Merge branch 'master' (reformat)

Merge branch 'master' (pre-reformat)
AllowListSourceAccessor: Make thread-safe
2025-07-23 21:23:25 +02:00 · 2025-07-23 21:23:16 +02:00 · 2025-07-15 19:44:13 +02:00
470 changed files with 3915 additions and 8512 deletions
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -1,6 +1,2 @@
 # bulk initial re-formatting with clang-format
 e4f62e46088919428a68bd8014201dc8e379fed7 # !autorebase ./maintainers/format.sh --until-stable
-# meson re-formatting
-385e2c3542c707d95e3784f7f6d623f67e77ab61 # !autorebase ./maintainers/format.sh --until-stable
-# nixfmt 1.0.0
-1d943f581908f35075a84a3d89c2eba3ff35067f # !autorebase ./maintainers/format.sh --until-stable
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -45,7 +45,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open bug issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug

--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@@ -30,7 +30,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open feature issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open feature issues and pull requests]: https://github.com/NixOS/nix/labels/feature

--- a/.github/ISSUE_TEMPLATE/installer.md
+++ b/.github/ISSUE_TEMPLATE/installer.md
@@ -38,7 +38,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open installer issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open installer issues and pull requests]: https://github.com/NixOS/nix/labels/installer

--- a/.github/ISSUE_TEMPLATE/missing_documentation.md
+++ b/.github/ISSUE_TEMPLATE/missing_documentation.md
@@ -22,7 +22,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open documentation issues and pull requests] for possible duplicates

-[latest Nix manual]: https://nix.dev/manual/nix/development/
+[latest Nix manual]: https://nixos.org/manual/nix/unstable/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation

--- a/.github/actions/install-nix-action/action.yaml
+++ b/.github/actions/install-nix-action/action.yaml
@@ -4,36 +4,22 @@ inputs:
  dogfood:
    description: "Whether to use Nix installed from the latest artifact from master branch"
    required: true # Be explicit about the fact that we are using unreleased artifacts
-  experimental-installer:
-    description: "Whether to use the experimental installer to install Nix"
-    default: false
-  experimental-installer-version:
-    description: "Version of the experimental installer to use. If `latest`, the newest artifact from the default branch is used."
-    # TODO: This should probably be pinned to a release after https://github.com/NixOS/experimental-nix-installer/pull/49 lands in one
-    default: "latest"
  extra_nix_config:
    description: "Gets appended to `/etc/nix/nix.conf` if passed."
  install_url:
    description: "URL of the Nix installer"
    required: false
-    default: "https://releases.nixos.org/nix/nix-2.30.2/install"
-  tarball_url:
-    description: "URL of the Nix tarball to use with the experimental installer"
-    required: false
+    default: "https://releases.nixos.org/nix/nix-2.30.1/install"
  github_token:
    description: "Github token"
    required: true
-  use_cache:
-    description: "Whether to setup github actions cache (not implemented currently)"
-    default: false
-    required: false
 runs:
  using: "composite"
  steps:
    - name: "Download nix install artifact from master"
      shell: bash
      id: download-nix-installer
-      if: inputs.dogfood == 'true'
+      if: ${{ inputs.dogfood }}
      run: |
        RUN_ID=$(gh run list --repo "$DOGFOOD_REPO" --workflow ci.yml --branch master --status success --json databaseId --jq ".[0].databaseId")

@@ -51,74 +37,14 @@ runs:

        gh run download "$RUN_ID" --repo "$DOGFOOD_REPO" -n "$INSTALLER_ARTIFACT" -D "$INSTALLER_DOWNLOAD_DIR"
        echo "installer-path=file://$INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
-        TARBALL_PATH="$(find "$INSTALLER_DOWNLOAD_DIR" -name 'nix*.tar.xz' -print | head -n 1)"
-        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"

        echo "::notice ::Dogfooding Nix installer from master (https://github.com/$DOGFOOD_REPO/actions/runs/$RUN_ID)"
      env:
        GH_TOKEN: ${{ inputs.github_token }}
        DOGFOOD_REPO: "NixOS/nix"
-    - name: "Gather system info for experimental installer"
-      shell: bash
-      if: ${{ inputs.experimental-installer == 'true' }}
-      run: |
-        echo "::notice Using experimental installer from $EXPERIMENTAL_INSTALLER_REPO (https://github.com/$EXPERIMENTAL_INSTALLER_REPO)"
-
-        if [ "$RUNNER_OS" == "Linux" ]; then
-          EXPERIMENTAL_INSTALLER_SYSTEM="linux"
-          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-        elif [ "$RUNNER_OS" == "macOS" ]; then
-          EXPERIMENTAL_INSTALLER_SYSTEM="darwin"
-          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-        else
-          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
-          exit 1
-        fi
-
-        if [ "$RUNNER_ARCH" == "X64" ]; then
-          EXPERIMENTAL_INSTALLER_ARCH=x86_64
-          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
-        elif [ "$RUNNER_ARCH" == "ARM64" ]; then
-          EXPERIMENTAL_INSTALLER_ARCH=aarch64
-          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
-        else
-          echo "::error ::Unsupported RUNNER_ARCH: $RUNNER_ARCH"
-          exit 1
-        fi
-
-        echo "EXPERIMENTAL_INSTALLER_ARTIFACT=nix-installer-$EXPERIMENTAL_INSTALLER_ARCH-$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-      env:
-        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
-    - name: "Download latest experimental installer"
-      shell: bash
-      id: download-latest-experimental-installer
-      if: ${{ inputs.experimental-installer == 'true' && inputs.experimental-installer-version == 'latest' }}
-      run: |
-        RUN_ID=$(gh run list --repo "$EXPERIMENTAL_INSTALLER_REPO" --workflow ci.yml --branch main --status success --json databaseId --jq ".[0].databaseId")
-
-        EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$EXPERIMENTAL_INSTALLER_ARTIFACT"
-        mkdir -p "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
-
-        gh run download "$RUN_ID" --repo "$EXPERIMENTAL_INSTALLER_REPO" -n "$EXPERIMENTAL_INSTALLER_ARTIFACT" -D "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
-        # Executable permissions are lost in artifacts
-        find $EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR -type f -exec chmod +x {} +
-        echo "installer-path=$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
-      env:
-        GH_TOKEN: ${{ inputs.github_token }}
-        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
-      if: ${{ inputs.experimental-installer != 'true' }}
      with:
        # Ternary operator in GHA: https://www.github.com/actions/runner/issues/409#issuecomment-752775072
-        install_url: ${{ inputs.dogfood == 'true' && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
-        install_options: ${{ inputs.dogfood == 'true' && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
+        install_url: ${{ inputs.dogfood && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
+        install_options: ${{ inputs.dogfood && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
        extra_nix_config: ${{ inputs.extra_nix_config }}
-    - uses: DeterminateSystems/nix-installer-action@786fff0690178f1234e4e1fe9b536e94f5433196 # v20
-      if: ${{ inputs.experimental-installer == 'true' }}
-      with:
-        diagnostic-endpoint: ""
-        # TODO: It'd be nice to use `artifacts.nixos.org` for both of these, maybe through an `/experimental-installer/latest` endpoint? or `/commit/<hash>`?
-        local-root: ${{ inputs.experimental-installer-version == 'latest' && steps.download-latest-experimental-installer.outputs.installer-path || '' }}
-        source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
-        nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
-        extra-conf: ${{ inputs.extra_nix_config }}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,15 +2,7 @@ name: "CI"

 on:
  pull_request:
-  merge_group:
  push:
-  workflow_dispatch:
-    inputs:
-      dogfood:
-        description: 'Use dogfood Nix build'
-        required: false
-        default: true
-        type: boolean

 permissions: read-all

@@ -18,16 +10,15 @@ jobs:
  eval:
    runs-on: ubuntu-24.04
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: ./.github/actions/install-nix-action
      with:
-        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        dogfood: true
        extra_nix_config:
          experimental-features = nix-command flakes
        github_token: ${{ secrets.GITHUB_TOKEN }}
-        use_cache: false
    - run: nix flake show --all-systems --json

  tests:
@@ -38,68 +29,36 @@ jobs:
          - scenario: on ubuntu
            runs-on: ubuntu-24.04
            os: linux
-            instrumented: false
-            primary: true
-            stdenv: stdenv
          - scenario: on macos
            runs-on: macos-14
            os: darwin
-            instrumented: false
-            primary: true
-            stdenv: stdenv
-          - scenario: on ubuntu (with sanitizers / coverage)
-            runs-on: ubuntu-24.04
-            os: linux
-            instrumented: true
-            primary: false
-            stdenv: clangStdenv
    name: tests ${{ matrix.scenario }}
    runs-on: ${{ matrix.runs-on }}
    timeout-minutes: 60
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: ./.github/actions/install-nix-action
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
-        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        dogfood: true
        # The sandbox would otherwise be disabled by default on Darwin
-        extra_nix_config: "sandbox = true"
+        extra_nix_config: |
+          sandbox = true
+          max-jobs = 1
+    - uses: DeterminateSystems/magic-nix-cache-action@main
    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
      if: matrix.os == 'linux'
-    - name: Run component tests
-      run: |
-        nix build --file ci/gha/tests/wrapper.nix componentTests -L \
-          --arg withInstrumentation ${{ matrix.instrumented }} \
-          --argstr stdenv "${{ matrix.stdenv }}"
-    - name: Run flake checks and prepare the installer tarball
-      run: |
-        ci/gha/tests/build-checks
-        ci/gha/tests/prepare-installer-for-github-actions
-      if: ${{ matrix.primary }}
-    - name: Collect code coverage
-      run: |
-        nix build --file ci/gha/tests/wrapper.nix codeCoverage.coverageReports -L \
-          --arg withInstrumentation ${{ matrix.instrumented }} \
-          --argstr stdenv "${{ matrix.stdenv }}" \
-          --out-link coverage-reports
-        cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
-      if: ${{ matrix.instrumented }}
-    - name: Upload coverage reports
-      uses: actions/upload-artifact@v4
-      with:
-        name: coverage-reports
-        path: coverage-reports/
-      if: ${{ matrix.instrumented }}
+    - run: scripts/build-checks
+    - run: scripts/prepare-installer-for-github-actions
    - name: Upload installer tarball
      uses: actions/upload-artifact@v4
      with:
        name: installer-${{matrix.os}}
        path: out/*
-      if: ${{ matrix.primary }}

  installer_test:
    needs: [tests]
@@ -116,19 +75,19 @@ jobs:
    name: installer test ${{ matrix.scenario }}
    runs-on: ${{ matrix.runs-on }}
    steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v4
    - name: Download installer tarball
-      uses: actions/download-artifact@v5
+      uses: actions/download-artifact@v4
      with:
        name: installer-${{matrix.os}}
        path: out
-    - name: Looking up the installer tarball URL
-      id: installer-tarball-url
-      run: echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
+    - name: Serving installer
+      id: serving_installer
+      run: ./scripts/serve-installer-for-github-actions
    - uses: cachix/install-nix-action@v31
      with:
-        install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
-        install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
+        install_url: 'http://localhost:8126/install'
+        install_options: "--tarball-url-prefix http://localhost:8126/"
    - run: sudo apt install fish zsh
      if: matrix.os == 'linux'
    - run: brew install fish
@@ -140,28 +99,92 @@ jobs:
    - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
    - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"

+  # Steps to test CI automation in your own fork.
+  # 1. Sign-up for https://hub.docker.com/
+  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
+  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
+  check_secrets:
+    permissions:
+      contents: none
+    name: Check Docker secrets present for installer tests
+    runs-on: ubuntu-24.04
+    outputs:
+      docker: ${{ steps.secret.outputs.docker }}
+    steps:
+      - name: Check for secrets
+        id: secret
+        env:
+          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
+
  docker_push_image:
-    name: Push docker image to DockerHub and GHCR
-    needs: [tests, vm_tests]
-    if: github.event_name == 'push' && github.ref_name == 'master'
-    uses: ./.github/workflows/docker-push.yml
-    with:
-      ref: ${{ github.sha }}
-      is_master: true
+    needs: [tests, vm_tests, check_secrets]
    permissions:
      contents: read
      packages: write
-    secrets:
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+    if: >-
+      needs.check_secrets.outputs.docker == 'true' &&
+      github.event_name == 'push' &&
+      github.ref_name == 'master'
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Check for secrets
+      id: secret
+      env:
+        _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+      run: |
+        echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - uses: cachix/install-nix-action@v31
+      with:
+        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
+    - uses: DeterminateSystems/magic-nix-cache-action@main
+    - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
+    - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
+    - run: docker load -i ./result/image.tar.gz
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
+    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
+    #
+    # Push to Docker Hub first
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
+    # Push to GitHub Container Registry as well
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Push image
+      run: |
+        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
+        # Change all uppercase to lowercase
+        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
+
+        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
+        docker tag nix:$NIX_VERSION $IMAGE_ID:latest
+        docker push $IMAGE_ID:$NIX_VERSION
+        docker push $IMAGE_ID:latest
+        # deprecated 2024-02-24
+        docker tag nix:$NIX_VERSION $IMAGE_ID:master
+        docker push $IMAGE_ID:master

  vm_tests:
    runs-on: ubuntu-24.04
    steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v4
      - uses: ./.github/actions/install-nix-action
        with:
-          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+          dogfood: true
          extra_nix_config:
            experimental-features = nix-command flakes
          github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -179,43 +202,22 @@ jobs:
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout nix
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
      - name: Checkout flake-regressions
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: NixOS/flake-regressions
          path: flake-regressions
      - name: Checkout flake-regressions-data
-        uses: actions/checkout@v5
+        uses: actions/checkout@v4
        with:
          repository: NixOS/flake-regressions-data
          path: flake-regressions/tests
      - uses: ./.github/actions/install-nix-action
        with:
-          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+          dogfood: true
          extra_nix_config:
            experimental-features = nix-command flakes
          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh
-
-  profile_build:
-    needs: tests
-    runs-on: ubuntu-24.04
-    timeout-minutes: 60
-    if: >-
-      github.event_name == 'push' &&
-      github.ref_name == 'master'
-    steps:
-    - uses: actions/checkout@v5
-      with:
-        fetch-depth: 0
-    - uses: ./.github/actions/install-nix-action
-      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
-        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
-        extra_nix_config: |
-          experimental-features = flakes nix-command ca-derivations impure-derivations
-          max-jobs = 1
-    - run: |
-        nix build -L --file ./ci/gha/profile-build buildTimeReport --out-link build-time-report.md
-        cat build-time-report.md >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/docker-push.yml
+++ b/.github/workflows/docker-push.yml
@@ -1,101 +0,0 @@
-name: "Push Docker Image"
-
-on:
-  workflow_call:
-    inputs:
-      ref:
-        description: "Git ref to build the docker image from"
-        required: true
-        type: string
-      is_master:
-        description: "Whether run from master branch"
-        required: true
-        type: boolean
-    secrets:
-      DOCKERHUB_USERNAME:
-        required: true
-      DOCKERHUB_TOKEN:
-        required: true
-
-permissions: {}
-
-jobs:
-  # Steps to test CI automation in your own fork.
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check presence of secrets
-    runs-on: ubuntu-24.04
-    outputs:
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for DockerHub secrets
-        id: secret
-        env:
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
-
-  push:
-    name: Push docker image to DockerHub and GHCR
-    needs: [check_secrets]
-    permissions:
-      contents: read
-      packages: write
-    if: needs.check_secrets.outputs.docker == 'true'
-    runs-on: ubuntu-24.04
-    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        fetch-depth: 0
-        ref: ${{ inputs.ref }}
-    - uses: ./.github/actions/install-nix-action
-      with:
-        dogfood: false
-        extra_nix_config: |
-          experimental-features = flakes nix-command
-    - run: echo NIX_VERSION="$(nix eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
-    - run: nix build .#dockerImage -L
-    - run: docker load -i ./result/image.tar.gz
-    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
-    #
-    # Push to Docker Hub first
-    - name: Login to Docker Hub
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - name: Push to Docker Hub
-      env:
-        IS_MASTER: ${{ inputs.is_master }}
-        DOCKERHUB_REPO: ${{ secrets.DOCKERHUB_USERNAME }}/nix
-      run: |
-        docker tag nix:$NIX_VERSION $DOCKERHUB_REPO:$NIX_VERSION
-        docker push $DOCKERHUB_REPO:$NIX_VERSION
-        if [ "$IS_MASTER" = "true" ]; then
-          docker tag nix:$NIX_VERSION $DOCKERHUB_REPO:master
-          docker push $DOCKERHUB_REPO:master
-        fi
-    # Push to GitHub Container Registry as well
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Push to GHCR
-      env:
-        IS_MASTER: ${{ inputs.is_master }}
-      run: |
-        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
-        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-
-        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
-        docker push $IMAGE_ID:$NIX_VERSION
-        if [ "$IS_MASTER" = "true" ]; then
-          docker tag nix:$NIX_VERSION $IMAGE_ID:master
-          docker push $IMAGE_ID:master
-        fi
--- a/.github/workflows/upload-release.yml
+++ b/.github/workflows/upload-release.yml
@@ -1,80 +0,0 @@
-name: Upload Release
-on:
-  workflow_dispatch:
-    inputs:
-      eval_id:
-        description: "Hydra evaluation ID"
-        required: true
-        type: number
-      is_latest:
-        description: "Mark as latest release"
-        required: false
-        type: boolean
-        default: false
-permissions:
-  contents: read
-  id-token: write
-  packages: write
-jobs:
-  release:
-    runs-on: ubuntu-24.04
-    environment: releases
-    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: ./.github/actions/install-nix-action
-        with:
-          dogfood: false # Use stable version
-          use_cache: false # Don't want any cache injection shenanigans
-          extra_nix_config: |
-            experimental-features = nix-command flakes
-      - name: Set NIX_PATH from flake input
-        run: |
-          NIXPKGS_PATH=$(nix build --inputs-from .# nixpkgs#path --print-out-paths --no-link)
-          # Shebangs with perl have issues. Pin nixpkgs this way. nix shell should maybe
-          # get the same uberhack that nix-shell has to support it.
-          echo "NIX_PATH=nixpkgs=$NIXPKGS_PATH" >> "$GITHUB_ENV"
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
-        with:
-          role-to-assume: "arn:aws:iam::080433136561:role/nix-release"
-          role-session-name: nix-release-oidc-${{ github.run_id }}
-          aws-region: eu-west-1
-      - name: Disable containerd image store
-        run: |
-          # Docker 28+ defaults to the containerd image store, which
-          # pushes layers uncompressed instead of gzip. OCI clients
-          # that only support gzip (e.g. go-containerregistry) fail
-          # with "gzip: invalid header". Disabling the containerd
-          # snapshotter restores the classic storage driver, which
-          # preserves gzip-compressed layers through the
-          # `docker load` / `docker push` pipeline.
-          echo '{"features":{"containerd-snapshotter":false}}' | sudo tee /etc/docker/daemon.json > /dev/null
-          sudo systemctl restart docker
-      - name: Login to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload release
-        run: |
-          ./maintainers/upload-release.pl \
-            ${{ inputs.eval_id }} \
-            --skip-git
-        env:
-          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}
-      - name: Push to GHCR
-        run: |
-          DOCKER_OWNER="ghcr.io/$(echo '${{ github.repository_owner }}' | tr '[A-Z]' '[a-z]')/nix"
-          ./maintainers/upload-release.pl \
-            ${{ inputs.eval_id }} \
-            --skip-git \
-            --skip-s3 \
-            --docker-owner "$DOCKER_OWNER"
-        env:
-          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.31.4
+2.31.0
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -89,7 +89,7 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).

