalBuild`]{#adv-attr-preferLocalBuild}\
-    If this attribute is set to `true` and [distributed building is enabled](@docroot@/command-ref/conf-file.md#conf-builders), then, if possible, the derivation will be built locally instead of being forwarded to a remote machine.
-    This is useful for derivations that are cheapest to build locally.
-
-  - [`allowSubstitutes`]{#adv-attr-allowSubstitutes}\
-    If this attribute is set to `false`, then Nix will always build this derivation (locally or remotely); it will not try to substitute its outputs.
-    This is useful for derivations that are cheaper to build than to substitute.
-
-    This attribute can be ignored by setting [`always-allow-substitutes`](@docroot@/command-ref/conf-file.md#conf-always-allow-substitutes) to `true`.
-
-    > **Note**
-    >
-    > If set to `false`, the [`builder`] should be able to run on the system type specified in the [`system` attribute](./derivations.md#attr-system), since the derivation cannot be substituted.
-
-    [`builder`]: ./derivations.md#attr-builder
-
 - [`requiredSystemFeatures`]{#adv-attr-requiredSystemFeatures}\
+
  If a derivation has the `requiredSystemFeatures` attribute, then Nix will only build it on a machine that has the corresponding features set in its [`system-features` configuration](@docroot@/command-ref/conf-file.md#conf-system-features).

  For example, setting
@@ -204,171 +370,6 @@ See the [corresponding section in the derivation output page](@docroot@/store/de

  ensures that the derivation can only be built on a machine with the `kvm` feature.

-# Impure builder configuration
-
-  - [`impureEnvVars`]{#adv-attr-impureEnvVars}\
-    This attribute allows you to specify a list of environment variables
-    that should be passed from the environment of the calling user to
-    the builder. Usually, the environment is cleared completely when the
-    builder is executed, but with this attribute you can allow specific
-    environment variables to be passed unmodified. For example,
-    `fetchurl` in Nixpkgs has the line
-
-    ```nix
-    impureEnvVars = [ "http_proxy" "https_proxy" ... ];
-    ```
-
-    to make it use the proxy server configuration specified by the user
-    in the environment variables `http_proxy` and friends.
-
-    This attribute is only allowed in [fixed-output derivations][fixed-output derivation],
-    where impurities such as these are okay since (the hash
-    of) the output is known in advance. It is ignored for all other
-    derivations.
-
-    > **Warning**
-    >
-    > `impureEnvVars` implementation takes environment variables from
-    > the current builder process. When a daemon is building its
-    > environmental variables are used. Without the daemon, the
-    > environmental variables come from the environment of the
-    > `nix-build`.
-
-    If the [`configurable-impure-env` experimental
-    feature](@docroot@/development/experimental-features.md#xp-feature-configurable-impure-env)
-    is enabled, these environment variables can also be controlled
-    through the
-    [`impure-env`](@docroot@/command-ref/conf-file.md#conf-impure-env)
-    configuration setting.
-
-## Setting the derivation type
-
-As discussed in [Derivation Outputs and Types of Derivations](@docroot@/store/derivation/outputs/index.md), there are multiples kinds of derivations / kinds of derivation outputs.
-The choice of the following attributes determines which kind of derivation we are making.
-
- [`__contentAddressed`]
-
- [`outputHash`]
-
- [`outputHashAlgo`]
-
- [`outputHashMode`]
-
-The three types of derivations are chosen based on the following combinations of these attributes.
-All other combinations are invalid.
-
- [Input-addressing derivations](@docroot@/store/derivation/outputs/input-address.md)
-
-  This is the default for `builtins.derivation`.
-  Nix only currently supports one kind of input-addressing, so no other information is needed.
-
-  `__contentAddressed = false;` may also be included, but is not needed, and will trigger the experimental feature check.
-
- [Fixed-output derivations][fixed-output derivation]
-
-  All of [`outputHash`], [`outputHashAlgo`], and [`outputHashMode`].
-
-  <!--
-
-  `__contentAddressed` is ignored, because fixed-output derivations always content-address their outputs, by definition.
-
-  **TODO CHECK**
-
-  -->
-
- [(Floating) content-addressing derivations](@docroot@/store/derivation/outputs/content-address.md)
-
-  Both [`outputHashAlgo`] and [`outputHashMode`], `__contentAddressed = true;`, and *not* `outputHash`.
-
-  If an output hash was given, then the derivation output would be "fixed" not "floating".
-
-Here is more information on the `output*` attributes, and what values they may be set to:
-
-  - [`outputHashMode`]{#adv-attr-outputHashMode}
-
-    This specifies how the files of a content-addressing derivation output are digested to produce a content address.
-
-    This works in conjunction with [`outputHashAlgo`](#adv-attr-outputHashAlgo).
-    Specifying one without the other is an error (unless [`outputHash` is also specified and includes its own hash algorithm as described below).
-
-    The `outputHashMode` attribute determines how the hash is computed.
-    It must be one of the following values:
-
-      - [`"flat"`](@docroot@/store/store-object/content-address.md#method-flat)
-
-        This is the default.
-
-      - [`"recursive"` or `"nar"`](@docroot@/store/store-object/content-address.md#method-nix-archive)
-
-        > **Compatibility**
-        >
-        > `"recursive"` is the traditional way of indicating this,
-        > and is supported since 2005 (virtually the entire history of Nix).
-        > `"nar"` is more clear, and consistent with other parts of Nix (such as the CLI),
-        > however support for it is only added in Nix version 2.21.
-
-      - [`"text"`](@docroot@/store/store-object/content-address.md#method-text)
-
-        > **Warning**
-        >
-        > The use of this method for derivation outputs is part of the [`dynamic-derivations`][xp-feature-dynamic-derivations] experimental feature.
-
-      - [`"git"`](@docroot@/store/store-object/content-address.md#method-git)
-
-        > **Warning**
-        >
-        > This method is part of the [`git-hashing`][xp-feature-git-hashing] experimental feature.
-
-    See [content-addressing store objects](@docroot@/store/store-object/content-address.md) for more information about the process this flag controls.
-
-  - [`outputHashAlgo`]{#adv-attr-outputHashAlgo}
-
-    This specifies the hash algorithm used to digest the [file system object] data of a content-addressing derivation output.
-
-    This works in conjunction with [`outputHashMode`](#adv-attr-outputHashAlgo).
-    Specifying one without the other is an error (unless `outputHash` is also specified and includes its own hash algorithm as described below).
-
-    The `outputHashAlgo` attribute specifies the hash algorithm used to compute the hash.
-    It can currently be `"blake3"`, `"sha1"`, `"sha256"`, `"sha512"`, or `null`.
-
-    `outputHashAlgo` can only be `null` when `outputHash` follows the SRI format, because in that case the choice of hash algorithm is determined by `outputHash`.
-
-  - [`outputHash`]{#adv-attr-outputHashAlgo}; [`outputHash`]{#adv-attr-outputHashMode}
-
-    This will specify the output hash of the single output of a [fixed-output derivation].
-
-    The `outputHash` attribute must be a string containing the hash in either hexadecimal or "nix32" encoding, or following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
-    The "nix32" encoding is an adaptation of base-32 encoding.
-
-    > **Note**
-    >
-    > The [`convertHash`](@docroot@/language/builtins.md#builtins-convertHash) function shows how to convert between different encodings.
-    > The [`nix-hash` command](../command-ref/nix-hash.md) has information about obtaining the hash for some contents, as well as converting to and from encodings.
-
-  - [`__contentAddressed`]{#adv-attr-__contentAddressed}
-
-    > **Warning**
-    >
-    > This attribute is part of an [experimental feature](@docroot@/development/experimental-features.md).
-    >
-    > To use this attribute, you must enable the
-    > [`ca-derivations`][xp-feature-ca-derivations] experimental feature.
-    > For example, in [nix.conf](../command-ref/conf-file.md) you could add:
-    >
-    > ```
-    > extra-experimental-features = ca-derivations
-    > ```
-
-    This is a boolean with a default of `false`.
-    It determines whether the derivation is floating content-addressing.
-
-[`__contentAddressed`]: #adv-attr-__contentAddressed
-[`outputHash`]: #adv-attr-outputHash
-[`outputHashAlgo`]: #adv-attr-outputHashAlgo
-[`outputHashMode`]: #adv-attr-outputHashMode
-
-[fixed-output derivation]: @docroot@/glossary.md#gloss-fixed-output-derivation
-[file system object]: @docroot@/store/file-system-object.md
-[store object]: @docroot@/store/store-object.md
+[xp-feature-ca-derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
 [xp-feature-dynamic-derivations]: @docroot@/development/experimental-features.md#xp-feature-dynamic-derivations
 [xp-feature-git-hashing]: @docroot@/development/experimental-features.md#xp-feature-git-hashing
--- a/doc/manual/source/language/builtins-prefix.md
+++ b/doc/manual/source/language/builtins-prefix.md
@@ -5,28 +5,12 @@ All built-ins are available through the global [`builtins`](#builtins-builtins)

