Get rid of SysError and WinError derived classes

All we need is `SystemError`, and the various ways to construct it can
be done with static methods that are more informative. Catching the
derived classes was a footgun that is now impossible, because one can
only has `SystemError` to catch.

I did however make `SysError` and `WinError` top-level function
wrappers in order to avoid churn in the vast majority of call sites.

.github/actions/install-nix-action/action.yaml

@@ -24,8 +24,8 @@ inputs:
     description: "Github token"
     required: true
   use_cache:
-    description: "Whether to setup magic-nix-cache"
-    default: true
+    description: "Whether to setup github actions cache (not implemented currently)"
+    default: false
     required: false
 runs:
   using: "composite"
@@ -122,10 +122,3 @@ runs:
         source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
         nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
         extra-conf: ${{ inputs.extra_nix_config }}
-    - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
-      if: ${{ inputs.use_cache == 'true' }}
-      with:
-        diagnostic-endpoint: ''
-        use-flakehub: false
-        use-gha-cache: true
-        source-revision: 92d9581367be2233c2d5714a2640e1339f4087d8 # main

.github/workflows/backport.yml

@@ -26,7 +26,7 @@ jobs:
           # required to find all branches
           fetch-depth: 0
       - name: Create backport PRs
-        uses: korthout/backport-action@d07416681cab29bf2661702f925f020aaa962997 # v3.4.1
+        uses: korthout/backport-action@c656f5d5851037b2b38fb5db2691a03fa229e3b2 # v4.0.1
         id: backport
         with:
           # Config README: https://github.com/korthout/backport-action#backport-action

.github/workflows/ci.yml

@@ -125,13 +125,13 @@ jobs:
         cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
       if: ${{ matrix.instrumented }}
     - name: Upload coverage reports
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: coverage-reports
         path: coverage-reports/
       if: ${{ matrix.instrumented }}
     - name: Upload installer tarball
-      uses: actions/upload-artifact@v5
+      uses: actions/upload-artifact@v6
       with:
         name: installer-${{matrix.os}}
         path: out/*
@@ -164,7 +164,7 @@ jobs:
     steps:
     - uses: actions/checkout@v6
     - name: Download installer tarball
-      uses: actions/download-artifact@v6
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
       with:
         name: installer-${{matrix.os}}
         path: out
@@ -174,7 +174,7 @@ jobs:
         echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
         TARBALL_PATH="$(find "$GITHUB_WORKSPACE/out" -name 'nix*.tar.xz' -print | head -n 1)"
         echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
-    - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # v31.8.4
+    - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
       if: ${{ !matrix.experimental-installer }}
       with:
         install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
@@ -197,80 +197,6 @@ jobs:
     - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
     - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"
 
-  # Steps to test CI automation in your own fork.
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check presence of secrets
-    runs-on: ubuntu-24.04
-    outputs:
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for DockerHub secrets
-        id: secret
-        env:
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
-
-  docker_push_image:
-    needs: [tests, check_secrets]
-    permissions:
-      contents: read
-      packages: write
-    if: >-
-      needs.check_secrets.outputs.docker == 'true' &&
-      github.event_name == 'push' &&
-      github.ref_name == 'master'
-    runs-on: ubuntu-24.04
-    steps:
-    - uses: actions/checkout@v6
-      with:
-        fetch-depth: 0
-    - uses: ./.github/actions/install-nix-action
-      with:
-        dogfood: false
-        extra_nix_config: |
-          experimental-features = flakes nix-command
-    - run: echo NIX_VERSION="$(nix eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
-    - run: nix build .#dockerImage -L
-    - run: docker load -i ./result/image.tar.gz
-    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
-    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
-    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
-    #
-    # Push to Docker Hub first
-    - name: Login to Docker Hub
-      uses: docker/login-action@v3
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
-    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
-    # Push to GitHub Container Registry as well
-    - name: Login to GitHub Container Registry
-      uses: docker/login-action@v3
-      with:
-        registry: ghcr.io
-        username: ${{ github.actor }}
-        password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Push image
-      run: |
-        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
-        # Change all uppercase to lowercase
-        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
-
-        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
-        docker tag nix:$NIX_VERSION $IMAGE_ID:latest
-        docker push $IMAGE_ID:$NIX_VERSION
-        docker push $IMAGE_ID:latest
-        # deprecated 2024-02-24
-        docker tag nix:$NIX_VERSION $IMAGE_ID:master
-        docker push $IMAGE_ID:master
-
   flake_regressions:
     needs: tests
     runs-on: ubuntu-24.04
@@ -287,13 +213,21 @@ jobs:
         with:
           repository: NixOS/flake-regressions-data
           path: flake-regressions/tests
-      - uses: ./.github/actions/install-nix-action
+      - name: Download installer tarball
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
-          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
-          extra_nix_config:
-            experimental-features = nix-command flakes
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-      - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh
+          name: installer-linux
+          path: out
+      - name: Looking up the installer tarball URL
+        id: installer-tarball-url
+        run: |
+          echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
+      - uses: cachix/install-nix-action@4e002c8ec80594ecd40e759629461e26c8abed15 # v31.9.0
+        with:
+          install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
+          install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
+      - name: Run flake regressions tests
+        run: MAX_FLAKES=25 flake-regressions/eval-all.sh
 
   profile_build:
     needs: tests

.github/workflows/upload-release.yml

@@ -0,0 +1,80 @@
+name: Upload Release
+on:
+  workflow_dispatch:
+    inputs:
+      eval_id:
+        description: "Hydra evaluation ID"
+        required: true
+        type: number
+      is_latest:
+        description: "Mark as latest release"
+        required: false
+        type: boolean
+        default: false
+permissions:
+  contents: read
+  id-token: write
+  packages: write
+jobs:
+  release:
+    runs-on: ubuntu-24.04
+    environment: releases
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: false # Use stable version
+          use_cache: false # Don't want any cache injection shenanigans
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+      - name: Set NIX_PATH from flake input
+        run: |
+          NIXPKGS_PATH=$(nix build --inputs-from .# nixpkgs#path --print-out-paths --no-link)
+          # Shebangs with perl have issues. Pin nixpkgs this way. nix shell should maybe
+          # get the same uberhack that nix-shell has to support it.
+          echo "NIX_PATH=nixpkgs=$NIXPKGS_PATH" >> "$GITHUB_ENV"
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+        with:
+          role-to-assume: "arn:aws:iam::080433136561:role/nix-release"
+          role-session-name: nix-release-oidc-${{ github.run_id }}
+          aws-region: eu-west-1
+      - name: Disable containerd image store
+        run: |
+          # Docker 28+ defaults to the containerd image store, which
+          # pushes layers uncompressed instead of gzip. OCI clients
+          # that only support gzip (e.g. go-containerregistry) fail
+          # with "gzip: invalid header". Disabling the containerd
+          # snapshotter restores the classic storage driver, which
+          # preserves gzip-compressed layers through the
+          # `docker load` / `docker push` pipeline.
+          echo '{"features":{"containerd-snapshotter":false}}' | sudo tee /etc/docker/daemon.json > /dev/null
+          sudo systemctl restart docker
+      - name: Login to Docker Hub
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload release
+        run: |
+          ./maintainers/upload-release.pl \
+            ${{ inputs.eval_id }} \
+            --skip-git
+        env:
+          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}
+      - name: Push to GHCR
+        run: |
+          DOCKER_OWNER="ghcr.io/$(echo '${{ github.repository_owner }}' | tr '[A-Z]' '[a-z]')/nix"
+          ./maintainers/upload-release.pl \
+            ${{ inputs.eval_id }} \
+            --skip-git \
+            --skip-s3 \
+            --docker-owner "$DOCKER_OWNER"
+        env:
+          IS_LATEST: ${{ inputs.is_latest && '1' || '' }}

.gitignore

@@ -1,5 +1,7 @@
 # Default meson build dir
 /build
+# Meson creates this file too
+src/.wraplock
 
 # /tests/functional/
 /tests/functional/common/subst-vars.sh

.version

@@ -1 +1 @@
-2.33.0
+2.34.0

doc/manual/meson.build

@@ -26,7 +26,6 @@ bash = find_program('bash', native : true)
 # HTML manual dependencies (conditional)
 if get_option('html-manual')
   mdbook = find_program('mdbook', native : true)
-  rsync = find_program('rsync', required : true, native : true)
 endif
 
 pymod = import('python')
@@ -126,7 +125,12 @@ if get_option('html-manual')
           @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
           @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
           sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
-          @4@ -r -L --exclude='*.drv' --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
+          # Copy source to build directory, excluding the build directory itself
+          # (which is present when built as an individual component).
+          # Use tar with --dereference to copy symlink targets (e.g., JSON examples from tests).
+          (cd @CURRENT_SOURCE_DIR@ && find . -mindepth 1 -maxdepth 1 ! -name build | tar -c --dereference -T - -f -) | (cd @2@ && tar -xf -)
+          chmod -R u+w @2@
+          find @2@ -name '*.drv' -delete
           (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
           rm -rf @2@/manual
           mv @2@/html @2@/manual
@@ -138,7 +142,6 @@ if get_option('html-manual')
         mdbook.full_path(),
         meson.current_build_dir(),
         meson.project_version(),
-        rsync.full_path(),
       ),
     ],
     input : [

doc/manual/package.nix

@@ -10,7 +10,6 @@
   mdbook,
   jq,
   python3,
-  rsync,
   nix-cli,
   changelog-d,
   json-schema-for-humans,
@@ -54,6 +53,8 @@ mkMesonDerivation (finalAttrs: {
         ../../src/libstore-tests/data/nar-info
         ../../src/libstore-tests/data/build-result
         ../../src/libstore-tests/data/dummy-store
+        # For derivation examples referenced by symlinks in doc/manual/source/protocols/json/schema/
+        ../../tests/functional/derivation
         # Too many different types of files to filter for now
         ../../doc/manual
         ./.
@@ -90,7 +91,6 @@ mkMesonDerivation (finalAttrs: {
   ]
   ++ lib.optionals buildHtmlManual [
     mdbook
-    rsync
     json-schema-for-humans
   ]
   ++ lib.optionals (!officialRelease && buildHtmlManual) [

doc/manual/rl-next/beta-installer

@@ -0,0 +1,29 @@
+---
+synopsis: "Rust nix-installer in beta"
+prs: []
+---
+
+The Rust-based rewrite of the Nix installer is now in beta.
+We'd love help testing it out!
+
+To test out the new installer, run:
+```
+curl -sSfL https://artifacts.nixos.org/nix-installer | sh -s -- install
+```
+
+This installer can be run even when you have an existing, script-based Nix installation without any adjustments.
+
+This new installer also comes with the ability to uninstall your Nix installation; run:
+```
+/nix/nix-installer uninstall
+```
+
+This will get rid of your entire Nix installation (even if you installed over an existing, script-based installation).
+
+This installer is a modified version of the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer) by Determinate Systems.
+Thanks to Determinate Systems for all the investment they've put into the installer.
+
+Source for the installer is in https://github.com/NixOS/nix-installer.
+Report any issues in that repo.
+
+For CI usage, a GitHub Action to install Nix using this installer is available at https://github.com/NixOS/nix-installer-action.