 ## Making changes to the Nix manual

-The Nix reference manual is hosted on https://nix.dev/manual/nix.
+The Nix reference manual is hosted on https://nixos.org/manual/nix.
 The underlying source files are located in [`doc/manual/source`](./doc/manual/source).
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
 For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).
--- a/ci/gha/profile-build/default.nix
+++ b/ci/gha/profile-build/default.nix
@@ -1,101 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? builtins.currentSystem,
-  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
-}:
-
-let
-  inherit (pkgs) lib;
-
-  nixComponentsInstrumented =
-    (nixFlake.lib.makeComponents {
-      inherit pkgs;
-      getStdenv = p: p.clangStdenv;
-    }).overrideScope
-      (
-        _: _: {
-          mesonComponentOverrides = finalAttrs: prevAttrs: {
-            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "buildprofile" ];
-            nativeBuildInputs = [ pkgs.clangbuildanalyzer ] ++ prevAttrs.nativeBuildInputs or [ ];
-            __impure = true;
-
-            env = {
-              CFLAGS = "-ftime-trace";
-              CXXFLAGS = "-ftime-trace";
-            };
-
-            preBuild = ''
-              ClangBuildAnalyzer --start $PWD
-            '';
-
-            postBuild = ''
-              ClangBuildAnalyzer --stop $PWD $buildprofile
-            '';
-          };
-        }
-      );
-
-  componentsToProfile = {
-    "nix-util" = { };
-    "nix-util-c" = { };
-    "nix-util-test-support" = { };
-    "nix-util-tests" = { };
-    "nix-store" = { };
-    "nix-store-c" = { };
-    "nix-store-test-support" = { };
-    "nix-store-tests" = { };
-    "nix-fetchers" = { };
-    "nix-fetchers-c" = { };
-    "nix-fetchers-tests" = { };
-    "nix-expr" = { };
-    "nix-expr-c" = { };
-    "nix-expr-test-support" = { };
-    "nix-expr-tests" = { };
-    "nix-flake" = { };
-    "nix-flake-c" = { };
-    "nix-flake-tests" = { };
-    "nix-main" = { };
-    "nix-main-c" = { };
-    "nix-cmd" = { };
-    "nix-cli" = { };
-  };
-
-  componentDerivationsToProfile = builtins.intersectAttrs componentsToProfile nixComponentsInstrumented;
-  componentBuildProfiles = lib.mapAttrs (
-    n: v: lib.getOutput "buildprofile" v
-  ) componentDerivationsToProfile;
-
-  buildTimeReport =
-    pkgs.runCommand "build-time-report"
-      {
-        __impure = true;
-        __structuredAttrs = true;
-        nativeBuildInputs = [ pkgs.clangbuildanalyzer ];
-        inherit componentBuildProfiles;
-      }
-      ''
-        {
-          echo "# Build time performance profile for components:"
-          echo
-          echo "This reports the build profile collected via \`-ftime-trace\` for each component."
-          echo
-        } >> $out
-
-        for name in "''\${!componentBuildProfiles[@]}"; do
-          {
-            echo "<details><summary><strong>$name</strong></summary>"
-            echo
-            echo '````'
-            ClangBuildAnalyzer --analyze "''\${componentBuildProfiles[$name]}"
-            echo '````'
-            echo
-            echo "</details>"
-          } >> $out
-        done
-      '';
-in
-
-{
-  inherit buildTimeReport;
-  inherit componentDerivationsToProfile;
-}
--- a/ci/gha/tests/default.nix
+++ b/ci/gha/tests/default.nix
@@ -1,229 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? builtins.currentSystem,
-  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
-  nixComponents ? (
-    nixFlake.lib.makeComponents {
-      inherit pkgs;
-      inherit getStdenv;
-    }
-  ),
-  getStdenv ? p: p.stdenv,
-  componentTestsPrefix ? "",
-  withSanitizers ? false,
-  withCoverage ? false,
-  ...
-}:
-
-let
-  inherit (pkgs) lib;
-  hydraJobs = nixFlake.hydraJobs;
-  packages' = nixFlake.packages.${system};
-  stdenv = (getStdenv pkgs);
-
-  enableSanitizersLayer = finalAttrs: prevAttrs: {
-    mesonFlags =
-      (prevAttrs.mesonFlags or [ ])
-      ++ [
-        # Run all tests with UBSAN enabled. Running both with ubsan and
-        # without doesn't seem to have much immediate benefit for doubling
-        # the GHA CI workaround.
-        #
-        # TODO: Work toward enabling "address,undefined" if it seems feasible.
-        # This would maybe require dropping Boost coroutines and ignoring intentional
-        # memory leaks with detect_leaks=0.
-        (lib.mesonOption "b_sanitize" "undefined")
-      ]
-      ++ (lib.optionals stdenv.cc.isClang [
-        # https://www.github.com/mesonbuild/meson/issues/764
-        (lib.mesonBool "b_lundef" false)
-      ]);
-  };
-
-  collectCoverageLayer = finalAttrs: prevAttrs: {
-    env =
-      let
-        # https://clang.llvm.org/docs/SourceBasedCodeCoverage.html#the-code-coverage-workflow
-        coverageFlags = [
-          "-fprofile-instr-generate"
-          "-fcoverage-mapping"
-        ];
-      in
-      {
-        CFLAGS = toString coverageFlags;
-        CXXFLAGS = toString coverageFlags;
-      };
-
-    # Done in a pre-configure hook, because $NIX_BUILD_TOP needs to be substituted.
-    preConfigure = prevAttrs.preConfigure or "" + ''
-      mappingFlag=" -fcoverage-prefix-map=$NIX_BUILD_TOP/${finalAttrs.src.name}=${finalAttrs.src}"
-      CFLAGS+="$mappingFlag"
-      CXXFLAGS+="$mappingFlag"
-    '';
-  };
-
-  componentOverrides =
-    (lib.optional withSanitizers enableSanitizersLayer)
-    ++ (lib.optional withCoverage collectCoverageLayer);
-in
-
-rec {
-  nixComponentsInstrumented = nixComponents.overrideScope (
-    final: prev: {
-      nix-store-tests = prev.nix-store-tests.override { withBenchmarks = true; };
-
-      mesonComponentOverrides = lib.composeManyExtensions componentOverrides;
-    }
-  );
-
-  /**
-    Top-level tests for the flake outputs, as they would be built by hydra.
-    These tests generally can't be overridden to run with sanitizers.
-  */
-  topLevel = {
-    installerScriptForGHA = hydraJobs.installerScriptForGHA.${system};
-    installTests = hydraJobs.installTests.${system};
-    nixpkgsLibTests = hydraJobs.tests.nixpkgsLibTests.${system};
-    rl-next = pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
-      LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${../../../doc/manual/rl-next} >$out
-    '';
-    repl-completion = pkgs.callPackage ../../../tests/repl-completion.nix { inherit (packages') nix; };
-
-    /**
-      Checks for our packaging expressions.
-      This shouldn't build anything significant; just check that things
-      (including derivations) are _set up_ correctly.
-    */
-    packaging-overriding =
-      let
-        nix = packages'.nix;
-      in
-      assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
-      if pkgs.stdenv.buildPlatform.isDarwin then
-        lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
-      else
-        # If this fails, something might be wrong with how we've wired the scope,
-        # or something could be broken in Nixpkgs.
-        pkgs.testers.testEqualContents {
-          assertion = "trivial patch does not change source contents";
-          expected = "${../../..}";
-          actual =
-            # Same for all components; nix-util is an arbitrary pick
-            (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
-        };
-  };
-
-  componentTests =
-    (lib.concatMapAttrs (
-      pkgName: pkg:
-      lib.concatMapAttrs (testName: test: {
-        "${componentTestsPrefix}${pkgName}-${testName}" = test;
-      }) (pkg.tests or { })
-    ) nixComponentsInstrumented)
-    // lib.optionalAttrs (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) {
-      "${componentTestsPrefix}nix-functional-tests" = nixComponentsInstrumented.nix-functional-tests;
-    };
-
-  codeCoverage =
-    let
-      componentsTestsToProfile =
-        (builtins.mapAttrs (n: v: nixComponentsInstrumented.${n}.tests.run) {
-          "nix-util-tests" = { };
-          "nix-store-tests" = { };
-          "nix-fetchers-tests" = { };
-          "nix-expr-tests" = { };
-          "nix-flake-tests" = { };
-        })
-        // {
-          inherit (nixComponentsInstrumented) nix-functional-tests;
-        };
-
-      coverageProfileDrvs = lib.mapAttrs (
-        n: v:
-        v.overrideAttrs (
-          finalAttrs: prevAttrs: {
-            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "profraw" ];
-            env = {
-              LLVM_PROFILE_FILE = "${placeholder "profraw"}/%m";
-            };
-          }
-        )
-      ) componentsTestsToProfile;
-
-      coverageProfiles = lib.mapAttrsToList (n: v: lib.getOutput "profraw" v) coverageProfileDrvs;
-
-      mergedProfdata =
-        pkgs.runCommand "merged-profdata"
-          {
-            __structuredAttrs = true;
-            nativeBuildInputs = [ pkgs.llvmPackages.libllvm ];
-            inherit coverageProfiles;
-          }
-          ''
-            rawProfiles=()
-            for dir in "''\${coverageProfiles[@]}"; do
-              rawProfiles+=($dir/*)
-            done
-            llvm-profdata merge -sparse -output $out "''\${rawProfiles[@]}"
-          '';
-
-      coverageReports =
-        let
-          nixComponentDrvs = lib.filter (lib.isDerivation) (lib.attrValues nixComponentsInstrumented);
-        in
-        pkgs.runCommand "code-coverage-report"
-          {
-            nativeBuildInputs = [
-              pkgs.llvmPackages.libllvm
-              pkgs.jq
-            ];
-            __structuredAttrs = true;
-            nixComponents = nixComponentDrvs;
-          }
-          ''
-            # ${toString (lib.map (v: v.src) nixComponentDrvs)}
-
-            binaryFiles=()
-            for dir in "''\${nixComponents[@]}"; do
-              readarray -t filesInDir < <(find "$dir" -type f -executable)
-              binaryFiles+=("''\${filesInDir[@]}")
-            done
-
-            arguments=$(concatStringsSep " -object " binaryFiles)
-            llvm-cov show $arguments -instr-profile ${mergedProfdata} -output-dir $out -format=html
-
-            {
-              echo "# Code coverage summary (generated via \`llvm-cov\`):"
-              echo
-              echo '```'
-              llvm-cov report $arguments -instr-profile ${mergedProfdata} -format=text -use-color=false
-              echo '```'
-              echo
-            } >> $out/index.txt
-
-            llvm-cov export $arguments -instr-profile ${mergedProfdata} -format=text > $out/coverage.json
-
-            mkdir -p $out/nix-support
-
-            coverageTotals=$(jq ".data[0].totals" $out/coverage.json)
-
-            # Mostly inline from pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh [1],
-            # which we can't use here, because we rely on LLVM's infra for source code coverage collection.
-            # [1]: https://github.com/NixOS/nixpkgs/blob/67bb48c4c8e327417d6d5aa7e538244b209e852b/pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh#L16
-            declare -A metricsArray=(["lineCoverage"]="lines" ["functionCoverage"]="functions" ["branchCoverage"]="branches")
-
-            for metricName in "''\${!metricsArray[@]}"; do
-              key="''\${metricsArray[$metricName]}"
-              metric=$(echo "$coverageTotals" | jq ".$key.percent * 10 | round / 10")
-              echo "$metricName $metric %" >> $out/nix-support/hydra-metrics
-            done
-
-            echo "report coverage $out" >> $out/nix-support/hydra-build-products
-          '';
-    in
-    assert withCoverage;
-    assert stdenv.cc.isClang;
-    {
-      inherit coverageProfileDrvs mergedProfdata coverageReports;
-    };
-}
--- a/ci/gha/tests/wrapper.nix
+++ b/ci/gha/tests/wrapper.nix
@@ -1,16 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? builtins.currentSystem,
-  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
-  stdenv ? "stdenv",
-  componentTestsPrefix ? "",
-  withInstrumentation ? false,
-}@args:
-import ./. (
-  args
-  // {
-    getStdenv = p: p.${stdenv};
-    withSanitizers = withInstrumentation;
-    withCoverage = withInstrumentation;
-  }
-)
--- a/doc/manual/anchors.jq
+++ b/doc/manual/anchors.jq
@@ -24,15 +24,8 @@ def map_contents_recursively(transformer):
 def process_command:
    .[0] as $context |
    .[1] as $body |
-    # mdbook 0.5.x uses 'items' instead of 'sections'
-    if $body.items then
-        $body + {
-            items: $body.items | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
-        }
-    else
-        $body + {
-            sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
-        }
-    end;
+    $body + {
+        sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+    };

 process_command
--- a/doc/manual/book.toml.in
+++ b/doc/manual/book.toml.in
@@ -23,3 +23,12 @@ renderers = ["html"]
 command = "jq --from-file ./anchors.jq"

 [output.markdown]
+
+[output.linkcheck]
+# no Internet during the build (in the sandbox)
+follow-web-links = false
+
+# mdbook-linkcheck does not understand [foo]{#bar} style links, resulting in
+# excessive "Potential incomplete link" warnings. No other kind of warning was
+# produced at the time of writing.
+warning-policy = "ignore"
--- a/doc/manual/generate-store-types.nix
+++ b/doc/manual/generate-store-types.nix
@@ -24,9 +24,9 @@ let
    in
    concatStringsSep "\n" (map showEntry storesList);

-  "index.md" = replaceStrings [ "@store-types@" ] [ index ] (
-    readFile ./source/store/types/index.md.in
-  );
+  "index.md" =
+    replaceStrings [ "@store-types@" ] [ index ]
+      (readFile ./source/store/types/index.md.in);

  tableOfContents =
    let
--- a/doc/manual/meson.build
+++ b/doc/manual/meson.build
@@ -1,5 +1,4 @@
-project(
-  'nix-manual',
+project('nix-manual',
  version : files('.version'),
  meson_version : '>= 1.1',
  license : 'LGPL-2.1-or-later',
@@ -9,45 +8,44 @@ nix = find_program('nix', native : true)

 mdbook = find_program('mdbook', native : true)
 bash = find_program('bash', native : true)
-rsync = find_program('rsync', required : true, native : true)
+rsync = find_program('rsync', required: true, native: true)

 pymod = import('python')
 python = pymod.find_installation('python3')

 nix_env_for_docs = {
-  'HOME' : '/dummy',
-  'NIX_CONF_DIR' : '/dummy',
-  'NIX_SSL_CERT_FILE' : '/dummy/no-ca-bundle.crt',
-  'NIX_STATE_DIR' : '/dummy',
-  'NIX_CONFIG' : 'cores = 0',
+  'HOME': '/dummy',
+  'NIX_CONF_DIR': '/dummy',
+  'NIX_SSL_CERT_FILE': '/dummy/no-ca-bundle.crt',
+  'NIX_STATE_DIR': '/dummy',
+  'NIX_CONFIG': 'cores = 0',
 }

-nix_for_docs = [ nix, '--experimental-features', 'nix-command' ]
+nix_for_docs = [nix, '--experimental-features', 'nix-command']
 nix_eval_for_docs_common = nix_for_docs + [
  'eval',
-  '-I',
-  'nix=' + meson.current_source_dir(),
+  '-I', 'nix=' + meson.current_source_dir(),
  '--store', 'dummy://',
  '--impure',
 ]
 nix_eval_for_docs = nix_eval_for_docs_common + '--raw'

 conf_file_json = custom_target(
-  command : nix_for_docs + [ 'config', 'show', '--json' ],
+  command : nix_for_docs + ['config', 'show', '--json'],
  capture : true,
  output : 'conf-file.json',
  env : nix_env_for_docs,
 )

 language_json = custom_target(
-  command : [ nix, '__dump-language' ],
+  command: [nix, '__dump-language'],
  output : 'language.json',
  capture : true,
  env : nix_env_for_docs,
 )

 nix3_cli_json = custom_target(
-  command : [ nix, '__dump-cli' ],
+  command : [nix, '__dump-cli'],
  capture : true,
  output : 'nix.json',
  env : nix_env_for_docs,
@@ -81,8 +79,7 @@ manual = custom_target(
  'manual',
  command : [
    bash,
-    '-euo',
-    'pipefail',
+    '-euo', 'pipefail',
    '-c',
    '''
        @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
@@ -123,8 +120,8 @@ manual = custom_target(
  ],
  depfile : 'manual.d',
  env : {
-    'RUST_LOG' : 'info',
-    'MDBOOK_SUBSTITUTE_SEARCH' : meson.current_build_dir() / 'source',
+    'RUST_LOG': 'info',
+    'MDBOOK_SUBSTITUTE_SEARCH': meson.current_build_dir() / 'source',
  },
 )
 manual_html = manual[0]
@@ -136,8 +133,7 @@ install_subdir(
 )

 nix_nested_manpages = [
-  [
-    'nix-env',
+  [ 'nix-env',
    [
      'delete-generations',
      'install',
@@ -152,8 +148,7 @@ nix_nested_manpages = [
      'upgrade',
    ],
  ],
-  [
-    'nix-store',
+  [ 'nix-store',
    [
      'add-fixed',
      'add',
--- a/doc/manual/package.nix
+++ b/doc/manual/package.nix
@@ -6,6 +6,7 @@
  ninja,
  lowdown-unsandboxed,
  mdbook,
+  mdbook-linkcheck,
  jq,
  python3,
  rsync,
@@ -45,22 +46,24 @@ mkMesonDerivation (finalAttrs: {
  ];

  # Hack for sake of the dev shell
-  passthru.externalNativeBuildInputs = [
-    meson
-    ninja
-    (lib.getBin lowdown-unsandboxed)
-    mdbook
-    jq
-    python3
-    rsync
-    changelog-d
-  ]
-  ++ lib.optionals (!officialRelease) [
-    # When not an official release, we likely have changelog entries that have
-    # yet to be rendered.
-    # When released, these are rendered into a committed file to save a dependency.
-    changelog-d
-  ];
+  passthru.externalNativeBuildInputs =
+    [
+      meson
+      ninja
+      (lib.getBin lowdown-unsandboxed)
+      mdbook
+      mdbook-linkcheck
+      jq
+      python3
+      rsync
+      changelog-d
+    ]
+    ++ lib.optionals (!officialRelease) [
+      # When not an official release, we likely have changelog entries that have
+      # yet to be rendered.
+      # When released, these are rendered into a committed file to save a dependency.
+      changelog-d
+    ];

  nativeBuildInputs = finalAttrs.passthru.externalNativeBuildInputs ++ [
    nix-cli
--- a/doc/manual/rl-next/build-cores-auto-detect.md
+++ b/doc/manual/rl-next/build-cores-auto-detect.md
@@ -0,0 +1,6 @@
+---
+synopsis: "`build-cores = 0` now auto-detects CPU cores"
+prs: [13402]
+---
+
+When `build-cores` is set to `0`, nix now automatically detects the number of available CPU cores and passes this value via `NIX_BUILD_CORES`, instead of passing `0` directly. This matches the behavior when `build-cores` is unset. This prevents the builder from having to detect the number of cores.
--- a/doc/manual/rl-next/shorter-build-dir-names.md
+++ b/doc/manual/rl-next/shorter-build-dir-names.md
@@ -1,6 +0,0 @@
---
-synopsis: "Temporary build directories no longer include derivation names"
-prs: [13839]
---
-
-Temporary build directories created during derivation builds no longer include the derivation name in their path to avoid build failures when the derivation name is too long. This change ensures predictable prefix lengths for build directories under `/nix/var/nix/builds`.
--- a/doc/manual/source/SUMMARY.md.in
+++ b/doc/manual/source/SUMMARY.md.in
@@ -128,7 +128,6 @@
 - [Development](development/index.md)
  - [Building](development/building.md)
  - [Testing](development/testing.md)
-  - [Benchmarking](development/benchmarking.md)
  - [Debugging](development/debugging.md)
  - [Documentation](development/documentation.md)
  - [CLI guideline](development/cli-guideline.md)
@@ -138,7 +137,6 @@
  - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
-  - [Release 2.31 (2025-08-21)](release-notes/rl-2.31.md)
  - [Release 2.30 (2025-07-07)](release-notes/rl-2.30.md)
  - [Release 2.29 (2025-05-14)](release-notes/rl-2.29.md)
  - [Release 2.28 (2025-04-02)](release-notes/rl-2.28.md)
--- a/doc/manual/source/command-ref/env-common.md
+++ b/doc/manual/source/command-ref/env-common.md
@@ -75,7 +75,7 @@ Most Nix commands interpret the following environment variables:
 - <span id="env-NIX_CONF_DIR">[`NIX_CONF_DIR`](#env-NIX_CONF_DIR)</span>

  Overrides the location of the system Nix configuration directory
-  (default `sysconfdir/nix`, i.e. `/etc/nix` on most systems).
+  (default `prefix/etc/nix`).

 - <span id="env-NIX_CONFIG">[`NIX_CONFIG`](#env-NIX_CONFIG)</span>

--- a/doc/manual/source/command-ref/meson.build
+++ b/doc/manual/source/command-ref/meson.build
@@ -1,12 +1,13 @@
 xp_features_json = custom_target(
-  command : [ nix, '__dump-xp-features' ],
+  command : [nix, '__dump-xp-features'],
  capture : true,
  output : 'xp-features.json',
 )

 experimental_features_shortlist_md = custom_target(
  command : nix_eval_for_docs + [
-    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr',
+    'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
  ],
  input : [
    '../../generate-xp-features-shortlist.nix',
@@ -18,8 +19,14 @@ experimental_features_shortlist_md = custom_target(
 )

 nix3_cli_files = custom_target(
-  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
-    '--expr', 'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
+  command : [
+    python.full_path(),
+    '@INPUT0@',
+    '@OUTPUT@',
+    '--'
+  ] + nix_eval_for_docs + [
+    '--expr',
+    'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
  ],
  input : [
    '../../remove_before_wrapper.py',
@@ -33,7 +40,8 @@ nix3_cli_files = custom_target(
 conf_file_md_body = custom_target(
  command : [
    nix_eval_for_docs,
-    '--expr', 'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr',
+    'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
  ],
  capture : true,
  input : [
--- a/doc/manual/source/development/benchmarking.md
+++ b/doc/manual/source/development/benchmarking.md
@@ -1,187 +0,0 @@
-# Running Benchmarks
-
-This guide explains how to build and run performance benchmarks in the Nix codebase.
-
-## Overview
-
-Nix uses the [Google Benchmark](https://github.com/google/benchmark) framework for performance testing. Benchmarks help measure and track the performance of critical operations like derivation parsing.
-
-## Building Benchmarks
-
-Benchmarks are disabled by default and must be explicitly enabled during the build configuration. For accurate results, use a debug-optimized release build.
-
-### Development Environment Setup
-
-First, enter the development shell which includes the necessary dependencies:
-
-```bash
-nix develop .#native-ccacheStdenv
-```
-
-### Configure Build with Benchmarks
-
-From the project root, configure the build with benchmarks enabled and optimization:
-
-```bash
-cd build
-meson configure -Dbenchmarks=true -Dbuildtype=debugoptimized
-```
-
-The `debugoptimized` build type provides:
- Compiler optimizations for realistic performance measurements
- Debug symbols for profiling and analysis
- Balance between performance and debuggability
-
-### Build the Benchmarks
-
-Build the project including benchmarks:
-
-```bash
-ninja
-```
-
-This will create benchmark executables in the build directory. Currently available:
- `build/src/libstore-tests/nix-store-benchmarks` - Store-related performance benchmarks
-
-Additional benchmark executables will be created as more benchmarks are added to the codebase.
-
-## Running Benchmarks
-
-### Basic Usage
-
-Run benchmark executables directly. For example, to run store benchmarks:
-
-```bash
-./build/src/libstore-tests/nix-store-benchmarks
-```
-
-As more benchmark executables are added, run them similarly from their respective build directories.
-
-### Filtering Benchmarks
-
-Run specific benchmarks using regex patterns:
-
-```bash
-# Run only derivation parser benchmarks
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter="derivation.*"
-
-# Run only benchmarks for hello.drv
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter=".*hello.*"
-```
-
-### Output Formats
-
-Generate benchmark results in different formats:
-
-```bash
-# JSON output
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > results.json
-
-# CSV output
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=csv > results.csv
-```
-
-### Advanced Options
-
-```bash
-# Run benchmarks multiple times for better statistics
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_repetitions=10
-
-# Set minimum benchmark time (useful for micro-benchmarks)
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_min_time=2
-
-# Compare against baseline
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
-
-# Display time in custom units
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_time_unit=ms
-```
-
-## Writing New Benchmarks
-
-To add new benchmarks:
-
-1. Create a new `.cc` file in the appropriate `*-tests` directory
-2. Include the benchmark header:
-   ```cpp
-   #include <benchmark/benchmark.h>
-   ```
-
-3. Write benchmark functions:
-   ```cpp
-   static void BM_YourBenchmark(benchmark::State & state)
-   {
-       // Setup code here
-
-       for (auto _ : state) {
-           // Code to benchmark
-       }
-   }
-   BENCHMARK(BM_YourBenchmark);
-   ```
-
-4. Add the file to the corresponding `meson.build`:
-   ```meson
-   benchmarks_sources = files(
-       'your-benchmark.cc',
-       # existing benchmarks...
-   )
-   ```
-
-## Profiling with Benchmarks
-
-For deeper performance analysis, combine benchmarks with profiling tools:
-
-```bash
-# Using Linux perf
-perf record ./build/src/libstore-tests/nix-store-benchmarks
-perf report
-```
-
-### Using Valgrind Callgrind
-
-Valgrind's callgrind tool provides detailed profiling information that can be visualized with kcachegrind:
-
-```bash
-# Profile with callgrind
-valgrind --tool=callgrind ./build/src/libstore-tests/nix-store-benchmarks
-
-# Visualize the results with kcachegrind
-kcachegrind callgrind.out.*
-```
-
-This provides:
- Function call graphs
- Instruction-level profiling
- Source code annotation
- Interactive visualization of performance bottlenecks
-
-## Continuous Performance Testing
-
-```bash
-# Save baseline results
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > baseline.json
-
-# Compare against baseline in CI
-./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
-```
-
-## Troubleshooting
-
-### Benchmarks not building
-
-Ensure benchmarks are enabled:
-```bash
-meson configure build | grep benchmarks
-# Should show: benchmarks true
-```
-
-### Inconsistent results
-
- Ensure your system is not under heavy load
- Disable CPU frequency scaling for consistent results
- Run benchmarks multiple times with `--benchmark_repetitions`
-
-## See Also
-
- [Google Benchmark documentation](https://github.com/google/benchmark/blob/main/docs/user_guide.md)
--- a/doc/manual/source/development/building.md
+++ b/doc/manual/source/development/building.md
@@ -215,18 +215,14 @@ nix build .#nix-everything-x86_64-w64-mingw32

 For historic reasons and backward-compatibility, some CPU and OS identifiers are translated as follows:

-| `host_machine.cpu_family()` | `host_machine.endian()` | Nix                 |
-|-----------------------------|-------------------------|---------------------|
-| `x86`                       |                         | `i686`              |
-| `arm`                       |                         | `host_machine.cpu()`|
-| `ppc`                       | `little`                | `powerpcle`         |
-| `ppc64`                     | `little`                | `powerpc64le`       |
-| `ppc`                       | `big`                   | `powerpc`           |
-| `ppc64`                     | `big`                   | `powerpc64`         |
-| `mips`                      | `little`                | `mipsel`            |
-| `mips64`                    | `little`                | `mips64el`          |
-| `mips`                      | `big`                   | `mips`              |
-| `mips64`                    | `big`                   | `mips64`            |
+| `config.guess`             | Nix                 |
+|----------------------------|---------------------|
+| `amd64`                    | `x86_64`            |
+| `i*86`                     | `i686`              |
+| `arm6`                     | `arm6l`             |
+| `arm7`                     | `arm7l`             |
+| `linux-gnu*`               | `linux`             |
+| `linux-musl*`              | `linux`             |

 ## Compilation environments

--- a/doc/manual/source/development/meson.build
+++ b/doc/manual/source/development/meson.build
@@ -1,6 +1,7 @@
 experimental_feature_descriptions_md = custom_target(
  command : nix_eval_for_docs + [
-    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
+    '--expr',
+    'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
  ],
  input : [
    '../../generate-xp-features.nix',
--- a/doc/manual/source/installation/prerequisites-source.md
+++ b/doc/manual/source/installation/prerequisites-source.md
@@ -10,7 +10,7 @@
  - Bash Shell. The `./configure` script relies on bashisms, so Bash is
    required.

