readHead(): Make sure we're returning the HEAD ref line

If we previously fetched by revision, the output of "git ls-remote"
won't start with the expected line like

  ref: refs/heads/master HEAD

but will be something like

  5c4410e3b9891c05ab40d723de78c6f0be45ad30        refs/heads/5c4410e3b9891c05ab40d723de78c6f0be45ad30

This then causes Nix to treat that revision as a refname, which then
leads to warnings like

  warning: could not update cached head '5c4410e3b9891c05ab40d723de78c6f0be45ad30' for 'file:///tmp/repo'

(cherry picked from commit c8b22643ba)

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -11,6 +11,10 @@ assignees: ''
 
 <!-- describe your problem -->
 
+## Proposal
+
+<!-- propose a solution -->
+
 ## Checklist
 
 <!-- make sure this issue is not redundant or obsolete -->
@@ -22,10 +26,6 @@ assignees: ''
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/src
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation
 
-## Proposal
-
-<!-- propose a solution -->
-
 ## Priorities
 
 Add :+1: to [issues you find important](https://github.com/NixOS/nix/issues?q=is%3Aissue+is%3Aopen+sort%3Areactions-%2B1-desc).

.github/PULL_REQUEST_TEMPLATE.md

@@ -10,24 +10,6 @@
 
 <!-- Large change: Provide instructions to reviewers how to read the diff. -->
 
-# Checklist for maintainers
-
-<!-- Contributors: please leave this as is -->
-
-Maintainers: tick if completed or explain if not relevant
-
- - [ ] agreed on idea
- - [ ] agreed on implementation strategy
- - [ ] tests, as appropriate
-   - functional tests - `tests/**.sh`
-   - unit tests - `src/*/tests`
-   - integration tests - `tests/nixos/*`
- - [ ] documentation in the manual
- - [ ] documentation in the internal API docs
- - [ ] code and comments are self-explanatory
- - [ ] commit message explains why the change was made
- - [ ] new feature or incompatible change: updated release notes
-
 # Priorities
 
 Add :+1: to [pull requests you find important](https://github.com/NixOS/nix/pulls?q=is%3Aopen+sort%3Areactions-%2B1-desc).

.github/labeler.yml

@@ -16,8 +16,8 @@
 "new-cli":
   - src/nix/**/*
 
-"tests":
+"with-tests":
   # Unit tests
   - src/*/tests/**/*
   # Functional and integration tests
-  - tests/**/*
+  - tests/functional/**/*

.github/workflows/backport.yml

@@ -14,14 +14,14 @@ jobs:
     if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           # required to find all branches
           fetch-depth: 0
       - name: Create backport PRs
         # should be kept in sync with `version`
-        uses: zeebe-io/backport-action@v1.3.0
+        uses: zeebe-io/backport-action@v1.4.0
         with:
           # Config README: https://github.com/zeebe-io/backport-action#backport-action
           github_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yml

@@ -11,26 +11,45 @@ jobs:
   tests:
     needs: [check_secrets]
     strategy:
+      fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v21
+    - uses: cachix/install-nix-action@v30
       with:
         # The sandbox would otherwise be disabled by default on Darwin
         extra_nix_config: "sandbox = true"
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v12
+    - uses: cachix/cachix-action@v15
       if: needs.check_secrets.outputs.cachix == 'true'
       with:
         name: '${{ env.CACHIX_NAME }}'
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - if: matrix.os == 'ubuntu-latest'
+      run: |
+        free -h
+        swapon --show
+        swap=$(swapon --show --noheadings | head -n 1 | awk '{print $1}')
+        echo "Found swap: $swap"
+        sudo swapoff $swap
+        # resize it (fallocate)
+        sudo fallocate -l 10G $swap
+        sudo mkswap $swap
+        sudo swapon $swap
+        free -h
+        (
+          while sleep 60; do
+            free -h
+          done
+        ) &
     - run: nix --experimental-features 'nix-command flakes' flake check -L
+    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
 
   check_secrets:
     permissions:
@@ -57,11 +76,11 @@ jobs:
     outputs:
       installerURL: ${{ steps.prepare-installer.outputs.installerURL }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v21
+    - uses: cachix/install-nix-action@v23
       with:
         install_url: https://releases.nixos.org/nix/nix-2.13.3/install
     - uses: cachix/cachix-action@v12
@@ -76,13 +95,14 @@ jobs:
     needs: [installer, check_secrets]
     if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
     strategy:
+      fail-fast: false
       matrix:
         os: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.os }}
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v21
+    - uses: cachix/install-nix-action@v23
       with:
         install_url: '${{needs.installer.outputs.installerURL}}'
         install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
@@ -106,10 +126,10 @@ jobs:
       needs.check_secrets.outputs.docker == 'true'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v21
+    - uses: cachix/install-nix-action@v23
       with:
         install_url: https://releases.nixos.org/nix/nix-2.13.3/install
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
@@ -125,7 +145,7 @@ jobs:
     - run: docker tag nix:$NIX_VERSION nixos/nix:$NIX_VERSION
     - run: docker tag nix:$NIX_VERSION nixos/nix:master
     - name: Login to Docker Hub
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}

.github/workflows/hydra_status.yml

@@ -13,7 +13,7 @@ jobs:
     if: github.repository_owner == 'NixOS'
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - run: bash scripts/check-hydra-status.sh

.github/workflows/labels.yml

@@ -21,4 +21,4 @@ jobs:
     - uses: actions/labeler@v4
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
-        sync-labels: true
+        sync-labels: false

.gitignore

@@ -18,7 +18,7 @@ perl/Makefile.config
 /doc/manual/generated/*
 /doc/manual/nix.json
 /doc/manual/conf-file.json
-/doc/manual/builtins.json
+/doc/manual/language.json
 /doc/manual/xp-features.json
 /doc/manual/src/SUMMARY.md
 /doc/manual/src/command-ref/new-cli
@@ -26,6 +26,7 @@ perl/Makefile.config
 /doc/manual/src/command-ref/experimental-features-shortlist.md
 /doc/manual/src/contributing/experimental-feature-descriptions.md
 /doc/manual/src/language/builtins.md
+/doc/manual/src/language/builtin-constants.md
 
 # /scripts/
 /scripts/nix-profile.sh
@@ -40,14 +41,14 @@ perl/Makefile.config
 /src/libexpr/parser-tab.hh
 /src/libexpr/parser-tab.output
 /src/libexpr/nix.tbl
-/src/libexpr/tests/libnixexpr-tests
+/tests/unit/libexpr/libnixexpr-tests
 
 # /src/libstore/
 *.gen.*
-/src/libstore/tests/libnixstore-tests
+/tests/unit/libstore/libnixstore-tests
 
 # /src/libutil/
-/src/libutil/tests/libnixutil-tests
+/tests/unit/libutil/libnixutil-tests
 
 /src/nix/nix
 
@@ -78,22 +79,24 @@ perl/Makefile.config
 
 /src/build-remote/build-remote
 
-# /tests/
-/tests/test-tmp
-/tests/common/vars-and-functions.sh
-/tests/result*
-/tests/restricted-innocent
-/tests/shell
-/tests/shell.drv
-/tests/config.nix
-/tests/ca/config.nix
-/tests/dyn-drv/config.nix
-/tests/repl-result-out
+# /tests/functional/
+/tests/functional/test-tmp
+/tests/functional/common/vars-and-functions.sh
+/tests/functional/result*
+/tests/functional/restricted-innocent
+/tests/functional/shell
+/tests/functional/shell.drv
+/tests/functional/config.nix
+/tests/functional/ca/config.nix
+/tests/functional/dyn-drv/config.nix
+/tests/functional/repl-result-out
+/tests/functional/test-libstoreconsumer/test-libstoreconsumer
 
-# /tests/lang/
-/tests/lang/*.out
-/tests/lang/*.out.xml
-/tests/lang/*.ast
+# /tests/functional/lang/
+/tests/functional/lang/*.out
+/tests/functional/lang/*.out.xml
+/tests/functional/lang/*.err
+/tests/functional/lang/*.ast
 
 /perl/lib/Nix/Config.pm
 /perl/lib/Nix/Store.cc
@@ -136,3 +139,6 @@ nix-rust/target
 result
 
 .vscode/
+
+# clangd and possibly more
+.cache/

.version

@@ -1 +1 @@
-2.16.0
+2.18.10

CONTRIBUTING.md

@@ -5,7 +5,6 @@ We appreciate your support.
 
 Reading and following these guidelines will help us make the contribution process easy and effective for everyone involved.
 
-
 ## Report a bug
 
 1. Check on the [GitHub issue tracker](https://github.com/NixOS/nix/issues) if your bug was already reported.
@@ -30,7 +29,9 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
    You can use [labels](https://github.com/NixOS/nix/labels) to filter for relevant topics.
 
 2. Search for related issues that cover what you're going to work on. It could help to mention there that you will work on the issue.
-   Pull requests addressing issues labeled ["idea approved"](https://github.com/NixOS/nix/labels/idea%20approved) are especially welcomed by maintainers and will receive prioritised review.
+
+   Issues labeled [good first issue](https://github.com/NixOS/nix/labels/good-first-issue) should be relatively easy to fix and are likely to get merged quickly.
+   Pull requests addressing issues labeled [idea approved](https://github.com/NixOS/nix/labels/idea%20approved) are especially welcomed by maintainers and will receive prioritised review.
 
 3. Check the [Nix reference manual](https://nixos.org/manual/nix/unstable/contributing/hacking.html) for information on building Nix and running its tests.
 
@@ -39,14 +40,27 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 4. Make your changes!
 
 5. [Create a pull request](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/creating-a-pull-request) for your changes.
-   * [Mark the pull request as draft](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request) if you're not done with the changes.
-   * Make sure to have [a clean history of commits on your branch by using rebase](https://www.digitalocean.com/community/tutorials/how-to-rebase-and-update-a-pull-request).
    * Link related issues in your pull request to inform interested parties and future contributors about your change.
+   * Make sure to have [a clean history of commits on your branch by using rebase](https://www.digitalocean.com/community/tutorials/how-to-rebase-and-update-a-pull-request).
      If your pull request closes one or multiple issues, note that in the description using `Closes: #<number>`, as it will then happen automatically when your change is merged.
+   * [Mark the pull request as draft](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request) if you're not done with the changes.
 
 6. Do not expect your pull request to be reviewed immediately.
    Nix maintainers follow a [structured process for reviews and design decisions](https://github.com/NixOS/nix/tree/master/maintainers#project-board-protocol), which may or may not prioritise your work.
 
+   Following this checklist will make the process smoother for everyone:
+
+   - [ ] Fixes an [idea approved](https://github.com/NixOS/nix/labels/idea%20approved) issue
+   - [ ] Tests, as appropriate:
+     - Functional tests – [`tests/functional/**.sh`](./tests/functional)
+     - Unit tests – [`src/*/tests`](./src/)
+     - Integration tests – [`tests/nixos/*`](./tests/nixos)
+   - [ ] User documentation in the [manual](..doc/manual/src)
+   - [ ] API documentation in header files
+   - [ ] Code and comments are self-explanatory
+   - [ ] Commit message explains **why** the change was made
+   - [ ] New feature or incompatible change: updated [release notes](./doc/manual/src/release-notes/rl-next.md)
+
 7. If you need additional feedback or help to getting pull request into shape, ask other contributors using [@mentions](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#mentioning-people-and-teams).
 
 ## Making changes to the Nix manual

Makefile

@@ -23,11 +23,17 @@ makefiles = \
 
 ifeq ($(tests), yes)
 makefiles += \
-  src/libutil/tests/local.mk \
-  src/libstore/tests/local.mk \
-  src/libexpr/tests/local.mk \
-  tests/local.mk \
-  tests/plugins/local.mk
+  tests/unit/libutil/local.mk \
+  tests/unit/libutil-support/local.mk \
+  tests/unit/libstore/local.mk \
+  tests/unit/libstore-support/local.mk \
+  tests/unit/libexpr/local.mk \
+  tests/unit/libexpr-support/local.mk \
+  tests/functional/local.mk \
+  tests/functional/ca/local.mk \
+  tests/functional/dyn-drv/local.mk \
+  tests/functional/test-libstoreconsumer/local.mk \
+  tests/functional/plugins/local.mk
 else
 makefiles += \
   mk/disable-tests.mk

configure.ac

@@ -5,7 +5,14 @@ AC_CONFIG_AUX_DIR(config)
 
 AC_PROG_SED
 
-# Construct a Nix system name (like "i686-linux").
+# Construct a Nix system name (like "i686-linux"):
+# https://www.gnu.org/software/autoconf/manual/html_node/Canonicalizing.html#index-AC_005fCANONICAL_005fHOST-1
+# The inital value is produced by the `config/config.guess` script:
+# upstream: https://git.savannah.gnu.org/cgit/config.git/tree/config.guess
+# It has the following form, which is not documented anywhere:
+# <cpu>-<vendor>-<os>[<version>][-<abi>]
+# If `./configure` is passed any of the `--host`, `--build`, `--target` options, the value comes from `config/config.sub` instead:
+# upstream: https://git.savannah.gnu.org/cgit/config.git/tree/config.sub
 AC_CANONICAL_HOST
 AC_MSG_CHECKING([for the canonical Nix system name])
 
@@ -51,13 +58,17 @@ AC_CHECK_TOOL([AR], [ar])
 AC_SYS_LARGEFILE
 
 
-# Solaris-specific stuff.
+# OS-specific stuff.
 AC_STRUCT_DIRENT_D_TYPE
 case "$host_os" in
   solaris*)
     # Solaris requires -lsocket -lnsl for network functions
     LDFLAGS="-lsocket -lnsl $LDFLAGS"
     ;;
+  darwin*)
+    # Need to link to libsandbox.
+    LDFLAGS="-lsandbox $LDFLAGS"
+    ;;
 esac
 
 
@@ -245,6 +256,17 @@ case "$host_os" in
                         [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
       have_seccomp=1
       AC_DEFINE([HAVE_SECCOMP], [1], [Whether seccomp is available and should be used for sandboxing.])
+      AC_COMPILE_IFELSE([
+        AC_LANG_SOURCE([[
+          #include <seccomp.h>
+          #ifndef __SNR_fchmodat2
+          # error "Missing support for fchmodat2"
+          #endif
+        ]])
+      ], [], [
+        echo "libseccomp is missing __SNR_fchmodat2. Please provide libseccomp 2.5.5 or later"
+        exit 1
+      ])
     else
       have_seccomp=
     fi

doc/internal-api/doxygen.cfg.in

@@ -39,17 +39,21 @@ INPUT                  = \
   src/libcmd \
   src/libexpr \
   src/libexpr/flake \
-  src/libexpr/tests \
-  src/libexpr/tests/value \
+  tests/unit/libexpr \
+  tests/unit/libexpr/value \
+  tests/unit/libexpr/test \
+  tests/unit/libexpr/test/value \
   src/libexpr/value \
   src/libfetchers \
   src/libmain \
   src/libstore \
   src/libstore/build \
   src/libstore/builtins \
-  src/libstore/tests \
+  tests/unit/libstore \
+  tests/unit/libstore/test \
   src/libutil \
-  src/libutil/tests \
+  tests/unit/libutil \
+  tests/unit/libutil/test \
   src/nix \
   src/nix-env \
   src/nix-store

doc/manual/custom.css

@@ -1,3 +1,25 @@
+:root {
+    --sidebar-width: 23em;
+}
+
+h1.menu-title::before {
+  content: "";
+  background-image: url("./favicon.svg");
+  padding: 1.25em;
+  background-position: center center;
+  background-size: 2em;
+  background-repeat: no-repeat;
+}
+
+
+h1.menu-title {
+  padding: 0.5em;
+}
+
+.sidebar .sidebar-scrollbox {
+  padding: 1em;
+}
+
 h1:not(:first-of-type) {
     margin-top: 1.3em;
 }

doc/manual/generate-builtin-constants.nix

@@ -0,0 +1,31 @@
+let
+  inherit (builtins) concatStringsSep attrValues mapAttrs;
+  inherit (import ./utils.nix) optionalString squash;
+in
+
+builtinsInfo:
+let
+  showBuiltin = name: { doc, type, impure-only }:
+    let
+      type' = optionalString (type != null) " (${type})";
+
+      impureNotice = optionalString impure-only ''
+        > **Note**
+        >
+        > Not available in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval).
+      '';
+    in
+    squash ''
+      <dt id="builtins-${name}">
+        <a href="#builtins-${name}"><code>${name}</code></a>${type'}
+      </dt>
+      <dd>
+
+      ${doc}
+
+      ${impureNotice}
+
+      </dd>
+    '';
+in
+concatStringsSep "\n" (attrValues (mapAttrs showBuiltin builtinsInfo))

doc/manual/generate-builtins.nix

@@ -1,24 +1,28 @@
 let
-  inherit (builtins) concatStringsSep attrNames;
+  inherit (builtins) concatStringsSep attrValues mapAttrs;
+  inherit (import ./utils.nix) optionalString squash;
 in
 
 builtinsInfo:
 let
-  showBuiltin = name:
+  showBuiltin = name: { doc, args, arity, experimental-feature }:
     let
-      inherit (builtinsInfo.${name}) doc args;
+      experimentalNotice = optionalString (experimental-feature != null) ''
+        This function is only available if the [${experimental-feature}](@docroot@/contributing/experimental-features.md#xp-feature-${experimental-feature}) experimental feature is enabled.
+      '';
     in
-    ''
+    squash ''
       <dt id="builtins-${name}">
         <a href="#builtins-${name}"><code>${name} ${listArgs args}</code></a>
       </dt>
       <dd>
 
-        ${doc}
+      ${doc}
+
+      ${experimentalNotice}
 
       </dd>
     '';
   listArgs = args: concatStringsSep " " (map (s: "<var>${s}</var>") args);
 in
-concatStringsSep "\n" (map showBuiltin (attrNames builtinsInfo))
-
+concatStringsSep "\n" (attrValues (mapAttrs showBuiltin builtinsInfo))

doc/manual/generate-manpage.nix

@@ -5,7 +5,7 @@ let
   inherit (import ./utils.nix) concatStrings optionalString filterAttrs trim squash unique showSettings;
 in
 
-commandDump:
+inlineHTML: commandDump:
 
 let
 
@@ -30,7 +30,7 @@ let
 
         ${maybeSubcommands}
 
-        ${maybeDocumentation}
+        ${maybeStoreDocs}
 
         ${maybeOptions}
       '';
@@ -70,7 +70,7 @@ let
         * [`${command} ${name}`](./${appendName filename name}.md) - ${subcmd.description}
       '';
 
-      maybeDocumentation = optionalString
+      maybeStoreDocs = optionalString
         (details ? doc)
         (replaceStrings ["@stores@"] [storeDocs] details.doc);
 
@@ -91,17 +91,20 @@ let
           listOptions = opts: concatStringsSep "\n" (attrValues (mapAttrs showOption opts));
           showOption = name: option:
             let
+              result = trim ''
+                - ${item}
+                  ${option.description}
+              '';
+              item = if inlineHTML
+                then ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
+                else "`--${name}` ${shortName} ${labels}";
               shortName = optionalString
                 (option ? shortName)
                 ("/ `-${option.shortName}`");
               labels = optionalString
                 (option ? labels)
                 (concatStringsSep " " (map (s: "*${s}*") option.labels));
-            in trim ''
-              - `--${name}` ${shortName} ${labels}
-
-                ${option.description}
-            '';
+            in result;
           categories = sort lessThan (unique (map (cmd: cmd.category) (attrValues allOptions)));
         in concatStrings (map showCategory categories);
     in squash result;
@@ -137,15 +140,32 @@ let
 
   storeDocs =
     let
-      showStore = name: { settings, doc }:
-        ''
+      showStore = name: { settings, doc, experimentalFeature }:
+        let
+          experimentalFeatureNote = optionalString (experimentalFeature != null) ''
+            > **Warning**
+            > This store is part of an
+            > [experimental feature](@docroot@/contributing/experimental-features.md).
+
+            To use this store, you need to make sure the corresponding experimental feature,
+            [`${experimentalFeature}`](@docroot@/contributing/experimental-features.md#xp-feature-${experimentalFeature}),
+            is enabled.
+            For example, include the following in [`nix.conf`](#):
+
+            ```
+            extra-experimental-features = ${experimentalFeature}
+            ```
+          '';
+        in ''
           ## ${name}
 
           ${doc}
 
+          ${experimentalFeatureNote}
+
           **Settings**:
 
-          ${showSettings { useAnchors = false; } settings}
+          ${showSettings { inherit inlineHTML; } settings}
         '';
     in concatStrings (attrValues (mapAttrs showStore commandInfo.stores));
 

doc/manual/local.mk

@@ -98,12 +98,12 @@ $(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/command-ref/new-cli $(d)/sr
 
 $(d)/src/command-ref/new-cli: $(d)/nix.json $(d)/utils.nix $(d)/generate-manpage.nix $(bindir)/nix
 	@rm -rf $@ $@.tmp
-	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-manpage.nix (builtins.readFile $<)'
+	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-manpage.nix true (builtins.readFile $<)'
 	@mv $@.tmp $@
 
 $(d)/src/command-ref/conf-file.md: $(d)/conf-file.json $(d)/utils.nix $(d)/src/command-ref/conf-file-prefix.md $(d)/src/command-ref/experimental-features-shortlist.md $(bindir)/nix
 	@cat doc/manual/src/command-ref/conf-file-prefix.md > $@.tmp
-	$(trace-gen) $(nix-eval) --expr '(import doc/manual/utils.nix).showSettings { useAnchors = true; } (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
+	$(trace-gen) $(nix-eval) --expr '(import doc/manual/utils.nix).showSettings { inlineHTML = true; } (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
 	@mv $@.tmp $@
 
 $(d)/nix.json: $(bindir)/nix
@@ -128,14 +128,20 @@ $(d)/xp-features.json: $(bindir)/nix
 	$(trace-gen) $(dummy-env) NIX_PATH=nix/corepkgs=corepkgs $(bindir)/nix __dump-xp-features > $@.tmp
 	@mv $@.tmp $@
 
-$(d)/src/language/builtins.md: $(d)/builtins.json $(d)/generate-builtins.nix $(d)/src/language/builtins-prefix.md $(bindir)/nix
+$(d)/src/language/builtins.md: $(d)/language.json $(d)/generate-builtins.nix $(d)/src/language/builtins-prefix.md $(bindir)/nix
 	@cat doc/manual/src/language/builtins-prefix.md > $@.tmp
-	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
+	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<)).builtins' >> $@.tmp;
 	@cat doc/manual/src/language/builtins-suffix.md >> $@.tmp
 	@mv $@.tmp $@
 
-$(d)/builtins.json: $(bindir)/nix
-	$(trace-gen) $(dummy-env) NIX_PATH=nix/corepkgs=corepkgs $(bindir)/nix __dump-builtins > $@.tmp
+$(d)/src/language/builtin-constants.md: $(d)/language.json $(d)/generate-builtin-constants.nix $(d)/src/language/builtin-constants-prefix.md $(bindir)/nix
+	@cat doc/manual/src/language/builtin-constants-prefix.md > $@.tmp
+	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtin-constants.nix (builtins.fromJSON (builtins.readFile $<)).constants' >> $@.tmp;
+	@cat doc/manual/src/language/builtin-constants-suffix.md >> $@.tmp
+	@mv $@.tmp $@
+
+$(d)/language.json: $(bindir)/nix
+	$(trace-gen) $(dummy-env) NIX_PATH=nix/corepkgs=corepkgs $(bindir)/nix __dump-language > $@.tmp
 	@mv $@.tmp $@
 
 # Generate the HTML manual.
@@ -167,7 +173,7 @@ doc/manual/generated/man1/nix3-manpages: $(d)/src/command-ref/new-cli
 	done
 	@touch $@
 
-$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md
+$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md $(d)/src/language/builtin-constants.md $(d)/src/favicon.png $(d)/src/favicon.svg
 	$(trace-gen) \
 		tmp="$$(mktemp -d)"; \
 		cp -r doc/manual "$$tmp"; \

doc/manual/redirects.js

@@ -1,7 +1,9 @@
-// redirect rules for anchors ensure backwards compatibility of URLs.
-// this must be done on the client side, as web servers do not see the anchor part of the URL.
+// redirect rules for URL fragments (client-side) to prevent link rot.
+// this must be done on the client side, as web servers do not see the fragment part of the URL.
+// it will only work with JavaScript enabled in the browser, but this is the best we can do here.
+// see ./_redirects for path redirects (client-side)
 
-// redirections are declared as follows:
+// redirects are declared as follows:
 // each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
 //
 //     IMPORTANT: it must specify the full path with file name and suffix
@@ -19,6 +21,7 @@ const redirects = {
     "chap-distributed-builds": "advanced-topics/distributed-builds.html",
     "chap-post-build-hook": "advanced-topics/post-build-hook.html",
     "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
+    "chap-writing-nix-expressions": "language/index.html",
     "part-command-ref": "command-ref/command-ref.html",
     "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
     "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
@@ -281,7 +284,7 @@ const redirects = {
     "chap-introduction": "introduction.html",
     "ch-basic-package-mgmt": "package-management/basic-package-mgmt.html",
     "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
-    "sec-channels": "package-management/channels.html",
+    "sec-channels": "command-ref/nix-channel.html",
     "ssec-copy-closure": "package-management/copy-closure.html",
     "sec-garbage-collection": "package-management/garbage-collection.html",
     "ssec-gc-roots": "package-management/garbage-collector-roots.html",
@@ -330,17 +333,31 @@ const redirects = {
     "ssec-relnotes-2.0": "release-notes/rl-2.0.html",
     "ssec-relnotes-2.1": "release-notes/rl-2.1.html",
     "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
-    "ssec-relnotes-2.3": "release-notes/rl-2.3.html"
+    "ssec-relnotes-2.3": "release-notes/rl-2.3.html",
   },
   "language/values.html": {
     "simple-values": "#primitives",
     "lists": "#list",
     "strings": "#string",
     "lists": "#list",
-    "attribute-sets": "#attribute-set"
+    "attribute-sets": "#attribute-set",
   },
   "installation/installing-binary.html": {
-    "uninstalling": "uninstall.html"
+    "linux": "uninstall.html#linux",
+    "macos": "uninstall.html#macos",
+    "uninstalling": "uninstall.html",
+  }
+  "contributing/hacking.html": {
+    "nix-with-flakes": "#building-nix-with-flakes",
+    "classic-nix": "#building-nix",
+    "running-tests": "testing.html#running-tests",
+    "unit-tests": "testing.html#unit-tests",
+    "functional-tests": "testing.html#functional-tests",
+    "debugging-failing-functional-tests": "testing.html#debugging-failing-functional-tests",
+    "integration-tests": "testing.html#integration-tests",
+    "installer-tests": "testing.html#installer-tests",
+    "one-time-setup": "testing.html#one-time-setup",
+    "using-the-ci-generated-installer-for-manual-testing": "testing.html#using-the-ci-generated-installer-for-manual-testing",
   }
 };
 

doc/manual/rl-next/harden-user-sandboxing.md

@@ -0,0 +1,8 @@
+---
+synopsis: Harden the user sandboxing
+significance: significant
+issues:
+prs: <only provided once merged>
+---
+
+The build directory has been hardened against interference with the outside world by nesting it inside another directory owned by (and only readable by) the daemon user.

doc/manual/rl-next/leading-period.md

@@ -0,0 +1,10 @@
+---
+synopsis: Store paths are allowed to start with `.`
+issues: 912
+prs: 9867 9091 9095 9120 9121 9122 9130 9219 9224
+---
+
+Leading periods were allowed by accident in Nix 2.4. The Nix team has considered this to be a bug, but this behavior has since been relied on by users, leading to unnecessary difficulties.
+From now on, leading periods are officially, definitively supported. The names `.` and `..` are disallowed, as well as those starting with `.-` or `..-`.
+
+Nix versions that denied leading periods are documented [in the issue](https://github.com/NixOS/nix/issues/912#issuecomment-1919583286).

doc/manual/rl-next/verify-tls.md

@@ -0,0 +1,8 @@
+---
+synopsis: "`<nix/fetchurl.nix>` uses TLS verification"
+prs: [11585]
+---
+
+Previously `<nix/fetchurl.nix>` did not do TLS verification. This was because the Nix sandbox in the past did not have access to TLS certificates, and Nix checks the hash of the fetched file anyway. However, this can expose authentication data from `netrc` and URLs to man-in-the-middle attackers. In addition, Nix now in some cases (such as when using impure derivations) does *not* check the hash. Therefore we have now enabled TLS verification. This means that downloads by `<nix/fetchurl.nix>` will now fail if you're fetching from a HTTPS server that does not have a valid certificate.
+
+`<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue.

doc/manual/src/SUMMARY.md.in

@@ -21,7 +21,6 @@
   - [Profiles](package-management/profiles.md)
   - [Garbage Collection](package-management/garbage-collection.md)
     - [Garbage Collector Roots](package-management/garbage-collector-roots.md)
-  - [Channels](package-management/channels.md)
   - [Sharing Packages Between Machines](package-management/sharing-packages.md)
     - [Serving a Nix store via HTTP](package-management/binary-cache-substituter.md)
     - [Copying Closures via SSH](package-management/copy-closure.md)
@@ -97,15 +96,22 @@
       - [manifest.json](command-ref/files/manifest.json.md)
     - [Channels](command-ref/files/channels.md)
     - [Default Nix expression](command-ref/files/default-nix-expression.md)
-- [Architecture](architecture/architecture.md)
+- [Architecture and Design](architecture/architecture.md)
+  - [File System Object](architecture/file-system-object.md)
+- [Protocols](protocols/protocols.md)
+  - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
+  - [Derivation "ATerm" file format](protocols/derivation-aterm.md)
 - [Glossary](glossary.md)
 - [Contributing](contributing/contributing.md)
   - [Hacking](contributing/hacking.md)
+  - [Testing](contributing/testing.md)
   - [Experimental Features](contributing/experimental-features.md)
   - [CLI guideline](contributing/cli-guideline.md)
+  - [C++ style guide](contributing/cxx.md)
 - [Release Notes](release-notes/release-notes.md)
-  - [Release X.Y (202?-??-??)](release-notes/rl-next.md)
-  - [Release 2.16 (2023-05-21)](release-notes/rl-2.16.md)
+  - [Release 2.18 (2023-09-20)](release-notes/rl-2.18.md)
+  - [Release 2.17 (2023-07-24)](release-notes/rl-2.17.md)
+  - [Release 2.16 (2023-05-31)](release-notes/rl-2.16.md)
   - [Release 2.15 (2023-04-11)](release-notes/rl-2.15.md)
   - [Release 2.14 (2023-02-28)](release-notes/rl-2.14.md)
   - [Release 2.13 (2023-01-17)](release-notes/rl-2.13.md)

doc/manual/src/_redirects

@@ -0,0 +1,30 @@
+# redirect rules for paths (server-side) to prevent link rot.
+# see ./redirects.js for redirects based on URL fragments (client-side)
+#
+# concrete user story this supports:
+# - user finds URL to the manual for Nix x.y
+# - Nix x.z (z > y) is the most recent release
+# - updating the version in the URL will show the right thing
+#
+# format documentation:
+# - https://docs.netlify.com/routing/redirects/#syntax-for-the-redirects-file
+# - https://docs.netlify.com/routing/redirects/redirect-options/
+#
+# conventions:
+# - always force (<CODE>!) since this allows re-using file names
+# - group related paths to ease readability
+# - always append new redirects to the end of the file
+# - redirects that should have been there but are missing can be inserted where they belong
+
+/expressions/expression-language /language/ 301!
+/expressions/language-values /language/values 301!
+/expressions/language-constructs /language/constructs 301!
+/expressions/language-operators /language/operators 301!
+/expressions/* /language/:splat 301!
+
+/package-management/basic-package-mgmt /command-ref/nix-env 301!
+
+/package-management/channels* /command-ref/nix-channel 301!
+
+/package-management/s3-substituter* /command-ref/new-cli/nix3-help-stores#s3-binary-cache-store 301!
+

doc/manual/src/advanced-topics/advanced-topics.md

@@ -1 +1 @@
-
+This section lists advanced topics related to builds and builds performance

doc/manual/src/architecture/architecture.md

@@ -7,11 +7,11 @@ It should help users understand why Nix behaves as it does, and it should help d
 
 Nix consists of [hierarchical layers].
 
