Add rl-next/c-api-recoverable-errors

libexpr: Add recoverable errors
This provides an explicit API for call-fail-retry-succeed evaluation flows, such as currently used in NixOps4. An alternative design would simply reset the `Value` to the original thunk instead of `tFailed` under the condition of catching a `RecoverableEvalError`. That is somewhat simpler, but I believe the presence of `tFailed` is beneficial for possible use in the repl; being able to show the error sooner, without re-evaluation. The hasPos method and isEmpty function are required in order to avoid an include loop.
2025-09-10 12:49:41 +02:00 · 2025-09-10 12:49:41 +02:00 · 2025-09-10 12:49:41 +02:00 · 2025-09-10 12:49:41 +02:00 · 2025-09-10 12:49:41 +02:00 · 2025-09-10 10:52:05 +02:00
209 changed files with 4591 additions and 3137 deletions
--- a/.github/actions/install-nix-action/action.yaml
+++ b/.github/actions/install-nix-action/action.yaml
@@ -4,29 +4,15 @@ inputs:
  dogfood:
    description: "Whether to use Nix installed from the latest artifact from master branch"
    required: true # Be explicit about the fact that we are using unreleased artifacts
-  experimental-installer:
-    description: "Whether to use the experimental installer to install Nix"
-    default: false
-  experimental-installer-version:
-    description: "Version of the experimental installer to use. If `latest`, the newest artifact from the default branch is used."
-    # TODO: This should probably be pinned to a release after https://github.com/NixOS/experimental-nix-installer/pull/49 lands in one
-    default: "latest"
  extra_nix_config:
    description: "Gets appended to `/etc/nix/nix.conf` if passed."
  install_url:
    description: "URL of the Nix installer"
    required: false
    default: "https://releases.nixos.org/nix/nix-2.30.2/install"
-  tarball_url:
-    description: "URL of the Nix tarball to use with the experimental installer"
-    required: false
  github_token:
    description: "Github token"
    required: true
-  use_cache:
-    description: "Whether to setup magic-nix-cache"
-    default: true
-    required: false
 runs:
  using: "composite"
  steps:
@@ -51,81 +37,14 @@ runs:

        gh run download "$RUN_ID" --repo "$DOGFOOD_REPO" -n "$INSTALLER_ARTIFACT" -D "$INSTALLER_DOWNLOAD_DIR"
        echo "installer-path=file://$INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
-        TARBALL_PATH="$(find "$INSTALLER_DOWNLOAD_DIR" -name 'nix*.tar.xz' -print | head -n 1)"
-        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"

        echo "::notice ::Dogfooding Nix installer from master (https://github.com/$DOGFOOD_REPO/actions/runs/$RUN_ID)"
      env:
        GH_TOKEN: ${{ inputs.github_token }}
        DOGFOOD_REPO: "NixOS/nix"
-    - name: "Gather system info for experimental installer"
-      shell: bash
-      if: ${{ inputs.experimental-installer == 'true' }}
-      run: |
-        echo "::notice Using experimental installer from $EXPERIMENTAL_INSTALLER_REPO (https://github.com/$EXPERIMENTAL_INSTALLER_REPO)"
-
-        if [ "$RUNNER_OS" == "Linux" ]; then
-          EXPERIMENTAL_INSTALLER_SYSTEM="linux"
-          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-        elif [ "$RUNNER_OS" == "macOS" ]; then
-          EXPERIMENTAL_INSTALLER_SYSTEM="darwin"
-          echo "EXPERIMENTAL_INSTALLER_SYSTEM=$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-        else
-          echo "::error ::Unsupported RUNNER_OS: $RUNNER_OS"
-          exit 1
-        fi
-
-        if [ "$RUNNER_ARCH" == "X64" ]; then
-          EXPERIMENTAL_INSTALLER_ARCH=x86_64
-          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
-        elif [ "$RUNNER_ARCH" == "ARM64" ]; then
-          EXPERIMENTAL_INSTALLER_ARCH=aarch64
-          echo "EXPERIMENTAL_INSTALLER_ARCH=$EXPERIMENTAL_INSTALLER_ARCH" >> "$GITHUB_ENV"
-        else
-          echo "::error ::Unsupported RUNNER_ARCH: $RUNNER_ARCH"
-          exit 1
-        fi
-
-        echo "EXPERIMENTAL_INSTALLER_ARTIFACT=nix-installer-$EXPERIMENTAL_INSTALLER_ARCH-$EXPERIMENTAL_INSTALLER_SYSTEM" >> "$GITHUB_ENV"
-      env:
-        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
-    - name: "Download latest experimental installer"
-      shell: bash
-      id: download-latest-experimental-installer
-      if: ${{ inputs.experimental-installer == 'true' && inputs.experimental-installer-version == 'latest' }}
-      run: |
-        RUN_ID=$(gh run list --repo "$EXPERIMENTAL_INSTALLER_REPO" --workflow ci.yml --branch main --status success --json databaseId --jq ".[0].databaseId")
-
-        EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR="$GITHUB_WORKSPACE/$EXPERIMENTAL_INSTALLER_ARTIFACT"
-        mkdir -p "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
-
-        gh run download "$RUN_ID" --repo "$EXPERIMENTAL_INSTALLER_REPO" -n "$EXPERIMENTAL_INSTALLER_ARTIFACT" -D "$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR"
-        # Executable permissions are lost in artifacts
-        find $EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR -type f -exec chmod +x {} +
-        echo "installer-path=$EXPERIMENTAL_INSTALLER_DOWNLOAD_DIR" >> "$GITHUB_OUTPUT"
-      env:
-        GH_TOKEN: ${{ inputs.github_token }}
-        EXPERIMENTAL_INSTALLER_REPO: "NixOS/experimental-nix-installer"
    - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
-      if: ${{ inputs.experimental-installer != 'true' }}
      with:
        # Ternary operator in GHA: https://www.github.com/actions/runner/issues/409#issuecomment-752775072
        install_url: ${{ inputs.dogfood == 'true' && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
        install_options: ${{ inputs.dogfood == 'true' && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
        extra_nix_config: ${{ inputs.extra_nix_config }}
-    - uses: DeterminateSystems/nix-installer-action@786fff0690178f1234e4e1fe9b536e94f5433196 # v20
-      if: ${{ inputs.experimental-installer == 'true' }}
-      with:
-        diagnostic-endpoint: ""
-        # TODO: It'd be nice to use `artifacts.nixos.org` for both of these, maybe through an `/experimental-installer/latest` endpoint? or `/commit/<hash>`?
-        local-root: ${{ inputs.experimental-installer-version == 'latest' && steps.download-latest-experimental-installer.outputs.installer-path || '' }}
-        source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
-        nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
-        extra-conf: ${{ inputs.extra_nix_config }}
-    - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
-      if: ${{ inputs.use_cache == 'true' }}
-      with:
-        diagnostic-endpoint: ''
-        use-flakehub: false
-        use-gha-cache: true
-        source-revision: 92d9581367be2233c2d5714a2640e1339f4087d8 # main
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,6 @@ jobs:
        extra_nix_config:
          experimental-features = nix-command flakes
        github_token: ${{ secrets.GITHUB_TOKEN }}
-        use_cache: false
    - run: nix flake show --all-systems --json

  tests:
@@ -66,6 +65,7 @@ jobs:
        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
        # The sandbox would otherwise be disabled by default on Darwin
        extra_nix_config: "sandbox = true"
+    - uses: DeterminateSystems/magic-nix-cache-action@main
    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
@@ -140,20 +140,78 @@ jobs:
    - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
    - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"

+  # Steps to test CI automation in your own fork.
+  # 1. Sign-up for https://hub.docker.com/
+  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
+  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
+  check_secrets:
+    permissions:
+      contents: none
+    name: Check presence of secrets
+    runs-on: ubuntu-24.04
+    outputs:
+      docker: ${{ steps.secret.outputs.docker }}
+    steps:
+      - name: Check for DockerHub secrets
+        id: secret
+        env:
+          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
+
  docker_push_image:
-    name: Push docker image to DockerHub and GHCR
-    needs: [tests, vm_tests]
-    if: github.event_name == 'push' && github.ref_name == 'master'
-    uses: ./.github/workflows/docker-push.yml
-    with:
-      ref: ${{ github.sha }}
-      is_master: true
+    needs: [tests, vm_tests, check_secrets]
    permissions:
      contents: read
      packages: write
-    secrets:
-      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
-      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+    if: >-
+      needs.check_secrets.outputs.docker == 'true' &&
+      github.event_name == 'push' &&
+      github.ref_name == 'master'
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
+    - uses: cachix/install-nix-action@v31
+      with:
+        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
+    - uses: DeterminateSystems/magic-nix-cache-action@main
+    - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
+    - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
+    - run: docker load -i ./result/image.tar.gz
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
+    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
+    #
+    # Push to Docker Hub first
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
+    # Push to GitHub Container Registry as well
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Push image
+      run: |
+        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
+        # Change all uppercase to lowercase
+        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
+
+        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
+        docker tag nix:$NIX_VERSION $IMAGE_ID:latest
+        docker push $IMAGE_ID:$NIX_VERSION
+        docker push $IMAGE_ID:latest
+        # deprecated 2024-02-24
+        docker tag nix:$NIX_VERSION $IMAGE_ID:master
+        docker push $IMAGE_ID:master

  vm_tests:
    runs-on: ubuntu-24.04
@@ -196,6 +254,7 @@ jobs:
          extra_nix_config:
            experimental-features = nix-command flakes
          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh

  profile_build:
@@ -216,6 +275,7 @@ jobs:
        extra_nix_config: |
          experimental-features = flakes nix-command ca-derivations impure-derivations
          max-jobs = 1
+    - uses: DeterminateSystems/magic-nix-cache-action@main
    - run: |
        nix build -L --file ./ci/gha/profile-build buildTimeReport --out-link build-time-report.md
        cat build-time-report.md >> $GITHUB_STEP_SUMMARY
--- a/.github/workflows/docker-push.yml
+++ b/.github/workflows/docker-push.yml
@@ -1,101 +0,0 @@
-name: "Push Docker Image"
-
-on:
-  workflow_call:
-    inputs:
-      ref:
-        description: "Git ref to build the docker image from"
-        required: true
-        type: string
-      is_master:
-        description: "Whether run from master branch"
-        required: true
-        type: boolean
-    secrets:
-      DOCKERHUB_USERNAME:
-        required: true
-      DOCKERHUB_TOKEN:
-        required: true
-
-permissions: {}
-
-jobs:
-  # Steps to test CI automation in your own fork.
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check presence of secrets
-    runs-on: ubuntu-24.04
-    outputs:
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for DockerHub secrets
-        id: secret
-        env:
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
-
-  push:
-    name: Push docker image to DockerHub and GHCR
-    needs: [check_secrets]
-    permissions:
-      contents: read
-      packages: write
-    if: needs.check_secrets.outputs.docker == 'true'
-    runs-on: ubuntu-24.04
-    steps:
-    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        fetch-depth: 0
-        ref: ${{ inputs.ref }}
-    - uses: ./.github/actions/install-nix-action
-      with:
-        dogfood: false
-        extra_nix_config: |
-          experimental-features = flakes nix-command
-    - run: echo NIX_VERSION="$(nix eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
-    - run: nix build .#dockerImage -L
-    - run: docker load -i ./result/image.tar.gz
-    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
-    #
-    # Push to Docker Hub first
-    - name: Login to Docker Hub
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - name: Push to Docker Hub
-      env:
-        IS_MASTER: ${{ inputs.is_master }}
-        DOCKERHUB_REPO: ${{ secrets.DOCKERHUB_USERNAME }}/nix
-      run: |
-        docker tag nix:$NIX_VERSION $DOCKERHUB_REPO:$NIX_VERSION
-        docker push $DOCKERHUB_REPO:$NIX_VERSION
-        if [ "$IS_MASTER" = "true" ]; then
-          docker tag nix:$NIX_VERSION $DOCKERHUB_REPO:master
-          docker push $DOCKERHUB_REPO:master
-        fi
-    # Push to GitHub Container Registry as well
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Push to GHCR
-      env:
-        IS_MASTER: ${{ inputs.is_master }}
-      run: |
-        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
-        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-
-        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
-        docker push $IMAGE_ID:$NIX_VERSION
-        if [ "$IS_MASTER" = "true" ]; then
-          docker tag nix:$NIX_VERSION $IMAGE_ID:master
-          docker push $IMAGE_ID:master
-        fi
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -18,7 +18,7 @@ jobs:
    runs-on: ubuntu-24.04
    if: github.repository_owner == 'NixOS'
    steps:
-    - uses: actions/labeler@v5
+    - uses: actions/labeler@v6
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
        sync-labels: false
--- a/.github/workflows/upload-release.yml
+++ b/.github/workflows/upload-release.yml
@@ -1,69 +0,0 @@
-name: Upload Release
-on:
-  workflow_dispatch:
-    inputs:
-      eval_id:
-        description: "Hydra evaluation ID"
-        required: true
-        type: number
-      is_latest:
-        description: "Mark as latest release"
-        required: false
-        type: boolean
-        default: false
-permissions:
-  contents: read
-  id-token: write
-  packages: write
-jobs:
-  release:
-    runs-on: ubuntu-24.04
-    environment: releases
-    steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: ./.github/actions/install-nix-action
-        with:
-          dogfood: false # Use stable version
-          use_cache: false # Don't want any cache injection shenanigans
-          extra_nix_config: |
-            experimental-features = nix-command flakes
-      - name: Set NIX_PATH from flake input
-        run: |
-          NIXPKGS_PATH=$(nix build --inputs-from .# nixpkgs#path --print-out-paths --no-link)
-          # Shebangs with perl have issues. Pin nixpkgs this way. nix shell should maybe
-          # get the same uberhack that nix-shell has to support it.
-          echo "NIX_PATH=nixpkgs=$NIXPKGS_PATH" >> "$GITHUB_ENV"
-      - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
-        with:
-          role-to-assume: "arn:aws:iam::080433136561:role/nix-release"
-          role-session-name: nix-release-oidc-${{ github.run_id }}
-          aws-region: eu-west-1
-      - name: Login to Docker Hub
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload release
-        run: |
-          ./maintainers/upload-release.pl \
-            ${{ inputs.eval_id }} \
-            --skip-git
-        env:
-          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}
-      - name: Push to GHCR
-        run: |
-          DOCKER_OWNER="ghcr.io/$(echo '${{ github.repository_owner }}' | tr '[A-Z]' '[a-z]')/nix"
-          ./maintainers/upload-release.pl \
-            ${{ inputs.eval_id }} \
-            --skip-git \
-            --skip-s3 \
-            --docker-owner "$DOCKER_OWNER"
-        env:
-          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -161,3 +161,14 @@ pull_request_rules:
        labels:
          - automatic backport
          - merge-queue
+
+  - name: backport patches to 2.31
+    conditions:
+      - label=backport 2.31-maintenance
+    actions:
+      backport:
+        branches:
+          - "2.31-maintenance"
+        labels:
+          - automatic backport
+          - merge-queue
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.31.3
+2.32.0
--- a/doc/manual/anchors.jq
+++ b/doc/manual/anchors.jq
@@ -24,15 +24,8 @@ def map_contents_recursively(transformer):
 def process_command:
    .[0] as $context |
    .[1] as $body |
-    # mdbook 0.5.x uses 'items' instead of 'sections'
-    if $body.items then
-        $body + {
-            items: $body.items | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
-        }
-    else
-        $body + {
-            sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
-        }
-    end;
+    $body + {
+        sections: $body.sections | map(map_contents_recursively(if $context.renderer == "html" then transform_anchors_html else transform_anchors_strip end)),
+    };

 process_command
--- a/doc/manual/book.toml.in
+++ b/doc/manual/book.toml.in
@@ -23,3 +23,12 @@ renderers = ["html"]
 command = "jq --from-file ./anchors.jq"

 [output.markdown]
+
+[output.linkcheck]
+# no Internet during the build (in the sandbox)
+follow-web-links = false
+
+# mdbook-linkcheck does not understand [foo]{#bar} style links, resulting in
+# excessive "Potential incomplete link" warnings. No other kind of warning was
+# produced at the time of writing.
+warning-policy = "ignore"
--- a/doc/manual/generate-store-types.nix
+++ b/doc/manual/generate-store-types.nix
@@ -24,9 +24,9 @@ let
    in
    concatStringsSep "\n" (map showEntry storesList);

-  "index.md" = replaceStrings [ "@store-types@" ] [ index ] (
-    readFile ./source/store/types/index.md.in
-  );
+  "index.md" =
+    replaceStrings [ "@store-types@" ] [ index ]
+      (readFile ./source/store/types/index.md.in);

  tableOfContents =
    let
--- a/doc/manual/package.nix
+++ b/doc/manual/package.nix
@@ -6,6 +6,7 @@
  ninja,
  lowdown-unsandboxed,
  mdbook,
+  mdbook-linkcheck,
  jq,
  python3,
  rsync,
@@ -50,6 +51,7 @@ mkMesonDerivation (finalAttrs: {
    ninja
    (lib.getBin lowdown-unsandboxed)
    mdbook
+    mdbook-linkcheck
    jq
    python3
    rsync
--- a/doc/manual/rl-next/c-api-recoverable-errors.md
+++ b/doc/manual/rl-next/c-api-recoverable-errors.md
@@ -0,0 +1,23 @@
+---
+synopsis: "C API: Errors returned from your primops are not treated as recoverable by default"
+prs: [13930]
+---
+
+Nix 2.32 by default remembers the error in the thunk that triggered it.
+
+Previously the following sequence of events worked:
+
+1. Have a thunk that invokes a primop that's defined through the C API
+2. The primop returns an error
+3. Force the thunk again
+4. The primop returns a value
+5. The thunk evaluated successfully
+
+**Resolution**
+
+C API consumers that rely on this must change their recoverable error calls:
+
+```diff
+-nix_set_err_msg(context, NIX_ERR_*, msg);
+nix_set_err_msg(context, NIX_ERR_RECOVERABLE, msg);
+```
--- a/doc/manual/rl-next/dropped-compat.md
+++ b/doc/manual/rl-next/dropped-compat.md
@@ -0,0 +1,6 @@
+---
+synopsis: "Removed support for daemons and clients older than Nix 2.0"
+prs: [13951]
+---
+
+We have dropped support in the daemon worker protocol for daemons and clients that don't speak at least version 18 of the protocol. This first Nix release that supports this version is Nix 2.0, released in February 2018.
--- a/doc/manual/source/development/building.md
+++ b/doc/manual/source/development/building.md
@@ -34,7 +34,7 @@ $ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
 To build Nix itself in this shell:

 ```console
-[nix-shell]$ mesonFlags+=" --prefix=$(pwd)/outputs/out"
+[nix-shell]$ out="$(pwd)/outputs/out" dev=$out debug=$out mesonFlags+=" --prefix=${out}"
 [nix-shell]$ dontAddPrefix=1 configurePhase
 [nix-shell]$ buildPhase
 ```
--- a/doc/manual/source/store/building.md
+++ b/doc/manual/source/store/building.md
@@ -12,11 +12,10 @@

 The [`builder`](./derivation/index.md#builder) is executed as follows:

- A temporary directory is created where the build will take place. The
+- A temporary directory is created under the directory specified by
+  `TMPDIR` (default `/tmp`) where the build will take place. The
  current directory is changed to this directory.

-  See the per-store [`build-dir`](@docroot@/store/types/local-store.md#store-local-store-build-dir) setting for more information.
-
 - The environment is cleared and set to the derivation attributes, as
  specified above.

--- a/doc/manual/substitute.py
+++ b/doc/manual/substitute.py
@@ -41,10 +41,6 @@ def recursive_replace(data: dict[str, t.Any], book_root: Path, search_path: Path
            return data | dict(
                sections = [recursive_replace(section, book_root, search_path) for section in sections],
            )
-        case {'items': items}:
-            return data | dict(
-                items = [recursive_replace(item, book_root, search_path) for item in items],
-            )
        case {'Chapter': chapter}:
            path_to_chapter = Path(chapter['path'])
            chapter_content = chapter['content']
--- a/docker.nix
+++ b/docker.nix
@@ -281,7 +281,10 @@ let

          # may get replaced by pkgs.dockerTools.caCertificates
          mkdir -p $out/etc/ssl/certs
+          # Old NixOS compatibility.
          ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
+          # NixOS canonical location
+          ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt

          cat $passwdContentsPath > $out/etc/passwd
          echo "" >> $out/etc/passwd
--- a/flake.lock
+++ b/flake.lock
@@ -63,16 +63,16 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1761597516,
-        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "lastModified": 1756178832,
+        "narHash": "sha256-O2CIn7HjZwEGqBrwu9EU76zlmA5dbmna7jL1XUmAId8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "rev": "d98ce345cdab58477ca61855540999c86577d19d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.05-small",
        "repo": "nixpkgs",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
  description = "The purely functional package manager";

-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05-small";

  inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
  inputs.nixpkgs-23-11.url = "github:NixOS/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446";
@@ -32,7 +32,7 @@
    let
      inherit (nixpkgs) lib;

-      officialRelease = true;
+      officialRelease = false;

      linux32BitSystems = [ "i686-linux" ];
      linux64BitSystems = [
--- a/maintainers/README.md
+++ b/maintainers/README.md
@@ -46,7 +46,7 @@ The team meets twice a week (times are denoted in the [Europe/Amsterdam](https:/
       - mark it as draft if it is blocked on the contributor
       - escalate it back to the team by moving it to To discuss, and leaving a comment as to why the issue needs to be discussed again.

- Work meeting: Mondays 14:00-16:00 Europe/Amsterdam see [calendar](https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com).
+- Work meeting: Mondays 18:00-20:00 Europe/Amsterdam; see [calendar](https://calendar.google.com/calendar/u/0/embed?src=b9o52fobqjak8oq8lfkhg3t0qg@group.calendar.google.com).