doc/manual/rl-next/c-api-new-store-methods.md

@@ -0,0 +1,9 @@
+---
+synopsis: "C API: New store API methods"
+prs: [14766]
+---
+
+The C API now includes additional methods:
+
+- `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part
+- `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking

doc/manual/rl-next/ignore-gc-delete-failure.md

@@ -0,0 +1,10 @@
+---
+synopsis: "New setting `ignore-gc-delete-failure` for local stores"
+prs: [15054]
+---
+
+A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added.
+When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths.
+This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store.
+
+This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature.

doc/manual/rl-next/mtls-substituter.md

@@ -0,0 +1,15 @@
+---
+synopsis: Support HTTPS binary caches using mTLS (client certificate) authentication
+issues: [13002]
+prs: [13030]
+---
+
+Added support for `tls-certificate` and `tls-private-key` options in substituter URLs.
+
+Example:
+
+```
+https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem
+```
+
+When these options are configured, Nix will use this certificate/private key pair to authenticate to the server.

doc/manual/rl-next/roots-daemon.md

@@ -0,0 +1,11 @@
+---
+synopsis: New command `nix store roots-daemon` for serving GC roots
+prs: [15143]
+---
+
+New command [`nix store roots-daemon`](@docroot@/command-ref/new-cli/nix3-store-roots-daemon.md) runs a daemon that serves garbage collector roots over a Unix domain socket.
+It enables the garbage collector to discover runtime roots when the main Nix daemon doesn't have `CAP_SYS_PTRACE` capability and therefore cannot scan `/proc`.
+
+The garbage collector can be configured to use this daemon via the [`use-roots-daemon`](@docroot@/store/types/local-store.md#store-experimental-option-use-roots-daemon) store setting.
+
+This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store).

doc/manual/rl-next/s3-virtual-hosted-style.md

@@ -0,0 +1,32 @@
+---
+synopsis: S3 binary caches now use virtual-hosted-style addressing by default
+issues: [15208]
+---
+
+S3 binary caches now use virtual-hosted-style URLs
+(`https://bucket.s3.region.amazonaws.com/key`) instead of path-style URLs
+(`https://s3.region.amazonaws.com/bucket/key`) when connecting to standard AWS
+S3 endpoints. This enables HTTP/2 multiplexing and fixes TCP connection
+exhaustion (TIME_WAIT socket accumulation) under high-concurrency workloads.
+
+A new `addressing-style` store option controls this behavior:
+
+- `auto` (default): virtual-hosted-style for standard AWS endpoints, path-style
+  for custom endpoints.
+- `path`: forces path-style addressing (deprecated by AWS).
+- `virtual`: forces virtual-hosted-style addressing (bucket names must not
+  contain dots).
+
+Bucket names containing dots (e.g., `my.bucket.name`) automatically fall back
+to path-style addressing in `auto` mode, because dotted names create
+multi-level subdomains that break TLS wildcard certificate validation.
+
+Example using path-style for backwards compatibility:
+
+```
+s3://my-bucket/key?region=us-east-1&addressing-style=path
+```
+
+Additionally, TCP keep-alive is now enabled on all HTTP connections, preventing
+idle connections from being silently dropped by intermediate network devices
+(NATs, firewalls, load balancers).

doc/manual/source/SUMMARY.md.in

@@ -135,7 +135,9 @@
   - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
   - [Store Path Specification](protocols/store-path.md)
   - [Nix Archive (NAR) Format](protocols/nix-archive/index.md)
+  - [Nix Cache Info Format](protocols/nix-cache-info.md)
   - [Derivation "ATerm" file format](protocols/derivation-aterm.md)
+  - [Nix32 Encoding](protocols/nix32.md)
 - [C API](c-api.md)
 - [Glossary](glossary.md)
 - [Development](development/index.md)

doc/manual/source/advanced-topics/eval-profiler.md

@@ -27,7 +27,7 @@ site](https://en.wikipedia.org/wiki/Call_site) position and the name of the
 function being called (when available). For example:
 
 ```
-/nix/store/x9wnkly3k1gkq580m90jjn32q9f05q2v-source/pkgs/top-level/default.nix:167:5:primop import
+/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5:primop import
 ```
 
-Here `import` primop is called at `/nix/store/x9wnkly3k1gkq580m90jjn32q9f05q2v-source/pkgs/top-level/default.nix:167:5`.
+Here `import` primop is called at `/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5`.

doc/manual/source/command-ref/env-common.md

@@ -57,11 +57,6 @@ Most Nix commands interpret the following environment variables:
 
   Overrides the location of the Nix store (default `prefix/store`).
 
-- <span id="env-NIX_DATA_DIR">[`NIX_DATA_DIR`](#env-NIX_DATA_DIR)</span>
-
-  Overrides the location of the Nix static data directory (default
-  `prefix/share`).
-
 - <span id="env-NIX_LOG_DIR">[`NIX_LOG_DIR`](#env-NIX_LOG_DIR)</span>
 
   Overrides the location of the Nix log directory (default

doc/manual/source/command-ref/files/default-nix-expression.md

@@ -39,11 +39,11 @@ This makes all subscribed channels available as attributes in the default expres
 A symlink that ensures that [`nix-env`] can find the current user's [channels]:
 
 - `~/.nix-defexpr/channels`
-- `$XDG_STATE_HOME/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
+- `$XDG_STATE_HOME/nix/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
 
 This symlink points to:
 
-- `$XDG_STATE_HOME/profiles/channels` for regular users
+- `$XDG_STATE_HOME/nix/profiles/channels` for regular users
 - `$NIX_STATE_DIR/profiles/per-user/root/channels` for `root`
 
 In a multi-user installation, you may also have `~/.nix-defexpr/channels_root`, which links to the channels of the root user.

doc/manual/source/command-ref/files/manifest.nix.md

@@ -114,9 +114,9 @@ Here is an example of how this file might look like after installing `hello` fro
   };
   name = "hello-2.12.1";
   out = {
-    outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
+    outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
   };
-  outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
+  outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
   outputs = [ "out" ];
   system = "x86_64-linux";
   type = "derivation";

doc/manual/source/command-ref/files/profiles.md

@@ -37,13 +37,13 @@ dr-xr-xr-x 4 root root 4096 Jan  1  1970 share
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/bin:
 total 20
-lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/ijm5k0zqisvkdwjkc77mb9qzb35xfi4m-chromium-86.0.4240.111/bin/chromium
+lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/cyxny9d1zjb9l9103fr6j6kavp3bqjxf-chromium-86.0.4240.111/bin/chromium
 lrwxrwxrwx 7 root root 87 Jan  1  1970 spotify -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/bin/spotify
 lrwxrwxrwx 3 root root 79 Jan  1  1970 zoom-us -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/bin/zoom-us
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/share/applications:
 total 12
-lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/4cf803y4vzfm3gyk3vzhzb2327v0kl8a-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
+lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/sqzyx2l85i6j2a77pnyvglh3bvzwmjjp-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
 lrwxrwxrwx 7 root root 110 Jan  1  1970 spotify.desktop -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/share/applications/spotify.desktop
 lrwxrwxrwx 3 root root 107 Jan  1  1970 us.zoom.Zoom.desktop -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/share/applications/us.zoom.Zoom.desktop
 

doc/manual/source/command-ref/nix-copy-closure.md

@@ -72,11 +72,11 @@ When using public key authentication, you can avoid typing the passphrase with `
 > $ storePath="$(nix-build '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello --no-out-link)"
 > $ nix-copy-closure --to alice@itchy.example.org "$storePath"
 > copying 5 paths...
-> copying path '/nix/store/nrwkk6ak3rgkrxbqhsscb01jpzmslf2r-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/gm61h1y42pqyl6178g90x8zm22n6pyy5-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/ddfzjdykw67s20c35i7a6624by3iz5jv-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/apab5i73dqa09wx0q27b6fbhd1r18ihl-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/g1n2vryg06amvcc1avb2mcq36faly0mh-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/h6q8sqsqfbd3252f9gixqn3z282wds7m-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/imnwvn96lw355giswsk36hx105j4wnpj-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/85301indj7scg34spnfczkz72jgv8wa9-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/ypwfsaljwhzw9iffiysxmxnhjj8v7np0-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/0dklv59zppdsqdvgf0qdvjgzcs5wbwxa-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
 > ```
 
 > **Example**

doc/manual/source/command-ref/nix-env/install.md

@@ -204,7 +204,7 @@ To install a specific [store derivation] (typically created by
 `nix-instantiate`):
 
 ```console
-$ nix-env --install /nix/store/fibjb1bfbpm5mrsxc4mh2d8n37sxh91i-gcc-3.4.3.drv
+$ nix-env --install /nix/store/8la6y31fmm6i4wfmby6avly1wf718xnj-gcc-3.4.3.drv
 ```
 