-[hierarchical layers]: https://en.m.wikipedia.org/wiki/Multitier_architecture#Layers
+[hierarchical layers]: https://en.wikipedia.org/wiki/Multitier_architecture#Layers
 
 The following [concept map] shows its main components (rectangles), the objects they operate on (rounded rectangles), and their interactions (connecting phrases):
 
-[concept map]: https://en.m.wikipedia.org/wiki/Concept_map
+[concept map]: https://en.wikipedia.org/wiki/Concept_map
 
 ```
 
@@ -76,7 +76,7 @@ The result of a build task can be input to another build task.
 The following [data flow diagram] shows a build plan for illustration.
 Build inputs used as instructions to a build task are marked accordingly:
 
-[data flow diagram]: https://en.m.wikipedia.org/wiki/Data-flow_diagram
+[data flow diagram]: https://en.wikipedia.org/wiki/Data-flow_diagram
 
 ```
 +--------------------------------------------------------------------+

doc/manual/src/architecture/file-system-object.md

@@ -0,0 +1,64 @@
+# File System Object
+
+Nix uses a simplified model of the file system, which consists of file system objects.
+Every file system object is one of the following:
+
+ - File
+
+   - A possibly empty sequence of bytes for contents
+   - A single boolean representing the [executable](https://en.m.wikipedia.org/wiki/File-system_permissions#Permissions) permission
+
+ - Directory
+
+   Mapping of names to child file system objects
+
+ - [Symbolic link](https://en.m.wikipedia.org/wiki/Symbolic_link)
+
+   An arbitrary string.
+   Nix does not assign any semantics to symbolic links.
+
+File system objects and their children form a tree.
+A bare file or symlink can be a root file system object.
+
+Nix does not encode any other file system notions such as [hard links](https://en.m.wikipedia.org/wiki/Hard_link), [permissions](https://en.m.wikipedia.org/wiki/File-system_permissions), timestamps, or other metadata.
+
+## Examples of file system objects
+
+A plain file:
+
+```
+50 B, executable: false
+```
+
+An executable file:
+
+```
+122 KB, executable: true
+```
+
+A symlink:
+
+```
+-> /usr/bin/sh
+```
+
+A directory with contents:
+
+```
+├── bin
+│   └── hello: 35 KB, executable: true
+└── share
+    ├── info
+    │   └── hello.info: 36 KB, executable: false
+    └── man
+        └── man1
+            └── hello.1.gz: 790 B, executable: false
+```
+
+A directory that contains a symlink and other directories:
+
+```
+├── bin -> share/go/bin
+├── nix-support/
+└── share/
+```

doc/manual/src/command-ref/conf-file-prefix.md

@@ -4,49 +4,67 @@
 
 # Description
 
-By default Nix reads settings from the following places:
+Nix supports a variety of configuration settings, which are read from configuration files or taken as command line flags.
 
-  - The system-wide configuration file `sysconfdir/nix/nix.conf` (i.e.
-    `/etc/nix/nix.conf` on most systems), or `$NIX_CONF_DIR/nix.conf` if
-    `NIX_CONF_DIR` is set. Values loaded in this file are not forwarded
-    to the Nix daemon. The client assumes that the daemon has already
-    loaded them.
+## Configuration file
 
-  - If `NIX_USER_CONF_FILES` is set, then each path separated by `:`
-    will be loaded in reverse order.
+By default Nix reads settings from the following places, in that order:
 
-    Otherwise it will look for `nix/nix.conf` files in `XDG_CONFIG_DIRS`
-    and `XDG_CONFIG_HOME`. If unset, `XDG_CONFIG_DIRS` defaults to
-    `/etc/xdg`, and `XDG_CONFIG_HOME` defaults to `$HOME/.config`
-    as per [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html).
+1. The system-wide configuration file `sysconfdir/nix/nix.conf` (i.e. `/etc/nix/nix.conf` on most systems), or `$NIX_CONF_DIR/nix.conf` if [`NIX_CONF_DIR`](./env-common.md#env-NIX_CONF_DIR) is set.
 
-  - If `NIX_CONFIG` is set, its contents is treated as the contents of
-    a configuration file.
+   Values loaded in this file are not forwarded to the Nix daemon.
+   The client assumes that the daemon has already loaded them.
 
-The configuration files consist of `name = value` pairs, one per
-line. Other files can be included with a line like `include path`,
-where *path* is interpreted relative to the current conf file and a
-missing file is an error unless `!include` is used instead. Comments
-start with a `#` character. Here is an example configuration file:
+1. If [`NIX_USER_CONF_FILES`](./env-common.md#env-NIX_USER_CONF_FILES) is set, then each path separated by `:` will be loaded in reverse order.
 
-    keep-outputs = true       # Nice for developers
-    keep-derivations = true   # Idem
+   Otherwise it will look for `nix/nix.conf` files in `XDG_CONFIG_DIRS` and [`XDG_CONFIG_HOME`](./env-common.md#env-XDG_CONFIG_HOME).
+   If unset, `XDG_CONFIG_DIRS` defaults to `/etc/xdg`, and `XDG_CONFIG_HOME` defaults to `$HOME/.config` as per [XDG Base Directory Specification](https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html).
 
-You can override settings on the command line using the `--option`
-flag, e.g. `--option keep-outputs false`. Every configuration setting
-also has a corresponding command line flag, e.g. `--max-jobs 16`; for
-Boolean settings, there are two flags to enable or disable the setting
-(e.g. `--keep-failed` and `--no-keep-failed`).
+1. If [`NIX_CONFIG`](./env-common.md#env-NIX_CONFIG) is set, its contents are treated as the contents of a configuration file.
 
-A configuration setting usually overrides any previous value. However,
-you can prefix the name of the setting by `extra-` to *append* to the
-previous value. For instance,
+### File format
 
-    substituters = a b
-    extra-substituters = c d
+Configuration files consist of `name = value` pairs, one per line.
+Comments start with a `#` character.
 
-defines the `substituters` setting to be `a b c d`. This is also
-available as a command line flag (e.g. `--extra-substituters`).
+Example:
 
-The following settings are currently available:
+```
+keep-outputs = true       # Nice for developers
+keep-derivations = true   # Idem
+```
+
+Other files can be included with a line like `include <path>`, where `<path>` is interpreted relative to the current configuration file.
+A missing file is an error unless `!include` is used instead.
+
+A configuration setting usually overrides any previous value.
+However, for settings that take a list of items, you can prefix the name of the setting by `extra-` to *append* to the previous value.
+
+For instance,
+
+```
+substituters = a b
+extra-substituters = c d
+```
+
+defines the `substituters` setting to be `a b c d`.
+
+Unknown option names are not an error, and are simply ignored with a warning.
+
+## Command line flags
+
+Configuration options can be set on the command line, overriding the values set in the [configuration file](#configuration-file):
+
+- Every configuration setting has corresponding command line flag (e.g. `--max-jobs 16`).
+  Boolean settings do not need an argument, and can be explicitly disabled with the `no-` prefix (e.g. `--keep-failed` and `--no-keep-failed`).
+
+  Unknown option names are invalid flags (unless there is already a flag with that name), and are rejected with an error.
+
+- The flag `--option <name> <value>` is interpreted exactly like a `<name> = <value>` in a setting file.
+
+  Unknown option names are ignored with a warning.
+
+The `extra-` prefix is supported for settings that take a list of items (e.g. `--extra-trusted users alice` or `--option extra-trusted-users alice`).
+
+# Available settings
 

doc/manual/src/command-ref/nix-build.md

@@ -51,8 +51,9 @@ derivation).
 
 # Options
 
-All options not listed here are passed to `nix-store --realise`,
-except for `--arg` and `--attr` / `-A` which are passed to `nix-instantiate`.
+All options not listed here are passed to
+[`nix-store --realise`](nix-store/realise.md),
+except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](nix-instantiate.md).
 
   - <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>
 
@@ -69,6 +70,8 @@ except for `--arg` and `--attr` / `-A` which are passed to `nix-instantiate`.
     Change the name of the symlink to the output path created from
     `result` to *outlink*.
 
+{{#include ./status-build-failure.md}}
+
 {{#include ./opt-common.md}}
 
 {{#include ./env-common.md}}

doc/manual/src/command-ref/nix-channel.md

@@ -4,49 +4,63 @@
 
 # Synopsis
 
-`nix-channel` {`--add` url [*name*] | `--remove` *name* | `--list` | `--update` [*names…*] | `--rollback` [*generation*] }
+`nix-channel` {`--add` url [*name*] | `--remove` *name* | `--list` | `--update` [*names…*] | `--list-generations` | `--rollback` [*generation*] }
 
 # Description
 
-A Nix channel is a mechanism that allows you to automatically stay
-up-to-date with a set of pre-built Nix expressions. A Nix channel is
-just a URL that points to a place containing a set of Nix expressions.
+Channels are a mechanism for referencing remote Nix expressions and conveniently retrieving their latest version.
 
-To see the list of official NixOS channels, visit
-<https://nixos.org/channels>.
+The moving parts of channels are:
+- The official channels listed at <https://nixos.org/channels>
+- The user-specific list of [subscribed channels](#subscribed-channels)
+- The [downloaded channel contents](#channels)
+- The [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path), set with the [`-I` option](#opt-i) or the [`NIX_PATH` environment variable](#env-NIX_PATH)
+
+> **Note**
+>
+> The state of a subscribed channel is external to the Nix expressions relying on it.
+> This may limit reproducibility.
+>
+> Dependencies on other Nix expressions can be declared explicitly with:
+> - [`fetchurl`](@docroot@/language/builtins.md#builtins-fetchurl), [`fetchTarball`](@docroot@/language/builtins.md#builtins-fetchTarball), or [`fetchGit`](@docroot@/language/builtins.md#builtins-fetchGit) in Nix expressions
+> - the [`-I` option](@docroot@/command-ref/opt-common.md#opt-I) in command line invocations
 
 This command has the following operations:
 
   - `--add` *url* \[*name*\]\
-    Adds a channel named *name* with URL *url* to the list of subscribed
-    channels. If *name* is omitted, it defaults to the last component of
-    *url*, with the suffixes `-stable` or `-unstable` removed.
+    Add a channel *name* located at *url* to the list of subscribed channels.
+    If *name* is omitted, default to the last component of *url*, with the suffixes `-stable` or `-unstable` removed.
+
+    > **Note**
+    >
+    > `--add` does not automatically perform an update.
+    > Use `--update` explicitly.
 
     A channel URL must point to a directory containing a file `nixexprs.tar.gz`.
     At the top level, that tarball must contain a single directory with a `default.nix` file that serves as the channel’s entry point.
 
   - `--remove` *name*\
-    Removes the channel named *name* from the list of subscribed
-    channels.
+    Remove the channel *name* from the list of subscribed channels.
 
   - `--list`\
-    Prints the names and URLs of all subscribed channels on standard
-    output.
+    Print the names and URLs of all subscribed channels on standard output.
 
   - `--update` \[*names*…\]\
-    Downloads the Nix expressions of all subscribed channels (or only
-    those included in *names* if specified) and makes them the default
-    for `nix-env` operations (by symlinking them from the directory
-    `~/.nix-defexpr`).
+    Download the Nix expressions of subscribed channels and create a new generation.
+    Update all channels if none is specified, and only those included in *names* otherwise.
+
+  - `--list-generations`\
+    Prints a list of all the current existing generations for the
+    channel profile.
+
+    Works the same way as
+    ```
+    nix-env --profile /nix/var/nix/profiles/per-user/$USER/channels --list-generations
+    ```
 
   - `--rollback` \[*generation*\]\
-    Reverts the previous call to `nix-channel
-                    --update`. Optionally, you can specify a specific channel generation
-    number to restore.
-
-Note that `--add` does not automatically perform an update.
-
-The list of subscribed channels is stored in `~/.nix-channels`.
+    Revert channels to the state before the last call to `nix-channel --update`.
+    Optionally, you can specify a specific channel *generation* number to restore.
 
 {{#include ./opt-common.md}}
 
@@ -60,23 +74,33 @@ The list of subscribed channels is stored in `~/.nix-channels`.
 
 # Examples
 
-To subscribe to the Nixpkgs channel and install the GNU Hello package:
+Subscribe to the Nixpkgs channel and run `hello` from the GNU Hello package:
 
 ```console
 $ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+$ nix-channel --list
+nixpkgs https://nixos.org/channels/nixpkgs
 $ nix-channel --update
-$ nix-env --install --attr nixpkgs.hello
+$ nix-shell -p hello --run hello
+hello
 ```
 
-You can revert channel updates using `--rollback`:
+Revert channel updates using `--rollback`:
 
 ```console
-$ nix-instantiate --eval --expr '(import <nixpkgs> {}).lib.version'
-"14.04.527.0e935f1"
+$ nix-instantiate --eval '<nixpkgs>' --attr lib.version
+"22.11pre296212.530a53dcbc9"
 
 $ nix-channel --rollback
 switching from generation 483 to 482
 
-$ nix-instantiate --eval --expr '(import <nixpkgs> {}).lib.version'
-"14.04.526.dbadfad"
+$ nix-instantiate --eval '<nixpkgs>' --attr lib.version
+"22.11pre281526.d0419badfad"
+```
+
+Remove a channel:
+
+```console
+$ nix-channel --remove nixpkgs
+$ nix-channel --list
 ```

doc/manual/src/command-ref/nix-collect-garbage.md

@@ -1,6 +1,6 @@
 # Name
 
-`nix-collect-garbage` - delete unreachable store paths
+`nix-collect-garbage` - delete unreachable [store objects]
 
 # Synopsis
 
@@ -8,17 +8,57 @@
 
 # Description
 
-The command `nix-collect-garbage` is mostly an alias of [`nix-store
---gc`](@docroot@/command-ref/nix-store/gc.md), that is, it deletes all
-unreachable paths in the Nix store to clean up your system. However,
-it provides two additional options: `-d` (`--delete-old`), which
-deletes all old generations of all profiles in `/nix/var/nix/profiles`
-by invoking `nix-env --delete-generations old` on all profiles (of
-course, this makes rollbacks to previous configurations impossible);
-and `--delete-older-than` *period*, where period is a value such as
-`30d`, which deletes all generations older than the specified number
-of days in all profiles in `/nix/var/nix/profiles` (except for the
-generations that were active at that point in time).
+The command `nix-collect-garbage` is mostly an alias of [`nix-store --gc`](@docroot@/command-ref/nix-store/gc.md).
+That is, it deletes all unreachable [store objects] in the Nix store to clean up your system.
+
+However, it provides two additional options,
+[`--delete-old`](#opt-delete-old) and [`--delete-older-than`](#opt-delete-older-than),
+which also delete old [profiles], allowing potentially more [store objects] to be deleted because profiles are also garbage collection roots.
+These options are the equivalent of running
+[`nix-env --delete-generations`](@docroot@/command-ref/nix-env/delete-generations.md)
+with various augments on multiple profiles,
+prior to running `nix-collect-garbage` (or just `nix-store --gc`) without any flags.
+
+> **Note**
+>
+> Deleting previous configurations makes rollbacks to them impossible.
+
+These flags should be used with care, because they potentially delete generations of profiles used by other users on the system.
+
+## Locations searched for profiles
+
+`nix-collect-garbage` cannot know about all profiles; that information doesn't exist.
+Instead, it looks in a few locations, and acts on all profiles it finds there:
+
+1. The default profile locations as specified in the [profiles] section of the manual.
+
+2. > **NOTE**
+   >
+   > Not stable; subject to change
+   >
+   > Do not rely on this functionality; it just exists for migration purposes and is may change in the future.
+   > These deprecated paths remain a private implementation detail of Nix.
+
+   `$NIX_STATE_DIR/profiles` and `$NIX_STATE_DIR/profiles/per-user`.
+
+   With the exception of `$NIX_STATE_DIR/profiles/per-user/root` and `$NIX_STATE_DIR/profiles/default`, these directories are no longer used by other commands.
+   `nix-collect-garbage` looks there anyways in order to clean up profiles from older versions of Nix.
+
+# Options
+
+These options are for deleting old [profiles] prior to deleting unreachable [store objects].
+
+- <span id="opt-delete-old">[`--delete-old`](#opt-delete-old)</span> / `-d`\
+  Delete all old generations of profiles.
+
+  This is the equivalent of invoking `nix-env --delete-generations old` on each found profile.
+
+- <span id="opt-delete-older-than">[`--delete-older-than`](#opt-delete-older-than)</span> *period*\
+  Delete all generations of profiles older than the specified amount (except for the generations that were active at that point in time).
+  *period* is a value such as `30d`, which would mean 30 days.
+
+  This is the equivalent of invoking [`nix-env --delete-generations <period>`](@docroot@/command-ref/nix-env/delete-generations.md#generations-time) on each found profile.
+  See the documentation of that command for additional information about the *period* argument.
 
 {{#include ./opt-common.md}}
 
@@ -32,3 +72,6 @@ generations of each profile, do
 ```console
 $ nix-collect-garbage -d
 ```
+
+[profiles]: @docroot@/command-ref/files/profiles.md
+[store objects]: @docroot@/glossary.md#gloss-store-object

doc/manual/src/command-ref/nix-env/delete-generations.md

@@ -9,14 +9,47 @@
 # Description
 
 This operation deletes the specified generations of the current profile.
-The generations can be a list of generation numbers, the special value
-`old` to delete all non-current generations, a value such as `30d` to
-delete all generations older than the specified number of days (except
-for the generation that was active at that point in time), or a value
-such as `+5` to keep the last `5` generations ignoring any newer than
-current, e.g., if `30` is the current generation `+5` will delete
-generation `25` and all older generations. Periodically deleting old
-generations is important to make garbage collection effective.
+
+*generations* can be a one of the following:
+
+- <span id="generations-list">`<number>...`</span>:\
+  A list of generation numbers, each one a separate command-line argument.
+
+  Delete exactly the profile generations given by their generation number.
+  Deleting the current generation is not allowed.
+
+- The special value <span id="generations-old">`old`</span>
+
+  Delete all generations except the current one.
+
+  > **WARNING**
+  >
+  > Older *and newer* generations will be deleted by this operation.
+  >
+  > One might expect this to just delete older generations than the curent one, but that is only true if the current generation is also the latest.
+  > Because one can roll back to a previous generation, it is possible to have generations newer than the current one.
+  > They will also be deleted.
+
+- <span id="generations-time">`<number>d`</span>:\
+  The last *number* days
+
+  *Example*: `30d`
+
+  Delete all generations created more than *number* days ago, except the most recent one of them.
+  This allows rolling back to generations that were available within the specified period.
+
+- <span id="generations-count">`+<number>`</span>:\
+  The last *number* generations up to the present
+
+  *Example*: `+5`
+
+  Keep the last *number* generations, along with any newer than current.
+
+Periodically deleting old generations is important to make garbage collection
+effective.
+The is because profiles are also garbage collection roots — any [store object] reachable from a profile is "alive" and ineligible for deletion.
+
+[store object]: @docroot@/glossary.md#gloss-store-object
 
 {{#include ./opt-common.md}}
 
@@ -28,19 +61,35 @@ generations is important to make garbage collection effective.
 
 # Examples
 
+## Delete explicit generation numbers
+
 ```console
 $ nix-env --delete-generations 3 4 8
 ```
 
+Delete the generations numbered 3, 4, and 8, so long as the current active generation is not any of those.
+
+## Keep most-recent by count (number of generations)
+
 ```console
 $ nix-env --delete-generations +5
 ```
 
+Suppose `30` is the current generation, and we currently have generations numbered `20` through `32`.
+
+Then this command will delete generations `20` through `25` (`<= 30 - 5`),
+and keep generations `26` through `31` (`> 30 - 5`).
+
+## Keep most-recent by time (number of days)
+
 ```console
 $ nix-env --delete-generations 30d
 ```
 
+This command will delete all generations older than 30 days, except for the generation that was active 30 days ago (if it currently exists).
+
+## Delete all older
+
 ```console
 $ nix-env --profile other_profile --delete-generations old
 ```
-

doc/manual/src/command-ref/nix-env/install.md

@@ -30,7 +30,7 @@ a number of possible ways:
     derivation with the highest *priority* is used. A derivation can
     define a priority by declaring the `meta.priority` attribute. This
     attribute should be a number, with a higher value denoting a lower
-    priority. The default priority is `0`.
+    priority. The default priority is `5`.
 
     If there are multiple matching derivations with the same priority,
     then the derivation with the highest version will be installed.

doc/manual/src/command-ref/nix-prefetch-url.md

@@ -31,15 +31,18 @@ store already contains a file with the same hash and base name.
 Otherwise, the file is downloaded, and an error is signaled if the
 actual hash of the file does not match the specified hash.
 
-This command prints the hash on standard output. Additionally, if the
-option `--print-path` is used, the path of the downloaded file in the
-Nix store is also printed.
+This command prints the hash on standard output.
+The hash is printed using base-32 unless `--type md5` is specified,
+in which case it's printed using base-16.
+Additionally, if the option `--print-path` is used,
+the path of the downloaded file in the Nix store is also printed.
 
 # Options
 
   - `--type` *hashAlgo*\
-    Use the specified cryptographic hash algorithm, which can be one of
-    `md5`, `sha1`, `sha256`, and `sha512`.
+    Use the specified cryptographic hash algorithm,
+    which can be one of `md5`, `sha1`, `sha256`, and `sha512`.
+    The default is `sha256`.
 
   - `--print-path`\
     Print the store path of the downloaded file on standard output.

doc/manual/src/command-ref/nix-store/query.md

@@ -5,8 +5,8 @@
 # Synopsis
 
 `nix-store` {`--query` | `-q`}
-  {`--outputs` | `--requisites` | `-R` | `--references` |
-  `--referrers` | `--referrers-closure` | `--deriver` | `-d` |
+  {`--outputs` | `--requisites` | `-R` | `--references` | `--referrers` |
+  `--referrers-closure` | `--deriver` | `-d` | `--valid-derivers` |
   `--graph` | `--tree` | `--binding` *name* | `-b` *name* | `--hash` |
   `--size` | `--roots`}
   [`--use-output`] [`-u`] [`--force-realise`] [`-f`]
@@ -82,13 +82,21 @@ symlink.
     in the Nix store that are dependent on *paths*.
 
   - `--deriver`; `-d`\
-    Prints the [deriver] of the store paths *paths*. If
+    Prints the [deriver] that was used to build the store paths *paths*. If
     the path has no deriver (e.g., if it is a source file), or if the
     deriver is not known (e.g., in the case of a binary-only
     deployment), the string `unknown-deriver` is printed.
+    The returned deriver is not guaranteed to exist in the local store, for
+    example when *paths* were substituted from a binary cache.
+    Use `--valid-derivers` instead to obtain valid paths only.
 
     [deriver]: ../../glossary.md#gloss-deriver
 
+  - `--valid-derivers`\
+    Prints a set of derivation files (`.drv`) which are supposed produce
+    said paths when realized. Might print nothing, for example for source paths
+    or paths subsituted from a binary cache.
+
   - `--graph`\
     Prints the references graph of the store paths *paths* in the format
     of the `dot` tool of AT\&T's [Graphviz

doc/manual/src/command-ref/nix-store/realise.md

@@ -1,6 +1,6 @@
 # Name
 
-`nix-store --realise` - realise specified store paths
+`nix-store --realise` - build or fetch store objects
 
 # Synopsis
 
@@ -8,33 +8,35 @@
 
 # Description
 
-The operation `--realise` essentially “builds” the specified store
-paths. Realisation is a somewhat overloaded term:
 
-  - If the store path is a *derivation*, realisation ensures that the
-    output paths of the derivation are [valid] (i.e.,
-    the output path and its closure exist in the file system). This
-    can be done in several ways. First, it is possible that the
-    outputs are already valid, in which case we are done
-    immediately. Otherwise, there may be [substitutes]
-    that produce the outputs (e.g., by downloading them). Finally, the
-    outputs can be produced by running the build task described
-    by the derivation.
+Each of *paths* is processed as follows:
 
-  - If the store path is not a derivation, realisation ensures that the
-    specified path is valid (i.e., it and its closure exist in the file
-    system). If the path is already valid, we are done immediately.
-    Otherwise, the path and any missing paths in its closure may be
-    produced through substitutes. If there are no (successful)
-    substitutes, realisation fails.
+- If the path leads to a [store derivation]:
+  1. If it is not [valid], substitute the store derivation file itself.
+  2. Realise its [output paths]:
+    - Try to fetch from [substituters] the [store objects] associated with the output paths in the store derivation's [closure].
+      - With [content-addressed derivations] (experimental): Determine the output paths to realise by querying content-addressed realisation entries in the [Nix database].
+    - For any store paths that cannot be substituted, produce the required store objects. This involves first realising all outputs of the derivation's dependencies and then running the derivation's [`builder`](@docroot@/language/derivations.md#attr-builder) executable. <!-- TODO: Link to build process page #8888 -->
+- Otherwise, and if the path is not already valid: Try to fetch the associated [store objects] in the path's [closure] from [substituters].
 
+If no substitutes are available and no store derivation is given, realisation fails.
+
+[store paths]: @docroot@/glossary.md#gloss-store-path
 [valid]: @docroot@/glossary.md#gloss-validity
-[substitutes]: @docroot@/glossary.md#gloss-substitute
+[store derivation]: @docroot@/glossary.md#gloss-store-derivation
+[output paths]: @docroot@/glossary.md#gloss-output-path
+[store objects]: @docroot@/glossary.md#gloss-store-object
+[closure]: @docroot@/glossary.md#gloss-closure
+[substituters]: @docroot@/command-ref/conf-file.md#conf-substituters
+[content-addressed derivations]: @docroot@/contributing/experimental-features.md#xp-feature-ca-derivations
+[Nix database]: @docroot@/glossary.md#gloss-nix-database
 
-The output path of each derivation is printed on standard output. (For
-non-derivations argument, the argument itself is printed.)
+The resulting paths are printed on standard output.
+For non-derivation arguments, the argument itself is printed.
 
-The following flags are available:
+{{#include ../status-build-failure.md}}
+
+# Options
 
   - `--dry-run`\
     Print on standard error a description of what packages would be
@@ -54,37 +56,6 @@ The following flags are available:
     previous build, the new output path is left in
     `/nix/store/name.check.`
 
-Special exit codes:
-
-  - `100`\
-    Generic build failure, the builder process returned with a non-zero
-    exit code.
-
-  - `101`\
-    Build timeout, the build was aborted because it did not complete
-    within the specified `timeout`.
-
-  - `102`\
-    Hash mismatch, the build output was rejected because it does not
-    match the [`outputHash` attribute of the
-    derivation](@docroot@/language/advanced-attributes.md).
-
-  - `104`\
-    Not deterministic, the build succeeded in check mode but the
-    resulting output is not binary reproducible.
-
-With the `--keep-going` flag it's possible for multiple failures to
-occur, in this case the 1xx status codes are or combined using binary
-or.
-
-    1100100
-       ^^^^
-       |||`- timeout
-       ||`-- output hash mismatch
-       |`--- build failure
-       `---- not deterministic
-
-
 {{#include ./opt-common.md}}
 
 {{#include ../opt-common.md}}
@@ -96,8 +67,6 @@ or.
 This operation is typically used to build [store derivation]s produced by
 [`nix-instantiate`](@docroot@/command-ref/nix-instantiate.md):
 