  1. Code review on pull requests from [In review](#in-review).
  2. Other chores and tasks.
--- a/maintainers/keys/158A6F530EA202E5F651611314FAEA63448E1DF9.asc
+++ b/maintainers/keys/158A6F530EA202E5F651611314FAEA63448E1DF9.asc
@@ -1,110 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGPtMiwBEAC0sFZW2QW/OaDjKm5zGRpDvHXDsMIUtlHfoi5ce8pocC63W05o
-FSXbUZjZ1VfYO8lT8DFANCzTkiXYaZx0cPRG2pVY4AOQZDNFt5XrAyvw496XCAIM
-DTYGFLjCqgjPt9RUFEy4MyHPJTEpB0x3rXgT4ILNu9vsj9Q0vttps7SpbZ3Ldq5H
-o/BBbLW77q/vNjpYzCbBIXF7ycUGpnNv9Go/WuiDnrBMcyxh+8kjjIHB5cxZSnjJ
-DUv681+m83v+gLZQGX/jexQrrf5JpS0X9qEnhGLrNUDhtyv5ud3Je4EfamkjLVVC
-RlNLofgflOCsl/tP80i+K7S1QdKhUALxuJ6H0prYUflGBDxDyC8XYuJ62TT0OUpa
-vJvgwVlCq8/jq+ykYQXlbuBVOzi5wAuI4l3+HqreSQYPSiwe+6N590Zbafdv1fvN
-WFtZKCTGMqfyaaAnppioH9/+NWkI2AQxaYVasYM/JEYvY9pJgA7alh51jHW4JglP
-ErypKfBKPKJID0QENqYoa3bDDCihuNWhgQf9dxzPlj2ckd35Zb6w4DfuSmtjaa9D
-o0jZVY1JbFuxBqP09+saVPrxLHgmPxjcdzPGQQtAqdO2vyJXNEGLFMoVEZPNaLo3
-QmcIJnT7oSck+4vGfOYtWUHXQynu/Tnwsv2XkA/uyw8HNe+RRMqv/apnzQARAQAB
-tCdTZXJnZWkgWmltbWVybWFuIDxzZXJnZWlAemltbWVybWFuLmZvbz6JAlEEEwEK
-ADsCGwEFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQVim9TDqIC5fZRYRMU+upj
-RI4d+QUCaUbsaAIZAQAKCRAU+upjRI4d+VdDD/492HRaJ/8V7R7VUzkafmb2Hb28
-SLf7oiB8Uq9I7SukiDEaIT1fUhquYWQ9KWpPRNR1TX6ApXnIeuJRMGFoDVIRnmnr
-cKnYYXfqqc81VxIyKvaumB7KWbS7G4Nbor8AH1ouOOOMMS50OTJOWQA4A26inIuG
-n+7L8MeS5aT+3uNKDoTKsidC47vnaxNMcke1taPfbfo7vn69PsRCM/g9/7TQYU8b
-6xp+pM9Ao9nJneRk2YCpsGYRrWTpaik0DFKnfpPKJM/yunhtGLF2IYAp3l1mvHPK
-nnzo92zjpQuZwazEIK+23V1vRT4IjM2BewbJPAzf2/UuxEjjgNQm0tOtH2JhFNeB
-VM0BVrGxWrrwrsmv6lWghTtBc6zRWyHrj/rpjtVQNmeKYrHWJeXwVz1rqgGPmB2N
-k0MZD1UjHHhEs1Cntn7yLmxTPztRJCtR+euRu81Uo2NAvrMJ4xsDjaM0LeLTnzjV
-9AsPjD188dOFyz7VExZum4+XaaEJ41FIPLEqU3U0GAa6stEy0ylSlIN4x9aiXXVW
-xfzHHchS5jK6QAjuZxN8t01GRactNylINRf7uoTECFZTtXNqfeuk0HQxBH0LuKVE
-0PxJbcNI4mVWw1KgTJ8PUVC1IXP3sEpqPdJOYiRXgnpcS26fWOBu0aQ4mhxiaJhr
-/zBfrkLEqp20TdNDZLkCDQRj7TM1ARAAt73xO24curnHTTgXkkVMMRzcMLx3Mb1a
-2FuddxC5hzTpEpw01L91UBrXVJEg9K2KAwP5CtCLgPCqXr47Tm7krvHxWwBksgY/
-6aHRsoPQfCFUZHc0aiO+C4NCzR+aEeGKn66Oc1Hq9oUTpDgiBWhsuEPiyA1OSGF0
-4L0jeTCqfm68kWp4PIK9yuugkdDsoyj6TonuMsb3V5ctHLqop9KH+eHSkUTPo+Lk
-+bxaeAOJ1UfbohgbRbrYKAfsaghhOMDH3R1w2pvtUJz+sDbuQsiPFTqbxsXDTFws
-H4N/AQCYnnvOhqEek2sOEZ19bJXt5UrAr10mX4PGmAkWqE1JWBxpOKG3BXSGOTu1
-3dFhQfPMK+PmvUrs0kcWQr53K/aRUdKKhIfTcMfkqYTGPK5HclHph24WjXj3QFFA
-SjksQTdm6486ZmLZK4CTbAFOPfTF/aWg8gu9v4ihdq6lqHNNXxv2xBAChcd59H7p
-D5zy9z8SpwWR9V5JDmlF6HWIIau1c6lSsQq1xHvYM8EuPe03vJvor+2u/cn5zYF1
-5ZxAuPI2i5vtavg1s8ZGAAogJ9dVcP36LdJfL9quXWvmovkd//qHIepBB+l/zQio
-ZRDZlIcfV3Xycaqsb5OqHGARHE0097koipMt5y/iXlqG4Ruue6Idb8bW96EKpaWj
-kKy/iNfQfQMAEQEAAYkEcgQYAQoAJgIbAhYhBBWKb1MOogLl9lFhExT66mNEjh35
-BQJpRuz3BQkJHCDCAkDBdCAEGQEKAB0WIQRK3hK0WyJ4BicGpcmpsLVXymMjJQUC
-Y+0zNQAKCRCpsLVXymMjJbdSD/9+f1FOOeGDAJI6Duo5fsWnf4xJJdtQtDbz6d2A
-SeDapxeJ3zWfKBD0wu5sISEa0uiWsYSmLtsa2SqVAKHlEaMGRR+tkBMPQ+rvgI4c
-62YjGTgm+IPd+NFIn+ixFU1hpinTh+KhUEoeOwWCvKs9nZfSG9vkienfiG0bBxo2
-zrvBzXA50x5hbUL+ghKu/AVfN9qZDwh30O4KZTwk4g4cM9SeaQa4YvHYIS3IEhDZ
-hGybwrrqV9cs92ln4IJw9WCy9QReBNrdeFgC4+3ziUp1QsG3RvqrtuMttwBVC1Z3
-bj5QjLLOREhhodfvk98t9yVkragObb4rGrLo1mWuF0c4mJGvXwnrqhCMvzv4M+0T
-Zdrmw6YpGkGOaOPghVuwoTtqSAkl+zFWIJS89jidvkYG3EqKAkgLKog/TQReCq13
-HWrF8cMck+Rf2K8k26q/RNZaA9ZUKjLExzz8lsWmd2C7rvkGLrlxnzxz0gGyNR3Q
-KK74vcPhqeABt2GSkHtEXZFFA9IVVzwlRWK3e0S+mVQnZVjNL+cBPn3/hZHMLesB
-CucyYZv+DxvT+JkYXBkGSw4s3hpABqGym7gdPUIa0q4rbBFG6xP5sLLBG4yru8vV
-2dyCMmFqRuxpT49uNfyQ6Vj+dobN6qHnP/9NwfzOixXYBHXR6LBqb/M+iCiJaaIn
-uiRLHwkQFPrqY0SOHfkQpA//W51vj8meuz7snRO+vZFcjLneFFzqfh1Jdz8IqDpO
-CkI5pBJmi8e0oSe6r68MkahiQLlYPwm7d+sjHvJhPWipNKWq/uwCgBs+Ac1lpPXR
-MwLbrZukcLMYlLmb2MrCKmjcMt0BZsZKBNYL3a3X9nHgwXdeqFYS4WQDMCCc09lz
-9YqfdoEsqRO4qN7D0hFqnwjOzb34ixZ6UO8a8ekY9QKxAgWc9fJWGMg6Pjdg4qsK
-nqymOIAdGVOJdoRM46wKGVBvbsF2gNfQU4XyzgJo5vHGFwJm6EoSnODlL5e2wsQh
-uN1oqBt/8ef/plloMEqVBweUBATqSqjRF6IhhYJvWVuQHQL1p1vnV9FebiVj34ir
-Z8ID+o0AnTJcclbUcDwannGJ0cuDcPhk/v/ahVuoMERCi12qnMBo5B/e6Omyh1yB
-4pbf4GATGGQipDQG75eC/kP2GQEqJP5WYN0Ar8Le/AA/2xyL7upW0yIByyXCwGEb
-JRwEgU3+bPyu58bFt8Pftit6J7rA3oBVVMOPrYH5eZwRaj5m2RptwKGL6BfHnhNv
-ZqmCq9EBGX6L1NI0xHMjEFfXJ8jU01XdfG8nCqkwqsHwslXLhqjJphfHcx89YwbV
-/15GCuURAv1cKe/7277sOhcvP/QpQqSWgvYExHw8PeFJcTYtF2NrRgNwcQsWS1Rj
-gXa5Ag0EY+0zcAEQANC5N6kSfezuucAgi+X3BD+MT37mxQyvICSggEJf1LDSmy0+
-bnvD7setL8CP9etTA2fcVNYKI1oboMyhoCnsRP2jDdv1iXOI/hZg4wSb/D1yUkae
-fUpxv3Wuci2QKavH2MfraDD7BFMbsQeMcHtn4Rk216T6jndZHnzT1Ih7iX0XeQPb
-li5fojOiZssgWAVT4HPXFCJB6lI35Hjp35oRYwrtMmu5INinZ79n9h1igGtt1ItZ
-b7rQKNd772Jxcn4UU71ovORSL/xT5i5sxZ+evQOxkpqUAokMOFaoHcOXLmA1NsFv
-yryXHK4Ioq9ap2jKlLTWkJWjua9JZ4AmKhbvT8X4ELxIKSCAdJKAWP8ZHbXNu5MD
-aznyzZQLxSO7uFvu356De75mI5iohZNj5wB5Wju71pBiorTKVj4+iJ4e+xVIzFdG
-hFC0DehNcl2t9w/y8qHwIQ1yUAjXHLXq0/2jsVeH6bU5q/MsgvUP1jcFe0eyOpxy
-CDvyFdzZFbI57TnB/fvcZTRZ5ewXMFpH8gzuoFzAjUAP95UjYKgaGdrNPNIy28Ii
-4zhvdghei2+n9jgiMfcGQg8lyfH5yF0vWWWynX0KcJsRwEZoL2EauVdwq4PcYOoU
-pQFhpcreCjD4LdZ4yRU4InbhcUogXjrQ9Dz01TbPmQD5b5iso21bCEFBXrhzABEB
-AAGJAjwEGAEKACYCGwwWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwg
-hwAKCRAU+upjRI4d+X/XD/sH5xvHPfTJq52v8weFmB52up+DzqG2lyhGdoUQ1Muw
-dRDLTLXLJrFdfpoOo7/j4Scr0rdc7/dpCn0DLcPuCoPxu+SkjEnVehFmZrGSv7Ga
-x9dHr3DBh42fdlX/U/EnDuyosY0JU1gNF2/6FIA+bTTOFE3RxfN906RjslYQDjMZ
-UAlSeLYHOZofdltI0YIr32vrxgdWQGZXPxU4XusDUc0z163OO+TGg7iUNWFZP5Qj
-ubM7e0YbDX0NPIshk8us99YJmrWnhaix1/W5ryO3DXiGaQ7XFi9u7QofRqvRIctg
-QXavdepkzJow9V9qpMECAJePIuICq7rm+xy+njjbuF436W7390bfVBwRr+FPADsl
-jgQP4KvY5rykss30kheom8wNEbveWkhH5oTfH9b7O4KXJfpfJzrlgOWp2BD9JL8t
-/M4HvFXTr2a75H/QbHK5OFrZeGATuv9OTxv7EZvnrPXU+DYTFldpu7TrNNqKCoj3
-ZyXmc3Hhg5kskDhfHJppaeOayuhMOpT3ud1MFzROY5SLVIH8rBR12KUgsCUYQcGs
-Iy0+0QvEGkjb4cAH1NK3VlbqVNsy1RmqRt2B28R2ueewDfTOoqkzt4MmzLqTdnAx
-mTqmHmkEKhEf3K4MRNUPO2yieUg2COk5l6x9HhAnoxxeOZrTmcMsPY/UViG2HEPm
-ybkCDQRj7TRDARAA9DZuKdfKq4Bs2+NwxC0aplljWOl8VIsEVg+Q8agD7/HU6/b6
-Dry0njtWybn2x6Axf/nUdeOC01Fi1lmht/fpj6mRkgAvd/V6P10xnsUoykPSDSTh
-P25MFFGW3JAA82bwdJ4AJpEQvTZG2nTb3237vlBiI1qHQrac8GYkju2O4UfySRN6
-7cyi7bMf2pjWBBOEhaNy4b6CMDsb32P/N5J7sTE/TXgrS+u4ITIgjzSrkUkh5Z+B
-8QVRa7xPIDZJdvZWTEXWu5fgRPZvxbr154GIkWJkFzlDoB1UcO56/uzRUuKhEV6o
-HW3LMUuWdPMjpHpq8hrL0G2rDniJFUtbDFzHdZK1LUU3T2BJM8rjI3D/euph+IDT
-27vl5qo72zCYE/iKzx4FMLZcQvx1kUAxkPX8l+dzZEwKeRIIpFDxQvatRtl+z0bM
-jbkpDb+Yjv66sC4dYRpgTTGX6rok0PWHR3IxDNzyf2j8zQ4LFJ+rVBM1GjGSt6mG
-j9TeL8CVeiSp4SuJ7I/FJVPHsKb50m+BDzeB31qTydNqh2kKr0DVAUa+TUsCr7e0
-OYr8WE2adJcRXIW0qw50xXF+W7/05GqSCVD0dpeOUdBTQTsSkQmM3/0hcj9aVo9e
-UDCM9RF0WRqiDAoHzJFfg+ztamkQI5HO6CklC4Ok22qrHRf6HDNYSuT6QFkAEQEA
-AYkCPQQYAQoAJwMbIAQWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwf
-tAAKCRAU+upjRI4d+Y+cD/9yllG6uo934pcHNsVppZBfREFwSc8ywlbosCuSVpay
-PjSqgrWwDrnqrsk0F2kUdC6rR3BIcXbn+lA9KqylH+cCXAJCkh8EDq6TlQ7Lt5EV
-w1U0MAMXOyxPwDymQ/BO+iDyjXWkRRYgbF5XiFhCfGeuKyhkhACisAgNZ1uA1P5k
-0SJYc14YfEhQkB46Y20SpfVHRsQ46FyNB6GHbmTmfoO8La8VTh++7GBdh85HfvkG
-VNQ3wpi5oXsOLN9+MJOezc0XsW2LQsKQj1/J7QKzGh+lxN5cemsA5aqPzh8dyxeT
-0lYRFp4AHkimqGUomVpRkbegMIPxXqOE+ZAmsddErw0UtmrKxcmMptOJwNgYzEgu
-++2vtqerL/NYp+wsdcWaBjCz2F3NiwHgNli7NSB/FPwucZZ5gN5C4SnmeFzrGdHg
-Oy+tQUN6ayQKljHeBO7CjMlsFNo/dcVrEMa1ShxBMqlj/6ivoEhktLz0Nru4FwNU
-xE5SJYDYfpjD7Ws8y4LoXgWXjFHrMO6N9GzqLN/e8LT7I+w4ps2MrgJ8QSrelmQ3
-rjkxp3uWp5v2lqy4rLfpi9iB6zIAeoN2eU1yOM9joxOYMxKYaYeYyP1Mm90wFol8
-LcTSaN+tVniPddBiL6zvsGBEMbCR9XN3EQ+mErbuw5ovWBOCrr+dvN3FxvD11y4J
-7w==
-=mXYP
-----END PGP PUBLIC KEY BLOCK-----
--- a/maintainers/keys/B541D55301270E0BCF15CA5D8170B4726D7198DE.asc
+++ b/maintainers/keys/B541D55301270E0BCF15CA5D8170B4726D7198DE.asc
@@ -1,51 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBFZu2zwBCADfatenjH3cvhlU6AeInvp4R0JmPBG942aghFj1Qh57smRcO5Bv
-y9mqrX3UDdmVvu58V3k1k9/GzPnAG1t+c7ohdymv/AMuNY4pE2sfxx7bX+mncTHX
-5wthipn8kTNm4WjREjCJM1Bm5sozzEZetED3+0/dWlnHl8b38evnLsD+WbSrDPVp
-o6M6Eg9IfMwTfcXzdmLmSnGolBWDQ9i1a0x0r3o+sDW5UTnr7jVP+zILcnOZ1Ewl
-Rn9OJ4Qg3ULM7WTMDYpKH4BO7RLR3aJgmsFAHp17vgUnzzFBZ10MCS3UOyUNoyph
-xo3belf7Q9nrHcSNbqSeQuBnW/vafAZUreAlABEBAAG0IkVlbGNvIERvbHN0cmEg
-PGVkb2xzdHJhQGdtYWlsLmNvbT6JATwEEwEIACYCGyMHCwkIBwMCAQYVCAIJCgsE
-FgIDAQIeAQIXgAUCVm7etAIZAQAKCRCBcLRybXGY3q51B/96qt41tmcDSzrj/UTl
-O6rErfW5zFvVsJTZ95Duwu87t/DVhw5lKBQcjALqVddufw1nMzyN/tSOMVDW8xe4
-wMEdcU4+QAMzNX80enuyinsw1glxfLcK0+VbTvqNIfw0sG3MjPqNs6cK2VRfMHK4
-paJjytBVICszNX9TfjLyIpKKoSSo1vqnT47LDZ5GIMy7l9Cs2sO/rqQHSPcR79yz
-8m8tbHpDDEMZmJeklckKP2QoiqnHiIvlisDxLclYnUmNaPdaN/f++qZz5Yqvu1n+
-sNUBA5eLaZH64Uy2SwtABxO3JPJ8nQ2+SFZ7ocFm4Gcdv4aM+Ura9S6fvM91tEJp
-yAQOiQE5BBMBCAAjBQJWbts8AhsjBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AA
-CgkQgXC0cm1xmN6sIAgAielxO8zJREqEkA2xudg/o4e9ZlNZ3X1NvY8OzJH/qlB2
-SmwKqwifhtbC1K0uavXA7eaxdtd2zrI+Yq7IooUyv7juMjHTZhLcFbR5iVkQ4Mfp
-JmeHXJ/ChYKxD5mMj/C3WbCZ91oCSNZ6Iyi5fvQj/691OC4q+y/2NEUcOI8D8cw8
-XKHbKtceFYc+nZmdOv3ZZrNTSN/kszGViNNLKgnpPdDVPtLp+vjXtbmitiFG2HL/
-WfbJ+3Gh2Yr1Vy3O9dWKH++e1AmIv7WWqmUjRFVpqC/wr7/BLaScWT8WKF5vkshU
-gq8Ez1/cuizsgs3wQIZWgXKQK5njvwnbKg+Zmh/uGbQmRWVsY28gRG9sc3RyYSA8
-ZWVsY28uZG9sc3RyYUB0d2VhZy5pbz6JAU4EEwEIADgWIQS1QdVTAScOC88Vyl2B
-cLRybXGY3gUCXELt4gIbIwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCBcLRy
-bXGY3ujFCADfS5D1xHU8KH6TpqgssSggYVq62Wwn/Ga+4XPPetM+ajcXagyH6SwB
-mxlHICcnv9xC93ryiTI10P1ADJl+aBsI66wEdHBU+ty4RTDy4JZNUPtmRCk9LhSc
-mtUO3ry/wtWkRLdJxP49hg7BbQvWoU0M6WODp7SJjPKPWNX64mzHBeOuy+DqGCbM
-lpGNCvW8ahU/ewbm7+xwWmzqLDoWzXjHsdF4QdzMVM/vkAgWEP4y0wEqFASzIYaR
-GNEkBWU4OQVq5Bdm9+wWWAgsbM0FJAQl0GDqnz4QxWzxxCAAXdbh9F5ffafWYsA9
-bise4ZQLkvYo6iUnrcFm4dtZbT8iL3gptCtFZWxjbyBEb2xzdHJhIDxlZWxjby5k
-b2xzdHJhQGxvZ2ljYmxveC5jb20+iQE5BBMBCAAjBQJWbt6nAhsjBwsJCAcDAgEG
-FQgCCQoLBBYCAwECHgECF4AACgkQgXC0cm1xmN4b/wf8DApMV/jSPEpibekrUPQu
-Ye3Z8cxBQuRm/nOPowtPEH/ShAevrCdRiob2nuEZWNoqZ2e5/+6ud07Hs9bslvco
-cDv1jeY1dof1idxfKhH3kfSpuD2XJhuzQBxBqOrIlCS/rdnW+Y9wOGD7+bs9QpcA
-IyAeQGLLkfggAxaGYQ2Aev8pS7i3a/+lOWbFhcTe02I49KemCOJqBorG5FfILLNr
-DjO3EoutNGpuz6rZvc/BlymphWBoAdUmxgoObr7NYWgw9pI8WeE6C7bbSOO7p5aQ
-spWXU7Hm17DkzsVDpaJlyClllqK+DdKza5oWlBMe/P02jD3Y+0P/2rCCyQQwmH3D
-RbkBDQRWbts8AQgA0g556xc08dH5YNEjbCwEt1j+XoRnV4+GfbSJIXOl9joIgzRC
-4IaijvL8+4biWvX7HiybfvBKto0XB1AWLZRC3jWKX5p74I77UAcrD+VQ/roWQqlJ
-BKbiQMlRYEsj/5Xnf72G90IP4DAFKvNl+rLChe+jUySA91BCtrYoP75Sw1BE9Cyz
-xEtm4WUzKAJdXI+ZTBttA2Nbqy+GSuzBs7fSKDwREJaZmVrosvmns+pQVG4WPWf4
-0l4mPguDQmZ9wSWZvBDkpG7AgHYDRYRGkMbAGsVfc6cScN2VsSTa6cbeeAEowKxM
-qx9RbY3WOq6aKAm0qDvow1nl7WwXwe8K0wQxfQARAQABiQEfBBgBCAAJBQJWbts8
-AhsMAAoJEIFwtHJtcZjeuAAH/0YNz2Qe1IAEO5oqEZNFOccL4KxVPrBhWUen83/b
-C6PjOnOqv6q5ztAcms88WIKxBlfzIfq+dzJcbKVS/H7TEXgcaC+7EYW8sJVEsipN
-BtEZ3LQNJ5coDjm7WZygniah1lfXNuiritAXduK5FWNNndqGArEaeZ8Shzdo/Uyi
-b9lOsBIL6xc2ZcnX5f+rTu02LCEtEb0FwCycZLEWYf8hG4k8uttIOZOC+CLk/k8d
-kBmPikMwUVTTV0CdT1cemQKdTaoAaK+kurF6FYXwcnjhRlHrisSt/tVMEwTw4LUM
-3MYf6qfjjvE4HlDwZal8th7ccoQp/flfJIuRv85xCcKK+PI=
-=u5cX
-----END PGP PUBLIC KEY BLOCK-----
--- a/maintainers/keys/README.md
+++ b/maintainers/keys/README.md
@@ -1,13 +0,0 @@
-# Maintainer GPG Keys
-
-Release tags are signed by members of the [Nix maintainer team](https://nixos.org/community/teams/nix/) as part of the [release process](../release-process.md). This directory contains the public GPG keys used for signing.
-
-## Keys
-
- **Eelco Dolstra**
-  GPG Fingerprint: `B541 D553 0127 0E0B CF15 CA5D 8170 B472 6D71 98DE`
-
- **Sergei Zimmerman**
-  GPG Fingerprint: [`158A 6F53 0EA2 02E5 F651 6113 14FA EA63 448E 1DF9`](https://keys.openpgp.org/vks/v1/by-fingerprint/158A6F530EA202E5F651611314FAEA63448E1DF9)
-
-<!-- TODO: Add keys for other Nix team members -->
--- a/maintainers/release-notes-todo
+++ b/maintainers/release-notes-todo
@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+# debug:
+# set -x
+
+START_REF="${1}"
+END_REF="${2:-upstream/master}"
+
+# Get the merge base
+MERGE_BASE=$(git merge-base "$START_REF" "$END_REF")
+unset START_REF
+
+# Get date range
+START_DATE=$(git show -s --format=%cI "$MERGE_BASE")
+END_DATE=$(git show -s --format=%cI "$END_REF")
+
+echo "Checking PRs merged between $START_DATE and $END_DATE" >&2
+
+# Get all commits between merge base and HEAD
+COMMITS=$(git rev-list "$MERGE_BASE..$END_REF")
+
+# Convert to set for fast lookup
+declare -A commit_set
+for commit in $COMMITS; do
+    commit_set["$commit"]=1
+done
+
+# Get the current changelog
+LOG_DONE="$(changelog-d doc/manual/rl-next)"
+is_done(){
+    local nr="$1"
+    echo "$LOG_DONE" | grep -E "^- .*/pull/$nr)"
+}
+
+# Query merged PRs in date range
+gh pr list \
+    --repo NixOS/nix \
+    --state merged \
+    --limit 1000 \
+    --json number,title,author,mergeCommit \
+    --search "merged:$START_DATE..$END_DATE" | \
+jq -r '.[] | [.number, .mergeCommit.oid, .title, .author.login] | @tsv' | \
+while IFS=$'\t' read -r pr_num merge_commit _title author; do
+    # Check if this PR's merge commit is in our branch
+    if [[ -n "${commit_set[$merge_commit]:-}" ]]; then
+        # Full detail, not suitable for comment due to mass ping and duplicate title
+        # echo "- #$pr_num $_title (@$author)"
+        echo "- #$pr_num ($author)"
+        if is_done "$pr_num"
+        then
+            echo "  - [x] has note"
+        else
+            echo "  - [ ] has note"
+        fi
+        echo "  - [ ] skip"
+    fi
+done
--- a/maintainers/release-process.md
+++ b/maintainers/release-process.md
@@ -5,11 +5,11 @@
 The release process is intended to create the following for each
 release:

-* A signed Git tag (public keys in `maintainers/keys/`)
+* A Git tag

 * Binary tarballs in https://releases.nixos.org/?prefix=nix/

-* Docker images (arm64 and amd64 variants, uploaded to DockerHub and GHCR)
+* Docker images

 * Closures in https://cache.nixos.org

@@ -24,6 +24,12 @@ release:
 * In a checkout of the Nix repo, make sure you're on `master` and run
  `git pull`.

+* Compile a release notes to-do list by running
+
+  ```console
+  $ ./maintainers/release-notes-todo PREV_RELEASE HEAD
+  ```
+
 * Compile the release notes by running

  ```console
@@ -98,17 +104,21 @@ release:
  evaluation ID (e.g. `1780832` in
  `https://hydra.nixos.org/eval/1780832`).

-* Tag the release:
+* Tag the release and upload the release artifacts to
+  [`releases.nixos.org`](https://releases.nixos.org/) and [Docker Hub](https://hub.docker.com/):

  ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
  ```

  Note: `IS_LATEST=1` causes the `latest-release` branch to be
  force-updated. This is used by the `nixos.org` website to get the
  [latest Nix manual](https://nixos.org/manual/nixpkgs/unstable/).

-* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
+  TODO: This script requires the right AWS credentials. Document.
+
+  TODO: This script currently requires a
+  `/home/eelco/Dev/nix-pristine`.

  TODO: trigger nixos.org netlify: https://docs.netlify.com/configure-builds/build-hooks/

@@ -123,6 +133,8 @@ release:

  Commit and push this to the maintenance branch.

+* Create a backport label.
+
 * Bump the version of `master`:

  ```console
@@ -130,6 +142,7 @@ release:
  $ git pull
  $ NEW_VERSION=2.13.0
  $ echo $NEW_VERSION > .version
+  $ ... edit .mergify.yml to add the previous version ...
  $ git checkout -b bump-$NEW_VERSION
  $ git commit -a -m 'Bump version'
  $ git push --set-upstream origin bump-$NEW_VERSION
@@ -137,10 +150,6 @@ release:

  Make a pull request and auto-merge it.

-* Create a backport label.
-
-* Add the new backport label to `.mergify.yml`.
-
 * Post an [announcement on Discourse](https://discourse.nixos.org/c/announcements/8), including the contents of
  `rl-$VERSION.md`.

@@ -173,18 +182,16 @@ release:
 * Wait for the desired evaluation of the maintenance jobset to finish
  building.

-* Tag the release
+* Run

  ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
  ```

  Omit `IS_LATEST=1` when creating a point release that is not on the
  most recent stable branch. This prevents `nixos.org` to going back
  to an older release.

-* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
-
 * Bump the version number of the release branch as above (e.g. to
  `2.12.2`).

--- a/maintainers/upload-release.pl
+++ b/maintainers/upload-release.pl
@@ -1,8 +1,7 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i perl -p awscli2 perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 perlPackages.GetoptLongDescriptive gnupg1
+#! nix-shell -i perl -p perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 gnupg1

 use strict;
-use Getopt::Long::Descriptive;
 use Data::Dumper;
 use File::Basename;
 use File::Path;
@@ -14,30 +13,7 @@ use Net::Amazon::S3;

 delete $ENV{'shell'}; # shut up a LWP::UserAgent.pm warning

-my ($opt, $usage) = describe_options(
-    '%c %o <eval-id>',
-    [ 'skip-docker',      'Skip Docker image upload' ],
-    [ 'skip-git',         'Skip Git tagging' ],
-    [ 'skip-s3',          'Skip S3 upload' ],
-    [ 'docker-owner=s',   'Docker image owner', { default => 'nixos/nix' } ],
-    [ 'project-root=s',   'Pristine git repository path' ],
-    [ 's3-endpoint=s',    'Custom S3 endpoint' ],
-    [ 's3-host=s',        'S3 host', { default => 's3-eu-west-1.amazonaws.com' } ],
-    [],
-    [ 'help|h',           'Show this help message', { shortcircuit => 1 } ],
-    [],
-    [ 'Environment variables:' ],
-    [ 'AWS_ACCESS_KEY_ID' ],
-    [ 'AWS_SECRET_ACCESS_KEY' ],
-    [ 'AWS_SESSION_TOKEN   For OIDC' ],
-    [ 'IS_LATEST           Set to "1" to mark as latest release' ],
-);
-
-print($usage->text), exit if $opt->help;
-
-my $evalId = $ARGV[0] or do { print STDERR $usage->text; exit 1 };
-
-die "--project-root is required unless --skip-git is specified\n" unless $opt->skip_git || $opt->project_root;
+my $evalId = $ARGV[0] or die "Usage: $0 EVAL-ID\n";

 my $releasesBucketName = "nix-releases";
 my $channelsBucketName = "nix-channels";
@@ -86,38 +62,25 @@ File::Path::make_path($narCache);
 my $binaryCache = "https://cache.nixos.org/?local-nar-cache=$narCache";

 # S3 setup.
-my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'};
-my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'};
-my $aws_session_token = $ENV{'AWS_SESSION_TOKEN'};
+my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die "No AWS_ACCESS_KEY_ID given.";
+my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die "No AWS_SECRET_ACCESS_KEY given.";

-my ($s3, $releasesBucket, $s3_channels, $channelsBucket);
+my $s3 = Net::Amazon::S3->new(
+    { aws_access_key_id     => $aws_access_key_id,
+      aws_secret_access_key => $aws_secret_access_key,
+      retry                 => 1,
+      host                  => "s3-eu-west-1.amazonaws.com",
+    });

-unless ($opt->skip_s3) {
-    $aws_access_key_id or die "No AWS_ACCESS_KEY_ID given.";
-    $aws_secret_access_key or die "No AWS_SECRET_ACCESS_KEY given.";
+my $releasesBucket = $s3->bucket($releasesBucketName) or die;

-    $s3 = Net::Amazon::S3->new(
-        { aws_access_key_id     => $aws_access_key_id,
-          aws_secret_access_key => $aws_secret_access_key,
-          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
-          retry                 => 1,
-          host                  => $opt->s3_host,
-          secure                => ($opt->s3_endpoint && $opt->s3_endpoint =~ /^http:/) ? 0 : 1,
-        });
+my $s3_us = Net::Amazon::S3->new(
+    { aws_access_key_id     => $aws_access_key_id,
+      aws_secret_access_key => $aws_secret_access_key,
+      retry                 => 1,
+    });

-    $releasesBucket = $s3->bucket($releasesBucketName) or die;
-
-    $s3_channels = Net::Amazon::S3->new(
-        { aws_access_key_id     => $aws_access_key_id,
-          aws_secret_access_key => $aws_secret_access_key,
-          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
-          retry                 => 1,
-          $opt->s3_endpoint ? (host => $opt->s3_host) : (),
-          $opt->s3_endpoint ? (secure => ($opt->s3_endpoint =~ /^http:/) ? 0 : 1) : (),
-        });
-
-    $channelsBucket = $s3_channels->bucket($channelsBucketName) or die;
-}
+my $channelsBucket = $s3_us->bucket($channelsBucketName) or die;

 sub getStorePath {
    my ($jobName, $output) = @_;
@@ -152,12 +115,11 @@ sub copyManual {
        File::Path::remove_tree("$tmpDir/manual.tmp", {safe => 1});
    }

-    my $awsEndpoint = $opt->s3_endpoint ? "--endpoint-url " . $opt->s3_endpoint : "";
-    system("aws $awsEndpoint s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
+    system("aws s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
        or die "syncing manual to S3\n";
 }

-copyManual unless $opt->skip_s3;
+copyManual;

 sub downloadFile {
    my ($jobName, $productNr, $dstName) = @_;
@@ -196,12 +158,30 @@ sub downloadFile {
    return $sha256_expected;
 }

-# Upload docker images.
+downloadFile("binaryTarball.i686-linux", "1");
+downloadFile("binaryTarball.x86_64-linux", "1");
+downloadFile("binaryTarball.aarch64-linux", "1");
+downloadFile("binaryTarball.x86_64-darwin", "1");
+downloadFile("binaryTarball.aarch64-darwin", "1");
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
+};
+warn "$@" if $@;
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
+};
+warn "$@" if $@;
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
+};
+warn "$@" if $@;
+downloadFile("installerScript", "1");
+
+# Upload docker images to dockerhub.
 my $dockerManifest = "";
 my $dockerManifestLatest = "";
 my $haveDocker = 0;

-unless ($opt->skip_docker) {
 for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
    my $system = $platforms->[0];
    my $dockerPlatform = $platforms->[1];
@@ -215,8 +195,8 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
    print STDERR "loading docker image for $dockerPlatform...\n";
    system("docker load -i $tmpDir/$fn") == 0 or die;

-    my $tag = $opt->docker_owner . ":$version-$dockerPlatform";
-    my $latestTag = $opt->docker_owner . ":latest-$dockerPlatform";
+    my $tag = "nixos/nix:$version-$dockerPlatform";
+    my $latestTag = "nixos/nix:latest-$dockerPlatform";

    print STDERR "tagging $version docker image for $dockerPlatform...\n";
    system("docker tag nix:$version $tag") == 0 or die;
@@ -239,94 +219,68 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
 }

 if ($haveDocker) {
-    my $dockerOwner = $opt->docker_owner;
    print STDERR "creating multi-platform docker manifest...\n";
-    system("docker manifest rm $dockerOwner:$version");
-    system("docker manifest create $dockerOwner:$version $dockerManifest") == 0 or die;
+    system("docker manifest rm nixos/nix:$version");
+    system("docker manifest create nixos/nix:$version $dockerManifest") == 0 or die;
    if ($isLatest) {
        print STDERR "creating latest multi-platform docker manifest...\n";
-        system("docker manifest rm $dockerOwner:latest");
-        system("docker manifest create $dockerOwner:latest $dockerManifestLatest") == 0 or die;
+        system("docker manifest rm nixos/nix:latest");
+        system("docker manifest create nixos/nix:latest $dockerManifestLatest") == 0 or die;
    }

    print STDERR "pushing multi-platform docker manifest...\n";
-    system("docker manifest push $dockerOwner:$version") == 0 or die;
+    system("docker manifest push nixos/nix:$version") == 0 or die;

    if ($isLatest) {
        print STDERR "pushing latest multi-platform docker manifest...\n";
-        system("docker manifest push $dockerOwner:latest") == 0 or die;
+        system("docker manifest push nixos/nix:latest") == 0 or die;
    }
 }
-}