-  - A version of GCC or Clang that supports C++23.
+  - A version of GCC or Clang that supports C++20.

  - `pkg-config` to locate dependencies. If your distribution does not
    provide it, you can get it from
--- a/doc/manual/source/installation/uninstall.md
+++ b/doc/manual/source/installation/uninstall.md
@@ -41,38 +41,6 @@ There may also be references to Nix in

 which you may remove.

-### FreeBSD
-
-1. Stop and remove the Nix daemon service:
-
-   ```console
-   sudo service nix-daemon stop
-   sudo rm -f /usr/local/etc/rc.d/nix-daemon
-   sudo sysrc -x nix_daemon_enable
-   ```
-
-2. Remove files created by Nix:
-
-   ```console
-   sudo rm -rf /etc/nix /usr/local/etc/profile.d/nix.sh /nix ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
-   ```
-
-3. Remove build users and their group:
-
-   ```console
-   for i in $(seq 1 32); do
-     sudo pw userdel nixbld$i
-   done
-   sudo pw groupdel nixbld
-   ```
-
-4. There may also be references to Nix in:
-   - `/usr/local/etc/bashrc`
-   - `/usr/local/etc/zshrc`
-   - Shell configuration files in users' home directories
-
-   which you may remove.
-
 ### macOS

 > **Updating to macOS 15 Sequoia**
--- a/doc/manual/source/language/advanced-attributes.md
+++ b/doc/manual/source/language/advanced-attributes.md
@@ -160,6 +160,7 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
 ## Other output modifications

  - [`unsafeDiscardReferences`]{#adv-attr-unsafeDiscardReferences}\
+
    When using [structured attributes](#adv-attr-structuredAttrs), the
    attribute `unsafeDiscardReferences` is an attribute set with a boolean value for each output name.
    If set to `true`, it disables scanning the output for runtime dependencies.
@@ -194,6 +195,7 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
    [`builder`]: ./derivations.md#attr-builder

 - [`requiredSystemFeatures`]{#adv-attr-requiredSystemFeatures}\
+
  If a derivation has the `requiredSystemFeatures` attribute, then Nix will only build it on a machine that has the corresponding features set in its [`system-features` configuration](@docroot@/command-ref/conf-file.md#conf-system-features).

  For example, setting
--- a/doc/manual/source/language/meson.build
+++ b/doc/manual/source/language/meson.build
@@ -1,13 +1,19 @@
 builtins_md = custom_target(
-  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
-    '--expr', '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
+  command : [
+    python.full_path(),
+    '@INPUT0@',
+    '@OUTPUT@',
+    '--'
+  ] + nix_eval_for_docs + [
+    '--expr',
+    '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
  ],
  input : [
    '../../remove_before_wrapper.py',
    '../../generate-builtins.nix',
    language_json,
    'builtins-prefix.md',
-    'builtins-suffix.md',
+    'builtins-suffix.md'
  ],
  output : 'builtins.md',
  env : nix_env_for_docs,
--- a/doc/manual/source/meson.build
+++ b/doc/manual/source/meson.build
@@ -1,8 +1,7 @@
 summary_rl_next = custom_target(
  command : [
    bash,
-    '-euo',
-    'pipefail',
+    '-euo', 'pipefail',
    '-c',
    '''
      if [ -e "@INPUT@" ]; then
@@ -13,6 +12,6 @@ summary_rl_next = custom_target(
  input : [
    rl_next_generated,
  ],
-  capture : true,
+  capture: true,
  output : 'SUMMARY-rl-next.md',
 )
--- a/doc/manual/source/protocols/nix-archive.md
+++ b/doc/manual/source/protocols/nix-archive.md
@@ -24,7 +24,7 @@ nar-obj-inner
  | str("type"), str("directory") directory
  ;

-regular = [ str("executable") ], str("contents"), str(contents);
+regular = [ str("executable"), str("") ], str("contents"), str(contents);

 symlink = str("target"), str(target);

--- a/doc/manual/source/release-notes/rl-2.31.md
+++ b/doc/manual/source/release-notes/rl-2.31.md
@@ -1,96 +0,0 @@
-# Release 2.31.0 (2025-08-21)
-
- `build-cores = 0` now auto-detects CPU cores [#13402](https://github.com/NixOS/nix/pull/13402)
-
-  When `build-cores` is set to `0`, Nix now automatically detects the number of available CPU cores and passes this value via `NIX_BUILD_CORES`, instead of passing `0` directly. This matches the behavior when `build-cores` is unset. This prevents the builder from having to detect the number of cores.
-
- Fix Git LFS SSH issues [#13337](https://github.com/NixOS/nix/issues/13337) [#13743](https://github.com/NixOS/nix/pull/13743)
-
-  Fixed some outstanding issues with Git LFS and SSH.
-
-  * Added support for `NIX_SSHOPTS`.
-  * Properly use the parsed port from URL.
-  * Better use of the response of `git-lfs-authenticate` to determine API endpoint when the API is not exposed on port 443.
-
- Add support for `user@address:port` syntax in store URIs [#7044](https://github.com/NixOS/nix/issues/7044) [#3425](https://github.com/NixOS/nix/pull/3425)
-
-  It's now possible to specify the port used for SSH stores directly in the store URL in accordance with [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986). Previously the only way to specify custom ports was via `ssh_config` or the `NIX_SSHOPTS` environment variable, because Nix incorrectly passed the port number together with the host name to the SSH executable.
-
-  This change affects [store references](@docroot@/store/types/index.md#store-url-format) passed via the `--store` and similar flags in CLI as well as in the configuration for [remote builders](@docroot@/command-ref/conf-file.md#conf-builders). For example, the following store URIs now work:
-
-  - `ssh://127.0.0.1:2222`
-  - `ssh://[b573:6a48:e224:840b:6007:6275:f8f7:ebf3]:22`
-  - `ssh-ng://[b573:6a48:e224:840b:6007:6275:f8f7:ebf3]:22`
-
- Represent IPv6 RFC4007 ZoneId literals in conformance with RFC6874 [#13445](https://github.com/NixOS/nix/pull/13445)
-
-  Prior versions of Nix since [#4646](https://github.com/NixOS/nix/pull/4646) accepted [IPv6 scoped addresses](https://datatracker.ietf.org/doc/html/rfc4007) in URIs like [store references](@docroot@/store/types/index.md#store-url-format) in the textual representation with a literal percent character: `[fe80::1%18]`. This was ambiguous, because the the percent literal `%` is reserved by [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986), since it's used to indicate percent encoding. Nix now requires that the percent `%` symbol is percent-encoded as `%25`. This implements [RFC6874](https://datatracker.ietf.org/doc/html/rfc6874), which defines the representation of zone identifiers in URIs. The example from above now has to be specified as `[fe80::1%2518]`.
-
- Use WAL mode for SQLite cache databases [#13800](https://github.com/NixOS/nix/pull/13800)
-
-  Previously, Nix used SQLite's "truncate" mode for caches. However, this could cause a Nix process to block if another process was updating the cache. This was a problem for the flake evaluation cache in particular, since it uses long-running transactions. Thus, concurrent Nix commands operating on the same flake could be blocked for an unbounded amount of time. WAL mode avoids this problem.
-
-  This change required updating the versions of the SQLite caches. For instance, `eval-cache-v5.sqlite` is now `eval-cache-v6.sqlite`.
-
- Enable parallel marking in bdwgc [#13708](https://github.com/NixOS/nix/pull/13708)
-
-  Previously marking was done by only one thread, which takes a long time if the heap gets big. Enabling parallel marking speeds up evaluation a lot, for example (on a Ryzen 9 5900X 12-Core):
-
-  * `nix search nixpkgs` from 24.3s to 18.9s.
-  * Evaluating the `NixOS/nix/2.21.2` flake regression test from 86.1s to 71.2s.
-
- New command `nix flake prefetch-inputs` [#13565](https://github.com/NixOS/nix/pull/13565)
-
-  This command fetches all inputs of a flake in parallel. This can be a lot faster than the serialized on-demand fetching during regular flake evaluation. The downside is that it may fetch inputs that aren't normally used.
-
- Add `warn-short-path-literals` setting [#13489](https://github.com/NixOS/nix/pull/13489)
-
-  This setting, when enabled, causes Nix to emit warnings when encountering relative path literals that don't start with `.` or `/`, for instance suggesting that `foo/bar` should be rewritten to `./foo/bar`.
-
- When updating a lock, respect the input's lock file [#13437](https://github.com/NixOS/nix/pull/13437)
-
-  For example, if a flake has a lock for `a` and `a/b`, and we change the flakeref for `a`, previously Nix would fetch the latest version of `b` rather than using the lock for `b` from `a`.
-
- Implement support for Git hashing with SHA-256 [#13543](https://github.com/NixOS/nix/pull/13543)
-
-  The experimental support for [Git-hashing](@docroot@/development/experimental-features.md#xp-feature-git-hashing) store objects now also includes support for SHA-256, not just SHA-1, in line with upstream Git.
-
-## Contributors
-
-This release was made possible by the following 34 contributors:
-
- John Soo [**(@jsoo1)**](https://github.com/jsoo1)
- Alan Urmancheev [**(@alurm)**](https://github.com/alurm)
- Manse [**(@PedroManse)**](https://github.com/PedroManse)
- Pol Dellaiera [**(@drupol)**](https://github.com/drupol)
- DavHau [**(@DavHau)**](https://github.com/DavHau)
- Leandro Emmanuel Reina Kiperman [**(@kip93)**](https://github.com/kip93)
- h0nIg [**(@h0nIg)**](https://github.com/h0nIg)
- Philip Taron [**(@philiptaron)**](https://github.com/philiptaron)
- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
- Connor Baker [**(@ConnorBaker)**](https://github.com/ConnorBaker)
- kenji [**(@a-kenji)**](https://github.com/a-kenji)
- Oleksandr Knyshuk [**(@k1gen)**](https://github.com/k1gen)
- Maciej Krüger [**(@mkg20001)**](https://github.com/mkg20001)
- Justin Bailey [**(@jgbailey-well)**](https://github.com/jgbailey-well)
- Emily [**(@emilazy)**](https://github.com/emilazy)
- Volker Diels-Grabsch [**(@vog)**](https://github.com/vog)
- gustavderdrache [**(@gustavderdrache)**](https://github.com/gustavderdrache)
- Elliot Cameron [**(@de11n)**](https://github.com/de11n)
- Alexander V. Nikolaev [**(@avnik)**](https://github.com/avnik)
- tomberek [**(@tomberek)**](https://github.com/tomberek)
- Matthew Kenigsberg [**(@mkenigs)**](https://github.com/mkenigs)
- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
- Cosima Neidahl [**(@OPNA2608)**](https://github.com/OPNA2608)
- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
- m4dc4p [**(@m4dc4p)**](https://github.com/m4dc4p)
- Graham Christensen [**(@grahamc)**](https://github.com/grahamc)
- Jason Yundt [**(@Jayman2000)**](https://github.com/Jayman2000)
- Jens Petersen [**(@juhp)**](https://github.com/juhp)
- the-sun-will-rise-tomorrow [**(@the-sun-will-rise-tomorrow)**](https://github.com/the-sun-will-rise-tomorrow)
- Farid Zakaria [**(@fzakaria)**](https://github.com/fzakaria)
- AGawas [**(@aln730)**](https://github.com/aln730)
- Robert Hensing [**(@roberth)**](https://github.com/roberth)
- Dmitry Bogatov [**(@KAction)**](https://github.com/KAction)
- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
- Philipp Otterbein
--- a/doc/manual/source/release-notes/rl-2.8.md
+++ b/doc/manual/source/release-notes/rl-2.8.md
@@ -48,6 +48,6 @@

 * `nix run` is now stricter in what it accepts: members of the `apps`
  flake output are now required to be apps (as defined in [the
-  manual](https://nix.dev/manual/nix/stable/command-ref/new-cli/nix3-run.html#apps)),
+  manual](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-run.html#apps)),
  and members of `packages` or `legacyPackages` must be derivations
  (not apps).
--- a/doc/manual/source/store/building.md
+++ b/doc/manual/source/store/building.md
@@ -12,11 +12,10 @@

 The [`builder`](./derivation/index.md#builder) is executed as follows:

- A temporary directory is created where the build will take place. The
+- A temporary directory is created under the directory specified by
+  `TMPDIR` (default `/tmp`) where the build will take place. The
  current directory is changed to this directory.

-  See the per-store [`build-dir`](@docroot@/store/types/local-store.md#store-local-store-build-dir) setting for more information.
-
 - The environment is cleared and set to the derivation attributes, as
  specified above.

--- a/doc/manual/source/store/derivation/index.md
+++ b/doc/manual/source/store/derivation/index.md
@@ -9,7 +9,7 @@ This is where Nix distinguishes itself.

 ## Store Derivation {#store-derivation}

-A derivation is a specification for running an executable on precisely defined input to produce one or more [store objects][store object].
+A derivation is a specification for running an executable on precisely defined input to produce on more [store objects][store object].
 These store objects are known as the derivation's *outputs*.

 Derivations are *built*, in which case the process is spawned according to the spec, and when it exits, required to leave behind files which will (after post-processing) become the outputs of the derivation.
--- a/doc/manual/source/store/meson.build
+++ b/doc/manual/source/store/meson.build
@@ -1,6 +1,12 @@
 types_dir = custom_target(
-  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
-    '--expr', 'import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)).stores',
+  command : [
+    python.full_path(),
+    '@INPUT0@',
+    '@OUTPUT@',
+    '--'
+  ] + nix_eval_for_docs + [
+    '--expr',
+    'import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)).stores',
  ],
  input : [
    '../../remove_before_wrapper.py',
--- a/doc/manual/substitute.py
+++ b/doc/manual/substitute.py
@@ -41,10 +41,6 @@ def recursive_replace(data: dict[str, t.Any], book_root: Path, search_path: Path
            return data | dict(
                sections = [recursive_replace(section, book_root, search_path) for section in sections],
            )
-        case {'items': items}:
-            return data | dict(
-                items = [recursive_replace(item, book_root, search_path) for item in items],
-            )
        case {'Chapter': chapter}:
            path_to_chapter = Path(chapter['path'])
            chapter_content = chapter['content']
--- a/docker.nix
+++ b/docker.nix
@@ -65,60 +65,61 @@ let
    iana-etc
    gitMinimal
    openssh
-  ]
-  ++ extraPkgs;
+  ] ++ extraPkgs;

-  users = {
+  users =
+    {

-    root = {
-      uid = 0;
-      shell = lib.getExe bashInteractive;
-      home = "/root";
-      gid = 0;
-      groups = [ "root" ];
-      description = "System administrator";
-    };
-
-    nobody = {
-      uid = 65534;
-      shell = lib.getExe' shadow "nologin";
-      home = "/var/empty";
-      gid = 65534;
-      groups = [ "nobody" ];
-      description = "Unprivileged account (don't use!)";
-    };
-
-  }
-  // lib.optionalAttrs (uid != 0) {
-    "${uname}" = {
-      uid = uid;
-      shell = lib.getExe bashInteractive;
-      home = "/home/${uname}";
-      gid = gid;
-      groups = [ "${gname}" ];
-      description = "Nix user";
-    };
-  }
-  // lib.listToAttrs (
-    map (n: {
-      name = "nixbld${toString n}";
-      value = {
-        uid = 30000 + n;
-        gid = 30000;
-        groups = [ "nixbld" ];
-        description = "Nix build user ${toString n}";
+      root = {
+        uid = 0;
+        shell = lib.getExe bashInteractive;
+        home = "/root";
+        gid = 0;
+        groups = [ "root" ];
+        description = "System administrator";
      };
-    }) (lib.lists.range 1 32)
-  );

-  groups = {
-    root.gid = 0;
-    nixbld.gid = 30000;
-    nobody.gid = 65534;
-  }
-  // lib.optionalAttrs (gid != 0) {
-    "${gname}".gid = gid;
-  };
+      nobody = {
+        uid = 65534;
+        shell = lib.getExe' shadow "nologin";
+        home = "/var/empty";
+        gid = 65534;
+        groups = [ "nobody" ];
+        description = "Unprivileged account (don't use!)";
+      };
+
+    }
+    // lib.optionalAttrs (uid != 0) {
+      "${uname}" = {
+        uid = uid;
+        shell = lib.getExe bashInteractive;
+        home = "/home/${uname}";
+        gid = gid;
+        groups = [ "${gname}" ];
+        description = "Nix user";
+      };
+    }
+    // lib.listToAttrs (
+      map (n: {
+        name = "nixbld${toString n}";
+        value = {
+          uid = 30000 + n;
+          gid = 30000;
+          groups = [ "nixbld" ];
+          description = "Nix build user ${toString n}";
+        };
+      }) (lib.lists.range 1 32)
+    );
+
+  groups =
+    {
+      root.gid = 0;
+      nixbld.gid = 30000;
+      nobody.gid = 65534;
+    }
+    // lib.optionalAttrs (gid != 0) {
+      "${gname}".gid = gid;
+    };

  userToPasswd = (
    k:
@@ -310,7 +311,6 @@ let
          # see doc/manual/source/command-ref/files/profiles.md
          ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
          ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
-          ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile

          # see doc/manual/source/command-ref/files/channels.md
          ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link
--- a/flake.lock
+++ b/flake.lock
@@ -63,16 +63,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1761597516,
-        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "lastModified": 1747179050,
+        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
  description = "The purely functional package manager";

-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

  inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
  inputs.nixpkgs-23-11.url = "github:NixOS/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446";
@@ -32,7 +32,7 @@
    let
      inherit (nixpkgs) lib;

-      officialRelease = true;
+      officialRelease = false;

      linux32BitSystems = [ "i686-linux" ];
      linux64BitSystems = [
@@ -131,107 +131,31 @@
        }
      );

-      /**
-        Produce the `nixComponents` and `nixDependencies` package sets (scopes) for
-        a given `pkgs` and `getStdenv`.
-      */
-      packageSetsFor =
+      overlayFor =
+        getStdenv: final: prev:
        let
-          /**
-            Removes a prefix from the attribute names of a set of splices.
-            This is a completely uninteresting and exists for compatibility only.
-
-            Example:
-            ```nix
-            renameSplicesFrom "pkgs" { pkgsBuildBuild = ...; ... }
-            => { buildBuild = ...; ... }
-            ```
-          */
-          renameSplicesFrom = prefix: x: {
-            buildBuild = x."${prefix}BuildBuild";
-            buildHost = x."${prefix}BuildHost";
-            buildTarget = x."${prefix}BuildTarget";
-            hostHost = x."${prefix}HostHost";
-            hostTarget = x."${prefix}HostTarget";
-            targetTarget = x."${prefix}TargetTarget";
-          };
-
-          /**
-            Adds a prefix to the attribute names of a set of splices.
-            This is a completely uninteresting and exists for compatibility only.
-
-            Example:
-            ```nix
-            renameSplicesTo "self" { buildBuild = ...; ... }
-            => { selfBuildBuild = ...; ... }
-            ```
-          */
-          renameSplicesTo = prefix: x: {
-            "${prefix}BuildBuild" = x.buildBuild;
-            "${prefix}BuildHost" = x.buildHost;
-            "${prefix}BuildTarget" = x.buildTarget;
-            "${prefix}HostHost" = x.hostHost;
-            "${prefix}HostTarget" = x.hostTarget;
-            "${prefix}TargetTarget" = x.targetTarget;
-          };
-
-          /**
-            Takes a function `f` and returns a function that applies `f` pointwise to each splice.
-
-            Example:
-            ```nix
-            mapSplices (x: x * 10) { buildBuild = 1; buildHost = 2; ... }
-            => { buildBuild = 10; buildHost = 20; ... }
-            ```
-          */
-          mapSplices =
-            f:
-            {
-              buildBuild,
-              buildHost,
-              buildTarget,
-              hostHost,
-              hostTarget,
-              targetTarget,
-            }:
-            {
-              buildBuild = f buildBuild;
-              buildHost = f buildHost;
-              buildTarget = f buildTarget;
-              hostHost = f hostHost;
-              hostTarget = f hostTarget;
-              targetTarget = f targetTarget;
-            };
-
+          stdenv = getStdenv final;
        in
-        args@{
-          pkgs,
-          getStdenv ? pkgs: pkgs.stdenv,
-        }:
-        let
-          nixComponentsSplices = mapSplices (
-            pkgs': (packageSetsFor (args // { pkgs = pkgs'; })).nixComponents
-          ) (renameSplicesFrom "pkgs" pkgs);
-          nixDependenciesSplices = mapSplices (
-            pkgs': (packageSetsFor (args // { pkgs = pkgs'; })).nixDependencies
-          ) (renameSplicesFrom "pkgs" pkgs);
+        {
+          nixStable = prev.nix;