 To install a specific output path:
@@ -232,7 +232,7 @@ $ nix-env --file '<nixpkgs>' --install --attr hello --dry-run
 (dry run; not doing anything)
 installing ‘hello-2.10’
 this path will be fetched (0.04 MiB download, 0.19 MiB unpacked):
-  /nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10
+  /nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10
   ...
 ```
 

doc/manual/source/command-ref/nix-prefetch-url.md

@@ -76,7 +76,7 @@ $ nix-prefetch-url ftp://ftp.gnu.org/pub/gnu/hello/hello-2.10.tar.gz
 ```console
 $ nix-prefetch-url --print-path mirror://gnu/hello/hello-2.10.tar.gz
 0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i
-/nix/store/3x7dwzq014bblazs7kq20p9hyzz0qh8g-hello-2.10.tar.gz
+/nix/store/8alrpdaasjd1x6g1fczchmzbpqm936a3-hello-2.10.tar.gz
 ```
 
 ```console

doc/manual/source/command-ref/nix-store/add-fixed.md

@@ -34,6 +34,6 @@ This operation has the following options:
 
 ```console
 $ nix-store --add-fixed sha256 ./hello-2.10.tar.gz
-/nix/store/3x7dwzq014bblazs7kq20p9hyzz0qh8g-hello-2.10.tar.gz
+/nix/store/8alrpdaasjd1x6g1fczchmzbpqm936a3-hello-2.10.tar.gz
 ```
 

doc/manual/source/command-ref/nix-store/delete.md

@@ -27,7 +27,7 @@ paths in the store that refer to it (i.e., depend on it).
 # Example
 
 ```console
-$ nix-store --delete /nix/store/zq0h41l75vlb4z45kzgjjmsjxvcv1qk7-mesa-6.4
+$ nix-store --delete /nix/store/gjak3al7lj61x4gj6rln4f5pc5v0f67n-mesa-6.4
 0 bytes freed (0.00 MiB)
-error: cannot delete path `/nix/store/zq0h41l75vlb4z45kzgjjmsjxvcv1qk7-mesa-6.4' since it is still alive
+error: cannot delete path `/nix/store/gjak3al7lj61x4gj6rln4f5pc5v0f67n-mesa-6.4' since it is still alive
 ```

doc/manual/source/command-ref/nix-store/query.md

@@ -184,9 +184,9 @@ Print the build-time dependencies of `svn`:
 
 ```console
 $ nix-store --query --requisites $(nix-store --query --deriver $(which svn))
-/nix/store/02iizgn86m42q905rddvg4ja975bk2i4-grep-2.5.1.tar.bz2.drv
-/nix/store/07a2bzxmzwz5hp58nf03pahrv2ygwgs3-gcc-wrapper.sh
-/nix/store/0ma7c9wsbaxahwwl04gbw3fcd806ski4-glibc-2.3.4.drv
+/nix/store/y6qa66l9h0pw161crnlk6y16rdrcljx4-grep-2.5.1.tar.bz2.drv
+/nix/store/z716h753s97jhnzvfank2srqbljswpgm-gcc-wrapper.sh
+/nix/store/f39x0q73rjdyvzm93y9wrkfr6x39lb7f-glibc-2.3.4.drv
 ... lots of other paths ...
 ```
 
@@ -199,10 +199,10 @@ Show the build-time dependencies as a tree:
 ```console
 $ nix-store --query --tree $(nix-store --query --deriver $(which svn))
 /nix/store/7i5082kfb6yjbqdbiwdhhza0am2xvh6c-subversion-1.1.4.drv
-+---/nix/store/d8afh10z72n8l1cr5w42366abiblgn54-builder.sh
-+---/nix/store/fmzxmpjx2lh849ph0l36snfj9zdibw67-bash-3.0.drv
-|   +---/nix/store/570hmhmx3v57605cqg9yfvvyh0nnb8k8-bash
-|   +---/nix/store/p3srsbd8dx44v2pg6nbnszab5mcwx03v-builder.sh
++---/nix/store/vxnmkc8l8d2ijjha4xwhkfgx9vvc3q4c-builder.sh
++---/nix/store/rn9776dy82n5qrgz7xbcl1iw4vfkcrkk-bash-3.0.drv
+|   +---/nix/store/x9j20hz6bln1crzn55qifk0bbsm8v5ac-bash
+|   +---/nix/store/ajnn1mcm45wjvn0rlc22gvx2cwhjnazx-builder.sh
 ...
 ```
 

doc/manual/source/command-ref/nix-store/realise.md

@@ -76,7 +76,7 @@ This operation is typically used to build [store derivation]s produced by
 
 ```console
 $ nix-store --realise $(nix-instantiate ./test.nix)
-/nix/store/31axcgrlbfsxzmfff1gyj1bf62hvkby2-aterm-2.3.1
+/nix/store/6gwmy5jcnwdlz6aqqhksz863f1l8xc2w-aterm-2.3.1
 ```
 
 This is essentially what [`nix-build`](@docroot@/command-ref/nix-build.md) does.

doc/manual/source/development/building.md

@@ -3,6 +3,10 @@
 This section provides some notes on how to start hacking on Nix.
 To get the latest version of Nix from GitHub:
 
+> **Note**
+>
+> When checking out the repo on Windows, make sure you have the git setting `core.symlinks` enabled, before cloning, as there are symlinks in the repo.
+
 ```console
 $ git clone https://github.com/NixOS/nix.git
 $ cd nix

doc/manual/source/development/debugging.md

@@ -6,14 +6,7 @@ Additionally, see [Testing Nix](./testing.md) for further instructions on how to
 
 ## Building Nix with Debug Symbols
 
-In the development shell, set the `mesonBuildType` environment variable to `debug` before configuring the build:
-
-```console
-[nix-shell]$ export mesonBuildType=debugoptimized
-```
-
-Then, proceed to build Nix as described in [Building Nix](./building.md).
-This will build Nix with debug symbols, which are essential for effective debugging.
+In the development shell, `mesonBuildType` is set automatically to `debugoptimized`. This builds Nix with debug symbols, which are essential for effective debugging.
 
 It is also possible to build without optimization for faster build:
 

doc/manual/source/glossary.md

@@ -136,7 +136,7 @@
 
   > **Example**
   >
-  > `/nix/store/a040m110amc4h71lds2jmr8qrkj2jhxd-git-2.38.1`
+  > `/nix/store/jf6gn2dzna4nmsfbdxsd7kwhsk6gnnlr-git-2.38.1`
 
   See [Store Path](@docroot@/store/store-path.md) for details.
 

doc/manual/source/installation/building-source.md

@@ -6,14 +6,23 @@ It is broken up into multiple Meson packages, which are optionally combined in a
 There are no mandatory extra steps to the building process:
 generic Meson installation instructions like [this](https://mesonbuild.com/Quick-guide.html#using-meson-as-a-distro-packager) should work.
 
-The installation path can be specified by passing the `-Dprefix=prefix`
-to `configure`. The default installation directory is `/usr/local`. You
+```bash
+git clone https://github.com/NixOS/nix.git
+cd nix
+meson setup build
+cd build
+ninja
+(sudo) ninja install
+```
+
+The installation path can be specified by passing `-Dprefix=prefix`
+to `meson setup build`. The default installation directory is `/usr/local`. You
 can change this to any location you like. You must have write permission
 to the *prefix* path.
 
 Nix keeps its *store* (the place where packages are stored) in
 `/nix/store` by default. This can be changed using
-`-Dstore-dir=path`.
+`-Dlibstore:store-dir=path`.
 
 > **Warning**
 >

doc/manual/source/introduction.md

@@ -8,7 +8,7 @@ stores packages in the _Nix store_, usually the directory
 `/nix/store`, where each package has its own unique subdirectory such
 as
 
-    /nix/store/b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z-firefox-33.1/
+    /nix/store/q06x3jll2yfzckz2bzqak089p43ixkkq-firefox-33.1/
 
 where `b6gvzjyb2pg0…` is a unique identifier for the package that
 captures all its dependencies (it’s a cryptographic hash of the

doc/manual/source/language/advanced-attributes.md

@@ -338,7 +338,7 @@ Here is more information on the `output*` attributes, and what values they may b
     This will specify the output hash of the single output of a [fixed-output derivation].
 
     The `outputHash` attribute must be a string containing the hash in either hexadecimal or "nix32" encoding, or following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
-    The "nix32" encoding is an adaptation of base-32 encoding.
+    The ["nix32" encoding](@docroot@/protocols/nix32.md) is Nix's variant of base-32 encoding.
 
     > **Note**
     >

doc/manual/source/language/string-context.md

@@ -34,12 +34,12 @@ String context elements come in different forms:
     > [`builtins.storePath`] creates a string with a single constant string context element:
     >
     > ```nix
-    > builtins.getContext (builtins.storePath "/nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10")
+    > builtins.getContext (builtins.storePath "/nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10")
     > ```
     > evaluates to
     > ```nix
     > {
-    >   "/nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10" = {
+    >   "/nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10" = {
     >     path = true;
     >   };
     > }

doc/manual/source/language/string-interpolation.md

@@ -181,7 +181,7 @@ A derivation interpolates to the [store path] of its first [output](./derivation
 > "${pkgs.hello}"
 > ```
 >
->     "/nix/store/4xpfqf29z4m8vbhrqcz064wfmb46w5r7-hello-2.12.1"
+>     "/nix/store/qnlr7906z0mrl2syrkdbpicffq02nw07-hello-2.12.1"
 
 An attribute set interpolates to the return value of the function in the `__toString` applied to the attribute set itself.
 

doc/manual/source/language/syntax.md

@@ -51,6 +51,7 @@ See [String literals](string-literals.md).
 
   Path literals can also include [string interpolation], besides being [interpolated into other expressions].
 
+  [string interpolation]: ./string-interpolation.md
   [interpolated into other expressions]: ./string-interpolation.md#interpolated-expression
 
   At least one slash (`/`) must appear *before* any interpolated expression for the result to be recognized as a path.
@@ -272,7 +273,7 @@ will crash with an `infinite recursion encountered` error message.
 
 A let-expression allows you to define local variables for an expression.
 
-> *let-in* = `let` [ *identifier* = *expr* ]... `in` *expr*
+> *let-in* = `let` [ *identifier* = *expr* `;` ]... `in` *expr*
 
 Example:
 
@@ -285,6 +286,27 @@ in x + y
 
 This evaluates to `"foobar"`.
 
+There is also another, older, syntax for let expressions that should not be used in new code:
+
+> *let* = `let` `{` *identifier* = *expr* `;` [ *identifier* = *expr* `;`]...  `}`
+
+In this form, the attribute set between the `{` `}` is recursive.
+
+One of the attributes must have the special name `body`,
+which is the result of the expression.
+
+Example:
+
+```nix
+let {
+  foo = bar;
+  bar = "baz";
+  body = foo;
+}
+```
+
+This evaluates to "baz".
+
 ## Inheriting attributes
 
 When defining an [attribute set](./types.md#type-attrs) or in a [let-expression](#let-expressions) it is often convenient to copy variables from the surrounding lexical scope (e.g., when you want to propagate attributes).

doc/manual/source/package-management/binary-cache-substituter.md

@@ -19,17 +19,16 @@ whatever port you like:
 $ nix-serve -p 8080
 ```
 
-To check whether it works, try the following on the client:
+To check whether it works, try fetching the [`nix-cache-info`](@docroot@/protocols/nix-cache-info.md) file on the client:
 
 ```console
 $ curl http://avalon:8080/nix-cache-info
+StoreDir: /nix/store
+WantMassQuery: 1
+Priority: 30
 ```
 
-which should print something like:
-
-    StoreDir: /nix/store
-    WantMassQuery: 1
-    Priority: 30
+When writing to a binary cache (e.g., with [`nix copy`](@docroot@/command-ref/new-cli/nix3-copy.md)), Nix creates [`nix-cache-info`](@docroot@/protocols/nix-cache-info.md) automatically if it doesn't exist.
 