+# Upload nix-fallback-paths.nix.
+write_file("$tmpDir/fallback-paths.nix",
+    "{\n" .
+    "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
+    "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
+    "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
+    "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
+    "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
+    "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
+    "}\n");

 # Upload release files to S3.
-unless ($opt->skip_s3) {
-    downloadFile("binaryTarball.i686-linux", "1");
-    downloadFile("binaryTarball.x86_64-linux", "1");
-    downloadFile("binaryTarball.aarch64-linux", "1");
-    downloadFile("binaryTarball.x86_64-darwin", "1");
-    downloadFile("binaryTarball.aarch64-darwin", "1");
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
-    };
-    warn "$@" if $@;
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
-    };
-    warn "$@" if $@;
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
-    };
-    warn "$@" if $@;
-    downloadFile("installerScript", "1");
+for my $fn (glob "$tmpDir/*") {
+    my $name = basename($fn);
+    next if $name eq "manual";
+    my $dstKey = "$releaseDir/" . $name;
+    unless (defined $releasesBucket->head_key($dstKey)) {
+        print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";

-    # Upload nix-fallback-paths.nix.
-    write_file("$tmpDir/fallback-paths.nix",
-        "{\n" .
-        "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
-        "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
-        "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
-        "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
-        "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
-        "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
-        "}\n");
+        my $configuration = ();
+        $configuration->{content_type} = "application/octet-stream";

-    for my $fn (glob "$tmpDir/*") {
-        my $name = basename($fn);
-        next if $name eq "manual";
-        my $dstKey = "$releaseDir/" . $name;
-        unless (defined $releasesBucket->head_key($dstKey)) {
-            print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";
-
-            my $configuration = ();
-            $configuration->{content_type} = "application/octet-stream";
-
-            if ($fn =~ /.sha256|install|\.nix$/) {
-                $configuration->{content_type} = "text/plain";
-            }
-
-            $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
-                or die $releasesBucket->err . ": " . $releasesBucket->errstr;
+        if ($fn =~ /.sha256|install|\.nix$/) {
+            $configuration->{content_type} = "text/plain";
        }
-    }

-    # Update the "latest" symlink.
-    $channelsBucket->add_key(
-        "nix-latest/install", "",
-        { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
-        or die $channelsBucket->err . ": " . $channelsBucket->errstr
-        if $isLatest;
+        $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
+            or die $releasesBucket->err . ": " . $releasesBucket->errstr;
+    }
 }

+# Update the "latest" symlink.
+$channelsBucket->add_key(
+    "nix-latest/install", "",
+    { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
+    or die $channelsBucket->err . ": " . $channelsBucket->errstr
+    if $isLatest;
+
 # Tag the release in Git.
-unless ($opt->skip_git) {
-    chdir($opt->project_root) or die "Cannot chdir to " . $opt->project_root . ": $!";
-    system("git remote update origin") == 0 or die;
-    system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
-    system("git push origin refs/tags/$version") == 0 or die;
-    system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;
-}
+chdir("/home/eelco/Dev/nix-pristine") or die;
+system("git remote update origin") == 0 or die;
+system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
+system("git push --tags") == 0 or die;
+system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;

 File::Path::remove_tree($narCache, {safe => 1});
 File::Path::remove_tree($tmpDir, {safe => 1});
--- a/packaging/dependencies.nix
+++ b/packaging/dependencies.nix
@@ -10,8 +10,27 @@
  stdenv,
 }:

+let
+  prevStdenv = stdenv;
+in
+
 let
  inherit (pkgs) lib;
+
+  stdenv = if prevStdenv.isDarwin && prevStdenv.isx86_64 then darwinStdenv else prevStdenv;
+
+  # Fix the following error with the default x86_64-darwin SDK:
+  #
+  #     error: aligned allocation function of type 'void *(std::size_t, std::align_val_t)' is only available on macOS 10.13 or newer
+  #
+  # Despite the use of the 10.13 deployment target here, the aligned
+  # allocation function Clang uses with this setting actually works
+  # all the way back to 10.6.
+  # NOTE: this is not just a version constraint, but a request to make Darwin
+  #       provide this version level of support. Removing this minimum version
+  #       request will regress the above error.
+  darwinStdenv = pkgs.overrideSDK prevStdenv { darwinMinVersion = "10.13"; };
+
 in
 scope: {
  inherit stdenv;
@@ -54,9 +73,19 @@ scope: {
    nativeBuildInputs = prevAttrs.nativeBuildInputs ++ [ pkgs.buildPackages.bmake ];
    postInstall =
      lib.replaceStrings [ "lowdown.so.1" "lowdown.1.dylib" ] [ "lowdown.so.2" "lowdown.2.dylib" ]
-        (prevAttrs.postInstall or "");
+        prevAttrs.postInstall;
  });

+  toml11 = pkgs.toml11.overrideAttrs rec {
+    version = "4.4.0";
+    src = pkgs.fetchFromGitHub {
+      owner = "ToruNiina";
+      repo = "toml11";
+      tag = "v${version}";
+      hash = "sha256-sgWKYxNT22nw376ttGsTdg0AMzOwp8QH3E8mx0BZJTQ=";
+    };
+  };
+
  # TODO Hack until https://github.com/NixOS/nixpkgs/issues/45462 is fixed.
  boost =
    (pkgs.boost.override {
--- a/src/libcmd/installable-flake.cc
+++ b/src/libcmd/installable-flake.cc
@@ -105,8 +105,8 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()

    std::optional<NixInt::Inner> priority;

-    if (attr->maybeGetAttr(state->sOutputSpecified)) {
-    } else if (auto aMeta = attr->maybeGetAttr(state->sMeta)) {
+    if (attr->maybeGetAttr(state->s.outputSpecified)) {
+    } else if (auto aMeta = attr->maybeGetAttr(state->s.meta)) {
        if (auto aPriority = aMeta->maybeGetAttr("priority"))
            priority = aPriority->getInt().value;
    }
@@ -119,12 +119,12 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()
                    overloaded{
                        [&](const ExtendedOutputsSpec::Default & d) -> OutputsSpec {
                            StringSet outputsToInstall;
-                            if (auto aOutputSpecified = attr->maybeGetAttr(state->sOutputSpecified)) {
+                            if (auto aOutputSpecified = attr->maybeGetAttr(state->s.outputSpecified)) {
                                if (aOutputSpecified->getBool()) {
                                    if (auto aOutputName = attr->maybeGetAttr("outputName"))
                                        outputsToInstall = {aOutputName->getString()};
                                }
-                            } else if (auto aMeta = attr->maybeGetAttr(state->sMeta)) {
+                            } else if (auto aMeta = attr->maybeGetAttr(state->s.meta)) {
                                if (auto aOutputsToInstall = aMeta->maybeGetAttr("outputsToInstall"))
                                    for (auto & s : aOutputsToInstall->getListOfStrings())
                                        outputsToInstall.insert(s);
--- a/src/libcmd/repl.cc
+++ b/src/libcmd/repl.cc
@@ -669,7 +669,7 @@ ProcessLineResult NixRepl::processLine(std::string line)
                ss << "No documentation found.\n\n";
            }

-            auto markdown = ss.view();
+            auto markdown = toView(ss);
            logger->cout(trim(renderMarkdownToTerminal(markdown)));

        } else
--- a/src/libexpr-c/nix_api_expr.cc
+++ b/src/libexpr-c/nix_api_expr.cc
@@ -40,6 +40,8 @@ static T * unsafe_new_with_self(F && init)
    return new (p) T(init(static_cast<T *>(p)));
 }

+extern "C" {
+
 nix_err nix_libexpr_init(nix_c_context * context)
 {
    if (context)
@@ -287,3 +289,5 @@ void nix_gc_register_finalizer(void * obj, void * cd, void (*finalizer)(void * o
    GC_REGISTER_FINALIZER(obj, finalizer, cd, 0, 0);
 #endif
 }
+
+} // extern "C"
--- a/src/libexpr-c/nix_api_expr_internal.h
+++ b/src/libexpr-c/nix_api_expr_internal.h
@@ -8,6 +8,8 @@
 #include "nix_api_value.h"
 #include "nix/expr/search-path.hh"

+extern "C" {
+
 struct nix_eval_state_builder
 {
    nix::ref<nix::Store> store;
@@ -61,4 +63,6 @@ struct nix_realised_string
    std::vector<StorePath> storePaths;
 };

+} // extern "C"
+
 #endif // NIX_API_EXPR_INTERNAL_H
--- a/src/libexpr-c/nix_api_external.cc
+++ b/src/libexpr-c/nix_api_external.cc
@@ -14,6 +14,8 @@

 #include <nlohmann/json.hpp>

+extern "C" {
+
 void nix_set_string_return(nix_string_return * str, const char * c)
 {
    str->str = c;
@@ -40,6 +42,8 @@ nix_err nix_external_add_string_context(nix_c_context * context, nix_string_cont
    NIXC_CATCH_ERRS
 }

+} // extern "C"
+
 class NixCExternalValue : public nix::ExternalValueBase
 {
    NixCExternalValueDesc & desc;
@@ -170,6 +174,8 @@ public:
    virtual ~NixCExternalValue() override {};
 };

+extern "C" {
+
 ExternalValue * nix_create_external_value(nix_c_context * context, NixCExternalValueDesc * desc, void * v)
 {
    if (context)
@@ -198,3 +204,5 @@ void * nix_get_external_value_content(nix_c_context * context, ExternalValue * b
    }
    NIXC_CATCH_ERRS_NULL
 }
+
+} // extern "C"
--- a/src/libexpr-c/nix_api_value.cc
+++ b/src/libexpr-c/nix_api_value.cc
@@ -1,4 +1,5 @@
 #include "nix/expr/attr-set.hh"
+#include "nix/expr/eval-error.hh"
 #include "nix/util/configuration.hh"
 #include "nix/expr/eval.hh"
 #include "nix/store/globals.hh"
@@ -89,8 +90,13 @@ static void nix_c_primop_wrapper(
    f(userdata, &ctx, (EvalState *) &state, (nix_value **) args, (nix_value *) &vTmp);

    if (ctx.last_err_code != NIX_OK) {
-        /* TODO: Throw different errors depending on the error code */
-        state.error<nix::EvalError>("Error from custom function: %s", *ctx.last_err).atPos(pos).debugThrow();
+        if (ctx.last_err_code == NIX_ERR_RECOVERABLE) {
+            state.error<nix::RecoverableEvalError>("Recoverable error from custom function: %s", *ctx.last_err)
+                .atPos(pos)
+                .debugThrow();
+        } else {
+            state.error<nix::EvalError>("Error from custom function: %s", *ctx.last_err).atPos(pos).debugThrow();
+        }
    }

    if (!vTmp.isValid()) {
@@ -111,6 +117,8 @@ static void nix_c_primop_wrapper(
    v = vTmp;
 }

+extern "C" {
+
 PrimOp * nix_alloc_primop(
    nix_c_context * context,
    PrimOpFun fun,
@@ -175,6 +183,8 @@ ValueType nix_get_type(nix_c_context * context, const nix_value * value)
        switch (v.type()) {
        case nThunk:
            return NIX_TYPE_THUNK;
+        case nFailed:
+            return NIX_TYPE_FAILED;
        case nInt:
            return NIX_TYPE_INT;
        case nFloat:
@@ -592,7 +602,7 @@ nix_err nix_bindings_builder_insert(nix_c_context * context, BindingsBuilder * b
        context->last_err_code = NIX_OK;
    try {
        auto & v = check_value_not_null(value);
-        nix::Symbol s = bb->builder.state.symbols.create(name);
+        nix::Symbol s = bb->builder.state.get().symbols.create(name);
        bb->builder.insert(s, &v);
    }
    NIXC_CATCH_ERRS
@@ -651,3 +661,5 @@ const StorePath * nix_realised_string_get_store_path(nix_realised_string * s, si
 {
    return &s->storePaths[i];
 }
+
+} // extern "C"
--- a/src/libexpr-c/nix_api_value.h
+++ b/src/libexpr-c/nix_api_value.h
@@ -32,7 +32,8 @@ typedef enum {
    NIX_TYPE_ATTRS,
    NIX_TYPE_LIST,
    NIX_TYPE_FUNCTION,
-    NIX_TYPE_EXTERNAL
+    NIX_TYPE_EXTERNAL,
+    NIX_TYPE_FAILED,
 } ValueType;

 // forward declarations
--- a/src/libexpr-tests/json.cc
+++ b/src/libexpr-tests/json.cc
@@ -54,7 +54,7 @@ TEST_F(JSONValueTest, IntNegative)
 TEST_F(JSONValueTest, String)
 {
    Value v;
-    v.mkString("test");
+    v.mkStringNoCopy("test");
    ASSERT_EQ(getJSONValue(v), "\"test\"");
 }

@@ -62,7 +62,7 @@ TEST_F(JSONValueTest, StringQuotes)
 {
    Value v;

-    v.mkString("test\"");
+    v.mkStringNoCopy("test\"");
    ASSERT_EQ(getJSONValue(v), "\"test\\\"\"");
 }

--- a/src/libexpr-tests/meson.build
+++ b/src/libexpr-tests/meson.build
@@ -55,6 +55,7 @@ sources = files(
  'nix_api_expr.cc',
  'nix_api_external.cc',
  'nix_api_value.cc',
+  'nix_api_value_internal.cc',
  'primops.cc',
  'search-path.cc',
  'trivial.cc',
--- a/src/libexpr-tests/nix_api_expr.cc
+++ b/src/libexpr-tests/nix_api_expr.cc
@@ -1,7 +1,5 @@
 #include "nix_api_store.h"
-#include "nix_api_store_internal.h"
 #include "nix_api_util.h"
-#include "nix_api_util_internal.h"
 #include "nix_api_expr.h"
 #include "nix_api_value.h"

@@ -151,8 +149,8 @@ TEST_F(nix_api_expr_test, nix_expr_realise_context_bad_value)
    assert_ctx_ok();
    auto r = nix_string_realise(ctx, state, value, false);
    ASSERT_EQ(nullptr, r);
-    ASSERT_EQ(ctx->last_err_code, NIX_ERR_NIX_ERROR);
-    ASSERT_THAT(ctx->last_err, testing::Optional(testing::HasSubstr("cannot coerce")));
+    ASSERT_EQ(nix_err_code(ctx), NIX_ERR_NIX_ERROR);
+    ASSERT_THAT(nix_err_msg(nullptr, ctx, nullptr), testing::HasSubstr("cannot coerce"));
 }

 TEST_F(nix_api_expr_test, nix_expr_realise_context_bad_build)
@@ -168,8 +166,8 @@ TEST_F(nix_api_expr_test, nix_expr_realise_context_bad_build)
    assert_ctx_ok();
    auto r = nix_string_realise(ctx, state, value, false);
    ASSERT_EQ(nullptr, r);
-    ASSERT_EQ(ctx->last_err_code, NIX_ERR_NIX_ERROR);
-    ASSERT_THAT(ctx->last_err, testing::Optional(testing::HasSubstr("failed with exit code 1")));
+    ASSERT_EQ(nix_err_code(ctx), NIX_ERR_NIX_ERROR);
+    ASSERT_THAT(nix_err_msg(nullptr, ctx, nullptr), testing::HasSubstr("failed with exit code 1"));
 }

 TEST_F(nix_api_expr_test, nix_expr_realise_context)
@@ -381,12 +379,11 @@ TEST_F(nix_api_expr_test, nix_expr_primop_bad_no_return)
    nix_value * result = nix_alloc_value(ctx, state);
    assert_ctx_ok();
    nix_value_call(ctx, state, primopValue, three, result);
-    ASSERT_EQ(ctx->last_err_code, NIX_ERR_NIX_ERROR);
+    ASSERT_EQ(nix_err_code(ctx), NIX_ERR_NIX_ERROR);
    ASSERT_THAT(
-        ctx->last_err,
-        testing::Optional(
-            testing::HasSubstr("Implementation error in custom function: return value was not initialized")));
-    ASSERT_THAT(ctx->last_err, testing::Optional(testing::HasSubstr("badNoReturn")));
+        nix_err_msg(nullptr, ctx, nullptr),
+        testing::HasSubstr("Implementation error in custom function: return value was not initialized"));
+    ASSERT_THAT(nix_err_msg(nullptr, ctx, nullptr), testing::HasSubstr("badNoReturn"));
 }

 static void primop_bad_return_thunk(
@@ -419,12 +416,11 @@ TEST_F(nix_api_expr_test, nix_expr_primop_bad_return_thunk)
    assert_ctx_ok();
    NIX_VALUE_CALL(ctx, state, result, primopValue, toString, four);

-    ASSERT_EQ(ctx->last_err_code, NIX_ERR_NIX_ERROR);
+    ASSERT_EQ(nix_err_code(ctx), NIX_ERR_NIX_ERROR);
    ASSERT_THAT(
-        ctx->last_err,
-        testing::Optional(
-            testing::HasSubstr("Implementation error in custom function: return value must not be a thunk")));
-    ASSERT_THAT(ctx->last_err, testing::Optional(testing::HasSubstr("badReturnThunk")));
+        nix_err_msg(nullptr, ctx, nullptr),
+        testing::HasSubstr("Implementation error in custom function: return value must not be a thunk"));
+    ASSERT_THAT(nix_err_msg(nullptr, ctx, nullptr), testing::HasSubstr("badReturnThunk"));
 }

 TEST_F(nix_api_expr_test, nix_value_call_multi_no_args)
@@ -441,4 +437,105 @@ TEST_F(nix_api_expr_test, nix_value_call_multi_no_args)
    assert_ctx_ok();
    ASSERT_EQ(3, rInt);
 }
+
+// The following is a test case for retryable thunks.
+// This is a requirement for the current way in which NixOps4 evaluates its deployment expressions.
+// An alternative strategy could be implemented, but unwinding the stack may be a more efficient way to deal with many
+// suspensions/resumptions, compared to e.g. using a thread or coroutine stack for each suspended dependency. This test
+// models the essential bits of a deployment tool that uses such a strategy.
+
+// State for the retryable primop - simulates deployment resource availability
+struct DeploymentResourceState
+{
+    bool vm_created = false;
+};
+
+static void primop_load_resource_input(
+    void * user_data, nix_c_context * context, EvalState * state, nix_value ** args, nix_value * ret)
+{
+    assert(context);
+    assert(state);
+    auto * resource_state = static_cast<DeploymentResourceState *>(user_data);
+
+    // Get the resource input name argument
+    std::string input_name;
+    if (nix_get_string(context, args[0], OBSERVE_STRING(input_name)) != NIX_OK)
+        return;
+
+    // Only handle "vm_id" input - throw for anything else
+    if (input_name != "vm_id") {
+        std::string error_msg = "unknown resource input: " + input_name;
+        nix_set_err_msg(context, NIX_ERR_NIX_ERROR, error_msg.c_str());
+        return;
+    }
+
+    if (resource_state->vm_created) {
+        // VM has been created, return the ID
+        nix_init_string(context, ret, "vm-12345");
+    } else {
+        // VM not created yet, fail with dependency error
+        nix_set_err_msg(context, NIX_ERR_RECOVERABLE, "VM not yet created");
+    }
+}
+
+TEST_F(nix_api_expr_test, nix_expr_thunk_re_evaluation_after_deployment)
+{
+    // This test demonstrates NixOps4's requirement: a thunk calling a primop should be
+    // re-evaluable when deployment resources become available that were not available initially.
+
+    DeploymentResourceState resource_state;
+
+    PrimOp * primop = nix_alloc_primop(
+        ctx,
+        primop_load_resource_input,
+        1,
+        "loadResourceInput",
+        nullptr,
+        "load a deployment resource input",
+        &resource_state);
+    assert_ctx_ok();
+
+    nix_value * primopValue = nix_alloc_value(ctx, state);
+    assert_ctx_ok();
+    nix_init_primop(ctx, primopValue, primop);
+    assert_ctx_ok();
+
+    nix_value * inputName = nix_alloc_value(ctx, state);
+    assert_ctx_ok();
+    nix_init_string(ctx, inputName, "vm_id");
+    assert_ctx_ok();
+
+    // Create a single thunk by using nix_init_apply instead of nix_value_call
+    // This creates a lazy application that can be forced multiple times
+    nix_value * thunk = nix_alloc_value(ctx, state);
+    assert_ctx_ok();
+    nix_init_apply(ctx, thunk, primopValue, inputName);
+    assert_ctx_ok();
+
+    // First force: VM not created yet, should fail
+    nix_value_force(ctx, state, thunk);
+    ASSERT_EQ(NIX_ERR_NIX_ERROR, nix_err_code(ctx));
+    ASSERT_THAT(nix_err_msg(nullptr, ctx, nullptr), testing::HasSubstr("VM not yet created"));
+
+    // Clear the error context for the next attempt
+    nix_c_context_free(ctx);
+    ctx = nix_c_context_create();
+
+    // Simulate deployment process: VM gets created
+    resource_state.vm_created = true;
+
+    // Second force of the SAME thunk: this is where the "failed" value issue appears
+    // With failed value caching, this should fail because the thunk is marked as permanently failed
+    // Without failed value caching (or with retryable failures), this should succeed
+    nix_value_force(ctx, state, thunk);
+
+    // If we get here without error, the thunk was successfully re-evaluated
+    assert_ctx_ok();
+
+    std::string result;
+    nix_get_string(ctx, thunk, OBSERVE_STRING(result));
+    assert_ctx_ok();
+    ASSERT_STREQ("vm-12345", result.c_str());
+}
+
 } // namespace nixC
--- a/src/libexpr-tests/nix_api_external.cc
+++ b/src/libexpr-tests/nix_api_external.cc
@@ -1,9 +1,6 @@
 #include "nix_api_store.h"
-#include "nix_api_store_internal.h"
 #include "nix_api_util.h"
-#include "nix_api_util_internal.h"
 #include "nix_api_expr.h"
-#include "nix_api_expr_internal.h"
 #include "nix_api_value.h"
 #include "nix_api_external.h"

@@ -39,7 +36,7 @@ private:
        std::string type_string = "nix-external<MyExternalValueDesc( ";
        type_string += std::to_string(obj->_x);
        type_string += " )>";
-        res->str = &*type_string.begin();
+        nix_set_string_return(res, &*type_string.begin());
    }
 };

--- a/src/libexpr-tests/nix_api_value.cc
+++ b/src/libexpr-tests/nix_api_value.cc
@@ -1,10 +1,7 @@
 #include "nix_api_store.h"
-#include "nix_api_store_internal.h"
 #include "nix_api_util.h"
-#include "nix_api_util_internal.h"
 #include "nix_api_expr.h"
 #include "nix_api_value.h"
-#include "nix_api_expr_internal.h"

 #include "nix/expr/tests/nix_api_expr.hh"
 #include "nix/util/tests/string_callback.hh"
@@ -16,14 +13,6 @@

 namespace nixC {

-TEST_F(nix_api_expr_test, as_nix_value_ptr)
-{
-    // nix_alloc_value casts nix::Value to nix_value
-    // It should be obvious from the decl that that works, but if it doesn't,
-    // the whole implementation would be utterly broken.
-    ASSERT_EQ(sizeof(nix::Value), sizeof(nix_value));
-}
-
 TEST_F(nix_api_expr_test, nix_value_get_int_invalid)
 {
    ASSERT_EQ(0, nix_get_int(ctx, nullptr));
@@ -320,8 +309,10 @@ TEST_F(nix_api_expr_test, nix_value_init_apply_error)

    // Evaluate it
    nix_value_force(ctx, state, v);
-    ASSERT_EQ(ctx->last_err_code, NIX_ERR_NIX_ERROR);
-    ASSERT_THAT(ctx->last_err.value(), testing::HasSubstr("attempt to call something which is not a function but"));
+    ASSERT_EQ(nix_err_code(ctx), NIX_ERR_NIX_ERROR);
+    ASSERT_THAT(
+        nix_err_msg(nullptr, ctx, nullptr),
+        testing::HasSubstr("attempt to call something which is not a function but"));

    // Clean up
    nix_gc_decref(ctx, some_string);
@@ -380,7 +371,9 @@ TEST_F(nix_api_expr_test, nix_value_init_apply_lazy_arg)
    // nix_get_attr_byname isn't lazy (it could have been) so it will throw the exception
    nix_value * foo = nix_get_attr_byname(ctx, r, state, "foo");
    ASSERT_EQ(nullptr, foo);
-    ASSERT_THAT(ctx->last_err.value(), testing::HasSubstr("error message for test case nix_value_init_apply_lazy_arg"));
+    ASSERT_THAT(
+        nix_err_msg(nullptr, ctx, nullptr),
+        testing::HasSubstr("error message for test case nix_value_init_apply_lazy_arg"));

    // Clean up
    nix_gc_decref(ctx, f);
--- a/src/libexpr-tests/nix_api_value_internal.cc
+++ b/src/libexpr-tests/nix_api_value_internal.cc
@@ -0,0 +1,25 @@
+#include "nix_api_store.h"
+#include "nix_api_util.h"
+#include "nix_api_expr.h"
+#include "nix_api_value.h"
+#include "nix_api_expr_internal.h"
+
+#include "nix/expr/tests/nix_api_expr.hh"
+#include "nix/util/tests/string_callback.hh"
+
+#include <gmock/gmock.h>
+#include <cstddef>
+#include <cstdlib>
+#include <gtest/gtest.h>
+
+namespace nixC {
+
+TEST_F(nix_api_expr_test, as_nix_value_ptr)
+{
+    // nix_alloc_value casts nix::Value to nix_value
+    // It should be obvious from the decl that that works, but if it doesn't,
+    // the whole implementation would be utterly broken.
+    ASSERT_EQ(sizeof(nix::Value), sizeof(nix_value));
+}
+
+} // namespace nixC
--- a/src/libexpr-tests/value/print.cc
+++ b/src/libexpr-tests/value/print.cc
@@ -35,14 +35,14 @@ TEST_F(ValuePrintingTests, tBool)
 TEST_F(ValuePrintingTests, tString)
 {
    Value vString;
-    vString.mkString("some-string");
+    vString.mkStringNoCopy("some-string");
    test(vString, "\"some-string\"");
 }

 TEST_F(ValuePrintingTests, tPath)
 {
    Value vPath;
-    vPath.mkString("/foo");
+    vPath.mkStringNoCopy("/foo");
    test(vPath, "\"/foo\"");
 }

@@ -61,7 +61,7 @@ TEST_F(ValuePrintingTests, tAttrs)
    Value vTwo;
    vTwo.mkInt(2);

-    BindingsBuilder builder(state, state.allocBindings(10));
+    BindingsBuilder builder = state.buildBindings(10);
    builder.insert(state.symbols.create("one"), &vOne);
    builder.insert(state.symbols.create("two"), &vTwo);

@@ -196,11 +196,11 @@ TEST_F(ValuePrintingTests, depthAttrs)
    Value vTwo;
    vTwo.mkInt(2);

-    BindingsBuilder builderEmpty(state, state.allocBindings(0));
+    BindingsBuilder builderEmpty = state.buildBindings(0);
    Value vAttrsEmpty;
    vAttrsEmpty.mkAttrs(builderEmpty.finish());

-    BindingsBuilder builder(state, state.allocBindings(10));
+    BindingsBuilder builder = state.buildBindings(10);
    builder.insert(state.symbols.create("one"), &vOne);
    builder.insert(state.symbols.create("two"), &vTwo);
    builder.insert(state.symbols.create("nested"), &vAttrsEmpty);
@@ -208,7 +208,7 @@ TEST_F(ValuePrintingTests, depthAttrs)
    Value vAttrs;
    vAttrs.mkAttrs(builder.finish());

-    BindingsBuilder builder2(state, state.allocBindings(10));
+    BindingsBuilder builder2 = state.buildBindings(10);
    builder2.insert(state.symbols.create("one"), &vOne);
    builder2.insert(state.symbols.create("two"), &vTwo);
    builder2.insert(state.symbols.create("nested"), &vAttrs);
@@ -233,14 +233,14 @@ TEST_F(ValuePrintingTests, depthList)
    Value vTwo;
    vTwo.mkInt(2);

-    BindingsBuilder builder(state, state.allocBindings(10));
+    BindingsBuilder builder = state.buildBindings(10);
    builder.insert(state.symbols.create("one"), &vOne);
    builder.insert(state.symbols.create("two"), &vTwo);

    Value vAttrs;
    vAttrs.mkAttrs(builder.finish());

-    BindingsBuilder builder2(state, state.allocBindings(10));
+    BindingsBuilder builder2 = state.buildBindings(10);
    builder2.insert(state.symbols.create("one"), &vOne);
    builder2.insert(state.symbols.create("two"), &vTwo);
    builder2.insert(state.symbols.create("nested"), &vAttrs);
@@ -290,12 +290,12 @@ TEST_F(StringPrintingTests, maxLengthTruncation)
 TEST_F(ValuePrintingTests, attrsTypeFirst)
 {
    Value vType;
-    vType.mkString("puppy");
+    vType.mkStringNoCopy("puppy");

    Value vApple;
-    vApple.mkString("apple");
+    vApple.mkStringNoCopy("apple");

-    BindingsBuilder builder(state, state.allocBindings(10));
+    BindingsBuilder builder = state.buildBindings(10);
    builder.insert(state.symbols.create("type"), &vType);
    builder.insert(state.symbols.create("apple"), &vApple);