          # A new scope, so that we can use `callPackage` to inject our own interdependencies
          # without "polluting" the top level "`pkgs`" attrset.
          # This also has the benefit of providing us with a distinct set of packages
          # we can iterate over.
-          nixComponents =
+          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
+          nixComponents2 =
            lib.makeScopeWithSplicing'
              {
-                inherit (pkgs) splicePackages;
-                inherit (nixDependencies) newScope;
+                inherit (final) splicePackages;
+                inherit (final.nixDependencies2) newScope;
              }
              {
-                otherSplices = renameSplicesTo "self" nixComponentsSplices;
+                otherSplices = final.generateSplicesForMkScope "nixComponents2";
                f = import ./packaging/components.nix {
-                  inherit (pkgs) lib;
+                  inherit (final) lib;
                  inherit officialRelease;
-                  inherit pkgs;
+                  pkgs = final;
                  src = self;
                  maintainers = [ ];
                };
@@ -239,71 +163,29 @@

          # The dependencies are in their own scope, so that they don't have to be
          # in Nixpkgs top level `pkgs` or `nixComponents2`.
-          nixDependencies =
+          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
+          nixDependencies2 =
            lib.makeScopeWithSplicing'
              {
-                inherit (pkgs) splicePackages;
-                inherit (pkgs) newScope; # layered directly on pkgs, unlike nixComponents2 above
+                inherit (final) splicePackages;
+                inherit (final) newScope; # layered directly on pkgs, unlike nixComponents2 above
              }
              {
-                otherSplices = renameSplicesTo "self" nixDependenciesSplices;
+                otherSplices = final.generateSplicesForMkScope "nixDependencies2";
                f = import ./packaging/dependencies.nix {
-                  inherit inputs pkgs;
-                  stdenv = getStdenv pkgs;
+                  inherit inputs stdenv;
+                  pkgs = final;
                };
              };

-          # If the package set is largely empty, we should(?) return empty sets
-          # This is what most package sets in Nixpkgs do. Otherwise, we get
-          # an error message that indicates that some stdenv attribute is missing,
-          # and indeed it will be missing, as seemingly `pkgsTargetTarget` is
-          # very incomplete.
-          fixup = lib.mapAttrs (k: v: if !(pkgs ? nix) then { } else v);
-        in
-        fixup {
-          inherit nixDependencies;
-          inherit nixComponents;
-        };
-
-      overlayFor =
-        getStdenv: final: prev:
-        let
-          packageSets = packageSetsFor {
-            inherit getStdenv;
-            pkgs = final;
-          };
-        in
-        {
-          nixStable = prev.nix;
-
-          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
-          nixComponents2 = packageSets.nixComponents;
-
-          # The dependencies are in their own scope, so that they don't have to be
-          # in Nixpkgs top level `pkgs` or `nixComponents2`.
-          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
-          nixDependencies2 = packageSets.nixDependencies;
-
          nix = final.nixComponents2.nix-cli;
        };

    in
    {
-      overlays.internal = overlayFor (p: p.stdenv);
-
-      /**
-        A Nixpkgs overlay that sets `nix` to something like `packages.<system>.nix-everything`,
-        except dependencies aren't taken from (flake) `nix.inputs.nixpkgs`, but from the Nixpkgs packages
-        where the overlay is used.
-      */
-      overlays.default =
-        final: prev:
-        let
-          packageSets = packageSetsFor { pkgs = final; };
-        in
-        {
-          nix = packageSets.nixComponents.nix-everything;
-        };
+      # A Nixpkgs overlay that overrides the 'nix' and
+      # 'nix-perl-bindings' packages.
+      overlays.default = overlayFor (p: p.stdenv);