 On the client side, you can tell Nix to use your binary cache using
 `--substituters`, e.g.:

doc/manual/source/protocols/json/build-trace-entry.md

@@ -1,27 +1,21 @@
-{{#include build-trace-entry-v1-fixed.md}}
+{{#include build-trace-entry-v2-fixed.md}}
 
 ## Examples
 
 ### Simple build trace entry
 
 ```json
-{{#include schema/build-trace-entry-v1/simple.json}}
-```
-
-### Build trace entry with dependencies
-
-```json
-{{#include schema/build-trace-entry-v1/with-dependent-realisations.json}}
+{{#include schema/build-trace-entry-v2/simple.json}}
 ```
 
 ### Build trace entry with signature
 
 ```json
-{{#include schema/build-trace-entry-v1/with-signature.json}}
+{{#include schema/build-trace-entry-v2/with-signature.json}}
 ```
 
 <!--
 ## Raw Schema
 
-[JSON Schema for Build Trace Entry v1](schema/build-trace-entry-v1.json)
--->
+[JSON Schema for Build Trace Entry v1](schema/build-trace-entry-v2.json)
+-->

doc/manual/source/protocols/json/meson.build

@@ -17,7 +17,7 @@ schemas = [
   'derivation-v4',
   'derivation-options-v1',
   'deriving-path-v1',
-  'build-trace-entry-v1',
+  'build-trace-entry-v2',
   'build-result-v1',
   'store-v1',
 ]

doc/manual/source/protocols/json/schema/build-result-v1.yaml

@@ -83,7 +83,7 @@ properties:
         description: |
           A mapping from output names to their build trace entries.
         additionalProperties:
-          "$ref": "build-trace-entry-v1.yaml"
+          "$ref": "build-trace-entry-v2.yaml"
 
   failure:
     type: object

doc/manual/source/protocols/json/schema/build-trace-entry-v2.yaml

@@ -1,5 +1,5 @@
 "$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/build-trace-entry-v1.json"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/build-trace-entry-v2.json"
 title: Build Trace Entry
 description: |
   A record of a successful build outcome for a specific derivation output.
@@ -11,10 +11,17 @@ description: |
   > This JSON format is currently
   > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-ca-derivations)
   > and subject to change.
+
+  Verision history:
+
+  - Version 1: Original format
+
+  - Version 2: Remove `dependentRealisations`
+
+type: object
 required:
   - id
   - outPath
-  - dependentRealisations
   - signatures
 allOf:
   - "$ref": "#/$defs/key"
@@ -22,9 +29,11 @@ allOf:
 properties:
   id: {}
   outPath: {}
-  dependentRealisations: {}
   signatures: {}
-additionalProperties: false
+additionalProperties:
+  dependentRealisations:
+    description: deprecated field
+    type: object
 
 "$defs":
   key:
@@ -60,7 +69,6 @@ additionalProperties: false
     type: object
     required:
       - outPath
-      - dependentRealisations
       - signatures
     properties:
       outPath:
@@ -69,19 +77,6 @@ additionalProperties: false
         description: |
           The path to the store object that resulted from building this derivation for the given output name.
 
-      dependentRealisations:
-        type: object
-        title: Underlying Base Build Trace
-        description: |
-          This is for [*derived*](@docroot@/store/build-trace.md#derived) build trace entries to ensure coherence.
-
-          Keys are derivation output IDs (same format as the main `id` field).
-          Values are the store paths that those dependencies resolved to.
-
-          As described in the linked section on derived build trace traces, derived build trace entries must be kept in addition and not instead of the underlying base build entries.
-          This is the set of base build trace entries that this derived build trace is derived from.
-          (The set is also a map since this miniature base build trace must be coherent, mapping each key to a single value.)
-
         patternProperties:
           "^sha256:[0-9a-f]{64}![a-zA-Z_][a-zA-Z0-9_-]*$":
             "$ref": "store-path-v1.yaml"

doc/manual/source/protocols/json/schema/derivation-v4.yaml

@@ -94,8 +94,8 @@ properties:
           >
           > ```json
           > "srcs": [
-          >   "47y241wqdhac3jm5l7nv0x4975mb1975-separate-debug-info.sh",
-          >   "56d0w71pjj9bdr363ym3wj1zkwyqq97j-fix-pop-var-context-error.patch"
+          >   "b8nwz167km1yciqpwzjj24f8jcy8pq1h-separate-debug-info.sh",
+          >   "ihzmilr413r8fb3ah30yjnhlb18c1laz-fix-pop-var-context-error.patch"
           > ]
           > ```
         items:
@@ -140,7 +140,7 @@ properties:
     description: |
       Absolute path of the program used to perform the build.
       Typically this is the `bash` shell
-      (e.g. `/nix/store/r3j288vpmczbl500w6zz89gyfa4nr0b1-bash-4.4-p23/bin/bash`).
+      (e.g. `/nix/store/p4xlj4imjbnm4v0x5jf4qysvyjjlgq1d-bash-4.4-p23/bin/bash`).
 
   args:
     type: array

doc/manual/source/protocols/json/schema/store-path-v1.yaml

@@ -24,7 +24,7 @@ description: |
 
   The format follows this pattern: `${digest}-${name}`
 
-  - **hash**: Digest rendered in a custom variant of [Base32](https://en.wikipedia.org/wiki/Base32) (20 arbitrary bytes become 32 ASCII characters)
+  - **hash**: Digest rendered in [Nix32](@docroot@/protocols/nix32.md), a variant of base-32 (20 hash bytes become 32 ASCII characters)
   - **name**: The package name and optional version/suffix information
 
 type: string

doc/manual/source/protocols/json/schema/store-v1.yaml

@@ -70,7 +70,7 @@ properties:
       "^[A-Za-z0-9+/]{43}=$":
         type: object
         additionalProperties:
-          "$ref": "./build-trace-entry-v1.yaml#/$defs/value"
+          "$ref": "./build-trace-entry-v2.yaml#/$defs/value"
     additionalProperties: false
 
 "$defs":

doc/manual/source/protocols/nix-cache-info.md

@@ -0,0 +1,55 @@
+# Nix Cache Info Format
+
+The `nix-cache-info` file is a metadata file at the root of a [binary cache](@docroot@/package-management/binary-cache-substituter.md) (e.g., `https://cache.example.com/nix-cache-info`).
+
+MIME type: `text/x-nix-cache-info`
+
+## Format
+
+Line-based key-value format:
+
+```
+Key: value
+```
+
+Leading and trailing whitespace is trimmed from values.
+Lines without a colon are ignored.
+Unknown keys are silently ignored.
+
+## Fields
+
+### `StoreDir`
+
+The Nix store directory path that this cache was built for (e.g., `/nix/store`).
+
+If present, Nix verifies that this matches the client's store directory:
+
+```
+error: binary cache 'https://example.com' is for Nix stores with prefix '/nix/store', not '/home/user/nix/store'
+```
+
+### `WantMassQuery`
+
+`1` or `0`. Sets the default for [`want-mass-query`](@docroot@/store/types/http-binary-cache-store.md#store-http-binary-cache-store-want-mass-query).
+
+### `Priority`
+
+Integer. Sets the default for [`priority`](@docroot@/store/types/http-binary-cache-store.md#store-http-binary-cache-store-priority).
+
+## Example
+
+```
+StoreDir: /nix/store
+WantMassQuery: 1
+Priority: 30
+```
+
+## Caching Behavior
+
+Nix caches `nix-cache-info` in the [cache directory](@docroot@/command-ref/env-common.md#env-NIX_CACHE_HOME) with a 7-day TTL.
+
+## See Also
+
+- [HTTP Binary Cache Store](@docroot@/store/types/http-binary-cache-store.md)
+- [Serving a Nix store via HTTP](@docroot@/package-management/binary-cache-substituter.md)
+- [`substituters`](@docroot@/command-ref/conf-file.md#conf-substituters)

doc/manual/source/protocols/nix32.md

@@ -0,0 +1,19 @@
+# Nix32 Encoding
+
+Nix32 is Nix's variant of base-32 encoding, used for [store path digests](@docroot@/protocols/store-path.md), hash output via [`nix hash`](@docroot@/command-ref/new-cli/nix3-hash.md), and the [`outputHash`](@docroot@/language/advanced-attributes.md#adv-attr-outputHash) derivation attribute.
+
+## Alphabet
+
+The Nix32 alphabet consists of these 32 characters:
+
+```
+0 1 2 3 4 5 6 7 8 9 a b c d f g h i j k l m n p q r s v w x y z
+```
+
+The letters `e`, `o`, `u`, and `t` are omitted.
+
+## Byte Order
+
+Nix32 encoding processes the hash bytes from the end (last byte first), while base-16 encoding processes from the beginning (first byte first).
+
+Consequently, the string sort order is determined primarily by the first bytes for base-16, and by the last bytes for Nix32.

doc/manual/source/protocols/store-path.md

@@ -20,12 +20,11 @@ where
 
 - `store-dir` = the [store directory](@docroot@/store/store-path.md#store-directory)
 
-- `digest` = base-32 representation of the compressed to 160 bits [SHA-256] hash of `fingerprint`
+- `digest` = base-32 representation of the compressed to 160 bits [SHA-256] hash of `fingerprint`.
 