-[store derivation]: @docroot@/glossary.md#gloss-store-derivation
-
 ```console
 $ nix-store --realise $(nix-instantiate ./test.nix)
 /nix/store/31axcgrlbfsxzmfff1gyj1bf62hvkby2-aterm-2.3.1

doc/manual/src/command-ref/opt-common.md

@@ -2,217 +2,204 @@
 
 Most Nix commands accept the following command-line options:
 
-  - <span id="opt-help">[`--help`](#opt-help)</span>\
-    Prints out a summary of the command syntax and exits.
+- <span id="opt-help">[`--help`](#opt-help)</span>
 
-  - <span id="opt-version">[`--version`](#opt-version)</span>\
-    Prints out the Nix version number on standard output and exits.
+  Prints out a summary of the command syntax and exits.
 
-  - <span id="opt-verbose">[`--verbose`](#opt-verbose)</span> / `-v`\
-    Increases the level of verbosity of diagnostic messages printed on
-    standard error. For each Nix operation, the information printed on
-    standard output is well-defined; any diagnostic information is
-    printed on standard error, never on standard output.
+- <span id="opt-version">[`--version`](#opt-version)</span>
 
-    This option may be specified repeatedly. Currently, the following
-    verbosity levels exist:
+  Prints out the Nix version number on standard output and exits.
 
-      - 0\
-        “Errors only”: only print messages explaining why the Nix
-        invocation failed.
+- <span id="opt-verbose">[`--verbose`](#opt-verbose)</span> / `-v`
 
-      - 1\
-        “Informational”: print *useful* messages about what Nix is
-        doing. This is the default.
+  Increases the level of verbosity of diagnostic messages printed on standard error.
+  For each Nix operation, the information printed on standard output is well-defined;
+  any diagnostic information is printed on standard error, never on standard output.
 
-      - 2\
-        “Talkative”: print more informational messages.
+  This option may be specified repeatedly.
+  Currently, the following verbosity levels exist:
 
-      - 3\
-        “Chatty”: print even more informational messages.
+  - `0` “Errors only”
 
-      - 4\
-        “Debug”: print debug information.
+    Only print messages explaining why the Nix invocation failed.
 
-      - 5\
-        “Vomit”: print vast amounts of debug information.
+  - `1` “Informational”
 
-  - <span id="opt-quiet">[`--quiet`](#opt-quiet)</span>\
-    Decreases the level of verbosity of diagnostic messages printed on
-    standard error. This is the inverse option to `-v` / `--verbose`.
+    Print *useful* messages about what Nix is doing.
+    This is the default.
 
-    This option may be specified repeatedly. See the previous verbosity
-    levels list.
+  - `2` “Talkative”
 
-  - <span id="opt-log-format">[`--log-format`](#opt-log-format)</span> *format*\
-    This option can be used to change the output of the log format, with
-    *format* being one of:
+    Print more informational messages.
 
-      - raw\
-        This is the raw format, as outputted by nix-build.
+  - `3` “Chatty”
 
-      - internal-json\
-        Outputs the logs in a structured manner.
+    Print even more informational messages.
 
-        > **Warning**
-        >
-        > While the schema itself is relatively stable, the format of
-        > the error-messages (namely of the `msg`-field) can change
-        > between releases.
+  - `4` “Debug”
+   
+    Print debug information.
 
-      - bar\
-        Only display a progress bar during the builds.
+  - `5` “Vomit”
 
-      - bar-with-logs\
-        Display the raw logs, with the progress bar at the bottom.
+    Print vast amounts of debug information.
 
-  - <span id="opt-no-build-output">[`--no-build-output`](#opt-no-build-output)</span> / `-Q`\
-    By default, output written by builders to standard output and
-    standard error is echoed to the Nix command's standard error. This
-    option suppresses this behaviour. Note that the builder's standard
-    output and error are always written to a log file in
-    `prefix/nix/var/log/nix`.
+- <span id="opt-quiet">[`--quiet`](#opt-quiet)</span>
 
-  - <span id="opt-max-jobs">[`--max-jobs`](#opt-max-jobs)</span> / `-j` *number*\
-    Sets the maximum number of build jobs that Nix will perform in
-    parallel to the specified number. Specify `auto` to use the number
-    of CPUs in the system. The default is specified by the `max-jobs`
-    configuration setting, which itself defaults to `1`. A higher
-    value is useful on SMP systems or to exploit I/O latency.
+  Decreases the level of verbosity of diagnostic messages printed on standard error.
+  This is the inverse option to `-v` / `--verbose`.
 
-    Setting it to `0` disallows building on the local machine, which is
-    useful when you want builds to happen only on remote builders.
+  This option may be specified repeatedly.
+  See the previous verbosity levels list.
 
-  - <span id="opt-cores">[`--cores`](#opt-cores)</span>\
-    Sets the value of the `NIX_BUILD_CORES` environment variable in
-    the invocation of builders. Builders can use this variable at
-    their discretion to control the maximum amount of parallelism. For
-    instance, in Nixpkgs, if the derivation attribute
-    `enableParallelBuilding` is set to `true`, the builder passes the
-    `-jN` flag to GNU Make. It defaults to the value of the `cores`
-    configuration setting, if set, or `1` otherwise. The value `0`
-    means that the builder should use all available CPU cores in the
-    system.
+- <span id="opt-log-format">[`--log-format`](#opt-log-format)</span> *format*
 
-  - <span id="opt-max-silent-time">[`--max-silent-time`](#opt-max-silent-time)</span>\
-    Sets the maximum number of seconds that a builder can go without
-    producing any data on standard output or standard error. The
-    default is specified by the `max-silent-time` configuration
-    setting. `0` means no time-out.
+  This option can be used to change the output of the log format, with *format* being one of:
 
-  - <span id="opt-timeout">[`--timeout`](#opt-timeout)</span>\
-    Sets the maximum number of seconds that a builder can run. The
-    default is specified by the `timeout` configuration setting. `0`
-    means no timeout.
+  - `raw`
 
-  - <span id="opt-keep-going">[`--keep-going`](#opt-keep-going)</span> / `-k`\
-    Keep going in case of failed builds, to the greatest extent
-    possible. That is, if building an input of some derivation fails,
-    Nix will still build the other inputs, but not the derivation
-    itself. Without this option, Nix stops if any build fails (except
-    for builds of substitutes), possibly killing builds in progress (in
-    case of parallel or distributed builds).
+    This is the raw format, as outputted by nix-build.
 
-  - <span id="opt-keep-failed">[`--keep-failed`](#opt-keep-failed)</span> / `-K`\
-    Specifies that in case of a build failure, the temporary directory
-    (usually in `/tmp`) in which the build takes place should not be
-    deleted. The path of the build directory is printed as an
-    informational message.
+  - `internal-json`
 
-  - <span id="opt-fallback">[`--fallback`](#opt-fallback)</span>\
-    Whenever Nix attempts to build a derivation for which substitutes
-    are known for each output path, but realising the output paths
-    through the substitutes fails, fall back on building the derivation.
+    Outputs the logs in a structured manner.
 
-    The most common scenario in which this is useful is when we have
-    registered substitutes in order to perform binary distribution from,
-    say, a network repository. If the repository is down, the
-    realisation of the derivation will fail. When this option is
-    specified, Nix will build the derivation instead. Thus, installation
-    from binaries falls back on installation from source. This option is
-    not the default since it is generally not desirable for a transient
-    failure in obtaining the substitutes to lead to a full build from
-    source (with the related consumption of resources).
+    > **Warning**
+    >
+    > While the schema itself is relatively stable, the format of
+    > the error-messages (namely of the `msg`-field) can change
+    > between releases.
 
-  - <span id="opt-readonly-mode">[`--readonly-mode`](#opt-readonly-mode)</span>\
-    When this option is used, no attempt is made to open the Nix
-    database. Most Nix operations do need database access, so those
-    operations will fail.
+  - `bar`
 
-  - <span id="opt-arg">[`--arg`](#opt-arg)</span> *name* *value*\
-    This option is accepted by `nix-env`, `nix-instantiate`,
-    `nix-shell` and `nix-build`. When evaluating Nix expressions, the
-    expression evaluator will automatically try to call functions that
-    it encounters. It can automatically call functions for which every
-    argument has a [default
-    value](@docroot@/language/constructs.md#functions) (e.g.,
-    `{ argName ?  defaultValue }: ...`). With `--arg`, you can also
-    call functions that have arguments without a default value (or
-    override a default value). That is, if the evaluator encounters a
-    function with an argument named *name*, it will call it with value
-    *value*.
+    Only display a progress bar during the builds.
 
-    For instance, the top-level `default.nix` in Nixpkgs is actually a
-    function:
+  - `bar-with-logs`
 
-    ```nix
-    { # The system (e.g., `i686-linux') for which to build the packages.
-      system ? builtins.currentSystem
-      ...
-    }: ...
-    ```
+    Display the raw logs, with the progress bar at the bottom.
 
-    So if you call this Nix expression (e.g., when you do `nix-env --install --attr
-    pkgname`), the function will be called automatically using the
-    value [`builtins.currentSystem`](@docroot@/language/builtins.md) for
-    the `system` argument. You can override this using `--arg`, e.g.,
-    `nix-env --install --attr pkgname --arg system \"i686-freebsd\"`. (Note that
-    since the argument is a Nix string literal, you have to escape the
-    quotes.)
+- <span id="opt-no-build-output">[`--no-build-output`](#opt-no-build-output)</span> / `-Q`
 
-  - <span id="opt-argstr">[`--argstr`](#opt-argstr)</span> *name* *value*\
-    This option is like `--arg`, only the value is not a Nix
-    expression but a string. So instead of `--arg system
-    \"i686-linux\"` (the outer quotes are to keep the shell happy) you
-    can say `--argstr system i686-linux`.
+  By default, output written by builders to standard output and standard error is echoed to the Nix command's standard error.
+  This option suppresses this behaviour.
+  Note that the builder's standard output and error are always written to a log file in `prefix/nix/var/log/nix`.
 
-  - <span id="opt-attr">[`--attr`](#opt-attr)</span> / `-A` *attrPath*\
-    Select an attribute from the top-level Nix expression being
-    evaluated. (`nix-env`, `nix-instantiate`, `nix-build` and
-    `nix-shell` only.) The *attribute path* *attrPath* is a sequence
-    of attribute names separated by dots. For instance, given a
-    top-level Nix expression *e*, the attribute path `xorg.xorgserver`
-    would cause the expression `e.xorg.xorgserver` to be used. See
-    [`nix-env --install`](@docroot@/command-ref/nix-env/install.md) for some
-    concrete examples.
+- <span id="opt-max-jobs">[`--max-jobs`](#opt-max-jobs)</span> / `-j` *number*
 
-    In addition to attribute names, you can also specify array indices.
-    For instance, the attribute path `foo.3.bar` selects the `bar`
-    attribute of the fourth element of the array in the `foo` attribute
-    of the top-level expression.
+  Sets the maximum number of build jobs that Nix will perform in parallel to the specified number.
+  Specify `auto` to use the number of CPUs in the system.
+  The default is specified by the `max-jobs` configuration setting, which itself defaults to `1`.
+  A higher value is useful on SMP systems or to exploit I/O latency.
 
-  - <span id="opt-expr">[`--expr`](#opt-expr)</span> / `-E`\
-    Interpret the command line arguments as a list of Nix expressions to
-    be parsed and evaluated, rather than as a list of file names of Nix
-    expressions. (`nix-instantiate`, `nix-build` and `nix-shell` only.)
+  Setting it to `0` disallows building on the local machine, which is useful when you want builds to happen only on remote builders.
 
-    For `nix-shell`, this option is commonly used to give you a shell in
-    which you can build the packages returned by the expression. If you
-    want to get a shell which contain the *built* packages ready for
-    use, give your expression to the `nix-shell --packages ` convenience flag
-    instead.
+- <span id="opt-cores">[`--cores`](#opt-cores)</span>
 
-  - <span id="opt-I">[`-I`](#opt-I)</span> *path*\
-    Add an entry to the [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path).
-    This option may be given multiple times.
-    Paths added through `-I` take precedence over [`NIX_PATH`](@docroot@/command-ref/env-common.md#env-NIX_PATH).
+  Sets the value of the `NIX_BUILD_CORES` environment variable in the invocation of builders.
+  Builders can use this variable at their discretion to control the maximum amount of parallelism.
+  For instance, in Nixpkgs, if the derivation attribute `enableParallelBuilding` is set to `true`, the builder passes the `-jN` flag to GNU Make.
+  It defaults to the value of the `cores` configuration setting, if set, or `1` otherwise.
+  The value `0` means that the builder should use all available CPU cores in the system.
 
-  - <span id="opt-option">[`--option`](#opt-option)</span> *name* *value*\
-    Set the Nix configuration option *name* to *value*. This overrides
-    settings in the Nix configuration file (see nix.conf5).
+- <span id="opt-max-silent-time">[`--max-silent-time`](#opt-max-silent-time)</span>
 
-  - <span id="opt-repair">[`--repair`](#opt-repair)</span>\
-    Fix corrupted or missing store paths by redownloading or rebuilding
-    them. Note that this is slow because it requires computing a
-    cryptographic hash of the contents of every path in the closure of
-    the build. Also note the warning under `nix-store --repair-path`.
+  Sets the maximum number of seconds that a builder can go without producing any data on standard output or standard error.
+  The default is specified by the `max-silent-time` configuration setting.
+  `0` means no time-out.
+
+- <span id="opt-timeout">[`--timeout`](#opt-timeout)</span>
+
+  Sets the maximum number of seconds that a builder can run.
+  The default is specified by the `timeout` configuration setting.
+  `0` means no timeout.
+
+- <span id="opt-keep-going">[`--keep-going`](#opt-keep-going)</span> / `-k`
+
+  Keep going in case of failed builds, to the greatest extent possible.
+  That is, if building an input of some derivation fails, Nix will still build the other inputs, but not the derivation itself.
+  Without this option, Nix stops if any build fails (except for builds of substitutes), possibly killing builds in progress (in case of parallel or distributed builds).
+
+- <span id="opt-keep-failed">[`--keep-failed`](#opt-keep-failed)</span> / `-K`
+
+  Specifies that in case of a build failure, the temporary directory (usually in `/tmp`) in which the build takes place should not be deleted.
+  The path of the build directory is printed as an informational message.
+
+- <span id="opt-fallback">[`--fallback`](#opt-fallback)</span>
+
+  Whenever Nix attempts to build a derivation for which substitutes are known for each output path, but realising the output paths through the substitutes fails, fall back on building the derivation.
+
+  The most common scenario in which this is useful is when we have registered substitutes in order to perform binary distribution from, say, a network repository.
+  If the repository is down, the realisation of the derivation will fail.
+  When this option is specified, Nix will build the derivation instead.
+  Thus, installation from binaries falls back on installation from source.
+  This option is not the default since it is generally not desirable for a transient failure in obtaining the substitutes to lead to a full build from source (with the related consumption of resources).
+
+- <span id="opt-readonly-mode">[`--readonly-mode`](#opt-readonly-mode)</span>
+
+  When this option is used, no attempt is made to open the Nix database.
+  Most Nix operations do need database access, so those operations will fail.
+
+- <span id="opt-arg">[`--arg`](#opt-arg)</span> *name* *value*
+
+  This option is accepted by `nix-env`, `nix-instantiate`, `nix-shell` and `nix-build`.
+  When evaluating Nix expressions, the expression evaluator will automatically try to call functions that it encounters.
+  It can automatically call functions for which every argument has a [default value](@docroot@/language/constructs.md#functions) (e.g., `{ argName ?  defaultValue }: ...`).
+
+  With `--arg`, you can also call functions that have arguments without a default value (or override a default value).
+  That is, if the evaluator encounters a function with an argument named *name*, it will call it with value *value*.
+
+  For instance, the top-level `default.nix` in Nixpkgs is actually a function:
+
+  ```nix
+  { # The system (e.g., `i686-linux') for which to build the packages.
+    system ? builtins.currentSystem
+    ...
+  }: ...
+  ```
+
+  So if you call this Nix expression (e.g., when you do `nix-env --install --attr pkgname`), the function will be called automatically using the value [`builtins.currentSystem`](@docroot@/language/builtins.md) for the `system` argument.
+  You can override this using `--arg`, e.g., `nix-env --install --attr pkgname --arg system \"i686-freebsd\"`.
+  (Note that since the argument is a Nix string literal, you have to escape the quotes.)
+
+- <span id="opt-argstr">[`--argstr`](#opt-argstr)</span> *name* *value*
+
+  This option is like `--arg`, only the value is not a Nix expression but a string.
+  So instead of `--arg system \"i686-linux\"` (the outer quotes are to keep the shell happy) you can say `--argstr system i686-linux`.
+
+- <span id="opt-attr">[`--attr`](#opt-attr)</span> / `-A` *attrPath*
+
+  Select an attribute from the top-level Nix expression being evaluated.
+  (`nix-env`, `nix-instantiate`, `nix-build` and `nix-shell` only.)
+  The *attribute path* *attrPath* is a sequence of attribute names separated by dots.
+  For instance, given a top-level Nix expression *e*, the attribute path `xorg.xorgserver` would cause the expression `e.xorg.xorgserver` to be used.
+  See [`nix-env --install`](@docroot@/command-ref/nix-env/install.md) for some concrete examples.
+
+  In addition to attribute names, you can also specify array indices.
+  For instance, the attribute path `foo.3.bar` selects the `bar`
+  attribute of the fourth element of the array in the `foo` attribute
+  of the top-level expression.
+
+- <span id="opt-expr">[`--expr`](#opt-expr)</span> / `-E`
+
+  Interpret the command line arguments as a list of Nix expressions to be parsed and evaluated, rather than as a list of file names of Nix expressions.
+  (`nix-instantiate`, `nix-build` and `nix-shell` only.)
+
+  For `nix-shell`, this option is commonly used to give you a shell in which you can build the packages returned by the expression.
+  If you want to get a shell which contain the *built* packages ready for use, give your expression to the `nix-shell --packages ` convenience flag instead.
+
+- <span id="opt-I">[`-I`](#opt-I)</span> *path*
+
+  Add an entry to the [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path).
+  This option may be given multiple times.
+  Paths added through `-I` take precedence over [`NIX_PATH`](@docroot@/command-ref/env-common.md#env-NIX_PATH).
+
+- <span id="opt-option">[`--option`](#opt-option)</span> *name* *value*
+
+  Set the Nix configuration option *name* to *value*.
+  This overrides settings in the Nix configuration file (see nix.conf5).
+
+- <span id="opt-repair">[`--repair`](#opt-repair)</span>
+
+  Fix corrupted or missing store paths by redownloading or rebuilding them.
+  Note that this is slow because it requires computing a cryptographic hash of the contents of every path in the closure of the build.
+  Also note the warning under `nix-store --repair-path`.

doc/manual/src/command-ref/status-build-failure.md

@@ -0,0 +1,34 @@
+# Special exit codes for build failure
+
+1xx status codes are used when requested builds failed.
+The following codes are in use:
+
+- `100` Generic build failure
+
+  The builder process returned with a non-zero exit code.
+
+- `101` Build timeout
+
+  The build was aborted because it did not complete within the specified `timeout`.
+
+- `102` Hash mismatch
+
+  The build output was rejected because it does not match the
+  [`outputHash` attribute of the derivation](@docroot@/language/advanced-attributes.md).
+
+- `104` Not deterministic
+
+  The build succeeded in check mode but the resulting output is not binary reproducible.
+
+With the `--keep-going` flag it's possible for multiple failures to occur.
+In this case the 1xx status codes are or combined using
+[bitwise OR](https://en.wikipedia.org/wiki/Bitwise_operation#OR).
+
+```
+0b1100100
+     ^^^^
+     |||`- timeout
+     ||`-- output hash mismatch
+     |`--- build failure
+     `---- not deterministic
+```

doc/manual/src/contributing/cxx.md

@@ -0,0 +1,28 @@
+# C++ style guide
+
+Some miscellaneous notes on how we write C++.
+Formatting we hope to eventually normalize automatically, so this section is free to just discuss higher-level concerns.
+
+## The `*-impl.hh` pattern
+
+Let's start with some background info first.
+Headers, are supposed to contain declarations, not definitions.
+This allows us to change a definition without changing the declaration, and have a very small rebuild during development.
+Templates, however, need to be specialized to use-sites.
+Absent fancier techniques, templates require that the definition, not just mere declaration, must be available at use-sites in order to make that specialization on the fly as part of compiling those use-sites.
+Making definitions available like that means putting them in headers, but that is unfortunately means we get all the extra rebuilds we want to avoid by just putting declarations there as described above.
+
+The `*-impl.hh` pattern is a ham-fisted partial solution to this problem.
+It constitutes:
+
+- Declaring items only in the main `foo.hh`, including templates.
+
+- Putting template definitions in a companion `foo-impl.hh` header.
+
+Most C++ developers would accompany this by having `foo.hh` include `foo-impl.hh`, to ensure any file getting the template declarations also got the template definitions.
+But we've found not doing this has some benefits and fewer than imagined downsides.
+The fact remains that headers are rarely as minimal as they could be;
+there is often code that needs declarations from the headers but not the templates within them.
+With our pattern where `foo.hh` doesn't include `foo-impl.hh`, that means they can just include `foo.hh`
+Code that needs both just includes `foo.hh` and `foo-impl.hh`.
+This does make linking error possible where something forgets to include `foo-impl.hh` that needs it, but those are build-time only as easy to fix.

doc/manual/src/contributing/hacking.md

@@ -12,14 +12,15 @@ The following instructions assume you already have some version of Nix installed
 
 [installation instructions]: ../installation/installation.md
 
-## Nix with flakes
+## Building Nix with flakes
 
-This section assumes you are using Nix with [flakes] enabled. See the [next section](#classic-nix) for equivalent instructions which don't require flakes.
+This section assumes you are using Nix with the [`flakes`] and [`nix-command`] experimental features enabled.
+See the [Building Nix](#building-nix) section for equivalent instructions using stable Nix interfaces.
 
-[flakes]: ../command-ref/new-cli/nix3-flake.md#description
+[`flakes`]: @docroot@/contributing/experimental-features.md#xp-feature-flakes
+[`nix-command`]: @docroot@/contributing/experimental-features.md#xp-nix-command
 
-To build all dependencies and start a shell in which all environment
-variables are set up so that those dependencies can be found:
+To build all dependencies and start a shell in which all environment variables are set up so that those dependencies can be found:
 
 ```console
 $ nix develop
@@ -55,20 +56,17 @@ To install it in `$(pwd)/outputs` and test it:
 nix (Nix) 2.12
 ```
 
-To build a release version of Nix:
+To build a release version of Nix for the current operating system and CPU architecture:
 
 ```console
 $ nix build
 ```
 
-You can also build Nix for one of the [supported target platforms](#target-platforms).
+You can also build Nix for one of the [supported platforms](#platforms).
 
-## Classic Nix
+## Building Nix
 
-This section is for Nix without [flakes].
-
-To build all dependencies and start a shell in which all environment
-variables are set up so that those dependencies can be found:
+To build all dependencies and start a shell in which all environment variables are set up so that those dependencies can be found:
 
 ```console
 $ nix-shell
@@ -102,51 +100,82 @@ To install it in `$(pwd)/outputs` and test it:
 nix (Nix) 2.12
 ```
 
-To build Nix for the current operating system and CPU architecture use
+To build a release version of Nix for the current operating system and CPU architecture:
 
 ```console
 $ nix-build
 ```
 
-You can also build Nix for one of the [supported target platforms](#target-platforms).
+You can also build Nix for one of the [supported platforms](#platforms).
 
 ## Platforms
 
-As specified in [`flake.nix`], Nix can be built for various platforms:
-
-- `aarch64-linux`
-- `i686-linux`
-- `x86_64-darwin`
-- `x86_64-linux`
+Nix can be built for various platforms, as specified in [`flake.nix`]:
 
 [`flake.nix`]: https://github.com/nixos/nix/blob/master/flake.nix
 
+- `x86_64-linux`
+- `x86_64-darwin`
+- `i686-linux`
+- `aarch64-linux`
+- `aarch64-darwin`
+- `armv6l-linux`
+- `armv7l-linux`
+
 In order to build Nix for a different platform than the one you're currently
-on, you need to have some way for your system Nix to build code for that
-platform. Common solutions include [remote builders] and [binfmt emulation]
+on, you need a way for your current Nix installation to build code for that
+platform. Common solutions include [remote builders] and [binary format emulation]
 (only supported on NixOS).
 
 [remote builders]: ../advanced-topics/distributed-builds.md
-[binfmt emulation]: https://nixos.org/manual/nixos/stable/options.html#opt-boot.binfmt.emulatedSystems
+[binary format emulation]: https://nixos.org/manual/nixos/stable/options.html#opt-boot.binfmt.emulatedSystems
 
-These solutions let Nix perform builds as if you're on the native platform, so
-executing the build is as simple as
-
-```console
-$ nix build .#packages.aarch64-linux.default
-```
-
-for flake-enabled Nix, or
+Given such a setup, executing the build only requires selecting the respective attribute.
+For example, to compile for `aarch64-linux`:
 