 Some built-ins are also exposed directly in the global scope:

+<!-- TODO(@rhendric, #10970): this list is incomplete -->
+
 - [`derivation`](#builtins-derivation)
- `derivationStrict`
- [`abort`](#builtins-abort)
- [`baseNameOf`](#builtins-baseNameOf)
- [`break`](#builtins-break)
- [`dirOf`](#builtins-dirOf)
- [`false`](#builtins-false)
- [`fetchGit`](#builtins-fetchGit)
- `fetchMercurial`
- [`fetchTarball`](#builtins-fetchTarball)
- [`fetchTree`](#builtins-fetchTree)
- [`fromTOML`](#builtins-fromTOML)
 - [`import`](#builtins-import)
- [`isNull`](#builtins-isNull)
- [`map`](#builtins-map)
- [`null`](#builtins-null)
- [`placeholder`](#builtins-placeholder)
- [`removeAttrs`](#builtins-removeAttrs)
- `scopedImport`
+- [`abort`](#builtins-abort)
 - [`throw`](#builtins-throw)
- [`toString`](#builtins-toString)
- [`true`](#builtins-true)

 <dl>
  <dt id="builtins-derivation"><a href="#builtins-derivation"><code>derivation <var>attrs</var></code></a></dt>
--- a/doc/manual/source/language/derivations.md
+++ b/doc/manual/source/language/derivations.md
@@ -1,7 +1,7 @@
 # Derivations

 The most important built-in function is `derivation`, which is used to describe a single store-layer [store derivation].
-Consult the [store chapter](@docroot@/store/derivation/index.md) for what a store derivation is;
+Consult the [store chapter](@docroot@/store/drv.md) for what a store derivation is;
 this section just concerns how to create one from the Nix language.

 This builtin function takes as input an attribute set, the attributes of which specify the inputs to the process.
@@ -16,7 +16,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 - [`name`]{#attr-name} ([String](@docroot@/language/types.md#type-string))

  A symbolic name for the derivation.
-  See [derivation outputs](@docroot@/store/derivation/index.md#outputs) for what this is affects.
+  See [derivation outputs](@docroot@/store/drv.md#outputs) for what this is affects.

  [store path]: @docroot@/store/store-path.md

@@ -34,7 +34,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect

 - [`system`]{#attr-system} ([String](@docroot@/language/types.md#type-string))

-  See [system](@docroot@/store/derivation/index.md#system).
+  See [system](@docroot@/store/drv.md#system).

  > **Example**
  >
@@ -64,7 +64,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect

 - [`builder`]{#attr-builder} ([Path](@docroot@/language/types.md#type-path) | [String](@docroot@/language/types.md#type-string))

-  See [builder](@docroot@/store/derivation/index.md#builder).
+  See [builder](@docroot@/store/drv.md#builder).

  > **Example**
  >
@@ -113,7 +113,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect

  Default: `[ ]`

-  See [args](@docroot@/store/derivation/index.md#args).
+  See [args](@docroot@/store/drv.md#args).

  > **Example**
  >
--- a/doc/manual/source/language/evaluation.md
+++ b/doc/manual/source/language/evaluation.md
@@ -1,77 +0,0 @@
-# Evaluation
-
-Evaluation is the process of turning a Nix expression into a [Nix value](types.md).
-
-This happens by a number of rules, such as:
- Constructing values from literals. 
-  For example the number literal `1` is turned into the number value `1`.
- Applying operators
-  For example the addition operator `+` is applied to two number values to produce a new number value.
- Applying built-in functions
-  For example the expression `builtins.isInt 1` is evaluated to `true`.
- Applying user-defined functions
-  For example the expression `(x: x + 1) 10` can[*](#laziness) be thought of rewriting `x` in the function body to the argument, `10 + 1`, which is then evaluated to `11`.
-
-These rules are applied as needed, driven by the specific use of the expression. For example, this can occur in the Nix command line interface or interactively with the [repl (read-eval-print loop)](@docroot@/command-ref/new-cli/nix3-repl.md), which is a useful tool when learning about evaluation.
-
-# Details
-
-## Values {#values}
-
-Nix values can be thought of as a subset of Nix expressions.
-For example, the expression `1 + 2` is not a value, because it can be reduced to `3`. The expression `3` is a value, because it cannot be reduced any further.
-
-Evaluation normally happens by applying rules to the "head" of the expression, which is the outermost part of the expression. The head of an expression like `[ 1 2 ]` is the list literal (`[ a1 a2 ]`), for `1 + 2` it is the addition operator (`+`), and for `f 1` it is the function application "operator" (` `).
-
-After applying all possible rules to the head until no rules can be applied, the expression is in "weak head normal form" (WHNF). This means that the outermost constructor of the expression is evaluated, but the inner values may or may not be. "Weak" only signifies that the expression may be a function. This is an historical or academic artifact, and Nix has no use for the non-weak "head normal form".
-
-## Laziness and thunks {#laziness}
-
-The Nix language implements _call by need_ (as opposed to _call by value_ or _call by reference_). <!-- No wikipedia link, which would be a huge distraction. --> Call by need is commonly known as laziness in functional programming, as it is a specific implementation of the concept where evaluation is deferred until the result is required, aiming to only evaluate the parts of an expression that are needed to produce the final result.
-
-Furthermore, the result of evaluation is preserved, in values, in `let` bindings, in function _parameters_, which behave a lot like `let` bindings, but with the notable exception of function _calls_. Results of function calls rely on being put into `let` bindings, etc to be reused. <!-- which would be prohibitively expensive and too strict, or we wouldn't have a cache key for the argument -->
-
-When discussing the process of evaluation in lower level terms, we may define values not as a subset of expressions, but separately, where each "value" is either a data constructor, a function or a _thunk_. A thunk is a delayed computation, represented by an expression reference and a "closure" &ndash; the values for the lexical scope around the delayed expression.
-
-As a user of the language, you generally don't have to think about thunks, as they are not part of the language semantics, but you may encounter them in the repl, in the [C API] or in discussions.
-
-## Strictness
-
-Instead of thinking about thunks, it is often more productive to think in terms of _strictness_.
-This term is used in functional programming to refer to the opposite of laziness, i.e. not just for something like error propagation. It refers to the need to evaluate certain expressions before evaluation can produce any result.
-
-Statements about strictness usually implicitly refer to weak head normal form.
-For example, we can say that the following function is strict in its argument:
-
-```nix
-x: isAttrs x || isFunction x
-```
-
-The above function must be strict in its argument `x` because determining its type requires evaluating `x` to at least some degree.
-
-The following function is not strict in its argument:
-
-```nix
-x: { isOk = isAttrs x || isFunction x; }
-```
-
-It is not strict, because it can return the attribute set before evaluating `x`.
-The attribute value for `isOk` _is_ strict in `x`.
-
-A function with a _set pattern_ is always strict in its argument, as a consequence of checking the argument's type and/or attribute names:
-
-```nix
-let f = { ... }: "ok";
-in f (throw "kablam")
-=> error: kablam
-```
-
-However, a set pattern does not add any strictness beyond WHNF of the attribute set argument.
-
-```nix
-let f = orig@{ x, ... }: "ok";
-in f { x = throw "error"; y = throw "error"; }
-=> "ok"
-```
-
-[C API]: @docroot@/c-api.md
--- a/doc/manual/source/language/index.md
+++ b/doc/manual/source/language/index.md
@@ -1,6 +1,6 @@
 # Nix Language

-The Nix language is designed for conveniently creating and composing [derivations](@docroot@/glossary.md#gloss-derivation) – precise descriptions of how contents of existing files are used to derive new files.
+The Nix language is designed for conveniently creating and composing *derivations* – precise descriptions of how contents of existing files are used to derive new files.