-For the definition of the hash compression algorithm, please refer to the section 5.1 of
-the [Nix thesis](https://edolstra.github.io/pubs/phd-thesis.pdf), which also defines the
-specifics of base-32 encoding. Note that base-32 encoding processes the hash bytestring from
-the end, while base-16 processes in from the beginning.
+  Nix uses a custom base-32 encoding called [Nix32](@docroot@/protocols/nix32.md).
+
+  For the definition of the hash compression algorithm, please refer to section 5.1 of the [Nix thesis](https://edolstra.github.io/pubs/phd-thesis.pdf).
 
 ## Fingerprint
 

doc/manual/source/release-notes/rl-0.12.md

@@ -80,7 +80,7 @@
           ...
         the following paths will be downloaded/copied (30.02 MiB):
           /nix/store/4m8pvgy2dcjgppf5b4cj5l6wyshjhalj-samba-3.2.4
-          /nix/store/7h1kwcj29ip8vk26rhmx6bfjraxp0g4l-libunwind-0.98.6
+          /nix/store/spc1m987vlibchdx369qwa391s738s7l-libunwind-0.98.6
           ...
 
   - Language features:

doc/manual/source/release-notes/rl-0.8.md

@@ -63,7 +63,7 @@ Nix 0.8 has the following improvements:
     can query all paths that directly or indirectly use a certain Glibc:
 
         $ nix-store -q --referrers-closure \
-            /nix/store/8lz9yc6zgmc0vlqmn2ipcpkjlmbi51vv-glibc-2.3.4
+            /nix/store/1a6mdrjz4wn7b9sfmcw5ggbk1mi281mh-glibc-2.3.4
 
   - The concept of fixed-output derivations has been formalised.
     Previously, functions such as `fetchurl` in Nixpkgs used a hack

doc/manual/source/release-notes/rl-2.0.md

@@ -66,7 +66,7 @@ This release has the following new features:
 
             nix copy --to ssh://machine nixpkgs.hello
 
-            nix copy --to ssh://machine /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
+            nix copy --to ssh://machine /nix/store/qbhyj3blxpw2i6pb7c6grc9185nbnpvy-hello-2.10
 
             nix copy --to ssh://machine '(with import <nixpkgs> {}; hello)'
 
@@ -187,7 +187,7 @@ This release has the following new features:
         former is primarily useful in conjunction with remote stores,
         e.g.
 
-            nix ls-store --store https://cache.nixos.org/ -lR /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
+            nix ls-store --store https://cache.nixos.org/ -lR /nix/store/qbhyj3blxpw2i6pb7c6grc9185nbnpvy-hello-2.10
 
         lists the contents of path in a binary cache.
 

doc/manual/source/release-notes/rl-2.13.md

@@ -25,7 +25,7 @@
 * Allow explicitly selecting outputs in a store derivation installable, just like we can do with other sorts of installables.
   For example,
   ```shell-session
-  # nix build /nix/store/gzaflydcr6sb3567hap9q6srzx8ggdgg-glibc-2.33-78.drv^dev
+  # nix build /nix/store/fpq78s2h8ffh66v2iy0q1838mhff06y8-glibc-2.33-78.drv^dev
   ```
   now works just as
   ```shell-session

doc/manual/source/release-notes/rl-2.15.md

@@ -18,13 +18,13 @@
 
   For example,
   ```shell-session
-  $ nix path-info /nix/store/gzaflydcr6sb3567hap9q6srzx8ggdgg-glibc-2.33-78.drv
+  $ nix path-info /nix/store/fpq78s2h8ffh66v2iy0q1838mhff06y8-glibc-2.33-78.drv
   ```
 
   now gives info about the derivation itself, while
 
   ```shell-session
-  $ nix path-info /nix/store/gzaflydcr6sb3567hap9q6srzx8ggdgg-glibc-2.33-78.drv^*
+  $ nix path-info /nix/store/fpq78s2h8ffh66v2iy0q1838mhff06y8-glibc-2.33-78.drv^*
   ```
   provides information about each of its outputs.
 

doc/manual/source/release-notes/rl-2.19.md

@@ -45,7 +45,7 @@
     ```json5
     [
       {
-        "path": "/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15",
+        "path": "/nix/store/fvqsvk65d38p8qqir371ii0hyqxvjcw6-bash-5.2-p15",
         "valid": true,
         // ...
       },
@@ -60,7 +60,7 @@
 
     ```json5
     {
-      "/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15": {
+      "/nix/store/fvqsvk65d38p8qqir371ii0hyqxvjcw6-bash-5.2-p15": {
         // ...
       },
       "/nix/store/wffw7l0alvs3iw94cbgi1gmmbmw99sqb-home-manager-path": null,

doc/manual/source/release-notes/rl-2.20.md

@@ -182,7 +182,7 @@
   «partially applied primop map»
 
   nix-repl> builtins.trace lib.id "my-value"
-  trace: «lambda id @ /nix/store/8rrzq23h2zq7sv5l2vhw44kls5w0f654-source/lib/trivial.nix:26:5»
+  trace: «lambda id @ /nix/store/kgr5lnaiiv08wb7k324yv1i1npjmrvjc-source/lib/trivial.nix:26:5»
   "my-value"
   ```
 

doc/manual/source/release-notes/rl-2.33.md

@@ -180,6 +180,21 @@ Additionally the following fields are added to both formats:
 
 The derivation JSON format has been updated from version 3 to version 4:
 
+- **Nested structure with top-level metadata**:
+
+  The output of `nix derivation show` is now wrapped in an object with `version` and `derivations` fields:
+
+  ```json
+  {
+    "version": 4,
+    "derivations": { ... }
+  }
+  ```
+
+  The map from derivation paths to derivation info is nested under the `derivations` field.
+
+  This matches the structure used for `nix path-info --json --json-format 2`, and likewise brings this command into compliance with the JSON guidelines.
+
 - **Restructured inputs**:
 
   Inputs are now nested under an `inputs` object:

doc/manual/source/store/store-path.md

@@ -2,7 +2,7 @@
 
 > **Example**
 >
-> `/nix/store/a040m110amc4h71lds2jmr8qrkj2jhxd-git-2.38.1`
+> `/nix/store/jf6gn2dzna4nmsfbdxsd7kwhsk6gnnlr-git-2.38.1`
 >
 > A rendered store path
 
@@ -22,7 +22,7 @@ Store paths are pairs of
 
 > **Example**
 >
-> - Digest: `b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z`
+> - Digest: `q06x3jll2yfzckz2bzqak089p43ixkkq`
 > - Name:   `firefox-33.1`
 
 To make store objects accessible to operating system processes, stores have to expose store objects through the file system.
@@ -31,14 +31,14 @@ A store path is rendered to a file system path as the concatenation of
 
 - [Store directory](#store-directory) (typically `/nix/store`)
 - Path separator (`/`)
-- Digest rendered in a custom variant of [Base32](https://en.wikipedia.org/wiki/Base32) (20 arbitrary bytes become 32 ASCII characters)
+- Digest rendered in [Nix32](@docroot@/protocols/nix32.md), a variant of base-32 (20 hash bytes become 32 ASCII characters)
 - Hyphen (`-`)
 - Name
 
 > **Example**
 >
 > ```
->   /nix/store/b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z-firefox-33.1
+>   /nix/store/q06x3jll2yfzckz2bzqak089p43ixkkq-firefox-33.1
 >   |--------| |------------------------------| |----------|
 > store directory            digest                 name
 > ```

doc/manual/source/store/types/index.md.in

@@ -8,7 +8,7 @@ Stores are specified using a URL-like syntax. For example, the command
 
 ```console
 # nix path-info --store https://cache.nixos.org/ --json \
-  /nix/store/a7gvj343m05j2s32xcnwr35v31ynlypr-coreutils-9.1
+  /nix/store/1542dip9i7k4f24y6hqgd04hmvid9hr5-coreutils-9.1
 ```
 
 fetches information about a store path in the HTTP binary cache

flake.lock

@@ -3,15 +3,15 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "owner": "edolstra",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
         "type": "github"
       },
       "original": {
-        "owner": "edolstra",
+        "owner": "NixOS",
         "repo": "flake-compat",
         "type": "github"
       }
@@ -63,15 +63,15 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763948260,
-        "narHash": "sha256-zZk7fn2ARAqmLwaYTpxBJmj81KIdz11NiWt7ydHHD/M=",
-        "rev": "1c8ba8d3f7634acac4a2094eef7c32ad9106532c",
+        "lastModified": 1771043024,
+        "narHash": "sha256-WoiezqWJQ3OHILah+p6rzNXdJceEAmAhyDFZFZ6pZzY=",
+        "rev": "3aadb7ca9eac2891d52a9dec199d9580a6e2bf44",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.05/nixos-25.05.813095.1c8ba8d3f763/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.5960.3aadb7ca9eac/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz"
+        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
       }
     },
     "nixpkgs-23-11": {

flake.nix

@@ -1,12 +1,12 @@
 {
   description = "The purely functional package manager";
 
-  inputs.nixpkgs.url = "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz";
+  inputs.nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz";
 
   inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
   inputs.nixpkgs-23-11.url = "github:NixOS/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446";
   inputs.flake-compat = {
-    url = "github:edolstra/flake-compat";
+    url = "github:NixOS/flake-compat";
     flake = false;
   };
 
@@ -115,6 +115,9 @@
                     }
                     // lib.optionalAttrs (crossSystem == "x86_64-unknown-freebsd13") {
                       useLLVM = true;
+                    }
+                    // lib.optionalAttrs (crossSystem == "x86_64-w64-mingw32") {
+                      emulator = pkgs: "${pkgs.buildPackages.wineWow64Packages.stable_11}/bin/wine";
                     };
                 overlays = [
                   (overlayFor (pkgs: pkgs.${stdenv}))
@@ -406,6 +409,8 @@
 