@@ -334,7 +334,7 @@ TEST_F(ValuePrintingTests, ansiColorsBool)
 TEST_F(ValuePrintingTests, ansiColorsString)
 {
    Value v;
-    v.mkString("puppy");
+    v.mkStringNoCopy("puppy");

    test(v, ANSI_MAGENTA "\"puppy\"" ANSI_NORMAL, PrintOptions{.ansiColors = true});
 }
@@ -342,7 +342,7 @@ TEST_F(ValuePrintingTests, ansiColorsString)
 TEST_F(ValuePrintingTests, ansiColorsStringElided)
 {
    Value v;
-    v.mkString("puppy");
+    v.mkStringNoCopy("puppy");

    test(
        v,
@@ -374,7 +374,7 @@ TEST_F(ValuePrintingTests, ansiColorsAttrs)
    Value vTwo;
    vTwo.mkInt(2);

-    BindingsBuilder builder(state, state.allocBindings(10));
+    BindingsBuilder builder = state.buildBindings(10);
    builder.insert(state.symbols.create("one"), &vOne);
    builder.insert(state.symbols.create("two"), &vTwo);

@@ -390,10 +390,10 @@ TEST_F(ValuePrintingTests, ansiColorsAttrs)
 TEST_F(ValuePrintingTests, ansiColorsDerivation)
 {
    Value vDerivation;
-    vDerivation.mkString("derivation");
+    vDerivation.mkStringNoCopy("derivation");

-    BindingsBuilder builder(state, state.allocBindings(10));
-    builder.insert(state.sType, &vDerivation);
+    BindingsBuilder builder = state.buildBindings(10);
+    builder.insert(state.s.type, &vDerivation);

    Value vAttrs;
    vAttrs.mkAttrs(builder.finish());
@@ -413,7 +413,7 @@ TEST_F(ValuePrintingTests, ansiColorsError)
 {
    Value throw_ = state.getBuiltin("throw");
    Value message;
-    message.mkString("uh oh!");
+    message.mkStringNoCopy("uh oh!");
    Value vError;
    vError.mkApp(&throw_, &message);

@@ -430,16 +430,16 @@ TEST_F(ValuePrintingTests, ansiColorsDerivationError)
 {
    Value throw_ = state.getBuiltin("throw");
    Value message;
-    message.mkString("uh oh!");
+    message.mkStringNoCopy("uh oh!");
    Value vError;
    vError.mkApp(&throw_, &message);

    Value vDerivation;
-    vDerivation.mkString("derivation");
+    vDerivation.mkStringNoCopy("derivation");

-    BindingsBuilder builder(state, state.allocBindings(10));
-    builder.insert(state.sType, &vDerivation);
-    builder.insert(state.sDrvPath, &vError);
+    BindingsBuilder builder = state.buildBindings(10);
+    builder.insert(state.s.type, &vDerivation);
+    builder.insert(state.s.drvPath, &vError);

    Value vAttrs;
    vAttrs.mkAttrs(builder.finish());
@@ -553,12 +553,12 @@ TEST_F(ValuePrintingTests, ansiColorsBlackhole)

 TEST_F(ValuePrintingTests, ansiColorsAttrsRepeated)
 {
-    BindingsBuilder emptyBuilder(state, state.allocBindings(1));
+    BindingsBuilder emptyBuilder = state.buildBindings(1);

    Value vEmpty;
    vEmpty.mkAttrs(emptyBuilder.finish());

-    BindingsBuilder builder(state, state.allocBindings(10));
+    BindingsBuilder builder = state.buildBindings(10);
    builder.insert(state.symbols.create("a"), &vEmpty);
    builder.insert(state.symbols.create("b"), &vEmpty);

@@ -570,7 +570,7 @@ TEST_F(ValuePrintingTests, ansiColorsAttrsRepeated)

 TEST_F(ValuePrintingTests, ansiColorsListRepeated)
 {
-    BindingsBuilder emptyBuilder(state, state.allocBindings(1));
+    BindingsBuilder emptyBuilder = state.buildBindings(1);

    Value vEmpty;
    vEmpty.mkAttrs(emptyBuilder.finish());
@@ -586,7 +586,7 @@ TEST_F(ValuePrintingTests, ansiColorsListRepeated)

 TEST_F(ValuePrintingTests, listRepeated)
 {
-    BindingsBuilder emptyBuilder(state, state.allocBindings(1));
+    BindingsBuilder emptyBuilder = state.buildBindings(1);

    Value vEmpty;
    vEmpty.mkAttrs(emptyBuilder.finish());
@@ -609,7 +609,7 @@ TEST_F(ValuePrintingTests, ansiColorsAttrsElided)
    Value vTwo;
    vTwo.mkInt(2);

-    BindingsBuilder builder(state, state.allocBindings(10));
+    BindingsBuilder builder = state.buildBindings(10);
    builder.insert(state.symbols.create("one"), &vOne);
    builder.insert(state.symbols.create("two"), &vTwo);

@@ -635,8 +635,6 @@ TEST_F(ValuePrintingTests, ansiColorsAttrsElided)

 TEST_F(ValuePrintingTests, ansiColorsListElided)
 {
-    BindingsBuilder emptyBuilder(state, state.allocBindings(1));
-
    Value vOne;
    vOne.mkInt(1);

--- a/src/libexpr/attr-set.cc
+++ b/src/libexpr/attr-set.cc
@@ -16,19 +16,19 @@ Bindings * EvalState::allocBindings(size_t capacity)
        throw Error("attribute set of size %d is too big", capacity);
    nrAttrsets++;
    nrAttrsInAttrsets += capacity;
-    return new (allocBytes(sizeof(Bindings) + sizeof(Attr) * capacity)) Bindings((Bindings::size_t) capacity);
+    return new (allocBytes(sizeof(Bindings) + sizeof(Attr) * capacity)) Bindings();
 }

 Value & BindingsBuilder::alloc(Symbol name, PosIdx pos)
 {
-    auto value = state.allocValue();
+    auto value = state.get().allocValue();
    bindings->push_back(Attr(name, value, pos));
    return *value;
 }

 Value & BindingsBuilder::alloc(std::string_view name, PosIdx pos)
 {
-    return alloc(state.symbols.create(name), pos);
+    return alloc(state.get().symbols.create(name), pos);
 }

 void Bindings::sort()
--- a/src/libexpr/eval-cache.cc
+++ b/src/libexpr/eval-cache.cc
@@ -330,7 +330,7 @@ AttrCursor::AttrCursor(
 AttrKey AttrCursor::getKey()
 {
    if (!parent)
-        return {0, root->state.sEpsilon};
+        return {0, root->state.s.epsilon};
    if (!parent->first->cachedValue) {
        parent->first->cachedValue = root->db->getAttr(parent->first->getKey());
        assert(parent->first->cachedValue);
@@ -702,7 +702,7 @@ bool AttrCursor::isDerivation()

 StorePath AttrCursor::forceDerivation()
 {
-    auto aDrvPath = getAttr(root->state.sDrvPath);
+    auto aDrvPath = getAttr(root->state.s.drvPath);
    auto drvPath = root->state.store->parseStorePath(aDrvPath->getString());
    drvPath.requireDerivation();
    if (!root->state.store->isValidPath(drvPath) && !settings.readOnlyMode) {
--- a/src/libexpr/eval-error.cc
+++ b/src/libexpr/eval-error.cc
@@ -113,5 +113,6 @@ template class EvalErrorBuilder<MissingArgumentError>;
 template class EvalErrorBuilder<InfiniteRecursionError>;
 template class EvalErrorBuilder<InvalidPathError>;
 template class EvalErrorBuilder<IFDError>;
+template class EvalErrorBuilder<RecoverableEvalError>;

 } // namespace nix
--- a/src/libexpr/eval-gc.cc
+++ b/src/libexpr/eval-gc.cc
@@ -16,6 +16,7 @@
 #  endif

 #  include <gc/gc_allocator.h>
+#  include <gc/gc_tiny_fl.h> // For GC_GRANULE_BYTES

 #  include <boost/coroutine2/coroutine.hpp>
 #  include <boost/coroutine2/protected_fixedsize_stack.hpp>
@@ -23,6 +24,17 @@

 #endif

+/*
+ * Ensure that Boehm satisfies our alignment requirements. This is the default configuration [^]
+ * and this assertion should never break for any platform. Let's assert it just in case.
+ *
+ * This alignment is particularly useful to be able to use aligned
+ * load/store instructions for loading/writing Values.
+ *
+ * [^]: https://github.com/bdwgc/bdwgc/blob/54ac18ccbc5a833dd7edaff94a10ab9b65044d61/include/gc/gc_tiny_fl.h#L31-L33
+ */
+static_assert(sizeof(void *) * 2 == GC_GRANULE_BYTES, "Boehm GC must use GC_GRANULE_WORDS = 2");
+
 namespace nix {

 #if NIX_USE_BOEHMGC
--- a/src/libexpr/eval-profiler.cc
+++ b/src/libexpr/eval-profiler.cc
@@ -185,7 +185,7 @@ FrameInfo SampleStack::getPrimOpFrameInfo(const PrimOp & primOp, std::span<Value
                /* Error context strings don't actually matter, since we ignore all eval errors. */
                state.forceAttrs(*args[0], pos, "");
                auto attrs = args[0]->attrs();
-                auto nameAttr = state.getAttr(state.sName, attrs, "");
+                auto nameAttr = state.getAttr(state.s.name, attrs, "");
                auto drvName = std::string(state.forceStringNoCtx(*nameAttr->value, pos, ""));
                return DerivationStrictFrameInfo{.callPos = pos, .drvName = std::move(drvName)};
            } catch (...) {
@@ -211,7 +211,7 @@ FrameInfo SampleStack::getFrameInfoFromValueAndPos(const Value & v, std::span<Va
        /* Resolve primOp eagerly. Must not hold on to a reference to a Value. */
        return PrimOpFrameInfo{.expr = v.primOpAppPrimOp(), .callPos = pos};
    else if (state.isFunctor(v)) {
-        const auto functor = v.attrs()->get(state.sFunctor);
+        const auto functor = v.attrs()->get(state.s.functor);
        if (auto pos_ = posCache.lookup(pos); std::holds_alternative<std::monostate>(pos_.origin))
            /* HACK: In case callsite position is unresolved. */
            return FunctorFrameInfo{.pos = functor->pos};
@@ -324,7 +324,7 @@ void SampleStack::saveProfile()
            std::visit([&](auto && info) { info.symbolize(state, os, posCache); }, pos);
        }
        os << " " << count;
-        writeLine(profileFd.get(), os.str());
+        writeLine(profileFd.get(), std::move(os).str());
        /* Clear ostringstream. */
        os.str("");
        os.clear();
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -1,4 +1,5 @@
 #include "nix/expr/eval.hh"
+#include "nix/expr/eval-error.hh"
 #include "nix/expr/eval-settings.hh"
 #include "nix/expr/primops.hh"
 #include "nix/expr/print-options.hh"
@@ -22,10 +23,12 @@
 #include "nix/fetchers/fetch-to-store.hh"
 #include "nix/fetchers/tarball.hh"
 #include "nix/fetchers/input-cache.hh"
+#include "nix/util/current-process.hh"

 #include "parser-tab.hh"

 #include <algorithm>
+#include <exception>
 #include <iostream>
 #include <sstream>
 #include <cstring>
@@ -38,10 +41,6 @@
 #include <nlohmann/json.hpp>
 #include <boost/container/small_vector.hpp>

-#ifndef _WIN32 // TODO use portable implementation
-#  include <sys/resource.h>
-#endif
-
 #include "nix/util/strings-inline.hh"

 using json = nlohmann::json;
@@ -127,6 +126,8 @@ std::string_view showType(ValueType type, bool withArticle)
        return WA("a", "float");
    case nThunk:
        return WA("a", "thunk");
+    case nFailed:
+        return WA("a", "failure");
    }
    unreachable();
 }
@@ -203,124 +204,65 @@ EvalState::EvalState(
    std::shared_ptr<Store> buildStore)
    : fetchSettings{fetchSettings}
    , settings{settings}
-    , sWith(symbols.create("<with>"))
-    , sOutPath(symbols.create("outPath"))
-    , sDrvPath(symbols.create("drvPath"))
-    , sType(symbols.create("type"))
-    , sMeta(symbols.create("meta"))
-    , sName(symbols.create("name"))
-    , sValue(symbols.create("value"))
-    , sSystem(symbols.create("system"))
-    , sOverrides(symbols.create("__overrides"))
-    , sOutputs(symbols.create("outputs"))
-    , sOutputName(symbols.create("outputName"))
-    , sIgnoreNulls(symbols.create("__ignoreNulls"))
-    , sFile(symbols.create("file"))
-    , sLine(symbols.create("line"))
-    , sColumn(symbols.create("column"))
-    , sFunctor(symbols.create("__functor"))
-    , sToString(symbols.create("__toString"))
-    , sRight(symbols.create("right"))
-    , sWrong(symbols.create("wrong"))
-    , sStructuredAttrs(symbols.create("__structuredAttrs"))
-    , sJson(symbols.create("__json"))
-    , sAllowedReferences(symbols.create("allowedReferences"))
-    , sAllowedRequisites(symbols.create("allowedRequisites"))
-    , sDisallowedReferences(symbols.create("disallowedReferences"))
-    , sDisallowedRequisites(symbols.create("disallowedRequisites"))
-    , sMaxSize(symbols.create("maxSize"))
-    , sMaxClosureSize(symbols.create("maxClosureSize"))
-    , sBuilder(symbols.create("builder"))
-    , sArgs(symbols.create("args"))
-    , sContentAddressed(symbols.create("__contentAddressed"))
-    , sImpure(symbols.create("__impure"))
-    , sOutputHash(symbols.create("outputHash"))
-    , sOutputHashAlgo(symbols.create("outputHashAlgo"))
-    , sOutputHashMode(symbols.create("outputHashMode"))
-    , sRecurseForDerivations(symbols.create("recurseForDerivations"))
-    , sDescription(symbols.create("description"))
-    , sSelf(symbols.create("self"))
-    , sEpsilon(symbols.create(""))
-    , sStartSet(symbols.create("startSet"))
-    , sOperator(symbols.create("operator"))
-    , sKey(symbols.create("key"))
-    , sPath(symbols.create("path"))
-    , sPrefix(symbols.create("prefix"))
-    , sOutputSpecified(symbols.create("outputSpecified"))
-    , exprSymbols{
-        .sub = symbols.create("__sub"),
-        .lessThan = symbols.create("__lessThan"),
-        .mul = symbols.create("__mul"),
-        .div = symbols.create("__div"),
-        .or_ = symbols.create("or"),
-        .findFile = symbols.create("__findFile"),
-        .nixPath = symbols.create("__nixPath"),
-        .body = symbols.create("body"),
-    }
+    , symbols(StaticEvalSymbols::staticSymbolTable())
    , repair(NoRepair)
-    , emptyBindings(0)
-    , storeFS(
-        makeMountedSourceAccessor(
-            {
-                {CanonPath::root, makeEmptySourceAccessor()},
-                /* In the pure eval case, we can simply require
-                   valid paths. However, in the *impure* eval
-                   case this gets in the way of the union
-                   mechanism, because an invalid access in the
-                   upper layer will *not* be caught by the union
-                   source accessor, but instead abort the entire
-                   lookup.
+    , emptyBindings(Bindings())
+    , storeFS(makeMountedSourceAccessor({
+          {CanonPath::root, makeEmptySourceAccessor()},
+          /* In the pure eval case, we can simply require
+             valid paths. However, in the *impure* eval
+             case this gets in the way of the union
+             mechanism, because an invalid access in the
+             upper layer will *not* be caught by the union
+             source accessor, but instead abort the entire
+             lookup.

-                   This happens when the store dir in the
-                   ambient file system has a path (e.g. because
-                   another Nix store there), but the relocated
-                   store does not.
+             This happens when the store dir in the
+             ambient file system has a path (e.g. because
+             another Nix store there), but the relocated
+             store does not.

-                   TODO make the various source accessors doing
-                   access control all throw the same type of
-                   exception, and make union source accessor
-                   catch it, so we don't need to do this hack.
-                 */
-                {CanonPath(store->storeDir), store->getFSAccessor(settings.pureEval)},
-            }))
-    , rootFS(
-        ({
-            /* In pure eval mode, we provide a filesystem that only
-               contains the Nix store.
+             TODO make the various source accessors doing
+             access control all throw the same type of
+             exception, and make union source accessor
+             catch it, so we don't need to do this hack.
+           */
+          {CanonPath(store->storeDir), store->getFSAccessor(settings.pureEval)},
+      }))
+    , rootFS(({
+        /* In pure eval mode, we provide a filesystem that only
+           contains the Nix store.

-               If we have a chroot store and pure eval is not enabled,
-               use a union accessor to make the chroot store available
-               at its logical location while still having the
-               underlying directory available. This is necessary for
-               instance if we're evaluating a file from the physical
-               /nix/store while using a chroot store. */
-            auto accessor = getFSSourceAccessor();
+           If we have a chroot store and pure eval is not enabled,
+           use a union accessor to make the chroot store available
+           at its logical location while still having the
+           underlying directory available. This is necessary for
+           instance if we're evaluating a file from the physical
+           /nix/store while using a chroot store. */
+        auto accessor = getFSSourceAccessor();

-            auto realStoreDir = dirOf(store->toRealPath(StorePath::dummy));
-            if (settings.pureEval || store->storeDir != realStoreDir) {
-                accessor = settings.pureEval
-                    ? storeFS
-                    : makeUnionSourceAccessor({accessor, storeFS});
-            }
+        auto realStoreDir = dirOf(store->toRealPath(StorePath::dummy));
+        if (settings.pureEval || store->storeDir != realStoreDir) {
+            accessor = settings.pureEval ? storeFS : makeUnionSourceAccessor({accessor, storeFS});
+        }

-            /* Apply access control if needed. */
-            if (settings.restrictEval || settings.pureEval)
-                accessor = AllowListSourceAccessor::create(accessor, {}, {},
-                    [&settings](const CanonPath & path) -> RestrictedPathError {
-                        auto modeInformation = settings.pureEval
-                            ? "in pure evaluation mode (use '--impure' to override)"
-                            : "in restricted mode";
-                        throw RestrictedPathError("access to absolute path '%1%' is forbidden %2%", path, modeInformation);
-                    });
+        /* Apply access control if needed. */
+        if (settings.restrictEval || settings.pureEval)
+            accessor = AllowListSourceAccessor::create(
+                accessor, {}, {}, [&settings](const CanonPath & path) -> RestrictedPathError {
+                    auto modeInformation = settings.pureEval ? "in pure evaluation mode (use '--impure' to override)"
+                                                             : "in restricted mode";
+                    throw RestrictedPathError("access to absolute path '%1%' is forbidden %2%", path, modeInformation);
+                });

-            accessor;
-        }))
+        accessor;
+    }))
    , corepkgsFS(make_ref<MemorySourceAccessor>())
    , internalFS(make_ref<MemorySourceAccessor>())
    , derivationInternal{corepkgsFS->addFile(
-        CanonPath("derivation-internal.nix"),
+          CanonPath("derivation-internal.nix"),
 #include "primops/derivation.nix.gen.hh"
-    )}
+          )}
    , store(store)
    , buildStore(buildStore ? buildStore : store)
    , inputCache(fetchers::InputCache::create())
@@ -351,10 +293,10 @@ EvalState::EvalState(
    vNull.mkNull();
    vTrue.mkBool(true);
    vFalse.mkBool(false);
-    vStringRegular.mkString("regular");
-    vStringDirectory.mkString("directory");
-    vStringSymlink.mkString("symlink");
-    vStringUnknown.mkString("unknown");
+    vStringRegular.mkStringNoCopy("regular");
+    vStringDirectory.mkStringNoCopy("directory");
+    vStringSymlink.mkStringNoCopy("symlink");
+    vStringUnknown.mkStringNoCopy("unknown");

    /* Construct the Nix expression search path. */
    assert(lookupPath.elements.empty());
@@ -649,12 +591,12 @@ std::optional<EvalState::Doc> EvalState::getDoc(Value & v)
            .name = name,
            .arity = 0, // FIXME: figure out how deep by syntax only? It's not semantically useful though...
            .args = {},
-            .doc = makeImmutableString(s.view()), // NOTE: memory leak when compiled without GC
+            .doc = makeImmutableString(toView(s)), // NOTE: memory leak when compiled without GC
        };
    }
    if (isFunctor(v)) {
        try {
-            Value & functor = *v.attrs()->find(sFunctor)->value;
+            Value & functor = *v.attrs()->find(s.functor)->value;
            Value * vp[] = {&v};
            Value partiallyApplied;
            // The first parameter is not user-provided, and may be
@@ -883,7 +825,7 @@ DebugTraceStacker::DebugTraceStacker(EvalState & evalState, DebugTrace t)

 void Value::mkString(std::string_view s)
 {
-    mkString(makeImmutableString(s));
+    mkStringNoCopy(makeImmutableString(s));
 }

 static const char ** encodeContext(const NixStringContext & context)
@@ -902,12 +844,12 @@ static const char ** encodeContext(const NixStringContext & context)

 void Value::mkString(std::string_view s, const NixStringContext & context)
 {
-    mkString(makeImmutableString(s), encodeContext(context));
+    mkStringNoCopy(makeImmutableString(s), encodeContext(context));
 }

 void Value::mkStringMove(const char * s, const NixStringContext & context)
 {
-    mkString(s, encodeContext(context));
+    mkStringNoCopy(s, encodeContext(context));
 }

 void Value::mkPath(const SourcePath & path)
@@ -978,8 +920,8 @@ void EvalState::mkPos(Value & v, PosIdx p)
    auto origin = positions.originOf(p);
    if (auto path = std::get_if<SourcePath>(&origin)) {
        auto attrs = buildBindings(3);
-        attrs.alloc(sFile).mkString(path->path.abs());
-        makePositionThunks(*this, p, attrs.alloc(sLine), attrs.alloc(sColumn));
+        attrs.alloc(s.file).mkString(path->path.abs());
+        makePositionThunks(*this, p, attrs.alloc(s.line), attrs.alloc(s.column));
        v.mkAttrs(attrs);
    } else
        v.mkNull();
@@ -1245,7 +1187,7 @@ void ExprAttrs::eval(EvalState & state, Env & env, Value & v)
        dynamicEnv = &env2;
        Env * inheritEnv = inheritFromExprs ? buildInheritFromEnv(state, env2) : nullptr;

-        AttrDefs::iterator overrides = attrs.find(state.sOverrides);
+        AttrDefs::iterator overrides = attrs.find(state.s.overrides);
        bool hasOverrides = overrides != attrs.end();

        /* The recursive attributes are evaluated in the new
@@ -1277,7 +1219,7 @@ void ExprAttrs::eval(EvalState & state, Env & env, Value & v)
                *vOverrides,
                [&]() { return vOverrides->determinePos(noPos); },
                "while evaluating the `__overrides` attribute");
-            bindings.grow(state.allocBindings(bindings.capacity() + vOverrides->attrs()->size()));
+            bindings.grow(state.buildBindings(bindings.capacity() + vOverrides->attrs()->size()));
            for (auto & i : *vOverrides->attrs()) {
                AttrDefs::iterator j = attrs.find(i.name);
                if (j != attrs.end()) {
@@ -1717,7 +1659,7 @@ void EvalState::callFunction(Value & fun, std::span<Value *> args, Value & vRes,
            }
        }

-        else if (vCur.type() == nAttrs && (functor = vCur.attrs()->get(sFunctor))) {
+        else if (vCur.type() == nAttrs && (functor = vCur.attrs()->get(s.functor))) {
            /* 'vCur' may be allocated on the stack of the calling
               function, but for functors we may keep a reference, so
               heap-allocate a copy and use that instead. */
@@ -1779,7 +1721,7 @@ void EvalState::autoCallFunction(const Bindings & args, Value & fun, Value & res
    forceValue(fun, pos);

    if (fun.type() == nAttrs) {
-        auto found = fun.attrs()->find(sFunctor);
+        auto found = fun.attrs()->find(s.functor);
        if (found != fun.attrs()->end()) {
            Value * v = allocValue();
            callFunction(*found->value, fun, *v, pos);
@@ -1845,7 +1787,7 @@ void ExprAssert::eval(EvalState & state, Env & env, Value & v)
    if (!state.evalBool(env, cond, pos, "in the condition of the assert statement")) {
        std::ostringstream out;
        cond->show(state.symbols, out);
-        auto exprStr = out.view();
+        auto exprStr = toView(out);

        if (auto eq = dynamic_cast<ExprOpEq *>(cond)) {
            try {
@@ -2122,6 +2064,54 @@ void ExprBlackHole::eval(EvalState & state, [[maybe_unused]] Env & env, Value &
 // always force this to be separate, otherwise forceValue may inline it and take
 // a massive perf hit
 [[gnu::noinline]]
+void EvalState::handleEvalExceptionForThunk(Env * env, Expr * expr, Value & v, const PosIdx pos)
+{
+    v.mkThunk(env, expr);
+    tryFixupBlackHolePos(v, pos);
+
+    auto e = std::current_exception();
+    Value * recovery = nullptr;
+    try {
+        std::rethrow_exception(e);
+    } catch (const RecoverableEvalError & e) {
+        recovery = allocValue();
+    } catch (...) {
+    }
+    if (recovery) {
+        recovery->mkThunk(env, expr);
+    }
+    v.mkFailed(e, recovery);
+}
+
+[[gnu::noinline]]
+void EvalState::handleEvalExceptionForApp(Value & v)
+{
+    auto e = std::current_exception();
+    Value * recovery = nullptr;
+    try {
+        std::rethrow_exception(e);
+    } catch (const RecoverableEvalError & e) {
+        recovery = allocValue();
+    } catch (...) {
+    }
+    if (recovery) {
+        *recovery = v;
+    }
+    v.mkFailed(e, recovery);
+}
+
+[[gnu::noinline]]
+void EvalState::handleEvalFailed(Value & v, const PosIdx pos)
+{
+    assert(v.isFailed());
+    if (auto recoveryValue = v.failed()->recoveryValue) {
+        v = *recoveryValue;
+        forceValue(v, pos);
+    } else {
+        std::rethrow_exception(v.failed()->ex);
+    }
+}
+
 void EvalState::tryFixupBlackHolePos(Value & v, PosIdx pos)
 {
    if (!v.isBlackhole())
@@ -2130,7 +2120,8 @@ void EvalState::tryFixupBlackHolePos(Value & v, PosIdx pos)
    try {
        std::rethrow_exception(e);
    } catch (InfiniteRecursionError & e) {
-        e.atPos(positions[pos]);
+        if (!e.hasPos())
+            e.atPos(positions[pos]);
    } catch (...) {
    }
 }
@@ -2241,7 +2232,7 @@ Bindings::const_iterator EvalState::getAttr(Symbol attrSym, const Bindings * att

 bool EvalState::isFunctor(const Value & fun) const
 {
-    return fun.type() == nAttrs && fun.attrs()->find(sFunctor) != fun.attrs()->end();
+    return fun.type() == nAttrs && fun.attrs()->find(s.functor) != fun.attrs()->end();
 }

 void EvalState::forceFunction(Value & v, const PosIdx pos, std::string_view errorCtx)
@@ -2310,7 +2301,7 @@ bool EvalState::isDerivation(Value & v)
 {
    if (v.type() != nAttrs)
        return false;
-    auto i = v.attrs()->get(sType);
+    auto i = v.attrs()->get(s.type);
    if (!i)
        return false;
    forceValue(*i->value, i->pos);
@@ -2322,7 +2313,7 @@ bool EvalState::isDerivation(Value & v)
 std::optional<std::string>
 EvalState::tryAttrsToString(const PosIdx pos, Value & v, NixStringContext & context, bool coerceMore, bool copyToStore)
 {
-    auto i = v.attrs()->find(sToString);
+    auto i = v.attrs()->find(s.toString);
    if (i != v.attrs()->end()) {
        Value v1;
        callFunction(*i->value, v, v1, pos);
@@ -2368,7 +2359,7 @@ BackedStringView EvalState::coerceToString(
        auto maybeString = tryAttrsToString(pos, v, context, coerceMore, copyToStore);
        if (maybeString)
            return std::move(*maybeString);
-        auto i = v.attrs()->find(sOutPath);
+        auto i = v.attrs()->find(s.outPath);
        if (i == v.attrs()->end()) {
            error<TypeError>(
                "cannot coerce %1% to a string: %2%", showType(v), ValuePrinter(*this, v, errorPrintOptions))
@@ -2475,7 +2466,7 @@ SourcePath EvalState::coerceToPath(const PosIdx pos, Value & v, NixStringContext
    /* Similarly, handle __toString where the result may be a path
       value. */
    if (v.type() == nAttrs) {
-        auto i = v.attrs()->find(sToString);
+        auto i = v.attrs()->find(s.toString);
        if (i != v.attrs()->end()) {
            Value v1;
            callFunction(*i->value, v, v1, pos);
@@ -2665,8 +2656,8 @@ void EvalState::assertEqValues(Value & v1, Value & v2, const PosIdx pos, std::st

    case nAttrs: {
        if (isDerivation(v1) && isDerivation(v2)) {
-            auto i = v1.attrs()->get(sOutPath);
-            auto j = v2.attrs()->get(sOutPath);
+            auto i = v1.attrs()->get(s.outPath);
+            auto j = v2.attrs()->get(s.outPath);
            if (i && j) {
                try {
                    assertEqValues(*i->value, *j->value, pos, errorCtx);
@@ -2755,8 +2746,11 @@ void EvalState::assertEqValues(Value & v1, Value & v2, const PosIdx pos, std::st
        }
        return;