 ```console
 $ nix-build --attr packages.aarch64-linux.default
 ```
 
-for classic Nix.
+or for Nix with the [`flakes`] and [`nix-command`] experimental features enabled:
 
-You can use any of the other supported platforms in place of `aarch64-linux`.
+```console
+$ nix build .#packages.aarch64-linux.default
+```
 
-Cross-compiled builds are available for ARMv6 and ARMv7, and Nix on unsupported platforms can be bootstrapped by adding more `crossSystems` in `flake.nix`.
+Cross-compiled builds are available for ARMv6 (`armv6l-linux`) and ARMv7 (`armv7l-linux`).
+Add more [system types](#system-type) to `crossSystems` in `flake.nix` to bootstrap Nix on unsupported platforms.
+
+## System type
+
+Nix uses a string with he following format to identify the *system type* or *platform* it runs on:
+
+```
+<cpu>-<os>[-<abi>]
+```
+
+It is set when Nix is compiled for the given system, and based on the output of [`config.guess`](https://github.com/nixos/nix/blob/master/config/config.guess) ([upstream](https://git.savannah.gnu.org/cgit/config.git/tree/config.guess)):
+
+```
+<cpu>-<vendor>-<os>[<version>][-<abi>]
+```
+
+When Nix is built such that `./configure` is passed any of the `--host`, `--build`, `--target` options, the value is based on the output of [`config.sub`](https://github.com/nixos/nix/blob/master/config/config.sub) ([upstream](https://git.savannah.gnu.org/cgit/config.git/tree/config.sub)):
+
+```
+<cpu>-<vendor>[-<kernel>]-<os>
+```
+
+For historic reasons and backward-compatibility, some CPU and OS identifiers are translated from the GNU Autotools naming convention in [`configure.ac`](https://github.com/nixos/nix/blob/master/configure.ac) as follows:
+
+| `config.guess`             | Nix                 |
+|----------------------------|---------------------|
+| `amd64`                    | `x86_64`            |
+| `i*86`                     | `i686`              |
+| `arm6`                     | `arm6l`             |
+| `arm7`                     | `arm7l`             |
+| `linux-gnu*`               | `linux`             |
+| `linux-musl*`              | `linux`             |
 
 ## Compilation environments
 
@@ -192,171 +221,6 @@ Configure your editor to use the `clangd` from the shell, either by running it i
 > Some other editors (e.g. Emacs, Vim) need a plugin to support LSP servers in general (e.g. [lsp-mode](https://github.com/emacs-lsp/lsp-mode) for Emacs and [vim-lsp](https://github.com/prabirshrestha/vim-lsp) for vim).
 > Editor-specific setup is typically opinionated, so we will not cover it here in more detail.
 
-## Running tests
-
-### Unit-tests
-
-The unit-tests for each Nix library (`libexpr`, `libstore`, etc..) are defined
-under `src/{library_name}/tests` using the
-[googletest](https://google.github.io/googletest/) and
-[rapidcheck](https://github.com/emil-e/rapidcheck) frameworks.
-
-You can run the whole testsuite with `make check`, or the tests for a specific component with `make libfoo-tests_RUN`. Finer-grained filtering is also possible using the [--gtest_filter](https://google.github.io/googletest/advanced.html#running-a-subset-of-the-tests) command-line option.
-
-### Functional tests
-
-The functional tests reside under the `tests` directory and are listed in `tests/local.mk`.
-Each test is a bash script.
-
-The whole test suite can be run with:
-
-```shell-session
-$ make install && make installcheck
-ran test tests/foo.sh... [PASS]
-ran test tests/bar.sh... [PASS]
-...
-```
-
-Individual tests can be run with `make`:
-
-```shell-session
-$ make tests/${testName}.sh.test
-ran test tests/${testName}.sh... [PASS]
-```
-
-or without `make`:
-
-```shell-session
-$ ./mk/run-test.sh tests/${testName}.sh
-ran test tests/${testName}.sh... [PASS]
-```
-
-To see the complete output, one can also run:
-
-```shell-session
-$ ./mk/debug-test.sh tests/${testName}.sh
-+ foo
-output from foo
-+ bar
-output from bar
-...
-```
-
-The test script will then be traced with `set -x` and the output displayed as it happens, regardless of whether the test succeeds or fails.
-
-#### Debugging failing functional tests
-
-When a functional test fails, it usually does so somewhere in the middle of the script.
-
-To figure out what's wrong, it is convenient to run the test regularly up to the failing `nix` command, and then run that command with a debugger like GDB.
-
-For example, if the script looks like:
-
-```bash
-foo
-nix blah blub
-bar
-```
-edit it like so:
-
-```diff
- foo
--nix blah blub
-+gdb --args nix blah blub
- bar
-```
-
-Then, running the test with `./mk/debug-test.sh` will drop you into GDB once the script reaches that point:
-
-```shell-session
-$ ./mk/debug-test.sh tests/${testName}.sh
-...
-+ gdb blash blub
-GNU gdb (GDB) 12.1
-...
-(gdb)
-```
-
-One can debug the Nix invocation in all the usual ways.
-For example, enter `run` to start the Nix invocation.
-
-### Integration tests
-
-The integration tests are defined in the Nix flake under the `hydraJobs.tests` attribute.
-These tests include everything that needs to interact with external services or run Nix in a non-trivial distributed setup.
-Because these tests are expensive and require more than what the standard github-actions setup provides, they only run on the master branch (on <https://hydra.nixos.org/jobset/nix/master>).
-
-You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`
-
-### Installer tests
-
-After a one-time setup, the Nix repository's GitHub Actions continuous integration (CI) workflow can test the installer each time you push to a branch.
-
-Creating a Cachix cache for your installer tests and adding its authorization token to GitHub enables [two installer-specific jobs in the CI workflow](https://github.com/NixOS/nix/blob/88a45d6149c0e304f6eb2efcc2d7a4d0d569f8af/.github/workflows/ci.yml#L50-L91):
-
-- The `installer` job generates installers for the platforms below and uploads them to your Cachix cache:
-  - `x86_64-linux`
-  - `armv6l-linux`
-  - `armv7l-linux`
-  - `x86_64-darwin`
-
-- The `installer_test` job (which runs on `ubuntu-latest` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command.
-
-#### One-time setup
-
-1. Have a GitHub account with a fork of the [Nix repository](https://github.com/NixOS/nix).
-2. At cachix.org:
-    - Create or log in to an account.
-    - Create a Cachix cache using the format `<github-username>-nix-install-tests`.
-    - Navigate to the new cache > Settings > Auth Tokens.
-    - Generate a new Cachix auth token and copy the generated value.
-3. At github.com:
-    - Navigate to your Nix fork > Settings > Secrets > Actions > New repository secret.
-    - Name the secret `CACHIX_AUTH_TOKEN`.
-    - Paste the copied value of the Cachix cache auth token.
-
-#### Using the CI-generated installer for manual testing
-
-After the CI run completes, you can check the output to extract the installer URL:
-1. Click into the detailed view of the CI run.
-2. Click into any `installer_test` run (the URL you're here to extract will be the same in all of them).
-3. Click into the `Run cachix/install-nix-action@v...` step and click the detail triangle next to the first log line (it will also be `Run cachix/install-nix-action@v...`)
-4. Copy the value of `install_url`
-5. To generate an install command, plug this `install_url` and your GitHub username into this template:
-
-    ```console
-    curl -L <install_url> | sh -s -- --tarball-url-prefix https://<github-username>-nix-install-tests.cachix.org/serve
-    ```
-
-<!-- #### Manually generating test installers
-
-There's obviously a manual way to do this, and it's still the only way for
-platforms that lack GA runners.
-
-I did do this back in Fall 2020 (before the GA approach encouraged here). I'll
-sketch what I recall in case it encourages someone to fill in detail, but: I
-didn't know what I was doing at the time and had to fumble/ask around a lot--
-so I don't want to uphold any of it as "right". It may have been dumb or
-the _hard_ way from the getgo. Fundamentals may have changed since.
-
-Here's the build command I used to do this on and for x86_64-darwin:
-nix build --out-link /tmp/foo ".#checks.x86_64-darwin.binaryTarball"
-
-I used the stable out-link to make it easier to script the next steps:
-link=$(readlink /tmp/foo)
-cp $link/*-darwin.tar.xz ~/somewheres
-
-I've lost the last steps and am just going from memory:
-
-From here, I think I had to extract and modify the `install` script to point
-it at this tarball (which I scped to my own site, but it might make more sense
-to just share them locally). I extracted this script once and then just
-search/replaced in it for each new build.
-
-The installer now supports a `--tarball-url-prefix` flag which _may_ have
-solved this need?
--->
-
 ### Checking links in the manual
 
 The build checks for broken internal links.
@@ -378,7 +242,7 @@ rm $(git ls-files doc/manual/ -o | grep -F '.md') && rmdir doc/manual/src/comman
 [`mdbook-linkcheck`] does not implement checking [URI fragments] yet.
 
 [`mdbook-linkcheck`]: https://github.com/Michael-F-Bryan/mdbook-linkcheck
-[URI fragments]: https://en.m.wikipedia.org/wiki/URI_fragment
+[URI fragments]: https://en.wikipedia.org/wiki/URI_fragment
 
 #### `@docroot@` variable
 

doc/manual/src/contributing/testing.md

@@ -0,0 +1,236 @@
+# Running tests
+
+## Unit-tests
+
+The unit-tests for each Nix library (`libexpr`, `libstore`, etc..) are defined
+under `tests/unit/{library_name}/tests` using the
+[googletest](https://google.github.io/googletest/) and
+[rapidcheck](https://github.com/emil-e/rapidcheck) frameworks.
+
+You can run the whole testsuite with `make check`, or the tests for a specific component with `make libfoo-tests_RUN`.
+Finer-grained filtering is also possible using the [--gtest_filter](https://google.github.io/googletest/advanced.html#running-a-subset-of-the-tests) command-line option, or the `GTEST_FILTER` environment variable.
+
+### Unit test support libraries
+
+There are headers and code which are not just used to test the library in question, but also downstream libraries.
+For example, we do [property testing] with the [rapidcheck] library.
+This requires writing `Arbitrary` "instances", which are used to describe how to generate values of a given type for the sake of running property tests.
+Because types contain other types, `Arbitrary` "instances" for some type are not just useful for testing that type, but also any other type that contains it.
+Downstream types frequently contain upstream types, so it is very important that we share arbitrary instances so that downstream libraries' property tests can also use them.
+
+It is important that these testing libraries don't contain any actual tests themselves.
+On some platforms they would be run as part of every test executable that uses them, which is redundant.
+On other platforms they wouldn't be run at all.
+
+## Functional tests
+
+The functional tests reside under the `tests/functional` directory and are listed in `tests/functional/local.mk`.
+Each test is a bash script.
+
+### Running the whole test suite
+
+The whole test suite can be run with:
+
+```shell-session
+$ make install && make installcheck
+ran test tests/functional/foo.sh... [PASS]
+ran test tests/functional/bar.sh... [PASS]
+...
+```
+
+### Grouping tests
+
+Sometimes it is useful to group related tests so they can be easily run together without running the entire test suite.
+Each test group is in a subdirectory of `tests`.
+For example, `tests/functional/ca/local.mk` defines a `ca` test group for content-addressed derivation outputs.
+
+That test group can be run like this:
+
+```shell-session
+$ make ca.test-group -j50
+ran test tests/functional/ca/nix-run.sh... [PASS]
+ran test tests/functional/ca/import-derivation.sh... [PASS]
+...
+```
+
+The test group is defined in Make like this:
+```makefile
+$(test-group-name)-tests := \
+  $(d)/test0.sh \
+  $(d)/test1.sh \
+  ...
+
+install-tests-groups += $(test-group-name)
+```
+
+### Running individual tests
+
+Individual tests can be run with `make`:
+
+```shell-session
+$ make tests/functional/${testName}.sh.test
+ran test tests/functional/${testName}.sh... [PASS]
+```
+
+or without `make`:
+
+```shell-session
+$ ./mk/run-test.sh tests/functional/${testName}.sh
+ran test tests/functional/${testName}.sh... [PASS]
+```
+
+To see the complete output, one can also run:
+
+```shell-session
+$ ./mk/debug-test.sh tests/functional/${testName}.sh
++ foo
+output from foo
++ bar
+output from bar
+...
+```
+
+The test script will then be traced with `set -x` and the output displayed as it happens, regardless of whether the test succeeds or fails.
+
+### Debugging failing functional tests
+
+When a functional test fails, it usually does so somewhere in the middle of the script.
+
+To figure out what's wrong, it is convenient to run the test regularly up to the failing `nix` command, and then run that command with a debugger like GDB.
+
+For example, if the script looks like:
+
+```bash
+foo
+nix blah blub
+bar
+```
+edit it like so:
+
+```diff
+ foo
+-nix blah blub
++gdb --args nix blah blub
+ bar
+```
+
+Then, running the test with `./mk/debug-test.sh` will drop you into GDB once the script reaches that point:
+
+```shell-session
+$ ./mk/debug-test.sh tests/functional/${testName}.sh
+...
++ gdb blash blub
+GNU gdb (GDB) 12.1
+...
+(gdb)
+```
+
+One can debug the Nix invocation in all the usual ways.
+For example, enter `run` to start the Nix invocation.
+
+### Characterization testing
+
+Occasionally, Nix utilizes a technique called [Characterization Testing](https://en.wikipedia.org/wiki/Characterization_test) as part of the functional tests.
+This technique is to include the exact output/behavior of a former version of Nix in a test in order to check that Nix continues to produce the same behavior going forward.
+
+For example, this technique is used for the language tests, to check both the printed final value if evaluation was successful, and any errors and warnings encountered.
+
+It is frequently useful to regenerate the expected output.
+To do that, rerun the failed test(s) with `_NIX_TEST_ACCEPT=1`.
+For example:
+```bash
+_NIX_TEST_ACCEPT=1 make tests/functional/lang.sh.test
+```
+
+An interesting situation to document is the case when these tests are "overfitted".
+The language tests are, again, an example of this.
+The expected successful output of evaluation is supposed to be highly stable – we do not intend to make breaking changes to (the stable parts of) the Nix language.
+However, the errors and warnings during evaluation (successful or not) are not stable in this way.
+We are free to change how they are displayed at any time.
+
+It may be surprising that we would test non-normative behavior like diagnostic outputs.
+Diagnostic outputs are indeed not a stable interface, but they still are important to users.
+By recording the expected output, the test suite guards against accidental changes, and ensure the *result* (not just the code that implements it) of the diagnostic code paths are under code review.
+Regressions are caught, and improvements always show up in code review.
+
+To ensure that characterization testing doesn't make it harder to intentionally change these interfaces, there always must be an easy way to regenerate the expected output, as we do with `_NIX_TEST_ACCEPT=1`.
+
+## Integration tests
+
+The integration tests are defined in the Nix flake under the `hydraJobs.tests` attribute.
+These tests include everything that needs to interact with external services or run Nix in a non-trivial distributed setup.
+Because these tests are expensive and require more than what the standard github-actions setup provides, they only run on the master branch (on <https://hydra.nixos.org/jobset/nix/master>).
+
+You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`
+
+## Installer tests
+
+After a one-time setup, the Nix repository's GitHub Actions continuous integration (CI) workflow can test the installer each time you push to a branch.
+
+Creating a Cachix cache for your installer tests and adding its authorization token to GitHub enables [two installer-specific jobs in the CI workflow](https://github.com/NixOS/nix/blob/88a45d6149c0e304f6eb2efcc2d7a4d0d569f8af/.github/workflows/ci.yml#L50-L91):
+
+- The `installer` job generates installers for the platforms below and uploads them to your Cachix cache:
+  - `x86_64-linux`
+  - `armv6l-linux`
+  - `armv7l-linux`
+  - `x86_64-darwin`
+
+- The `installer_test` job (which runs on `ubuntu-latest` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command.
+
+### One-time setup
+
+1. Have a GitHub account with a fork of the [Nix repository](https://github.com/NixOS/nix).
+2. At cachix.org:
+    - Create or log in to an account.
+    - Create a Cachix cache using the format `<github-username>-nix-install-tests`.
+    - Navigate to the new cache > Settings > Auth Tokens.
+    - Generate a new Cachix auth token and copy the generated value.
+3. At github.com:
+    - Navigate to your Nix fork > Settings > Secrets > Actions > New repository secret.
+    - Name the secret `CACHIX_AUTH_TOKEN`.
+    - Paste the copied value of the Cachix cache auth token.
+
+## Working on documentation
+
+### Using the CI-generated installer for manual testing
+
+After the CI run completes, you can check the output to extract the installer URL:
+1. Click into the detailed view of the CI run.
+2. Click into any `installer_test` run (the URL you're here to extract will be the same in all of them).
+3. Click into the `Run cachix/install-nix-action@v...` step and click the detail triangle next to the first log line (it will also be `Run cachix/install-nix-action@v...`)
+4. Copy the value of `install_url`
+5. To generate an install command, plug this `install_url` and your GitHub username into this template:
+
+    ```console
+    curl -L <install_url> | sh -s -- --tarball-url-prefix https://<github-username>-nix-install-tests.cachix.org/serve
+    ```
+
+<!-- #### Manually generating test installers
+
+There's obviously a manual way to do this, and it's still the only way for
+platforms that lack GA runners.
+
+I did do this back in Fall 2020 (before the GA approach encouraged here). I'll
+sketch what I recall in case it encourages someone to fill in detail, but: I
+didn't know what I was doing at the time and had to fumble/ask around a lot--
+so I don't want to uphold any of it as "right". It may have been dumb or
+the _hard_ way from the getgo. Fundamentals may have changed since.
+
+Here's the build command I used to do this on and for x86_64-darwin:
+nix build --out-link /tmp/foo ".#checks.x86_64-darwin.binaryTarball"
+
+I used the stable out-link to make it easier to script the next steps:
+link=$(readlink /tmp/foo)
+cp $link/*-darwin.tar.xz ~/somewheres
+
+I've lost the last steps and am just going from memory:
+
+From here, I think I had to extract and modify the `install` script to point
+it at this tarball (which I scped to my own site, but it might make more sense
+to just share them locally). I extracted this script once and then just
+search/replaced in it for each new build.
+
+The installer now supports a `--tarball-url-prefix` flag which _may_ have
+solved this need?
+-->
+

doc/manual/src/favicon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="587.11" height="516.604" viewBox="0 0 550.416 484.317"><defs><linearGradient id="a"><stop offset="0" style="stop-color:#699ad7;stop-opacity:1"/><stop offset=".243" style="stop-color:#7eb1dd;stop-opacity:1"/><stop offset="1" style="stop-color:#7ebae4;stop-opacity:1"/></linearGradient><linearGradient id="b"><stop offset="0" style="stop-color:#415e9a;stop-opacity:1"/><stop offset=".232" style="stop-color:#4a6baf;stop-opacity:1"/><stop offset="1" style="stop-color:#5277c3;stop-opacity:1"/></linearGradient><linearGradient xlink:href="#a" id="c" x1="200.597" x2="290.087" y1="351.411" y2="506.188" gradientTransform="translate(70.65 -1055.151)" gradientUnits="userSpaceOnUse"/><linearGradient xlink:href="#b" id="e" x1="-584.199" x2="-496.297" y1="782.336" y2="937.714" gradientTransform="translate(864.696 -1491.34)" gradientUnits="userSpaceOnUse"/></defs><g style="display:inline;opacity:1" transform="translate(-132.651 958.04)"><path id="d" d="m309.549-710.388 122.197 211.675-56.157.527-32.624-56.87-32.856 56.566-27.903-.011-14.29-24.69 46.81-80.49-33.23-57.826z" style="opacity:1;fill:url(#c);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:3;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"/><use xlink:href="#d" width="100%" height="100%" transform="rotate(60 407.112 -715.787)"/><use xlink:href="#d" width="100%" height="100%" transform="rotate(-60 407.312 -715.7)"/><use xlink:href="#d" width="100%" height="100%" transform="rotate(180 407.419 -715.756)"/><path id="f" d="m309.549-710.388 122.197 211.675-56.157.527-32.624-56.87-32.856 56.566-27.903-.011-14.29-24.69 46.81-80.49-33.23-57.826z" style="color:#000;clip-rule:nonzero;display:inline;overflow:visible;visibility:visible;opacity:1;isolation:auto;mix-blend-mode:normal;color-interpolation:sRGB;color-interpolation-filters:linearRGB;solid-color:#000;solid-opacity:1;fill:url(#e);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:3;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;color-rendering:auto;image-rendering:auto;shape-rendering:auto;text-rendering:auto;enable-background:accumulate"/><use xlink:href="#f" width="100%" height="100%" style="display:inline" transform="rotate(120 407.34 -716.084)"/><use xlink:href="#f" width="100%" height="100%" style="display:inline" transform="rotate(-120 407.288 -715.87)"/></g></svg>

doc/manual/src/glossary.md

@@ -1,230 +1,275 @@
 # Glossary
 
-  - [derivation]{#gloss-derivation}\
-    A description of a build task. The result of a derivation is a
-    store object. Derivations are typically specified in Nix expressions
-    using the [`derivation` primitive](./language/derivations.md). These are
-    translated into low-level *store derivations* (implicitly by
-    `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).
+- [derivation]{#gloss-derivation}
 
-    [derivation]: #gloss-derivation
+  A description of a build task. The result of a derivation is a
+  store object. Derivations are typically specified in Nix expressions
+  using the [`derivation` primitive](./language/derivations.md). These are
+  translated into low-level *store derivations* (implicitly by
+  `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).
 
-  - [store derivation]{#gloss-store-derivation}\
-    A [derivation] represented as a `.drv` file in the [store].
-    It has a [store path], like any [store object].
+  [derivation]: #gloss-derivation
 
-    Example: `/nix/store/g946hcz4c8mdvq2g8vxx42z51qb71rvp-git-2.38.1.drv`
+- [store derivation]{#gloss-store-derivation}
 
-    See [`nix derivation show`](./command-ref/new-cli/nix3-derivation-show.md) (experimental) for displaying the contents of store derivations.
+  A [derivation] represented as a `.drv` file in the [store].
+  It has a [store path], like any [store object].
 
-    [store derivation]: #gloss-store-derivation
+  Example: `/nix/store/g946hcz4c8mdvq2g8vxx42z51qb71rvp-git-2.38.1.drv`
 
-  - [instantiate]{#gloss-instantiate}, instantiation\
-    Translate a [derivation] into a [store derivation].
+  See [`nix derivation show`](./command-ref/new-cli/nix3-derivation-show.md) (experimental) for displaying the contents of store derivations.
 
-    See [`nix-instantiate`](./command-ref/nix-instantiate.md).
+  [store derivation]: #gloss-store-derivation
 
-    [instantiate]: #gloss-instantiate
+- [instantiate]{#gloss-instantiate}, instantiation
 
-  - [realise]{#gloss-realise}, realisation\
-    Ensure a [store path] is [valid][validity].
+  Translate a [derivation] into a [store derivation].
 
-    This means either running the `builder` executable as specified in the corresponding [derivation] or fetching a pre-built [store object] from a [substituter].
+  See [`nix-instantiate`](./command-ref/nix-instantiate.md).
 
-    See [`nix-build`](./command-ref/nix-build.md) and [`nix-store --realise`](@docroot@/command-ref/nix-store/realise.md).
+  [instantiate]: #gloss-instantiate
 
-    See [`nix build`](./command-ref/new-cli/nix3-build.md) (experimental).
+- [realise]{#gloss-realise}, realisation
 
-    [realise]: #gloss-realise
+  Ensure a [store path] is [valid][validity].
 
-  - [content-addressed derivation]{#gloss-content-addressed-derivation}\
-    A derivation which has the
-    [`__contentAddressed`](./language/advanced-attributes.md#adv-attr-__contentAddressed)
-    attribute set to `true`.
+  This means either running the [`builder`](@docroot@/language/derivations.md#attr-builder) executable as specified in the corresponding [derivation], or fetching a pre-built [store object] from a [substituter], or delegating to a [remote builder](@docroot@/advanced-topics/distributed-builds.html) and retrieving the outputs. <!-- TODO: link [running] to build process page, #8888 -->
 
-  - [fixed-output derivation]{#gloss-fixed-output-derivation}\
-    A derivation which includes the
-    [`outputHash`](./language/advanced-attributes.md#adv-attr-outputHash) attribute.
+  See [`nix-build`](./command-ref/nix-build.md) and [`nix-store --realise`](@docroot@/command-ref/nix-store/realise.md).
 
-  - [store]{#gloss-store}\
-    The location in the file system where store objects live. Typically
-    `/nix/store`.
+  See [`nix build`](./command-ref/new-cli/nix3-build.md) (experimental).
 
-    From   the  perspective   of   the  location   where  Nix   is
-    invoked, the  Nix store can be  referred to
-    as a "_local_" or a "_remote_" one:
+  [realise]: #gloss-realise
 
-    + A [local store]{#gloss-local-store} exists on the filesystem of
-      the machine where Nix is  invoked. You can use other
-      local stores  by passing  the `--store` flag  to the
-      `nix` command.  Local stores can be used for building derivations.
+- [content-addressed derivation]{#gloss-content-addressed-derivation}
 
-    + A  *remote store*  exists  anywhere  other than  the
-      local  filesystem. One  example is  the `/nix/store`
-      directory on another machine,  accessed via `ssh` or
-      served by the `nix-serve` Perl script.
+  A derivation which has the
+  [`__contentAddressed`](./language/advanced-attributes.md#adv-attr-__contentAddressed)
+  attribute set to `true`.
 
-    [store]: #gloss-store
-    [local store]: #gloss-local-store
+- [fixed-output derivation]{#gloss-fixed-output-derivation}
 
-  - [chroot store]{#gloss-chroot-store}\
-    A [local store] whose canonical path is anything other than `/nix/store`.
+  A derivation which includes the
+  [`outputHash`](./language/advanced-attributes.md#adv-attr-outputHash) attribute.
 
-  - [binary cache]{#gloss-binary-cache}\
-    A *binary cache* is a Nix store which uses a different format: its
-    metadata and signatures are kept in `.narinfo` files rather than in a
-    [Nix database]. This different format simplifies serving store objects
-    over the network, but cannot host builds. Examples of binary caches
-    include S3 buckets and the [NixOS binary cache](https://cache.nixos.org).
+- [store]{#gloss-store}
 
-  - [store path]{#gloss-store-path}\
-    The location of a [store object] in the file system, i.e., an
-    immediate child of the Nix store directory.
+  The location in the file system where store objects live. Typically
+  `/nix/store`.
 
-    Example: `/nix/store/a040m110amc4h71lds2jmr8qrkj2jhxd-git-2.38.1`
+  From   the  perspective   of   the  location   where  Nix   is
+  invoked, the  Nix store can be  referred to
+  as a "_local_" or a "_remote_" one:
 
-    [store path]: #gloss-store-path
+  + A [local store]{#gloss-local-store} exists on the filesystem of
+    the machine where Nix is  invoked. You can use other
+    local stores  by passing  the `--store` flag  to the
+    `nix` command.  Local stores can be used for building derivations.
 
-  - [store object]{#gloss-store-object}\
-    A file that is an immediate child of the Nix store directory. These
-    can be regular files, but also entire directory trees. Store objects
-    can be sources (objects copied from outside of the store),
-    derivation outputs (objects produced by running a build task), or
-    derivations (files describing a build task).
+  + A  *remote store*  exists  anywhere  other than  the
+    local  filesystem. One  example is  the `/nix/store`
+    directory on another machine,  accessed via `ssh` or
+    served by the `nix-serve` Perl script.
 
-    [store object]: #gloss-store-object
+  [store]: #gloss-store
+  [local store]: #gloss-local-store
 
-  - [input-addressed store object]{#gloss-input-addressed-store-object}\
-    A store object produced by building a
-    non-[content-addressed](#gloss-content-addressed-derivation),
-    non-[fixed-output](#gloss-fixed-output-derivation)
-    derivation.
+- [chroot store]{#gloss-chroot-store}
 
-  - [output-addressed store object]{#gloss-output-addressed-store-object}\
-    A [store object] whose [store path] is determined by its contents.
-    This includes derivations, the outputs of [content-addressed derivations](#gloss-content-addressed-derivation), and the outputs of [fixed-output derivations](#gloss-fixed-output-derivation).
+  A [local store] whose canonical path is anything other than `/nix/store`.
 
-  - [substitute]{#gloss-substitute}\
-    A substitute is a command invocation stored in the [Nix database] that
-    describes how to build a store object, bypassing the normal build
-    mechanism (i.e., derivations). Typically, the substitute builds the
-    store object by downloading a pre-built version of the store object
-    from some server.
+- [binary cache]{#gloss-binary-cache}
 
-  - [substituter]{#gloss-substituter}\
-    A *substituter* is an additional store from which Nix will
-    copy store objects it doesn't have.  For details, see the
-    [`substituters` option](./command-ref/conf-file.md#conf-substituters).
+  A *binary cache* is a Nix store which uses a different format: its
+  metadata and signatures are kept in `.narinfo` files rather than in a
+  [Nix database]. This different format simplifies serving store objects
+  over the network, but cannot host builds. Examples of binary caches
+  include S3 buckets and the [NixOS binary cache](https://cache.nixos.org).
 
-    [substituter]: #gloss-substituter
+- [store path]{#gloss-store-path}
 
-  - [purity]{#gloss-purity}\
-    The assumption that equal Nix derivations when run always produce
-    the same output. This cannot be guaranteed in general (e.g., a
-    builder can rely on external inputs such as the network or the
-    system time) but the Nix model assumes it.
+  The location of a [store object] in the file system, i.e., an
+  immediate child of the Nix store directory.
 
-  - [Nix database]{#gloss-nix-database}\
-    An SQlite database to track [reference]s between [store object]s.
-    This is an implementation detail of the [local store].
+  Example: `/nix/store/a040m110amc4h71lds2jmr8qrkj2jhxd-git-2.38.1`
 
-    Default location: `/nix/var/nix/db`.
+  [store path]: #gloss-store-path
 
-    [Nix database]: #gloss-nix-database
+- [file system object]{#gloss-store-object}
 
-  - [Nix expression]{#gloss-nix-expression}\
-    A high-level description of software packages and compositions
-    thereof. Deploying software using Nix entails writing Nix
-    expressions for your packages. Nix expressions are translated to
-    derivations that are stored in the Nix store. These derivations can
-    then be built.
+  The Nix data model for representing simplified file system data.
 
-  - [reference]{#gloss-reference}\
-    A [store object] `O` is said to have a *reference* to a store object `P` if a [store path] to `P` appears in the contents of `O`.
+  See [File System Object](@docroot@/architecture/file-system-object.md) for details.
 
-    Store objects can refer to both other store objects and themselves.
-    References from a store object to itself are called *self-references*.
-    References other than a self-reference must not form a cycle.
+  [file system object]: #gloss-file-system-object
 
-    [reference]: #gloss-reference
+- [store object]{#gloss-store-object}
 
-  - [reachable]{#gloss-reachable}\
-    A store path `Q` is reachable from another store path `P` if `Q`
-    is in the *closure* of the *references* relation.
 
-  - [closure]{#gloss-closure}\
-    The closure of a store path is the set of store paths that are
-    directly or indirectly “reachable” from that store path; that is,
-    it’s the closure of the path under the *references* relation. For
-    a package, the closure of its derivation is equivalent to the
-    build-time dependencies, while the closure of its output path is
-    equivalent to its runtime dependencies. For correct deployment it
-    is necessary to deploy whole closures, since otherwise at runtime
-    files could be missing. The command `nix-store --query --requisites ` prints out
-    closures of store paths.
+  A store object consists of a [file system object], [reference]s to other store objects, and other metadata.
+  It can be referred to by a [store path].
 
-    As an example, if the [store object] at path `P` contains a [reference]
-    to a store object at path `Q`, then `Q` is in the closure of `P`. Further, if `Q`
-    references `R` then `R` is also in the closure of `P`.
+  [store object]: #gloss-store-object
 
-    [closure]: #gloss-closure
+- [input-addressed store object]{#gloss-input-addressed-store-object}
 
-  - [output path]{#gloss-output-path}\
-    A [store path] produced by a [derivation].
+  A store object produced by building a
+  non-[content-addressed](#gloss-content-addressed-derivation),
+  non-[fixed-output](#gloss-fixed-output-derivation)
+  derivation.
 
-    [output path]: #gloss-output-path
+- [output-addressed store object]{#gloss-output-addressed-store-object}
 
-  - [deriver]{#gloss-deriver}\
-    The [store derivation] that produced an [output path].
+  A [store object] whose [store path] is determined by its contents.
+  This includes derivations, the outputs of [content-addressed derivations](#gloss-content-addressed-derivation), and the outputs of [fixed-output derivations](#gloss-fixed-output-derivation).
 
-  - [validity]{#gloss-validity}\
-    A store path is valid if all [store object]s in its [closure] can be read from the [store].
+- [substitute]{#gloss-substitute}
 
-    For a [local store], this means:
-    - The store path leads to an existing [store object] in that [store].
-    - The store path is listed in the [Nix database] as being valid.
-    - All paths in the store path's [closure] are valid.
+  A substitute is a command invocation stored in the [Nix database] that
+  describes how to build a store object, bypassing the normal build
+  mechanism (i.e., derivations). Typically, the substitute builds the
+  store object by downloading a pre-built version of the store object
+  from some server.
 
-    [validity]: #gloss-validity
+- [substituter]{#gloss-substituter}
 
-  - [user environment]{#gloss-user-env}\
-    An automatically generated store object that consists of a set of
-    symlinks to “active” applications, i.e., other store paths. These
-    are generated automatically by
-    [`nix-env`](./command-ref/nix-env.md). See *profiles*.
+  An additional [store]{#gloss-store} from which Nix can obtain store objects instead of building them.
+  Often the substituter is a [binary cache](#gloss-binary-cache), but any store can serve as substituter.
 
-  - [profile]{#gloss-profile}\
-    A symlink to the current *user environment* of a user, e.g.,
-    `/nix/var/nix/profiles/default`.
+  See the [`substituters` configuration option](./command-ref/conf-file.md#conf-substituters) for details.
 
-  - [installable]{#gloss-installable}\
-    Something that can be realised in the Nix store.
+  [substituter]: #gloss-substituter
 
-    See [installables](./command-ref/new-cli/nix.md#installables) for [`nix` commands](./command-ref/new-cli/nix.md) (experimental) for details.
+- [purity]{#gloss-purity}
 
-  - [NAR]{#gloss-nar}\
-    A *N*ix *AR*chive. This is a serialisation of a path in the Nix
-    store. It can contain regular files, directories and symbolic
-    links.  NARs are generated and unpacked using `nix-store --dump`
-    and `nix-store --restore`.
+  The assumption that equal Nix derivations when run always produce
+  the same output. This cannot be guaranteed in general (e.g., a
+  builder can rely on external inputs such as the network or the
+  system time) but the Nix model assumes it.
 
-  - [`∅`]{#gloss-emtpy-set}\
-    The empty set symbol. In the context of profile history, this denotes a package is not present in a particular version of the profile.
+- [Nix database]{#gloss-nix-database}
 
-  - [`ε`]{#gloss-epsilon}\
-    The epsilon symbol. In the context of a package, this means the version is empty. More precisely, the derivation does not have a version attribute.
+  An SQlite database to track [reference]s between [store object]s.
+  This is an implementation detail of the [local store].
 
-  - [string interpolation]{#gloss-string-interpolation}\
-    Expanding expressions enclosed in `${ }` within a [string], [path], or [attribute name].
+  Default location: `/nix/var/nix/db`.
 
-    See [String interpolation](./language/string-interpolation.md) for details.
+  [Nix database]: #gloss-nix-database
 
-    [string]: ./language/values.md#type-string
-    [path]: ./language/values.md#type-path
-    [attribute name]: ./language/values.md#attribute-set
+- [Nix expression]{#gloss-nix-expression}
 
-  - [experimental feature]{#gloss-experimental-feature}\
-    Not yet stabilized functionality guarded by named experimental feature flags.
-    These flags are enabled or disabled with the [`experimental-features`](./command-ref/conf-file.html#conf-experimental-features) setting.
+  A high-level description of software packages and compositions
+  thereof. Deploying software using Nix entails writing Nix
+  expressions for your packages. Nix expressions are translated to
+  derivations that are stored in the Nix store. These derivations can
+  then be built.
 
-    See the contribution guide on the [purpose and lifecycle of experimental feaures](@docroot@/contributing/experimental-features.md).
+- [reference]{#gloss-reference}
+
+  A [store object] `O` is said to have a *reference* to a store object `P` if a [store path] to `P` appears in the contents of `O`.
+
+  Store objects can refer to both other store objects and themselves.
+  References from a store object to itself are called *self-references*.
+  References other than a self-reference must not form a cycle.
+
+  [reference]: #gloss-reference
+
+- [reachable]{#gloss-reachable}
+
+  A store path `Q` is reachable from another store path `P` if `Q`
+  is in the *closure* of the *references* relation.
+
+- [closure]{#gloss-closure}
+
+  The closure of a store path is the set of store paths that are
+  directly or indirectly “reachable” from that store path; that is,
+  it’s the closure of the path under the *references* relation. For
+  a package, the closure of its derivation is equivalent to the
+  build-time dependencies, while the closure of its output path is
+  equivalent to its runtime dependencies. For correct deployment it
+  is necessary to deploy whole closures, since otherwise at runtime
+  files could be missing. The command `nix-store --query --requisites ` prints out
+  closures of store paths.
+
+  As an example, if the [store object] at path `P` contains a [reference]
+  to a store object at path `Q`, then `Q` is in the closure of `P`. Further, if `Q`
+  references `R` then `R` is also in the closure of `P`.
+
+  [closure]: #gloss-closure
+
+- [output]{#gloss-output}
+
+  A [store object] produced by a [derivation].
+
+  [output]: #gloss-output
+
+- [output path]{#gloss-output-path}
+
+  The [store path] to the [output] of a [derivation].
+
+  [output path]: #gloss-output-path
+
+- [deriver]{#gloss-deriver}
+
+  The [store derivation] that produced an [output path].
+
+- [validity]{#gloss-validity}
+
+  A store path is valid if all [store object]s in its [closure] can be read from the [store].
+
+  For a [local store], this means:
+  - The store path leads to an existing [store object] in that [store].
+  - The store path is listed in the [Nix database] as being valid.
+  - All paths in the store path's [closure] are valid.
+
+  [validity]: #gloss-validity
+
+- [user environment]{#gloss-user-env}
+
+  An automatically generated store object that consists of a set of
+  symlinks to “active” applications, i.e., other store paths. These
+  are generated automatically by
+  [`nix-env`](./command-ref/nix-env.md). See *profiles*.
+
+- [profile]{#gloss-profile}
+
+  A symlink to the current *user environment* of a user, e.g.,
+  `/nix/var/nix/profiles/default`.
+
+- [installable]{#gloss-installable}
+
+  Something that can be realised in the Nix store.
+
+  See [installables](./command-ref/new-cli/nix.md#installables) for [`nix` commands](./command-ref/new-cli/nix.md) (experimental) for details.
+
+- [NAR]{#gloss-nar}
+
+  A *N*ix *AR*chive. This is a serialisation of a path in the Nix
+  store. It can contain regular files, directories and symbolic
+  links.  NARs are generated and unpacked using `nix-store --dump`
+  and `nix-store --restore`.
+
+- [`∅`]{#gloss-emtpy-set}
+
+  The empty set symbol. In the context of profile history, this denotes a package is not present in a particular version of the profile.
+
+- [`ε`]{#gloss-epsilon}
+
+  The epsilon symbol. In the context of a package, this means the version is empty. More precisely, the derivation does not have a version attribute.
+
+- [string interpolation]{#gloss-string-interpolation}
+
+  Expanding expressions enclosed in `${ }` within a [string], [path], or [attribute name].
+
+  See [String interpolation](./language/string-interpolation.md) for details.
+
+  [string]: ./language/values.md#type-string
+  [path]: ./language/values.md#type-path
+  [attribute name]: ./language/values.md#attribute-set
+
+- [experimental feature]{#gloss-experimental-feature}
+
+  Not yet stabilized functionality guarded by named experimental feature flags.
+  These flags are enabled or disabled with the [`experimental-features`](./command-ref/conf-file.html#conf-experimental-features) setting.
+
+  See the contribution guide on the [purpose and lifecycle of experimental feaures](@docroot@/contributing/experimental-features.md).

doc/manual/src/installation/prerequisites-source.md

@@ -10,7 +10,7 @@
   - Bash Shell. The `./configure` script relies on bashisms, so Bash is
     required.
 
-  - A version of GCC or Clang that supports C++17.
+  - A version of GCC or Clang that supports C++20.
 
   - `pkg-config` to locate dependencies. If your distribution does not
     provide it, you can get it from

doc/manual/src/language/advanced-attributes.md

@@ -320,16 +320,6 @@ Derivations can declare some infrequently used optional attributes.
     ```
 
   - [`unsafeDiscardReferences`]{#adv-attr-unsafeDiscardReferences}\
-    > **Warning**
-    > This attribute is part of an [experimental feature](@docroot@/contributing/experimental-features.md).
-    >
-    > To use this attribute, you must enable the
-    > [`discard-references`](@docroot@/contributing/experimental-features.md#xp-feature-discard-references) experimental feature.
-    > For example, in [nix.conf](../command-ref/conf-file.md) you could add:
-    >
-    > ```
-    > extra-experimental-features = discard-references
-    > ```
 
     When using [structured attributes](#adv-attr-structuredAttrs), the
     attribute `unsafeDiscardReferences` is an attribute set with a boolean value for each output name.

doc/manual/src/language/builtin-constants-prefix.md

@@ -0,0 +1,5 @@
+# Built-in Constants
+
+These constants are built into the Nix language evaluator:
+
+<dl>

doc/manual/src/language/builtin-constants-suffix.md

@@ -0,0 +1 @@
+</dl>

doc/manual/src/language/builtin-constants.md

@@ -1,43 +0,0 @@
-# Built-in Constants
-
-These constants are built into the Nix language evaluator:
-
-- [`builtins`]{#builtins-builtins} (attribute set)
-
-  Contains all the [built-in functions](./builtins.md) and values, in order to avoid polluting the global scope.
-
-  Since built-in functions were added over time, [testing for attributes](./operators.md#has-attribute) in `builtins` can be used for graceful fallback on older Nix installations:
-
-  ```nix
-  if builtins ? getEnv then builtins.getEnv "PATH" else ""
-  ```
-
-- [`builtins.currentSystem`]{#builtins-currentSystem} (string)
-
-  The built-in value `currentSystem` evaluates to the Nix platform
-  identifier for the Nix installation on which the expression is being
-  evaluated, such as `"i686-linux"` or `"x86_64-darwin"`.
-
-  Not available in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval).
-
-- [`builtins.currentTime`]{#builtins-currentTime} (integer)
-
-  Return the [Unix time](https://en.wikipedia.org/wiki/Unix_time) at first evaluation.
-  Repeated references to that name will re-use the initially obtained value.
-
-  Example:
-
-  ```console
-  $ nix repl
-  Welcome to Nix 2.15.1 Type :? for help.
-
-  nix-repl> builtins.currentTime
-  1683705525
-
-  nix-repl> builtins.currentTime
-  1683705525
-  ```
-
-  The [store path](@docroot@/glossary.md#gloss-store-path) of a derivation depending on `currentTime` will differ for each evaluation.
-
-  Not available in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval).

doc/manual/src/language/builtins-prefix.md

@@ -3,7 +3,7 @@
 This section lists the functions built into the Nix language evaluator.
 All built-in functions are available through the global [`builtins`](./builtin-constants.md#builtins-builtins) constant.
 
-For convenience, some built-ins are can be accessed directly:
+For convenience, some built-ins can be accessed directly:
 
 - [`derivation`](#builtins-derivation)
 - [`import`](#builtins-import)

doc/manual/src/language/constructs.md

@@ -2,8 +2,11 @@
 
 ## Recursive sets
 
-Recursive sets are just normal sets, but the attributes can refer to
-each other. For example,
+Recursive sets are like normal [attribute sets](./values.md#attribute-set), but the attributes can refer to each other.
+
+> *rec-attrset* = `rec {` [ *name* `=` *expr* `;` `]`... `}`
+
+Example:
 