               "nix-cmd" = { };
 
+              "nix-nswrapper" = { };
+
               "nix-cli" = { };
 
               "nix-everything" = { };
@@ -418,10 +423,6 @@
                 supportsCross = false;
               };
 
-              "nix-kaitai-struct-checks" = {
-                supportsCross = false;
-              };
-
               "nix-perl-bindings" = {
                 supportsCross = false;
               };

maintainers/flake-module.nix

@@ -88,16 +88,23 @@
               ''^tests/functional/lang/eval-fail-path-slash\.nix$''
               ''^tests/functional/lang/eval-fail-toJSON-non-utf-8\.nix$''
               ''^tests/functional/lang/eval-fail-set\.nix$''
+
+              # Language tests, don't churn the formatting of strings
+              ''^tests/functional/lang/eval-fail-fromTOML-overflow\.nix$''
+              ''^tests/functional/lang/eval-fail-fromTOML-underflow\.nix$''
+              ''^tests/functional/lang/eval-fail-bad-string-interpolation-3\.nix$''
+              ''^tests/functional/lang/eval-fail-bad-string-interpolation-4\.nix$''
+              ''^tests/functional/lang/eval-okay-regex-match2\.nix$''
             ];
           };
           clang-format = {
             enable = true;
             # https://github.com/cachix/git-hooks.nix/pull/532
-            package = pkgs.llvmPackages_latest.clang-tools;
+            package = pkgs.llvmPackages_21.clang-tools;
             excludes = [
               # We don't want to format test data
               # ''tests/(?!nixos/).*\.nix''
-              ''^src/[^/]*-tests/data/.*$''
+              "^src/[^/]*-tests/data/.*$"
 
               # Don't format vendored code
               ''^doc/manual/redirects\.js$''

maintainers/invalidate-store-paths.sh

@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -euo pipefail
+set -x
+
+git ls-files -z \
+    | xargs -0 grep -o '[0123456789abcdfghijklmnpqrsvwxyz]\{32\}' 2> /dev/null \
+    | rev \
+    | cut -d: -f1 \
+    | rev \
+    | sort \
+    | uniq \
+    | while read -r oldhash; do
+        if ! curl --fail -I "https://cache.nixos.org/$oldhash.narinfo" > /dev/null 2>&1; then
+            continue
+        fi
+
+        newhash=$(
+            nix eval --expr "builtins.toFile \"006c6ssvddri1sg34wnw65mzd05pcp3qliylxlhv49binldajba5\" \"$oldhash\"" \
+                | cut -d- -f1 \
+                | cut -d/ -f4
+        )
+
+        msg=$(printf "bad: %s -> %s" "$oldhash" "$newhash")
+        echo "$msg"
+        git ls-files -z \
+            | xargs -0 grep -a -l "$oldhash" 2> /dev/null \
+            | while read -r file; do
+                [ -L "$file" ] && continue
+                perl -pi -e "s/$oldhash/$newhash/g" "$file" || true
+            done || true
+        git commit -am "$msg"
+    done