 > **Tip**
 >
@@ -11,14 +11,7 @@ The language is:

 - *domain-specific*

-  The Nix language is purpose-built for working with text files.
-  Its most characteristic features are:
-
-  - [File system path primitives](@docroot@/language/types.md#type-path), for accessing source files
-  - [Indented strings](@docroot@/language/string-literals.md) and [string interpolation](@docroot@/language/string-interpolation.md), for creating file contents
-  - [Strings with contexts](@docroot@/language/string-context.md), for transparently linking files
-
-  It comes with [built-in functions](@docroot@/language/builtins.md) to integrate with the [Nix store](@docroot@/store/index.md), which manages files and enables [realising](@docroot@/glossary.md#gloss-realise) derivations declared in the Nix language.
+  It comes with [built-in functions](@docroot@/language/builtins.md) to integrate with the Nix store, which manages files and performs the derivations declared in the Nix language.

 - *declarative*

--- a/doc/manual/source/language/meson.build
+++ b/doc/manual/source/language/meson.build
@@ -1,13 +1,19 @@
 builtins_md = custom_target(
-  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
-    '--expr', '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
+  command : [
+    python.full_path(),
+    '@INPUT0@',
+    '@OUTPUT@',
+    '--'
+  ] + nix_eval_for_docs + [
+    '--expr',
+    '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
  ],
  input : [
    '../../remove_before_wrapper.py',
    '../../generate-builtins.nix',
    language_json,
    'builtins-prefix.md',
-    'builtins-suffix.md',
+    'builtins-suffix.md'
  ],
  output : 'builtins.md',
  env : nix_env_for_docs,
--- a/doc/manual/source/language/operators.md
+++ b/doc/manual/source/language/operators.md
@@ -196,7 +196,7 @@ All comparison operators are implemented in terms of `<`, and the following equi

 ## Logical implication

-Equivalent to `!`*b1* `||` *b2*  (or `if` *b1* `then` *b2* `else true`)
+Equivalent to `!`*b1* `||` *b2*.

 [Logical implication]: #logical-implication

--- a/doc/manual/source/language/string-context.md
+++ b/doc/manual/source/language/string-context.md
@@ -13,8 +13,8 @@ The purpose of string contexts is to collect non-string values attached to strin
 [string concatenation](./operators.md#string-concatenation),
 [string interpolation](./string-interpolation.md),
 and similar operations.
-The idea is that a user can reference other files when creating text files through Nix expressions, without manually keeping track of the exact paths.
-Nix will ensure that the all referenced files are accessible – that all [store paths](@docroot@/glossary.md#gloss-store-path) are [valid](@docroot@/glossary.md#gloss-validity).
+The idea is that a user can combine together values to create a build instructions for derivations without manually keeping track of where they come from.
+Then the Nix language implicitly does that bookkeeping to efficiently obtain the closure of derivation inputs.

 > **Note**
 >
@@ -115,7 +115,7 @@ It creates an [attribute set] representing the string context, which can be insp

 ## Clearing string contexts

-[`builtins.unsafeDiscardStringContext`](./builtins.md#builtins-unsafeDiscardStringContext) will make a copy of a string, but with an empty string context.
+[`buitins.unsafeDiscardStringContext`](./builtins.md#builtins-unsafeDiscardStringContext) will make a copy of a string, but with an empty string context.
 The returned string can be used in more ways, e.g. by operators that require the string context to be empty.
 The requirement to explicitly discard the string context in such use cases helps ensure that string context elements are not lost by mistake.
 The "unsafe" marker is only there to remind that Nix normally guarantees that dependencies are tracked, whereas the returned string has lost them.
--- a/doc/manual/source/language/syntax.md
+++ b/doc/manual/source/language/syntax.md
@@ -225,8 +225,8 @@ passed in first , e.g.,

 ```nix
 let add = { __functor = self: x: x + self.x; };
-    inc = add // { x = 1; }; # inc is { x = 1; __functor = (...) }
-in inc 1 # equivalent of `add.__functor add 1` i.e. `1 + self.x`
+    inc = add // { x = 1; };
+in inc 1
 ```

 evaluates to `2`. This can be used to attach metadata to a function
@@ -443,7 +443,7 @@ three kinds of patterns:
    This works on any set that contains at least the three named
    attributes.

-  - It is possible to provide *default values* for attributes, in
+    It is possible to provide *default values* for attributes, in
    which case they are allowed to be missing. A default value is
    specified by writing `name ?  e`, where *e* is an arbitrary
    expression. For example,
@@ -503,45 +503,6 @@ three kinds of patterns:
    > [ 23 {} ]
    > ```

-  - All bindings introduced by the function are in scope in the entire function expression; not just in the body.
-    It can therefore be used in default values.
-
-    > **Example**
-    >
-    > A parameter (`x`), is used in the default value for another parameter (`y`):
-    >
-    > ```nix
-    > let
-    >   f = { x, y ? [x] }: { inherit y; };
-    > in
-    >   f { x = 3; }
-    > ```
-    >
-    > This evaluates to:
-    >
-    > ```nix
-    > {
-    >   y = [ 3 ];
-    > }
-    > ```
-
-    > **Example**
-    >
-    > The binding of an `@` pattern, `args`, is used in the default value for a parameter, `x`:
-    >
-    > ```nix
-    > let
-    >   f = args@{ x ? args.a, ... }: x;
-    > in
-    >   f { a = 1; }
-    > ```
-    >
-    > This evaluates to:
-    >
-    > ```nix
-    > 1
-    > ```
-
 Note that functions do not have names. If you want to give them a name,
 you can bind them to an attribute, e.g.,

--- a/doc/manual/source/meson.build
+++ b/doc/manual/source/meson.build
@@ -1,11 +1,7 @@
-# Process JSON schema documentation
-subdir('protocols')
-
 summary_rl_next = custom_target(
  command : [
    bash,
-    '-euo',
-    'pipefail',
+    '-euo', 'pipefail',
    '-c',
    '''
      if [ -e "@INPUT@" ]; then
@@ -16,6 +12,6 @@ summary_rl_next = custom_target(
  input : [
    rl_next_generated,
  ],
-  capture : true,
+  capture: true,
  output : 'SUMMARY-rl-next.md',
 )
--- a/doc/manual/source/package-management/garbage-collector-roots.md
+++ b/doc/manual/source/package-management/garbage-collector-roots.md
@@ -12,7 +12,7 @@ $ ln -s /nix/store/d718ef...-foo /nix/var/nix/gcroots/bar
 That is, after this command, the garbage collector will not remove
 `/nix/store/d718ef...-foo` or any of its dependencies.

-Subdirectories of `prefix/nix/var/nix/gcroots` are searched
-recursively. Symlinks to store paths count as roots. Symlinks to
-non-store paths are ignored, unless the non-store path is itself a
-symlink to a store path.
+Subdirectories of `prefix/nix/var/nix/gcroots` are also searched for
+symlinks. Symlinks to non-store paths are followed and searched for
+roots, but symlinks to non-store paths *inside* the paths reached in
+that way are not followed to prevent infinite recursion.
--- a/doc/manual/source/protocols/json/content-address.md
+++ b/doc/manual/source/protocols/json/content-address.md
@@ -1,21 +0,0 @@
-{{#include content-address-v1-fixed.md}}
-
-## Examples
-
-### [Text](@docroot@/store/store-object/content-address.html#method-text) method
-
-```json
-{{#include schema/content-address-v1/text.json}}
-```
-
-### [Nix Archive](@docroot@/store/store-object/content-address.html#method-nix-archive) method
-
-```json
-{{#include schema/content-address-v1/nar.json}}
-```
-
-<!-- need to convert YAML to JSON first
-## Raw Schema
-
-[JSON Schema for Hash v1](schema/content-address-v1.json)
-->
--- a/doc/manual/source/protocols/json/derivation.md
+++ b/doc/manual/source/protocols/json/derivation.md
@@ -1,7 +1,93 @@
-{{#include derivation-v3-fixed.md}}
+# Derivation JSON Format

-<!-- need to convert YAML to JSON first
-## Raw Schema
+> **Warning**
+>
+> This JSON format is currently
+> [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
+> and subject to change.