      hydraJobs = import ./packaging/hydra.nix {
        inherit
@@ -320,11 +202,43 @@

      checks = forAllSystems (
        system:
-        (import ./ci/gha/tests {
-          inherit system;
-          pkgs = nixpkgsFor.${system}.native;
-          nixFlake = self;
-        }).topLevel
+        {
+          installerScriptForGHA = self.hydraJobs.installerScriptForGHA.${system};
+          installTests = self.hydraJobs.installTests.${system};
+          nixpkgsLibTests = self.hydraJobs.tests.nixpkgsLibTests.${system};
+          rl-next =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+            in
+            pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
+              LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${./doc/manual/rl-next} >$out
+            '';
+          repl-completion = nixpkgsFor.${system}.native.callPackage ./tests/repl-completion.nix { };
+
+          /**
+            Checks for our packaging expressions.
+            This shouldn't build anything significant; just check that things
+            (including derivations) are _set up_ correctly.
+          */
+          packaging-overriding =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+              nix = self.packages.${system}.nix;
+            in
+            assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
+            if pkgs.stdenv.buildPlatform.isDarwin then
+              lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
+            else
+              # If this fails, something might be wrong with how we've wired the scope,
+              # or something could be broken in Nixpkgs.
+              pkgs.testers.testEqualContents {
+                assertion = "trivial patch does not change source contents";
+                expected = "${./.}";
+                actual =
+                  # Same for all components; nix-util is an arbitrary pick
+                  (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
+              };
+        }
        // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
          dockerImage = self.hydraJobs.dockerImage.${system};
        }
@@ -337,20 +251,58 @@
        # Add "passthru" tests
        //
          flatMapAttrs
-            {
-              "" = {
-                pkgs = nixpkgsFor.${system}.native;
-              };
-            }
            (
-              nixpkgsPrefix: args:
-              (import ./ci/gha/tests (
-                args
-                // {
-                  nixFlake = self;
-                  componentTestsPrefix = nixpkgsPrefix;
-                }
-              )).componentTests
+              {
+                # Run all tests with UBSAN enabled. Running both with ubsan and
+                # without doesn't seem to have much immediate benefit for doubling
+                # the GHA CI workaround.
+                #
+                # TODO: Work toward enabling "address,undefined" if it seems feasible.
+                # This would maybe require dropping Boost coroutines and ignoring intentional
+                # memory leaks with detect_leaks=0.
+                "" = rec {
+                  nixpkgs = nixpkgsFor.${system}.native;
+                  nixComponents = nixpkgs.nixComponents2.overrideScope (
+                    nixCompFinal: nixCompPrev: {
+                      mesonComponentOverrides = _finalAttrs: prevAttrs: {
+                        mesonFlags =
+                          (prevAttrs.mesonFlags or [ ])
+                          # TODO: Macos builds instrumented with ubsan take very long
+                          # to run functional tests.
+                          ++ lib.optionals (!nixpkgs.stdenv.hostPlatform.isDarwin) [
+                            (lib.mesonOption "b_sanitize" "undefined")
+                          ];
+                      };
+                    }
+                  );
+                };
+              }
+              // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
+                # TODO: enable static builds for darwin, blocked on:
+                #       https://github.com/NixOS/nixpkgs/issues/320448
+                # TODO: disabled to speed up GHA CI.
+                # "static-" = {
+                #   nixpkgs = nixpkgsFor.${system}.native.pkgsStatic;
+                # };
+              }
+            )
+            (
+              nixpkgsPrefix:
+              {
+                nixpkgs,
+                nixComponents ? nixpkgs.nixComponents2,
+              }:
+              flatMapAttrs nixComponents (
+                pkgName: pkg:
+                flatMapAttrs pkg.tests or { } (
+                  testName: test: {
+                    "${nixpkgsPrefix}${pkgName}-${testName}" = test;
+                  }
+                )
+              )
+              // lib.optionalAttrs (nixpkgs.stdenv.hostPlatform == nixpkgs.stdenv.buildPlatform) {
+                "${nixpkgsPrefix}nix-functional-tests" = nixComponents.nix-functional-tests;
+              }
            )
        // devFlake.checks.${system} or { }
      );
@@ -513,53 +465,5 @@
            default = self.devShells.${system}.native;
          }
        );
-
-      lib = {
-        /**
-          Creates a package set for a given Nixpkgs instance and stdenv.
-
-          # Inputs
-
-          - `pkgs`: The Nixpkgs instance to use.
-
-          - `getStdenv`: _Optional_ A function that takes a package set and returns the stdenv to use.
-            This needs to be a function in order to support cross compilation - the `pkgs` passed to `getStdenv` can be `pkgsBuildHost` or any other variation needed.
-
-          # Outputs
-
-          The return value is a fresh Nixpkgs scope containing all the packages that are defined in the Nix repository,
-          as well as some internals and parameters, which may be subject to change.
-
-          # Example
-
-          ```console
-          nix repl> :lf NixOS/nix
-          nix-repl> ps = lib.makeComponents { pkgs = import inputs.nixpkgs { crossSystem = "riscv64-linux"; }; }
-          nix-repl> ps
-          {
-            appendPatches = «lambda appendPatches @ ...»;
-            callPackage = «lambda callPackageWith @ ...»;
-            overrideAllMesonComponents = «lambda overrideSource @ ...»;
-            overrideSource = «lambda overrideSource @ ...»;
-            # ...
-            nix-everything
-            # ...
-            nix-store
-            nix-store-c
-            # ...
-          }
-          ```
-        */
-        makeComponents =
-          {
-            pkgs,
-            getStdenv ? pkgs: pkgs.stdenv,
-          }:
-
-          let
-            packageSets = packageSetsFor { inherit getStdenv pkgs; };
-          in
-          packageSets.nixComponents;
-      };
    };
 }
--- a/maintainers/data/release-credits-email-to-handle.json
+++ b/maintainers/data/release-credits-email-to-handle.json
@@ -185,23 +185,5 @@
    "gwenn.lebihan7@gmail.com": "gwennlbh",
    "hey@ewen.works": "gwennlbh",
    "matt@sturgeon.me.uk": "MattSturgeon",
-    "pbsds@hotmail.com": "pbsds",
-    "sergei@zimmerman.foo": "xokdvium",
-    "v@njh.eu": "vog",
-    "pedro.manse@dmk3.com.br": "PedroManse",
-    "arnavgawas707@gmail.com": "aln730",
-    "mkg20001@gmail.com": "mkg20001",
-    "avn@avnik.info": "avnik",
-    "olk@disr.it": "k1gen",
-    "108410815+alurm@users.noreply.github.com": "alurm",
-    "kaction.cc@gmail.com": "KAction",
-    "juhpetersen@gmail.com": "juhp",
-    "opna2608@protonmail.com": "OPNA2608",
-    "jgbailey@gmail.com": "m4dc4p",
-    "justin.bailey@well.co": "jgbailey-well",
-    "130508846+de11n@users.noreply.github.com": "de11n",
-    "ConnorBaker01@Gmail.com": "ConnorBaker",
-    "jsoo1@asu.edu": "jsoo1",
-    "hsngrmpf+github@gmail.com": "DavHau",
-    "matthew@floxdev.com": "mkenigs"
+    "pbsds@hotmail.com": "pbsds"
 }
--- a/maintainers/data/release-credits-handle-to-name.json
+++ b/maintainers/data/release-credits-handle-to-name.json
@@ -162,20 +162,5 @@
    "pbsds": "Peder Bergebakken Sundt",
    "egorkonovalov": "Egor Konovalov",
    "jayeshv": "jayeshv",
-    "vcunat": "Vladim\u00edr \u010cun\u00e1t",
-    "mkenigs": "Matthew Kenigsberg",
-    "alurm": "Alan Urmancheev",
-    "jgbailey-well": "Justin Bailey",
-    "k1gen": "Oleksandr Knyshuk",
-    "juhp": "Jens Petersen",
-    "de11n": "Elliot Cameron",
-    "jsoo1": "John Soo",
-    "m4dc4p": null,
-    "PedroManse": "Manse",
-    "OPNA2608": "Cosima Neidahl",
-    "mkg20001": "Maciej Kr\u00fcger",
-    "avnik": "Alexander V. Nikolaev",
-    "DavHau": null,
-    "aln730": "AGawas",
-    "vog": "Volker Diels-Grabsch"
+    "vcunat": "Vladim\u00edr \u010cun\u00e1t"
 }
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -37,29 +37,118 @@
              fi
            ''}";
          };
-          meson-format =
-            let
-              meson = pkgs.meson.overrideAttrs {
-                doCheck = false;
-                doInstallCheck = false;
-                patches = [
-                  (pkgs.fetchpatch {
-                    url = "https://github.com/mesonbuild/meson/commit/38d29b4dd19698d5cad7b599add2a69b243fd88a.patch";
-                    hash = "sha256-PgPBvGtCISKn1qQQhzBW5XfknUe91i5XGGBcaUK4yeE=";
-                  })
-                ];
-              };
-            in
-            {
-              enable = true;
-              files = "(meson.build|meson.options)$";
-              entry = "${pkgs.writeScript "format-meson" ''
-                #!${pkgs.runtimeShell}
-                for file in "$@"; do
-                  ${lib.getExe meson} format -ic ${../meson.format} "$file"
-                done
-              ''}";
-            };
+          meson-format = {
+            enable = true;
+            files = "(meson.build|meson.options)$";
+            entry = "${pkgs.writeScript "format-meson" ''
+              #!${pkgs.runtimeShell}
+              for file in "$@"; do
+                ${lib.getExe pkgs.meson} format -ic ${../meson.format} "$file"
+              done
+            ''}";
+            excludes = [
+              # We haven't applied formatting to these files yet
+              ''^doc/manual/meson.build$''
+              ''^doc/manual/source/command-ref/meson.build$''
+              ''^doc/manual/source/development/meson.build$''
+              ''^doc/manual/source/language/meson.build$''
+              ''^doc/manual/source/meson.build$''
+              ''^doc/manual/source/release-notes/meson.build$''
+              ''^doc/manual/source/store/meson.build$''
+              ''^misc/bash/meson.build$''
+              ''^misc/fish/meson.build$''
+              ''^misc/launchd/meson.build$''
+              ''^misc/meson.build$''
+              ''^misc/systemd/meson.build$''
+              ''^misc/zsh/meson.build$''
+              ''^nix-meson-build-support/$''
+              ''^nix-meson-build-support/big-objs/meson.build$''
+              ''^nix-meson-build-support/common/meson.build$''
+              ''^nix-meson-build-support/deps-lists/meson.build$''
+              ''^nix-meson-build-support/export/meson.build$''
+              ''^nix-meson-build-support/export-all-symbols/meson.build$''
+              ''^nix-meson-build-support/generate-header/meson.build$''
+              ''^nix-meson-build-support/libatomic/meson.build$''
+              ''^nix-meson-build-support/subprojects/meson.build$''
+              ''^scripts/meson.build$''
+              ''^src/external-api-docs/meson.build$''
+              ''^src/internal-api-docs/meson.build$''
+              ''^src/libcmd/include/nix/cmd/meson.build$''
+              ''^src/libcmd/meson.build$''
+              ''^src/libcmd/nix-meson-build-support$''
+              ''^src/libexpr/include/nix/expr/meson.build$''
+              ''^src/libexpr/meson.build$''
+              ''^src/libexpr/nix-meson-build-support$''
+              ''^src/libexpr-c/meson.build$''
+              ''^src/libexpr-c/nix-meson-build-support$''
+              ''^src/libexpr-test-support/meson.build$''
+              ''^src/libexpr-test-support/nix-meson-build-support$''
+              ''^src/libexpr-tests/meson.build$''
+              ''^src/libexpr-tests/nix-meson-build-support$''
+              ''^src/libfetchers/include/nix/fetchers/meson.build$''
+              ''^src/libfetchers/meson.build$''
+              ''^src/libfetchers/nix-meson-build-support$''
+              ''^src/libfetchers-c/meson.build$''
+              ''^src/libfetchers-c/nix-meson-build-support$''
+              ''^src/libfetchers-tests/meson.build$''
+              ''^src/libfetchers-tests/nix-meson-build-support$''
+              ''^src/libflake/include/nix/flake/meson.build$''
+              ''^src/libflake/meson.build$''
+              ''^src/libflake/nix-meson-build-support$''
+              ''^src/libflake-c/meson.build$''
+              ''^src/libflake-c/nix-meson-build-support$''
+              ''^src/libflake-tests/meson.build$''
+              ''^src/libflake-tests/nix-meson-build-support$''
+              ''^src/libmain/include/nix/main/meson.build$''
+              ''^src/libmain/meson.build$''
+              ''^src/libmain/nix-meson-build-support$''
+              ''^src/libmain-c/meson.build$''
+              ''^src/libmain-c/nix-meson-build-support$''
+              ''^src/libstore/include/nix/store/meson.build$''
+              ''^src/libstore/meson.build$''
+              ''^src/libstore/nix-meson-build-support$''
+              ''^src/libstore/unix/include/nix/store/meson.build$''
+              ''^src/libstore/unix/meson.build$''
+              ''^src/libstore/windows/meson.build$''
+              ''^src/libstore-c/meson.build$''
+              ''^src/libstore-c/nix-meson-build-support$''
+              ''^src/libstore-test-support/include/nix/store/tests/meson.build$''
+              ''^src/libstore-test-support/meson.build$''
+              ''^src/libstore-test-support/nix-meson-build-support$''
+              ''^src/libstore-tests/meson.build$''
+              ''^src/libstore-tests/nix-meson-build-support$''
+              ''^src/libutil/meson.build$''
+              ''^src/libutil/nix-meson-build-support$''
+              ''^src/libutil/unix/include/nix/util/meson.build$''
+              ''^src/libutil/unix/meson.build$''
+              ''^src/libutil/windows/meson.build$''
+              ''^src/libutil-c/meson.build$''
+              ''^src/libutil-c/nix-meson-build-support$''
+              ''^src/libutil-test-support/include/nix/util/tests/meson.build$''
+              ''^src/libutil-test-support/meson.build$''
+              ''^src/libutil-test-support/nix-meson-build-support$''
+              ''^src/libutil-tests/meson.build$''
+              ''^src/libutil-tests/nix-meson-build-support$''
+              ''^src/nix/meson.build$''
+              ''^src/nix/nix-meson-build-support$''
+              ''^src/perl/lib/Nix/meson.build$''
+              ''^src/perl/meson.build$''
+              ''^tests/functional/ca/meson.build$''
+              ''^tests/functional/common/meson.build$''
+              ''^tests/functional/dyn-drv/meson.build$''
+              ''^tests/functional/flakes/meson.build$''
+              ''^tests/functional/git-hashing/meson.build$''
+              ''^tests/functional/local-overlay-store/meson.build$''
+              ''^tests/functional/meson.build$''
+              ''^src/libcmd/meson.options$''
+              ''^src/libexpr/meson.options$''
+              ''^src/libstore/meson.options$''
+              ''^src/libutil/meson.options$''
+              ''^src/libutil-c/meson.options$''
+              ''^src/nix/meson.options$''
+              ''^src/perl/meson.options$''
+            ];
+          };
          nixfmt-rfc-style = {
            enable = true;
            excludes = [
@@ -173,6 +262,8 @@
              ''^tests/functional/gc-concurrent\.sh$''
              ''^tests/functional/gc-concurrent2\.builder\.sh$''
              ''^tests/functional/gc-non-blocking\.sh$''
+              ''^tests/functional/git-hashing/common\.sh$''
+              ''^tests/functional/git-hashing/simple\.sh$''
              ''^tests/functional/hash-convert\.sh$''
              ''^tests/functional/impure-derivations\.sh$''
              ''^tests/functional/impure-eval\.sh$''
@@ -248,6 +339,7 @@
              ''^tests/functional/user-envs\.builder\.sh$''
              ''^tests/functional/user-envs\.sh$''
              ''^tests/functional/why-depends\.sh$''
+              ''^src/libutil-tests/data/git/check-data\.sh$''
            ];
          };
        };
--- a/maintainers/keys/158A6F530EA202E5F651611314FAEA63448E1DF9.asc
+++ b/maintainers/keys/158A6F530EA202E5F651611314FAEA63448E1DF9.asc
@@ -1,110 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGPtMiwBEAC0sFZW2QW/OaDjKm5zGRpDvHXDsMIUtlHfoi5ce8pocC63W05o
-FSXbUZjZ1VfYO8lT8DFANCzTkiXYaZx0cPRG2pVY4AOQZDNFt5XrAyvw496XCAIM
-DTYGFLjCqgjPt9RUFEy4MyHPJTEpB0x3rXgT4ILNu9vsj9Q0vttps7SpbZ3Ldq5H
-o/BBbLW77q/vNjpYzCbBIXF7ycUGpnNv9Go/WuiDnrBMcyxh+8kjjIHB5cxZSnjJ
-DUv681+m83v+gLZQGX/jexQrrf5JpS0X9qEnhGLrNUDhtyv5ud3Je4EfamkjLVVC
-RlNLofgflOCsl/tP80i+K7S1QdKhUALxuJ6H0prYUflGBDxDyC8XYuJ62TT0OUpa
-vJvgwVlCq8/jq+ykYQXlbuBVOzi5wAuI4l3+HqreSQYPSiwe+6N590Zbafdv1fvN
-WFtZKCTGMqfyaaAnppioH9/+NWkI2AQxaYVasYM/JEYvY9pJgA7alh51jHW4JglP
-ErypKfBKPKJID0QENqYoa3bDDCihuNWhgQf9dxzPlj2ckd35Zb6w4DfuSmtjaa9D
-o0jZVY1JbFuxBqP09+saVPrxLHgmPxjcdzPGQQtAqdO2vyJXNEGLFMoVEZPNaLo3
-QmcIJnT7oSck+4vGfOYtWUHXQynu/Tnwsv2XkA/uyw8HNe+RRMqv/apnzQARAQAB
-tCdTZXJnZWkgWmltbWVybWFuIDxzZXJnZWlAemltbWVybWFuLmZvbz6JAlEEEwEK
-ADsCGwEFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQVim9TDqIC5fZRYRMU+upj
-RI4d+QUCaUbsaAIZAQAKCRAU+upjRI4d+VdDD/492HRaJ/8V7R7VUzkafmb2Hb28
-SLf7oiB8Uq9I7SukiDEaIT1fUhquYWQ9KWpPRNR1TX6ApXnIeuJRMGFoDVIRnmnr
-cKnYYXfqqc81VxIyKvaumB7KWbS7G4Nbor8AH1ouOOOMMS50OTJOWQA4A26inIuG
-n+7L8MeS5aT+3uNKDoTKsidC47vnaxNMcke1taPfbfo7vn69PsRCM/g9/7TQYU8b
-6xp+pM9Ao9nJneRk2YCpsGYRrWTpaik0DFKnfpPKJM/yunhtGLF2IYAp3l1mvHPK
-nnzo92zjpQuZwazEIK+23V1vRT4IjM2BewbJPAzf2/UuxEjjgNQm0tOtH2JhFNeB
-VM0BVrGxWrrwrsmv6lWghTtBc6zRWyHrj/rpjtVQNmeKYrHWJeXwVz1rqgGPmB2N
-k0MZD1UjHHhEs1Cntn7yLmxTPztRJCtR+euRu81Uo2NAvrMJ4xsDjaM0LeLTnzjV
-9AsPjD188dOFyz7VExZum4+XaaEJ41FIPLEqU3U0GAa6stEy0ylSlIN4x9aiXXVW
-xfzHHchS5jK6QAjuZxN8t01GRactNylINRf7uoTECFZTtXNqfeuk0HQxBH0LuKVE
-0PxJbcNI4mVWw1KgTJ8PUVC1IXP3sEpqPdJOYiRXgnpcS26fWOBu0aQ4mhxiaJhr
-/zBfrkLEqp20TdNDZLkCDQRj7TM1ARAAt73xO24curnHTTgXkkVMMRzcMLx3Mb1a
-2FuddxC5hzTpEpw01L91UBrXVJEg9K2KAwP5CtCLgPCqXr47Tm7krvHxWwBksgY/
-6aHRsoPQfCFUZHc0aiO+C4NCzR+aEeGKn66Oc1Hq9oUTpDgiBWhsuEPiyA1OSGF0
-4L0jeTCqfm68kWp4PIK9yuugkdDsoyj6TonuMsb3V5ctHLqop9KH+eHSkUTPo+Lk
-+bxaeAOJ1UfbohgbRbrYKAfsaghhOMDH3R1w2pvtUJz+sDbuQsiPFTqbxsXDTFws
-H4N/AQCYnnvOhqEek2sOEZ19bJXt5UrAr10mX4PGmAkWqE1JWBxpOKG3BXSGOTu1
-3dFhQfPMK+PmvUrs0kcWQr53K/aRUdKKhIfTcMfkqYTGPK5HclHph24WjXj3QFFA
-SjksQTdm6486ZmLZK4CTbAFOPfTF/aWg8gu9v4ihdq6lqHNNXxv2xBAChcd59H7p
-D5zy9z8SpwWR9V5JDmlF6HWIIau1c6lSsQq1xHvYM8EuPe03vJvor+2u/cn5zYF1
-5ZxAuPI2i5vtavg1s8ZGAAogJ9dVcP36LdJfL9quXWvmovkd//qHIepBB+l/zQio
-ZRDZlIcfV3Xycaqsb5OqHGARHE0097koipMt5y/iXlqG4Ruue6Idb8bW96EKpaWj
-kKy/iNfQfQMAEQEAAYkEcgQYAQoAJgIbAhYhBBWKb1MOogLl9lFhExT66mNEjh35
-BQJpRuz3BQkJHCDCAkDBdCAEGQEKAB0WIQRK3hK0WyJ4BicGpcmpsLVXymMjJQUC
-Y+0zNQAKCRCpsLVXymMjJbdSD/9+f1FOOeGDAJI6Duo5fsWnf4xJJdtQtDbz6d2A
-SeDapxeJ3zWfKBD0wu5sISEa0uiWsYSmLtsa2SqVAKHlEaMGRR+tkBMPQ+rvgI4c
-62YjGTgm+IPd+NFIn+ixFU1hpinTh+KhUEoeOwWCvKs9nZfSG9vkienfiG0bBxo2
-zrvBzXA50x5hbUL+ghKu/AVfN9qZDwh30O4KZTwk4g4cM9SeaQa4YvHYIS3IEhDZ
-hGybwrrqV9cs92ln4IJw9WCy9QReBNrdeFgC4+3ziUp1QsG3RvqrtuMttwBVC1Z3
-bj5QjLLOREhhodfvk98t9yVkragObb4rGrLo1mWuF0c4mJGvXwnrqhCMvzv4M+0T
-Zdrmw6YpGkGOaOPghVuwoTtqSAkl+zFWIJS89jidvkYG3EqKAkgLKog/TQReCq13
-HWrF8cMck+Rf2K8k26q/RNZaA9ZUKjLExzz8lsWmd2C7rvkGLrlxnzxz0gGyNR3Q
-KK74vcPhqeABt2GSkHtEXZFFA9IVVzwlRWK3e0S+mVQnZVjNL+cBPn3/hZHMLesB
-CucyYZv+DxvT+JkYXBkGSw4s3hpABqGym7gdPUIa0q4rbBFG6xP5sLLBG4yru8vV
-2dyCMmFqRuxpT49uNfyQ6Vj+dobN6qHnP/9NwfzOixXYBHXR6LBqb/M+iCiJaaIn
-uiRLHwkQFPrqY0SOHfkQpA//W51vj8meuz7snRO+vZFcjLneFFzqfh1Jdz8IqDpO
-CkI5pBJmi8e0oSe6r68MkahiQLlYPwm7d+sjHvJhPWipNKWq/uwCgBs+Ac1lpPXR
-MwLbrZukcLMYlLmb2MrCKmjcMt0BZsZKBNYL3a3X9nHgwXdeqFYS4WQDMCCc09lz
-9YqfdoEsqRO4qN7D0hFqnwjOzb34ixZ6UO8a8ekY9QKxAgWc9fJWGMg6Pjdg4qsK
-nqymOIAdGVOJdoRM46wKGVBvbsF2gNfQU4XyzgJo5vHGFwJm6EoSnODlL5e2wsQh
-uN1oqBt/8ef/plloMEqVBweUBATqSqjRF6IhhYJvWVuQHQL1p1vnV9FebiVj34ir
-Z8ID+o0AnTJcclbUcDwannGJ0cuDcPhk/v/ahVuoMERCi12qnMBo5B/e6Omyh1yB
-4pbf4GATGGQipDQG75eC/kP2GQEqJP5WYN0Ar8Le/AA/2xyL7upW0yIByyXCwGEb
-JRwEgU3+bPyu58bFt8Pftit6J7rA3oBVVMOPrYH5eZwRaj5m2RptwKGL6BfHnhNv
-ZqmCq9EBGX6L1NI0xHMjEFfXJ8jU01XdfG8nCqkwqsHwslXLhqjJphfHcx89YwbV
-/15GCuURAv1cKe/7277sOhcvP/QpQqSWgvYExHw8PeFJcTYtF2NrRgNwcQsWS1Rj
-gXa5Ag0EY+0zcAEQANC5N6kSfezuucAgi+X3BD+MT37mxQyvICSggEJf1LDSmy0+
-bnvD7setL8CP9etTA2fcVNYKI1oboMyhoCnsRP2jDdv1iXOI/hZg4wSb/D1yUkae
-fUpxv3Wuci2QKavH2MfraDD7BFMbsQeMcHtn4Rk216T6jndZHnzT1Ih7iX0XeQPb
-li5fojOiZssgWAVT4HPXFCJB6lI35Hjp35oRYwrtMmu5INinZ79n9h1igGtt1ItZ
-b7rQKNd772Jxcn4UU71ovORSL/xT5i5sxZ+evQOxkpqUAokMOFaoHcOXLmA1NsFv
-yryXHK4Ioq9ap2jKlLTWkJWjua9JZ4AmKhbvT8X4ELxIKSCAdJKAWP8ZHbXNu5MD
-aznyzZQLxSO7uFvu356De75mI5iohZNj5wB5Wju71pBiorTKVj4+iJ4e+xVIzFdG
-hFC0DehNcl2t9w/y8qHwIQ1yUAjXHLXq0/2jsVeH6bU5q/MsgvUP1jcFe0eyOpxy
-CDvyFdzZFbI57TnB/fvcZTRZ5ewXMFpH8gzuoFzAjUAP95UjYKgaGdrNPNIy28Ii
-4zhvdghei2+n9jgiMfcGQg8lyfH5yF0vWWWynX0KcJsRwEZoL2EauVdwq4PcYOoU
-pQFhpcreCjD4LdZ4yRU4InbhcUogXjrQ9Dz01TbPmQD5b5iso21bCEFBXrhzABEB
-AAGJAjwEGAEKACYCGwwWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwg
-hwAKCRAU+upjRI4d+X/XD/sH5xvHPfTJq52v8weFmB52up+DzqG2lyhGdoUQ1Muw
-dRDLTLXLJrFdfpoOo7/j4Scr0rdc7/dpCn0DLcPuCoPxu+SkjEnVehFmZrGSv7Ga
-x9dHr3DBh42fdlX/U/EnDuyosY0JU1gNF2/6FIA+bTTOFE3RxfN906RjslYQDjMZ
-UAlSeLYHOZofdltI0YIr32vrxgdWQGZXPxU4XusDUc0z163OO+TGg7iUNWFZP5Qj
-ubM7e0YbDX0NPIshk8us99YJmrWnhaix1/W5ryO3DXiGaQ7XFi9u7QofRqvRIctg
-QXavdepkzJow9V9qpMECAJePIuICq7rm+xy+njjbuF436W7390bfVBwRr+FPADsl
-jgQP4KvY5rykss30kheom8wNEbveWkhH5oTfH9b7O4KXJfpfJzrlgOWp2BD9JL8t
-/M4HvFXTr2a75H/QbHK5OFrZeGATuv9OTxv7EZvnrPXU+DYTFldpu7TrNNqKCoj3
-ZyXmc3Hhg5kskDhfHJppaeOayuhMOpT3ud1MFzROY5SLVIH8rBR12KUgsCUYQcGs
-Iy0+0QvEGkjb4cAH1NK3VlbqVNsy1RmqRt2B28R2ueewDfTOoqkzt4MmzLqTdnAx
-mTqmHmkEKhEf3K4MRNUPO2yieUg2COk5l6x9HhAnoxxeOZrTmcMsPY/UViG2HEPm
-ybkCDQRj7TRDARAA9DZuKdfKq4Bs2+NwxC0aplljWOl8VIsEVg+Q8agD7/HU6/b6
-Dry0njtWybn2x6Axf/nUdeOC01Fi1lmht/fpj6mRkgAvd/V6P10xnsUoykPSDSTh
-P25MFFGW3JAA82bwdJ4AJpEQvTZG2nTb3237vlBiI1qHQrac8GYkju2O4UfySRN6
-7cyi7bMf2pjWBBOEhaNy4b6CMDsb32P/N5J7sTE/TXgrS+u4ITIgjzSrkUkh5Z+B
-8QVRa7xPIDZJdvZWTEXWu5fgRPZvxbr154GIkWJkFzlDoB1UcO56/uzRUuKhEV6o
-HW3LMUuWdPMjpHpq8hrL0G2rDniJFUtbDFzHdZK1LUU3T2BJM8rjI3D/euph+IDT
-27vl5qo72zCYE/iKzx4FMLZcQvx1kUAxkPX8l+dzZEwKeRIIpFDxQvatRtl+z0bM
-jbkpDb+Yjv66sC4dYRpgTTGX6rok0PWHR3IxDNzyf2j8zQ4LFJ+rVBM1GjGSt6mG
-j9TeL8CVeiSp4SuJ7I/FJVPHsKb50m+BDzeB31qTydNqh2kKr0DVAUa+TUsCr7e0
-OYr8WE2adJcRXIW0qw50xXF+W7/05GqSCVD0dpeOUdBTQTsSkQmM3/0hcj9aVo9e
-UDCM9RF0WRqiDAoHzJFfg+ztamkQI5HO6CklC4Ok22qrHRf6HDNYSuT6QFkAEQEA
-AYkCPQQYAQoAJwMbIAQWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwf
-tAAKCRAU+upjRI4d+Y+cD/9yllG6uo934pcHNsVppZBfREFwSc8ywlbosCuSVpay
-PjSqgrWwDrnqrsk0F2kUdC6rR3BIcXbn+lA9KqylH+cCXAJCkh8EDq6TlQ7Lt5EV
-w1U0MAMXOyxPwDymQ/BO+iDyjXWkRRYgbF5XiFhCfGeuKyhkhACisAgNZ1uA1P5k
-0SJYc14YfEhQkB46Y20SpfVHRsQ46FyNB6GHbmTmfoO8La8VTh++7GBdh85HfvkG
-VNQ3wpi5oXsOLN9+MJOezc0XsW2LQsKQj1/J7QKzGh+lxN5cemsA5aqPzh8dyxeT
-0lYRFp4AHkimqGUomVpRkbegMIPxXqOE+ZAmsddErw0UtmrKxcmMptOJwNgYzEgu
-++2vtqerL/NYp+wsdcWaBjCz2F3NiwHgNli7NSB/FPwucZZ5gN5C4SnmeFzrGdHg
-Oy+tQUN6ayQKljHeBO7CjMlsFNo/dcVrEMa1ShxBMqlj/6ivoEhktLz0Nru4FwNU
-xE5SJYDYfpjD7Ws8y4LoXgWXjFHrMO6N9GzqLN/e8LT7I+w4ps2MrgJ8QSrelmQ3
-rjkxp3uWp5v2lqy4rLfpi9iB6zIAeoN2eU1yOM9joxOYMxKYaYeYyP1Mm90wFol8
-LcTSaN+tVniPddBiL6zvsGBEMbCR9XN3EQ+mErbuw5ovWBOCrr+dvN3FxvD11y4J
-7w==
-=mXYP
-----END PGP PUBLIC KEY BLOCK-----
--- a/maintainers/keys/B541D55301270E0BCF15CA5D8170B4726D7198DE.asc
+++ b/maintainers/keys/B541D55301270E0BCF15CA5D8170B4726D7198DE.asc
@@ -1,51 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBFZu2zwBCADfatenjH3cvhlU6AeInvp4R0JmPBG942aghFj1Qh57smRcO5Bv
-y9mqrX3UDdmVvu58V3k1k9/GzPnAG1t+c7ohdymv/AMuNY4pE2sfxx7bX+mncTHX
-5wthipn8kTNm4WjREjCJM1Bm5sozzEZetED3+0/dWlnHl8b38evnLsD+WbSrDPVp
-o6M6Eg9IfMwTfcXzdmLmSnGolBWDQ9i1a0x0r3o+sDW5UTnr7jVP+zILcnOZ1Ewl
-Rn9OJ4Qg3ULM7WTMDYpKH4BO7RLR3aJgmsFAHp17vgUnzzFBZ10MCS3UOyUNoyph
-xo3belf7Q9nrHcSNbqSeQuBnW/vafAZUreAlABEBAAG0IkVlbGNvIERvbHN0cmEg
-PGVkb2xzdHJhQGdtYWlsLmNvbT6JATwEEwEIACYCGyMHCwkIBwMCAQYVCAIJCgsE
-FgIDAQIeAQIXgAUCVm7etAIZAQAKCRCBcLRybXGY3q51B/96qt41tmcDSzrj/UTl
-O6rErfW5zFvVsJTZ95Duwu87t/DVhw5lKBQcjALqVddufw1nMzyN/tSOMVDW8xe4
-wMEdcU4+QAMzNX80enuyinsw1glxfLcK0+VbTvqNIfw0sG3MjPqNs6cK2VRfMHK4
-paJjytBVICszNX9TfjLyIpKKoSSo1vqnT47LDZ5GIMy7l9Cs2sO/rqQHSPcR79yz
-8m8tbHpDDEMZmJeklckKP2QoiqnHiIvlisDxLclYnUmNaPdaN/f++qZz5Yqvu1n+
-sNUBA5eLaZH64Uy2SwtABxO3JPJ8nQ2+SFZ7ocFm4Gcdv4aM+Ura9S6fvM91tEJp
-yAQOiQE5BBMBCAAjBQJWbts8AhsjBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AA
-CgkQgXC0cm1xmN6sIAgAielxO8zJREqEkA2xudg/o4e9ZlNZ3X1NvY8OzJH/qlB2
-SmwKqwifhtbC1K0uavXA7eaxdtd2zrI+Yq7IooUyv7juMjHTZhLcFbR5iVkQ4Mfp
-JmeHXJ/ChYKxD5mMj/C3WbCZ91oCSNZ6Iyi5fvQj/691OC4q+y/2NEUcOI8D8cw8
-XKHbKtceFYc+nZmdOv3ZZrNTSN/kszGViNNLKgnpPdDVPtLp+vjXtbmitiFG2HL/
-WfbJ+3Gh2Yr1Vy3O9dWKH++e1AmIv7WWqmUjRFVpqC/wr7/BLaScWT8WKF5vkshU
-gq8Ez1/cuizsgs3wQIZWgXKQK5njvwnbKg+Zmh/uGbQmRWVsY28gRG9sc3RyYSA8
-ZWVsY28uZG9sc3RyYUB0d2VhZy5pbz6JAU4EEwEIADgWIQS1QdVTAScOC88Vyl2B
-cLRybXGY3gUCXELt4gIbIwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCBcLRy
-bXGY3ujFCADfS5D1xHU8KH6TpqgssSggYVq62Wwn/Ga+4XPPetM+ajcXagyH6SwB
-mxlHICcnv9xC93ryiTI10P1ADJl+aBsI66wEdHBU+ty4RTDy4JZNUPtmRCk9LhSc
-mtUO3ry/wtWkRLdJxP49hg7BbQvWoU0M6WODp7SJjPKPWNX64mzHBeOuy+DqGCbM
-lpGNCvW8ahU/ewbm7+xwWmzqLDoWzXjHsdF4QdzMVM/vkAgWEP4y0wEqFASzIYaR
-GNEkBWU4OQVq5Bdm9+wWWAgsbM0FJAQl0GDqnz4QxWzxxCAAXdbh9F5ffafWYsA9
-bise4ZQLkvYo6iUnrcFm4dtZbT8iL3gptCtFZWxjbyBEb2xzdHJhIDxlZWxjby5k
-b2xzdHJhQGxvZ2ljYmxveC5jb20+iQE5BBMBCAAjBQJWbt6nAhsjBwsJCAcDAgEG
-FQgCCQoLBBYCAwECHgECF4AACgkQgXC0cm1xmN4b/wf8DApMV/jSPEpibekrUPQu
-Ye3Z8cxBQuRm/nOPowtPEH/ShAevrCdRiob2nuEZWNoqZ2e5/+6ud07Hs9bslvco
-cDv1jeY1dof1idxfKhH3kfSpuD2XJhuzQBxBqOrIlCS/rdnW+Y9wOGD7+bs9QpcA
-IyAeQGLLkfggAxaGYQ2Aev8pS7i3a/+lOWbFhcTe02I49KemCOJqBorG5FfILLNr
-DjO3EoutNGpuz6rZvc/BlymphWBoAdUmxgoObr7NYWgw9pI8WeE6C7bbSOO7p5aQ
-spWXU7Hm17DkzsVDpaJlyClllqK+DdKza5oWlBMe/P02jD3Y+0P/2rCCyQQwmH3D
-RbkBDQRWbts8AQgA0g556xc08dH5YNEjbCwEt1j+XoRnV4+GfbSJIXOl9joIgzRC
-4IaijvL8+4biWvX7HiybfvBKto0XB1AWLZRC3jWKX5p74I77UAcrD+VQ/roWQqlJ
-BKbiQMlRYEsj/5Xnf72G90IP4DAFKvNl+rLChe+jUySA91BCtrYoP75Sw1BE9Cyz
-xEtm4WUzKAJdXI+ZTBttA2Nbqy+GSuzBs7fSKDwREJaZmVrosvmns+pQVG4WPWf4
-0l4mPguDQmZ9wSWZvBDkpG7AgHYDRYRGkMbAGsVfc6cScN2VsSTa6cbeeAEowKxM
-qx9RbY3WOq6aKAm0qDvow1nl7WwXwe8K0wQxfQARAQABiQEfBBgBCAAJBQJWbts8
-AhsMAAoJEIFwtHJtcZjeuAAH/0YNz2Qe1IAEO5oqEZNFOccL4KxVPrBhWUen83/b
-C6PjOnOqv6q5ztAcms88WIKxBlfzIfq+dzJcbKVS/H7TEXgcaC+7EYW8sJVEsipN
-BtEZ3LQNJ5coDjm7WZygniah1lfXNuiritAXduK5FWNNndqGArEaeZ8Shzdo/Uyi
-b9lOsBIL6xc2ZcnX5f+rTu02LCEtEb0FwCycZLEWYf8hG4k8uttIOZOC+CLk/k8d
-kBmPikMwUVTTV0CdT1cemQKdTaoAaK+kurF6FYXwcnjhRlHrisSt/tVMEwTw4LUM
-3MYf6qfjjvE4HlDwZal8th7ccoQp/flfJIuRv85xCcKK+PI=
-=u5cX
-----END PGP PUBLIC KEY BLOCK-----
--- a/maintainers/keys/README.md
+++ b/maintainers/keys/README.md
@@ -1,13 +0,0 @@
-# Maintainer GPG Keys
-
-Release tags are signed by members of the [Nix maintainer team](https://nixos.org/community/teams/nix/) as part of the [release process](../release-process.md). This directory contains the public GPG keys used for signing.
-
-## Keys
-
- **Eelco Dolstra**
-  GPG Fingerprint: `B541 D553 0127 0E0B CF15 CA5D 8170 B472 6D71 98DE`
-
- **Sergei Zimmerman**
-  GPG Fingerprint: [`158A 6F53 0EA2 02E5 F651 6113 14FA EA63 448E 1DF9`](https://keys.openpgp.org/vks/v1/by-fingerprint/158A6F530EA202E5F651611314FAEA63448E1DF9)
-
-<!-- TODO: Add keys for other Nix team members -->
--- a/maintainers/onboarding.md
+++ b/maintainers/onboarding.md
@@ -3,9 +3,5 @@

 - https://github.com/NixOS/nixos-homepage/
 - https://github.com/orgs/NixOS/teams/nix-team
- Matrix rooms
-  - [private] Nix maintainer team
-  - Nix ∪ Lix devs (also private)
-  - any open security issues if present and needed
-
+- Matrix room
 - Team member should subscribe to notifications for the [Nix development category on Discourse](https://discourse.nixos.org/c/dev/nix/50)
--- a/maintainers/release-process.md
+++ b/maintainers/release-process.md
@@ -5,11 +5,11 @@
 The release process is intended to create the following for each
 release:

-* A signed Git tag (public keys in `maintainers/keys/`)
+* A Git tag

 * Binary tarballs in https://releases.nixos.org/?prefix=nix/

-* Docker images (arm64 and amd64 variants, uploaded to DockerHub and GHCR)
+* Docker images

 * Closures in https://cache.nixos.org

@@ -29,7 +29,6 @@ release:
  ```console
  $ export VERSION=X.YY
  $ git checkout -b release-notes
-  $ export GITHUB_TOKEN=...
  $ ./maintainers/release-notes
  ```

@@ -98,17 +97,21 @@ release:
  evaluation ID (e.g. `1780832` in
  `https://hydra.nixos.org/eval/1780832`).