maintainers/keys/158A6F530EA202E5F651611314FAEA63448E1DF9.asc

@@ -0,0 +1,110 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGPtMiwBEAC0sFZW2QW/OaDjKm5zGRpDvHXDsMIUtlHfoi5ce8pocC63W05o
+FSXbUZjZ1VfYO8lT8DFANCzTkiXYaZx0cPRG2pVY4AOQZDNFt5XrAyvw496XCAIM
+DTYGFLjCqgjPt9RUFEy4MyHPJTEpB0x3rXgT4ILNu9vsj9Q0vttps7SpbZ3Ldq5H
+o/BBbLW77q/vNjpYzCbBIXF7ycUGpnNv9Go/WuiDnrBMcyxh+8kjjIHB5cxZSnjJ
+DUv681+m83v+gLZQGX/jexQrrf5JpS0X9qEnhGLrNUDhtyv5ud3Je4EfamkjLVVC
+RlNLofgflOCsl/tP80i+K7S1QdKhUALxuJ6H0prYUflGBDxDyC8XYuJ62TT0OUpa
+vJvgwVlCq8/jq+ykYQXlbuBVOzi5wAuI4l3+HqreSQYPSiwe+6N590Zbafdv1fvN
+WFtZKCTGMqfyaaAnppioH9/+NWkI2AQxaYVasYM/JEYvY9pJgA7alh51jHW4JglP
+ErypKfBKPKJID0QENqYoa3bDDCihuNWhgQf9dxzPlj2ckd35Zb6w4DfuSmtjaa9D
+o0jZVY1JbFuxBqP09+saVPrxLHgmPxjcdzPGQQtAqdO2vyJXNEGLFMoVEZPNaLo3
+QmcIJnT7oSck+4vGfOYtWUHXQynu/Tnwsv2XkA/uyw8HNe+RRMqv/apnzQARAQAB
+tCdTZXJnZWkgWmltbWVybWFuIDxzZXJnZWlAemltbWVybWFuLmZvbz6JAlEEEwEK
+ADsCGwEFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQVim9TDqIC5fZRYRMU+upj
+RI4d+QUCaUbsaAIZAQAKCRAU+upjRI4d+VdDD/492HRaJ/8V7R7VUzkafmb2Hb28
+SLf7oiB8Uq9I7SukiDEaIT1fUhquYWQ9KWpPRNR1TX6ApXnIeuJRMGFoDVIRnmnr
+cKnYYXfqqc81VxIyKvaumB7KWbS7G4Nbor8AH1ouOOOMMS50OTJOWQA4A26inIuG
+n+7L8MeS5aT+3uNKDoTKsidC47vnaxNMcke1taPfbfo7vn69PsRCM/g9/7TQYU8b
+6xp+pM9Ao9nJneRk2YCpsGYRrWTpaik0DFKnfpPKJM/yunhtGLF2IYAp3l1mvHPK
+nnzo92zjpQuZwazEIK+23V1vRT4IjM2BewbJPAzf2/UuxEjjgNQm0tOtH2JhFNeB
+VM0BVrGxWrrwrsmv6lWghTtBc6zRWyHrj/rpjtVQNmeKYrHWJeXwVz1rqgGPmB2N
+k0MZD1UjHHhEs1Cntn7yLmxTPztRJCtR+euRu81Uo2NAvrMJ4xsDjaM0LeLTnzjV
+9AsPjD188dOFyz7VExZum4+XaaEJ41FIPLEqU3U0GAa6stEy0ylSlIN4x9aiXXVW
+xfzHHchS5jK6QAjuZxN8t01GRactNylINRf7uoTECFZTtXNqfeuk0HQxBH0LuKVE
+0PxJbcNI4mVWw1KgTJ8PUVC1IXP3sEpqPdJOYiRXgnpcS26fWOBu0aQ4mhxiaJhr
+/zBfrkLEqp20TdNDZLkCDQRj7TM1ARAAt73xO24curnHTTgXkkVMMRzcMLx3Mb1a
+2FuddxC5hzTpEpw01L91UBrXVJEg9K2KAwP5CtCLgPCqXr47Tm7krvHxWwBksgY/
+6aHRsoPQfCFUZHc0aiO+C4NCzR+aEeGKn66Oc1Hq9oUTpDgiBWhsuEPiyA1OSGF0
+4L0jeTCqfm68kWp4PIK9yuugkdDsoyj6TonuMsb3V5ctHLqop9KH+eHSkUTPo+Lk
++bxaeAOJ1UfbohgbRbrYKAfsaghhOMDH3R1w2pvtUJz+sDbuQsiPFTqbxsXDTFws
+H4N/AQCYnnvOhqEek2sOEZ19bJXt5UrAr10mX4PGmAkWqE1JWBxpOKG3BXSGOTu1
+3dFhQfPMK+PmvUrs0kcWQr53K/aRUdKKhIfTcMfkqYTGPK5HclHph24WjXj3QFFA
+SjksQTdm6486ZmLZK4CTbAFOPfTF/aWg8gu9v4ihdq6lqHNNXxv2xBAChcd59H7p
+D5zy9z8SpwWR9V5JDmlF6HWIIau1c6lSsQq1xHvYM8EuPe03vJvor+2u/cn5zYF1
+5ZxAuPI2i5vtavg1s8ZGAAogJ9dVcP36LdJfL9quXWvmovkd//qHIepBB+l/zQio
+ZRDZlIcfV3Xycaqsb5OqHGARHE0097koipMt5y/iXlqG4Ruue6Idb8bW96EKpaWj
+kKy/iNfQfQMAEQEAAYkEcgQYAQoAJgIbAhYhBBWKb1MOogLl9lFhExT66mNEjh35
+BQJpRuz3BQkJHCDCAkDBdCAEGQEKAB0WIQRK3hK0WyJ4BicGpcmpsLVXymMjJQUC
+Y+0zNQAKCRCpsLVXymMjJbdSD/9+f1FOOeGDAJI6Duo5fsWnf4xJJdtQtDbz6d2A
+SeDapxeJ3zWfKBD0wu5sISEa0uiWsYSmLtsa2SqVAKHlEaMGRR+tkBMPQ+rvgI4c
+62YjGTgm+IPd+NFIn+ixFU1hpinTh+KhUEoeOwWCvKs9nZfSG9vkienfiG0bBxo2
+zrvBzXA50x5hbUL+ghKu/AVfN9qZDwh30O4KZTwk4g4cM9SeaQa4YvHYIS3IEhDZ
+hGybwrrqV9cs92ln4IJw9WCy9QReBNrdeFgC4+3ziUp1QsG3RvqrtuMttwBVC1Z3
+bj5QjLLOREhhodfvk98t9yVkragObb4rGrLo1mWuF0c4mJGvXwnrqhCMvzv4M+0T
+Zdrmw6YpGkGOaOPghVuwoTtqSAkl+zFWIJS89jidvkYG3EqKAkgLKog/TQReCq13
+HWrF8cMck+Rf2K8k26q/RNZaA9ZUKjLExzz8lsWmd2C7rvkGLrlxnzxz0gGyNR3Q
+KK74vcPhqeABt2GSkHtEXZFFA9IVVzwlRWK3e0S+mVQnZVjNL+cBPn3/hZHMLesB
+CucyYZv+DxvT+JkYXBkGSw4s3hpABqGym7gdPUIa0q4rbBFG6xP5sLLBG4yru8vV
+2dyCMmFqRuxpT49uNfyQ6Vj+dobN6qHnP/9NwfzOixXYBHXR6LBqb/M+iCiJaaIn
+uiRLHwkQFPrqY0SOHfkQpA//W51vj8meuz7snRO+vZFcjLneFFzqfh1Jdz8IqDpO
+CkI5pBJmi8e0oSe6r68MkahiQLlYPwm7d+sjHvJhPWipNKWq/uwCgBs+Ac1lpPXR
+MwLbrZukcLMYlLmb2MrCKmjcMt0BZsZKBNYL3a3X9nHgwXdeqFYS4WQDMCCc09lz
+9YqfdoEsqRO4qN7D0hFqnwjOzb34ixZ6UO8a8ekY9QKxAgWc9fJWGMg6Pjdg4qsK
+nqymOIAdGVOJdoRM46wKGVBvbsF2gNfQU4XyzgJo5vHGFwJm6EoSnODlL5e2wsQh
+uN1oqBt/8ef/plloMEqVBweUBATqSqjRF6IhhYJvWVuQHQL1p1vnV9FebiVj34ir
+Z8ID+o0AnTJcclbUcDwannGJ0cuDcPhk/v/ahVuoMERCi12qnMBo5B/e6Omyh1yB
+4pbf4GATGGQipDQG75eC/kP2GQEqJP5WYN0Ar8Le/AA/2xyL7upW0yIByyXCwGEb
+JRwEgU3+bPyu58bFt8Pftit6J7rA3oBVVMOPrYH5eZwRaj5m2RptwKGL6BfHnhNv
+ZqmCq9EBGX6L1NI0xHMjEFfXJ8jU01XdfG8nCqkwqsHwslXLhqjJphfHcx89YwbV
+/15GCuURAv1cKe/7277sOhcvP/QpQqSWgvYExHw8PeFJcTYtF2NrRgNwcQsWS1Rj
+gXa5Ag0EY+0zcAEQANC5N6kSfezuucAgi+X3BD+MT37mxQyvICSggEJf1LDSmy0+
+bnvD7setL8CP9etTA2fcVNYKI1oboMyhoCnsRP2jDdv1iXOI/hZg4wSb/D1yUkae
+fUpxv3Wuci2QKavH2MfraDD7BFMbsQeMcHtn4Rk216T6jndZHnzT1Ih7iX0XeQPb
+li5fojOiZssgWAVT4HPXFCJB6lI35Hjp35oRYwrtMmu5INinZ79n9h1igGtt1ItZ
+b7rQKNd772Jxcn4UU71ovORSL/xT5i5sxZ+evQOxkpqUAokMOFaoHcOXLmA1NsFv
+yryXHK4Ioq9ap2jKlLTWkJWjua9JZ4AmKhbvT8X4ELxIKSCAdJKAWP8ZHbXNu5MD
+aznyzZQLxSO7uFvu356De75mI5iohZNj5wB5Wju71pBiorTKVj4+iJ4e+xVIzFdG
+hFC0DehNcl2t9w/y8qHwIQ1yUAjXHLXq0/2jsVeH6bU5q/MsgvUP1jcFe0eyOpxy
+CDvyFdzZFbI57TnB/fvcZTRZ5ewXMFpH8gzuoFzAjUAP95UjYKgaGdrNPNIy28Ii
+4zhvdghei2+n9jgiMfcGQg8lyfH5yF0vWWWynX0KcJsRwEZoL2EauVdwq4PcYOoU
+pQFhpcreCjD4LdZ4yRU4InbhcUogXjrQ9Dz01TbPmQD5b5iso21bCEFBXrhzABEB
+AAGJAjwEGAEKACYCGwwWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwg
+hwAKCRAU+upjRI4d+X/XD/sH5xvHPfTJq52v8weFmB52up+DzqG2lyhGdoUQ1Muw
+dRDLTLXLJrFdfpoOo7/j4Scr0rdc7/dpCn0DLcPuCoPxu+SkjEnVehFmZrGSv7Ga
+x9dHr3DBh42fdlX/U/EnDuyosY0JU1gNF2/6FIA+bTTOFE3RxfN906RjslYQDjMZ
+UAlSeLYHOZofdltI0YIr32vrxgdWQGZXPxU4XusDUc0z163OO+TGg7iUNWFZP5Qj
+ubM7e0YbDX0NPIshk8us99YJmrWnhaix1/W5ryO3DXiGaQ7XFi9u7QofRqvRIctg
+QXavdepkzJow9V9qpMECAJePIuICq7rm+xy+njjbuF436W7390bfVBwRr+FPADsl
+jgQP4KvY5rykss30kheom8wNEbveWkhH5oTfH9b7O4KXJfpfJzrlgOWp2BD9JL8t
+/M4HvFXTr2a75H/QbHK5OFrZeGATuv9OTxv7EZvnrPXU+DYTFldpu7TrNNqKCoj3
+ZyXmc3Hhg5kskDhfHJppaeOayuhMOpT3ud1MFzROY5SLVIH8rBR12KUgsCUYQcGs
+Iy0+0QvEGkjb4cAH1NK3VlbqVNsy1RmqRt2B28R2ueewDfTOoqkzt4MmzLqTdnAx
+mTqmHmkEKhEf3K4MRNUPO2yieUg2COk5l6x9HhAnoxxeOZrTmcMsPY/UViG2HEPm
+ybkCDQRj7TRDARAA9DZuKdfKq4Bs2+NwxC0aplljWOl8VIsEVg+Q8agD7/HU6/b6
+Dry0njtWybn2x6Axf/nUdeOC01Fi1lmht/fpj6mRkgAvd/V6P10xnsUoykPSDSTh
+P25MFFGW3JAA82bwdJ4AJpEQvTZG2nTb3237vlBiI1qHQrac8GYkju2O4UfySRN6
+7cyi7bMf2pjWBBOEhaNy4b6CMDsb32P/N5J7sTE/TXgrS+u4ITIgjzSrkUkh5Z+B
+8QVRa7xPIDZJdvZWTEXWu5fgRPZvxbr154GIkWJkFzlDoB1UcO56/uzRUuKhEV6o
+HW3LMUuWdPMjpHpq8hrL0G2rDniJFUtbDFzHdZK1LUU3T2BJM8rjI3D/euph+IDT
+27vl5qo72zCYE/iKzx4FMLZcQvx1kUAxkPX8l+dzZEwKeRIIpFDxQvatRtl+z0bM
+jbkpDb+Yjv66sC4dYRpgTTGX6rok0PWHR3IxDNzyf2j8zQ4LFJ+rVBM1GjGSt6mG
+j9TeL8CVeiSp4SuJ7I/FJVPHsKb50m+BDzeB31qTydNqh2kKr0DVAUa+TUsCr7e0
+OYr8WE2adJcRXIW0qw50xXF+W7/05GqSCVD0dpeOUdBTQTsSkQmM3/0hcj9aVo9e
+UDCM9RF0WRqiDAoHzJFfg+ztamkQI5HO6CklC4Ok22qrHRf6HDNYSuT6QFkAEQEA
+AYkCPQQYAQoAJwMbIAQWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwf
+tAAKCRAU+upjRI4d+Y+cD/9yllG6uo934pcHNsVppZBfREFwSc8ywlbosCuSVpay
+PjSqgrWwDrnqrsk0F2kUdC6rR3BIcXbn+lA9KqylH+cCXAJCkh8EDq6TlQ7Lt5EV
+w1U0MAMXOyxPwDymQ/BO+iDyjXWkRRYgbF5XiFhCfGeuKyhkhACisAgNZ1uA1P5k
+0SJYc14YfEhQkB46Y20SpfVHRsQ46FyNB6GHbmTmfoO8La8VTh++7GBdh85HfvkG
+VNQ3wpi5oXsOLN9+MJOezc0XsW2LQsKQj1/J7QKzGh+lxN5cemsA5aqPzh8dyxeT
+0lYRFp4AHkimqGUomVpRkbegMIPxXqOE+ZAmsddErw0UtmrKxcmMptOJwNgYzEgu
+++2vtqerL/NYp+wsdcWaBjCz2F3NiwHgNli7NSB/FPwucZZ5gN5C4SnmeFzrGdHg
+Oy+tQUN6ayQKljHeBO7CjMlsFNo/dcVrEMa1ShxBMqlj/6ivoEhktLz0Nru4FwNU
+xE5SJYDYfpjD7Ws8y4LoXgWXjFHrMO6N9GzqLN/e8LT7I+w4ps2MrgJ8QSrelmQ3
+rjkxp3uWp5v2lqy4rLfpi9iB6zIAeoN2eU1yOM9joxOYMxKYaYeYyP1Mm90wFol8
+LcTSaN+tVniPddBiL6zvsGBEMbCR9XN3EQ+mErbuw5ovWBOCrr+dvN3FxvD11y4J
+7w==
+=mXYP
+-----END PGP PUBLIC KEY BLOCK-----