-[JSON Schema for Derivation v3](schema/derivation-v3.json)
-->
+The JSON serialization of a
+[derivations](@docroot@/glossary.md#gloss-store-derivation)
+is a JSON object with the following fields:
+
+* `name`:
+  The name of the derivation.
+  This is used when calculating the store paths of the derivation's outputs.
+
+* `outputs`:
+  Information about the output paths of the derivation.
+  This is a JSON object with one member per output, where the key is the output name and the value is a JSON object with these fields:
+
+  * `path`:
+    The output path, if it is known in advanced.
+    Otherwise, `null`.
+
+
+  * `method`:
+    For an output which will be [content addresed], a string representing the [method](@docroot@/store/store-object/content-address.md) of content addressing that is chosen.
+    Valid method strings are:
+
+    - [`flat`](@docroot@/store/store-object/content-address.md#method-flat)
+    - [`nar`](@docroot@/store/store-object/content-address.md#method-nix-archive)
+    - [`text`](@docroot@/store/store-object/content-address.md#method-text)
+    - [`git`](@docroot@/store/store-object/content-address.md#method-git)
+
+    Otherwise, `null`.
+
+  * `hashAlgo`:
+    For an output which will be [content addresed], the name of the hash algorithm used.
+    Valid algorithm strings are:
+
+    - `blake3`
+    - `md5`
+    - `sha1`
+    - `sha256`
+    - `sha512`
+
+  * `hash`:
+    For fixed-output derivations, the expected content hash in base-16.
+
+  > **Example**
+  >
+  > ```json
+  > "outputs": {
+  >   "out": {
+  >     "path": "/nix/store/2543j7c6jn75blc3drf4g5vhb1rhdq29-source",
+  >     "method": "nar",
+  >     "hashAlgo": "sha256",
+  >     "hash": "6fc80dcc62179dbc12fc0b5881275898f93444833d21b89dfe5f7fbcbb1d0d62"
+  >   }
+  > }
+  > ```
+
+* `inputSrcs`:
+  A list of store paths on which this derivation depends.
+
+* `inputDrvs`:
+  A JSON object specifying the derivations on which this derivation depends, and what outputs of those derivations.
+
+  > **Example**
+  >
+  > ```json
+  > "inputDrvs": {
+  >   "/nix/store/6lkh5yi7nlb7l6dr8fljlli5zfd9hq58-curl-7.73.0.drv": ["dev"],
+  >   "/nix/store/fn3kgnfzl5dzym26j8g907gq3kbm8bfh-unzip-6.0.drv": ["out"]
+  > }
+  > ```
+
+  specifies that this derivation depends on the `dev` output of `curl`, and the `out` output of `unzip`.
+
+* `system`:
+  The system type on which this derivation is to be built
+  (e.g. `x86_64-linux`).
+
+* `builder`:
+  The absolute path of the program to be executed to run the build.
+  Typically this is the `bash` shell
+  (e.g. `/nix/store/r3j288vpmczbl500w6zz89gyfa4nr0b1-bash-4.4-p23/bin/bash`).
+
+* `args`:
+  The command-line arguments passed to the `builder`.
+
+* `env`:
+  The environment passed to the `builder`.
--- a/doc/manual/source/protocols/json/deriving-path.md
+++ b/doc/manual/source/protocols/json/deriving-path.md
@@ -1,21 +0,0 @@
-{{#include deriving-path-v1-fixed.md}}
-
-## Examples
-
-### Constant
-
-```json
-{{#include schema/deriving-path-v1/single_opaque.json}}
-```
-
-### Output of static derivation
-
-```json
-{{#include schema/deriving-path-v1/single_built.json}}
-```
-
-### Output of dynamic derivation
-
-```json
-{{#include schema/deriving-path-v1/single_built_built.json}}
-```
--- a/doc/manual/source/protocols/json/fixup-json-schema-generated-doc.sed
+++ b/doc/manual/source/protocols/json/fixup-json-schema-generated-doc.sed
@@ -1,17 +0,0 @@
-# For some reason, backticks in the JSON schema are being escaped rather
-# than being kept as intentional code spans. This removes all backtick
-# escaping, which is an ugly solution, but one that is fine, because we
-# are not using backticks for any other purpose.
-s/\\`/`/g
-
-# The way that semi-external references are rendered (i.e. ones to
-# sibling schema files, as opposed to separate website ones, is not nice
-# for humans. Replace it with a nice relative link within the manual
-# instead.
-#
-# As we have more such relative links, more replacements of this nature
-# should appear below.
-s^\(./hash-v1.yaml\)\?#/$defs/algorithm^[JSON format for `Hash`](./hash.html#algorithm)^g
-s^\(./hash-v1.yaml\)^[JSON format for `Hash`](./hash.html)^g
-s^\(./content-address-v1.yaml\)\?#/$defs/method^[JSON format for `ContentAddress`](./content-address.html#method)^g
-s^\(./content-address-v1.yaml\)^[JSON format for `ContentAddress`](./content-address.html)^g
--- a/doc/manual/source/protocols/json/hash.md
+++ b/doc/manual/source/protocols/json/hash.md
@@ -1,33 +0,0 @@
-{{#include hash-v1-fixed.md}}
-
-## Examples
-
-### SHA-256 with Base64 encoding
-
-```json
-{{#include schema/hash-v1/sha256-base64.json}}
-```
-
-### SHA-256 with Base16 (hexadecimal) encoding
-
-```json
-{{#include schema/hash-v1/sha256-base16.json}}
-```
-
-### SHA-256 with Nix32 encoding
-
-```json
-{{#include schema/hash-v1/sha256-nix32.json}}
-```
-
-### BLAKE3 with Base64 encoding
-
-```json
-{{#include schema/hash-v1/blake3-base64.json}}
-```
-
-<!-- need to convert YAML to JSON first
-## Raw Schema
-
-[JSON Schema for Hash v1](schema/hash-v1.json)
-->
--- a/doc/manual/source/protocols/json/json-schema-for-humans-config.yaml
+++ b/doc/manual/source/protocols/json/json-schema-for-humans-config.yaml
@@ -1,17 +0,0 @@
-# Configuration file for json-schema-for-humans
-#
-# https://github.com/coveooss/json-schema-for-humans/blob/main/docs/examples/examples_md_default/Configuration.md
-
-template_name: md
-show_toc: true
-# impure timestamp and distracting
-with_footer: false
-recursive_detection_depth: 3
-show_breadcrumbs: false
-description_is_markdown: true
-template_md_options:
-  properties_table_columns:
-    - Property
-    - Type
-    - Pattern
-    - Title/Description
--- a/doc/manual/source/protocols/json/meson.build
+++ b/doc/manual/source/protocols/json/meson.build
@@ -1,78 +0,0 @@
-# Tests in: ../../../../src/json-schema-checks
-
-fs = import('fs')
-
-# Find json-schema-for-humans if available
-json_schema_for_humans = find_program('generate-schema-doc', required : false)
-
-# Configuration for json-schema-for-humans
-json_schema_config = files('json-schema-for-humans-config.yaml')
-
-schemas = [
-  'hash-v1',
-  'content-address-v1',
-  'store-path-v1',
-  'store-object-info-v1',
-  'derivation-v3',
-  'deriving-path-v1',
-]
-
-schema_files = files()
-foreach schema_name : schemas
-  schema_files += files('schema' / schema_name + '.yaml')
-endforeach
-
-
-schema_outputs = []
-foreach schema_name : schemas
-  schema_outputs += schema_name + '.md'
-endforeach
-
-json_schema_generated_files = []
-
-# Generate markdown documentation from JSON schema
-# Note: output must be just a filename, not a path
-gen_file = custom_target(
-  schema_name + '-schema-docs.tmp',
-  command : [
-    json_schema_for_humans,
-    '--config-file',
-    json_schema_config,
-    meson.current_source_dir() / 'schema',
-    meson.current_build_dir(),
-  ],
-  input : schema_files + [
-    json_schema_config,
-  ],
-  output : schema_outputs,
-  capture : false,
-  build_by_default : true,
-)
-
-idx = 0
-if json_schema_for_humans.found()
-  foreach schema_name : schemas
-    #schema_file = 'schema' / schema_name + '.yaml'
-
-    # There is one so-so hack, and one horrible hack being done here.
-    sedded_file = custom_target(
-      schema_name + '-schema-docs',
-      command : [
-        'sed',
-        '-f',
-        # Out of line to avoid https://github.com/mesonbuild/meson/issues/1564
-        files('fixup-json-schema-generated-doc.sed'),
-        '@INPUT@',
-      ],
-      capture : true,
-      input : gen_file[idx],
-      output : schema_name + '-fixed.md',
-    )
-    idx += 1
-    json_schema_generated_files += [ sedded_file ]
-  endforeach
-else
-  warning(
-    'json-schema-for-humans not found, skipping JSON schema documentation generation',
-  )
-endif
--- a/doc/manual/source/protocols/json/schema/content-address-v1
+++ b/doc/manual/source/protocols/json/schema/content-address-v1
@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/content-address
--- a/doc/manual/source/protocols/json/schema/content-address-v1.yaml