-    case nThunk: // Must not be left by forceValue
-        assert(false);
+    // Cannot be returned by forceValue().
+    case nThunk:
+    case nFailed:
+        unreachable();
+
    default: // Note that we pass compiler flags that should make `default:` unreachable.
        // Also note that this probably ran after `eqValues`, which implements
        // the same logic more efficiently (without having to unwind stacks),
@@ -2819,8 +2813,8 @@ bool EvalState::eqValues(Value & v1, Value & v2, const PosIdx pos, std::string_v
        /* If both sets denote a derivation (type = "derivation"),
           then compare their outPaths. */
        if (isDerivation(v1) && isDerivation(v2)) {
-            auto i = v1.attrs()->get(sOutPath);
-            auto j = v2.attrs()->get(sOutPath);
+            auto i = v1.attrs()->get(s.outPath);
+            auto j = v2.attrs()->get(s.outPath);
            if (i && j)
                return eqValues(*i->value, *j->value, pos, errorCtx);
        }
@@ -2848,8 +2842,11 @@ bool EvalState::eqValues(Value & v1, Value & v2, const PosIdx pos, std::string_v
        // !!!
        return v1.fpoint() == v2.fpoint();

-    case nThunk: // Must not be left by forceValue
-        assert(false);
+    // Cannot be returned by forceValue().
+    case nThunk:
+    case nFailed:
+        unreachable();
+
    default: // Note that we pass compiler flags that should make `default:` unreachable.
        error<EvalError>("eqValues: cannot compare %1% with %2%", showType(v1), showType(v2))
            .withTrace(pos, errorCtx)
@@ -2889,11 +2886,8 @@ void EvalState::maybePrintStats()

 void EvalState::printStatistics()
 {
-#ifndef _WIN32 // TODO use portable implementation
-    struct rusage buf;
-    getrusage(RUSAGE_SELF, &buf);
-    float cpuTime = buf.ru_utime.tv_sec + ((float) buf.ru_utime.tv_usec / 1000000);
-#endif
+    std::chrono::microseconds cpuTimeDuration = getCpuUserTime();
+    float cpuTime = std::chrono::duration_cast<std::chrono::duration<float>>(cpuTimeDuration).count();

    uint64_t bEnvs = nrEnvs * sizeof(Env) + nrValuesInEnvs * sizeof(Value *);
    uint64_t bLists = nrListElems * sizeof(Value *);
@@ -2915,18 +2909,12 @@ void EvalState::printStatistics()
    if (outPath != "-")
        fs.open(outPath, std::fstream::out);
    json topObj = json::object();
-#ifndef _WIN32 // TODO implement
    topObj["cpuTime"] = cpuTime;
-#endif
    topObj["time"] = {
-#ifndef _WIN32 // TODO implement
        {"cpu", cpuTime},
-#endif
 #if NIX_USE_BOEHMGC
        {GC_is_incremental_mode() ? "gcNonIncremental" : "gc", gcFullOnlyTime},
-#  ifndef _WIN32 // TODO implement
        {GC_is_incremental_mode() ? "gcNonIncrementalFraction" : "gcFraction", gcFullOnlyTime / cpuTime},
-#  endif
 #endif
    };
    topObj["envs"] = {
@@ -3196,8 +3184,7 @@ Expr * EvalState::parse(
        docComments = &it->second;
    }

-    auto result = parseExprFromBuf(
-        text, length, origin, basePath, symbols, settings, positions, *docComments, rootFS, exprSymbols);
+    auto result = parseExprFromBuf(text, length, origin, basePath, symbols, settings, positions, *docComments, rootFS);

    result->bindVars(*this, staticEnv);

--- a/src/libexpr/get-drvs.cc
+++ b/src/libexpr/get-drvs.cc
@@ -45,7 +45,7 @@ PackageInfo::PackageInfo(EvalState & state, ref<Store> store, const std::string
 std::string PackageInfo::queryName() const
 {
    if (name == "" && attrs) {
-        auto i = attrs->find(state->sName);
+        auto i = attrs->find(state->s.name);
        if (i == attrs->end())
            state->error<TypeError>("derivation name missing").debugThrow();
        name = state->forceStringNoCtx(*i->value, noPos, "while evaluating the 'name' attribute of a derivation");
@@ -56,7 +56,7 @@ std::string PackageInfo::queryName() const
 std::string PackageInfo::querySystem() const
 {
    if (system == "" && attrs) {
-        auto i = attrs->find(state->sSystem);
+        auto i = attrs->find(state->s.system);
        system =
            i == attrs->end()
                ? "unknown"
@@ -68,7 +68,7 @@ std::string PackageInfo::querySystem() const
 std::optional<StorePath> PackageInfo::queryDrvPath() const
 {
    if (!drvPath && attrs) {
-        if (auto i = attrs->get(state->sDrvPath)) {
+        if (auto i = attrs->get(state->s.drvPath)) {
            NixStringContext context;
            auto found = state->coerceToStorePath(
                i->pos, *i->value, context, "while evaluating the 'drvPath' attribute of a derivation");
@@ -95,7 +95,7 @@ StorePath PackageInfo::requireDrvPath() const
 StorePath PackageInfo::queryOutPath() const
 {
    if (!outPath && attrs) {
-        auto i = attrs->find(state->sOutPath);
+        auto i = attrs->find(state->s.outPath);
        NixStringContext context;
        if (i != attrs->end())
            outPath = state->coerceToStorePath(
@@ -111,7 +111,7 @@ PackageInfo::Outputs PackageInfo::queryOutputs(bool withPaths, bool onlyOutputsT
    if (outputs.empty()) {
        /* Get the ‘outputs’ list. */
        const Attr * i;
-        if (attrs && (i = attrs->get(state->sOutputs))) {
+        if (attrs && (i = attrs->get(state->s.outputs))) {
            state->forceList(*i->value, i->pos, "while evaluating the 'outputs' attribute of a derivation");

            /* For each output... */
@@ -127,7 +127,7 @@ PackageInfo::Outputs PackageInfo::queryOutputs(bool withPaths, bool onlyOutputsT
                    state->forceAttrs(*out->value, i->pos, "while evaluating an output of a derivation");

                    /* And evaluate its ‘outPath’ attribute. */
-                    auto outPath = out->value->attrs()->get(state->sOutPath);
+                    auto outPath = out->value->attrs()->get(state->s.outPath);
                    if (!outPath)
                        continue; // FIXME: throw error?
                    NixStringContext context;
@@ -146,7 +146,7 @@ PackageInfo::Outputs PackageInfo::queryOutputs(bool withPaths, bool onlyOutputsT
        return outputs;

    const Attr * i;
-    if (attrs && (i = attrs->get(state->sOutputSpecified))
+    if (attrs && (i = attrs->get(state->s.outputSpecified))
        && state->forceBool(*i->value, i->pos, "while evaluating the 'outputSpecified' attribute of a derivation")) {
        Outputs result;
        auto out = outputs.find(queryOutputName());
@@ -181,7 +181,7 @@ PackageInfo::Outputs PackageInfo::queryOutputs(bool withPaths, bool onlyOutputsT
 std::string PackageInfo::queryOutputName() const
 {
    if (outputName == "" && attrs) {
-        auto i = attrs->get(state->sOutputName);
+        auto i = attrs->get(state->s.outputName);
        outputName =
            i ? state->forceStringNoCtx(*i->value, noPos, "while evaluating the output name of a derivation") : "";
    }
@@ -194,7 +194,7 @@ const Bindings * PackageInfo::getMeta()
        return meta;
    if (!attrs)
        return 0;
-    auto a = attrs->get(state->sMeta);
+    auto a = attrs->get(state->s.meta);
    if (!a)
        return 0;
    state->forceAttrs(*a->value, a->pos, "while evaluating the 'meta' attribute of a derivation");
@@ -221,7 +221,7 @@ bool PackageInfo::checkMeta(Value & v)
                return false;
        return true;
    } else if (v.type() == nAttrs) {
-        if (v.attrs()->get(state->sOutPath))
+        if (v.attrs()->get(state->s.outPath))
            return false;
        for (auto & i : *v.attrs())
            if (!checkMeta(*i.value))
@@ -411,7 +411,7 @@ static void getDerivations(
                    should we recurse into it?  => Only if it has a
                    `recurseForDerivations = true' attribute. */
                    if (i->value->type() == nAttrs) {
-                        auto j = i->value->attrs()->get(state.sRecurseForDerivations);
+                        auto j = i->value->attrs()->get(state.s.recurseForDerivations);
                        if (j
                            && state.forceBool(
                                *j->value, j->pos, "while evaluating the attribute `recurseForDerivations`"))
--- a/src/libexpr/include/nix/expr/attr-set.hh
+++ b/src/libexpr/include/nix/expr/attr-set.hh
@@ -5,6 +5,7 @@
 #include "nix/expr/symbol-table.hh"

 #include <algorithm>
+#include <functional>

 namespace nix {

@@ -54,16 +55,14 @@ public:
    PosIdx pos;

 private:
-    size_t size_, capacity_;
+    size_t size_ = 0;
    Attr attrs[0];

-    Bindings(size_t capacity)
-        : size_(0)
-        , capacity_(capacity)
-    {
-    }
-
-    Bindings(const Bindings & bindings) = delete;
+    Bindings() = default;
+    Bindings(const Bindings &) = delete;
+    Bindings(Bindings &&) = delete;
+    Bindings & operator=(const Bindings &) = delete;
+    Bindings & operator=(Bindings &&) = delete;

 public:
    size_t size() const
@@ -82,7 +81,6 @@ public:

    void push_back(const Attr & attr)
    {
-        assert(size_ < capacity_);
        attrs[size_++] = attr;
    }

@@ -136,11 +134,6 @@ public:

    void sort();

-    size_t capacity() const
-    {
-        return capacity_;
-    }
-
    /**
     * Returns the attributes in lexicographically sorted order.
     */
@@ -165,22 +158,29 @@ public:
 * order at the end. The only way to consume a BindingsBuilder is to
 * call finish(), which sorts the bindings.
 */
-class BindingsBuilder
+class BindingsBuilder final
 {
-    Bindings * bindings;
-
 public:
    // needed by std::back_inserter
    using value_type = Attr;
+    using size_type = Bindings::size_t;

-    EvalState & state;
+private:
+    Bindings * bindings;
+    Bindings::size_t capacity_;

-    BindingsBuilder(EvalState & state, Bindings * bindings)
+    friend class EvalState;
+
+    BindingsBuilder(EvalState & state, Bindings * bindings, size_type capacity)
        : bindings(bindings)
+        , capacity_(capacity)
        , state(state)
    {
    }

+public:
+    std::reference_wrapper<EvalState> state;
+
    void insert(Symbol name, Value * value, PosIdx pos = noPos)
    {
        insert(Attr(name, value, pos));
@@ -193,6 +193,7 @@ public:

    void push_back(const Attr & attr)
    {
+        assert(bindings->size() < capacity_);
        bindings->push_back(attr);
    }

@@ -211,16 +212,16 @@ public:
        return bindings;
    }

-    size_t capacity()
+    size_t capacity() const noexcept
    {
-        return bindings->capacity();
+        return capacity_;
    }

-    void grow(Bindings * newBindings)
+    void grow(BindingsBuilder newBindings)
    {
        for (auto & i : *bindings)
-            newBindings->push_back(i);
-        bindings = newBindings;
+            newBindings.push_back(i);
+        std::swap(*this, newBindings);
    }

    friend struct ExprAttrs;
--- a/src/libexpr/include/nix/expr/eval-error.hh
+++ b/src/libexpr/include/nix/expr/eval-error.hh
@@ -56,6 +56,14 @@ MakeError(MissingArgumentError, EvalError);
 MakeError(InfiniteRecursionError, EvalError);
 MakeError(IFDError, EvalBaseError);

+/**
+ * An evaluation error which should be retried instead of rethrown
+ *
+ * A RecoverableEvalError is not an EvalError, because we shouldn't cache it in the eval cache, as it should be retried
+ * anyway.
+ */
+MakeError(RecoverableEvalError, EvalBaseError);
+
 struct InvalidPathError : public EvalError
 {
 public:
--- a/src/libexpr/include/nix/expr/eval-inline.hh
+++ b/src/libexpr/include/nix/expr/eval-inline.hh
@@ -5,6 +5,7 @@
 #include "nix/expr/eval.hh"
 #include "nix/expr/eval-error.hh"
 #include "nix/expr/eval-settings.hh"
+#include <exception>

 namespace nix {

@@ -97,12 +98,19 @@ void EvalState::forceValue(Value & v, const PosIdx pos)
            else
                ExprBlackHole::throwInfiniteRecursionError(*this, v);
        } catch (...) {
-            v.mkThunk(env, expr);
-            tryFixupBlackHolePos(v, pos);
+            handleEvalExceptionForThunk(env, expr, v, pos);
            throw;
        }
-    } else if (v.isApp())
-        callFunction(*v.app().left, *v.app().right, v, pos);
+    } else if (v.isApp()) {
+        try {
+            callFunction(*v.app().left, *v.app().right, v, pos);
+        } catch (...) {
+            handleEvalExceptionForApp(v);
+            throw;
+        }
+    } else if (v.isFailed()) {
+        handleEvalFailed(v, pos);
+    }
 }

 [[gnu::always_inline]]
--- a/src/libexpr/include/nix/expr/eval.hh
+++ b/src/libexpr/include/nix/expr/eval.hh
@@ -213,23 +213,100 @@ struct DebugTrace
    }
 };

+struct StaticEvalSymbols
+{
+    Symbol with, outPath, drvPath, type, meta, name, value, system, overrides, outputs, outputName, ignoreNulls, file,
+        line, column, functor, toString, right, wrong, structuredAttrs, json, allowedReferences, allowedRequisites,
+        disallowedReferences, disallowedRequisites, maxSize, maxClosureSize, builder, args, contentAddressed, impure,
+        outputHash, outputHashAlgo, outputHashMode, recurseForDerivations, description, self, epsilon, startSet,
+        operator_, key, path, prefix, outputSpecified;
+
+    Expr::AstSymbols exprSymbols;
+
+    static constexpr auto preallocate()
+    {
+        StaticSymbolTable alloc;
+
+        StaticEvalSymbols staticSymbols = {
+            .with = alloc.create("<with>"),
+            .outPath = alloc.create("outPath"),
+            .drvPath = alloc.create("drvPath"),
+            .type = alloc.create("type"),
+            .meta = alloc.create("meta"),
+            .name = alloc.create("name"),
+            .value = alloc.create("value"),
+            .system = alloc.create("system"),
+            .overrides = alloc.create("__overrides"),
+            .outputs = alloc.create("outputs"),
+            .outputName = alloc.create("outputName"),
+            .ignoreNulls = alloc.create("__ignoreNulls"),
+            .file = alloc.create("file"),
+            .line = alloc.create("line"),
+            .column = alloc.create("column"),
+            .functor = alloc.create("__functor"),
+            .toString = alloc.create("__toString"),
+            .right = alloc.create("right"),
+            .wrong = alloc.create("wrong"),
+            .structuredAttrs = alloc.create("__structuredAttrs"),
+            .json = alloc.create("__json"),
+            .allowedReferences = alloc.create("allowedReferences"),
+            .allowedRequisites = alloc.create("allowedRequisites"),
+            .disallowedReferences = alloc.create("disallowedReferences"),
+            .disallowedRequisites = alloc.create("disallowedRequisites"),
+            .maxSize = alloc.create("maxSize"),
+            .maxClosureSize = alloc.create("maxClosureSize"),
+            .builder = alloc.create("builder"),
+            .args = alloc.create("args"),
+            .contentAddressed = alloc.create("__contentAddressed"),
+            .impure = alloc.create("__impure"),
+            .outputHash = alloc.create("outputHash"),
+            .outputHashAlgo = alloc.create("outputHashAlgo"),
+            .outputHashMode = alloc.create("outputHashMode"),
+            .recurseForDerivations = alloc.create("recurseForDerivations"),
+            .description = alloc.create("description"),
+            .self = alloc.create("self"),
+            .epsilon = alloc.create(""),
+            .startSet = alloc.create("startSet"),
+            .operator_ = alloc.create("operator"),
+            .key = alloc.create("key"),
+            .path = alloc.create("path"),
+            .prefix = alloc.create("prefix"),
+            .outputSpecified = alloc.create("outputSpecified"),
+            .exprSymbols = {
+                .sub = alloc.create("__sub"),
+                .lessThan = alloc.create("__lessThan"),
+                .mul = alloc.create("__mul"),
+                .div = alloc.create("__div"),
+                .or_ = alloc.create("or"),
+                .findFile = alloc.create("__findFile"),
+                .nixPath = alloc.create("__nixPath"),
+                .body = alloc.create("body"),
+            }};
+
+        return std::pair{staticSymbols, alloc};
+    }
+
+    static consteval StaticEvalSymbols create()
+    {
+        return preallocate().first;
+    }
+
+    static constexpr StaticSymbolTable staticSymbolTable()
+    {
+        return preallocate().second;
+    }
+};
+
 class EvalState : public std::enable_shared_from_this<EvalState>
 {
 public:
+    static constexpr StaticEvalSymbols s = StaticEvalSymbols::create();
+
    const fetchers::Settings & fetchSettings;
    const EvalSettings & settings;
    SymbolTable symbols;
    PosTable positions;

-    const Symbol sWith, sOutPath, sDrvPath, sType, sMeta, sName, sValue, sSystem, sOverrides, sOutputs, sOutputName,
-        sIgnoreNulls, sFile, sLine, sColumn, sFunctor, sToString, sRight, sWrong, sStructuredAttrs, sJson,
-        sAllowedReferences, sAllowedRequisites, sDisallowedReferences, sDisallowedRequisites, sMaxSize, sMaxClosureSize,
-        sBuilder, sArgs, sContentAddressed, sImpure, sOutputHash, sOutputHashAlgo, sOutputHashMode,
-        sRecurseForDerivations, sDescription, sSelf, sEpsilon, sStartSet, sOperator, sKey, sPath, sPrefix,
-        sOutputSpecified;
-
-    const Expr::AstSymbols exprSymbols;
-
    /**
     * If set, force copying files to the Nix store even if they
     * already exist there.
@@ -533,8 +610,28 @@ public:
     */
    inline void forceValue(Value & v, const PosIdx pos);

+private:
+
+    /**
+     * Internal support function for forceValue
+     *
+     * This code is factored out so that it's not in the heavily inlined hot path.
+     */
+    void handleEvalExceptionForThunk(Env * env, Expr * expr, Value & v, const PosIdx pos);
+
+    /**
+     * Internal support function for forceValue
+     *
+     * This code is factored out so that it's not in the heavily inlined hot path.
+     */
+    void handleEvalExceptionForApp(Value & v);
+
+    void handleEvalFailed(Value & v, PosIdx pos);
+
    void tryFixupBlackHolePos(Value & v, PosIdx pos);

+public:
+
    /**
     * Force a value, then recursively force list elements and
     * attributes.
@@ -802,7 +899,7 @@ public:

    BindingsBuilder buildBindings(size_t capacity)
    {
-        return BindingsBuilder(*this, allocBindings(capacity));
+        return BindingsBuilder(*this, allocBindings(capacity), capacity);
    }

    ListBuilder buildList(size_t size)
--- a/src/libexpr/include/nix/expr/nixexpr.hh
+++ b/src/libexpr/include/nix/expr/nixexpr.hh
@@ -158,7 +158,7 @@ struct ExprString : Expr
    ExprString(std::string && s)
        : s(std::move(s))
    {
-        v.mkString(this->s.data());
+        v.mkStringNoCopy(this->s.data());
    };

    Value * maybeThunk(EvalState & state, Env & env) override;
@@ -595,12 +595,17 @@ struct ExprOpNot : Expr
        {                                                                                    \
            return pos;                                                                      \
        }                                                                                    \
-    };
+    }

-MakeBinOp(ExprOpEq, "==") MakeBinOp(ExprOpNEq, "!=") MakeBinOp(ExprOpAnd, "&&") MakeBinOp(ExprOpOr, "||")
-    MakeBinOp(ExprOpImpl, "->") MakeBinOp(ExprOpUpdate, "//") MakeBinOp(ExprOpConcatLists, "++")
+MakeBinOp(ExprOpEq, "==");
+MakeBinOp(ExprOpNEq, "!=");
+MakeBinOp(ExprOpAnd, "&&");
+MakeBinOp(ExprOpOr, "||");
+MakeBinOp(ExprOpImpl, "->");
+MakeBinOp(ExprOpUpdate, "//");
+MakeBinOp(ExprOpConcatLists, "++");

-        struct ExprConcatStrings : Expr
+struct ExprConcatStrings : Expr
 {
    PosIdx pos;
    bool forceString;
--- a/src/libexpr/include/nix/expr/parser-state.hh
+++ b/src/libexpr/include/nix/expr/parser-state.hh
@@ -88,7 +88,7 @@ struct ParserState
    SourcePath basePath;
    PosTable::Origin origin;
    const ref<SourceAccessor> rootFS;
-    const Expr::AstSymbols & s;
+    static constexpr Expr::AstSymbols s = StaticEvalSymbols::create().exprSymbols;
    const EvalSettings & settings;

    void dupAttr(const AttrPath & attrPath, const PosIdx pos, const PosIdx prevPos);
--- a/src/libexpr/include/nix/expr/symbol-table.hh
+++ b/src/libexpr/include/nix/expr/symbol-table.hh
@@ -28,6 +28,8 @@ public:
    }
 };

+class StaticSymbolTable;
+
 /**
 * Symbols have the property that they can be compared efficiently
 * (using an equality test), because the symbol table stores only one
@@ -37,36 +39,38 @@ class Symbol
 {
    friend class SymbolStr;
    friend class SymbolTable;
+    friend class StaticSymbolTable;

 private:
    uint32_t id;

-    explicit Symbol(uint32_t id) noexcept
+    explicit constexpr Symbol(uint32_t id) noexcept
        : id(id)
    {
    }

 public:
-    Symbol() noexcept
+    constexpr Symbol() noexcept
        : id(0)
    {
    }

    [[gnu::always_inline]]
-    explicit operator bool() const noexcept
+    constexpr explicit operator bool() const noexcept
    {
        return id > 0;
    }

-    auto operator<=>(const Symbol other) const noexcept
+    /**
+     * The ID is a private implementation detail that should generally not be observed. However, we expose here just for
+     * sake of `switch...case`, which needs to dispatch on numbers. */
+    [[gnu::always_inline]]
+    constexpr uint32_t getId() const noexcept
    {
-        return id <=> other.id;
+        return id;
    }

-    bool operator==(const Symbol other) const noexcept
-    {
-        return id == other.id;
-    }
+    constexpr auto operator<=>(const Symbol & other) const noexcept = default;

    friend class std::hash<Symbol>;
 };
@@ -118,12 +122,12 @@ public:
        // for multi-threaded implementations: lock store and allocator here
        const auto & [v, idx] = key.store.add(SymbolValue{});
        if (size == 0) {
-            v.mkString("", nullptr);
+            v.mkStringNoCopy("", nullptr);
        } else {
            auto s = key.alloc.allocate(size + 1);
            memcpy(s, key.s.data(), size);
            s[size] = '\0';
-            v.mkString(s, nullptr);
+            v.mkStringNoCopy(s, nullptr);
        }
        v.size_ = size;
        v.idx = idx;
@@ -210,6 +214,39 @@ public:
    };
 };

+class SymbolTable;
+
+/**
+ * Convenience class to statically assign symbol identifiers at compile-time.
+ */
+class StaticSymbolTable
+{
+    static constexpr std::size_t maxSize = 1024;
+
+    struct StaticSymbolInfo
+    {
+        std::string_view str;
+        Symbol sym;
+    };
+
+    std::array<StaticSymbolInfo, maxSize> symbols;
+    std::size_t size = 0;
+
+public:
+    constexpr StaticSymbolTable() = default;
+
+    constexpr Symbol create(std::string_view str)
+    {
+        /* No need to check bounds because out of bounds access is
+           a compilation error. */
+        auto sym = Symbol(size + 1); //< +1 because Symbol with id = 0 is reserved
+        symbols[size++] = {str, sym};
+        return sym;
+    }
+
+    void copyIntoSymbolTable(SymbolTable & symtab) const;
+};
+
 /**
 * Symbol table used by the parser and evaluator to represent and look
 * up identifiers and attributes efficiently.
@@ -232,6 +269,10 @@ private:
    boost::unordered_flat_set<SymbolStr, SymbolStr::Hash, SymbolStr::Equal> symbols{SymbolStr::chunkSize};

 public:
+    SymbolTable(const StaticSymbolTable & staticSymtab)
+    {
+        staticSymtab.copyIntoSymbolTable(*this);
+    }

    /**
     * Converts a string into a symbol.
@@ -276,6 +317,16 @@ public:
    }
 };

+inline void StaticSymbolTable::copyIntoSymbolTable(SymbolTable & symtab) const
+{
+    for (std::size_t i = 0; i < size; ++i) {
+        auto [str, staticSym] = symbols[i];
+        auto sym = symtab.create(str);
+        if (sym != staticSym) [[unlikely]]
+            unreachable();
+    }
+}
+
 } // namespace nix

 template<>
--- a/src/libexpr/include/nix/expr/value.hh
+++ b/src/libexpr/include/nix/expr/value.hh
@@ -2,6 +2,7 @@
 ///@file

 #include <cassert>
+#include <exception>
 #include <span>
 #include <type_traits>
 #include <concepts>
@@ -35,6 +36,7 @@ typedef enum {
    tBool,
    tNull,
    tFloat,
+    tFailed,
    tExternal,
    tPrimOp,
    tAttrs,
@@ -57,6 +59,7 @@ typedef enum {
 */
 typedef enum {
    nThunk,
+    nFailed,
    nInt,
    nFloat,
    nBool,
@@ -265,6 +268,30 @@ struct ValueBase
        size_t size;
        Value * const * elems;
    };
+
+    /**
+      Representation of an evaluation that previously failed.
+
+      `Value` references `Failed` by packed pointer, and its `new` is GC managed.
+
+      @see gc_cleanup std::exception_ptr
+     */
+    class Failed : public gc_cleanup
+    {
+    public:
+        std::exception_ptr ex;
+        /**
+         * Optional value for recovering `RecoverableEvalError`
+         * Must be set iff `ex` is an instance of `RecoverableEvalError`.
+         */
+        Value * recoveryValue;
+
+        Failed(std::exception_ptr ex, Value * recoveryValue)
+            : ex(ex)
+            , recoveryValue(recoveryValue)
+        {
+        }
+    };
 };

 template<typename T>
@@ -291,6 +318,7 @@ struct PayloadTypeToInternalType
    MACRO(PrimOp *, primOp, tPrimOp)                                \
    MACRO(ValueBase::PrimOpApplicationThunk, primOpApp, tPrimOpApp) \
    MACRO(ExternalValueBase *, external, tExternal)                 \
+    MACRO(ValueBase::Failed *, failed, tFailed)                     \
    MACRO(NixFloat, fpoint, tFloat)

 #define NIX_VALUE_PAYLOAD_TYPE(T, FIELD_NAME, DISCRIMINATOR) \
@@ -369,7 +397,7 @@ namespace detail {
 /* Whether to use a specialization of ValueStorage that does bitpacking into
   alignment niches. */
 template<std::size_t ptrSize>
-inline constexpr bool useBitPackedValueStorage = (ptrSize == 8) && (__STDCPP_DEFAULT_NEW_ALIGNMENT__ >= 8);
+inline constexpr bool useBitPackedValueStorage = (ptrSize == 8) && (__STDCPP_DEFAULT_NEW_ALIGNMENT__ >= 16);

 } // namespace detail

@@ -378,7 +406,8 @@ inline constexpr bool useBitPackedValueStorage = (ptrSize == 8) && (__STDCPP_DEF
 * Packs discriminator bits into the pointer alignment niches.
 */
 template<std::size_t ptrSize>
-class ValueStorage<ptrSize, std::enable_if_t<detail::useBitPackedValueStorage<ptrSize>>> : public detail::ValueBase
+class alignas(16) ValueStorage<ptrSize, std::enable_if_t<detail::useBitPackedValueStorage<ptrSize>>>
+    : public detail::ValueBase
 {
    /* Needs a dependent type name in order for member functions (and
     * potentially ill-formed bit casts) to be SFINAE'd out.
@@ -594,6 +623,11 @@ protected:
        path.path = std::bit_cast<const char *>(payload[1]);
    }

+    void getStorage(Failed *& failed) const noexcept
+    {
+        failed = std::bit_cast<Failed *>(payload[1]);
+    }
+
    void setStorage(NixInt integer) noexcept
    {
        setSingleDWordPayload<tInt>(integer.value);
@@ -643,6 +677,11 @@ protected:
    {
        setUntaggablePayload<pdPath>(path.accessor, path.path);
    }
+
+    void setStorage(Failed * failed) noexcept
+    {
+        setSingleDWordPayload<tFailed>(std::bit_cast<PackedPointer>(failed));
+    }
 };