-* Tag the release:
+* Tag the release and upload the release artifacts to
+  [`releases.nixos.org`](https://releases.nixos.org/) and [Docker Hub](https://hub.docker.com/):

  ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
  ```

  Note: `IS_LATEST=1` causes the `latest-release` branch to be
  force-updated. This is used by the `nixos.org` website to get the
  [latest Nix manual](https://nixos.org/manual/nixpkgs/unstable/).

-* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
+  TODO: This script requires the right AWS credentials. Document.
+
+  TODO: This script currently requires a
+  `/home/eelco/Dev/nix-pristine`.

  TODO: trigger nixos.org netlify: https://docs.netlify.com/configure-builds/build-hooks/

@@ -173,18 +176,16 @@ release:
 * Wait for the desired evaluation of the maintenance jobset to finish
  building.

-* Tag the release
+* Run

  ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
  ```

  Omit `IS_LATEST=1` when creating a point release that is not on the
  most recent stable branch. This prevents `nixos.org` to going back
  to an older release.

-* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
-
 * Bump the version number of the release branch as above (e.g. to
  `2.12.2`).

--- a/maintainers/upload-release.pl
+++ b/maintainers/upload-release.pl
@@ -1,8 +1,7 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i perl -p awscli2 perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 perlPackages.GetoptLongDescriptive gnupg1
+#! nix-shell -i perl -p perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 gnupg1

 use strict;
-use Getopt::Long::Descriptive;
 use Data::Dumper;
 use File::Basename;
 use File::Path;
@@ -14,30 +13,7 @@ use Net::Amazon::S3;

 delete $ENV{'shell'}; # shut up a LWP::UserAgent.pm warning

-my ($opt, $usage) = describe_options(
-    '%c %o <eval-id>',
-    [ 'skip-docker',      'Skip Docker image upload' ],
-    [ 'skip-git',         'Skip Git tagging' ],
-    [ 'skip-s3',          'Skip S3 upload' ],
-    [ 'docker-owner=s',   'Docker image owner', { default => 'nixos/nix' } ],
-    [ 'project-root=s',   'Pristine git repository path' ],
-    [ 's3-endpoint=s',    'Custom S3 endpoint' ],
-    [ 's3-host=s',        'S3 host', { default => 's3-eu-west-1.amazonaws.com' } ],
-    [],
-    [ 'help|h',           'Show this help message', { shortcircuit => 1 } ],
-    [],
-    [ 'Environment variables:' ],
-    [ 'AWS_ACCESS_KEY_ID' ],
-    [ 'AWS_SECRET_ACCESS_KEY' ],
-    [ 'AWS_SESSION_TOKEN   For OIDC' ],
-    [ 'IS_LATEST           Set to "1" to mark as latest release' ],
-);
-
-print($usage->text), exit if $opt->help;
-
-my $evalId = $ARGV[0] or do { print STDERR $usage->text; exit 1 };
-
-die "--project-root is required unless --skip-git is specified\n" unless $opt->skip_git || $opt->project_root;
+my $evalId = $ARGV[0] or die "Usage: $0 EVAL-ID\n";

 my $releasesBucketName = "nix-releases";
 my $channelsBucketName = "nix-channels";
@@ -86,38 +62,25 @@ File::Path::make_path($narCache);
 my $binaryCache = "https://cache.nixos.org/?local-nar-cache=$narCache";

 # S3 setup.
-my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'};
-my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'};
-my $aws_session_token = $ENV{'AWS_SESSION_TOKEN'};
+my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die "No AWS_ACCESS_KEY_ID given.";
+my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die "No AWS_SECRET_ACCESS_KEY given.";

-my ($s3, $releasesBucket, $s3_channels, $channelsBucket);
+my $s3 = Net::Amazon::S3->new(
+    { aws_access_key_id     => $aws_access_key_id,
+      aws_secret_access_key => $aws_secret_access_key,
+      retry                 => 1,
+      host                  => "s3-eu-west-1.amazonaws.com",
+    });

-unless ($opt->skip_s3) {
-    $aws_access_key_id or die "No AWS_ACCESS_KEY_ID given.";
-    $aws_secret_access_key or die "No AWS_SECRET_ACCESS_KEY given.";
+my $releasesBucket = $s3->bucket($releasesBucketName) or die;

-    $s3 = Net::Amazon::S3->new(
-        { aws_access_key_id     => $aws_access_key_id,
-          aws_secret_access_key => $aws_secret_access_key,
-          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
-          retry                 => 1,
-          host                  => $opt->s3_host,
-          secure                => ($opt->s3_endpoint && $opt->s3_endpoint =~ /^http:/) ? 0 : 1,
-        });
+my $s3_us = Net::Amazon::S3->new(
+    { aws_access_key_id     => $aws_access_key_id,
+      aws_secret_access_key => $aws_secret_access_key,
+      retry                 => 1,
+    });

-    $releasesBucket = $s3->bucket($releasesBucketName) or die;
-
-    $s3_channels = Net::Amazon::S3->new(
-        { aws_access_key_id     => $aws_access_key_id,
-          aws_secret_access_key => $aws_secret_access_key,
-          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
-          retry                 => 1,
-          $opt->s3_endpoint ? (host => $opt->s3_host) : (),
-          $opt->s3_endpoint ? (secure => ($opt->s3_endpoint =~ /^http:/) ? 0 : 1) : (),
-        });
-
-    $channelsBucket = $s3_channels->bucket($channelsBucketName) or die;
-}
+my $channelsBucket = $s3_us->bucket($channelsBucketName) or die;

 sub getStorePath {
    my ($jobName, $output) = @_;
@@ -152,12 +115,11 @@ sub copyManual {
        File::Path::remove_tree("$tmpDir/manual.tmp", {safe => 1});
    }

-    my $awsEndpoint = $opt->s3_endpoint ? "--endpoint-url " . $opt->s3_endpoint : "";
-    system("aws $awsEndpoint s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
+    system("aws s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
        or die "syncing manual to S3\n";
 }

-copyManual unless $opt->skip_s3;
+copyManual;

 sub downloadFile {
    my ($jobName, $productNr, $dstName) = @_;
@@ -196,12 +158,30 @@ sub downloadFile {
    return $sha256_expected;
 }

-# Upload docker images.
+downloadFile("binaryTarball.i686-linux", "1");
+downloadFile("binaryTarball.x86_64-linux", "1");
+downloadFile("binaryTarball.aarch64-linux", "1");
+downloadFile("binaryTarball.x86_64-darwin", "1");
+downloadFile("binaryTarball.aarch64-darwin", "1");
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
+};
+warn "$@" if $@;
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
+};
+warn "$@" if $@;
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
+};
+warn "$@" if $@;
+downloadFile("installerScript", "1");
+
+# Upload docker images to dockerhub.
 my $dockerManifest = "";
 my $dockerManifestLatest = "";
 my $haveDocker = 0;

-unless ($opt->skip_docker) {
 for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
    my $system = $platforms->[0];
    my $dockerPlatform = $platforms->[1];
@@ -215,8 +195,8 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
    print STDERR "loading docker image for $dockerPlatform...\n";
    system("docker load -i $tmpDir/$fn") == 0 or die;

-    my $tag = $opt->docker_owner . ":$version-$dockerPlatform";
-    my $latestTag = $opt->docker_owner . ":latest-$dockerPlatform";
+    my $tag = "nixos/nix:$version-$dockerPlatform";
+    my $latestTag = "nixos/nix:latest-$dockerPlatform";

    print STDERR "tagging $version docker image for $dockerPlatform...\n";
    system("docker tag nix:$version $tag") == 0 or die;
@@ -239,94 +219,68 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
 }

 if ($haveDocker) {
-    my $dockerOwner = $opt->docker_owner;
    print STDERR "creating multi-platform docker manifest...\n";
-    system("docker manifest rm $dockerOwner:$version");
-    system("docker manifest create $dockerOwner:$version $dockerManifest") == 0 or die;
+    system("docker manifest rm nixos/nix:$version");
+    system("docker manifest create nixos/nix:$version $dockerManifest") == 0 or die;
    if ($isLatest) {
        print STDERR "creating latest multi-platform docker manifest...\n";
-        system("docker manifest rm $dockerOwner:latest");
-        system("docker manifest create $dockerOwner:latest $dockerManifestLatest") == 0 or die;
+        system("docker manifest rm nixos/nix:latest");
+        system("docker manifest create nixos/nix:latest $dockerManifestLatest") == 0 or die;
    }

    print STDERR "pushing multi-platform docker manifest...\n";
-    system("docker manifest push $dockerOwner:$version") == 0 or die;
+    system("docker manifest push nixos/nix:$version") == 0 or die;

    if ($isLatest) {
        print STDERR "pushing latest multi-platform docker manifest...\n";
-        system("docker manifest push $dockerOwner:latest") == 0 or die;
+        system("docker manifest push nixos/nix:latest") == 0 or die;
    }
 }
-}

+# Upload nix-fallback-paths.nix.
+write_file("$tmpDir/fallback-paths.nix",
+    "{\n" .
+    "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
+    "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
+    "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
+    "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
+    "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
+    "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
+    "}\n");

 # Upload release files to S3.
-unless ($opt->skip_s3) {
-    downloadFile("binaryTarball.i686-linux", "1");
-    downloadFile("binaryTarball.x86_64-linux", "1");
-    downloadFile("binaryTarball.aarch64-linux", "1");
-    downloadFile("binaryTarball.x86_64-darwin", "1");
-    downloadFile("binaryTarball.aarch64-darwin", "1");
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
-    };
-    warn "$@" if $@;
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
-    };
-    warn "$@" if $@;
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
-    };
-    warn "$@" if $@;
-    downloadFile("installerScript", "1");
+for my $fn (glob "$tmpDir/*") {
+    my $name = basename($fn);
+    next if $name eq "manual";
+    my $dstKey = "$releaseDir/" . $name;
+    unless (defined $releasesBucket->head_key($dstKey)) {
+        print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";

-    # Upload nix-fallback-paths.nix.
-    write_file("$tmpDir/fallback-paths.nix",
-        "{\n" .
-        "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
-        "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
-        "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
-        "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
-        "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
-        "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
-        "}\n");
+        my $configuration = ();
+        $configuration->{content_type} = "application/octet-stream";

-    for my $fn (glob "$tmpDir/*") {
-        my $name = basename($fn);
-        next if $name eq "manual";
-        my $dstKey = "$releaseDir/" . $name;
-        unless (defined $releasesBucket->head_key($dstKey)) {
-            print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";
-
-            my $configuration = ();
-            $configuration->{content_type} = "application/octet-stream";
-
-            if ($fn =~ /.sha256|install|\.nix$/) {
-                $configuration->{content_type} = "text/plain";
-            }
-
-            $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
-                or die $releasesBucket->err . ": " . $releasesBucket->errstr;
+        if ($fn =~ /.sha256|install|\.nix$/) {
+            $configuration->{content_type} = "text/plain";
        }
-    }

-    # Update the "latest" symlink.
-    $channelsBucket->add_key(
-        "nix-latest/install", "",
-        { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
-        or die $channelsBucket->err . ": " . $channelsBucket->errstr
-        if $isLatest;
+        $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
+            or die $releasesBucket->err . ": " . $releasesBucket->errstr;
+    }
 }

+# Update the "latest" symlink.
+$channelsBucket->add_key(
+    "nix-latest/install", "",
+    { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
+    or die $channelsBucket->err . ": " . $channelsBucket->errstr
+    if $isLatest;
+
 # Tag the release in Git.
-unless ($opt->skip_git) {
-    chdir($opt->project_root) or die "Cannot chdir to " . $opt->project_root . ": $!";
-    system("git remote update origin") == 0 or die;
-    system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
-    system("git push origin refs/tags/$version") == 0 or die;
-    system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;
-}
+chdir("/home/eelco/Dev/nix-pristine") or die;
+system("git remote update origin") == 0 or die;
+system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
+system("git push --tags") == 0 or die;
+system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;

 File::Path::remove_tree($narCache, {safe => 1});
 File::Path::remove_tree($tmpDir, {safe => 1});
--- a/meson.build
+++ b/meson.build
@@ -8,6 +8,7 @@ project(
  subproject_dir : 'src',
  default_options : [
    'localstatedir=/nix/var',
+    # hack for trailing newline
  ],
  meson_version : '>= 1.1',
 )
@@ -28,7 +29,7 @@ subproject('nix')
 if get_option('doc-gen')
  subproject('internal-api-docs')
  subproject('external-api-docs')
-  if meson.can_run_host_binaries()
+  if not meson.is_cross_build()
    subproject('nix-manual')
  endif
 endif
--- a/meson.options
+++ b/meson.options
@@ -20,10 +20,3 @@ option(
  value : true,
  description : 'Build language bindings (e.g. Perl)',
 )
-
-option(
-  'benchmarks',
-  type : 'boolean',
-  value : false,
-  description : 'Build benchmarks (requires gbenchmark)',
-)
--- a/misc/freebsd/meson.build
+++ b/misc/freebsd/meson.build
@@ -1,10 +0,0 @@
-configure_file(
-  input : 'nix-daemon.in',
-  output : 'nix-daemon',
-  install : true,
-  install_dir : get_option('prefix') / 'etc/rc.d',
-  install_mode : 'rwxr-xr-x',
-  configuration : {
-    'bindir' : bindir,
-  },
-)
--- a/misc/freebsd/nix-daemon.in
+++ b/misc/freebsd/nix-daemon.in
@@ -1,49 +0,0 @@
-#!/bin/sh
-#
-# PROVIDE: nix_daemon
-# REQUIRE: DAEMON
-# KEYWORD: shutdown
-#
-# Add the following lines to /etc/rc.conf to enable nix-daemon:
-#
-# nix_daemon_enable="YES"
-#
-
-# shellcheck source=/dev/null
-. /etc/rc.subr
-
-name="nix_daemon"
-# shellcheck disable=SC2034
-rcvar="nix_daemon_enable"
-
-load_rc_config $name
-
-: "${nix_daemon_enable:=NO}"
-
-command="@bindir@/nix-daemon"
-command_args=""
-pidfile="/var/run/nix-daemon.pid"
-
-# shellcheck disable=SC2034
-start_cmd="${name}_start"
-# shellcheck disable=SC2034
-stop_cmd="${name}_stop"
-
-nix_daemon_start() {
-    echo "Starting ${name}."
-    # command_args is intentionally unquoted to allow multiple arguments
-    # shellcheck disable=SC2086
-    /usr/sbin/daemon -c -f -p "${pidfile}" "${command}" ${command_args}
-}
-
-nix_daemon_stop() {
-    if [ -f "${pidfile}" ]; then
-        echo "Stopping ${name}."
-        kill -TERM "$(cat "${pidfile}")"
-        rm -f "${pidfile}"
-    else
-        echo "${name} is not running."
-    fi
-}
-
-run_rc_command "$1"
--- a/misc/launchd/meson.build
+++ b/misc/launchd/meson.build
@@ -9,5 +9,5 @@ configure_file(
    # 'storedir' : store_dir,
    # 'localstatedir' : localstatedir,
    # 'bindir' : bindir,
-},
+  },
 )
--- a/misc/meson.build
+++ b/misc/meson.build
@@ -9,7 +9,3 @@ endif
 if host_machine.system() == 'darwin'
  subdir('launchd')
 endif
-
-if host_machine.system() == 'freebsd'
-  subdir('freebsd')
-endif
--- a/nix-meson-build-support/big-objs/meson.build
+++ b/nix-meson-build-support/big-objs/meson.build
@@ -2,5 +2,5 @@ if host_machine.system() == 'windows'
  # libexpr's primops creates a large object
  # Without the following flag, we'll get errors when cross-compiling to mingw32:
  # Fatal error: can't write 66 bytes to section .text of src/libexpr/libnixexpr.dll.p/primops.cc.obj: 'file too big'
-  add_project_arguments([ '-Wa,-mbig-obj' ], language : 'cpp')
+  add_project_arguments([ '-Wa,-mbig-obj' ], language: 'cpp')
 endif
--- a/nix-meson-build-support/common/meson.build
+++ b/nix-meson-build-support/common/meson.build
@@ -18,25 +18,3 @@ add_project_arguments(
  '-Wno-deprecated-declarations',
  language : 'cpp',
 )
-
-# GCC doesn't benefit much from precompiled headers.
-do_pch = cxx.get_id() == 'clang'
-
-# This is a clang-only option for improving build times.
-# It forces the instantiation of templates in the PCH itself and
-# not every translation unit it's included in.
-# It's available starting from clang 11, which is old enough to not
-# bother checking the version.
-# This feature helps in particular with the expensive nlohmann::json template
-# instantiations in libutil and libstore.
-if cxx.get_id() == 'clang'
-  add_project_arguments('-fpch-instantiate-templates', language : 'cpp')
-endif
-
-# Clang gets grumpy about missing libasan symbols if -shared-libasan is not
-# passed when building shared libs, at least on Linux
-if cxx.get_id() == 'clang' and ('address' in get_option('b_sanitize') or 'undefined' in get_option(
-  'b_sanitize',
-))
-  add_project_link_arguments('-shared-libasan', language : 'cpp')
-endif
--- a/nix-meson-build-support/default-system-cpu/meson.build
+++ b/nix-meson-build-support/default-system-cpu/meson.build
@@ -1,19 +0,0 @@
-# This attempts to translate meson cpu_family and cpu_name specified via
-# --cross-file [1] into a nix *system double*. Nixpkgs mostly respects ([2]) the
-# conventions outlined in [1].
-#
-# [1]: https://mesonbuild.com/Reference-tables.html#cpu-families
-# [2]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/lib/meson.nix
-
-nix_system_cpu = {'ppc64' : 'powerpc64', 'ppc' : 'powerpc', 'x86' : 'i686'}.get(
-  host_machine.cpu_family(),
-  host_machine.cpu_family(),
-)
-
-if (host_machine.cpu_family() in [ 'ppc64', 'ppc' ]) and host_machine.endian() == 'little'
-  nix_system_cpu += 'le'
-elif host_machine.cpu_family() in [ 'mips64', 'mips' ] and host_machine.endian() == 'little'
-  nix_system_cpu += 'el'
-elif host_machine.cpu_family() == 'arm'
-  nix_system_cpu = host_machine.cpu()
-endif
--- a/nix-meson-build-support/deps-lists/meson.build
+++ b/nix-meson-build-support/deps-lists/meson.build
@@ -6,7 +6,7 @@
 # *interface*.
 #
 # See `man pkg-config` for some details.
-deps_private = []
+deps_private = [ ]

 # These are public dependencies with pkg-config files. Public is the
 # opposite of private: these dependencies are used in installed header
@@ -23,14 +23,14 @@ deps_private = []
 # N.B. For distributions that care about "ABI" stability and not just
 # "API" stability, the private dependencies also matter as they can
 # potentially affect the public ABI.
-deps_public = []
+deps_public = [ ]

 # These are subproject deps (type == "internal"). They are other
 # packages in `/src` in this repo. The private vs public distinction is
 # the same as above.
-deps_private_subproject = []
-deps_public_subproject = []
+deps_private_subproject = [ ]
+deps_public_subproject = [ ]

 # These are dependencencies without pkg-config files. Ideally they are
 # just private, but they may also be public (e.g. boost).
-deps_other = []
+deps_other = [ ]
--- a/nix-meson-build-support/export-all-symbols/meson.build
+++ b/nix-meson-build-support/export-all-symbols/meson.build
@@ -5,7 +5,7 @@ if host_machine.system() == 'cygwin' or host_machine.system() == 'windows'
  # and not detail with this yet.
  #
  # TODO do not do this, and instead do fine-grained export annotations.
-  linker_export_flags = [ '-Wl,--export-all-symbols' ]
+  linker_export_flags = ['-Wl,--export-all-symbols']
 else
  linker_export_flags = []
 endif
--- a/nix-meson-build-support/export/meson.build
+++ b/nix-meson-build-support/export/meson.build
@@ -1,12 +1,12 @@
 requires_private = []
 foreach dep : deps_private_subproject
-  requires_private += dep.name()
+  requires_private  += dep.name()
 endforeach
 requires_private += deps_private

-requires_public = []
+requires_public  = []
 foreach dep : deps_public_subproject
-  requires_public += dep.name()
+  requires_public  += dep.name()
 endforeach
 requires_public += deps_public

@@ -14,7 +14,7 @@ extra_pkg_config_variables = get_variable('extra_pkg_config_variables', {})

 extra_cflags = []
 if not meson.project_name().endswith('-c')
-  extra_cflags += [ '-std=c++23' ]
+    extra_cflags += ['-std=c++2a']
 endif

 import('pkgconfig').generate(
@@ -29,13 +29,10 @@ import('pkgconfig').generate(
  variables : extra_pkg_config_variables,
 )

-meson.override_dependency(
-  meson.project_name(),
-  declare_dependency(
-    include_directories : include_dirs,
-    link_with : this_library,
-    compile_args : [ '-std=c++23' ],
-    dependencies : deps_public_subproject + deps_public,
-    variables : extra_pkg_config_variables,
-  ),
-)
+meson.override_dependency(meson.project_name(), declare_dependency(
+  include_directories : include_dirs,
+  link_with : this_library,
+  compile_args : ['-std=c++2a'],
+  dependencies : deps_public_subproject + deps_public,
+  variables : extra_pkg_config_variables,
+))
--- a/nix-meson-build-support/generate-header/meson.build
+++ b/nix-meson-build-support/generate-header/meson.build
@@ -1,12 +1,7 @@
-bash = find_program('bash', native : true)
+bash = find_program('bash', native: true)

 gen_header = generator(
  bash,
-  arguments : [
-    '-c',
-    '{ echo \'R"__NIX_STR(\' && cat @INPUT@ && echo \')__NIX_STR"\'; } > "$1"',
-    '_ignored_argv0',
-    '@OUTPUT@',
-  ],
+  arguments : [ '-c', '{ echo \'R"__NIX_STR(\' && cat @INPUT@ && echo \')__NIX_STR"\'; } > "$1"', '_ignored_argv0', '@OUTPUT@' ],
  output : '@PLAINNAME@.gen.hh',
 )
--- a/packaging/binary-tarball.nix
+++ b/packaging/binary-tarball.nix
@@ -37,9 +37,6 @@ runCommand "nix-binary-tarball-${version}" env ''
  substitute ${../scripts/install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
    --subst-var-by nix ${nix} \
    --subst-var-by cacert ${cacert}
-  substitute ${../scripts/install-freebsd-multi-user.sh} $TMPDIR/install-freebsd-multi-user.sh \
-    --subst-var-by nix ${nix} \
-    --subst-var-by cacert ${cacert}
  substitute ${../scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
    --subst-var-by nix ${nix} \
    --subst-var-by cacert ${cacert}
@@ -51,7 +48,6 @@ runCommand "nix-binary-tarball-${version}" env ''
    shellcheck $TMPDIR/create-darwin-volume.sh
    shellcheck $TMPDIR/install-darwin-multi-user.sh
    shellcheck $TMPDIR/install-systemd-multi-user.sh
-    shellcheck $TMPDIR/install-freebsd-multi-user.sh