+++ b/doc/manual/source/protocols/json/schema/content-address-v1.yaml
@@ -1,55 +0,0 @@
-"$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/content-address-v1.json"
-title: Content Address
-description: |
-  This schema describes the JSON representation of Nix's `ContentAddress` type, which conveys information about [content-addressing store objects](@docroot@/store/store-object/content-address.md).
-
-  > **Note**
-  >
-  > For current methods of content addressing, this data type is a bit suspicious, because it is neither simply a content address of a file system object (the `method` is richer), nor simply a content address of a store object (the `hash` doesn't account for the references).
-  > It should thus only be used in contexts where the references are also known / otherwise made tamper-resistant.
-
-  <!--
-  TODO currently `ContentAddress` is used in both of these, and so same rationale applies, but actually in both cases the JSON is currently ad-hoc.
-  That will be fixed, and as each is fixed, the example (along with a more precise link to the field in question) should be become part of the above note, so what is is saying is more clear.
-
-  > For example:
-
-  > - Fixed outputs of derivations are not allowed to have any references, so an empty reference set is statically known by assumption.
-
-  > - [Store object info](./store-object-info.md) includes the set of references along side the (optional) content address.
-
-  > This data type is thus safely used in both of these contexts.
-
-  -->
-
-type: object
-properties:
-  method:
-    "$ref": "#/$defs/method"
-  hash:
-    title: Content Address
-    description: |
-      This would be the content-address itself.
-
-      For all current methods, this is just a content address of the file system object of the store object, [as described in the store chapter](@docroot@/store/file-system-object/content-address.md), and not of the store object as a whole.
-      In particular, the references of the store object are *not* taken into account with this hash (and currently-supported methods).
-    "$ref": "./hash-v1.yaml"
-required:
- method
- hash
-additionalProperties: false
-"$defs":
-  method:
-    type: string
-    enum: [flat, nar, text, git]
-    title: Content-Addressing Method
-    description: |
-      A string representing the [method](@docroot@/store/store-object/content-address.md) of content addressing that is chosen.
-
-      Valid method strings are:
-
-      - [`flat`](@docroot@/store/store-object/content-address.md#method-flat) (provided the contents are a single file)
-      - [`nar`](@docroot@/store/store-object/content-address.md#method-nix-archive)
-      - [`text`](@docroot@/store/store-object/content-address.md#method-text)
-      - [`git`](@docroot@/store/store-object/content-address.md#method-git)
--- a/doc/manual/source/protocols/json/schema/derivation-v3.yaml
+++ b/doc/manual/source/protocols/json/schema/derivation-v3.yaml
@@ -1,203 +0,0 @@
-"$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/derivation-v3.json"
-title: Derivation
-description: |
-  Experimental JSON representation of a Nix derivation (version 3).
-
-  This schema describes the JSON representation of Nix's `Derivation` type.
-
-  > **Warning**
-  >
-  > This JSON format is currently
-  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
-  > and subject to change.
-
-type: object
-required:
-  - name
-  - version
-  - outputs
-  - inputSrcs
-  - inputDrvs
-  - system
-  - builder
-  - args
-  - env
-properties:
-  name:
-    type: string
-    title: Derivation name
-    description: |
-      The name of the derivation.
-      Used when calculating store paths for the derivation’s outputs.
-
-  version:
-    const: 3
-    title: Format version (must be 3)
-    description: |
-      Must be `3`.
-      This is a guard that allows us to continue evolving this format.
-      The choice of `3` is fairly arbitrary, but corresponds to this informal version:
-
-      - Version 0: A-Term format
-
-      - Version 1: Original JSON format, with ugly `"r:sha256"` inherited from A-Term format.
-
-      - Version 2: Separate `method` and `hashAlgo` fields in output specs
-
-      - Version 3: Drop store dir from store paths, just include base name.
-
-      Note that while this format is experimental, the maintenance of versions is best-effort, and not promised to identify every change.
-
-  outputs:
-    type: object
-    title: Output specifications
-    description: |
-     Information about the output paths of the derivation.
-     This is a JSON object with one member per output, where the key is the output name and the value is a JSON object as described.
-
-      > **Example**
-      >
-      > ```json
-      > "outputs": {
-      >   "out": {
-      >     "method": "nar",
-      >     "hashAlgo": "sha256",
-      >     "hash": "6fc80dcc62179dbc12fc0b5881275898f93444833d21b89dfe5f7fbcbb1d0d62"
-      >   }
-      > }
-      > ```
-    additionalProperties:
-      "$ref": "#/$defs/output"
-
-  inputSrcs:
-    type: array
-    title: Input source paths
-    description: |
-      List of store paths on which this derivation depends.
-
-      > **Example**
-      >
-      > ```json
-      > "inputSrcs": [
-      >   "47y241wqdhac3jm5l7nv0x4975mb1975-separate-debug-info.sh",
-      >   "56d0w71pjj9bdr363ym3wj1zkwyqq97j-fix-pop-var-context-error.patch"
-      > ]
-      > ```
-    items:
-      $ref: "store-path-v1.yaml"
-
-  inputDrvs:
-    type: object
-    title: Input derivations
-    description: |
-      Mapping of derivation paths to lists of output names they provide.
-
-      > **Example**
-      >
-      > ```json
-      > "inputDrvs": {
-      >   "6lkh5yi7nlb7l6dr8fljlli5zfd9hq58-curl-7.73.0.drv": ["dev"],
-      >   "fn3kgnfzl5dzym26j8g907gq3kbm8bfh-unzip-6.0.drv": ["out"]
-      > }
-      > ```
-      >
-      > specifies that this derivation depends on the `dev` output of `curl`, and the `out` output of `unzip`.
-    patternProperties:
-      "^[0123456789abcdfghijklmnpqrsvwxyz]{32}-.+\\.drv$":
-        title: Store Path
-        description: |
-          A store path to a derivation, mapped to the outputs of that derivation.
-        oneOf:
-        - "$ref": "#/$defs/outputNames"
-        - "$ref": "#/$defs/dynamicOutputs"
-    additionalProperties: false
-
-  system:
-    type: string
-    title: Build system type
-    description: |
-      The system type on which this derivation is to be built
-      (e.g. `x86_64-linux`).
-
-  builder:
-    type: string
-    title: Build program path
-    description: |
-      Absolute path of the program used to perform the build.
-      Typically this is the `bash` shell
-      (e.g. `/nix/store/r3j288vpmczbl500w6zz89gyfa4nr0b1-bash-4.4-p23/bin/bash`).
-
-  args:
-    type: array
-    title: Builder arguments
-    description: |
-      Command-line arguments passed to the `builder`.
-    items:
-      type: string
-
-  env:
-    type: object
-    title: Environment variables
-    description: |
-      Environment variables passed to the `builder`.
-    additionalProperties:
-      type: string
-
-  structuredAttrs:
-    title: Structured attributes
-    description: |
-      [Structured Attributes](@docroot@/store/derivation/index.md#structured-attrs), only defined if the derivation contains them.
-      Structured attributes are JSON, and thus embedded as-is.
-    type: object
-    additionalProperties: true
-
-"$defs":
-  output:
-    type: object
-    properties:
-      path:
-        $ref: "store-path-v1.yaml"
-        title: Output path
-        description: |
-          The output path, if known in advance.
-
-      method:
-        "$ref": "./content-address-v1.yaml#/$defs/method"
-        description: |
-          For an output which will be [content addressed](@docroot@/store/derivation/outputs/content-address.md), a string representing the [method](@docroot@/store/store-object/content-address.md) of content addressing that is chosen.
-          See the linked original definition for further details.