 /**
@@ -865,12 +904,12 @@ public:
    inline bool isThunk() const
    {
        return isa<tThunk>();
-    };
+    }

    inline bool isApp() const
    {
        return isa<tApp>();
-    };
+    }

    inline bool isBlackhole() const;

@@ -878,17 +917,22 @@ public:
    inline bool isLambda() const
    {
        return isa<tLambda>();
-    };
+    }

    inline bool isPrimOp() const
    {
        return isa<tPrimOp>();
-    };
+    }

    inline bool isPrimOpApp() const
    {
        return isa<tPrimOpApp>();
-    };
+    }
+
+    inline bool isFailed() const
+    {
+        return isa<tFailed>();
+    }

    /**
     * Returns the normal type of a Value. This only returns nThunk if
@@ -925,6 +969,8 @@ public:
            return nExternal;
        case tFloat:
            return nFloat;
+        case tFailed:
+            return nFailed;
        case tThunk:
        case tApp:
            return nThunk;
@@ -960,7 +1006,7 @@ public:
        setStorage(b);
    }

-    inline void mkString(const char * s, const char ** context = 0) noexcept
+    void mkStringNoCopy(const char * s, const char ** context = 0) noexcept
    {
        setStorage(StringWithContext{.c_str = s, .context = context});
    }
@@ -972,7 +1018,6 @@ public:
    void mkStringMove(const char * s, const NixStringContext & context);

    void mkPath(const SourcePath & path);
-    void mkPath(std::string_view path);

    inline void mkPath(SourceAccessor * accessor, const char * path) noexcept
    {
@@ -993,12 +1038,20 @@ public:

    void mkList(const ListBuilder & builder) noexcept
    {
-        if (builder.size == 1)
+        switch (builder.size) {
+        case 0:
+            setStorage(List{.size = 0, .elems = nullptr});
+            break;
+        case 1:
            setStorage(std::array<Value *, 2>{builder.inlineElems[0], nullptr});
-        else if (builder.size == 2)
+            break;
+        case 2:
            setStorage(std::array<Value *, 2>{builder.inlineElems[0], builder.inlineElems[1]});
-        else
+            break;
+        default:
            setStorage(List{.size = builder.size, .elems = builder.elems});
+            break;
+        }
    }

    inline void mkThunk(Env * e, Expr * ex) noexcept
@@ -1040,6 +1093,11 @@ public:
        setStorage(n);
    }

+    inline void mkFailed(std::exception_ptr e, Value * recovery) noexcept
+    {
+        setStorage(new Value::Failed(e, recovery));
+    }
+
    bool isList() const noexcept
    {
        return isa<tListSmall, tListN>();
@@ -1143,6 +1201,11 @@ public:
    {
        return getStorage<Path>().accessor;
    }
+
+    Failed * failed() const noexcept
+    {
+        return getStorage<Failed *>();
+    }
 };

 extern ExprBlackHole eBlackHole;
--- a/src/libexpr/parser.y
+++ b/src/libexpr/parser.y
@@ -68,8 +68,7 @@ Expr * parseExprFromBuf(
    const EvalSettings & settings,
    PosTable & positions,
    DocCommentMap & docComments,
-    const ref<SourceAccessor> rootFS,
-    const Expr::AstSymbols & astSymbols);
+    const ref<SourceAccessor> rootFS);

 }

@@ -542,8 +541,7 @@ Expr * parseExprFromBuf(
    const EvalSettings & settings,
    PosTable & positions,
    DocCommentMap & docComments,
-    const ref<SourceAccessor> rootFS,
-    const Expr::AstSymbols & astSymbols)
+    const ref<SourceAccessor> rootFS)
 {
    yyscan_t scanner;
    LexerState lexerState {
@@ -558,7 +556,6 @@ Expr * parseExprFromBuf(
        .basePath = basePath,
        .origin = lexerState.origin,
        .rootFS = rootFS,
-        .s = astSymbols,
        .settings = settings,
    };

--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -214,20 +214,20 @@ void derivationToValue(
    auto path2 = path.path.abs();
    Derivation drv = state.store->readDerivation(storePath);
    auto attrs = state.buildBindings(3 + drv.outputs.size());
-    attrs.alloc(state.sDrvPath)
+    attrs.alloc(state.s.drvPath)
        .mkString(
            path2,
            {
                NixStringContextElem::DrvDeep{.drvPath = storePath},
            });
-    attrs.alloc(state.sName).mkString(drv.env["name"]);
+    attrs.alloc(state.s.name).mkString(drv.env["name"]);

    auto list = state.buildList(drv.outputs.size());
    for (const auto & [i, o] : enumerate(drv.outputs)) {
        mkOutputString(state, attrs, storePath, o);
        (list[i] = state.allocValue())->mkString(o.first);
    }
-    attrs.alloc(state.sOutputs).mkList(list);
+    attrs.alloc(state.s.outputs).mkList(list);

    auto w = state.allocValue();
    w->mkAttrs(attrs);
@@ -483,42 +483,41 @@ void prim_exec(EvalState & state, const PosIdx pos, Value ** args, Value & v)
 static void prim_typeOf(EvalState & state, const PosIdx pos, Value ** args, Value & v)
 {
    state.forceValue(*args[0], pos);
-    std::string t;
    switch (args[0]->type()) {
    case nInt:
-        t = "int";
+        v.mkStringNoCopy("int");
        break;
    case nBool:
-        t = "bool";
+        v.mkStringNoCopy("bool");
        break;
    case nString:
-        t = "string";
+        v.mkStringNoCopy("string");
        break;
    case nPath:
-        t = "path";
+        v.mkStringNoCopy("path");
        break;
    case nNull:
-        t = "null";
+        v.mkStringNoCopy("null");
        break;
    case nAttrs:
-        t = "set";
+        v.mkStringNoCopy("set");
        break;
    case nList:
-        t = "list";
+        v.mkStringNoCopy("list");
        break;
    case nFunction:
-        t = "lambda";
+        v.mkStringNoCopy("lambda");
        break;
    case nExternal:
-        t = args[0]->external()->typeOf();
+        v.mkString(args[0]->external()->typeOf());
        break;
    case nFloat:
-        t = "float";
+        v.mkStringNoCopy("float");
        break;
    case nThunk:
+    case nFailed:
        unreachable();
    }
-    v.mkString(t);
 }

 static RegisterPrimOp primop_typeOf({
@@ -731,7 +730,7 @@ static void prim_genericClosure(EvalState & state, const PosIdx pos, Value ** ar

    /* Get the start set. */
    auto startSet = state.getAttr(
-        state.sStartSet, args[0]->attrs(), "in the attrset passed as argument to builtins.genericClosure");
+        state.s.startSet, args[0]->attrs(), "in the attrset passed as argument to builtins.genericClosure");

    state.forceList(
        *startSet->value,
@@ -749,7 +748,7 @@ static void prim_genericClosure(EvalState & state, const PosIdx pos, Value ** ar

    /* Get the operator. */
    auto op = state.getAttr(
-        state.sOperator, args[0]->attrs(), "in the attrset passed as argument to builtins.genericClosure");
+        state.s.operator_, args[0]->attrs(), "in the attrset passed as argument to builtins.genericClosure");
    state.forceFunction(
        *op->value, noPos, "while evaluating the 'operator' attribute passed as argument to builtins.genericClosure");

@@ -771,7 +770,7 @@ static void prim_genericClosure(EvalState & state, const PosIdx pos, Value ** ar
            "while evaluating one of the elements generated by (or initially passed to) builtins.genericClosure");

        auto key = state.getAttr(
-            state.sKey,
+            state.s.key,
            e->attrs(),
            "in one of the attrsets generated by (or initially passed to) builtins.genericClosure");
        state.forceValue(*key->value, noPos);
@@ -1076,11 +1075,11 @@ static void prim_tryEval(EvalState & state, const PosIdx pos, Value ** args, Val

    try {
        state.forceValue(*args[0], pos);
-        attrs.insert(state.sValue, args[0]);
+        attrs.insert(state.s.value, args[0]);
        attrs.insert(state.symbols.create("success"), &state.vTrue);
    } catch (AssertionError & e) {
        // `value = false;` is unfortunate but removing it is a breaking change.
-        attrs.insert(state.sValue, &state.vFalse);
+        attrs.insert(state.s.value, &state.vFalse);
        attrs.insert(state.symbols.create("success"), &state.vFalse);
    }

@@ -1292,7 +1291,8 @@ static void prim_derivationStrict(EvalState & state, const PosIdx pos, Value **
    auto attrs = args[0]->attrs();

    /* Figure out the name first (for stack backtraces). */
-    auto nameAttr = state.getAttr(state.sName, attrs, "in the attrset passed as argument to builtins.derivationStrict");
+    auto nameAttr =
+        state.getAttr(state.s.name, attrs, "in the attrset passed as argument to builtins.derivationStrict");

    std::string_view drvName;
    try {
@@ -1366,7 +1366,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
    using nlohmann::json;
    std::optional<StructuredAttrs> jsonObject;
    auto pos = v.determinePos(noPos);
-    auto attr = attrs->find(state.sStructuredAttrs);
+    auto attr = attrs->find(state.s.structuredAttrs);
    if (attr != attrs->end()
        && state.forceBool(
            *attr->value,
@@ -1377,7 +1377,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName

    /* Check whether null attributes should be ignored. */
    bool ignoreNulls = false;
-    attr = attrs->find(state.sIgnoreNulls);
+    attr = attrs->find(state.s.ignoreNulls);
    if (attr != attrs->end())
        ignoreNulls = state.forceBool(
            *attr->value,
@@ -1401,7 +1401,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
    outputs.insert("out");

    for (auto & i : attrs->lexicographicOrder(state.symbols)) {
-        if (i->name == state.sIgnoreNulls)
+        if (i->name == state.s.ignoreNulls)
            continue;
        auto key = state.symbols[i->name];
        vomit("processing attribute '%1%'", key);
@@ -1453,19 +1453,22 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
                    continue;
            }

-            if (i->name == state.sContentAddressed && state.forceBool(*i->value, pos, context_below)) {
-                contentAddressed = true;
-                experimentalFeatureSettings.require(Xp::CaDerivations);
-            }
-
-            else if (i->name == state.sImpure && state.forceBool(*i->value, pos, context_below)) {
-                isImpure = true;
-                experimentalFeatureSettings.require(Xp::ImpureDerivations);
-            }
-
+            switch (i->name.getId()) {
+            case EvalState::s.contentAddressed.getId():
+                if (state.forceBool(*i->value, pos, context_below)) {
+                    contentAddressed = true;
+                    experimentalFeatureSettings.require(Xp::CaDerivations);
+                }
+                break;
+            case EvalState::s.impure.getId():
+                if (state.forceBool(*i->value, pos, context_below)) {
+                    isImpure = true;
+                    experimentalFeatureSettings.require(Xp::ImpureDerivations);
+                }
+                break;
            /* The `args' attribute is special: it supplies the
               command-line arguments to the builder. */
-            else if (i->name == state.sArgs) {
+            case EvalState::s.args.getId():
                state.forceList(*i->value, pos, context_below);
                for (auto elem : i->value->listView()) {
                    auto s = state
@@ -1474,86 +1477,116 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
                                 .toOwned();
                    drv.args.push_back(s);
                }
-            }
-
+                break;
            /* All other attributes are passed to the builder through
               the environment. */
-            else {
+            default:

                if (jsonObject) {

-                    if (i->name == state.sStructuredAttrs)
+                    if (i->name == state.s.structuredAttrs)
                        continue;

                    jsonObject->structuredAttrs.emplace(key, printValueAsJSON(state, true, *i->value, pos, context));

-                    if (i->name == state.sBuilder)
+                    switch (i->name.getId()) {
+                    case EvalState::s.builder.getId():
                        drv.builder = state.forceString(*i->value, context, pos, context_below);
-                    else if (i->name == state.sSystem)
+                        break;
+                    case EvalState::s.system.getId():
                        drv.platform = state.forceStringNoCtx(*i->value, pos, context_below);
-                    else if (i->name == state.sOutputHash)
+                        break;
+                    case EvalState::s.outputHash.getId():
                        outputHash = state.forceStringNoCtx(*i->value, pos, context_below);
-                    else if (i->name == state.sOutputHashAlgo)
+                        break;
+                    case EvalState::s.outputHashAlgo.getId():
                        outputHashAlgo = parseHashAlgoOpt(state.forceStringNoCtx(*i->value, pos, context_below));
-                    else if (i->name == state.sOutputHashMode)
+                        break;
+                    case EvalState::s.outputHashMode.getId():
                        handleHashMode(state.forceStringNoCtx(*i->value, pos, context_below));
-                    else if (i->name == state.sOutputs) {
-                        /* Require ‘outputs’ to be a list of strings. */
+                        break;
+                    case EvalState::s.outputs.getId(): {
+                        /* Require 'outputs' to be a list of strings. */
                        state.forceList(*i->value, pos, context_below);
                        Strings ss;
                        for (auto elem : i->value->listView())
                            ss.emplace_back(state.forceStringNoCtx(*elem, pos, context_below));
                        handleOutputs(ss);
+                        break;
+                    }
+                    default:
+                        break;
                    }

-                    if (i->name == state.sAllowedReferences)
+                    switch (i->name.getId()) {
+                    case EvalState::s.allowedReferences.getId():
                        warn(
                            "In a derivation named '%s', 'structuredAttrs' disables the effect of the derivation attribute 'allowedReferences'; use 'outputChecks.<output>.allowedReferences' instead",
                            drvName);
-                    if (i->name == state.sAllowedRequisites)
+                        break;
+                    case EvalState::s.allowedRequisites.getId():
                        warn(
                            "In a derivation named '%s', 'structuredAttrs' disables the effect of the derivation attribute 'allowedRequisites'; use 'outputChecks.<output>.allowedRequisites' instead",
                            drvName);
-                    if (i->name == state.sDisallowedReferences)
+                        break;
+                    case EvalState::s.disallowedReferences.getId():
                        warn(
                            "In a derivation named '%s', 'structuredAttrs' disables the effect of the derivation attribute 'disallowedReferences'; use 'outputChecks.<output>.disallowedReferences' instead",
                            drvName);
-                    if (i->name == state.sDisallowedRequisites)
+                        break;
+                    case EvalState::s.disallowedRequisites.getId():
                        warn(
                            "In a derivation named '%s', 'structuredAttrs' disables the effect of the derivation attribute 'disallowedRequisites'; use 'outputChecks.<output>.disallowedRequisites' instead",
                            drvName);
-                    if (i->name == state.sMaxSize)
+                        break;
+                    case EvalState::s.maxSize.getId():
                        warn(
                            "In a derivation named '%s', 'structuredAttrs' disables the effect of the derivation attribute 'maxSize'; use 'outputChecks.<output>.maxSize' instead",
                            drvName);
-                    if (i->name == state.sMaxClosureSize)
+                        break;
+                    case EvalState::s.maxClosureSize.getId():
                        warn(
                            "In a derivation named '%s', 'structuredAttrs' disables the effect of the derivation attribute 'maxClosureSize'; use 'outputChecks.<output>.maxClosureSize' instead",
                            drvName);
+                        break;
+                    default:
+                        break;
+                    }

                } else {
                    auto s = state.coerceToString(pos, *i->value, context, context_below, true).toOwned();
-                    if (i->name == state.sJson) {
+                    if (i->name == state.s.json) {
                        warn(
                            "In derivation '%s': setting structured attributes via '__json' is deprecated, and may be disallowed in future versions of Nix. Set '__structuredAttrs = true' instead.",
                            drvName);
                        drv.structuredAttrs = StructuredAttrs::parse(s);
                    } else {
                        drv.env.emplace(key, s);
-                        if (i->name == state.sBuilder)
+                        switch (i->name.getId()) {
+                        case EvalState::s.builder.getId():
                            drv.builder = std::move(s);
-                        else if (i->name == state.sSystem)
+                            break;
+                        case EvalState::s.system.getId():
                            drv.platform = std::move(s);
-                        else if (i->name == state.sOutputHash)
+                            break;
+                        case EvalState::s.outputHash.getId():
                            outputHash = std::move(s);
-                        else if (i->name == state.sOutputHashAlgo)
+                            break;
+                        case EvalState::s.outputHashAlgo.getId():
                            outputHashAlgo = parseHashAlgoOpt(s);
-                        else if (i->name == state.sOutputHashMode)
+                            break;
+                        case EvalState::s.outputHashMode.getId():
                            handleHashMode(s);
-                        else if (i->name == state.sOutputs)
+                            break;
+                        case EvalState::s.outputs.getId():
                            handleOutputs(tokenizeString<Strings>(s));
+                            break;
+                        default:
+                            break;
+                        }
                    }
                }
+                break;
            }

        } catch (Error & e) {
@@ -1722,7 +1755,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
    }

    auto result = state.buildBindings(1 + drv.outputs.size());
-    result.alloc(state.sDrvPath)
+    result.alloc(state.s.drvPath)
        .mkString(
            drvPathS,
            {
@@ -1939,13 +1972,8 @@ static void prim_dirOf(EvalState & state, const PosIdx pos, Value ** args, Value
        NixStringContext context;
        auto path = state.coerceToString(
            pos, *args[0], context, "while evaluating the first argument passed to 'builtins.dirOf'", false, false);
-        auto pos = path->rfind('/');
-        if (pos == path->npos)
-            v.mkStringMove(".", context);
-        else if (pos == 0)
-            v.mkStringMove("/", context);
-        else
-            v.mkString(path->substr(0, pos), context);
+        auto dir = dirOf(*path);
+        v.mkString(dir, context);
    }
 }

@@ -2011,14 +2039,14 @@ static void prim_findFile(EvalState & state, const PosIdx pos, Value ** args, Va
        state.forceAttrs(*v2, pos, "while evaluating an element of the list passed to builtins.findFile");

        std::string prefix;
-        auto i = v2->attrs()->find(state.sPrefix);
+        auto i = v2->attrs()->find(state.s.prefix);
        if (i != v2->attrs()->end())
            prefix = state.forceStringNoCtx(
                *i->value,
                pos,
                "while evaluating the `prefix` attribute of an element of the list passed to builtins.findFile");

-        i = state.getAttr(state.sPath, v2->attrs(), "in an element of the __nixPath");
+        i = state.getAttr(state.s.path, v2->attrs(), "in an element of the __nixPath");

        NixStringContext context;
        auto path =
@@ -2355,7 +2383,7 @@ static void prim_toXML(EvalState & state, const PosIdx pos, Value ** args, Value
    std::ostringstream out;
    NixStringContext context;
    printValueAsXML(state, true, false, *args[0], out, context, pos);
-    v.mkString(out.view(), context);
+    v.mkString(toView(out), context);
 }

 static RegisterPrimOp primop_toXML({
@@ -2463,7 +2491,7 @@ static void prim_toJSON(EvalState & state, const PosIdx pos, Value ** args, Valu
    std::ostringstream out;
    NixStringContext context;
    printValueAsJSON(state, true, *args[0], pos, out, context);
-    v.mkString(out.view(), context);
+    v.mkString(toView(out), context);
 }

 static RegisterPrimOp primop_toJSON({
@@ -2791,7 +2819,7 @@ static void prim_path(EvalState & state, const PosIdx pos, Value ** args, Value
        if (n == "path")
            path.emplace(state.coerceToPath(
                attr.pos, *attr.value, context, "while evaluating the 'path' attribute passed to 'builtins.path'"));
-        else if (attr.name == state.sName)
+        else if (attr.name == state.s.name)
            name = state.forceStringNoCtx(
                *attr.value, attr.pos, "while evaluating the `name` attribute passed to builtins.path");
        else if (n == "filter")
@@ -3110,7 +3138,7 @@ static void prim_listToAttrs(EvalState & state, const PosIdx pos, Value ** args,
    for (const auto & [n, v2] : enumerate(listView)) {
        state.forceAttrs(*v2, pos, "while evaluating an element of the list passed to builtins.listToAttrs");

-        auto j = state.getAttr(state.sName, v2->attrs(), "in a {name=...; value=...;} pair");
+        auto j = state.getAttr(state.s.name, v2->attrs(), "in a {name=...; value=...;} pair");

        auto name = state.forceStringNoCtx(
            *j->value,
@@ -3137,7 +3165,7 @@ static void prim_listToAttrs(EvalState & state, const PosIdx pos, Value ** args,
        // Note that .value is actually a Value * *; see earlier comments
        Value * v2 = *std::bit_cast<ElemPtr>(attr.value);

-        auto j = state.getAttr(state.sValue, v2->attrs(), "in a {name=...; value=...;} pair");
+        auto j = state.getAttr(state.s.value, v2->attrs(), "in a {name=...; value=...;} pair");
        prev = attr.name;
        bindings.push_back({prev, j->value, j->pos});
    }
@@ -3953,13 +3981,13 @@ static void prim_partition(EvalState & state, const PosIdx pos, Value ** args, V
    auto rlist = state.buildList(rsize);
    if (rsize)
        memcpy(rlist.elems, right.data(), sizeof(Value *) * rsize);
-    attrs.alloc(state.sRight).mkList(rlist);
+    attrs.alloc(state.s.right).mkList(rlist);

    auto wsize = wrong.size();
    auto wlist = state.buildList(wsize);
    if (wsize)
        memcpy(wlist.elems, wrong.data(), sizeof(Value *) * wsize);
-    attrs.alloc(state.sWrong).mkList(wlist);
+    attrs.alloc(state.s.wrong).mkList(wlist);

    v.mkAttrs(attrs);
 }
@@ -4353,7 +4381,7 @@ static void prim_substring(EvalState & state, const PosIdx pos, Value ** args, V
    if (len == 0) {
        state.forceValue(*args[2], pos);
        if (args[2]->type() == nString) {
-            v.mkString("", args[2]->context());
+            v.mkStringNoCopy("", args[2]->context());
            return;
        }
    }
@@ -4878,7 +4906,7 @@ static void prim_parseDrvName(EvalState & state, const PosIdx pos, Value ** args
        state.forceStringNoCtx(*args[0], pos, "while evaluating the first argument passed to builtins.parseDrvName");
    DrvName parsed(name);
    auto attrs = state.buildBindings(2);
-    attrs.alloc(state.sName).mkString(parsed.name);
+    attrs.alloc(state.s.name).mkString(parsed.name);
    attrs.alloc("version").mkString(parsed.version);
    v.mkAttrs(attrs);
 }
--- a/src/libexpr/primops/context.cc
+++ b/src/libexpr/primops/context.cc
@@ -219,7 +219,7 @@ static void prim_getContext(EvalState & state, const PosIdx pos, Value ** args,
            auto list = state.buildList(info.second.outputs.size());
            for (const auto & [i, output] : enumerate(info.second.outputs))
                (list[i] = state.allocValue())->mkString(output);
-            infoAttrs.alloc(state.sOutputs).mkList(list);
+            infoAttrs.alloc(state.s.outputs).mkList(list);
        }
        attrs.alloc(state.store->printStorePath(info.first)).mkAttrs(infoAttrs);
    }
@@ -300,7 +300,7 @@ static void prim_appendContext(EvalState & state, const PosIdx pos, Value ** arg
            }
        }

-        if (auto attr = i.value->attrs()->get(state.sOutputs)) {
+        if (auto attr = i.value->attrs()->get(state.s.outputs)) {
            state.forceList(*attr->value, attr->pos, "while evaluating the `outputs` attribute of a string context");
            if (attr->value->listSize() && !isDerivation(name)) {
                state
--- a/src/libexpr/primops/fetchMercurial.cc
+++ b/src/libexpr/primops/fetchMercurial.cc
@@ -84,7 +84,7 @@ static void prim_fetchMercurial(EvalState & state, const PosIdx pos, Value ** ar
    auto [storePath, input2] = input.fetchToStore(state.store);

    auto attrs2 = state.buildBindings(8);
-    state.mkStorePathString(storePath, attrs2.alloc(state.sOutPath));
+    state.mkStorePathString(storePath, attrs2.alloc(state.s.outPath));
    if (input2.getRef())
        attrs2.alloc("branch").mkString(*input2.getRef());
    // Backward compatibility: set 'rev' to
--- a/src/libexpr/primops/fetchTree.cc
+++ b/src/libexpr/primops/fetchTree.cc
@@ -29,7 +29,7 @@ void emitTreeAttrs(
 {
    auto attrs = state.buildBindings(100);

-    state.mkStorePathString(storePath, attrs.alloc(state.sOutPath));
+    state.mkStorePathString(storePath, attrs.alloc(state.s.outPath));

    // FIXME: support arbitrary input attributes.

@@ -95,7 +95,7 @@ static void fetchTree(

        fetchers::Attrs attrs;

-        if (auto aType = args[0]->attrs()->get(state.sType)) {
+        if (auto aType = args[0]->attrs()->get(state.s.type)) {
            if (type)
                state.error<EvalError>("unexpected argument 'type'").atPos(pos).debugThrow();
            type = state.forceStringNoCtx(
@@ -106,14 +106,14 @@ static void fetchTree(
        attrs.emplace("type", type.value());

        for (auto & attr : *args[0]->attrs()) {
-            if (attr.name == state.sType)
+            if (attr.name == state.s.type)
                continue;
            state.forceValue(*attr.value, attr.pos);
            if (attr.value->type() == nPath || attr.value->type() == nString) {
                auto s = state.coerceToString(attr.pos, *attr.value, context, "", false, false).toOwned();
                attrs.emplace(
                    state.symbols[attr.name],
-                    params.isFetchGit && state.symbols[attr.name] == "url" ? fixGitURL(s) : s);
+                    params.isFetchGit && state.symbols[attr.name] == "url" ? fixGitURL(s).to_string() : s);
            } else if (attr.value->type() == nBool)
                attrs.emplace(state.symbols[attr.name], Explicit<bool>{attr.value->boolean()});
            else if (attr.value->type() == nInt) {
@@ -175,7 +175,7 @@ static void fetchTree(
        if (params.isFetchGit) {
            fetchers::Attrs attrs;
            attrs.emplace("type", "git");
-            attrs.emplace("url", fixGitURL(url));
+            attrs.emplace("url", fixGitURL(url).to_string());
            if (!attrs.contains("exportIgnore")
                && (!attrs.contains("submodules") || !*fetchers::maybeGetBoolAttr(attrs, "submodules"))) {
                attrs.emplace("exportIgnore", Explicit<bool>{true});
--- a/src/libexpr/primops/fromTOML.cc
+++ b/src/libexpr/primops/fromTOML.cc
@@ -136,10 +136,10 @@ static void prim_fromTOML(EvalState & state, const PosIdx pos, Value ** args, Va
                normalizeDatetimeFormat(t);
 #endif
                auto attrs = state.buildBindings(2);
-                attrs.alloc("_type").mkString("timestamp");
+                attrs.alloc("_type").mkStringNoCopy("timestamp");
                std::ostringstream s;
                s << t;
-                auto str = s.view();
+                auto str = toView(s);
                forceNoNullByte(str);
                attrs.alloc("value").mkString(str);
                v.mkAttrs(attrs);
--- a/src/libexpr/print-ambiguous.cc
+++ b/src/libexpr/print-ambiguous.cc
@@ -75,6 +75,9 @@ void printAmbiguous(
            str << "«potential infinite recursion»";
        }
        break;
+    case nFailed:
+        str << "«failed»";
+        break;
    case nFunction:
        if (v.isLambda()) {
            str << "<LAMBDA>";
--- a/src/libexpr/print.cc
+++ b/src/libexpr/print.cc
@@ -272,7 +272,7 @@ private:
    void printDerivation(Value & v)
    {
        std::optional<StorePath> storePath;
-        if (auto i = v.attrs()->get(state.sDrvPath)) {
+        if (auto i = v.attrs()->get(state.s.drvPath)) {
            NixStringContext context;
            storePath =
                state.coerceToStorePath(i->pos, *i->value, context, "while evaluating the drvPath of a derivation");
@@ -460,7 +460,7 @@ private:

                std::ostringstream s;
                s << state.positions[v.lambda().fun->pos];
-                output << " @ " << filterANSIEscapes(s.view());
+                output << " @ " << filterANSIEscapes(toView(s));
            }
        } else if (v.isPrimOp()) {
            if (v.primOp())
@@ -508,6 +508,11 @@ private:
        }
    }

+    void printFailed(Value & v)
+    {
+        output << "«failed»";
+    }
+
    void printExternal(Value & v)
    {
        v.external()->print(output);
@@ -583,6 +588,10 @@ private:
                printThunk(v);
                break;

+            case nFailed:
+                printFailed(v);
+                break;
+
            case nExternal:
                printExternal(v);
                break;
--- a/src/libexpr/value-to-json.cc
+++ b/src/libexpr/value-to-json.cc
@@ -53,7 +53,7 @@ json printValueAsJSON(
            out = *maybeString;
            break;
        }
-        if (auto i = v.attrs()->get(state.sOutPath))
+        if (auto i = v.attrs()->get(state.s.outPath))
            return printValueAsJSON(state, strict, *i->value, i->pos, context, copyToStore);
        else {
            out = json::object();
@@ -96,6 +96,7 @@ json printValueAsJSON(
        break;

    case nThunk:
+    case nFailed:
    case nFunction:
        state.error<TypeError>("cannot convert %1% to JSON", showType(v)).atPos(v.determinePos(pos)).debugThrow();
    }
--- a/src/libexpr/value-to-xml.cc
+++ b/src/libexpr/value-to-xml.cc
@@ -98,14 +98,14 @@ static void printValueAsXML(
            XMLAttrs xmlAttrs;