 ```nix
 rec {
@@ -12,7 +15,9 @@ rec {
 }.x
 ```
 
-evaluates to `123`. Note that without `rec` the binding `x = y;` would
+This evaluates to `123`.
+
+Note that without `rec` the binding `x = y;` would
 refer to the variable `y` in the surrounding scope, if one exists, and
 would be invalid if no such variable exists. That is, in a normal
 (non-recursive) set, attributes are not added to the lexical scope; in a
@@ -33,7 +38,10 @@ will crash with an `infinite recursion encountered` error message.
 ## Let-expressions
 
 A let-expression allows you to define local variables for an expression.
-For instance,
+
+> *let-in* = `let` [ *identifier* = *expr* ]... `in` *expr*
+
+Example:
 
 ```nix
 let
@@ -42,18 +50,19 @@ let
 in x + y
 ```
 
-evaluates to `"foobar"`.
+This evaluates to `"foobar"`.
 
 ## Inheriting attributes
 
-When defining a set or in a let-expression it is often convenient to
-copy variables from the surrounding lexical scope (e.g., when you want
-to propagate attributes). This can be shortened using the `inherit`
-keyword. For instance,
+When defining an [attribute set](./values.md#attribute-set) or in a [let-expression](#let-expressions) it is often convenient to copy variables from the surrounding lexical scope (e.g., when you want to propagate attributes).
+This can be shortened using the `inherit` keyword.
+
+Example:
 
 ```nix
 let x = 123; in
-{ inherit x;
+{
+  inherit x;
   y = 456;
 }
 ```
@@ -62,23 +71,31 @@ is equivalent to
 
 ```nix
 let x = 123; in
-{ x = x;
+{
+  x = x;
   y = 456;
 }
 ```
 
-and both evaluate to `{ x = 123; y = 456; }`. (Note that this works
-because `x` is added to the lexical scope by the `let` construct.) It is
-also possible to inherit attributes from another set. For instance, in
-this fragment from `all-packages.nix`,
+and both evaluate to `{ x = 123; y = 456; }`.
+
+> **Note**
+>
+> This works because `x` is added to the lexical scope by the `let` construct.
+
+It is also possible to inherit attributes from another attribute set.
+
+Example:
+
+In this fragment from `all-packages.nix`,
 
 ```nix
 graphviz = (import ../tools/graphics/graphviz) {
   inherit fetchurl stdenv libpng libjpeg expat x11 yacc;
-  inherit (xlibs) libXaw;
+  inherit (xorg) libXaw;
 };
 
-xlibs = {
+xorg = {
   libX11 = ...;
   libXaw = ...;
   ...
@@ -92,7 +109,7 @@ libjpg = ...;
 the set used in the function call to the function defined in
 `../tools/graphics/graphviz` inherits a number of variables from the
 surrounding scope (`fetchurl` ... `yacc`), but also inherits `libXaw`
-(the X Athena Widgets) from the `xlibs` (X11 client-side libraries) set.
+(the X Athena Widgets) from the `xorg` set.
 
 Summarizing the fragment
 
@@ -191,30 +208,41 @@ three kinds of patterns:
     ```nix
     { x, y, z, ... } @ args: z + y + x + args.a
     ```
-    
-    Here `args` is bound to the entire argument, which is further
-    matched against the pattern `{ x, y, z,
-            ... }`. `@`-pattern makes mainly sense with an ellipsis(`...`) as
+
+    Here `args` is bound to the argument *as passed*, which is further
+    matched against the pattern `{ x, y, z, ... }`.
+    The `@`-pattern makes mainly sense with an ellipsis(`...`) as
     you can access attribute names as `a`, using `args.a`, which was
     given as an additional attribute to the function.
-    
+
     > **Warning**
-    > 
-    > The `args@` expression is bound to the argument passed to the
-    > function which means that attributes with defaults that aren't
-    > explicitly specified in the function call won't cause an
-    > evaluation error, but won't exist in `args`.
-    > 
+    >
+    > `args@` binds the name `args` to the attribute set that is passed to the function.
+    > In particular, `args` does *not* include any default values specified with `?` in the function's set pattern.
+    >
     > For instance
-    > 
+    >
     > ```nix
     > let
-    >   function = args@{ a ? 23, ... }: args;
+    >   f = args@{ a ? 23, ... }: [ a args ];
     > in
-    >   function {}
-    > ````
-    > 
-    > will evaluate to an empty attribute set.
+    >   f {}
+    > ```
+    >
+    > is equivalent to
+    >
+    > ```nix
+    > let
+    >   f = args @ { ... }: [ (args.a or 23) args ];
+    > in
+    >   f {}
+    > ```
+    >
+    > and both expressions will evaluate to:
+    >
+    > ```nix
+    > [ 23 {} ]
+    > ```
 
 Note that functions do not have names. If you want to give them a name,
 you can bind them to an attribute, e.g.,

doc/manual/src/language/derivations.md

@@ -17,7 +17,7 @@ the attributes of which specify the inputs of the build.
     string. This is used as a symbolic name for the package by
     `nix-env`, and it is appended to the output paths of the derivation.
 
-  - There must be an attribute named `builder` that identifies the
+  - There must be an attribute named [`builder`]{#attr-builder} that identifies the
     program that is executed to perform the build. It can be either a
     derivation or a source (a local file reference, e.g.,
     `./builder.sh`).

doc/manual/src/language/index.md

@@ -1,12 +1,11 @@
 # Nix Language
 
-The Nix language is
+The Nix language is designed for conveniently creating and composing *derivations* – precise descriptions of how contents of existing files are used to derive new files.
+It is:
 
 - *domain-specific*
 
-  It only exists for the Nix package manager:
-  to describe packages and configurations as well as their variants and compositions.
-  It is not intended for general purpose use.
+  It comes with [built-in functions](@docroot@/language/builtins.md) to integrate with the Nix store, which manages files and performs the derivations declared in the Nix language.
 
 - *declarative*
 
@@ -25,7 +24,7 @@ The Nix language is
 
 - *lazy*
 
-  Expressions are only evaluated when their value is needed.
+  Values are only computed when they are needed.
 
 - *dynamically typed*
 

doc/manual/src/language/operators.md

@@ -35,17 +35,14 @@
 
 ## Attribute selection
 
+> *attrset* `.` *attrpath* \[ `or` *expr* \]
+
 Select the attribute denoted by attribute path *attrpath* from [attribute set] *attrset*.
 If the attribute doesn’t exist, return the *expr* after `or` if provided, otherwise abort evaluation.
 
-<!-- FIXME: the following should to into its own language syntax section, but that needs more work to fit in well -->
+An attribute path is a dot-separated list of [attribute names](./values.md#attribute-set).
 
-An attribute path is a dot-separated list of attribute names.
-An attribute name can be an identifier or a string.
-
-> *attrpath* = *name* [ `.` *name* ]... \
-> *name* = *identifier* | *string* \
-> *identifier* ~ `[a-zA-Z_][a-zA-Z0-9_'-]*`
+> *attrpath* = *name* [ `.` *name* ]...
 
 [Attribute selection]: #attribute-selection
 

doc/manual/src/language/values.md

@@ -164,9 +164,17 @@ Note that lists are only lazy in values, and they are strict in length.
 
 An attribute set is a collection of name-value-pairs (called *attributes*) enclosed in curly brackets (`{ }`).
 
+An attribute name can be an identifier or a [string](#string).
+An identifier must start with a letter (`a-z`, `A-Z`) or underscore (`_`), and can otherwise contain letters (`a-z`, `A-Z`), numbers (`0-9`), underscores (`_`), apostrophes (`'`), or dashes (`-`).
+
+> *name* = *identifier* | *string* \
+> *identifier* ~ `[a-zA-Z_][a-zA-Z0-9_'-]*`
+
 Names and values are separated by an equal sign (`=`).
 Each value is an arbitrary expression terminated by a semicolon (`;`).
 
+> *attrset* = `{` [ *name* `=` *expr* `;` `]`... `}`
+
 Attributes can appear in any order.
 An attribute name may only occur once.
 
@@ -182,15 +190,19 @@ Example:
 
 This defines a set with attributes named `x`, `text`, `y`.
 
-Attributes can be selected from a set using the `.` operator. For
-instance,
+Attributes can be accessed with the [`.` operator](./operators.md#attribute-selection).
+
+Example:
 
 ```nix
 { a = "Foo"; b = "Bar"; }.a
 ```
 