-      hashAlgo:
-        title: Hash algorithm
-        "$ref": "./hash-v1.yaml#/$defs/algorithm"
-
-      hash:
-        type: string
-        title: Expected hash value
-        description: |
-          For fixed-output derivations, the expected content hash in base-16.
-
-  outputName:
-    type: string
-    title: Output name
-    description: Name of the derivation output to depend on
-
-  outputNames:
-    type: array
-    title: Output Names
-    description: Set of names of derivation outputs to depend on
-    items:
-      "$ref": "#/$defs/outputName"
-
-  dynamicOutputs:
-    type: object
-    title: Dynamic Outputs
-    description: |
-      **Experimental feature**: [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations)
-
-      This recursive data type allows for depending on outputs of outputs.
-    properties:
-      outputs:
-        "$ref": "#/$defs/outputNames"
-      dynamicOutputs:
-          "$ref": "#/$defs/dynamicOutputs"
--- a/doc/manual/source/protocols/json/schema/deriving-path-v1
+++ b/doc/manual/source/protocols/json/schema/deriving-path-v1
@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/derived-path
--- a/doc/manual/source/protocols/json/schema/deriving-path-v1.yaml
+++ b/doc/manual/source/protocols/json/schema/deriving-path-v1.yaml
@@ -1,27 +0,0 @@
-"$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/deriving-path-v1.json"
-title: Deriving Path
-description: |
-  This schema describes the JSON representation of Nix's [Deriving Path](@docroot@/store/derivation/index.md#deriving-path).
-oneOf:
-  - title: Constant
-    description: |
-      See [Constant](@docroot@/store/derivation/index.md#deriving-path-constant) deriving path.
-    $ref: "store-path-v1.yaml"
-  - title: Output
-    description: |
-      See [Output](@docroot@/store/derivation/index.md#deriving-path-output) deriving path.
-    type: object
-    properties:
-      drvPath:
-        "$ref": "#"
-        description: |
-          A deriving path to a [Derivation](@docroot@/store/derivation/index.md#store-derivation), whose output is being referred to.
-      output:
-        type: string
-        description: |
-          The name of an output produced by that derivation (e.g. "out", "doc", etc.).
-    required:
-      - drvPath
-      - output
-    additionalProperties: false
--- a/doc/manual/source/protocols/json/schema/hash-v1
+++ b/doc/manual/source/protocols/json/schema/hash-v1
@@ -1 +0,0 @@
-../../../../../../src/libutil-tests/data/hash/
--- a/doc/manual/source/protocols/json/schema/hash-v1.yaml
+++ b/doc/manual/source/protocols/json/schema/hash-v1.yaml
@@ -1,54 +0,0 @@
-"$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/hash-v1.json"
-title: Hash
-description: |
-  A cryptographic hash value used throughout Nix for content addressing and integrity verification.
-
-  This schema describes the JSON representation of Nix's `Hash` type.
-type: object
-properties:
-  algorithm:
-    "$ref": "#/$defs/algorithm"
-  format:
-    type: string
-    enum:
-    - base64
-    - nix32
-    - base16
-    - sri
-    title: Hash format
-    description: |
-      The encoding format of the hash value.
-
-      - `base64` uses standard Base64 encoding [RFC 4648, section 4](https://datatracker.ietf.org/doc/html/rfc4648#section-4)
-      - `nix32` is Nix-specific base-32 encoding
-      - `base16` is lowercase hexadecimal
-      - `sri` is the [Subresource Integrity format](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity).
-  hash:
-    type: string
-    title: Hash
-    description: |
-      The encoded hash value, itself.
-
-      It is specified in the format specified by the `format` field.
-      It must be the right length for the hash algorithm specified in the `algorithm` field, also.
-      The hash value does not include any algorithm prefix.
-required:
- algorithm
- format
- hash
-additionalProperties: false
-"$defs":
-  algorithm:
-    type: string
-    enum:
-    - blake3
-    - md5
-    - sha1
-    - sha256
-    - sha512
-    title: Hash algorithm
-    description: |
-      The hash algorithm used to compute the hash value.
-
-      `blake3` is currently experimental and requires the [`blake-hashing`](@docroot@/development/experimental-features.md#xp-feature-blake-hashing) experimental feature.
--- a/doc/manual/source/protocols/json/schema/nar-info-v1
+++ b/doc/manual/source/protocols/json/schema/nar-info-v1
@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/nar-info
--- a/doc/manual/source/protocols/json/schema/store-object-info-v1
+++ b/doc/manual/source/protocols/json/schema/store-object-info-v1
@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/path-info
--- a/doc/manual/source/protocols/json/schema/store-object-info-v1.yaml
+++ b/doc/manual/source/protocols/json/schema/store-object-info-v1.yaml
@@ -1,235 +0,0 @@
-"$schema": "http://json-schema.org/draft-07/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/store-object-info-v1.json"
-title: Store Object Info
-description: |
-  Information about a [store object](@docroot@/store/store-object.md).
-
-  This schema describes the JSON representation of store object metadata as returned by commands like [`nix path-info --json`](@docroot@/command-ref/new-cli/nix3-path-info.md).
-
-  > **Warning**
-  >
-  > This JSON format is currently
-  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
-  > and subject to change.
-
-  ### Field Categories
-
-  Store object information can come in a few different variations.
-
-  Firstly, "impure" fields, which contain non-intrinsic information about the store object, may or may not be included.
-
-  Second, binary cache stores have extra non-intrinsic infomation about the store objects they contain.
-
-  Thirdly, [`nix path-info --json --closure-size`](@docroot@/command-ref/new-cli/nix3-path-info.html#opt-closure-size) can compute some extra information about not just the single store object in question, but the store object and its [closure](@docroot@/glossary.md#gloss-closure).
-
-  The impure and NAR fields are grouped into separate variants below.
-  See their descriptions for additional information.
-  The closure fields however as just included as optional fields, to avoid a combinatorial explosion of variants.
-
-oneOf:
-  - $ref: "#/$defs/base"
-
-  - $ref: "#/$defs/impure"
-
-  - $ref: "#/$defs/narInfo"
-
-$defs:
-  base:
-    title: Store Object Info
-    description: |
-      Basic store object metadata containing only intrinsic properties.
-      This is the minimal set of fields that describe what a store object contains.
-    type: object
-    required:
-      - narHash
-      - narSize
-      - references
-      - ca
-    properties:
-      path:
-        type: string
-        title: Store Path
-        description: |
-          [Store path](@docroot@/store/store-path.md) to the given store object.
-
-          Note: This field may not be present in all contexts, such as when the path is used as the key and the the store object info the value in map.
-
-      narHash:
-        type: string
-        title: NAR Hash
-        description: |
-          Hash of the [file system object](@docroot@/store/file-system-object.md) part of the store object when serialized as a [Nix Archive](@docroot@/store/file-system-object/content-address.md#serial-nix-archive).
-
-      narSize:
-        type: integer
-        minimum: 0
-        title: NAR Size
-        description: |
-          Size of the [file system object](@docroot@/store/file-system-object.md) part of the store object when serialized as a [Nix Archive](@docroot@/store/file-system-object/content-address.md#serial-nix-archive).
-
-      references:
-        type: array
-        title: References
-        description: |
-          An array of [store paths](@docroot@/store/store-path.md), possibly including this one.
-        items:
-          type: string
-
-      ca:
-        type: ["string", "null"]
-        title: Content Address
-        description: |
-          If the store object is [content-addressed](@docroot@/store/store-object/content-address.md),