            Path drvPath;
-            if (auto a = v.attrs()->get(state.sDrvPath)) {
+            if (auto a = v.attrs()->get(state.s.drvPath)) {
                if (strict)
                    state.forceValue(*a->value, a->pos);
                if (a->value->type() == nString)
                    xmlAttrs["drvPath"] = drvPath = a->value->c_str();
            }

-            if (auto a = v.attrs()->get(state.sOutPath)) {
+            if (auto a = v.attrs()->get(state.s.outPath)) {
                if (strict)
                    state.forceValue(*a->value, a->pos);
                if (a->value->type() == nString)
@@ -170,6 +170,11 @@ static void printValueAsXML(

    case nThunk:
        doc.writeEmptyElement("unevaluated");
+        break;
+
+    case nFailed:
+        doc.writeEmptyElement("failed");
+        break;
    }
 }

--- a/src/libfetchers-c/nix_api_fetchers.cc
+++ b/src/libfetchers-c/nix_api_fetchers.cc
@@ -2,6 +2,8 @@
 #include "nix_api_fetchers_internal.hh"
 #include "nix_api_util_internal.h"

+extern "C" {
+
 nix_fetchers_settings * nix_fetchers_settings_new(nix_c_context * context)
 {
    try {
@@ -17,3 +19,5 @@ void nix_fetchers_settings_free(nix_fetchers_settings * settings)
 {
    delete settings;
 }
+
+} // extern "C"
--- a/src/libfetchers-tests/git-utils.cc
+++ b/src/libfetchers-tests/git-utils.cc
@@ -175,12 +175,6 @@ TEST_F(GitUtilsTest, peel_reference)

 TEST(GitUtils, isLegalRefName)
 {
-    ASSERT_TRUE(isLegalRefName("A/b"));
-    ASSERT_TRUE(isLegalRefName("AaA/b"));
-    ASSERT_TRUE(isLegalRefName("FOO/BAR/BAZ"));
-    ASSERT_TRUE(isLegalRefName("HEAD"));
-    ASSERT_TRUE(isLegalRefName("refs/tags/1.2.3"));
-    ASSERT_TRUE(isLegalRefName("refs/heads/master"));
    ASSERT_TRUE(isLegalRefName("foox"));
    ASSERT_TRUE(isLegalRefName("1337"));
    ASSERT_TRUE(isLegalRefName("foo.baz"));
--- a/src/libfetchers/git-lfs-fetch.cc
+++ b/src/libfetchers/git-lfs-fetch.cc
@@ -25,7 +25,7 @@ static void downloadToSink(
    std::string sha256Expected,
    size_t sizeExpected)
 {
-    FileTransferRequest request(url);
+    FileTransferRequest request(parseURL(url));
    Headers headers;
    if (authHeader.has_value())
        headers.push_back({"Authorization", *authHeader});
@@ -69,7 +69,8 @@ static LfsApiInfo getLfsApi(const ParsedURL & url)

        args.push_back("--");
        args.push_back("git-lfs-authenticate");
-        args.push_back(url.path);
+        // FIXME %2F encode slashes? Does this command take/accept percent encoding?
+        args.push_back(url.renderPath(/*encode=*/false));
        args.push_back("download");

        auto [status, output] = runProgram({.program = "ssh", .args = args});
@@ -179,7 +180,7 @@ Fetch::Fetch(git_repository * repo, git_oid rev)

    const auto remoteUrl = lfs::getLfsEndpointUrl(repo);

-    this->url = nix::parseURL(nix::fixGitURL(remoteUrl)).canonicalise();
+    this->url = nix::fixGitURL(remoteUrl).canonicalise();
 }

 bool Fetch::shouldFetch(const CanonPath & path) const
@@ -207,7 +208,7 @@ std::vector<nlohmann::json> Fetch::fetchUrls(const std::vector<Pointer> & pointe
    auto api = lfs::getLfsApi(this->url);
    auto url = api.endpoint + "/objects/batch";
    const auto & authHeader = api.authHeader;
-    FileTransferRequest request(url);
+    FileTransferRequest request(parseURL(url));
    request.post = true;
    Headers headers;
    if (authHeader.has_value())
--- a/src/libfetchers/git-utils.cc
+++ b/src/libfetchers/git-utils.cc
@@ -12,7 +12,6 @@

 #include <git2/attr.h>
 #include <git2/blob.h>
-#include <git2/branch.h>
 #include <git2/commit.h>
 #include <git2/config.h>
 #include <git2/describe.h>
@@ -29,7 +28,6 @@
 #include <git2/submodule.h>
 #include <git2/sys/odb_backend.h>
 #include <git2/sys/mempack.h>
-#include <git2/tag.h>
 #include <git2/tree.h>

 #include <iostream>
@@ -570,23 +568,34 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>

    void verifyCommit(const Hash & rev, const std::vector<fetchers::PublicKey> & publicKeys) override
    {
+        // Map of SSH key types to their internal OpenSSH representations
+        static const std::unordered_map<std::string_view, std::string_view> keyTypeMap = {
+            {"ssh-dsa", "ssh-dsa"},
+            {"ssh-ecdsa", "ssh-ecdsa"},
+            {"ssh-ecdsa-sk", "sk-ecdsa-sha2-nistp256@openssh.com"},
+            {"ssh-ed25519", "ssh-ed25519"},
+            {"ssh-ed25519-sk", "sk-ssh-ed25519@openssh.com"},
+            {"ssh-rsa", "ssh-rsa"}};
+
        // Create ad-hoc allowedSignersFile and populate it with publicKeys
        auto allowedSignersFile = createTempFile().second;
        std::string allowedSigners;
+
        for (const fetchers::PublicKey & k : publicKeys) {
-            if (k.type != "ssh-dsa" && k.type != "ssh-ecdsa" && k.type != "ssh-ecdsa-sk" && k.type != "ssh-ed25519"
-                && k.type != "ssh-ed25519-sk" && k.type != "ssh-rsa")
+            auto it = keyTypeMap.find(k.type);
+            if (it == keyTypeMap.end()) {
+                std::string supportedTypes;
+                for (const auto & [type, _] : keyTypeMap) {
+                    supportedTypes += fmt("  %s\n", type);
+                }
                throw Error(
-                    "Unknown key type '%s'.\n"
-                    "Please use one of\n"
-                    "- ssh-dsa\n"
-                    "  ssh-ecdsa\n"
-                    "  ssh-ecdsa-sk\n"
-                    "  ssh-ed25519\n"
-                    "  ssh-ed25519-sk\n"
-                    "  ssh-rsa",
-                    k.type);
-            allowedSigners += "* " + k.type + " " + k.key + "\n";
+                    "Invalid SSH key type '%s' in publicKeys.\n"
+                    "Please use one of:\n%s",
+                    k.type,
+                    supportedTypes);
+            }
+
+            allowedSigners += fmt("* %s %s\n", it->second, k.key);
        }
        writeFile(allowedSignersFile, allowedSigners);

@@ -1313,33 +1322,63 @@ GitRepo::WorkdirInfo GitRepo::getCachedWorkdirInfo(const std::filesystem::path &
    return workdirInfo;
 }

+/**
+ * Checks that the git reference is valid and normalizes slash '/' sequences.
+ *
+ * Accepts shorthand references (one-level refnames are allowed).
+ */
+bool isValidRefNameAllowNormalizations(const std::string & refName)
+{
+    /* Unfortunately libgit2 doesn't expose the limit in headers, but its internal
+       limit is also 1024. */
+    std::array<char, 1024> normalizedRefBuffer;
+
+    /* It would be nice to have a better API like git_reference_name_is_valid, but
+     * with GIT_REFERENCE_FORMAT_REFSPEC_SHORTHAND flag. libgit2 uses it internally
+     * but doesn't expose it in public headers [1].
+     * [1]:
+     * https://github.com/libgit2/libgit2/blob/9d5f1bacc23594c2ba324c8f0d41b88bf0e9ef04/src/libgit2/refs.c#L1362-L1365
+     */
+
+    auto res = git_reference_normalize_name(
+        normalizedRefBuffer.data(),
+        normalizedRefBuffer.size(),
+        refName.c_str(),
+        GIT_REFERENCE_FORMAT_ALLOW_ONELEVEL | GIT_REFERENCE_FORMAT_REFSPEC_SHORTHAND);
+
+    return res == 0;
+}
+
 bool isLegalRefName(const std::string & refName)
 {
    initLibGit2();

+    /* Since `git_reference_normalize_name` is the best API libgit2 has for verifying
+     * reference names with shorthands (see comment in normalizeRefName), we need to
+     * ensure that exceptions to the validity checks imposed by normalization [1] are checked
+     * explicitly.
+     * [1]: https://git-scm.com/docs/git-check-ref-format#Documentation/git-check-ref-format.txt---normalize
+     */
+
    /* Check for cases that don't get rejected by libgit2.
     * FIXME: libgit2 should reject this. */
    if (refName == "@")
        return false;

+    /* Leading slashes and consecutive slashes are stripped during normalizatiton. */
+    if (refName.starts_with('/') || refName.find("//") != refName.npos)
+        return false;
+
+    /* Refer to libgit2. */
+    if (!isValidRefNameAllowNormalizations(refName))
+        return false;
+
    /* libgit2 doesn't barf on DEL symbol.
     * FIXME: libgit2 should reject this. */
    if (refName.find('\177') != refName.npos)
        return false;

-    for (auto * func : {
-             git_reference_name_is_valid,
-             git_branch_name_is_valid,
-             git_tag_name_is_valid,
-         }) {
-        int valid = 0;
-        if (func(&valid, refName.c_str()))
-            throw Error("checking git reference '%s': %s", refName, git_error_last()->message);
-        if (valid)
-            return true;
-    }
-
-    return false;
+    return true;
 }

 } // namespace nix
--- a/src/libfetchers/git.cc
+++ b/src/libfetchers/git.cc
@@ -163,8 +163,8 @@ struct GitInputScheme : InputScheme
 {
    std::optional<Input> inputFromURL(const Settings & settings, const ParsedURL & url, bool requireTree) const override
    {
-        if (url.scheme != "git" && url.scheme != "git+http" && url.scheme != "git+https" && url.scheme != "git+ssh"
-            && url.scheme != "git+file")
+        auto parsedScheme = parseUrlScheme(url.scheme);
+        if (parsedScheme.application != "git")
            return {};

        auto url2(url);
@@ -233,9 +233,7 @@ struct GitInputScheme : InputScheme

        Input input{settings};
        input.attrs = attrs;
-        auto url = fixGitURL(getStrAttr(attrs, "url"));
-        parseURL(url);
-        input.attrs["url"] = url;
+        input.attrs["url"] = fixGitURL(getStrAttr(attrs, "url")).to_string();
        getShallowAttr(input);
        getSubmodulesAttr(input);
        getAllRefsAttr(input);
@@ -464,8 +462,8 @@ struct GitInputScheme : InputScheme

        // Why are we checking for bare repository?
        // well if it's a bare repository we want to force a git fetch rather than copying the folder
-        bool isBareRepository = url.scheme == "file" && pathExists(url.path) && !pathExists(url.path + "/.git");
-        //
+        auto isBareRepository = [](PathView path) { return pathExists(path) && !pathExists(path + "/.git"); };
+
        // FIXME: here we turn a possibly relative path into an absolute path.
        // This allows relative git flake inputs to be resolved against the
        // **current working directory** (as in POSIX), which tends to work out
@@ -474,8 +472,10 @@ struct GitInputScheme : InputScheme
        //
        // See: https://discourse.nixos.org/t/57783 and #9708
        //
-        if (url.scheme == "file" && !forceHttp && !isBareRepository) {
-            if (!isAbsolute(url.path)) {
+        if (url.scheme == "file" && !forceHttp && !isBareRepository(renderUrlPathEnsureLegal(url.path))) {
+            auto path = renderUrlPathEnsureLegal(url.path);
+
+            if (!isAbsolute(path)) {
                warn(
                    "Fetching Git repository '%s', which uses a path relative to the current directory. "
                    "This is not supported and will stop working in a future release. "
@@ -485,10 +485,10 @@ struct GitInputScheme : InputScheme

            // If we don't check here for the path existence, then we can give libgit2 any directory
            // and it will initialize them as git directories.
-            if (!pathExists(url.path)) {
-                throw Error("The path '%s' does not exist.", url.path);
+            if (!pathExists(path)) {
+                throw Error("The path '%s' does not exist.", path);
            }
-            repoInfo.location = std::filesystem::absolute(url.path);
+            repoInfo.location = std::filesystem::absolute(path);
        } else {
            if (url.scheme == "file")
                /* Query parameters are meaningless for file://, but
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
@@ -19,7 +19,7 @@ namespace nix::fetchers {

 struct DownloadUrl
 {
-    std::string url;
+    ParsedURL url;
    Headers headers;
 };

@@ -38,7 +38,8 @@ struct GitArchiveInputScheme : InputScheme
        if (url.scheme != schemeName())
            return {};

-        auto path = tokenizeString<std::vector<std::string>>(url.path, "/");
+        /* This ignores empty path segments for back-compat. Older versions used a tokenizeString here. */
+        auto path = url.pathSegments(/*skipEmpty=*/true) | std::ranges::to<std::vector<std::string>>();

        std::optional<Hash> rev;
        std::optional<std::string> ref;
@@ -139,12 +140,12 @@ struct GitArchiveInputScheme : InputScheme
        auto repo = getStrAttr(input.attrs, "repo");
        auto ref = input.getRef();
        auto rev = input.getRev();
-        auto path = owner + "/" + repo;
+        std::vector<std::string> path{owner, repo};
        assert(!(ref && rev));
        if (ref)
-            path += "/" + *ref;
+            path.push_back(*ref);
        if (rev)
-            path += "/" + rev->to_string(HashFormat::Base16, false);
+            path.push_back(rev->to_string(HashFormat::Base16, false));
        auto url = ParsedURL{
            .scheme = std::string{schemeName()},
            .path = path,
@@ -420,7 +421,7 @@ struct GitHubInputScheme : GitArchiveInputScheme
        const auto url =
            fmt(urlFmt, host, getOwner(input), getRepo(input), input.getRev()->to_string(HashFormat::Base16, false));

-        return DownloadUrl{url, headers};
+        return DownloadUrl{parseURL(url), headers};
    }

    void clone(const Input & input, const Path & destDir) const override
@@ -500,7 +501,7 @@ struct GitLabInputScheme : GitArchiveInputScheme
                input.getRev()->to_string(HashFormat::Base16, false));

        Headers headers = makeHeadersWithAuthTokens(*input.settings, host, input);
-        return DownloadUrl{url, headers};
+        return DownloadUrl{parseURL(url), headers};
    }

    void clone(const Input & input, const Path & destDir) const override
@@ -592,7 +593,7 @@ struct SourceHutInputScheme : GitArchiveInputScheme
                input.getRev()->to_string(HashFormat::Base16, false));

        Headers headers = makeHeadersWithAuthTokens(*input.settings, host, input);
-        return DownloadUrl{url, headers};
+        return DownloadUrl{parseURL(url), headers};
    }

    void clone(const Input & input, const Path & destDir) const override
--- a/src/libfetchers/include/nix/fetchers/git-utils.hh
+++ b/src/libfetchers/include/nix/fetchers/git-utils.hh
@@ -158,12 +158,9 @@ struct Setter
 };

 /**
- * Checks that the string can be a valid git reference, branch or tag name.
- * Accepts shorthand references (one-level refnames are allowed), pseudorefs
- * like `HEAD`.
+ * Checks that the git reference is valid and normalized.
 *
- * @note This is a coarse test to make sure that the refname is at least something
- * that Git can make sense of.
+ * Accepts shorthand references (one-level refnames are allowed).
 */
 bool isLegalRefName(const std::string & refName);

--- a/src/libfetchers/indirect.cc
+++ b/src/libfetchers/indirect.cc
@@ -14,7 +14,8 @@ struct IndirectInputScheme : InputScheme
        if (url.scheme != "flake")
            return {};

-        auto path = tokenizeString<std::vector<std::string>>(url.path, "/");
+        /* This ignores empty path segments for back-compat. Older versions used a tokenizeString here. */
+        auto path = url.pathSegments(/*skipEmpty=*/true) | std::ranges::to<std::vector<std::string>>();

        std::optional<Hash> rev;
        std::optional<std::string> ref;
@@ -82,16 +83,15 @@ struct IndirectInputScheme : InputScheme

    ParsedURL toURL(const Input & input) const override
    {
-        ParsedURL url;
-        url.scheme = "flake";
-        url.path = getStrAttr(input.attrs, "id");
+        ParsedURL url{
+            .scheme = "flake",
+            .path = {getStrAttr(input.attrs, "id")},
+        };
        if (auto ref = input.getRef()) {
-            url.path += '/';
-            url.path += *ref;
+            url.path.push_back(*ref);
        };
        if (auto rev = input.getRev()) {
-            url.path += '/';
-            url.path += rev->gitRev();
+            url.path.push_back(rev->gitRev());
        };
        return url;
    }
--- a/src/libfetchers/mercurial.cc
+++ b/src/libfetchers/mercurial.cc
@@ -120,7 +120,7 @@ struct MercurialInputScheme : InputScheme
    {
        auto url = parseURL(getStrAttr(input.attrs, "url"));
        if (url.scheme == "file" && !input.getRef() && !input.getRev())
-            return url.path;
+            return renderUrlPathEnsureLegal(url.path);
        return {};
    }

@@ -152,7 +152,7 @@ struct MercurialInputScheme : InputScheme
    {
        auto url = parseURL(getStrAttr(input.attrs, "url"));
        bool isLocal = url.scheme == "file";
-        return {isLocal, isLocal ? url.path : url.to_string()};
+        return {isLocal, isLocal ? renderUrlPathEnsureLegal(url.path) : url.to_string()};
    }

    StorePath fetchToStore(ref<Store> store, Input & input) const
--- a/src/libfetchers/path.cc
+++ b/src/libfetchers/path.cc
@@ -20,7 +20,7 @@ struct PathInputScheme : InputScheme

        Input input{settings};
        input.attrs.insert_or_assign("type", "path");
-        input.attrs.insert_or_assign("path", url.path);
+        input.attrs.insert_or_assign("path", renderUrlPathEnsureLegal(url.path));

        for (auto & [name, value] : url.query)
            if (name == "rev" || name == "narHash")
@@ -74,7 +74,7 @@ struct PathInputScheme : InputScheme
        query.erase("__final");
        return ParsedURL{
            .scheme = "path",
-            .path = getStrAttr(input.attrs, "path"),
+            .path = splitString<std::vector<std::string>>(getStrAttr(input.attrs, "path"), "/"),
            .query = query,
        };
    }
--- a/src/libfetchers/tarball.cc
+++ b/src/libfetchers/tarball.cc
@@ -43,7 +43,7 @@ DownloadFileResult downloadFile(
    if (cached && !cached->expired)
        return useCached();

-    FileTransferRequest request(url);
+    FileTransferRequest request(ValidURL{url});
    request.headers = headers;
    if (cached)
        request.expectedETag = getStrAttr(cached->value, "etag");
@@ -107,20 +107,20 @@ DownloadFileResult downloadFile(
 }

 static DownloadTarballResult downloadTarball_(
-    const Settings & settings, const std::string & url, const Headers & headers, const std::string & displayPrefix)
+    const Settings & settings, const std::string & urlS, const Headers & headers, const std::string & displayPrefix)
 {
+    ValidURL url = urlS;

    // Some friendly error messages for common mistakes.
    // Namely lets catch when the url is a local file path, but
    // it is not in fact a tarball.
-    if (url.rfind("file://", 0) == 0) {
-        // Remove "file://" prefix to get the local file path
-        std::string localPath = percentDecode(url.substr(7));
-        if (!std::filesystem::exists(localPath)) {
+    if (url.scheme() == "file") {
+        std::filesystem::path localPath = renderUrlPathEnsureLegal(url.path());
+        if (!exists(localPath)) {
            throw Error("tarball '%s' does not exist.", localPath);
        }
-        if (std::filesystem::is_directory(localPath)) {
-            if (std::filesystem::exists(localPath + "/.git")) {
+        if (is_directory(localPath)) {
+            if (exists(localPath / ".git")) {
                throw Error(
                    "tarball '%s' is a git repository, not a tarball. Please use `git+file` as the scheme.", localPath);
            }
@@ -128,7 +128,7 @@ static DownloadTarballResult downloadTarball_(
        }
    }

-    Cache::Key cacheKey{"tarball", {{"url", url}}};
+    Cache::Key cacheKey{"tarball", {{"url", urlS}}};

    auto cached = settings.getCache()->lookupExpired(cacheKey);

@@ -166,7 +166,7 @@ static DownloadTarballResult downloadTarball_(

    /* Note: if the download is cached, `importTarball()` will receive
       no data, which causes it to import an empty tarball. */
-    auto archive = hasSuffix(toLower(parseURL(url).path), ".zip") ? ({
+    auto archive = !url.path().empty() && hasSuffix(toLower(url.path().back()), ".zip") ? ({
        /* In streaming mode, libarchive doesn't handle
           symlinks in zip files correctly (#10649). So write
           the entire file to disk so libarchive can access it
@@ -180,7 +180,7 @@ static DownloadTarballResult downloadTarball_(
        }
        TarArchive{path};
    })
-                                                                  : TarArchive{*source};
+                                                                                        : TarArchive{*source};
    auto tarballCache = getTarballCache();
    auto parseSink = tarballCache->getFileSystemObjectSink();
    auto lastModified = unpackTarfileToSink(archive, *parseSink);
@@ -234,8 +234,11 @@ struct CurlInputScheme : InputScheme
 {
    const StringSet transportUrlSchemes = {"file", "http", "https"};

-    bool hasTarballExtension(std::string_view path) const
+    bool hasTarballExtension(const ParsedURL & url) const
    {
+        if (url.path.empty())
+            return false;
+        const auto & path = url.path.back();
        return hasSuffix(path, ".zip") || hasSuffix(path, ".tar") || hasSuffix(path, ".tgz")
               || hasSuffix(path, ".tar.gz") || hasSuffix(path, ".tar.xz") || hasSuffix(path, ".tar.bz2")
               || hasSuffix(path, ".tar.zst");
@@ -336,7 +339,7 @@ struct FileInputScheme : CurlInputScheme
        auto parsedUrlScheme = parseUrlScheme(url.scheme);
        return transportUrlSchemes.count(std::string(parsedUrlScheme.transport))
               && (parsedUrlScheme.application ? parsedUrlScheme.application.value() == schemeName()
-                                               : (!requireTree && !hasTarballExtension(url.path)));
+                                               : (!requireTree && !hasTarballExtension(url)));
    }

    std::pair<ref<SourceAccessor>, Input> getAccessor(ref<Store> store, const Input & _input) const override
@@ -373,7 +376,7 @@ struct TarballInputScheme : CurlInputScheme

        return transportUrlSchemes.count(std::string(parsedUrlScheme.transport))
               && (parsedUrlScheme.application ? parsedUrlScheme.application.value() == schemeName()
-                                               : (requireTree || hasTarballExtension(url.path)));
+                                               : (requireTree || hasTarballExtension(url)));
    }

    std::pair<ref<SourceAccessor>, Input> getAccessor(ref<Store> store, const Input & _input) const override
--- a/src/libflake-c/nix_api_flake.cc
+++ b/src/libflake-c/nix_api_flake.cc
@@ -10,6 +10,8 @@

 #include "nix/flake/flake.hh"

+extern "C" {
+
 nix_flake_settings * nix_flake_settings_new(nix_c_context * context)
 {
    nix_clear_err(context);
@@ -203,3 +205,5 @@ nix_value * nix_locked_flake_get_output_attrs(
    }
    NIXC_CATCH_ERRS_NULL
 }
+
+} // extern "C"
--- a/src/libflake-tests/flakeref.cc
+++ b/src/libflake-tests/flakeref.cc
@@ -2,6 +2,7 @@

 #include "nix/fetchers/fetch-settings.hh"
 #include "nix/flake/flakeref.hh"
+#include "nix/fetchers/attrs.hh"

 namespace nix {

@@ -90,6 +91,158 @@ TEST(parseFlakeRef, GitArchiveInput)
    }
 }

+struct InputFromURLTestCase
+{
+    std::string url;
+    fetchers::Attrs attrs;
+    std::string description;
+    std::string expectedUrl = url;
+};
+
+class InputFromURLTest : public ::testing::WithParamInterface<InputFromURLTestCase>, public ::testing::Test
+{};
+
+TEST_P(InputFromURLTest, attrsAreCorrectAndRoundTrips)
+{
+    experimentalFeatureSettings.experimentalFeatures.get().insert(Xp::Flakes);
+    fetchers::Settings fetchSettings;
+
+    const auto & testCase = GetParam();
+
+    auto flakeref = parseFlakeRef(fetchSettings, testCase.url);
+
+    EXPECT_EQ(flakeref.toAttrs(), testCase.attrs);
+    EXPECT_EQ(flakeref.to_string(), testCase.expectedUrl);
+
+    auto input = fetchers::Input::fromURL(fetchSettings, flakeref.to_string());
+
+    EXPECT_EQ(input.toURLString(), testCase.expectedUrl);
+    EXPECT_EQ(input.toAttrs(), testCase.attrs);
+
+    // Round-trip check.
+    auto input2 = fetchers::Input::fromURL(fetchSettings, input.toURLString());
+    EXPECT_EQ(input, input2);
+    EXPECT_EQ(input.toURLString(), input2.toURLString());
+}
+
+using fetchers::Attr;
+
+INSTANTIATE_TEST_SUITE_P(
+    InputFromURL,
+    InputFromURLTest,
+    ::testing::Values(
+        InputFromURLTestCase{
+            .url = "flake:nixpkgs",
+            .attrs =
+                {
+                    {"id", Attr("nixpkgs")},
+                    {"type", Attr("indirect")},
+                },
+            .description = "basic_indirect",
+        },
+        InputFromURLTestCase{
+            .url = "flake:nixpkgs/branch",
+            .attrs =
+                {
+                    {"id", Attr("nixpkgs")},
+                    {"type", Attr("indirect")},
+                    {"ref", Attr("branch")},
+                },
+            .description = "basic_indirect_branch",
+        },
+        InputFromURLTestCase{
+            .url = "nixpkgs/branch",
+            .attrs =
+                {
+                    {"id", Attr("nixpkgs")},
+                    {"type", Attr("indirect")},
+                    {"ref", Attr("branch")},
+                },
+            .description = "flake_id_ref_branch",
+            .expectedUrl = "flake:nixpkgs/branch",
+        },
+        InputFromURLTestCase{
+            .url = "nixpkgs/branch/2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
+            .attrs =
+                {
+                    {"id", Attr("nixpkgs")},
+                    {"type", Attr("indirect")},
+                    {"ref", Attr("branch")},
+                    {"rev", Attr("2aae6c35c94fcfb415dbe95f408b9ce91ee846ed")},
+                },
+            .description = "flake_id_ref_branch_trailing_slash",
+            .expectedUrl = "flake:nixpkgs/branch/2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
+        },
+        // The following tests are for back-compat with lax parsers in older versions
+        // that used `tokenizeString` for splitting path segments, which ignores empty
+        // strings.
+        InputFromURLTestCase{
+            .url = "nixpkgs/branch////",
+            .attrs =
+                {
+                    {"id", Attr("nixpkgs")},
+                    {"type", Attr("indirect")},
+                    {"ref", Attr("branch")},
+                },
+            .description = "flake_id_ref_branch_ignore_empty_trailing_segments",
+            .expectedUrl = "flake:nixpkgs/branch",
+        },
+        InputFromURLTestCase{
+            .url = "nixpkgs/branch///2aae6c35c94fcfb415dbe95f408b9ce91ee846ed///",
+            .attrs =
+                {
+                    {"id", Attr("nixpkgs")},
+                    {"type", Attr("indirect")},
+                    {"ref", Attr("branch")},
+                    {"rev", Attr("2aae6c35c94fcfb415dbe95f408b9ce91ee846ed")},
+                },
+            .description = "flake_id_ref_branch_ignore_empty_segments_ref_rev",
+            .expectedUrl = "flake:nixpkgs/branch/2aae6c35c94fcfb415dbe95f408b9ce91ee846ed",
+        },
+        InputFromURLTestCase{
+            // Note that this is different from above because the "flake id" shorthand
+            // doesn't allow this.
+            .url = "flake:/nixpkgs///branch////",
+            .attrs =
+                {
+                    {"id", Attr("nixpkgs")},
+                    {"type", Attr("indirect")},
+                    {"ref", Attr("branch")},
+                },
+            .description = "indirect_branch_empty_segments_everywhere",
+            .expectedUrl = "flake:nixpkgs/branch",
+        },
+        InputFromURLTestCase{
+            // TODO: Technically this has an empty authority, but it's ignored
+            // for now. Yes, this is what all versions going back to at least
+            // 2.18 did and yes, this should not be allowed.
+            .url = "github://////owner%42/////repo%41///branch%43////",
+            .attrs =
+                {
+                    {"type", Attr("github")},
+                    {"owner", Attr("ownerB")},
+                    {"repo", Attr("repoA")},
+                    {"ref", Attr("branchC")},
+                },
+            .description = "github_ref_slashes_in_path_everywhere",
+            .expectedUrl = "github:ownerB/repoA/branchC",
+        },
+        InputFromURLTestCase{
+            // FIXME: Subgroups in gitlab URLs are busted. This double-encoding
+            // behavior exists since 2.18. See issue #9161 and PR #8845.
+            .url = "gitlab:/owner%252Fsubgroup/////repo%41///branch%43////",
+            .attrs =
+                {
+                    {"type", Attr("gitlab")},
+                    {"owner", Attr("owner%2Fsubgroup")},
+                    {"repo", Attr("repoA")},
+                    {"ref", Attr("branchC")},
+                },
+            .description = "gitlab_ref_slashes_in_path_everywhere_with_pct_encoding",
+            .expectedUrl = "gitlab:owner%252Fsubgroup/repoA/branchC",
+        }),
+    [](const ::testing::TestParamInfo<InputFromURLTestCase> & info) { return info.param.description; });
+
 TEST(to_string, doesntReencodeUrl)
 {
    fetchers::Settings fetchSettings;
--- a/src/libflake/flake.cc
+++ b/src/libflake/flake.cc
@@ -232,7 +232,7 @@ static Flake readFlake(
        .path = flakePath,
    };