-evaluates to `"Foo"`. It is possible to provide a default value in an
-attribute selection using the `or` keyword:
+This evaluates to `"Foo"`.
+
+It is possible to provide a default value in an attribute selection using the `or` keyword.
+
+Example:
 
 ```nix
 { a = "Foo"; b = "Bar"; }.c or "Xyzzy"

doc/manual/src/package-management/basic-package-mgmt.md

@@ -25,7 +25,7 @@ or completely new ones.)
 
 You can manually download the latest version of Nixpkgs from
 <https://github.com/NixOS/nixpkgs>. However, it’s much more
-convenient to use the Nixpkgs [*channel*](channels.md), since it makes
+convenient to use the Nixpkgs [*channel*](../command-ref/nix-channel.md), since it makes
 it easy to stay up to date with new versions of Nixpkgs. Nixpkgs is
 automatically added to your list of “subscribed” channels when you
 install Nix. If this is not the case for some reason, you can add it

doc/manual/src/package-management/channels.md

@@ -1,50 +0,0 @@
-# Channels
-
-If you want to stay up to date with a set of packages, it’s not very
-convenient to manually download the latest set of Nix expressions for
-those packages and upgrade using `nix-env`. Fortunately, there’s a
-better way: *Nix channels*.
-
-A Nix channel is just a URL that points to a place that contains a set
-of Nix expressions and a manifest. Using the command
-[`nix-channel`](../command-ref/nix-channel.md) you can automatically
-stay up to date with whatever is available at that URL.
-
-To see the list of official NixOS channels, visit
-<https://nixos.org/channels>.
-
-You can “subscribe” to a channel using `nix-channel --add`, e.g.,
-
-```console
-$ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
-```
-
-subscribes you to a channel that always contains that latest version of
-the Nix Packages collection. (Subscribing really just means that the URL
-is added to the file `~/.nix-channels`, where it is read by subsequent
-calls to `nix-channel
---update`.) You can “unsubscribe” using `nix-channel
---remove`:
-
-```console
-$ nix-channel --remove nixpkgs
-```
-
-To obtain the latest Nix expressions available in a channel, do
-
-```console
-$ nix-channel --update
-```
-
-This downloads and unpacks the Nix expressions in every channel
-(downloaded from `url/nixexprs.tar.bz2`). It also makes the union of
-each channel’s Nix expressions available by default to `nix-env`
-operations (via the symlink `~/.nix-defexpr/channels`). Consequently,
-you can then say
-
-```console
-$ nix-env --upgrade
-```
-
-to upgrade all packages in your profile to the latest versions available
-in the subscribed channels.

doc/manual/src/protocols/derivation-aterm.md

@@ -0,0 +1,19 @@
+# Derivation "ATerm" file format
+
+For historical reasons, [derivations](@docroot@/glossary.md#gloss-store-derivation) are stored on-disk in [ATerm](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html) format.
+
+Derivations are serialised in one of the following formats:
+
+- ```
+  Derive(...)
+  ```
+
+  For all stable derivations.
+
+- ```
+  DrvWithVersion(<version-string>, ...)
+  ```
+
+  The only `version-string`s that are in use today are for [experimental features](@docroot@/contributing/experimental-features.md):
+
+  - `"xp-dyn-drv"` for the [`dynamic-derivations`](@docroot@/contributing/experimental-features.md#xp-feature-dynamic-derivations) experimental feature.

doc/manual/src/protocols/protocols.md

@@ -0,0 +1,4 @@
+# Protocols
+
+This chapter documents various developer-facing interfaces provided by
+Nix.

doc/manual/src/protocols/tarball-fetcher.md

@@ -0,0 +1,42 @@
+# Lockable HTTP Tarball Protocol
+
+Tarball flakes can be served as regular tarballs via HTTP or the file
+system (for `file://` URLs). Unless the server implements the Lockable
+HTTP Tarball protocol, it is the responsibility of the user to make sure that
+the URL always produces the same tarball contents.
+
+An HTTP server can return an "immutable" HTTP URL appropriate for lock
+files. This allows users to specify a tarball flake input in
+`flake.nix` that requests the latest version of a flake
+(e.g. `https://example.org/hello/latest.tar.gz`), while `flake.lock`
+will record a URL whose contents will not change
+(e.g. `https://example.org/hello/<revision>.tar.gz`). To do so, the
+server must return an [HTTP `Link` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link) with the `rel` attribute set to
+`immutable`, as follows:
+
+```
+Link: <flakeref>; rel="immutable"
+```
+
+(Note the required `<` and `>` characters around *flakeref*.)
+
+*flakeref* must be a tarball flakeref. It can contain the tarball flake attributes
+`narHash`, `rev`, `revCount` and `lastModified`. If `narHash` is included, its
+value must be the NAR hash of the unpacked tarball (as computed via
+`nix hash path`). Nix checks the contents of the returned tarball
+against the `narHash` attribute. The `rev` and `revCount` attributes
+are useful when the tarball flake is a mirror of a fetcher type that
+has those attributes, such as Git or GitHub. They are not checked by
+Nix.
+
+```
+Link: <https://example.org/hello/442793d9ec0584f6a6e82fa253850c8085bb150a.tar.gz
+  ?rev=442793d9ec0584f6a6e82fa253850c8085bb150a
+  &revCount=835
+  &narHash=sha256-GUm8Uh/U74zFCwkvt9Mri4DSM%2BmHj3tYhXUkYpiv31M%3D>; rel="immutable"
+```
+
+(The linebreaks in this example are for clarity and must not be included in the actual response.)
+
+For tarball flakes, the value of the `lastModified` flake attribute is
+defined as the timestamp of the newest file inside the tarball.

doc/manual/src/release-notes/rl-2.17.md

@@ -0,0 +1,42 @@
+# Release 2.17 (2023-07-24)
+
+* [`nix-channel`](../command-ref/nix-channel.md) now supports a `--list-generations` subcommand.
+
+* The function [`builtins.fetchClosure`](../language/builtins.md#builtins-fetchClosure) can now fetch input-addressed paths in [pure evaluation mode](../command-ref/conf-file.md#conf-pure-eval), as those are not impure.
+
+* Nix now allows unprivileged/[`allowed-users`](../command-ref/conf-file.md#conf-allowed-users) to sign paths.
+  Previously, only [`trusted-users`](../command-ref/conf-file.md#conf-trusted-users) users could sign paths.
+
+* Nested dynamic attributes are now merged correctly by the parser. For example:
+
+  ```nix
+  {
+    nested = {
+      foo = 1;
+    };
+    nested = {
+      ${"ba" + "r"} = 2;
+    };
+  }
+  ```
+
+  This used to silently discard `nested.bar`, but now behaves as one would expect and evaluates to:
+
+  ```nix
+  { nested = { bar = 2; foo = 1; }; }
+  ```
+
+  Note that the feature of merging multiple *full declarations* of attribute sets like `nested` in the example is of questionable value.
+  It allows writing expressions that are very hard to read, for instance when there are many lines of code between two declarations of the same attribute.
+  This has been around for a long time and is therefore supported for backwards compatibility, but should not be relied upon.
+
+  Instead, consider using the *nested attribute path* syntax:
+
+  ```nix
+  {
+    nested.foo = 1;
+    nested.${"ba" + "r"} = 2;
+  }
+  ```
+
+* Tarball flakes can now redirect to an "immutable" URL that will be recorded in lock files. This allows the use of "mutable" tarball URLs like `https://example.org/hello/latest.tar.gz` in flakes. See the [tarball fetcher](../protocols/tarball-fetcher.md) for details.

doc/manual/src/release-notes/rl-2.18.md

@@ -0,0 +1,28 @@
+# Release 2.18 (2023-09-20)
+
+- Two new builtin functions,
+  [`builtins.parseFlakeRef`](@docroot@/language/builtins.md#builtins-parseFlakeRef)
+  and
+  [`builtins.flakeRefToString`](@docroot@/language/builtins.md#builtins-flakeRefToString),
+  have been added.
+  These functions are useful for converting between flake references encoded as attribute sets and URLs.
+
+- [`builtins.toJSON`](@docroot@/language/builtins.md#builtins-parseFlakeRef) now prints [--show-trace](@docroot@/command-ref/conf-file.html#conf-show-trace) items for the path in which it finds an evaluation error.
+
+- Error messages regarding malformed input to [`nix derivation add`](@docroot@/command-ref/new-cli/nix3-derivation-add.md) are now clearer and more detailed.
+
+- The `discard-references` feature has been stabilized.
+  This means that the
+  [unsafeDiscardReferences](@docroot@/contributing/experimental-features.md#xp-feature-discard-references)
+  attribute is no longer guarded by an experimental flag and can be used
+  freely.
+
+- The JSON output for derived paths which are store paths is now a string, not an object with a single `path` field.
+  This only affects `nix-build --json` when "building" non-derivation things like fetched sources, which is a no-op.
+
+- A new builtin [`outputOf`](@docroot@/language/builtins.md#builtins-outputOf) has been added.
+  It is part of the [`dynamic-derivations`](@docroot@/contributing/experimental-features.md#xp-feature-dynamic-derivations) experimental feature.
+
+- Flake follow paths at depths greater than 2 are now handled correctly, preventing "follows a non-existent input" errors.
+
+- [`nix-store --query`](@docroot@/command-ref/nix-store/query.md) gained a new type of query: `--valid-derivers`. It returns all `.drv` files in the local store that *can be* used to build the output passed in argument. This is in contrast to `--deriver`, which returns the single `.drv` file that *was actually* used to build the output passed in argument. In case the output was substituted from a binary cache, this `.drv` file may only exist on said binary cache and not locally.

doc/manual/src/release-notes/rl-next.md

@@ -1,2 +1,9 @@
 # Release X.Y (202?-??-??)
 
+- Fix a FOD sandbox escape:
+    Cooperating Nix derivations could send file descriptors to files in the Nix
+    store to each other via Unix domain sockets in the abstract namespace. This
+    allowed one derivation to modify the output of the other derivation, after Nix
+    has registered the path as "valid" and immutable in the Nix database.
+    In particular, this allowed the output of fixed-output derivations to be
+    modified from their expected content. This isn't the case any more.

doc/manual/utils.nix

@@ -44,10 +44,10 @@ rec {
 
   optionalString = cond: string: if cond then string else "";
 
-  showSetting = { useAnchors }: name: { description, documentDefault, defaultValue, aliases, value, experimentalFeature }:
+  showSetting = { inlineHTML }: name: { description, documentDefault, defaultValue, aliases, value, experimentalFeature }:
     let
       result = squash ''
-          - ${if useAnchors
+          - ${if inlineHTML
               then ''<span id="conf-${name}">[`${name}`](#conf-${name})</span>''
               else ''`${name}`''}
 

flake.lock

@@ -34,16 +34,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1670461440,
-        "narHash": "sha256-jy1LB8HOMKGJEGXgzFRLDU1CBGL0/LlkolgnqIsF0D8=",
+        "lastModified": 1700748986,
+        "narHash": "sha256-/nqLrNU297h3PCw4QyDpZKZEUHmialJdZW2ceYFobds=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "04a75b2eecc0acf6239acf9dd04485ff8d14f425",
+        "rev": "9ba29e2346bc542e9909d1021e8fd7d4b3f64db0",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-22.11-small",
+        "ref": "nixos-23.05-small",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -1,7 +1,7 @@
 {
   description = "The purely functional package manager";
 
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-22.11-small";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05-small";
   inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
   inputs.lowdown-src = { url = "github:kristapsdz/lowdown"; flake = false; };
   inputs.flake-compat = { url = "github:edolstra/flake-compat"; flake = false; };
@@ -11,7 +11,7 @@
     let
       inherit (nixpkgs) lib;
 
-      officialRelease = false;
+      officialRelease = true;
 
       version = lib.fileContents ./.version + versionSuffix;
       versionSuffix =
@@ -19,9 +19,11 @@
         then ""
         else "pre${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}_${self.shortRev or "dirty"}";
 
+      linux32BitSystems = [ "i686-linux" ];
       linux64BitSystems = [ "x86_64-linux" "aarch64-linux" ];
-      linuxSystems = linux64BitSystems ++ [ "i686-linux" ];
-      systems = linuxSystems ++ [ "x86_64-darwin" "aarch64-darwin" ];
+      linuxSystems = linux32BitSystems ++ linux64BitSystems;
+      darwinSystems = [ "x86_64-darwin" "aarch64-darwin" ];
+      systems = linuxSystems ++ darwinSystems;
 
       crossSystems = [ "armv6l-linux" "armv7l-linux" ];
 
@@ -40,6 +42,45 @@
             })
             stdenvs);
 
+      # Experimental fileset library: https://github.com/NixOS/nixpkgs/pull/222981
+      # Not an "idiomatic" flake input because:
+      #  - Propagation to dependent locks: https://github.com/NixOS/nix/issues/7730
+      #  - Subflake would download redundant and huge parent flake
+      #  - No git tree hash support: https://github.com/NixOS/nix/issues/6044
+      inherit (import (builtins.fetchTarball { url = "https://github.com/NixOS/nix/archive/1bdcd7fc8a6a40b2e805bad759b36e64e911036b.tar.gz"; sha256 = "sha256:14ljlpdsp4x7h1fkhbmc4bd3vsqnx8zdql4h3037wh09ad6a0893"; }))
+        fileset;
+
+      baseFiles =
+        # .gitignore has already been processed, so any changes in it are irrelevant
+        # at this point. It is not represented verbatim for test purposes because
+        # that would interfere with repo semantics.
+        fileset.fileFilter (f: f.name != ".gitignore") ./.;
+
+      nixSrc = fileset.toSource {
+        root = ./.;
+        fileset = fileset.intersect baseFiles (fileset.unions [
+          ./.version
+          ./boehmgc-coroutine-sp-fallback.diff
+          ./bootstrap.sh
+          ./configure.ac
+          ./doc
+          ./local.mk
+          ./m4
+          ./Makefile
+          ./Makefile.config.in
+          ./misc
+          ./mk
+          ./precompiled-headers.h
+          ./src
+          ./tests/functional
+          ./tests/unit
+          ./COPYING
+          ./scripts/local.mk
+          (fileset.fileFilter (f: lib.strings.hasPrefix "nix-profile" f.name) ./scripts)
+          # TODO: do we really need README.md? It doesn't seem used in the build.
+          ./README.md
+        ]);
+      };
 
       # Memoize nixpkgs for different platforms for efficiency.
       nixpkgsFor = forAllSystems
@@ -132,7 +173,14 @@
             boost
             lowdown-nix
           ]
-          ++ lib.optionals stdenv.isLinux [libseccomp]
+          ++ lib.optionals stdenv.isDarwin [darwin.apple_sdk.libs.sandbox]
+          ++ lib.optionals stdenv.isLinux [(libseccomp.overrideAttrs (_: rec {
+            version = "2.5.5";
+            src = fetchurl {
+              url = "https://github.com/seccomp/libseccomp/releases/download/v${version}/libseccomp-${version}.tar.gz";
+              hash = "sha256-JIosik2bmFiqa69ScSw0r+/PnJ6Ut23OAsHJqiX7M3U=";
+            };
+          }))]
           ++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
           ++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid;
 
@@ -209,7 +257,7 @@
             "-${client.version}-against-${daemon.version}";
         inherit version;
 
-        src = self;
+        src = nixSrc;
 
         VERSION_SUFFIX = versionSuffix;
 
@@ -320,18 +368,11 @@
           };
           let
             canRunInstalled = currentStdenv.buildPlatform.canExecute currentStdenv.hostPlatform;
-
-            sourceByRegexInverted = rxs: origSrc: final.lib.cleanSourceWith {
-              filter = (path: type:
-                let relPath = final.lib.removePrefix (toString origSrc + "/") (toString path);
-                in ! lib.any (re: builtins.match re relPath != null) rxs);
-              src = origSrc;
-            };
           in currentStdenv.mkDerivation (finalAttrs: {
             name = "nix-${version}";
             inherit version;
 
-            src = sourceByRegexInverted [ "tests/nixos/.*" "tests/installer/.*" ] self;
+            src = nixSrc;
             VERSION_SUFFIX = versionSuffix;
 
             outputs = [ "out" "dev" "doc" ];
@@ -427,7 +468,8 @@
                   boost
                 ]
                 ++ lib.optional (currentStdenv.isLinux || currentStdenv.isDarwin) libsodium
-                ++ lib.optional currentStdenv.isDarwin darwin.apple_sdk.frameworks.Security;
+                ++ lib.optional currentStdenv.isDarwin darwin.apple_sdk.frameworks.Security
+                ++ lib.optional stdenv.hostPlatform.isDarwin darwin.apple_sdk.libs.sandbox;
 
               configureFlags = [
                 "--with-dbi=${perlPackages.DBI}/${pkgs.perl.libPrefix}"
@@ -516,7 +558,7 @@
         # tarball for the user's system and calls the second half of the
         # installation script.
         installerScript = installScriptFor [ "x86_64-linux" "i686-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" "armv6l-linux" "armv7l-linux" ];
-        installerScriptForGHA = installScriptFor [ "x86_64-linux" "x86_64-darwin" "armv6l-linux" "armv7l-linux"];
+        installerScriptForGHA = installScriptFor [ "x86_64-linux" "aarch64-darwin" "armv6l-linux" "armv7l-linux"];
 
         # docker image with Nix inside
         dockerImage = lib.genAttrs linux64BitSystems (system: self.packages.${system}.dockerImage);
@@ -529,7 +571,7 @@
           releaseTools.coverageAnalysis {
             name = "nix-coverage-${version}";
 
-            src = self;
+            src = nixSrc;
 
             configureFlags = testConfigureFlags;
 
@@ -546,6 +588,8 @@
             lcovFilter = [ "*/boost/*" "*-tab.*" ];
 
             hardeningDisable = ["fortify"];
+
+            NIX_CFLAGS_COMPILE = "-DCOVERAGE=1";
           };
 
         # API docs for Nix's unstable internal C++ interfaces.
@@ -557,7 +601,7 @@
             pname = "nix-internal-api-docs";
             inherit version;
 
-            src = self;
+            src = nixSrc;
 
             configureFlags = testConfigureFlags ++ internalApiDocsConfigureFlags;
 
@@ -578,6 +622,8 @@
         # System tests.
         tests.authorization = runNixOSTestFor "x86_64-linux" ./tests/nixos/authorization.nix;
 
+        tests.fetchurl = runNixOSTestFor "x86_64-linux" ./tests/nixos/fetchurl.nix;
+
         tests.remoteBuilds = runNixOSTestFor "x86_64-linux" ./tests/nixos/remote-builds.nix;
 
         tests.nix-copy-closure = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy-closure.nix;
@@ -590,12 +636,18 @@
 
         tests.sourcehutFlakes = runNixOSTestFor "x86_64-linux" ./tests/nixos/sourcehut-flakes.nix;
 
+        tests.tarballFlakes = runNixOSTestFor "x86_64-linux" ./tests/nixos/tarball-flakes.nix;
+
         tests.containers = runNixOSTestFor "x86_64-linux" ./tests/nixos/containers/containers.nix;
 
         tests.setuid = lib.genAttrs
           ["i686-linux" "x86_64-linux"]
           (system: runNixOSTestFor system ./tests/nixos/setuid.nix);
 
+        tests.ca-fd-leak = runNixOSTestFor "x86_64-linux" ./tests/nixos/ca-fd-leak;
+
+        tests.user-sandboxing = runNixOSTestFor "x86_64-linux" ./tests/nixos/user-sandboxing;
+
 
         # Make sure that nix-env still produces the exact same result
         # on a particular version of Nixpkgs.
@@ -613,7 +665,9 @@
         tests.nixpkgsLibTests =
           forAllSystems (system:
             import (nixpkgs + "/lib/tests/release.nix")
-              { pkgs = nixpkgsFor.${system}.native; }
+              { pkgs = nixpkgsFor.${system}.native;
+                nixVersions = [ self.packages.${system}.nix ];
+              }
           );
 
         metrics.nixpkgs = import "${nixpkgs-regression}/pkgs/top-level/metrics.nix" {

maintainers/README.md

@@ -117,6 +117,7 @@ Pull requests in this column are reviewed together during work meetings.
 This is both for spreading implementation knowledge and for establishing common values in code reviews.
 
 When the overall direction is agreed upon, even when further changes are required, the pull request is assigned to one team member.
+If significant changes are requested or reviewers cannot come to a conclusion in reasonable time, the pull request is [marked as draft](https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/changing-the-stage-of-a-pull-request#converting-a-pull-request-to-a-draft).
 
 ### Assigned
 

maintainers/release-process.md

@@ -119,8 +119,7 @@ release:
   TODO: This script requires the right AWS credentials. Document.
 
   TODO: This script currently requires a
-  `/home/eelco/Dev/nix-pristine` and
-  `/home/eelco/Dev/nixpkgs-pristine`.
+  `/home/eelco/Dev/nix-pristine`.
 
   TODO: trigger nixos.org netlify: https://docs.netlify.com/configure-builds/build-hooks/
 
@@ -141,7 +140,7 @@ release:
   $ git checkout master
   $ git pull
   $ NEW_VERSION=2.13.0
-  $ echo -n $NEW_VERSION > .version
+  $ echo $NEW_VERSION > .version
   $ git checkout -b bump-$NEW_VERSION
   $ git commit -a -m 'Bump version'
   $ git push --set-upstream origin bump-$NEW_VERSION

maintainers/upload-release.pl

@@ -80,6 +80,38 @@ my $s3_us = Net::Amazon::S3->new(
 
 my $channelsBucket = $s3_us->bucket($channelsBucketName) or die;
 
+sub getStorePath {
+    my ($jobName, $output) = @_;
+    my $buildInfo = decode_json(fetch("$evalUrl/job/$jobName", 'application/json'));
+    return $buildInfo->{buildoutputs}->{$output or "out"}->{path} or die "cannot get store path for '$jobName'";
+}
+
+sub copyManual {
+    my $manual = getStorePath("build.x86_64-linux", "doc");
+    print "$manual\n";
+
+    my $manualNar = "$tmpDir/$releaseName-manual.nar.xz";
+    print "$manualNar\n";
+
+    unless (-e $manualNar) {
+        system("NIX_REMOTE=$binaryCache nix store dump-path '$manual' | xz > '$manualNar'.tmp") == 0
+            or die "unable to fetch $manual\n";
+        rename("$manualNar.tmp", $manualNar) or die;
+    }
+
+    unless (-e "$tmpDir/manual") {
+        system("xz -d < '$manualNar' | nix-store --restore $tmpDir/manual.tmp") == 0
+            or die "unable to unpack $manualNar\n";
+        rename("$tmpDir/manual.tmp/share/doc/nix/manual", "$tmpDir/manual") or die;
+        File::Path::remove_tree("$tmpDir/manual.tmp", {safe => 1});
+    }
+
+    system("aws s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
+        or die "syncing manual to S3\n";
+}
+
+copyManual;
+
 sub downloadFile {
     my ($jobName, $productNr, $dstName) = @_;
 
@@ -179,9 +211,20 @@ if ($isLatest) {
     system("docker manifest push nixos/nix:latest") == 0 or die;
 }
 
+# Upload nix-fallback-paths.nix.
+write_file("$tmpDir/fallback-paths.nix",
+    "{\n" .
+    "  x86_64-linux = \"" . getStorePath("build.x86_64-linux") . "\";\n" .
+    "  i686-linux = \"" . getStorePath("build.i686-linux") . "\";\n" .
+    "  aarch64-linux = \"" . getStorePath("build.aarch64-linux") . "\";\n" .
+    "  x86_64-darwin = \"" . getStorePath("build.x86_64-darwin") . "\";\n" .
+    "  aarch64-darwin = \"" . getStorePath("build.aarch64-darwin") . "\";\n" .
+    "}\n");
+
 # Upload release files to S3.
 for my $fn (glob "$tmpDir/*") {
     my $name = basename($fn);
+    next if $name eq "manual";
     my $dstKey = "$releaseDir/" . $name;
     unless (defined $releasesBucket->head_key($dstKey)) {
         print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";
@@ -189,8 +232,7 @@ for my $fn (glob "$tmpDir/*") {
         my $configuration = ();
         $configuration->{content_type} = "application/octet-stream";
 
-        if ($fn =~ /.sha256|install/) {
-            # Text files
+        if ($fn =~ /.sha256|install|\.nix$/) {
             $configuration->{content_type} = "text/plain";
         }
 
@@ -199,24 +241,6 @@ for my $fn (glob "$tmpDir/*") {
     }
 }
 
-# Print new nix-fallback-paths.nix.
-if ($isLatest) {
-    sub getStorePath {
-        my ($jobName) = @_;
-        my $buildInfo = decode_json(fetch("$evalUrl/job/$jobName", 'application/json'));
-        return $buildInfo->{buildoutputs}->{out}->{path} or die "cannot get store path for '$jobName'";
-    }
-
-    print STDERR "nixos/modules/installer/tools/nix-fallback-paths.nix:\n" .
-               "{\n" .
-               "  x86_64-linux = \"" . getStorePath("build.x86_64-linux") . "\";\n" .
-               "  i686-linux = \"" . getStorePath("build.i686-linux") . "\";\n" .
-               "  aarch64-linux = \"" . getStorePath("build.aarch64-linux") . "\";\n" .
-               "  x86_64-darwin = \"" . getStorePath("build.x86_64-darwin") . "\";\n" .
-               "  aarch64-darwin = \"" . getStorePath("build.aarch64-darwin") . "\";\n" .
-               "}\n";
-}
-
 # Update the "latest" symlink.
 $channelsBucket->add_key(
     "nix-latest/install", "",
@@ -230,3 +254,6 @@ system("git remote update origin") == 0 or die;
 system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
 system("git push --tags") == 0 or die;
 system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;
+
+File::Path::remove_tree($narCache, {safe => 1});
+File::Path::remove_tree($tmpDir, {safe => 1});

misc/systemd/nix-daemon.service.in

@@ -10,6 +10,7 @@ ConditionPathIsReadWrite=@localstatedir@/nix/daemon-socket
 ExecStart=@@bindir@/nix-daemon nix-daemon --daemon
 KillMode=process
 LimitNOFILE=1048576
+TasksMax=1048576
 
 [Install]
 WantedBy=multi-user.target

mk/common-test.sh

@@ -1,11 +1,15 @@
+test_dir=tests/functional
+
+test=$(echo -n "$test" | sed -e "s|^$test_dir/||")
+
 TESTS_ENVIRONMENT=("TEST_NAME=${test%.*}" 'NIX_REMOTE=')
 
 : ${BASH:=/usr/bin/env bash}
 
 init_test () {
-   cd tests && env "${TESTS_ENVIRONMENT[@]}" $BASH -e init.sh 2>/dev/null > /dev/null
+   cd "$test_dir" && env "${TESTS_ENVIRONMENT[@]}" $BASH -e init.sh 2>/dev/null > /dev/null
 }
 
 run_test_proper () {
-   cd $(dirname $test) && env "${TESTS_ENVIRONMENT[@]}" $BASH -e $(basename $test)
+   cd "$test_dir/$(dirname $test)" && env "${TESTS_ENVIRONMENT[@]}" $BASH -e $(basename $test)
 }

mk/lib.mk

@@ -10,6 +10,7 @@ bin-scripts :=
 noinst-scripts :=
 man-pages :=
 install-tests :=
+install-tests-groups :=
 
 ifdef HOST_OS
   HOST_KERNEL = $(firstword $(subst -, ,$(HOST_OS)))
@@ -121,7 +122,16 @@ $(foreach script, $(bin-scripts), $(eval $(call install-program-in,$(script),$(b
 $(foreach script, $(bin-scripts), $(eval programs-list += $(script)))
 $(foreach script, $(noinst-scripts), $(eval programs-list += $(script)))
 $(foreach template, $(template-files), $(eval $(call instantiate-template,$(template))))
-$(foreach test, $(install-tests), $(eval $(call run-install-test,$(test))))
+$(foreach test, $(install-tests), \
+  $(eval $(call run-install-test,$(test))) \
+  $(eval installcheck: $(test).test))
+$(foreach test-group, $(install-tests-groups), \
+  $(eval $(call run-install-test-group,$(test-group))) \
+  $(eval installcheck: $(test-group).test-group) \
+  $(foreach test, $($(test-group)-tests), \
+    $(eval $(call run-install-test,$(test))) \
+    $(eval $(test-group).test-group: $(test).test)))
+
 $(foreach file, $(man-pages), $(eval $(call install-data-in, $(file), $(mandir)/man$(patsubst .%,%,$(suffix $(file))))))
 
 
@@ -151,6 +161,14 @@ ifdef libs-list
 	@echo "The following libraries can be built:"
 	@echo ""
 	@for i in $(libs-list); do echo "  $$i"; done
+endif
+ifdef install-tests-groups
+	@echo ""
+	@echo "The following groups of functional tests can be run:"
+	@echo ""
+	@for i in $(install-tests-groups); do echo "  $$i.test-group"; done
+	@echo ""
+	@echo "(installcheck includes tests in test groups too.)"
 endif
 	@echo ""
 	@echo "The following variables control the build:"

mk/tests.mk

@@ -4,8 +4,6 @@ test-deps =
 
 define run-install-test
 
-  installcheck: $1.test
-
   .PHONY: $1.test
   $1.test: $1 $(test-deps)
 	@env BASH=$(bash) $(bash) mk/run-test.sh $1 < /dev/null
@@ -16,6 +14,12 @@ define run-install-test
 
 endef
 
+define run-install-test-group
+
+  .PHONY: $1.test-group
+
+endef
+
 .PHONY: check installcheck
 
 print-top-help += \

perl/lib/Nix/Store.xs

@@ -294,10 +294,8 @@ SV * makeFixedOutputPath(int recursive, char * algo, char * hash, char * name)
             auto h = Hash::parseAny(hash, parseHashType(algo));
             auto method = recursive ? FileIngestionMethod::Recursive : FileIngestionMethod::Flat;
             auto path = store()->makeFixedOutputPath(name, FixedOutputInfo {
-                .hash = {
-                    .method = method,
-                    .hash = h,
-                },
+                .method = method,
+                .hash = h,
                 .references = {},
             });
             XPUSHs(sv_2mortal(newSVpv(store()->printStorePath(path).c_str(), 0)));
@@ -326,7 +324,7 @@ SV * derivationFromPath(char * drvPath)
             hv_stores(hash, "outputs", newRV((SV *) outputs));
 
             AV * inputDrvs = newAV();
-            for (auto & i : drv.inputDrvs)
+            for (auto & i : drv.inputDrvs.map)
                 av_push(inputDrvs, newSVpv(store()->printStorePath(i.first).c_str(), 0)); // !!! ignores i->second
             hv_stores(hash, "inputDrvs", newRV((SV *) inputDrvs));
 

scripts/bigsur-nixbld-user-migration.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-((NEW_NIX_FIRST_BUILD_UID=301))
+((NEW_NIX_FIRST_BUILD_UID=351))
 
 id_available(){
 	dscl . list /Users UniqueID | grep -E '\b'$1'\b' >/dev/null

scripts/install-darwin-multi-user.sh

@@ -3,11 +3,24 @@
 set -eu
 set -o pipefail
 
+# System specific settings
+# Notes:
+# - up to macOS Big Sur we used the same GID/UIDs as Linux (30000:30001-32)
+# - we changed UID to 301 because Big Sur updates failed into recovery mode
+#   we're targeting the 200-400 UID range for role users mentioned in the
+#   usage note for sysadminctl
+# - we changed UID to 351 because Sequoia now uses UIDs 300-304 for its own
+#   daemon users
+# - we changed GID to 350 alongside above just because it hides the nixbld
+#   group from the Users & Groups settings panel :)
+export NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-351}"
+export NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-350}"
+export NIX_BUILD_USER_NAME_TEMPLATE="_nixbld%d"
+
+
 readonly NIX_DAEMON_DEST=/Library/LaunchDaemons/org.nixos.nix-daemon.plist
 # create by default; set 0 to DIY, use a symlink, etc.
 readonly NIX_VOLUME_CREATE=${NIX_VOLUME_CREATE:-1} # now default
-NIX_FIRST_BUILD_UID="301"
-NIX_BUILD_USER_NAME_TEMPLATE="_nixbld%d"
 
 # caution: may update times on / if not run as normal non-root user
 read_only_root() {
@@ -100,7 +113,7 @@ poly_extra_try_me_commands() {
 poly_configure_nix_daemon_service() {
     task "Setting up the nix-daemon LaunchDaemon"
     _sudo "to set up the nix-daemon as a LaunchDaemon" \
-          /bin/cp -f "/nix/var/nix/profiles/default$NIX_DAEMON_DEST" "$NIX_DAEMON_DEST"
+          /usr/bin/install -m -rw-r--r-- "/nix/var/nix/profiles/default$NIX_DAEMON_DEST" "$NIX_DAEMON_DEST"
 
     _sudo "to load the LaunchDaemon plist for nix-daemon" \
           launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist

scripts/install-multi-user.sh

@@ -23,11 +23,12 @@ readonly RED='\033[31m'
 # installer allows overriding build user count to speed up installation
 # as creating each user takes non-trivial amount of time on macos
 readonly NIX_USER_COUNT=${NIX_USER_COUNT:-32}
-readonly NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-30000}"
 readonly NIX_BUILD_GROUP_NAME="nixbld"
-# darwin installer needs to override these
-NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-30001}"
-NIX_BUILD_USER_NAME_TEMPLATE="nixbld%d"
+# each system specific installer must set these:
+#   NIX_FIRST_BUILD_UID
+#   NIX_BUILD_GROUP_ID
+#   NIX_BUILD_USER_NAME_TEMPLATE
+
 # Please don't change this. We don't support it, because the
 # default shell profile that comes with Nix doesn't support it.
 readonly NIX_ROOT="/nix"
@@ -522,9 +523,7 @@ It seems the build group $NIX_BUILD_GROUP_NAME already exists, but
 with the UID $primary_group_id. This script can't really handle
 that right now, so I'm going to give up.
 
-You can fix this by editing this script and changing the
-NIX_BUILD_GROUP_ID variable near the top to from $NIX_BUILD_GROUP_ID
-to $primary_group_id and re-run.
+You can export NIX_BUILD_GROUP_ID=$primary_group_id and re-run.
 EOF
         else
             row "            Exists" "Yes"
@@ -699,7 +698,17 @@ EOF
     fi
 }
 
+check_required_system_specific_settings() {
+    if [ -z "${NIX_FIRST_BUILD_UID+x}" ] || [ -z "${NIX_BUILD_USER_NAME_TEMPLATE+x}" ]; then
+        failure "Internal error: System specific installer for $(uname) ($1) does not export required settings."
+    fi
+}
+
 welcome_to_nix() {
+    local -r NIX_UID_RANGES="${NIX_FIRST_BUILD_UID}..$((NIX_FIRST_BUILD_UID + NIX_USER_COUNT - 1))"
+    local -r RANGE_TEXT=$(echo -ne "${BLUE}(uids [${NIX_UID_RANGES}])${ESC}")
+    local -r GROUP_TEXT=$(echo -ne "${BLUE}(gid ${NIX_BUILD_GROUP_ID})${ESC}")
+
     ok "Welcome to the Multi-User Nix Installation"
 
     cat <<EOF
@@ -713,8 +722,10 @@ manager. This will happen in a few stages:
 2. Show you what I am going to install and where. Then I will ask
    if you are ready to continue.
 
-3. Create the system users and groups that the Nix daemon uses to run
-   builds.
+3. Create the system users ${RANGE_TEXT} and groups ${GROUP_TEXT}
+   that the Nix daemon uses to run builds. To create system users
+   in a different range, exit and run this tool again with
+   NIX_FIRST_BUILD_UID set.
 
 4. Perform the basic installation of the Nix files daemon.
 
@@ -880,7 +891,7 @@ configure_shell_profile() {
         fi
     done
 
-    task "Setting up shell profiles for Fish with with ${PROFILE_FISH_SUFFIX} inside ${PROFILE_FISH_PREFIXES[*]}"
+    task "Setting up shell profiles for Fish with ${PROFILE_FISH_SUFFIX} inside ${PROFILE_FISH_PREFIXES[*]}"
     for fish_prefix in "${PROFILE_FISH_PREFIXES[@]}"; do
         if [ ! -d "$fish_prefix" ]; then
             # this specific prefix (ie: /etc/fish) is very likely to exist
@@ -956,13 +967,16 @@ main() {
     if is_os_darwin; then
         # shellcheck source=./install-darwin-multi-user.sh
         . "$EXTRACTED_NIX_PATH/install-darwin-multi-user.sh"
+        check_required_system_specific_settings "install-darwin-multi-user.sh"
     elif is_os_linux; then
         # shellcheck source=./install-systemd-multi-user.sh
         . "$EXTRACTED_NIX_PATH/install-systemd-multi-user.sh" # most of this works on non-systemd distros also
+        check_required_system_specific_settings "install-systemd-multi-user.sh"
     else
         failure "Sorry, I don't know what to do on $(uname)"
     fi
 
+
     welcome_to_nix
 
     if ! is_root; then

scripts/install-systemd-multi-user.sh

@@ -3,6 +3,11 @@
 set -eu
 set -o pipefail
 
+# System specific settings
+export NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-30001}"
+export NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-30000}"
+export NIX_BUILD_USER_NAME_TEMPLATE="nixbld%d"
+
 readonly SERVICE_SRC=/lib/systemd/system/nix-daemon.service
 readonly SERVICE_DEST=/etc/systemd/system/nix-daemon.service
 

src/build-remote/build-remote.cc

@@ -299,7 +299,7 @@ connected:
             !trusted || *trusted;
         });
 
-        // See the very large comment in `case wopBuildDerivation:` in
+        // See the very large comment in `case WorkerProto::Op::BuildDerivation:` in
         // `src/libstore/daemon.cc` that explains the trust model here.
         //
         // This condition mirrors that: that code enforces the "rules" outlined there;
@@ -314,7 +314,7 @@ connected:
             //
             // 2. Changing the `inputSrcs` set changes the associated
             //    output ids, which break CA derivations
-            if (!drv.inputDrvs.empty())
+            if (!drv.inputDrvs.map.empty())
                 drv.inputSrcs = store->parseStorePathSet(inputs);
             optResult = sshStore->buildDerivation(*drvPath, (const BasicDerivation &) drv);
             auto & result = *optResult;
@@ -322,7 +322,12 @@ connected:
                 throw Error("build of '%s' on '%s' failed: %s", store->printStorePath(*drvPath), storeUri, result.errorMsg);
         } else {
             copyClosure(*store, *sshStore, StorePathSet {*drvPath}, NoRepair, NoCheckSigs, substitute);
-            auto res = sshStore->buildPathsWithResults({ DerivedPath::Built { *drvPath, OutputsSpec::All {} } });
+            auto res = sshStore->buildPathsWithResults({
+                DerivedPath::Built {
+                    .drvPath = makeConstantStorePathRef(*drvPath),
+                    .outputs = OutputsSpec::All {},
+                }
+            });
             // One path to build should produce exactly one build result
             assert(res.size() == 1);
             optResult = std::move(res[0]);

src/libcmd/built-path.cc

@@ -0,0 +1,149 @@
+#include "built-path.hh"
+#include "derivations.hh"
+#include "store-api.hh"
+
+#include <nlohmann/json.hpp>
+
+#include <optional>
+
+namespace nix {
+
+#define CMP_ONE(CHILD_TYPE, MY_TYPE, FIELD, COMPARATOR) \
+    bool MY_TYPE ::operator COMPARATOR (const MY_TYPE & other) const \
+    { \
+        const MY_TYPE* me = this; \
+        auto fields1 = std::make_tuple<const CHILD_TYPE &, const FIELD_TYPE &>(*me->drvPath, me->FIELD); \
+        me = &other; \
+        auto fields2 = std::make_tuple<const CHILD_TYPE &, const FIELD_TYPE &>(*me->drvPath, me->FIELD); \
+        return fields1 COMPARATOR fields2; \
+    }
+#define CMP(CHILD_TYPE, MY_TYPE, FIELD) \
+    CMP_ONE(CHILD_TYPE, MY_TYPE, FIELD, ==) \
+    CMP_ONE(CHILD_TYPE, MY_TYPE, FIELD, !=) \
+    CMP_ONE(CHILD_TYPE, MY_TYPE, FIELD, <)
+
+#define FIELD_TYPE std::pair<std::string, StorePath>
+CMP(SingleBuiltPath, SingleBuiltPathBuilt, output)
+#undef FIELD_TYPE
+
+#define FIELD_TYPE std::map<std::string, StorePath>