-          this is the content address of this store object's file system object, used to compute its store path.
-          Otherwise (i.e. if it is [input-addressed](@docroot@/glossary.md#gloss-input-addressed-store-object)), this is `null`.
-    additionalProperties: false
-
-  impure:
-    title: Store Object Info with Impure Fields
-    description: |
-      Store object metadata including impure fields that are not *intrinsic* properties.
-      In other words, the same store object in different stores could have different values for these impure fields.
-    type: object
-    required:
-      - narHash
-      - narSize
-      - references
-      - ca
-      # impure
-      - deriver
-      - registrationTime
-      - ultimate
-      - signatures
-    properties:
-      path: { $ref: "#/$defs/base/properties/path" }
-      narHash: { $ref: "#/$defs/base/properties/narHash" }
-      narSize: { $ref: "#/$defs/base/properties/narSize" }
-      references: { $ref: "#/$defs/base/properties/references" }
-      ca: { $ref: "#/$defs/base/properties/ca" }
-      deriver:
-        type: ["string", "null"]
-        title: Deriver
-        description: |
-          If known, the path to the [store derivation](@docroot@/glossary.md#gloss-store-derivation) from which this store object was produced.
-          Otherwise `null`.
-
-          > This is an "impure" field that may not be included in certain contexts.
-
-      registrationTime:
-        type: ["integer", "null"]
-        title: Registration Time
-        description: |
-          If known, when this derivation was added to the store (Unix timestamp).
-          Otherwise `null`.
-
-          > This is an "impure" field that may not be included in certain contexts.
-
-      ultimate:
-        type: boolean
-        title: Ultimate
-        description: |
-          Whether this store object is trusted because we built it ourselves, rather than substituted a build product from elsewhere.
-
-          > This is an "impure" field that may not be included in certain contexts.
-
-      signatures:
-        type: array
-        title: Signatures
-        description: |
-          Signatures claiming that this store object is what it claims to be.
-          Not relevant for [content-addressed](@docroot@/store/store-object/content-address.md) store objects,
-          but useful for [input-addressed](@docroot@/glossary.md#gloss-input-addressed-store-object) store objects.
-
-          > This is an "impure" field that may not be included in certain contexts.
-        items:
-          type: string
-
-      # Computed closure fields
-      closureSize:
-        type: integer
-        minimum: 0
-        title: Closure Size
-        description: |
-          The total size of this store object and every other object in its [closure](@docroot@/glossary.md#gloss-closure).
-
-          > This field is not stored at all, but computed by traversing the other fields across all the store objects in a closure.
-    additionalProperties: false
-
-  narInfo:
-    title: Store Object Info with Impure fields and NAR Info
-    description: |
-      The store object info in the "binary cache" family of Nix store type contain extra information pertaining to *downloads* of the store object in question.
-      (This store info is called "NAR info", since the downloads take the form of [Nix Archives](@docroot@/store/file-system-object/content-address.md#serial-nix-archive, and the metadata is served in a file with a `.narinfo` extension.)
-
-      This download information, being specific to how the store object happens to be stored and transferred, is also considered to be non-intrinsic / impure.
-    type: object
-    required:
-      - narHash
-      - narSize
-      - references
-      - ca
-      # impure
-      - deriver
-      - registrationTime
-      - ultimate
-      - signatures
-      # nar
-      - url
-      - compression
-      - downloadHash
-      - downloadSize
-    properties:
-      path: { $ref: "#/$defs/base/properties/path" }
-      narHash: { $ref: "#/$defs/base/properties/narHash" }
-      narSize: { $ref: "#/$defs/base/properties/narSize" }
-      references: { $ref: "#/$defs/base/properties/references" }
-      ca: { $ref: "#/$defs/base/properties/ca" }
-      deriver: { $ref: "#/$defs/impure/properties/deriver" }
-      registrationTime: { $ref: "#/$defs/impure/properties/registrationTime" }
-      ultimate: { $ref: "#/$defs/impure/properties/ultimate" }
-      signatures: { $ref: "#/$defs/impure/properties/signatures" }
-      closureSize: { $ref: "#/$defs/impure/properties/closureSize" }
-      url:
-        type: string
-        title: URL
-        description: |
-          Where to download a compressed archive of the file system objects of this store object.
-
-          > This is an impure "`.narinfo`" field that may not be included in certain contexts.
-
-      compression:
-        type: string
-        title: Compression
-        description: |
-          The compression format that the archive is in.
-
-          > This is an impure "`.narinfo`" field that may not be included in certain contexts.
-
-      downloadHash:
-        type: string
-        title: Download Hash
-        description: |
-          A digest for the compressed archive itself, as opposed to the data contained within.
-
-          > This is an impure "`.narinfo`" field that may not be included in certain contexts.
-
-      downloadSize:
-        type: integer
-        minimum: 0
-        title: Download Size
-        description: |
-          The size of the compressed archive itself.
-
-          > This is an impure "`.narinfo`" field that may not be included in certain contexts.
-
-      closureDownloadSize:
-        type: integer
-        minimum: 0
-        title: Closure Download Size
-        description: |
-          The total size of the compressed archive itself for this object, and the compressed archive of every object in this object's [closure](@docroot@/glossary.md#gloss-closure).
-
-          > This is an impure "`.narinfo`" field that may not be included in certain contexts.
-
-          > This field is not stored at all, but computed by traversing the other fields across all the store objects in a closure.
-    additionalProperties: false
--- a/doc/manual/source/protocols/json/schema/store-path-v1
+++ b/doc/manual/source/protocols/json/schema/store-path-v1
@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/store-path
--- a/doc/manual/source/protocols/json/schema/store-path-v1.yaml
+++ b/doc/manual/source/protocols/json/schema/store-path-v1.yaml
@@ -1,32 +0,0 @@
-"$schema": "http://json-schema.org/draft-07/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/store-path-v1.json"
-title: Store Path
-description: |
-  A [store path](@docroot@/store/store-path.md) identifying a store object.
-
-  This schema describes the JSON representation of store paths as used in various Nix JSON APIs.
-
-  > **Warning**
-  >
-  > This JSON format is currently
-  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
-  > and subject to change.
-
-  ## Format
-
-  Store paths in JSON are represented as strings containing just the hash and name portion, without the store directory prefix.
-
-  For example: `"g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-foo.drv"`
-
-  (If the store dir is `/nix/store`, then this corresponds to the path `/nix/store/g1w7hy3qg1w7hy3qg1w7hy3qg1w7hy3q-foo.drv`.)
-
-  ## Structure
-
-  The format follows this pattern: `${digest}-${name}`
-
-  - **hash**: Digest rendered in a custom variant of [Base32](https://en.wikipedia.org/wiki/Base32) (20 arbitrary bytes become 32 ASCII characters)
-  - **name**: The package name and optional version/suffix information
-
-type: string
-pattern: "^[0123456789abcdfghijklmnpqrsvwxyz]{32}-.+$"
-minLength: 34
--- a/doc/manual/source/protocols/json/store-object-info.md
+++ b/doc/manual/source/protocols/json/store-object-info.md
@@ -1,45 +1,102 @@
-{{#include store-object-info-v1-fixed.md}}
+# Store object info JSON format