-    if (auto description = vInfo.attrs()->get(state.sDescription)) {
+    if (auto description = vInfo.attrs()->get(state.s.description)) {
        expectType(state, nString, *description->value, description->pos);
        flake.description = description->value->c_str();
    }
@@ -253,7 +253,7 @@ static Flake readFlake(

        if (outputs->value->isLambda() && outputs->value->lambda().fun->hasFormals()) {
            for (auto & formal : outputs->value->lambda().fun->formals->formals) {
-                if (formal.name != state.sSelf)
+                if (formal.name != state.s.self)
                    flake.inputs.emplace(
                        state.symbols[formal.name],
                        FlakeInput{.ref = parseFlakeRef(state.fetchSettings, std::string(state.symbols[formal.name]))});
@@ -305,7 +305,8 @@ static Flake readFlake(
    }

    for (auto & attr : *vInfo.attrs()) {
-        if (attr.name != state.sDescription && attr.name != sInputs && attr.name != sOutputs && attr.name != sNixConfig)
+        if (attr.name != state.s.description && attr.name != sInputs && attr.name != sOutputs
+            && attr.name != sNixConfig)
            throw Error(
                "flake '%s' has an unsupported attribute '%s', at %s",
                resolvedRef,
--- a/src/libflake/flakeref.cc
+++ b/src/libflake/flakeref.cc
@@ -80,8 +80,7 @@ std::pair<FlakeRef, std::string> parsePathFlakeRefWithFragment(

    std::smatch match;
    auto succeeds = std::regex_match(url, match, pathFlakeRegex);
-    if (!succeeds)
-        throw Error("invalid flakeref '%s'", url);
+    assert(succeeds);
    auto path = match[1].str();
    auto query = decodeQuery(match[3].str(), /*lenient=*/true);
    auto fragment = percentDecode(match[5].str());
@@ -144,7 +143,7 @@ std::pair<FlakeRef, std::string> parsePathFlakeRefWithFragment(
                    auto parsedURL = ParsedURL{
                        .scheme = "git+file",
                        .authority = ParsedURL::Authority{},
-                        .path = flakeRoot,
+                        .path = splitString<std::vector<std::string>>(flakeRoot, "/"),
                        .query = query,
                        .fragment = fragment,
                    };
@@ -173,7 +172,13 @@ std::pair<FlakeRef, std::string> parsePathFlakeRefWithFragment(

    return fromParsedURL(
        fetchSettings,
-        {.scheme = "path", .authority = ParsedURL::Authority{}, .path = path, .query = query, .fragment = fragment},
+        {
+            .scheme = "path",
+            .authority = ParsedURL::Authority{},
+            .path = splitString<std::vector<std::string>>(path, "/"),
+            .query = query,
+            .fragment = fragment,
+        },
        isFlake);
 }

@@ -193,8 +198,8 @@ parseFlakeIdRef(const fetchers::Settings & fetchSettings, const std::string & ur
    if (std::regex_match(url, match, flakeRegex)) {
        auto parsedURL = ParsedURL{
            .scheme = "flake",
-            .authority = ParsedURL::Authority{},
-            .path = match[1],
+            .authority = std::nullopt,
+            .path = splitString<std::vector<std::string>>(match[1].str(), "/"),
        };

        return std::make_pair(
@@ -212,8 +217,12 @@ std::optional<std::pair<FlakeRef, std::string>> parseURLFlakeRef(
 {
    try {
        auto parsed = parseURL(url, /*lenient=*/true);
-        if (baseDir && (parsed.scheme == "path" || parsed.scheme == "git+file") && !isAbsolute(parsed.path))
-            parsed.path = absPath(parsed.path, *baseDir);
+        if (baseDir && (parsed.scheme == "path" || parsed.scheme == "git+file")) {
+            /* Here we know that the path must not contain encoded '/' or NUL bytes. */
+            auto path = renderUrlPathEnsureLegal(parsed.path);
+            if (!isAbsolute(path))
+                parsed.path = splitString<std::vector<std::string>>(absPath(path, *baseDir), "/");
+        }
        return fromParsedURL(fetchSettings, std::move(parsed), isFlake);
    } catch (BadURL &) {
        return std::nullopt;
--- a/src/libflake/url-name.cc
+++ b/src/libflake/url-name.cc
@@ -27,16 +27,21 @@ std::optional<std::string> getNameFromURL(const ParsedURL & url)
        return match.str(2);
    }

+    /* This is not right, because special chars like slashes within the
+       path fragments should be percent encoded, but I don't think any
+       of the regexes above care. */
+    auto path = concatStringsSep("/", url.path);
+
    /* If this is a github/gitlab/sourcehut flake, use the repo name */
-    if (std::regex_match(url.scheme, gitProviderRegex) && std::regex_match(url.path, match, secondPathSegmentRegex))
+    if (std::regex_match(url.scheme, gitProviderRegex) && std::regex_match(path, match, secondPathSegmentRegex))
        return match.str(1);

    /* If it is a regular git flake, use the directory name */
-    if (std::regex_match(url.scheme, gitSchemeRegex) && std::regex_match(url.path, match, lastPathSegmentRegex))
+    if (std::regex_match(url.scheme, gitSchemeRegex) && std::regex_match(path, match, lastPathSegmentRegex))
        return match.str(1);

    /* If there is no fragment, take the last element of the path */
-    if (std::regex_match(url.path, match, lastPathSegmentRegex))
+    if (std::regex_match(path, match, lastPathSegmentRegex))
        return match.str(1);

    /* If even that didn't work, the URL does not contain enough info to determine a useful name */
--- a/src/libmain-c/nix_api_main.cc
+++ b/src/libmain-c/nix_api_main.cc
@@ -5,6 +5,8 @@

 #include "nix/main/plugin.hh"

+extern "C" {
+
 nix_err nix_init_plugins(nix_c_context * context)
 {
    if (context)
@@ -14,3 +16,5 @@ nix_err nix_init_plugins(nix_c_context * context)
    }
    NIXC_CATCH_ERRS
 }
+
+} // extern "C"
--- a/src/libmain/progress-bar.cc
+++ b/src/libmain/progress-bar.cc
@@ -183,7 +183,7 @@ public:
        std::ostringstream oss;
        showErrorInfo(oss, ei, loggerSettings.showTrace.get());

-        log(*state, ei.level, oss.view());
+        log(*state, ei.level, toView(oss));
    }

    void log(State & state, Verbosity lvl, std::string_view s)
--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -320,29 +320,34 @@ int handleExceptions(const std::string & programName, std::function<void()> fun)
    std::string error = ANSI_RED "error:" ANSI_NORMAL " ";
    try {
        try {
-            fun();
-        } catch (...) {
-            /* Subtle: we have to make sure that any `interrupted'
-               condition is discharged before we reach printMsg()
-               below, since otherwise it will throw an (uncaught)
-               exception. */
-            setInterruptThrown();
-            throw;
+            try {
+                fun();
+            } catch (...) {
+                /* Subtle: we have to make sure that any `interrupted'
+                   condition is discharged before we reach printMsg()
+                   below, since otherwise it will throw an (uncaught)
+                   exception. */
+                setInterruptThrown();
+                throw;
+            }
+        } catch (Exit & e) {
+            return e.status;
+        } catch (UsageError & e) {
+            logError(e.info());
+            printError("Try '%1% --help' for more information.", programName);
+            return 1;
+        } catch (BaseError & e) {
+            logError(e.info());
+            return e.info().status;
+        } catch (std::bad_alloc & e) {
+            printError(error + "out of memory");
+            return 1;
+        } catch (std::exception & e) {
+            printError(error + e.what());
+            return 1;
        }
-    } catch (Exit & e) {
-        return e.status;
-    } catch (UsageError & e) {
-        logError(e.info());
-        printError("Try '%1% --help' for more information.", programName);
-        return 1;
-    } catch (BaseError & e) {
-        logError(e.info());
-        return e.info().status;
-    } catch (std::bad_alloc & e) {
-        printError(error + "out of memory");
-        return 1;
-    } catch (std::exception & e) {
-        printError(error + e.what());
+    } catch (...) {
+        /* In case logger also throws just give up. */
        return 1;
    }

--- a/src/libstore-c/nix_api_store.cc
+++ b/src/libstore-c/nix_api_store.cc
@@ -10,6 +10,8 @@

 #include "nix/store/globals.hh"

+extern "C" {
+
 nix_err nix_libstore_init(nix_c_context * context)
 {
    if (context)
@@ -91,7 +93,7 @@ nix_store_get_version(nix_c_context * context, Store * store, nix_get_string_cal
    NIXC_CATCH_ERRS
 }

-bool nix_store_is_valid_path(nix_c_context * context, Store * store, StorePath * path)
+bool nix_store_is_valid_path(nix_c_context * context, Store * store, const StorePath * path)
 {
    if (context)
        context->last_err_code = NIX_OK;
@@ -129,7 +131,7 @@ nix_err nix_store_realise(
    Store * store,
    StorePath * path,
    void * userdata,
-    void (*callback)(void * userdata, const char *, const char *))
+    void (*callback)(void * userdata, const char *, const StorePath *))
 {
    if (context)
        context->last_err_code = NIX_OK;
@@ -144,8 +146,8 @@ nix_err nix_store_realise(
        if (callback) {
            for (const auto & result : results) {
                for (const auto & [outputName, realisation] : result.builtOutputs) {
-                    auto op = store->ptr->printStorePath(realisation.outPath);
-                    callback(userdata, outputName.c_str(), op.c_str());
+                    StorePath p{realisation.outPath};
+                    callback(userdata, outputName.c_str(), &p);
                }
            }
        }
@@ -180,3 +182,5 @@ nix_err nix_store_copy_closure(nix_c_context * context, Store * srcStore, Store
    }
    NIXC_CATCH_ERRS
 }
+
+} // extern "C"
--- a/src/libstore-c/nix_api_store.h
+++ b/src/libstore-c/nix_api_store.h
@@ -148,7 +148,7 @@ void nix_store_path_free(StorePath * p);
 * @param[in] path Path to check
 * @return true or false, error info in context
 */
-bool nix_store_is_valid_path(nix_c_context * context, Store * store, StorePath * path);
+bool nix_store_is_valid_path(nix_c_context * context, Store * store, const StorePath * path);

 /**
 * @brief Get the physical location of a store path
@@ -190,7 +190,7 @@ nix_err nix_store_realise(
    Store * store,
    StorePath * path,
    void * userdata,
-    void (*callback)(void * userdata, const char * outname, const char * out));
+    void (*callback)(void * userdata, const char * outname, const StorePath * out));

 /**
 * @brief get the version of a nix store.
--- a/src/libstore-c/nix_api_store_internal.h
+++ b/src/libstore-c/nix_api_store_internal.h
@@ -2,6 +2,8 @@
 #define NIX_API_STORE_INTERNAL_H
 #include "nix/store/store-api.hh"

+extern "C" {
+
 struct Store
 {
    nix::ref<nix::Store> ptr;
@@ -12,4 +14,6 @@ struct StorePath
    nix::StorePath path;
 };

+} // extern "C"
+
 #endif
--- a/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_4.txt
+++ b/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_4.txt
@@ -1 +0,0 @@
-ssh://userinfo@[fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%eth0]?a=b&c=d
--- a/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_5.txt
+++ b/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_5.txt
@@ -1 +0,0 @@
-ssh://userinfo@[fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%25eth0]?a=b&c=d
--- a/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_6.txt
+++ b/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_6.txt
@@ -1 +0,0 @@
-ssh://userinfo@fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%25?a=b&c=d
--- a/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_7.txt
+++ b/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_7.txt
@@ -1 +0,0 @@
-ssh://userinfo@fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%eth0?a=b&c=d
--- a/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_8.txt
+++ b/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_8.txt
@@ -1 +0,0 @@
-ssh://fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%eth0?a=b&c=d
--- a/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_9.txt
+++ b/src/libstore-tests/data/store-reference/ssh_unbracketed_ipv6_9.txt
@@ -1 +0,0 @@
-ssh://fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%eth0
--- a/src/libstore-tests/derivation-parser-bench.cc
+++ b/src/libstore-tests/derivation-parser-bench.cc
@@ -28,12 +28,33 @@ static void BM_ParseRealDerivationFile(benchmark::State & state, const std::stri
    state.SetBytesProcessed(state.iterations() * content.size());
 }

+// Benchmark unparsing real derivation files
+static void BM_UnparseRealDerivationFile(benchmark::State & state, const std::string & filename)
+{
+    // Read the file once
+    std::ifstream file(filename);
+    std::stringstream buffer;
+    buffer << file.rdbuf();
+    std::string content = buffer.str();
+
+    auto store = openStore("dummy://");
+    ExperimentalFeatureSettings xpSettings;
+    auto drv = parseDerivation(*store, std::string(content), "test", xpSettings);
+
+    for (auto _ : state) {
+        auto unparsed = drv.unparse(*store, /*maskOutputs=*/false);
+        benchmark::DoNotOptimize(unparsed);
+        assert(unparsed.size() == content.size());
+    }
+    state.SetBytesProcessed(state.iterations() * content.size());
+}
+
 // Register benchmarks for actual test derivation files if they exist
 BENCHMARK_CAPTURE(
-    BM_ParseRealDerivationFile,
-    hello,
-    getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value_or(NIX_UNIT_TEST_DATA) + "/derivation/hello.drv");
+    BM_ParseRealDerivationFile, hello, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/hello.drv");
 BENCHMARK_CAPTURE(
-    BM_ParseRealDerivationFile,
-    firefox,
-    getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value_or(NIX_UNIT_TEST_DATA) + "/derivation/firefox.drv");
+    BM_ParseRealDerivationFile, firefox, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/firefox.drv");
+BENCHMARK_CAPTURE(
+    BM_UnparseRealDerivationFile, hello, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/hello.drv");
+BENCHMARK_CAPTURE(
+    BM_UnparseRealDerivationFile, firefox, getEnvNonEmpty("_NIX_TEST_UNIT_DATA").value() + "/derivation/firefox.drv");
--- a/src/libstore-tests/local-store.cc
+++ b/src/libstore-tests/local-store.cc
@@ -36,7 +36,7 @@ TEST(LocalStore, constructConfig_rootPath)
 TEST(LocalStore, constructConfig_to_string)
 {
    LocalStoreConfig config{"local", "", {}};
-    EXPECT_EQ(config.getReference().render(), "local");
+    EXPECT_EQ(config.getReference().to_string(), "local");
 }

 } // namespace nix
--- a/src/libstore-tests/meson.build
+++ b/src/libstore-tests/meson.build
@@ -130,10 +130,13 @@ if get_option('benchmarks')
    link_args : linker_export_flags,
    install : true,
    cpp_pch : do_pch ? [ 'pch/precompiled-headers.hh' ] : [],
-    cpp_args : [
-      '-DNIX_UNIT_TEST_DATA="' + meson.current_source_dir() + '/data"',
-    ],
  )

-  benchmark('nix-store-benchmarks', benchmark_exe)
+  benchmark(
+    'nix-store-benchmarks',
+    benchmark_exe,
+    env : {
+      '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
+    },
+  )
 endif
--- a/src/libstore-tests/nix_api_store.cc
+++ b/src/libstore-tests/nix_api_store.cc
@@ -1,7 +1,5 @@
 #include "nix_api_util.h"
-#include "nix_api_util_internal.h"
 #include "nix_api_store.h"
-#include "nix_api_store_internal.h"

 #include "nix/store/tests/nix_api_store.hh"
 #include "nix/util/tests/string_callback.hh"
@@ -65,7 +63,7 @@ TEST_F(nix_api_store_test, nix_store_get_storedir)
 TEST_F(nix_api_store_test, InvalidPathFails)
 {
    nix_store_parse_path(ctx, store, "invalid-path");
-    ASSERT_EQ(ctx->last_err_code, NIX_ERR_NIX_ERROR);
+    ASSERT_EQ(nix_err_code(ctx), NIX_ERR_NIX_ERROR);
 }

 TEST_F(nix_api_store_test, ReturnsValidStorePath)
@@ -80,7 +78,7 @@ TEST_F(nix_api_store_test, ReturnsValidStorePath)
 TEST_F(nix_api_store_test, SetsLastErrCodeToNixOk)
 {
    StorePath * path = nix_store_parse_path(ctx, store, (nixStoreDir + PATH_SUFFIX).c_str());
-    ASSERT_EQ(ctx->last_err_code, NIX_OK);
+    ASSERT_EQ(nix_err_code(ctx), NIX_OK);
    nix_store_path_free(path);
 }

@@ -103,7 +101,7 @@ TEST_F(nix_api_util_context, nix_store_open_dummy)
 {
    nix_libstore_init(ctx);
    Store * store = nix_store_open(ctx, "dummy://", nullptr);
-    ASSERT_EQ(NIX_OK, ctx->last_err_code);
+    ASSERT_EQ(NIX_OK, nix_err_code(ctx));
    ASSERT_STREQ("dummy://", store->ptr->config.getReference().render(/*withParams=*/true).c_str());

    std::string str;
@@ -117,7 +115,7 @@ TEST_F(nix_api_util_context, nix_store_open_invalid)
 {
    nix_libstore_init(ctx);
    Store * store = nix_store_open(ctx, "invalid://", nullptr);
-    ASSERT_EQ(NIX_ERR_NIX_ERROR, ctx->last_err_code);
+    ASSERT_EQ(NIX_ERR_NIX_ERROR, nix_err_code(ctx));
    ASSERT_EQ(nullptr, store);
    nix_store_free(store);
 }
--- a/src/libstore-tests/s3.cc
+++ b/src/libstore-tests/s3.cc
@@ -21,7 +21,7 @@ class ParsedS3URLTest : public ::testing::WithParamInterface<ParsedS3URLTestCase
 TEST_P(ParsedS3URLTest, parseS3URLSuccessfully)
 {
    const auto & testCase = GetParam();
-    auto parsed = ParsedS3URL::parse(testCase.url);
+    auto parsed = ParsedS3URL::parse(parseURL(testCase.url));
    ASSERT_EQ(parsed, testCase.expected);
 }

@@ -33,51 +33,57 @@ INSTANTIATE_TEST_SUITE_P(
            "s3://my-bucket/my-key.txt",
            {
                .bucket = "my-bucket",
-                .key = "my-key.txt",
+                .key = {"my-key.txt"},
            },
-            "basic_s3_bucket"},
+            "basic_s3_bucket",
+        },
        ParsedS3URLTestCase{
            "s3://prod-cache/nix/store/abc123.nar.xz?region=eu-west-1",
            {
                .bucket = "prod-cache",
-                .key = "nix/store/abc123.nar.xz",
+                .key = {"nix", "store", "abc123.nar.xz"},
                .region = "eu-west-1",
            },
-            "with_region"},
+            "with_region",
+        },
        ParsedS3URLTestCase{
            "s3://bucket/key?region=us-west-2&profile=prod&endpoint=custom.s3.com&scheme=https&region=us-east-1",
            {
                .bucket = "bucket",
-                .key = "key",
+                .key = {"key"},
                .profile = "prod",
                .region = "us-west-2", //< using the first parameter (decodeQuery ignores dupicates)
                .scheme = "https",
                .endpoint = ParsedURL::Authority{.host = "custom.s3.com"},
            },
-            "complex"},
+            "complex",
+        },
        ParsedS3URLTestCase{
            "s3://cache/file.txt?profile=production&region=ap-southeast-2",
            {
                .bucket = "cache",
-                .key = "file.txt",
+                .key = {"file.txt"},
                .profile = "production",
                .region = "ap-southeast-2",
            },
-            "with_profile_and_region"},
+            "with_profile_and_region",
+        },
        ParsedS3URLTestCase{
            "s3://bucket/key?endpoint=https://minio.local&scheme=http",
            {
                .bucket = "bucket",
-                .key = "key",
+                .key = {"key"},
                /* TODO: Figure out what AWS SDK is doing when both endpointOverride and scheme are set. */
                .scheme = "http",
                .endpoint =
                    ParsedURL{
                        .scheme = "https",
                        .authority = ParsedURL::Authority{.host = "minio.local"},
+                        .path = {""},
                    },
            },
-            "with_absolute_endpoint_uri"}),
+            "with_absolute_endpoint_uri",
+        }),
    [](const ::testing::TestParamInfo<ParsedS3URLTestCase> & info) { return info.param.description; });

 TEST(InvalidParsedS3URLTest, parseS3URLErrors)
@@ -86,11 +92,114 @@ TEST(InvalidParsedS3URLTest, parseS3URLErrors)
        testing::HasSubstrIgnoreANSIMatcher("error: URI has a missing or invalid bucket name"));

    /* Empty bucket (authority) */
-    ASSERT_THAT([]() { ParsedS3URL::parse("s3:///key"); }, invalidBucketMatcher);
+    ASSERT_THAT([]() { ParsedS3URL::parse(parseURL("s3:///key")); }, invalidBucketMatcher);
    /* Invalid bucket name */
-    ASSERT_THAT([]() { ParsedS3URL::parse("s3://127.0.0.1"); }, invalidBucketMatcher);
+    ASSERT_THAT([]() { ParsedS3URL::parse(parseURL("s3://127.0.0.1")); }, invalidBucketMatcher);
 }

+// Parameterized test for s3ToHttpsUrl conversion
+struct S3ToHttpsConversionTestCase
+{
+    ParsedS3URL input;
+    ParsedURL expected;
+    std::string expectedRendered;
+    std::string description;
+};
+
+class S3ToHttpsConversionTest : public ::testing::WithParamInterface<S3ToHttpsConversionTestCase>,
+                                public ::testing::Test
+{};
+
+TEST_P(S3ToHttpsConversionTest, ConvertsCorrectly)
+{
+    const auto & testCase = GetParam();
+    auto result = testCase.input.toHttpsUrl();
+    EXPECT_EQ(result, testCase.expected) << "Failed for: " << testCase.description;
+    EXPECT_EQ(result.to_string(), testCase.expectedRendered);
+}
+
+INSTANTIATE_TEST_SUITE_P(
+    S3ToHttpsConversion,
+    S3ToHttpsConversionTest,
+    ::testing::Values(
+        S3ToHttpsConversionTestCase{
+            ParsedS3URL{
+                .bucket = "my-bucket",
+                .key = {"my-key.txt"},
+            },
+            ParsedURL{
+                .scheme = "https",
+                .authority = ParsedURL::Authority{.host = "s3.us-east-1.amazonaws.com"},
+                .path = {"", "my-bucket", "my-key.txt"},
+            },
+            "https://s3.us-east-1.amazonaws.com/my-bucket/my-key.txt",
+            "basic_s3_default_region",
+        },
+        S3ToHttpsConversionTestCase{
+            ParsedS3URL{
+                .bucket = "prod-cache",
+                .key = {"nix", "store", "abc123.nar.xz"},
+                .region = "eu-west-1",
+            },
+            ParsedURL{
+                .scheme = "https",
+                .authority = ParsedURL::Authority{.host = "s3.eu-west-1.amazonaws.com"},
+                .path = {"", "prod-cache", "nix", "store", "abc123.nar.xz"},
+            },
+            "https://s3.eu-west-1.amazonaws.com/prod-cache/nix/store/abc123.nar.xz",
+            "with_eu_west_1_region",
+        },
+        S3ToHttpsConversionTestCase{
+            ParsedS3URL{
+                .bucket = "bucket",
+                .key = {"key"},
+                .scheme = "http",
+                .endpoint = ParsedURL::Authority{.host = "custom.s3.com"},
+            },
+            ParsedURL{
+                .scheme = "http",
+                .authority = ParsedURL::Authority{.host = "custom.s3.com"},
+                .path = {"", "bucket", "key"},
+            },
+            "http://custom.s3.com/bucket/key",
+            "custom_endpoint_authority",
+        },
+        S3ToHttpsConversionTestCase{
+            ParsedS3URL{
+                .bucket = "bucket",
+                .key = {"key"},
+                .endpoint =
+                    ParsedURL{
+                        .scheme = "http",
+                        .authority = ParsedURL::Authority{.host = "server", .port = 9000},
+                        .path = {""},
+                    },
+            },
+            ParsedURL{
+                .scheme = "http",
+                .authority = ParsedURL::Authority{.host = "server", .port = 9000},
+                .path = {"", "bucket", "key"},
+            },
+            "http://server:9000/bucket/key",
+            "custom_endpoint_with_port",
+        },
+        S3ToHttpsConversionTestCase{
+            ParsedS3URL{
+                .bucket = "bucket",
+                .key = {"path", "to", "file.txt"},
+                .region = "ap-southeast-2",
+                .scheme = "https",
+            },
+            ParsedURL{
+                .scheme = "https",
+                .authority = ParsedURL::Authority{.host = "s3.ap-southeast-2.amazonaws.com"},
+                .path = {"", "bucket", "path", "to", "file.txt"},
+            },
+            "https://s3.ap-southeast-2.amazonaws.com/bucket/path/to/file.txt",
+            "complex_path_and_region",
+        }),
+    [](const ::testing::TestParamInfo<S3ToHttpsConversionTestCase> & info) { return info.param.description; });
+
 } // namespace nix

 #endif
--- a/src/libstore-tests/store-reference.cc
+++ b/src/libstore-tests/store-reference.cc
@@ -183,64 +183,4 @@ static StoreReference sshIPv6AuthorityWithUserinfoAndParams{

 URI_TEST_READ(ssh_unbracketed_ipv6_3, sshIPv6AuthorityWithUserinfoAndParams)

-static const StoreReference sshIPv6AuthorityWithUserinfoAndParamsAndZoneId{
-    .variant =
-        StoreReference::Specified{
-            .scheme = "ssh",
-            .authority = "userinfo@[fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%25eth0]",
-        },
-    .params =
-        {
-            {"a", "b"},
-            {"c", "d"},
-        },
-};
-
-URI_TEST_READ(ssh_unbracketed_ipv6_4, sshIPv6AuthorityWithUserinfoAndParamsAndZoneId)
-URI_TEST_READ(ssh_unbracketed_ipv6_5, sshIPv6AuthorityWithUserinfoAndParamsAndZoneId)
-
-static const StoreReference sshIPv6AuthorityWithUserinfoAndParamsAndZoneIdTricky{
-    .variant =
-        StoreReference::Specified{
-            .scheme = "ssh",
-            .authority = "userinfo@[fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%2525]",
-        },
-    .params =
-        {
-            {"a", "b"},
-            {"c", "d"},
-        },
-};
-
-// Non-standard syntax where the IPv6 literal appears without brackets. In
-// this case don't considering %25 to be a pct-encoded % and just take it as a
-// literal value. 25 is a perfectly legal ZoneId value in theory.
-URI_TEST_READ(ssh_unbracketed_ipv6_6, sshIPv6AuthorityWithUserinfoAndParamsAndZoneIdTricky)
-URI_TEST_READ(ssh_unbracketed_ipv6_7, sshIPv6AuthorityWithUserinfoAndParamsAndZoneId)
-
-static const StoreReference sshIPv6AuthorityWithParamsAndZoneId{
-    .variant =
-        StoreReference::Specified{
-            .scheme = "ssh",
-            .authority = "[fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%25eth0]",
-        },
-    .params =
-        {
-            {"a", "b"},
-            {"c", "d"},
-        },
-};
-
-URI_TEST_READ(ssh_unbracketed_ipv6_8, sshIPv6AuthorityWithParamsAndZoneId)
-
-static const StoreReference sshIPv6AuthorityWithZoneId{
-    .variant =
-        StoreReference::Specified{
-            .scheme = "ssh",
-            .authority = "[fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%25eth0]",
-        },
-};
-
-URI_TEST_READ(ssh_unbracketed_ipv6_9, sshIPv6AuthorityWithZoneId)
-
 } // namespace nix
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .31.3
 .32.0
				`@@ -1 +0,0 @@`
				`ssh://userinfo@[fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%eth0]?a=b&c=d`
				`@@ -1 +0,0 @@`
				`ssh://userinfo@fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%25?a=b&c=d`
				`@@ -1 +0,0 @@`
				`ssh://fea5:23e1:3916:fc24:cb52:2837:2ecb:ea8e%eth0?a=b&c=d`