    # SC1091: Don't panic about not being able to source
    #         /etc/profile
@@ -68,7 +64,6 @@ runCommand "nix-binary-tarball-${version}" env ''
  chmod +x $TMPDIR/create-darwin-volume.sh
  chmod +x $TMPDIR/install-darwin-multi-user.sh
  chmod +x $TMPDIR/install-systemd-multi-user.sh
-  chmod +x $TMPDIR/install-freebsd-multi-user.sh
  chmod +x $TMPDIR/install-multi-user
  dir=nix-${version}-${system}
  fn=$out/$dir.tar.xz
@@ -87,7 +82,6 @@ runCommand "nix-binary-tarball-${version}" env ''
    $TMPDIR/create-darwin-volume.sh \
    $TMPDIR/install-darwin-multi-user.sh \
    $TMPDIR/install-systemd-multi-user.sh \
-    $TMPDIR/install-freebsd-multi-user.sh \
    $TMPDIR/install-multi-user \
    $TMPDIR/reginfo \
    $(cat ${installerClosureInfo}/store-paths)
--- a/packaging/components.nix
+++ b/packaging/components.nix
@@ -54,12 +54,12 @@ let
    preConfigure =
      prevAttrs.preConfigure or ""
      +
-      # Update the repo-global .version file.
-      # Symlink ./.version points there, but by default only workDir is writable.
-      ''
-        chmod u+w ./.version
-        echo ${finalAttrs.version} > ./.version
-      '';
+        # Update the repo-global .version file.
+        # Symlink ./.version points there, but by default only workDir is writable.
+        ''
+          chmod u+w ./.version
+          echo ${finalAttrs.version} > ./.version
+        '';
  };

  localSourceLayer =
@@ -148,8 +148,7 @@ let
    nativeBuildInputs = [
      meson
      ninja
-    ]
-    ++ prevAttrs.nativeBuildInputs or [ ];
+    ] ++ prevAttrs.nativeBuildInputs or [ ];
    mesonCheckFlags = prevAttrs.mesonCheckFlags or [ ] ++ [
      "--print-errorlogs"
    ];
@@ -366,33 +365,18 @@ in

  nix-cmd = callPackage ../src/libcmd/package.nix { };

-  /**
-    The Nix command line interface. Note that this does not include its tests, whereas `nix-everything` does.
-  */
  nix-cli = callPackage ../src/nix/package.nix { version = fineVersion; };

  nix-functional-tests = callPackage ../tests/functional/package.nix {
    version = fineVersion;
  };

-  /**
-    The manual as would be published on https://nix.dev/reference/nix-manual
-  */
  nix-manual = callPackage ../doc/manual/package.nix { version = fineVersion; };
-  /**
-    Doxygen pages for C++ code
-  */
  nix-internal-api-docs = callPackage ../src/internal-api-docs/package.nix { version = fineVersion; };
-  /**
-    Doxygen pages for the public C API
-  */
  nix-external-api-docs = callPackage ../src/external-api-docs/package.nix { version = fineVersion; };

  nix-perl-bindings = callPackage ../src/perl/package.nix { };

-  /**
-    Combined package that has the CLI, libraries, and (assuming non-cross, no overrides) it requires that all tests succeed.
-  */
  nix-everything = callPackage ../packaging/everything.nix { } // {
    # Note: no `passthru.overrideAllMesonComponents` etc
    #       This would propagate into `nix.overrideAttrs f`, but then discard
--- a/packaging/dependencies.nix
+++ b/packaging/dependencies.nix
@@ -10,8 +10,27 @@
  stdenv,
 }:

+let
+  prevStdenv = stdenv;
+in
+
 let
  inherit (pkgs) lib;
+
+  stdenv = if prevStdenv.isDarwin && prevStdenv.isx86_64 then darwinStdenv else prevStdenv;
+
+  # Fix the following error with the default x86_64-darwin SDK:
+  #
+  #     error: aligned allocation function of type 'void *(std::size_t, std::align_val_t)' is only available on macOS 10.13 or newer
+  #
+  # Despite the use of the 10.13 deployment target here, the aligned
+  # allocation function Clang uses with this setting actually works
+  # all the way back to 10.6.
+  # NOTE: this is not just a version constraint, but a request to make Darwin
+  #       provide this version level of support. Removing this minimum version
+  #       request will regress the above error.
+  darwinStdenv = pkgs.overrideSDK prevStdenv { darwinMinVersion = "10.13"; };
+
 in
 scope: {
  inherit stdenv;
@@ -31,31 +50,9 @@ scope: {
        requiredSystemFeatures = [ ];
      };

-  boehmgc =
-    (pkgs.boehmgc.override {
-      enableLargeConfig = true;
-    }).overrideAttrs
-      (attrs: {
-        # Increase the initial mark stack size to avoid stack
-        # overflows, since these inhibit parallel marking (see
-        # GC_mark_some()). To check whether the mark stack is too
-        # small, run Nix with GC_PRINT_STATS=1 and look for messages
-        # such as `Mark stack overflow`, `No room to copy back mark
-        # stack`, and `Grew mark stack to ... frames`.
-        NIX_CFLAGS_COMPILE = "-DINITIAL_MARK_STACK_SIZE=1048576";
-      });
-
-  lowdown = pkgs.lowdown.overrideAttrs (prevAttrs: rec {
-    version = "2.0.2";
-    src = pkgs.fetchurl {
-      url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz";
-      hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA==";
-    };
-    nativeBuildInputs = prevAttrs.nativeBuildInputs ++ [ pkgs.buildPackages.bmake ];
-    postInstall =
-      lib.replaceStrings [ "lowdown.so.1" "lowdown.1.dylib" ] [ "lowdown.so.2" "lowdown.2.dylib" ]
-        (prevAttrs.postInstall or "");
-  });
+  boehmgc = pkgs.boehmgc.override {
+    enableLargeConfig = true;
+  };

  # TODO Hack until https://github.com/NixOS/nixpkgs/issues/45462 is fixed.
  boost =
@@ -65,7 +62,6 @@ scope: {
        "--with-context"
        "--with-coroutine"
        "--with-iostreams"
-        "--with-url"
      ];
      enableIcu = false;
    }).overrideAttrs
--- a/packaging/dev-shell.nix
+++ b/packaging/dev-shell.nix
@@ -71,16 +71,17 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
    # We use this shell with the local checkout, not unpackPhase.
    src = null;

-    env = {
-      # For `make format`, to work without installing pre-commit
-      _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
-        modular.pre-commit.settings.rawConfig
-      }";
-    }
-    // lib.optionalAttrs stdenv.hostPlatform.isLinux {
-      CC_LD = "mold";
-      CXX_LD = "mold";
-    };
+    env =
+      {
+        # For `make format`, to work without installing pre-commit
+        _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
+          modular.pre-commit.settings.rawConfig
+        }";
+      }
+      // lib.optionalAttrs stdenv.hostPlatform.isLinux {
+        CC_LD = "mold";
+        CXX_LD = "mold";
+      };

    mesonFlags =
      map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents2.nix-util.mesonFlags)
@@ -118,25 +119,22 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
        modular.pre-commit.settings.package
        (pkgs.writeScriptBin "pre-commit-hooks-install" modular.pre-commit.settings.installationScript)
        pkgs.buildPackages.nixfmt-rfc-style
-        pkgs.buildPackages.gdb
      ]
      ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (
        lib.hiPrio pkgs.buildPackages.clang-tools
      )
      ++ lib.optional stdenv.hostPlatform.isLinux pkgs.buildPackages.mold-wrapped;

-    buildInputs = [
-      pkgs.gbenchmark
-    ]
-    ++ attrs.buildInputs or [ ]
-    ++ pkgs.nixComponents2.nix-util.buildInputs
-    ++ pkgs.nixComponents2.nix-store.buildInputs
-    ++ pkgs.nixComponents2.nix-store-tests.externalBuildInputs
-    ++ pkgs.nixComponents2.nix-fetchers.buildInputs
-    ++ pkgs.nixComponents2.nix-expr.buildInputs
-    ++ pkgs.nixComponents2.nix-expr.externalPropagatedBuildInputs
-    ++ pkgs.nixComponents2.nix-cmd.buildInputs
-    ++ lib.optionals havePerl pkgs.nixComponents2.nix-perl-bindings.externalBuildInputs
-    ++ lib.optional havePerl pkgs.perl;
+    buildInputs =
+      attrs.buildInputs or [ ]
+      ++ pkgs.nixComponents2.nix-util.buildInputs
+      ++ pkgs.nixComponents2.nix-store.buildInputs
+      ++ pkgs.nixComponents2.nix-store-tests.externalBuildInputs
+      ++ pkgs.nixComponents2.nix-fetchers.buildInputs
+      ++ pkgs.nixComponents2.nix-expr.buildInputs
+      ++ pkgs.nixComponents2.nix-expr.externalPropagatedBuildInputs
+      ++ pkgs.nixComponents2.nix-cmd.buildInputs
+      ++ lib.optionals havePerl pkgs.nixComponents2.nix-perl-bindings.externalBuildInputs
+      ++ lib.optional havePerl pkgs.perl;
  }
 )
--- a/packaging/everything.nix
+++ b/packaging/everything.nix
@@ -47,25 +47,25 @@
 }:

 let
-  libs = {
-    inherit
-      nix-util
-      nix-util-c
-      nix-store
-      nix-store-c
-      nix-fetchers
-      nix-fetchers-c
-      nix-expr
-      nix-expr-c
-      nix-flake
-      nix-flake-c
-      nix-main
-      nix-main-c
-      nix-cmd
-      ;
-  }
-  //
-    lib.optionalAttrs
+  libs =
+    {
+      inherit
+        nix-util
+        nix-util-c
+        nix-store
+        nix-store-c
+        nix-fetchers
+        nix-fetchers-c
+        nix-expr
+        nix-expr-c
+        nix-flake
+        nix-flake-c
+        nix-main
+        nix-main-c
+        nix-cmd
+        ;
+    }
+    // lib.optionalAttrs
      (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
      {
        # Currently fails in static build
@@ -127,19 +127,20 @@ stdenv.mkDerivation (finalAttrs: {
  */
  dontFixup = true;

-  checkInputs = [
-    # Make sure the unit tests have passed
-    nix-util-tests.tests.run
-    nix-store-tests.tests.run
-    nix-expr-tests.tests.run
-    nix-fetchers-tests.tests.run
-    nix-flake-tests.tests.run
+  checkInputs =
+    [
+      # Make sure the unit tests have passed
+      nix-util-tests.tests.run
+      nix-store-tests.tests.run
+      nix-expr-tests.tests.run
+      nix-fetchers-tests.tests.run
+      nix-flake-tests.tests.run

-    # Make sure the functional tests have passed
-    nix-functional-tests
-  ]
-  ++
-    lib.optionals (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+      # Make sure the functional tests have passed
+      nix-functional-tests
+    ]
+    ++ lib.optionals
+      (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
      [
        # Perl currently fails in static build
        # TODO: Split out tests into a separate derivation?
--- a/packaging/hydra.nix
+++ b/packaging/hydra.nix
@@ -223,17 +223,10 @@ in
  dockerImage = lib.genAttrs linux64BitSystems (system: self.packages.${system}.dockerImage);

  # # Line coverage analysis.
-  coverage =
-    (import ./../ci/gha/tests rec {
-      withCoverage = true;
-      pkgs = nixpkgsFor.x86_64-linux.nativeForStdenv.clangStdenv;
-      nixComponents = pkgs.nixComponents2;
-      nixFlake = null;
-      getStdenv = p: p.clangStdenv;
-    }).codeCoverage.coverageReports.overrideAttrs
-      {
-        name = "nix-coverage"; # For historical consistency
-      };
+  # coverage = nixpkgsFor.x86_64-linux.native.nix.override {
+  #   pname = "nix-coverage";
+  #   withCoverageChecks = true;
+  # };

  # Nix's manual
  manual = nixpkgsFor.x86_64-linux.native.nixComponents2.nix-manual;
@@ -247,9 +240,7 @@ in
  # System tests.
  tests =
    import ../tests/nixos {
-      inherit lib nixpkgs;
-      pkgs = nixpkgsFor.x86_64-linux.native;
-      nixComponents = nixpkgsFor.x86_64-linux.native.nixComponents2;
+      inherit lib nixpkgs nixpkgsFor;
      inherit (self.inputs) nixpkgs-23-11;
    }
    // {
--- a/ci/gha/tests/build-checks
+++ b/ci/gha/tests/build-checks
--- a/scripts/install-freebsd-multi-user.sh
+++ b/scripts/install-freebsd-multi-user.sh
@@ -1,173 +0,0 @@
-#!/usr/bin/env bash
-
-set -eu
-set -o pipefail
-
-# System specific settings
-# FreeBSD typically uses UIDs from 1001+ for regular users,
-# so we'll use a range that's unlikely to conflict
-export NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-30001}"
-export NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-30000}"
-export NIX_BUILD_USER_NAME_TEMPLATE="nixbld%d"
-
-# FreeBSD service paths
-readonly SERVICE_SRC=/etc/rc.d/nix-daemon
-readonly SERVICE_DEST=/usr/local/etc/rc.d/nix-daemon
-
-poly_cure_artifacts() {
-    :
-}
-
-poly_service_installed_check() {
-    if [ -f "$SERVICE_DEST" ]; then
-        return 0
-    else
-        return 1
-    fi
-}
-
-poly_service_uninstall_directions() {
-    cat <<EOF
-$1. Delete the rc.d service
-
-  sudo service nix-daemon stop
-  sudo rm -f $SERVICE_DEST
-  sudo sysrc -x nix_daemon_enable
-
-EOF
-}
-
-poly_service_setup_note() {
-    cat <<EOF
- - link the nix-daemon rc.d service to $SERVICE_DEST
-
-EOF
-}
-
-poly_extra_try_me_commands() {
-    cat <<EOF
-  $ sudo service nix-daemon start
-EOF
-}
-
-poly_configure_nix_daemon_service() {
-    task "Setting up the nix-daemon rc.d service"
-
-    # Ensure the rc.d directory exists
-    _sudo "to create the rc.d directory" \
-          mkdir -p /usr/local/etc/rc.d
-
-    # Link the pre-installed rc.d script
-    _sudo "to set up the nix-daemon service" \
-          ln -sfn "/nix/var/nix/profiles/default$SERVICE_SRC" "$SERVICE_DEST"
-
-    _sudo "to enable the nix-daemon service" \
-          sysrc nix_daemon_enable=YES
-
-    _sudo "to start the nix-daemon" \
-          service nix-daemon start
-}
-
-poly_group_exists() {
-    pw group show "$1" > /dev/null 2>&1
-}
-
-poly_group_id_get() {
-    pw group show "$1" | cut -d: -f3
-}
-
-poly_create_build_group() {
-    _sudo "Create the Nix build group, $NIX_BUILD_GROUP_NAME" \
-          pw groupadd -n "$NIX_BUILD_GROUP_NAME" -g "$NIX_BUILD_GROUP_ID" >&2
-}
-
-poly_user_exists() {
-    pw user show "$1" > /dev/null 2>&1
-}
-
-poly_user_id_get() {
-    pw user show "$1" | cut -d: -f3
-}
-
-poly_user_hidden_get() {
-    # FreeBSD doesn't have a concept of hidden users like macOS
-    echo "0"
-}
-
-poly_user_hidden_set() {
-    # No-op on FreeBSD
-    true
-}
-
-poly_user_home_get() {
-    pw user show "$1" | cut -d: -f9
-}
-
-poly_user_home_set() {
-    _sudo "in order to give $1 a safe home directory" \
-          pw usermod -n "$1" -d "$2"
-}
-
-poly_user_note_get() {
-    pw user show "$1" | cut -d: -f8
-}
-
-poly_user_note_set() {
-    _sudo "in order to give $1 a useful comment" \
-          pw usermod -n "$1" -c "$2"
-}
-
-poly_user_shell_get() {
-    pw user show "$1" | cut -d: -f10
-}
-
-poly_user_shell_set() {
-    _sudo "in order to prevent $1 from logging in" \
-          pw usermod -n "$1" -s "$2"
-}
-
-poly_user_in_group_check() {
-    groups "$1" 2>/dev/null | grep -q "\<$2\>"
-}
-
-poly_user_in_group_set() {
-    _sudo "Add $1 to the $2 group" \
-          pw groupmod -n "$2" -m "$1"
-}
-
-poly_user_primary_group_get() {
-    pw user show "$1" | cut -d: -f4
-}
-
-poly_user_primary_group_set() {
-    _sudo "to let the nix daemon use this user for builds" \
-          pw usermod -n "$1" -g "$2"
-}
-
-poly_create_build_user() {
-    username=$1
-    uid=$2
-    builder_num=$3
-
-    _sudo "Creating the Nix build user, $username" \
-          pw useradd \
-          -n "$username" \
-          -u "$uid" \
-          -g "$NIX_BUILD_GROUP_NAME" \
-          -G "$NIX_BUILD_GROUP_NAME" \
-          -d /var/empty \
-          -s /sbin/nologin \
-          -c "Nix build user $builder_num"
-}
-
-poly_prepare_to_install() {
-    # FreeBSD-specific preparation steps
-    :
-}
-
-poly_configure_default_profile_targets() {
-    # FreeBSD-specific profile locations
-    # FreeBSD uses /usr/local/etc for third-party shell configurations
-    # Include both profile (for login shells) and bashrc (for interactive shells)
-    echo "/usr/local/etc/profile /usr/local/etc/bashrc /usr/local/etc/profile.d/nix.sh /usr/local/etc/zshrc"
-}
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@@ -33,8 +33,7 @@ readonly NIX_BUILD_GROUP_NAME="nixbld"
 readonly NIX_ROOT="/nix"
 readonly NIX_EXTRA_CONF=${NIX_EXTRA_CONF:-}

-# PROFILE_TARGETS will be set later after OS-specific scripts are loaded
-PROFILE_TARGETS=()
+readonly PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshrc" "/etc/bash.bashrc" "/etc/zsh/zshrc")
 readonly PROFILE_BACKUP_SUFFIX=".backup-before-nix"
 readonly PROFILE_NIX_FILE="$NIX_ROOT/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"

@@ -100,14 +99,6 @@ is_os_darwin() {
    fi
 }

-is_os_freebsd() {
-    if [ "$(uname -s)" = "FreeBSD" ]; then
-        return 0
-    else
-        return 1
-    fi
-}
-
 contact_us() {
    echo "You can open an issue at"
    echo "https://github.com/NixOS/nix/issues/new?labels=installer&template=installer.md"
@@ -507,10 +498,6 @@ You have aborted the installation.
 EOF
        fi
    fi
-
-    if is_os_freebsd; then
-        ok "Detected FreeBSD, will set up rc.d service for nix-daemon"
-    fi
 }

 setup_report() {
@@ -847,7 +834,7 @@ install_from_extracted_nix() {
    (
        cd "$EXTRACTED_NIX_PATH"

-        if is_os_darwin || is_os_freebsd; then
+        if is_os_darwin; then
            _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
                  cp -RPp ./store/* "$NIX_ROOT/store/"
        else
@@ -1002,22 +989,11 @@ main() {
        # shellcheck source=./install-systemd-multi-user.sh
        . "$EXTRACTED_NIX_PATH/install-systemd-multi-user.sh" # most of this works on non-systemd distros also
        check_required_system_specific_settings "install-systemd-multi-user.sh"
-    elif is_os_freebsd; then
-        # shellcheck source=./install-freebsd-multi-user.sh
-        . "$EXTRACTED_NIX_PATH/install-freebsd-multi-user.sh"
-        check_required_system_specific_settings "install-freebsd-multi-user.sh"
    else
        failure "Sorry, I don't know what to do on $(uname)"
    fi


-    # Set profile targets after OS-specific scripts are loaded
-    if command -v poly_configure_default_profile_targets > /dev/null 2>&1; then
-        PROFILE_TARGETS=($(poly_configure_default_profile_targets))
-    else
-        PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshrc" "/etc/bash.bashrc" "/etc/zsh/zshrc")
-    fi
-
    welcome_to_nix

    if ! is_root; then
--- a/scripts/install-nix-from-tarball.sh
+++ b/scripts/install-nix-from-tarball.sh
@@ -26,10 +26,8 @@ if [ -z "$HOME" ]; then
    exit 1
 fi

-OS="$(uname -s)"
-
 # macOS support for 10.12.6 or higher
-if [ "$OS" = "Darwin" ]; then
+if [ "$(uname -s)" = "Darwin" ]; then
    IFS='.' read -r macos_major macos_minor macos_patch << EOF
 $(sw_vers -productVersion)
 EOF
@@ -41,11 +39,11 @@ EOF
 fi

 # Determine if we could use the multi-user installer or not
-if [ "$OS" = "Linux" ] || [ "$OS" = "FreeBSD" ]; then
-    echo "Note: a multi-user installation is possible. See https://nix.dev/manual/nix/stable/installation/installing-binary.html#multi-user-installation" >&2
+if [ "$(uname -s)" = "Linux" ]; then
+    echo "Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation" >&2
 fi