-## Examples
+> **Warning**
+>
+> This JSON format is currently
+> [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
+> and subject to change.

-### Minimal store object (content-addressed)
+Info about a [store object].

-```json
-{{#include schema/store-object-info-v1/pure.json}}
-```
+* `path`:

-### Store object with impure fields
+  [Store path][store path] to the given store object.

-```json
-{{#include schema/store-object-info-v1/impure.json}}
-```
+* `narHash`:

-### Minimal store object (empty)
+  Hash of the [file system object] part of the store object when serialized as a [Nix Archive].

-```json
-{{#include schema/store-object-info-v1/empty_pure.json}}
-```
+* `narSize`:

-### Store object with all impure fields
+  Size of the [file system object] part of the store object when serialized as a [Nix Archive].

-```json
-{{#include schema/store-object-info-v1/empty_impure.json}}
-```
+* `references`:

-### NAR info (minimal)
+  An array of [store paths][store path], possibly including this one.

-```json
-{{#include schema/nar-info-v1/pure.json}}
-```
+* `ca`:

-### NAR info (with binary cache fields)
+  If the store object is [content-addressed],
+  this is the content address of this store object's file system object, used to compute its store path.
+  Otherwise (i.e. if it is [input-addressed]), this is `null`.

-```json
-{{#include schema/nar-info-v1/impure.json}}
-```
+[store path]: @docroot@/store/store-path.md
+[file system object]: @docroot@/store/file-system-object.md
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive

-<!-- need to convert YAML to JSON first
-## Raw Schema
+## Impure fields

-[JSON Schema for Store Object Info v1](schema/store-object-info-v1.json)
-->
+These are not intrinsic properties of the store object.
+In other words, the same store object residing in different store could have different values for these properties.
+
+* `deriver`:
+
+  If known, the path to the [store derivation] from which this store object was produced.
+  Otherwise `null`.
+
+  [store derivation]: @docroot@/glossary.md#gloss-store-derivation
+
+* `registrationTime` (optional):
+
+  If known, when this derivation was added to the store.
+  Otherwise `null`.
+
+* `ultimate`:
+
+  Whether this store object is trusted because we built it ourselves, rather than substituted a build product from elsewhere.
+
+* `signatures`:
+
+  Signatures claiming that this store object is what it claims to be.
+  Not relevant for [content-addressed] store objects,
+  but useful for [input-addressed] store objects.
+
+[content-addressed]: @docroot@/store/store-object/content-address.md
+[input-addressed]: @docroot@/glossary.md#gloss-input-addressed-store-object
+
+### `.narinfo` extra fields
+
+This meta data is specific to the "binary cache" family of Nix store types.
+This information is not intrinsic to the store object, but about how it is stored.
+
+* `url`:
+
+  Where to download a compressed archive of the file system objects of this store object.
+
+* `compression`:
+
+  The compression format that the archive is in.
+
+* `fileHash`:
+
+  A digest for the compressed archive itself, as opposed to the data contained within.
+
+* `fileSize`:
+
+  The size of the compressed archive itself.
+
+## Computed closure fields
+
+These fields are not stored at all, but computed by traversing the other fields across all the store objects in a [closure].
+
+* `closureSize`:
+
+  The total size of the compressed archive itself for this object, and the compressed archive of every object in this object's [closure].
+
+### `.narinfo` extra fields
+
+* `closureSize`:
+
+  The total size of this store object and every other object in its [closure].
+
+[closure]: @docroot@/glossary.md#gloss-closure
--- a/doc/manual/source/protocols/json/store-path.md
+++ b/doc/manual/source/protocols/json/store-path.md
@@ -1,15 +0,0 @@
-{{#include store-path-v1-fixed.md}}
-
-## Examples
-
-### Simple store path
-
-```json
-{{#include schema/store-path-v1/simple.json}}
-```
-
-<!-- need to convert YAML to JSON first
-## Raw Schema
-
-[JSON Schema for Store Path v1](schema/store-path-v1.json)
-->
--- a/doc/manual/source/protocols/meson.build
+++ b/doc/manual/source/protocols/meson.build
@@ -1,2 +0,0 @@
-# Process JSON schema documentation
-subdir('json')
--- a/doc/manual/source/protocols/nix-archive.md
+++ b/doc/manual/source/protocols/nix-archive.md
@@ -24,7 +24,7 @@ nar-obj-inner
  | str("type"), str("directory") directory
  ;

-regular = [ str("executable") ], str("contents"), str(contents);
+regular = [ str("executable"), str("") ], str("contents"), str(contents);

 symlink = str("target"), str(target);

--- a/doc/manual/source/protocols/store-path.md
+++ b/doc/manual/source/protocols/store-path.md
@@ -7,7 +7,7 @@ The format of this specification is close to [Extended Backus–Naur form](https
 Regular users do *not* need to know this information --- store paths can be treated as black boxes computed from the properties of the store objects they refer to.
 But for those interested in exactly how Nix works, e.g. if they are reimplementing it, this information can be useful.

-[store path]: @docroot@/store/store-path.md
+[store path](@docroot@/store/store-path.md)

 ## Store path proper

@@ -20,17 +20,14 @@ where

 - `store-dir` = the [store directory](@docroot@/store/store-path.md#store-directory)

- `digest` = base-32 representation of the compressed to 160 bits [SHA-256] hash of `fingerprint`
+- `digest` = base-32 representation of the first 160 bits of a [SHA-256] hash of `fingerprint`

-For the definition of the hash compression algorithm, please refer to the section 5.1 of
-the [Nix thesis](https://edolstra.github.io/pubs/phd-thesis.pdf), which also defines the
-specifics of base-32 encoding. Note that base-32 encoding processes the hash bytestring from
-the end, while base-16 processes in from the beginning.
+  This the hash part of the store name

 ## Fingerprint

 - ```ebnf
-  fingerprint = type ":sha256:" inner-digest ":" store ":" name
+  fingerprint = type ":" sha256 ":" inner-digest ":" store ":" name
  ```

  Note that it includes the location of the store as well as the name to make sure that changes to either of those are reflected in the hash
@@ -56,7 +53,7 @@ the end, while base-16 processes in from the beginning.
    method of content addressing store objects,
    if the hash algorithm is [SHA-256].
    Just like in the "Text" case, we can have the store objects referenced by their paths.
-    Additionally, we can have an optional `:self` label to denote self-reference.
+    Additionally, we can have an optional `:self` label to denote self reference.

  - ```ebnf
    | "output:" id
@@ -73,8 +70,7 @@ the end, while base-16 processes in from the beginning.
    `id` is the name of the output (usually, "out").
    For content-addressed store objects, `id`, is always "out".

- `inner-digest` = base-16 representation of a SHA-256 hash of `inner-fingerprint`.
-  The base-16 encoding uses lower-cased hex digits.
+- `inner-digest` = base-16 representation of a SHA-256 hash of `inner-fingerprint`

 ## Inner fingerprint

@@ -86,7 +82,7 @@ the end, while base-16 processes in from the beginning.

  - if `type` = `"source:" ...`:

-    the [Nix Archive (NAR)] serialization of the [file system object](@docroot@/store/file-system-object.md) of the store object.
+    the hash of the [Nix Archive (NAR)] serialization of the [file system object](@docroot@/store/file-system-object.md) of the store object.

  - if `type` = `"output:" id`:

--- a/doc/manual/source/protocols/tarball-fetcher.md
+++ b/doc/manual/source/protocols/tarball-fetcher.md
@@ -46,7 +46,7 @@ defined as the timestamp of the newest file inside the tarball.
 This protocol is supported by Gitea since v1.22.1 and by Forgejo since v7.0.4/v8.0.0 and can be used with the following flake URL schema:

 ```
-https://<domain name>/<owner>/<repo>/archive/<reference or revision>.tar.gz
+https://<domain name>/<owner>/<repo>/archive/<reference or revison>.tar.gz
 ```

 > **Example**
--- a/doc/manual/source/release-notes/rl-2.19.md
+++ b/doc/manual/source/release-notes/rl-2.19.md
@@ -31,7 +31,7 @@
    - To operate on a flake outside the current directory, you must now pass `--flake path/to/flake`.

  - The flake-specific flags `--recreate-lock-file` and `--update-input` have been removed from all commands operating on installables.
-    They are superseded by `nix flake update`.
+    They are superceded by `nix flake update`.

 - Commit signature verification for the [`builtins.fetchGit`](@docroot@/language/builtins.md#builtins-fetchGit) is added as the new [`verified-fetches` experimental feature](@docroot@/development/experimental-features.md#xp-feature-verified-fetches).

--- a/doc/manual/source/release-notes/rl-2.23.md
+++ b/doc/manual/source/release-notes/rl-2.23.md
@@ -15,7 +15,7 @@
 - Modify `nix derivation {add,show}` JSON format [#9866](https://github.com/NixOS/nix/issues/9866) [#10722](https://github.com/NixOS/nix/pull/10722)

  The JSON format for derivations has been slightly revised to better conform to our [JSON guidelines](@docroot@/development/cli-guideline.md#returning-future-proof-json).
-  In particular, the hash algorithm and content addressing method of content-addressed derivation outputs are now separated into two fields `hashAlgo` and `method`,
+  In particular, the hash algorithm and content addressing method of content-addresed derivation outputs are now separated into two fields `hashAlgo` and `method`,
  rather than one field with an arcane `:`-separated format.

  This JSON format is only used by the experimental `nix derivation` family of commands, at this time.
--- a/doc/manual/source/release-notes/rl-2.24.md
+++ b/doc/manual/source/release-notes/rl-2.24.md
@@ -173,7 +173,7 @@
  **Deprecation**: Use `nix32` instead of `base32` as `toHashFormat`

  For the builtin `convertHash`, the `toHashFormat` parameter now accepts the same hash formats as the `--to`/`--from`
-  parameters of the `nix hash convert` command: `"base16"`, `"nix32"`, `"base64"`, and `"sri"`. The former `"base32"` value
+  parameters of the `nix hash conert` command: `"base16"`, `"nix32"`, `"base64"`, and `"sri"`. The former `"base32"` value
  remains as a deprecated alias for `"nix32"`. Please convert your code from:

  ```nix
@@ -269,7 +269,7 @@
  e.g. `--warn-large-path-threshold 100M`.


-## Contributors
+# Contributors

 This release was made possible by the following 43 contributors:

--- a/doc/manual/source/release-notes/rl-2.25.md
+++ b/doc/manual/source/release-notes/rl-2.25.md
@@ -77,7 +77,7 @@
  `<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue.


-## Contributors
+# Contributors

 This release was made possible by the following 58 contributors:

--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .33.0
 .27.0
				`@@ -1 +0,0 @@`
				`../../../../../../src/libstore-tests/data/content-address`
				`@@ -1 +0,0 @@`
				`../../../../../../src/libutil-tests/data/hash/`