+CMP(SingleBuiltPath, BuiltPathBuilt, outputs)
+#undef FIELD_TYPE
+
+#undef CMP
+#undef CMP_ONE
+
+StorePath SingleBuiltPath::outPath() const
+{
+    return std::visit(
+        overloaded{
+            [](const SingleBuiltPath::Opaque & p) { return p.path; },
+            [](const SingleBuiltPath::Built & b) { return b.output.second; },
+        }, raw()
+    );
+}
+
+StorePathSet BuiltPath::outPaths() const
+{
+    return std::visit(
+        overloaded{
+            [](const BuiltPath::Opaque & p) { return StorePathSet{p.path}; },
+            [](const BuiltPath::Built & b) {
+                StorePathSet res;
+                for (auto & [_, path] : b.outputs)
+                    res.insert(path);
+                return res;
+            },
+        }, raw()
+    );
+}
+
+SingleDerivedPath::Built SingleBuiltPath::Built::discardOutputPath() const
+{
+    return SingleDerivedPath::Built {
+        .drvPath = make_ref<SingleDerivedPath>(drvPath->discardOutputPath()),
+        .output = output.first,
+    };
+}
+
+SingleDerivedPath SingleBuiltPath::discardOutputPath() const
+{
+    return std::visit(
+        overloaded{
+            [](const SingleBuiltPath::Opaque & p) -> SingleDerivedPath {
+                return p;
+            },
+            [](const SingleBuiltPath::Built & b) -> SingleDerivedPath {
+                return b.discardOutputPath();
+            },
+        }, raw()
+    );
+}
+
+nlohmann::json BuiltPath::Built::toJSON(const Store & store) const
+{
+    nlohmann::json res;
+    res["drvPath"] = drvPath->toJSON(store);
+    for (const auto & [outputName, outputPath] : outputs) {
+        res["outputs"][outputName] = store.printStorePath(outputPath);
+    }
+    return res;
+}
+
+nlohmann::json SingleBuiltPath::Built::toJSON(const Store & store) const
+{
+    nlohmann::json res;
+    res["drvPath"] = drvPath->toJSON(store);
+    auto & [outputName, outputPath] = output;
+    res["output"] = outputName;
+    res["outputPath"] = store.printStorePath(outputPath);
+    return res;
+}
+
+nlohmann::json SingleBuiltPath::toJSON(const Store & store) const
+{
+    return std::visit([&](const auto & buildable) {
+        return buildable.toJSON(store);
+    }, raw());
+}
+
+nlohmann::json BuiltPath::toJSON(const Store & store) const
+{
+    return std::visit([&](const auto & buildable) {
+        return buildable.toJSON(store);
+    }, raw());
+}
+
+RealisedPath::Set BuiltPath::toRealisedPaths(Store & store) const
+{
+    RealisedPath::Set res;
+    std::visit(
+        overloaded{
+            [&](const BuiltPath::Opaque & p) { res.insert(p.path); },
+            [&](const BuiltPath::Built & p) {
+                auto drvHashes =
+                    staticOutputHashes(store, store.readDerivation(p.drvPath->outPath()));
+                for (auto& [outputName, outputPath] : p.outputs) {
+                    if (experimentalFeatureSettings.isEnabled(
+                                Xp::CaDerivations)) {
+                        auto drvOutput = get(drvHashes, outputName);
+                        if (!drvOutput)
+                            throw Error(
+                                "the derivation '%s' has unrealised output '%s' (derived-path.cc/toRealisedPaths)",
+                                store.printStorePath(p.drvPath->outPath()), outputName);
+                        auto thisRealisation = store.queryRealisation(
+                            DrvOutput{*drvOutput, outputName});
+                        assert(thisRealisation);  // We’ve built it, so we must
+                                                  // have the realisation
+                        res.insert(*thisRealisation);
+                    } else {
+                        res.insert(outputPath);
+                    }
+                }
+            },
+        },
+        raw());
+    return res;
+}
+
+}

src/libcmd/built-path.hh

@@ -0,0 +1,94 @@
+#include "derived-path.hh"
+#include "realisation.hh"
+
+namespace nix {
+
+struct SingleBuiltPath;
+
+struct SingleBuiltPathBuilt {
+    ref<SingleBuiltPath> drvPath;
+    std::pair<std::string, StorePath> output;
+
+    SingleDerivedPathBuilt discardOutputPath() const;
+
+    std::string to_string(const Store & store) const;
+    static SingleBuiltPathBuilt parse(const Store & store, std::string_view, std::string_view);
+    nlohmann::json toJSON(const Store & store) const;
+
+    DECLARE_CMP(SingleBuiltPathBuilt);
+};
+
+using _SingleBuiltPathRaw = std::variant<
+    DerivedPathOpaque,
+    SingleBuiltPathBuilt
+>;
+
+struct SingleBuiltPath : _SingleBuiltPathRaw {
+    using Raw = _SingleBuiltPathRaw;
+    using Raw::Raw;
+
+    using Opaque = DerivedPathOpaque;
+    using Built = SingleBuiltPathBuilt;
+
+    inline const Raw & raw() const {
+        return static_cast<const Raw &>(*this);
+    }
+
+    StorePath outPath() const;
+
+    SingleDerivedPath discardOutputPath() const;
+
+    static SingleBuiltPath parse(const Store & store, std::string_view);
+    nlohmann::json toJSON(const Store & store) const;
+};
+
+static inline ref<SingleBuiltPath> staticDrv(StorePath drvPath)
+{
+    return make_ref<SingleBuiltPath>(SingleBuiltPath::Opaque { drvPath });
+}
+
+/**
+ * A built derived path with hints in the form of optional concrete output paths.
+ *
+ * See 'BuiltPath' for more an explanation.
+ */
+struct BuiltPathBuilt {
+    ref<SingleBuiltPath> drvPath;
+    std::map<std::string, StorePath> outputs;
+
+    std::string to_string(const Store & store) const;
+    static BuiltPathBuilt parse(const Store & store, std::string_view, std::string_view);
+    nlohmann::json toJSON(const Store & store) const;
+
+    DECLARE_CMP(BuiltPathBuilt);
+};
+
+using _BuiltPathRaw = std::variant<
+    DerivedPath::Opaque,
+    BuiltPathBuilt
+>;
+
+/**
+ * A built path. Similar to a DerivedPath, but enriched with the corresponding
+ * output path(s).
+ */
+struct BuiltPath : _BuiltPathRaw {
+    using Raw = _BuiltPathRaw;
+    using Raw::Raw;
+
+    using Opaque = DerivedPathOpaque;
+    using Built = BuiltPathBuilt;
+
+    inline const Raw & raw() const {
+        return static_cast<const Raw &>(*this);
+    }
+
+    StorePathSet outPaths() const;
+    RealisedPath::Set toRealisedPaths(Store & store) const;
+
+    nlohmann::json toJSON(const Store & store) const;
+};
+
+typedef std::vector<BuiltPath> BuiltPaths;
+
+}

src/libcmd/command.cc

@@ -239,9 +239,7 @@ void MixProfile::updateProfile(const StorePath & storePath)
     if (!store) throw Error("'--profile' is not supported for this Nix store");
     auto profile2 = absPath(*profile);
     switchLink(profile2,
-        createGeneration(
-            ref<LocalFSStore>(store),
-            profile2, storePath));
+        createGeneration(*store, profile2, storePath));
 }
 
 void MixProfile::updateProfile(const BuiltPaths & buildables)

src/libcmd/common-eval-args.cc

@@ -1,3 +1,4 @@
+#include "eval-settings.hh"
 #include "common-eval-args.hh"
 #include "shared.hh"
 #include "filetransfer.hh"
@@ -105,7 +106,9 @@ MixEvalArgs::MixEvalArgs()
   )",
         .category = category,
         .labels = {"path"},
-        .handler = {[&](std::string s) { searchPath.push_back(s); }}
+        .handler = {[&](std::string s) {
+            searchPath.elements.emplace_back(SearchPath::Elem::parse(s));
+        }}
     });
 
     addFlag({
@@ -165,7 +168,7 @@ SourcePath lookupFileArg(EvalState & state, std::string_view s)
 {
     if (EvalSettings::isPseudoUrl(s)) {
         auto storePath = fetchers::downloadTarball(
-            state.store, EvalSettings::resolvePseudoUrl(s), "source", false).first.storePath;
+            state.store, EvalSettings::resolvePseudoUrl(s), "source", false).tree.storePath;
         return state.rootPath(CanonPath(state.store->toRealPath(storePath)));
     }
 

src/libcmd/common-eval-args.hh

@@ -3,6 +3,7 @@
 
 #include "args.hh"
 #include "common-args.hh"
+#include "search-path.hh"
 
 namespace nix {
 
@@ -19,7 +20,7 @@ struct MixEvalArgs : virtual Args, virtual MixRepair
 
     Bindings * getAutoArgs(EvalState & state);
 
-    Strings searchPath;
+    SearchPath searchPath;
 
     std::optional<std::string> evalStoreUrl;
 

src/libcmd/installable-attr-path.cc

@@ -80,7 +80,7 @@ DerivedPathsWithInfo InstallableAttrPath::toDerivedPaths()
             [&](const ExtendedOutputsSpec::Explicit & e) -> OutputsSpec {
                 return e;
             },
-        }, extendedOutputsSpec.raw());
+        }, extendedOutputsSpec.raw);
 
         auto [iter, didInsert] = byDrvPath.emplace(*drvPath, newOutputs);
 
@@ -92,10 +92,11 @@ DerivedPathsWithInfo InstallableAttrPath::toDerivedPaths()
     for (auto & [drvPath, outputs] : byDrvPath)
         res.push_back({
             .path = DerivedPath::Built {
-                .drvPath = drvPath,
+                .drvPath = makeConstantStorePathRef(drvPath),
                 .outputs = outputs,
             },
             .info = make_ref<ExtraPathInfoValue>(ExtraPathInfoValue::Value {
+                .extendedOutputsSpec = outputs,
                 /* FIXME: reconsider backwards compatibility above
                    so we can fill in this info. */
             }),
@@ -114,7 +115,7 @@ InstallableAttrPath InstallableAttrPath::parse(
     return {
         state, cmd, v,
         prefix == "." ? "" : std::string { prefix },
-        extendedOutputsSpec
+        std::move(extendedOutputsSpec),
     };
 }
 

src/libcmd/installable-derived-path.cc

@@ -18,14 +18,7 @@ DerivedPathsWithInfo InstallableDerivedPath::toDerivedPaths()
 
 std::optional<StorePath> InstallableDerivedPath::getStorePath()
 {
-    return std::visit(overloaded {
-        [&](const DerivedPath::Built & bfd) {
-            return bfd.drvPath;
-        },
-        [&](const DerivedPath::Opaque & bo) {
-            return bo.path;
-        },
-    }, derivedPath.raw());
+    return derivedPath.getBaseStorePath();
 }
 
 InstallableDerivedPath InstallableDerivedPath::parse(
@@ -42,7 +35,7 @@ InstallableDerivedPath InstallableDerivedPath::parse(
             // Remove this prior to stabilizing the new CLI.
             if (storePath.isDerivation()) {
                 auto oldDerivedPath = DerivedPath::Built {
-                    .drvPath = storePath,
+                    .drvPath = makeConstantStorePathRef(storePath),
                     .outputs = OutputsSpec::All { },
                 };
                 warn(
@@ -55,12 +48,14 @@ InstallableDerivedPath InstallableDerivedPath::parse(
         },
         // If the user did use ^, we just do exactly what is written.
         [&](const ExtendedOutputsSpec::Explicit & outputSpec) -> DerivedPath {
+            auto drv = make_ref<SingleDerivedPath>(SingleDerivedPath::parse(*store, prefix));
+            drvRequireExperiment(*drv);
             return DerivedPath::Built {
-                .drvPath = store->parseStorePath(prefix),
+                .drvPath = std::move(drv),
                 .outputs = outputSpec,
             };
         },
-    }, extendedOutputsSpec.raw());
+    }, extendedOutputsSpec.raw);
     return InstallableDerivedPath {
         store,
         std::move(derivedPath),

src/libcmd/installable-flake.cc

@@ -118,7 +118,7 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()
 
     return {{
         .path = DerivedPath::Built {
-            .drvPath = std::move(drvPath),
+            .drvPath = makeConstantStorePathRef(std::move(drvPath)),
             .outputs = std::visit(overloaded {
                 [&](const ExtendedOutputsSpec::Default & d) -> OutputsSpec {
                     std::set<std::string> outputsToInstall;
@@ -141,7 +141,7 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()
                 [&](const ExtendedOutputsSpec::Explicit & e) -> OutputsSpec {
                     return e;
                 },
-            }, extendedOutputsSpec.raw()),
+            }, extendedOutputsSpec.raw),
         },
         .info = make_ref<ExtraPathInfoFlake>(
             ExtraPathInfoValue::Value {
@@ -151,7 +151,7 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()
             },
             ExtraPathInfoFlake::Flake {
                 .originalRef = flakeRef,
-                .resolvedRef = getLockedFlake()->flake.lockedRef,
+                .lockedRef = getLockedFlake()->flake.lockedRef,
             }),
     }};
 }

src/libcmd/installable-flake.hh

@@ -19,7 +19,7 @@ struct ExtraPathInfoFlake : ExtraPathInfoValue
      */
     struct Flake {
         FlakeRef originalRef;
-        FlakeRef resolvedRef;
+        FlakeRef lockedRef;
     };
 
     Flake flake;

src/libcmd/installable-value.cc

@@ -55,7 +55,8 @@ std::optional<DerivedPathWithInfo> InstallableValue::trySinglePathToDerivedPaths
 
     else if (v.type() == nString) {
         return {{
-            .path = state->coerceToDerivedPath(pos, v, errorCtx),
+            .path = DerivedPath::fromSingle(
+                state->coerceToSingleDerivedPath(pos, v, errorCtx)),
             .info = make_ref<ExtraPathInfo>(),
         }};
     }

src/libcmd/installables.cc

@@ -11,6 +11,7 @@
 #include "derivations.hh"
 #include "eval-inline.hh"
 #include "eval.hh"
+#include "eval-settings.hh"
 #include "get-drvs.hh"
 #include "store-api.hh"
 #include "shared.hh"
@@ -458,7 +459,7 @@ Installables SourceExprCommand::parseInstallables(
             result.push_back(
                 make_ref<InstallableAttrPath>(
                     InstallableAttrPath::parse(
-                        state, *this, vFile, prefix, extendedOutputsSpec)));
+                        state, *this, vFile, std::move(prefix), std::move(extendedOutputsSpec))));
         }
 
     } else {
@@ -474,7 +475,7 @@ Installables SourceExprCommand::parseInstallables(
             if (prefix.find('/') != std::string::npos) {
                 try {
                     result.push_back(make_ref<InstallableDerivedPath>(
-                        InstallableDerivedPath::parse(store, prefix, extendedOutputsSpec)));
+                        InstallableDerivedPath::parse(store, prefix, extendedOutputsSpec.raw)));
                     continue;
                 } catch (BadStorePath &) {
                 } catch (...) {
@@ -490,7 +491,7 @@ Installables SourceExprCommand::parseInstallables(
                         getEvalState(),
                         std::move(flakeRef),
                         fragment,
-                        extendedOutputsSpec,
+                        std::move(extendedOutputsSpec),
                         getDefaultFlakeAttrPaths(),
                         getDefaultFlakeAttrPathPrefixes(),
                         lockFlags));
@@ -514,6 +515,30 @@ ref<Installable> SourceExprCommand::parseInstallable(
     return installables.front();
 }
 
+static SingleBuiltPath getBuiltPath(ref<Store> evalStore, ref<Store> store, const SingleDerivedPath & b)
+{
+    return std::visit(
+        overloaded{
+            [&](const SingleDerivedPath::Opaque & bo) -> SingleBuiltPath {
+                return SingleBuiltPath::Opaque { bo.path };
+            },
+            [&](const SingleDerivedPath::Built & bfd) -> SingleBuiltPath {
+                auto drvPath = getBuiltPath(evalStore, store, *bfd.drvPath);
+                // Resolving this instead of `bfd` will yield the same result, but avoid duplicative work.
+                SingleDerivedPath::Built truncatedBfd {
+                    .drvPath = makeConstantStorePathRef(drvPath.outPath()),
+                    .output = bfd.output,
+                };
+                auto outputPath = resolveDerivedPath(*store, truncatedBfd, &*evalStore);
+                return SingleBuiltPath::Built {
+                    .drvPath = make_ref<SingleBuiltPath>(std::move(drvPath)),
+                    .output = { bfd.output, outputPath },
+                };
+            },
+        },
+        b.raw());
+}
+
 std::vector<BuiltPathWithResult> Installable::build(
     ref<Store> evalStore,
     ref<Store> store,
@@ -567,7 +592,10 @@ std::vector<std::pair<ref<Installable>, BuiltPathWithResult>> Installable::build
                     [&](const DerivedPath::Built & bfd) {
                         auto outputs = resolveDerivedPath(*store, bfd, &*evalStore);
                         res.push_back({aux.installable, {
-                            .path = BuiltPath::Built { bfd.drvPath, outputs },
+                            .path = BuiltPath::Built {
+                                .drvPath = make_ref<SingleBuiltPath>(getBuiltPath(evalStore, store, *bfd.drvPath)),
+                                .outputs = outputs,
+                             },
                             .info = aux.info}});
                     },
                     [&](const DerivedPath::Opaque & bo) {
@@ -596,7 +624,10 @@ std::vector<std::pair<ref<Installable>, BuiltPathWithResult>> Installable::build
                         for (auto & [outputName, realisation] : buildResult.builtOutputs)
                             outputs.emplace(outputName, realisation.outPath);
                         res.push_back({aux.installable, {
-                            .path = BuiltPath::Built { bfd.drvPath, outputs },
+                            .path = BuiltPath::Built {
+                                .drvPath = make_ref<SingleBuiltPath>(getBuiltPath(evalStore, store, *bfd.drvPath)),
+                                .outputs = outputs,
+                            },
                             .info = aux.info,
                             .result = buildResult}});
                     },
@@ -690,7 +721,7 @@ StorePathSet Installable::toDerivations(
                         : throw Error("argument '%s' did not evaluate to a derivation", i->what()));
                 },
                 [&](const DerivedPath::Built & bfd) {
-                    drvPaths.insert(bfd.drvPath);
+                    drvPaths.insert(resolveDerivedPath(*store, *bfd.drvPath));
                 },
             }, b.path.raw());
 
@@ -701,7 +732,7 @@ RawInstallablesCommand::RawInstallablesCommand()
 {
     addFlag({
         .longName = "stdin",
-        .description = "Read installables from the standard input.",
+        .description = "Read installables from the standard input. No default installable applied.",
         .handler = {&readFromStdIn, true}
     });
 
@@ -730,9 +761,9 @@ void RawInstallablesCommand::run(ref<Store> store)
         while (std::cin >> word) {
             rawInstallables.emplace_back(std::move(word));
         }
+    } else {
+        applyDefaultInstallables(rawInstallables);
     }
-
-    applyDefaultInstallables(rawInstallables);
     run(store, std::move(rawInstallables));
 }
 

src/libcmd/installables.hh

@@ -5,6 +5,7 @@
 #include "path.hh"
 #include "outputs-spec.hh"
 #include "derived-path.hh"
+#include "built-path.hh"
 #include "store-api.hh"
 #include "build-result.hh"
 

src/libcmd/repl.cc

@@ -26,6 +26,7 @@ extern "C" {
 #include "eval.hh"
 #include "eval-cache.hh"
 #include "eval-inline.hh"
+#include "eval-settings.hh"
 #include "attr-path.hh"
 #include "store-api.hh"
 #include "log-store.hh"
@@ -68,7 +69,7 @@ struct NixRepl
 
     const Path historyFile;
 
-    NixRepl(const Strings & searchPath, nix::ref<Store> store,ref<EvalState> state,
+    NixRepl(const SearchPath & searchPath, nix::ref<Store> store,ref<EvalState> state,
             std::function<AnnotatedValues()> getValues);
     virtual ~NixRepl();
 
@@ -104,7 +105,7 @@ std::string removeWhitespace(std::string s)
 }
 
 
-NixRepl::NixRepl(const Strings & searchPath, nix::ref<Store> store, ref<EvalState> state,
+NixRepl::NixRepl(const SearchPath & searchPath, nix::ref<Store> store, ref<EvalState> state,
             std::function<NixRepl::AnnotatedValues()> getValues)
     : AbstractNixRepl(state)
     , debugTraceIndex(0)
@@ -487,35 +488,40 @@ bool NixRepl::processLine(std::string line)
         std::cout
              << "The following commands are available:\n"
              << "\n"
-             << "  <expr>        Evaluate and print expression\n"
-             << "  <x> = <expr>  Bind expression to variable\n"
-             << "  :a <expr>     Add attributes from resulting set to scope\n"
-             << "  :b <expr>     Build a derivation\n"
-             << "  :bl <expr>    Build a derivation, creating GC roots in the working directory\n"
-             << "  :e <expr>     Open package or function in $EDITOR\n"
-             << "  :i <expr>     Build derivation, then install result into current profile\n"
-             << "  :l <path>     Load Nix expression and add it to scope\n"
-             << "  :lf <ref>     Load Nix flake and add it to scope\n"
-             << "  :p <expr>     Evaluate and print expression recursively\n"
-             << "  :q            Exit nix-repl\n"
-             << "  :r            Reload all files\n"
-             << "  :sh <expr>    Build dependencies of derivation, then start nix-shell\n"
-             << "  :t <expr>     Describe result of evaluation\n"
-             << "  :u <expr>     Build derivation, then start nix-shell\n"
-             << "  :doc <expr>   Show documentation of a builtin function\n"
-             << "  :log <expr>   Show logs for a derivation\n"
-             << "  :te [bool]    Enable, disable or toggle showing traces for errors\n"
+             << "  <expr>                       Evaluate and print expression\n"
+             << "  <x> = <expr>                 Bind expression to variable\n"
+             << "  :a, :add <expr>              Add attributes from resulting set to scope\n"
+             << "  :b <expr>                    Build a derivation\n"
+             << "  :bl <expr>                   Build a derivation, creating GC roots in the\n"
+             << "                               working directory\n"
+             << "  :e, :edit <expr>             Open package or function in $EDITOR\n"
+             << "  :i <expr>                    Build derivation, then install result into\n"
+             << "                               current profile\n"
+             << "  :l, :load <path>             Load Nix expression and add it to scope\n"
+             << "  :lf, :load-flake <ref>       Load Nix flake and add it to scope\n"
+             << "  :p, :print <expr>            Evaluate and print expression recursively\n"
+             << "  :q, :quit                    Exit nix-repl\n"
+             << "  :r, :reload                  Reload all files\n"
+             << "  :sh <expr>                   Build dependencies of derivation, then start\n"
+             << "                               nix-shell\n"
+             << "  :t <expr>                    Describe result of evaluation\n"
+             << "  :u <expr>                    Build derivation, then start nix-shell\n"
+             << "  :doc <expr>                  Show documentation of a builtin function\n"
+             << "  :log <expr>                  Show logs for a derivation\n"
+             << "  :te, :trace-enable [bool]    Enable, disable or toggle showing traces for\n"
+             << "                               errors\n"
+             << "  :?, :help                    Brings up this help menu\n"
              ;
         if (state->debugRepl) {
              std::cout
              << "\n"
              << "        Debug mode commands\n"
-             << "  :env          Show env stack\n"
-             << "  :bt           Show trace stack\n"
-             << "  :st           Show current trace\n"
-             << "  :st <idx>     Change to another trace in the stack\n"
-             << "  :c            Go until end of program, exception, or builtins.break\n"
-             << "  :s            Go one step\n"
+             << "  :env             Show env stack\n"
+             << "  :bt, :backtrace  Show trace stack\n"
+             << "  :st              Show current trace\n"
+             << "  :st <idx>        Change to another trace in the stack\n"
+             << "  :c, :continue    Go until end of program, exception, or builtins.break\n"
+             << "  :s, :step        Go one step\n"
              ;
         }
 
@@ -647,7 +653,7 @@ bool NixRepl::processLine(std::string line)
         if (command == ":b" || command == ":bl") {
             state->store->buildPaths({
                 DerivedPath::Built {
-                    .drvPath = drvPath,
+                    .drvPath = makeConstantStorePathRef(drvPath),
                     .outputs = OutputsSpec::All { },
                 },
             });
@@ -1024,7 +1030,7 @@ std::ostream & NixRepl::printValue(std::ostream & str, Value & v, unsigned int m
 
 
 std::unique_ptr<AbstractNixRepl> AbstractNixRepl::create(
-   const Strings & searchPath, nix::ref<Store> store, ref<EvalState> state,
+   const SearchPath & searchPath, nix::ref<Store> store, ref<EvalState> state,
    std::function<AnnotatedValues()> getValues)
 {
     return std::make_unique<NixRepl>(
@@ -1044,7 +1050,7 @@ void AbstractNixRepl::runSimple(
         NixRepl::AnnotatedValues values;
         return values;
     };
-    const Strings & searchPath = {};
+    SearchPath searchPath = {};
     auto repl = std::make_unique<NixRepl>(
             searchPath,
             openStore(),

src/libcmd/repl.hh

@@ -25,7 +25,7 @@ struct AbstractNixRepl
     typedef std::vector<std::pair<Value*,std::string>> AnnotatedValues;
 
     static std::unique_ptr<AbstractNixRepl> create(
-        const Strings & searchPath, nix::ref<Store> store, ref<EvalState> state,
+        const SearchPath & searchPath, nix::ref<Store> store, ref<EvalState> state,
         std::function<AnnotatedValues()> getValues);
 
     static void runSimple(

src/libexpr/eval-cache.cc

@@ -6,6 +6,25 @@
 
 namespace nix::eval_cache {
 
+CachedEvalError::CachedEvalError(ref<EvalState> state, ref<AttrCursor> cursor, Symbol attr)
+    : EvalError("cached failure of attribute '%s'", cursor->getAttrPathStr(attr))
+    , state(state), cursor(cursor), attr(attr)
+{ }
+
+void CachedEvalError::force()
+{
+    auto & v = cursor->forceValue();
+
+    if (v.type() == nAttrs) {
+        auto a = v.attrs->get(this->attr);
+
+        state->forceValue(*a->value, a->pos);
+    }
+
+    // Shouldn't happen.
+    throw EvalError("evaluation of cached failed attribute '%s' unexpectedly succeeded", cursor->getAttrPathStr(attr));
+}
+
 static const char * schema = R"sql(
 create table if not exists Attributes (
     parent      integer not null,
@@ -469,7 +488,7 @@ Suggestions AttrCursor::getSuggestionsForAttr(Symbol name)
     return Suggestions::bestMatches(strAttrNames, root->state.symbols[name]);
 }
 
-std::shared_ptr<AttrCursor> AttrCursor::maybeGetAttr(Symbol name, bool forceErrors)
+std::shared_ptr<AttrCursor> AttrCursor::maybeGetAttr(Symbol name)
 {
     if (root->db) {
         if (!cachedValue)
@@ -486,12 +505,9 @@ std::shared_ptr<AttrCursor> AttrCursor::maybeGetAttr(Symbol name, bool forceErro
                 if (attr) {
                     if (std::get_if<missing_t>(&attr->second))
                         return nullptr;
-                    else if (std::get_if<failed_t>(&attr->second)) {
-                        if (forceErrors)
-                            debug("reevaluating failed cached attribute '%s'", getAttrPathStr(name));
-                        else
-                            throw CachedEvalError("cached failure of attribute '%s'", getAttrPathStr(name));
-                    } else
+                    else if (std::get_if<failed_t>(&attr->second))
+                        throw CachedEvalError(ref(root->state.shared_from_this()), ref(shared_from_this()), name);
+                    else
                         return std::make_shared<AttrCursor>(root,
                             std::make_pair(shared_from_this(), name), nullptr, std::move(attr));
                 }
@@ -536,9 +552,9 @@ std::shared_ptr<AttrCursor> AttrCursor::maybeGetAttr(std::string_view name)
     return maybeGetAttr(root->state.symbols.create(name));
 }
 
-ref<AttrCursor> AttrCursor::getAttr(Symbol name, bool forceErrors)
+ref<AttrCursor> AttrCursor::getAttr(Symbol name)
 {
-    auto p = maybeGetAttr(name, forceErrors);
+    auto p = maybeGetAttr(name);
     if (!p)
         throw Error("attribute '%s' does not exist", getAttrPathStr(name));
     return ref(p);
@@ -549,11 +565,11 @@ ref<AttrCursor> AttrCursor::getAttr(std::string_view name)
     return getAttr(root->state.symbols.create(name));
 }
 
-OrSuggestions<ref<AttrCursor>> AttrCursor::findAlongAttrPath(const std::vector<Symbol> & attrPath, bool force)
+OrSuggestions<ref<AttrCursor>> AttrCursor::findAlongAttrPath(const std::vector<Symbol> & attrPath)
 {
     auto res = shared_from_this();
     for (auto & attr : attrPath) {
-        auto child = res->maybeGetAttr(attr, force);
+        auto child = res->maybeGetAttr(attr);
         if (!child) {
             auto suggestions = res->getSuggestionsForAttr(attr);
             return OrSuggestions<ref<AttrCursor>>::failed(suggestions);
@@ -599,12 +615,12 @@ string_t AttrCursor::getStringWithContext()
                             return d.drvPath;
                         },
                         [&](const NixStringContextElem::Built & b) -> const StorePath & {
-                            return b.drvPath;
+                            return b.drvPath->getBaseStorePath();
                         },
                         [&](const NixStringContextElem::Opaque & o) -> const StorePath & {
                             return o.path;
                         },
-                    }, c.raw());
+                    }, c.raw);
                     if (!root->state.store->isValidPath(path)) {
                         valid = false;
                         break;
@@ -750,7 +766,7 @@ bool AttrCursor::isDerivation()
 
 StorePath AttrCursor::forceDerivation()
 {
-    auto aDrvPath = getAttr(root->state.sDrvPath, true);
+    auto aDrvPath = getAttr(root->state.sDrvPath);
     auto drvPath = root->state.store->parseStorePath(aDrvPath->getString());
     if (!root->state.store->isValidPath(drvPath) && !settings.readOnlyMode) {
         /* The eval cache contains 'drvPath', but the actual path has

src/libexpr/eval-cache.hh

@@ -10,14 +10,29 @@
 
 namespace nix::eval_cache {
 
-MakeError(CachedEvalError, EvalError);
-
 struct AttrDb;
 class AttrCursor;
 
+struct CachedEvalError : EvalError
+{
+    const ref<EvalState> state;
+    const ref<AttrCursor> cursor;
+    const Symbol attr;
+
+    CachedEvalError(ref<EvalState>, ref<AttrCursor> cursor, Symbol attr);
+
+    /**
+     * Evaluate this attribute, which should result in a regular
+     * `EvalError` exception being thrown.
+     */
+    [[noreturn]]
+    void force();
+};
+
 class EvalCache : public std::enable_shared_from_this<EvalCache>
 {
     friend class AttrCursor;
+    friend class CachedEvalError;
 
     std::shared_ptr<AttrDb> db;
     EvalState & state;
@@ -73,6 +88,7 @@ typedef std::variant<
 class AttrCursor : public std::enable_shared_from_this<AttrCursor>
 {
     friend class EvalCache;
+    friend class CachedEvalError;
 
     ref<EvalCache> root;
     typedef std::optional<std::pair<std::shared_ptr<AttrCursor>, Symbol>> Parent;
@@ -102,11 +118,11 @@ public:
 
     Suggestions getSuggestionsForAttr(Symbol name);
 
-    std::shared_ptr<AttrCursor> maybeGetAttr(Symbol name, bool forceErrors = false);
+    std::shared_ptr<AttrCursor> maybeGetAttr(Symbol name);
 
     std::shared_ptr<AttrCursor> maybeGetAttr(std::string_view name);
 
-    ref<AttrCursor> getAttr(Symbol name, bool forceErrors = false);
+    ref<AttrCursor> getAttr(Symbol name);
 
     ref<AttrCursor> getAttr(std::string_view name);
 
@@ -114,7 +130,7 @@ public:
      * Get an attribute along a chain of attrsets. Note that this does
      * not auto-call functors or functions.
      */
-    OrSuggestions<ref<AttrCursor>> findAlongAttrPath(const std::vector<Symbol> & attrPath, bool force = false);
+    OrSuggestions<ref<AttrCursor>> findAlongAttrPath(const std::vector<Symbol> & attrPath);
 
     std::string getString();
 

src/libexpr/eval-settings.cc

@@ -0,0 +1,102 @@
+#include "globals.hh"
+#include "profiles.hh"
+#include "eval.hh"
+#include "eval-settings.hh"
+
+namespace nix {
+
+/* Very hacky way to parse $NIX_PATH, which is colon-separated, but
+   can contain URLs (e.g. "nixpkgs=https://bla...:foo=https://"). */
+static Strings parseNixPath(const std::string & s)
+{
+    Strings res;
+
+    auto p = s.begin();
+
+    while (p != s.end()) {
+        auto start = p;
+        auto start2 = p;
+
+        while (p != s.end() && *p != ':') {
+            if (*p == '=') start2 = p + 1;
+            ++p;
+        }
+
+        if (p == s.end()) {
+            if (p != start) res.push_back(std::string(start, p));
+            break;
+        }
+
+        if (*p == ':') {
+            auto prefix = std::string(start2, s.end());
+            if (EvalSettings::isPseudoUrl(prefix) || hasPrefix(prefix, "flake:")) {
+                ++p;
+                while (p != s.end() && *p != ':') ++p;
+            }
+            res.push_back(std::string(start, p));
+            if (p == s.end()) break;
+        }
+
+        ++p;
+    }
+
+    return res;
+}
+
+EvalSettings::EvalSettings()
+{
+    auto var = getEnv("NIX_PATH");
+    if (var) nixPath = parseNixPath(*var);
+}
+
+Strings EvalSettings::getDefaultNixPath()
+{
+    Strings res;
+    auto add = [&](const Path & p, const std::string & s = std::string()) {
+        if (pathAccessible(p)) {
+            if (s.empty()) {
+                res.push_back(p);
+            } else {
+                res.push_back(s + "=" + p);
+            }
+        }
+    };
+
+    if (!evalSettings.restrictEval && !evalSettings.pureEval) {
+        add(getNixDefExpr() + "/channels");
+        add(rootChannelsDir() + "/nixpkgs", "nixpkgs");
+        add(rootChannelsDir());
+    }
+
+    return res;
+}
+
+bool EvalSettings::isPseudoUrl(std::string_view s)
+{
+    if (s.compare(0, 8, "channel:") == 0) return true;
+    size_t pos = s.find("://");
+    if (pos == std::string::npos) return false;
+    std::string scheme(s, 0, pos);
+    return scheme == "http" || scheme == "https" || scheme == "file" || scheme == "channel" || scheme == "git" || scheme == "s3" || scheme == "ssh";
+}
+
+std::string EvalSettings::resolvePseudoUrl(std::string_view url)
+{
+    if (hasPrefix(url, "channel:"))
+        return "https://nixos.org/channels/" + std::string(url.substr(8)) + "/nixexprs.tar.xz";
+    else
+        return std::string(url);
+}
+
+EvalSettings evalSettings;
+
+static GlobalConfig::Register rEvalSettings(&evalSettings);
+
+Path getNixDefExpr()
+{
+    return settings.useXDGBaseDirectories
+        ? getStateDir() + "/nix/defexpr"
+        : getHome() + "/.nix-defexpr";
+}
+
+}

src/libexpr/eval-settings.hh

@@ -0,0 +1,103 @@
+#pragma once
+#include "config.hh"
+
+namespace nix {
+
+struct EvalSettings : Config
+{
+    EvalSettings();
+
+    static Strings getDefaultNixPath();
+
+    static bool isPseudoUrl(std::string_view s);
+
+    static std::string resolvePseudoUrl(std::string_view url);
+
+    Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
+        "Whether builtin functions that allow executing native code should be enabled."};
+
+    Setting<Strings> nixPath{
+        this, getDefaultNixPath(), "nix-path",
+        R"(
+          List of directories to be searched for `<...>` file references
+
+          In particular, outside of [pure evaluation mode](#conf-pure-eval), this determines the value of
+          [`builtins.nixPath`](@docroot@/language/builtin-constants.md#builtins-nixPath).
+        )"};
+
+    Setting<bool> restrictEval{
+        this, false, "restrict-eval",
+        R"(
+          If set to `true`, the Nix evaluator will not allow access to any
+          files outside of the Nix search path (as set via the `NIX_PATH`
+          environment variable or the `-I` option), or to URIs outside of
+          [`allowed-uris`](../command-ref/conf-file.md#conf-allowed-uris).
+          The default is `false`.
+        )"};
+
+    Setting<bool> pureEval{this, false, "pure-eval",
+        R"(
+          Pure evaluation mode ensures that the result of Nix expressions is fully determined by explicitly declared inputs, and not influenced by external state:
+
+          - Restrict file system and network access to files specified by cryptographic hash
+          - Disable [`bultins.currentSystem`](@docroot@/language/builtin-constants.md#builtins-currentSystem) and [`builtins.currentTime`](@docroot@/language/builtin-constants.md#builtins-currentTime)
+        )"
+        };
+
+    Setting<bool> enableImportFromDerivation{
+        this, true, "allow-import-from-derivation",
+        R"(
+          By default, Nix allows you to `import` from a derivation, allowing
+          building at evaluation time. With this option set to false, Nix will
+          throw an error when evaluating an expression that uses this feature,
+          allowing users to ensure their evaluation will not require any
+          builds to take place.
+        )"};
+
+    Setting<Strings> allowedUris{this, {}, "allowed-uris",
+        R"(
+          A list of URI prefixes to which access is allowed in restricted
+          evaluation mode. For example, when set to
+          `https://github.com/NixOS`, builtin functions such as `fetchGit` are
+          allowed to access `https://github.com/NixOS/patchelf.git`.
+        )"};
+
+    Setting<bool> traceFunctionCalls{this, false, "trace-function-calls",
+        R"(
+          If set to `true`, the Nix evaluator will trace every function call.
+          Nix will print a log message at the "vomit" level for every function
+          entrance and function exit.
+