-case "$OS" in
+case "$(uname -s)" in
    "Darwin")
        INSTALL_MODE=daemon;;
    *)
@@ -62,7 +60,7 @@ while [ $# -gt 0 ]; do
            ACTION=install
            ;;
        --no-daemon)
-            if [ "$OS" = "Darwin" ]; then
+            if [ "$(uname -s)" = "Darwin" ]; then
                printf '\e[1;31mError: --no-daemon installs are no-longer supported on Darwin/macOS!\e[0m\n' >&2
                exit 1
            fi
@@ -98,7 +96,7 @@ while [ $# -gt 0 ]; do
                echo "              providing multi-user support and better isolation for local builds."
                echo "              Both for security and reproducibility, this method is recommended if"
                echo "              supported on your platform."
-                echo "              See https://nix.dev/manual/nix/stable/installation/installing-binary.html#multi-user-installation"
+                echo "              See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation"
                echo ""
                echo " --no-daemon: Simple, single-user installation that does not require root and is"
                echo "              trivial to uninstall."
@@ -125,13 +123,6 @@ while [ $# -gt 0 ]; do
 done

 if [ "$INSTALL_MODE" = "daemon" ]; then
-    # Check for bash on systems that don't have it by default
-    if [ "$OS" = "FreeBSD" ] && ! command -v bash >/dev/null 2>&1; then
-        printf '\e[1;31mError: bash is required for multi-user installation but was not found.\e[0m\n' >&2
-        printf 'Please install bash first:\n' >&2
-        printf '  pkg install bash\n' >&2
-        exit 1
-    fi
    printf '\e[1;31mSwitching to the Multi-user Installer\e[0m\n'
    exec "$self/install-multi-user" $ACTION
    exit 0
@@ -153,7 +144,7 @@ if ! [ -e "$dest" ]; then
 fi

 if ! [ -w "$dest" ]; then
-    echo "$0: directory $dest exists, but is not writable by you. This could indicate that another user has already performed a single-user installation of Nix on this system. If you wish to enable multi-user support see https://nix.dev/manual/nix/stable/installation/multi-user.html. If you wish to continue with a single-user install for $USER please run 'chown -R $USER $dest' as root." >&2
+    echo "$0: directory $dest exists, but is not writable by you. This could indicate that another user has already performed a single-user installation of Nix on this system. If you wish to enable multi-user support see https://nixos.org/manual/nix/stable/installation/multi-user.html. If you wish to continue with a single-user install for $USER please run 'chown -R $USER $dest' as root." >&2
    exit 1
 fi

@@ -176,7 +167,7 @@ for i in $(cd "$self/store" >/dev/null && echo ./*); do
        rm -rf "$i_tmp"
    fi
    if ! [ -e "$dest/store/$i" ]; then
-        if [ "$OS" = "Darwin" ] || [ "$OS" = "FreeBSD" ]; then
+        if [ "$(uname -s)" = "Darwin" ]; then
            cp -RPp "$self/store/$i" "$i_tmp"
        else
            cp -RP --preserve=ownership,timestamps "$self/store/$i" "$i_tmp"
--- a/scripts/meson.build
+++ b/scripts/meson.build
@@ -2,19 +2,19 @@ configure_file(
  input : 'nix-profile.sh.in',
  output : 'nix-profile.sh',
  configuration : {
-    'localstatedir' : localstatedir,
-  },
+    'localstatedir': localstatedir,
+  }
 )

 foreach rc : [ '.sh', '.fish', '-daemon.sh', '-daemon.fish' ]
  configure_file(
-    input : 'nix-profile' + rc + '.in',
+    input : 'nix-profile' + rc  + '.in',
    output : 'nix' + rc,
    install : true,
    install_dir : get_option('profile-dir'),
    install_mode : 'rw-r--r--',
    configuration : {
-      'localstatedir' : localstatedir,
+      'localstatedir': localstatedir,
    },
  )
 endforeach
--- a/ci/gha/tests/prepare-installer-for-github-actions
+++ b/ci/gha/tests/prepare-installer-for-github-actions
--- a/scripts/serve-installer-for-github-actions
+++ b/scripts/serve-installer-for-github-actions
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+if [[ ! -d out ]]; then
+  echo "run prepare-installer-for-github-actions first"
+  exit 1
+fi
+cd out
+PORT=${PORT:-8126}
+nohup python -m http.server "$PORT" >/dev/null 2>&1 &
+pid=$!
+
+while ! curl -s "http://localhost:$PORT"; do
+  sleep 1
+  if ! kill -0 $pid; then
+    echo "Failed to start http server"
+    exit 1
+  fi
+done
+
+echo 'To install nix, run the following command:'
+echo "sh <(curl http://localhost:$PORT/install) --tarball-url-prefix http://localhost:$PORT"
--- a/src/nix/build-remote/build-remote.cc
+++ b/src/nix/build-remote/build-remote.cc
@@ -22,7 +22,6 @@
 #include "nix/store/local-store.hh"
 #include "nix/cmd/legacy.hh"
 #include "nix/util/experimental-features.hh"
-#include "nix/store/globals.hh"

 using namespace nix;
 using std::cin;
--- a/src/external-api-docs/meson.build
+++ b/src/external-api-docs/meson.build
@@ -1,5 +1,4 @@
-project(
-  'nix-external-api-docs',
+project('nix-external-api-docs',
  version : files('.version'),
  meson_version : '>= 1.1',
  license : 'LGPL-2.1-or-later',
@@ -11,7 +10,7 @@ doxygen_cfg = configure_file(
  input : 'doxygen.cfg.in',
  output : 'doxygen.cfg',
  configuration : {
-    'PROJECT_NUMBER' : meson.project_version(),
+    'PROJECT_NUMBER': meson.project_version(),
    'OUTPUT_DIRECTORY' : meson.current_build_dir(),
    'src' : fs.parent(fs.parent(meson.project_source_root())),
  },
@@ -21,7 +20,7 @@ doxygen = find_program('doxygen', native : true, required : true)

 custom_target(
  'external-api-docs',
-  command : [ doxygen, doxygen_cfg ],
+  command : [ doxygen , doxygen_cfg ],
  input : [
    doxygen_cfg,
  ],
--- a/src/internal-api-docs/doxygen.cfg.in
+++ b/src/internal-api-docs/doxygen.cfg.in
@@ -57,7 +57,9 @@ INPUT                  = \
  @src@/libutil/args \
  @src@/libutil-tests \
  @src@/libutil-test-support/tests \
-  @src@/nix
+  @src@/nix \
+  @src@/nix-env \
+  @src@/nix-store

 # If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
 # in the source code. If set to NO, only conditional compilation will be
--- a/src/internal-api-docs/meson.build
+++ b/src/internal-api-docs/meson.build
@@ -1,5 +1,4 @@
-project(
-  'nix-internal-api-docs',
+project('nix-internal-api-docs',
  version : files('.version'),
  meson_version : '>= 1.1',
  license : 'LGPL-2.1-or-later',
@@ -11,7 +10,7 @@ doxygen_cfg = configure_file(
  input : 'doxygen.cfg.in',
  output : 'doxygen.cfg',
  configuration : {
-    'PROJECT_NUMBER' : meson.project_version(),
+    'PROJECT_NUMBER': meson.project_version(),
    'OUTPUT_DIRECTORY' : meson.current_build_dir(),
    'BUILD_ROOT' : meson.build_root(),
    'src' : fs.parent(fs.parent(meson.project_source_root())) / 'src',
@@ -22,7 +21,7 @@ doxygen = find_program('doxygen', native : true, required : true)

 custom_target(
  'internal-api-docs',
-  command : [ doxygen, doxygen_cfg ],
+  command : [ doxygen , doxygen_cfg ],
  input : [
    doxygen_cfg,
  ],
--- a/src/libcmd/common-eval-args.cc
+++ b/src/libcmd/common-eval-args.cc
@@ -15,7 +15,6 @@
 #include "nix/fetchers/fetch-to-store.hh"
 #include "nix/cmd/compatibility-settings.hh"
 #include "nix/expr/eval-settings.hh"
-#include "nix/store/globals.hh"

 namespace nix {

--- a/src/libcmd/include/nix/cmd/common-eval-args.hh
+++ b/src/libcmd/include/nix/cmd/common-eval-args.hh
@@ -82,7 +82,7 @@ private:
 };

 /**
- * @param baseDir Optional [base directory](https://nix.dev/manual/nix/development/glossary#gloss-base-directory)
+ * @param baseDir Optional [base directory](https://nixos.org/manual/nix/unstable/glossary#gloss-base-directory)
 */
 SourcePath lookupFileArg(EvalState & state, std::string_view s, const Path * baseDir = nullptr);

--- a/src/libcmd/include/nix/cmd/meson.build
+++ b/src/libcmd/include/nix/cmd/meson.build
@@ -1,6 +1,6 @@
 # Public headers directory

-include_dirs = [ include_directories('../..') ]
+include_dirs = [include_directories('../..')]

 headers = files(
  'built-path.hh',
--- a/src/libcmd/installables.cc
+++ b/src/libcmd/installables.cc
@@ -178,16 +178,10 @@ MixFlakeOptions::MixFlakeOptions()
            for (auto & [inputName, input] : flake.lockFile.root->inputs) {
                auto input2 = flake.lockFile.findInput({inputName}); // resolve 'follows' nodes
                if (auto input3 = std::dynamic_pointer_cast<const flake::LockedNode>(input2)) {
-                    fetchers::Attrs extraAttrs;
-
-                    if (!input3->lockedRef.subdir.empty()) {
-                        extraAttrs["dir"] = input3->lockedRef.subdir;
-                    }
-
                    overrideRegistry(
                        fetchers::Input::fromAttrs(fetchSettings, {{"type", "indirect"}, {"id", inputName}}),
                        input3->lockedRef.input,
-                        extraAttrs);
+                        {});
                }
            }
        }},
--- a/src/libcmd/markdown.cc
+++ b/src/libcmd/markdown.cc
@@ -37,17 +37,9 @@ static std::string doRenderMarkdownToTerminal(std::string_view markdown)
        .vmargin = 0,
 #  endif
        .feat = LOWDOWN_COMMONMARK | LOWDOWN_FENCED | LOWDOWN_DEFLIST | LOWDOWN_TABLES,
-        .oflags =
-#  if HAVE_LOWDOWN_1_4
-            LOWDOWN_TERM_NORELLINK // To render full links while skipping relative ones
-#  else
-            LOWDOWN_TERM_NOLINK
-#  endif
+        .oflags = LOWDOWN_TERM_NOLINK,
    };

-    if (!isTTY())
-        opts.oflags |= LOWDOWN_TERM_NOANSI;
-
    auto doc = lowdown_doc_new(&opts);
    if (!doc)
        throw Error("cannot allocate Markdown document");
@@ -73,7 +65,7 @@ static std::string doRenderMarkdownToTerminal(std::string_view markdown)
    if (!rndr_res)
        throw Error("allocation error while rendering Markdown");

-    return std::string(buf->data, buf->size);
+    return filterANSIEscapes(std::string(buf->data, buf->size), !isTTY());
 }

 std::string renderMarkdownToTerminal(std::string_view markdown)
--- a/src/libcmd/meson.build
+++ b/src/libcmd/meson.build
@@ -1,9 +1,7 @@
-project(
-  'nix-cmd',
-  'cpp',
+project('nix-cmd', 'cpp',
  version : files('.version'),
  default_options : [
-    'cpp_std=c++23',
+    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
    'errorlogs=true', # Please print logs for tests that fail
@@ -18,7 +16,8 @@ subdir('nix-meson-build-support/deps-lists')

 configdata = configuration_data()

-deps_private_maybe_subproject = []
+deps_private_maybe_subproject = [
+]
 deps_public_maybe_subproject = [
  dependency('nix-util'),
  dependency('nix-store'),
@@ -32,18 +31,11 @@ subdir('nix-meson-build-support/subprojects')
 nlohmann_json = dependency('nlohmann_json', version : '>= 3.9')
 deps_public += nlohmann_json

-lowdown = dependency(
-  'lowdown',
-  version : '>= 0.9.0',
-  required : get_option('markdown'),
-)
+lowdown = dependency('lowdown', version : '>= 0.9.0', required : get_option('markdown'))
 deps_private += lowdown
 configdata.set('HAVE_LOWDOWN', lowdown.found().to_int())
 # The API changed slightly around terminal initialization.
-configdata.set(
-  'HAVE_LOWDOWN_1_4',
-  lowdown.version().version_compare('>= 1.4.0').to_int(),
-)
+configdata.set('HAVE_LOWDOWN_1_4', lowdown.version().version_compare('>= 1.4.0').to_int())

 readline_flavor = get_option('readline-flavor')
 if readline_flavor == 'editline'
@@ -58,7 +50,7 @@ endif
 configdata.set(
  'USE_READLINE',
  (readline_flavor == 'readline').to_int(),
-  description : 'Use readline instead of editline',
+  description: 'Use readline instead of editline',
 )

 config_priv_h = configure_file(
@@ -97,10 +89,9 @@ this_library = library(
  config_priv_h,
  dependencies : deps_public + deps_private + deps_other,
  include_directories : include_dirs,
-  link_args : linker_export_flags,
+  link_args: linker_export_flags,
  prelink : true, # For C++ static initializers
  install : true,
-  cpp_pch : do_pch ? [ 'pch/precompiled-headers.hh' ] : [],
 )

 install_headers(headers, subdir : 'nix/cmd', preserve_path : true)
--- a/src/libcmd/meson.options
+++ b/src/libcmd/meson.options
@@ -2,14 +2,14 @@

 option(
  'markdown',
-  type : 'feature',
-  description : 'Enable Markdown rendering in the Nix binary (requires lowdown)',
+  type: 'feature',
+  description: 'Enable Markdown rendering in the Nix binary (requires lowdown)',
 )

 option(
  'readline-flavor',
  type : 'combo',
-  choices : [ 'editline', 'readline' ],
+  choices : ['editline', 'readline'],
  value : 'editline',
  description : 'Which library to use for nice line editing with the Nix language REPL',
 )
--- a/src/libcmd/package.nix
+++ b/src/libcmd/package.nix
@@ -53,8 +53,7 @@ mkMesonLibrary (finalAttrs: {

  buildInputs = [
    ({ inherit editline readline; }.${readlineFlavor})
-  ]
-  ++ lib.optional enableMarkdown lowdown;
+  ] ++ lib.optional enableMarkdown lowdown;

  propagatedBuildInputs = [
    nix-util
--- a/src/libcmd/pch/precompiled-headers.hh
+++ b/src/libcmd/pch/precompiled-headers.hh
@@ -1,4 +0,0 @@
-#include "nix/cmd/installables.hh"
-#include "nix/expr/eval.hh"
-#include "nix/util/util.hh"
-#include "nix/flake/flake.hh"
--- a/src/libcmd/repl.cc
+++ b/src/libcmd/repl.cc
@@ -574,15 +574,14 @@ ProcessLineResult NixRepl::processLine(std::string line)
            for (auto & sub : subs) {
                auto * logSubP = dynamic_cast<LogStore *>(&*sub);
                if (!logSubP) {
-                    printInfo(
-                        "Skipped '%s' which does not support retrieving build logs", sub->config.getHumanReadableURI());
+                    printInfo("Skipped '%s' which does not support retrieving build logs", sub->getUri());
                    continue;
                }
                auto & logSub = *logSubP;

                auto log = logSub.getBuildLog(drvPath);
                if (log) {
-                    printInfo("got build log for '%s' from '%s'", drvPathRaw, logSub.config.getHumanReadableURI());
+                    printInfo("got build log for '%s' from '%s'", drvPathRaw, logSub.getUri());
                    logger->writeToStdout(*log);
                    foundLog = true;
                    break;
@@ -669,7 +668,7 @@ ProcessLineResult NixRepl::processLine(std::string line)
                ss << "No documentation found.\n\n";
            }

-            auto markdown = ss.view();
+            auto markdown = toView(ss);
            logger->cout(trim(renderMarkdownToTerminal(markdown)));

        } else
@@ -916,7 +915,6 @@ ReplExitStatus AbstractNixRepl::runSimple(ref<EvalState> evalState, const ValMap
        return values;
    };
    LookupPath lookupPath = {};
-    // NOLINTNEXTLINE(clang-analyzer-cplusplus.NewDelete)
    auto repl = std::make_unique<NixRepl>(
        lookupPath,
        openStore(),
--- a/src/libexpr-c/meson.build
+++ b/src/libexpr-c/meson.build
@@ -1,9 +1,7 @@
-project(
-  'nix-expr-c',
-  'cpp',
+project('nix-expr-c', 'cpp',
  version : files('.version'),
  default_options : [
-    'cpp_std=c++23',
+    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
    'errorlogs=true', # Please print logs for tests that fail
@@ -35,7 +33,7 @@ sources = files(
  'nix_api_value.cc',
 )

-include_dirs = [ include_directories('.') ]
+include_dirs = [include_directories('.')]

 headers = files(
  'nix_api_expr.h',
@@ -52,7 +50,7 @@ this_library = library(
  sources,
  dependencies : deps_public + deps_private + deps_other,
  include_directories : include_dirs,
-  link_args : linker_export_flags,
+  link_args: linker_export_flags,
  prelink : true, # For C++ static initializers
  install : true,
 )
--- a/src/libexpr-test-support/include/nix/expr/tests/meson.build
+++ b/src/libexpr-test-support/include/nix/expr/tests/meson.build
@@ -6,4 +6,5 @@ headers = files(
  'libexpr.hh',
  'nix_api_expr.hh',
  'value/context.hh',
+  # hack for trailing newline
 )
--- a/src/libexpr-test-support/meson.build
+++ b/src/libexpr-test-support/meson.build
@@ -1,9 +1,7 @@
-project(
-  'nix-expr-test-support',
-  'cpp',
+project('nix-expr-test-support', 'cpp',
  version : files('.version'),
  default_options : [
-    'cpp_std=c++23',
+    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
    'errorlogs=true', # Please print logs for tests that fail
@@ -16,7 +14,8 @@ cxx = meson.get_compiler('cpp')

 subdir('nix-meson-build-support/deps-lists')

-deps_private_maybe_subproject = []
+deps_private_maybe_subproject = [
+]
 deps_public_maybe_subproject = [
  dependency('nix-util'),
  dependency('nix-util-test-support'),
@@ -48,7 +47,7 @@ this_library = library(
  include_directories : include_dirs,
  # TODO: Remove `-lrapidcheck` when https://github.com/emil-e/rapidcheck/pull/326
  #       is available. See also ../libutil/build.meson
-  link_args : linker_export_flags + [ '-lrapidcheck' ],
+  link_args: linker_export_flags + ['-lrapidcheck'],
  prelink : true, # For C++ static initializers
  install : true,
 )
--- a/src/libexpr-test-support/tests/value/context.cc
+++ b/src/libexpr-test-support/tests/value/context.cc
@@ -1,4 +1,3 @@
-#include <exception> // Needed by rapidcheck on Darwin
 #include <rapidcheck.h>

 #include "nix/store/tests/path.hh"
--- a/src/libexpr-tests/derived-path.cc
+++ b/src/libexpr-tests/derived-path.cc
@@ -1,6 +1,5 @@
 #include <nlohmann/json.hpp>
 #include <gtest/gtest.h>
-#include <exception> // Needed by rapidcheck on Darwin
 #include <rapidcheck/gtest.h>

 #include "nix/store/tests/derived-path.hh"
--- a/src/libexpr-tests/meson.build
+++ b/src/libexpr-tests/meson.build
@@ -1,9 +1,7 @@
-project(
-  'nix-expr-tests',
-  'cpp',
+project('nix-expr-tests', 'cpp',
  version : files('.version'),
  default_options : [
-    'cpp_std=c++23',
+    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
    'errorlogs=true', # Please print logs for tests that fail
@@ -21,7 +19,8 @@ deps_private_maybe_subproject = [
  dependency('nix-expr-c'),
  dependency('nix-expr-test-support'),
 ]
-deps_public_maybe_subproject = []
+deps_public_maybe_subproject = [
+]
 subdir('nix-meson-build-support/subprojects')

 subdir('nix-meson-build-support/export-all-symbols')
@@ -63,7 +62,7 @@ sources = files(
  'value/value.cc',
 )

-include_dirs = [ include_directories('.') ]
+include_dirs = [include_directories('.')]


 this_exe = executable(
@@ -73,16 +72,15 @@ this_exe = executable(
  dependencies : deps_private_subproject + deps_private + deps_other,
  include_directories : include_dirs,
  # TODO: -lrapidcheck, see ../libutil-support/build.meson
-  link_args : linker_export_flags + [ '-lrapidcheck' ],
+  link_args: linker_export_flags + ['-lrapidcheck'],
  install : true,
-  cpp_pch : do_pch ? [ 'pch/precompiled-headers.hh' ] : [],
 )

 test(
  meson.project_name(),
  this_exe,
  env : {
-    '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
+    '_NIX_TEST_UNIT_DATA': meson.current_source_dir() / 'data',
  },
  protocol : 'gtest',
 )
--- a/src/libexpr-tests/pch/precompiled-headers.hh
+++ b/src/libexpr-tests/pch/precompiled-headers.hh
@@ -1,4 +0,0 @@
-#include "nix/expr/tests/libexpr.hh"
-
-#include <gtest/gtest.h>
-#include <gmock/gmock.h>
--- a/src/libexpr/eval-cache.cc
+++ b/src/libexpr/eval-cache.cc
@@ -4,7 +4,6 @@
 #include "nix/expr/eval.hh"
 #include "nix/expr/eval-inline.hh"
 #include "nix/store/store-api.hh"
-#include "nix/store/globals.hh"
 // Need specialization involving `SymbolStr` just in this one module.
 #include "nix/util/strings-inline.hh"

@@ -70,10 +69,10 @@ struct AttrDb
    {
        auto state(_state->lock());

-        auto cacheDir = std::filesystem::path(getCacheDir()) / "eval-cache-v6";
+        Path cacheDir = getCacheDir() + "/eval-cache-v5";
        createDirs(cacheDir);

-        auto dbPath = cacheDir / (fingerprint.to_string(HashFormat::Base16, false) + ".sqlite");
+        Path dbPath = cacheDir + "/" + fingerprint.to_string(HashFormat::Base16, false) + ".sqlite";

        state->db = SQLite(dbPath);
        state->db.isCache();
--- a/src/libexpr/eval-gc.cc
+++ b/src/libexpr/eval-gc.cc
@@ -15,6 +15,8 @@
 #    include <pthread_np.h>
 #  endif

+#  include <gc/gc.h>
+#  include <gc/gc_cpp.h>
 #  include <gc/gc_allocator.h>

 #  include <boost/coroutine2/coroutine.hpp>
@@ -51,9 +53,6 @@ static inline void initGCReal()

    GC_INIT();

-    /* Enable parallel marking. */
-    GC_allow_register_threads();
-
    /* Register valid displacements in case we are using alignment niches
       for storing the type information. This way tagged pointers are considered
       to be valid, even when they are not aligned. */
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Eelco Dolstra	1de323e9df	Merge branch 'master' (reformat)	2025-07-23 21:23:25 +02:00
Eelco Dolstra	4eb2df09d1	Merge branch 'master' (pre-reformat)	2025-07-23 21:23:16 +02:00
Eelco Dolstra	3dc1b99be5	AllowListSourceAccessor: Make thread-safe	2025-07-15 19:44:13 +02:00
@@ -1 +1 @@
 .31.4
 .31.0