+              function-trace entered undefined position at 1565795816999559622
+              function-trace exited undefined position at 1565795816999581277
+              function-trace entered /nix/store/.../example.nix:226:41 at 1565795253249935150
+              function-trace exited /nix/store/.../example.nix:226:41 at 1565795253249941684
+
+          The `undefined position` means the function call is a builtin.
+
+          Use the `contrib/stack-collapse.py` script distributed with the Nix
+          source code to convert the trace logs in to a format suitable for
+          `flamegraph.pl`.
+        )"};
+
+    Setting<bool> useEvalCache{this, true, "eval-cache",
+        "Whether to use the flake evaluation cache."};
+
+    Setting<bool> ignoreExceptionsDuringTry{this, false, "ignore-try",
+        R"(
+          If set to true, ignore exceptions inside 'tryEval' calls when evaluating nix expressions in
+          debug mode (using the --debugger flag). By default the debugger will pause on all exceptions.
+        )"};
+
+    Setting<bool> traceVerbose{this, false, "trace-verbose",
+        "Whether `builtins.traceVerbose` should trace its first argument when evaluated."};
+};
+
+extern EvalSettings evalSettings;
+
+/**
+ * Conventionally part of the default nix path in impure mode.
+ */
+Path getNixDefExpr();
+
+}

src/libexpr/eval.cc

@@ -1,4 +1,5 @@
 #include "eval.hh"
+#include "eval-settings.hh"
 #include "hash.hh"
 #include "types.hh"
 #include "util.hh"
@@ -95,11 +96,16 @@ RootValue allocRootValue(Value * v)
 #endif
 }
 
-void Value::print(const SymbolTable & symbols, std::ostream & str,
-    std::set<const void *> * seen) const
+void Value::print(const SymbolTable &symbols, std::ostream &str,
+                  std::set<const void *> *seen, int depth) const
+
 {
     checkInterrupt();
 
+    if (depth <= 0) {
+        str << "«too deep»";
+        return;
+    }
     switch (internalType) {
     case tInt:
         str << integer;
@@ -123,7 +129,7 @@ void Value::print(const SymbolTable & symbols, std::ostream & str,
             str << "{ ";
             for (auto & i : attrs->lexicographicOrder(symbols)) {
                 str << symbols[i->name] << " = ";
-                i->value->print(symbols, str, seen);
+                i->value->print(symbols, str, seen, depth - 1);
                 str << "; ";
             }
             str << "}";
@@ -139,7 +145,7 @@ void Value::print(const SymbolTable & symbols, std::ostream & str,
             str << "[ ";
             for (auto v2 : listItems()) {
                 if (v2)
-                    v2->print(symbols, str, seen);
+                    v2->print(symbols, str, seen, depth - 1);
                 else
                     str << "(nullptr)";
                 str << " ";
@@ -181,11 +187,10 @@ void Value::print(const SymbolTable & symbols, std::ostream & str,
     }
 }
 
-
-void Value::print(const SymbolTable & symbols, std::ostream & str, bool showRepeated) const
-{
+void Value::print(const SymbolTable &symbols, std::ostream &str,
+                  bool showRepeated, int depth) const {
     std::set<const void *> seen;
-    print(symbols, str, showRepeated ? nullptr : &seen);
+    print(symbols, str, showRepeated ? nullptr : &seen, depth);
 }
 
 // Pretty print types for assertion errors
@@ -211,20 +216,21 @@ const Value * getPrimOp(const Value &v) {
     return primOp;
 }
 
-std::string_view showType(ValueType type)
+std::string_view showType(ValueType type, bool withArticle)
 {
+    #define WA(a, w) withArticle ? a " " w : w
     switch (type) {
-        case nInt: return "an integer";
-        case nBool: return "a Boolean";
-        case nString: return "a string";
-        case nPath: return "a path";
+        case nInt: return WA("an", "integer");
+        case nBool: return WA("a", "Boolean");
+        case nString: return WA("a", "string");
+        case nPath: return WA("a", "path");
         case nNull: return "null";
-        case nAttrs: return "a set";
-        case nList: return "a list";
-        case nFunction: return "a function";
-        case nExternal: return "an external value";
-        case nFloat: return "a float";
-        case nThunk: return "a thunk";
+        case nAttrs: return WA("a", "set");
+        case nList: return WA("a", "list");
+        case nFunction: return WA("a", "function");
+        case nExternal: return WA("an", "external value");
+        case nFloat: return WA("a", "float");
+        case nThunk: return WA("a", "thunk");
     }
     abort();
 }
@@ -415,44 +421,6 @@ void initGC()
 }
 
 
-/* Very hacky way to parse $NIX_PATH, which is colon-separated, but
-   can contain URLs (e.g. "nixpkgs=https://bla...:foo=https://"). */
-static Strings parseNixPath(const std::string & s)
-{
-    Strings res;
-
-    auto p = s.begin();
-
-    while (p != s.end()) {
-        auto start = p;
-        auto start2 = p;
-
-        while (p != s.end() && *p != ':') {
-            if (*p == '=') start2 = p + 1;
-            ++p;
-        }
-
-        if (p == s.end()) {
-            if (p != start) res.push_back(std::string(start, p));
-            break;
-        }
-
-        if (*p == ':') {
-            auto prefix = std::string(start2, s.end());
-            if (EvalSettings::isPseudoUrl(prefix) || hasPrefix(prefix, "flake:")) {
-                ++p;
-                while (p != s.end() && *p != ':') ++p;
-            }
-            res.push_back(std::string(start, p));
-            if (p == s.end()) break;
-        }
-
-        ++p;
-    }
-
-    return res;
-}
-
 ErrorBuilder & ErrorBuilder::atPos(PosIdx pos)
 {
     info.errPos = state.positions[pos];
@@ -493,7 +461,7 @@ ErrorBuilder & ErrorBuilder::withFrame(const Env & env, const Expr & expr)
 
 
 EvalState::EvalState(
-    const Strings & _searchPath,
+    const SearchPath & _searchPath,
     ref<Store> store,
     std::shared_ptr<Store> buildStore)
     : sWith(symbols.create("<with>"))
@@ -558,30 +526,32 @@ EvalState::EvalState(
 
     /* Initialise the Nix expression search path. */
     if (!evalSettings.pureEval) {
-        for (auto & i : _searchPath) addToSearchPath(i);
-        for (auto & i : evalSettings.nixPath.get()) addToSearchPath(i);
+        for (auto & i : _searchPath.elements)
+            searchPath.elements.emplace_back(SearchPath::Elem {i});
+        for (auto & i : evalSettings.nixPath.get())
+            searchPath.elements.emplace_back(SearchPath::Elem::parse(i));
     }
 
     if (evalSettings.restrictEval || evalSettings.pureEval) {
         allowedPaths = PathSet();
 
-        for (auto & i : searchPath) {
-            auto r = resolveSearchPathElem(i);
-            if (!r.first) continue;
+        for (auto & i : searchPath.elements) {
+            auto r = resolveSearchPathPath(i.path);
+            if (!r) continue;
 
-            auto path = r.second;
+            auto path = *std::move(r);
 
-            if (store->isInStore(r.second)) {
+            if (store->isInStore(path)) {
                 try {
                     StorePathSet closure;
-                    store->computeFSClosure(store->toStorePath(r.second).first, closure);
+                    store->computeFSClosure(store->toStorePath(path).first, closure);
                     for (auto & path : closure)
                         allowPath(path);
                 } catch (InvalidPath &) {
-                    allowPath(r.second);
+                    allowPath(path);
                 }
             } else
-                allowPath(r.second);
+                allowPath(path);
         }
     }
 
@@ -702,28 +672,34 @@ Path EvalState::toRealPath(const Path & path, const NixStringContext & context)
 }
 
 
-Value * EvalState::addConstant(const std::string & name, Value & v)
+Value * EvalState::addConstant(const std::string & name, Value & v, Constant info)
 {
     Value * v2 = allocValue();
     *v2 = v;
-    addConstant(name, v2);
+    addConstant(name, v2, info);
     return v2;
 }
 
 
-void EvalState::addConstant(const std::string & name, Value * v)
+void EvalState::addConstant(const std::string & name, Value * v, Constant info)
 {
-    staticBaseEnv->vars.emplace_back(symbols.create(name), baseEnvDispl);
-    baseEnv.values[baseEnvDispl++] = v;
     auto name2 = name.substr(0, 2) == "__" ? name.substr(2) : name;
-    baseEnv.values[0]->attrs->push_back(Attr(symbols.create(name2), v));
-}
 
+    constantInfos.push_back({name2, info});
 
-Value * EvalState::addPrimOp(const std::string & name,
-    size_t arity, PrimOpFun primOp)
-{
-    return addPrimOp(PrimOp { .fun = primOp, .arity = arity, .name = name });
+    if (!(evalSettings.pureEval && info.impureOnly)) {
+        /* Check the type, if possible.
+
+           We might know the type of a thunk in advance, so be allowed
+           to just write it down in that case. */
+        if (auto gotType = v->type(true); gotType != nThunk)
+            assert(info.type == gotType);
+
+        /* Install value the base environment. */
+        staticBaseEnv->vars.emplace_back(symbols.create(name), baseEnvDispl);
+        baseEnv.values[baseEnvDispl++] = v;
+        baseEnv.values[0]->attrs->push_back(Attr(symbols.create(name2), v));
+    }
 }
 
 
@@ -737,7 +713,10 @@ Value * EvalState::addPrimOp(PrimOp && primOp)
         vPrimOp->mkPrimOp(new PrimOp(primOp));
         Value v;
         v.mkApp(vPrimOp, vPrimOp);
-        return addConstant(primOp.name, v);
+        return addConstant(primOp.name, v, {
+            .type = nThunk, // FIXME
+            .doc = primOp.doc,
+        });
     }
 
     auto envName = symbols.create(primOp.name);
@@ -763,13 +742,13 @@ std::optional<EvalState::Doc> EvalState::getDoc(Value & v)
 {
     if (v.isPrimOp()) {
         auto v2 = &v;
-        if (v2->primOp->doc)
+        if (auto * doc = v2->primOp->doc)
             return Doc {
                 .pos = {},
                 .name = v2->primOp->name,
                 .arity = v2->primOp->arity,
                 .args = v2->primOp->args,
-                .doc = v2->primOp->doc,
+                .doc = doc,
             };
     }
     return {};
@@ -1048,23 +1027,67 @@ void EvalState::mkStorePathString(const StorePath & p, Value & v)
 }
 
 
+std::string EvalState::mkOutputStringRaw(
+    const SingleDerivedPath::Built & b,
+    std::optional<StorePath> optStaticOutputPath,
+    const ExperimentalFeatureSettings & xpSettings)
+{
+    /* In practice, this is testing for the case of CA derivations, or
+       dynamic derivations. */
+    return optStaticOutputPath
+        ? store->printStorePath(*std::move(optStaticOutputPath))
+        /* Downstream we would substitute this for an actual path once
+           we build the floating CA derivation */
+        : DownstreamPlaceholder::fromSingleDerivedPathBuilt(b, xpSettings).render();
+}
+
+
 void EvalState::mkOutputString(
     Value & value,
-    const StorePath & drvPath,
-    const std::string outputName,
-    std::optional<StorePath> optOutputPath)
+    const SingleDerivedPath::Built & b,
+    std::optional<StorePath> optStaticOutputPath,
+    const ExperimentalFeatureSettings & xpSettings)
 {
     value.mkString(
-        optOutputPath
-            ? store->printStorePath(*std::move(optOutputPath))
-            /* Downstream we would substitute this for an actual path once
-               we build the floating CA derivation */
-            : DownstreamPlaceholder::unknownCaOutput(drvPath, outputName).render(),
+        mkOutputStringRaw(b, optStaticOutputPath, xpSettings),
+        NixStringContext { b });
+}
+
+
+std::string EvalState::mkSingleDerivedPathStringRaw(
+    const SingleDerivedPath & p)
+{
+    return std::visit(overloaded {
+        [&](const SingleDerivedPath::Opaque & o) {
+            return store->printStorePath(o.path);
+        },
+        [&](const SingleDerivedPath::Built & b) {
+            auto optStaticOutputPath = std::visit(overloaded {
+                [&](const SingleDerivedPath::Opaque & o) {
+                    auto drv = store->readDerivation(o.path);
+                    auto i = drv.outputs.find(b.output);
+                    if (i == drv.outputs.end())
+                        throw Error("derivation '%s' does not have output '%s'", b.drvPath->to_string(*store), b.output);
+                    return i->second.path(*store, drv.name, b.output);
+                },
+                [&](const SingleDerivedPath::Built & o) -> std::optional<StorePath> {
+                    return std::nullopt;
+                },
+            }, b.drvPath->raw());
+            return mkOutputStringRaw(b, optStaticOutputPath);
+        }
+    }, p.raw());
+}
+
+
+void EvalState::mkSingleDerivedPathString(
+    const SingleDerivedPath & p,
+    Value & v)
+{
+    v.mkString(
+        mkSingleDerivedPathStringRaw(p),
         NixStringContext {
-            NixStringContextElem::Built {
-                .drvPath = drvPath,
-                .output = outputName,
-            }
+            std::visit([](auto && v) -> NixStringContextElem { return v; }, p),
         });
 }
 
@@ -2319,7 +2342,7 @@ StorePath EvalState::coerceToStorePath(const PosIdx pos, Value & v, NixStringCon
 }
 
 
-std::pair<DerivedPath, std::string_view> EvalState::coerceToDerivedPathUnchecked(const PosIdx pos, Value & v, std::string_view errorCtx)
+std::pair<SingleDerivedPath, std::string_view> EvalState::coerceToSingleDerivedPathUnchecked(const PosIdx pos, Value & v, std::string_view errorCtx)
 {
     NixStringContext context;
     auto s = forceString(v, context, pos, errorCtx);
@@ -2330,23 +2353,18 @@ std::pair<DerivedPath, std::string_view> EvalState::coerceToDerivedPathUnchecked
             s, csize)
             .withTrace(pos, errorCtx).debugThrow<EvalError>();
     auto derivedPath = std::visit(overloaded {
-        [&](NixStringContextElem::Opaque && o) -> DerivedPath {
-            return DerivedPath::Opaque {
-                .path = std::move(o.path),
-            };
+        [&](NixStringContextElem::Opaque && o) -> SingleDerivedPath {
+            return std::move(o);
         },
-        [&](NixStringContextElem::DrvDeep &&) -> DerivedPath {
+        [&](NixStringContextElem::DrvDeep &&) -> SingleDerivedPath {
             error(
                 "string '%s' has a context which refers to a complete source and binary closure. This is not supported at this time",
                 s).withTrace(pos, errorCtx).debugThrow<EvalError>();
         },
-        [&](NixStringContextElem::Built && b) -> DerivedPath {
-            return DerivedPath::Built {
-                .drvPath = std::move(b.drvPath),
-                .outputs = OutputsSpec::Names { std::move(b.output) },
-            };
+        [&](NixStringContextElem::Built && b) -> SingleDerivedPath {
+            return std::move(b);
         },
-    }, ((NixStringContextElem &&) *context.begin()).raw());
+    }, ((NixStringContextElem &&) *context.begin()).raw);
     return {
         std::move(derivedPath),
         std::move(s),
@@ -2354,41 +2372,29 @@ std::pair<DerivedPath, std::string_view> EvalState::coerceToDerivedPathUnchecked
 }
 
 
-DerivedPath EvalState::coerceToDerivedPath(const PosIdx pos, Value & v, std::string_view errorCtx)
+SingleDerivedPath EvalState::coerceToSingleDerivedPath(const PosIdx pos, Value & v, std::string_view errorCtx)
 {
-    auto [derivedPath, s_] = coerceToDerivedPathUnchecked(pos, v, errorCtx);
+    auto [derivedPath, s_] = coerceToSingleDerivedPathUnchecked(pos, v, errorCtx);
     auto s = s_;
-    std::visit(overloaded {
-        [&](const DerivedPath::Opaque & o) {
-            auto sExpected = store->printStorePath(o.path);
-            if (s != sExpected)
+    auto sExpected = mkSingleDerivedPathStringRaw(derivedPath);
+    if (s != sExpected) {
+        /* `std::visit` is used here just to provide a more precise
+           error message. */
+        std::visit(overloaded {
+            [&](const SingleDerivedPath::Opaque & o) {
                 error(
                     "path string '%s' has context with the different path '%s'",
                     s, sExpected)
                     .withTrace(pos, errorCtx).debugThrow<EvalError>();
-        },
-        [&](const DerivedPath::Built & b) {
-            // TODO need derived path with single output to make this
-            // total. Will add as part of RFC 92 work and then this is
-            // cleaned up.
-            auto output = *std::get<OutputsSpec::Names>(b.outputs).begin();
-
-            auto drv = store->readDerivation(b.drvPath);
-            auto i = drv.outputs.find(output);
-            if (i == drv.outputs.end())
-                throw Error("derivation '%s' does not have output '%s'", store->printStorePath(b.drvPath), output);
-            auto optOutputPath = i->second.path(*store, drv.name, output);
-            // This is testing for the case of CA derivations
-            auto sExpected = optOutputPath
-                ? store->printStorePath(*optOutputPath)
-                : DownstreamPlaceholder::unknownCaOutput(b.drvPath, output).render();
-            if (s != sExpected)
+            },
+            [&](const SingleDerivedPath::Built & b) {
                 error(
                     "string '%s' has context with the output '%s' from derivation '%s', but the string is not the right placeholder for this derivation output. It should be '%s'",
-                    s, output, store->printStorePath(b.drvPath), sExpected)
+                    s, b.output, b.drvPath->to_string(*store), sExpected)
                     .withTrace(pos, errorCtx).debugThrow<EvalError>();
-        }
-    }, derivedPath.raw());
+            }
+        }, derivedPath.raw());
+    }
     return derivedPath;
 }
 
@@ -2610,54 +2616,4 @@ std::ostream & operator << (std::ostream & str, const ExternalValueBase & v) {
 }
 
 
-EvalSettings::EvalSettings()
-{
-    auto var = getEnv("NIX_PATH");
-    if (var) nixPath = parseNixPath(*var);
-}
-
-Strings EvalSettings::getDefaultNixPath()
-{
-    Strings res;
-    auto add = [&](const Path & p, const std::string & s = std::string()) {
-        if (pathAccessible(p)) {
-            if (s.empty()) {
-                res.push_back(p);
-            } else {
-                res.push_back(s + "=" + p);
-            }
-        }
-    };
-
-    if (!evalSettings.restrictEval && !evalSettings.pureEval) {
-        add(settings.useXDGBaseDirectories ? getStateDir() + "/nix/defexpr/channels" : getHome() + "/.nix-defexpr/channels");
-        add(rootChannelsDir() + "/nixpkgs", "nixpkgs");
-        add(rootChannelsDir());
-    }
-
-    return res;
-}
-
-bool EvalSettings::isPseudoUrl(std::string_view s)
-{
-    if (s.compare(0, 8, "channel:") == 0) return true;
-    size_t pos = s.find("://");
-    if (pos == std::string::npos) return false;
-    std::string scheme(s, 0, pos);
-    return scheme == "http" || scheme == "https" || scheme == "file" || scheme == "channel" || scheme == "git" || scheme == "s3" || scheme == "ssh";
-}
-
-std::string EvalSettings::resolvePseudoUrl(std::string_view url)
-{
-    if (hasPrefix(url, "channel:"))
-        return "https://nixos.org/channels/" + std::string(url.substr(8)) + "/nixexprs.tar.xz";
-    else
-        return std::string(url);
-}
-
-EvalSettings evalSettings;
-
-static GlobalConfig::Register rEvalSettings(&evalSettings);
-
-
 }

src/libexpr/eval.hh

@@ -9,6 +9,7 @@
 #include "config.hh"
 #include "experimental-features.hh"
 #include "input-accessor.hh"
+#include "search-path.hh"
 
 #include <map>
 #include <optional>
@@ -21,19 +22,76 @@ namespace nix {
 class Store;
 class EvalState;
 class StorePath;
-struct DerivedPath;
+struct SingleDerivedPath;
 enum RepairFlag : bool;
 
 
+/**
+ * Function that implements a primop.
+ */
 typedef void (* PrimOpFun) (EvalState & state, const PosIdx pos, Value * * args, Value & v);
 
+/**
+ * Info about a primitive operation, and its implementation
+ */
 struct PrimOp
 {
-    PrimOpFun fun;
-    size_t arity;
+    /**
+     * Name of the primop. `__` prefix is treated specially.
+     */
     std::string name;
+
+    /**
+     * Names of the parameters of a primop, for primops that take a
+     * fixed number of arguments to be substituted for these parameters.
+     */
     std::vector<std::string> args;
+
+    /**
+     * Aritiy of the primop.
+     *
+     * If `args` is not empty, this field will be computed from that
+     * field instead, so it doesn't need to be manually set.
+     */
+    size_t arity = 0;
+
+    /**
+     * Optional free-form documentation about the primop.
+     */
     const char * doc = nullptr;
+
+    /**
+     * Implementation of the primop.
+     */
+    PrimOpFun fun;
+
+    /**
+     * Optional experimental for this to be gated on.
+     */
+    std::optional<ExperimentalFeature> experimentalFeature;
+};
+
+/**
+ * Info about a constant
+ */
+struct Constant
+{
+    /**
+     * Optional type of the constant (known since it is a fixed value).
+     *
+     * @todo we should use an enum for this.
+     */
+    ValueType type = nThunk;
+
+    /**
+     * Optional free-form documentation about the constant.
+     */
+    const char * doc = nullptr;
+
+    /**
+     * Whether the constant is impure, and not available in pure mode.
+     */
+    bool impureOnly = false;
 };
 
 #if HAVE_BOEHMGC
@@ -65,11 +123,6 @@ std::string printValue(const EvalState & state, const Value & v);
 std::ostream & operator << (std::ostream & os, const ValueType t);
 
 
-// FIXME: maybe change this to an std::variant<SourcePath, URL>.
-typedef std::pair<std::string, std::string> SearchPathElem;
-typedef std::list<SearchPathElem> SearchPath;
-
-
 /**
  * Initialise the Boehm GC, if applicable.
  */
@@ -256,7 +309,7 @@ private:
 
     SearchPath searchPath;
 
-    std::map<std::string, std::pair<bool, std::string>> searchPathResolved;
+    std::map<std::string, std::optional<std::string>> searchPathResolved;
 
     /**
      * Cache used by checkSourcePath().
@@ -283,13 +336,11 @@ private:
 public:
 
     EvalState(
-        const Strings & _searchPath,
+        const SearchPath & _searchPath,
         ref<Store> store,
         std::shared_ptr<Store> buildStore = nullptr);
     ~EvalState();
 
-    void addToSearchPath(const std::string & s);
-
     SearchPath getSearchPath() { return searchPath; }
 
     /**
@@ -370,12 +421,16 @@ public:
      * Look up a file in the search path.
      */
     SourcePath findFile(const std::string_view path);
-    SourcePath findFile(SearchPath & searchPath, const std::string_view path, const PosIdx pos = noPos);
+    SourcePath findFile(const SearchPath & searchPath, const std::string_view path, const PosIdx pos = noPos);
 
     /**
+     * Try to resolve a search path value (not the optinal key part)
+     *
      * If the specified search path element is a URI, download it.
+     *
+     * If it is not found, return `std::nullopt`
      */
-    std::pair<bool, std::string> resolveSearchPathElem(const SearchPathElem & elem);
+    std::optional<std::string> resolveSearchPathPath(const SearchPath::Path & path);
 
     /**
      * Evaluate an expression to normal form
@@ -475,12 +530,12 @@ public:
     StorePath coerceToStorePath(const PosIdx pos, Value & v, NixStringContext & context, std::string_view errorCtx);
 
     /**
-     * Part of `coerceToDerivedPath()` without any store IO which is exposed for unit testing only.
+     * Part of `coerceToSingleDerivedPath()` without any store IO which is exposed for unit testing only.
      */
-    std::pair<DerivedPath, std::string_view> coerceToDerivedPathUnchecked(const PosIdx pos, Value & v, std::string_view errorCtx);
+    std::pair<SingleDerivedPath, std::string_view> coerceToSingleDerivedPathUnchecked(const PosIdx pos, Value & v, std::string_view errorCtx);
 
     /**
-     * Coerce to `DerivedPath`.
+     * Coerce to `SingleDerivedPath`.
      *
      * Must be a string which is either a literal store path or a
      * "placeholder (see `DownstreamPlaceholder`).
@@ -494,7 +549,7 @@ public:
      * source of truth, and ultimately tells us what we want, and then
      * we ensure the string corresponds to it.
      */
-    DerivedPath coerceToDerivedPath(const PosIdx pos, Value & v, std::string_view errorCtx);
+    SingleDerivedPath coerceToSingleDerivedPath(const PosIdx pos, Value & v, std::string_view errorCtx);
 
 public:
 
@@ -509,18 +564,23 @@ public:
      */
     std::shared_ptr<StaticEnv> staticBaseEnv; // !!! should be private
 
+    /**
+     * Name and documentation about every constant.
+     *
+     * Constants from primops are hard to crawl, and their docs will go
+     * here too.
+     */
+    std::vector<std::pair<std::string, Constant>> constantInfos;
+
 private:
 
     unsigned int baseEnvDispl = 0;
 
     void createBaseEnv();
 
-    Value * addConstant(const std::string & name, Value & v);
+    Value * addConstant(const std::string & name, Value & v, Constant info);
 
-    void addConstant(const std::string & name, Value * v);
-
-    Value * addPrimOp(const std::string & name,
-        size_t arity, PrimOpFun primOp);
+    void addConstant(const std::string & name, Value * v, Constant info);
 
     Value * addPrimOp(PrimOp && primOp);
 
@@ -534,6 +594,10 @@ public:
         std::optional<std::string> name;
         size_t arity;
         std::vector<std::string> args;
+        /**
+         * Unlike the other `doc` fields in this file, this one should never be
+         * `null`.
+         */
         const char * doc;
     };
 
@@ -602,33 +666,45 @@ public:
     /**
      * Create a string representing a store path.
      *
-     * The string is the printed store path with a context containing a single
-     * `NixStringContextElem::Opaque` element of that store path.
+     * The string is the printed store path with a context containing a
+     * single `NixStringContextElem::Opaque` element of that store path.
      */
     void mkStorePathString(const StorePath & storePath, Value & v);
 
     /**
-     * Create a string representing a `DerivedPath::Built`.
+     * Create a string representing a `SingleDerivedPath::Built`.
      *
-     * The string is the printed store path with a context containing a single
-     * `NixStringContextElem::Built` element of the drv path and output name.
+     * The string is the printed store path with a context containing a
+     * single `NixStringContextElem::Built` element of the drv path and
+     * output name.
      *
      * @param value Value we are settings
      *
-     * @param drvPath Path the drv whose output we are making a string for
+     * @param b the drv whose output we are making a string for, and the
+     * output
      *
-     * @param outputName Name of the output
+     * @param optStaticOutputPath Optional output path for that string.
+     * Must be passed if and only if output store object is
+     * input-addressed or fixed output. Will be printed to form string
+     * if passed, otherwise a placeholder will be used (see
+     * `DownstreamPlaceholder`).
      *
-     * @param optOutputPath Optional output path for that string. Must
-     * be passed if and only if output store object is input-addressed.
-     * Will be printed to form string if passed, otherwise a placeholder
-     * will be used (see `DownstreamPlaceholder`).
+     * @param xpSettings Stop-gap to avoid globals during unit tests.
      */
     void mkOutputString(
         Value & value,
-        const StorePath & drvPath,
-        const std::string outputName,
-        std::optional<StorePath> optOutputPath);
+        const SingleDerivedPath::Built & b,
+        std::optional<StorePath> optStaticOutputPath,
+        const ExperimentalFeatureSettings & xpSettings = experimentalFeatureSettings);
+
+    /**
+     * Create a string representing a `SingleDerivedPath`.
+     *
+     * A combination of `mkStorePathString` and `mkOutputString`.
+     */
+    void mkSingleDerivedPathString(
+        const SingleDerivedPath & p,
+        Value & v);
 
     void concatLists(Value & v, size_t nrLists, Value * * lists, const PosIdx pos, std::string_view errorCtx);
 
@@ -645,6 +721,22 @@ public:
 
 private:
 
+    /**
+     * Like `mkOutputString` but just creates a raw string, not an
+     * string Value, which would also have a string context.
+     */
+    std::string mkOutputStringRaw(
+        const SingleDerivedPath::Built & b,
+        std::optional<StorePath> optStaticOutputPath,
+        const ExperimentalFeatureSettings & xpSettings = experimentalFeatureSettings);
+
+    /**
+     * Like `mkSingleDerivedPathStringRaw` but just creates a raw string
+     * Value, which would also have a string context.
+     */
+    std::string mkSingleDerivedPathStringRaw(
+        const SingleDerivedPath & p);
+
     unsigned long nrEnvs = 0;
     unsigned long nrValuesInEnvs = 0;
     unsigned long nrValues = 0;
@@ -700,14 +792,17 @@ struct DebugTraceStacker {
 
 /**
  * @return A string representing the type of the value `v`.
+ *
+ * @param withArticle Whether to begin with an english article, e.g. "an
+ * integer" vs "integer".
  */
-std::string_view showType(ValueType type);
+std::string_view showType(ValueType type, bool withArticle = true);
 std::string showType(const Value & v);
 
 /**
  * If `path` refers to a directory, then append "/default.nix".
  */
-SourcePath resolveExprPath(const SourcePath & path);
+SourcePath resolveExprPath(SourcePath path);
 
 struct InvalidPathError : EvalError
 {
@@ -718,92 +813,6 @@ struct InvalidPathError : EvalError
 #endif
 };
 
-struct EvalSettings : Config
-{
-    EvalSettings();
-
-    static Strings getDefaultNixPath();
-
-    static bool isPseudoUrl(std::string_view s);
-
-    static std::string resolvePseudoUrl(std::string_view url);
-
-    Setting<bool> enableNativeCode{this, false, "allow-unsafe-native-code-during-evaluation",
-        "Whether builtin functions that allow executing native code should be enabled."};
-
-    Setting<Strings> nixPath{
-        this, getDefaultNixPath(), "nix-path",
-        "List of directories to be searched for `<...>` file references."};
-
-    Setting<bool> restrictEval{
-        this, false, "restrict-eval",
-        R"(
-          If set to `true`, the Nix evaluator will not allow access to any
-          files outside of the Nix search path (as set via the `NIX_PATH`
-          environment variable or the `-I` option), or to URIs outside of
-          `allowed-uri`. The default is `false`.
-        )"};
-
-    Setting<bool> pureEval{this, false, "pure-eval",
-        R"(
-          Pure evaluation mode ensures that the result of Nix expressions is fully determined by explicitly declared inputs, and not influenced by external state:
-
-          - Restrict file system and network access to files specified by cryptographic hash
-          - Disable [`bultins.currentSystem`](@docroot@/language/builtin-constants.md#builtins-currentSystem) and [`builtins.currentTime`](@docroot@/language/builtin-constants.md#builtins-currentTime)
-        )"
-        };
-
-    Setting<bool> enableImportFromDerivation{
-        this, true, "allow-import-from-derivation",
-        R"(
-          By default, Nix allows you to `import` from a derivation, allowing
-          building at evaluation time. With this option set to false, Nix will
-          throw an error when evaluating an expression that uses this feature,
-          allowing users to ensure their evaluation will not require any
-          builds to take place.
-        )"};
-
-    Setting<Strings> allowedUris{this, {}, "allowed-uris",
-        R"(
-          A list of URI prefixes to which access is allowed in restricted
-          evaluation mode. For example, when set to
-          `https://github.com/NixOS`, builtin functions such as `fetchGit` are
-          allowed to access `https://github.com/NixOS/patchelf.git`.
-        )"};
-
-    Setting<bool> traceFunctionCalls{this, false, "trace-function-calls",
-        R"(
-          If set to `true`, the Nix evaluator will trace every function call.
-          Nix will print a log message at the "vomit" level for every function
-          entrance and function exit.
-
-              function-trace entered undefined position at 1565795816999559622
-              function-trace exited undefined position at 1565795816999581277
-              function-trace entered /nix/store/.../example.nix:226:41 at 1565795253249935150
-              function-trace exited /nix/store/.../example.nix:226:41 at 1565795253249941684
-
-          The `undefined position` means the function call is a builtin.
-
-          Use the `contrib/stack-collapse.py` script distributed with the Nix
-          source code to convert the trace logs in to a format suitable for
-          `flamegraph.pl`.
-        )"};
-
-    Setting<bool> useEvalCache{this, true, "eval-cache",
-        "Whether to use the flake evaluation cache."};
-
-    Setting<bool> ignoreExceptionsDuringTry{this, false, "ignore-try",
-        R"(
-          If set to true, ignore exceptions inside 'tryEval' calls when evaluating nix expressions in
-          debug mode (using the --debugger flag). By default the debugger will pause on all exceptions.
-        )"};
-
-    Setting<bool> traceVerbose{this, false, "trace-verbose",
-        "Whether `builtins.traceVerbose` should trace its first argument when evaluated."};
-};
-
-extern EvalSettings evalSettings;
-
 static const std::string corepkgsPrefix{"/__corepkgs__/"};
 
 template<class ErrorType>

src/libexpr/flake/flake.cc

@@ -1,5 +1,6 @@
 #include "flake.hh"
 #include "eval.hh"
+#include "eval-settings.hh"
 #include "lockfile.hh"
 #include "primops.hh"
 #include "eval-inline.hh"
@@ -519,11 +520,6 @@ LockedFlake lockFlake(
                             }
                         }
 
-                        auto localPath(parentPath);
-                        // If this input is a path, recurse it down.
-                        // This allows us to resolve path inputs relative to the current flake.
-                        if ((*input.ref).input.getType() == "path")
-                            localPath = absPath(*input.ref->input.getSourcePath(), parentPath);
                         computeLocks(
                             mustRefetch
                             ? getFlake(state, oldLock->lockedRef, false, flakeCache, inputPath).inputs
@@ -788,14 +784,106 @@ static RegisterPrimOp r2({
       ```nix
       (builtins.getFlake "github:edolstra/dwarffs").rev
       ```
-
-      This function is only available if you enable the experimental feature
-      `flakes`.
     )",
     .fun = prim_getFlake,
     .experimentalFeature = Xp::Flakes,
 });
 
+static void prim_parseFlakeRef(
+    EvalState & state,
+    const PosIdx pos,
+    Value * * args,
+    Value & v)
+{
+    std::string flakeRefS(state.forceStringNoCtx(*args[0], pos,
+        "while evaluating the argument passed to builtins.parseFlakeRef"));
+    auto attrs = parseFlakeRef(flakeRefS, {}, true).toAttrs();
+    auto binds = state.buildBindings(attrs.size());
+    for (const auto & [key, value] : attrs) {
+        auto s = state.symbols.create(key);
+        auto & vv = binds.alloc(s);
+        std::visit(overloaded {
+            [&vv](const std::string    & value) { vv.mkString(value); },
+            [&vv](const uint64_t       & value) { vv.mkInt(value);    },
+            [&vv](const Explicit<bool> & value) { vv.mkBool(value.t); }
+        }, value);
+    }
+    v.mkAttrs(binds);
+}
+
+static RegisterPrimOp r3({
+    .name =  "__parseFlakeRef",
+    .args = {"flake-ref"},
+    .doc = R"(
+      Parse a flake reference, and return its exploded form.
+
+      For example:
+      ```nix
+      builtins.parseFlakeRef "github:NixOS/nixpkgs/23.05?dir=lib"
+      ```
+      evaluates to:
+      ```nix
+      { dir = "lib"; owner = "NixOS"; ref = "23.05"; repo = "nixpkgs"; type = "github"; }
+      ```
+    )",
+    .fun = prim_parseFlakeRef,
+    .experimentalFeature = Xp::Flakes,
+});
+
+
+static void prim_flakeRefToString(
+    EvalState & state,
+    const PosIdx pos,
+    Value * * args,
+    Value & v)
+{
+    state.forceAttrs(*args[0], noPos,
+        "while evaluating the argument passed to builtins.flakeRefToString");
+    fetchers::Attrs attrs;
+    for (const auto & attr : *args[0]->attrs) {
+        auto t = attr.value->type();
+        if (t == nInt) {
+            attrs.emplace(state.symbols[attr.name],
+                          (uint64_t) attr.value->integer);
+        } else if (t == nBool) {
+            attrs.emplace(state.symbols[attr.name],
+                          Explicit<bool> { attr.value->boolean });
+        } else if (t == nString) {
+            attrs.emplace(state.symbols[attr.name],
+                          std::string(attr.value->str()));
+        } else {
+            state.error(
+                "flake reference attribute sets may only contain integers, Booleans, "
+                "and strings, but attribute '%s' is %s",
+                state.symbols[attr.name],
+                showType(*attr.value)).debugThrow<EvalError>();
+        }
+    }
+    auto flakeRef = FlakeRef::fromAttrs(attrs);
+    v.mkString(flakeRef.to_string());
+}
+
+static RegisterPrimOp r4({
+    .name =  "__flakeRefToString",
+    .args = {"attrs"},
+    .doc = R"(
+      Convert a flake reference from attribute set format to URL format.
+
+      For example:
+      ```nix
+      builtins.flakeRefToString {
+        dir = "lib"; owner = "NixOS"; ref = "23.05"; repo = "nixpkgs"; type = "github";
+      }
+      ```
+      evaluates to
+      ```nix
+      "github:NixOS/nixpkgs/23.05?dir=lib"
+      ```
+    )",
+    .fun = prim_flakeRefToString,
+    .experimentalFeature = Xp::Flakes,
+});
+
 }
 
 Fingerprint LockedFlake::getFingerprint() const