maintainers/keys/B541D55301270E0BCF15CA5D8170B4726D7198DE.asc

@@ -0,0 +1,51 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBFZu2zwBCADfatenjH3cvhlU6AeInvp4R0JmPBG942aghFj1Qh57smRcO5Bv
+y9mqrX3UDdmVvu58V3k1k9/GzPnAG1t+c7ohdymv/AMuNY4pE2sfxx7bX+mncTHX
+5wthipn8kTNm4WjREjCJM1Bm5sozzEZetED3+0/dWlnHl8b38evnLsD+WbSrDPVp
+o6M6Eg9IfMwTfcXzdmLmSnGolBWDQ9i1a0x0r3o+sDW5UTnr7jVP+zILcnOZ1Ewl
+Rn9OJ4Qg3ULM7WTMDYpKH4BO7RLR3aJgmsFAHp17vgUnzzFBZ10MCS3UOyUNoyph
+xo3belf7Q9nrHcSNbqSeQuBnW/vafAZUreAlABEBAAG0IkVlbGNvIERvbHN0cmEg
+PGVkb2xzdHJhQGdtYWlsLmNvbT6JATwEEwEIACYCGyMHCwkIBwMCAQYVCAIJCgsE
+FgIDAQIeAQIXgAUCVm7etAIZAQAKCRCBcLRybXGY3q51B/96qt41tmcDSzrj/UTl
+O6rErfW5zFvVsJTZ95Duwu87t/DVhw5lKBQcjALqVddufw1nMzyN/tSOMVDW8xe4
+wMEdcU4+QAMzNX80enuyinsw1glxfLcK0+VbTvqNIfw0sG3MjPqNs6cK2VRfMHK4
+paJjytBVICszNX9TfjLyIpKKoSSo1vqnT47LDZ5GIMy7l9Cs2sO/rqQHSPcR79yz
+8m8tbHpDDEMZmJeklckKP2QoiqnHiIvlisDxLclYnUmNaPdaN/f++qZz5Yqvu1n+
+sNUBA5eLaZH64Uy2SwtABxO3JPJ8nQ2+SFZ7ocFm4Gcdv4aM+Ura9S6fvM91tEJp
+yAQOiQE5BBMBCAAjBQJWbts8AhsjBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AA
+CgkQgXC0cm1xmN6sIAgAielxO8zJREqEkA2xudg/o4e9ZlNZ3X1NvY8OzJH/qlB2
+SmwKqwifhtbC1K0uavXA7eaxdtd2zrI+Yq7IooUyv7juMjHTZhLcFbR5iVkQ4Mfp
+JmeHXJ/ChYKxD5mMj/C3WbCZ91oCSNZ6Iyi5fvQj/691OC4q+y/2NEUcOI8D8cw8
+XKHbKtceFYc+nZmdOv3ZZrNTSN/kszGViNNLKgnpPdDVPtLp+vjXtbmitiFG2HL/
+WfbJ+3Gh2Yr1Vy3O9dWKH++e1AmIv7WWqmUjRFVpqC/wr7/BLaScWT8WKF5vkshU
+gq8Ez1/cuizsgs3wQIZWgXKQK5njvwnbKg+Zmh/uGbQmRWVsY28gRG9sc3RyYSA8
+ZWVsY28uZG9sc3RyYUB0d2VhZy5pbz6JAU4EEwEIADgWIQS1QdVTAScOC88Vyl2B
+cLRybXGY3gUCXELt4gIbIwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCBcLRy
+bXGY3ujFCADfS5D1xHU8KH6TpqgssSggYVq62Wwn/Ga+4XPPetM+ajcXagyH6SwB
+mxlHICcnv9xC93ryiTI10P1ADJl+aBsI66wEdHBU+ty4RTDy4JZNUPtmRCk9LhSc
+mtUO3ry/wtWkRLdJxP49hg7BbQvWoU0M6WODp7SJjPKPWNX64mzHBeOuy+DqGCbM
+lpGNCvW8ahU/ewbm7+xwWmzqLDoWzXjHsdF4QdzMVM/vkAgWEP4y0wEqFASzIYaR
+GNEkBWU4OQVq5Bdm9+wWWAgsbM0FJAQl0GDqnz4QxWzxxCAAXdbh9F5ffafWYsA9
+bise4ZQLkvYo6iUnrcFm4dtZbT8iL3gptCtFZWxjbyBEb2xzdHJhIDxlZWxjby5k
+b2xzdHJhQGxvZ2ljYmxveC5jb20+iQE5BBMBCAAjBQJWbt6nAhsjBwsJCAcDAgEG
+FQgCCQoLBBYCAwECHgECF4AACgkQgXC0cm1xmN4b/wf8DApMV/jSPEpibekrUPQu
+Ye3Z8cxBQuRm/nOPowtPEH/ShAevrCdRiob2nuEZWNoqZ2e5/+6ud07Hs9bslvco
+cDv1jeY1dof1idxfKhH3kfSpuD2XJhuzQBxBqOrIlCS/rdnW+Y9wOGD7+bs9QpcA
+IyAeQGLLkfggAxaGYQ2Aev8pS7i3a/+lOWbFhcTe02I49KemCOJqBorG5FfILLNr
+DjO3EoutNGpuz6rZvc/BlymphWBoAdUmxgoObr7NYWgw9pI8WeE6C7bbSOO7p5aQ
+spWXU7Hm17DkzsVDpaJlyClllqK+DdKza5oWlBMe/P02jD3Y+0P/2rCCyQQwmH3D
+RbkBDQRWbts8AQgA0g556xc08dH5YNEjbCwEt1j+XoRnV4+GfbSJIXOl9joIgzRC
+4IaijvL8+4biWvX7HiybfvBKto0XB1AWLZRC3jWKX5p74I77UAcrD+VQ/roWQqlJ
+BKbiQMlRYEsj/5Xnf72G90IP4DAFKvNl+rLChe+jUySA91BCtrYoP75Sw1BE9Cyz
+xEtm4WUzKAJdXI+ZTBttA2Nbqy+GSuzBs7fSKDwREJaZmVrosvmns+pQVG4WPWf4
+0l4mPguDQmZ9wSWZvBDkpG7AgHYDRYRGkMbAGsVfc6cScN2VsSTa6cbeeAEowKxM
+qx9RbY3WOq6aKAm0qDvow1nl7WwXwe8K0wQxfQARAQABiQEfBBgBCAAJBQJWbts8
+AhsMAAoJEIFwtHJtcZjeuAAH/0YNz2Qe1IAEO5oqEZNFOccL4KxVPrBhWUen83/b
+C6PjOnOqv6q5ztAcms88WIKxBlfzIfq+dzJcbKVS/H7TEXgcaC+7EYW8sJVEsipN
+BtEZ3LQNJ5coDjm7WZygniah1lfXNuiritAXduK5FWNNndqGArEaeZ8Shzdo/Uyi
+b9lOsBIL6xc2ZcnX5f+rTu02LCEtEb0FwCycZLEWYf8hG4k8uttIOZOC+CLk/k8d
+kBmPikMwUVTTV0CdT1cemQKdTaoAaK+kurF6FYXwcnjhRlHrisSt/tVMEwTw4LUM
+3MYf6qfjjvE4HlDwZal8th7ccoQp/flfJIuRv85xCcKK+PI=
+=u5cX
+-----END PGP PUBLIC KEY BLOCK-----

maintainers/keys/README.md

@@ -0,0 +1,13 @@
+# Maintainer GPG Keys
+
+Release tags are signed by members of the [Nix maintainer team](https://nixos.org/community/teams/nix/) as part of the [release process](../release-process.md). This directory contains the public GPG keys used for signing.
+
+## Keys
+
+- **Eelco Dolstra**
+  GPG Fingerprint: `B541 D553 0127 0E0B CF15 CA5D 8170 B472 6D71 98DE`
+
+- **Sergei Zimmerman**
+  GPG Fingerprint: [`158A 6F53 0EA2 02E5 F651 6113 14FA EA63 448E 1DF9`](https://keys.openpgp.org/vks/v1/by-fingerprint/158A6F530EA202E5F651611314FAEA63448E1DF9)
+
+<!-- TODO: Add keys for other Nix team members -->

maintainers/release-process.md

@@ -5,11 +5,11 @@
 The release process is intended to create the following for each
 release:
 
-* A Git tag
+* A signed Git tag (public keys in `maintainers/keys/`)
 
 * Binary tarballs in https://releases.nixos.org/?prefix=nix/
 
-* Docker images
+* Docker images (arm64 and amd64 variants, uploaded to DockerHub and GHCR)
 
 * Closures in https://cache.nixos.org
 
@@ -104,21 +104,17 @@ release:
   evaluation ID (e.g. `1780832` in
   `https://hydra.nixos.org/eval/1780832`).
 
-* Tag the release and upload the release artifacts to
-  [`releases.nixos.org`](https://releases.nixos.org/) and [Docker Hub](https://hub.docker.com/):
+* Tag the release:
 
   ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
   ```
 
   Note: `IS_LATEST=1` causes the `latest-release` branch to be
   force-updated. This is used by the `nixos.org` website to get the
   [latest Nix manual](https://nixos.org/manual/nixpkgs/unstable/).
 
-  TODO: This script requires the right AWS credentials. Document.
-
-  TODO: This script currently requires a
-  `/home/eelco/Dev/nix-pristine`.
+* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
 
   TODO: trigger nixos.org netlify: https://docs.netlify.com/configure-builds/build-hooks/
 
@@ -181,16 +177,18 @@ release:
 * Wait for the desired evaluation of the maintenance jobset to finish
   building.
 
-* Run
+* Tag the release
 
   ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
   ```
 
   Omit `IS_LATEST=1` when creating a point release that is not on the
   most recent stable branch. This prevents `nixos.org` to going back
   to an older release.
 
+* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
+
 * Bump the version number of the release branch as above (e.g. to
   `2.12.2`).
 

maintainers/upload-release.pl

@@ -1,7 +1,8 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i perl -p perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 gnupg1
+#! nix-shell -i perl -p awscli2 perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 perlPackages.GetoptLongDescriptive gnupg1
 
 use strict;
+use Getopt::Long::Descriptive;
 use Data::Dumper;
 use File::Basename;
 use File::Path;
@@ -13,7 +14,30 @@ use Net::Amazon::S3;
 
 delete $ENV{'shell'}; # shut up a LWP::UserAgent.pm warning
 
-my $evalId = $ARGV[0] or die "Usage: $0 EVAL-ID\n";
+my ($opt, $usage) = describe_options(
+    '%c %o <eval-id>',
+    [ 'skip-docker',      'Skip Docker image upload' ],
+    [ 'skip-git',         'Skip Git tagging' ],
+    [ 'skip-s3',          'Skip S3 upload' ],
+    [ 'docker-owner=s',   'Docker image owner', { default => 'nixos/nix' } ],
+    [ 'project-root=s',   'Pristine git repository path' ],
+    [ 's3-endpoint=s',    'Custom S3 endpoint' ],
+    [ 's3-host=s',        'S3 host', { default => 's3-eu-west-1.amazonaws.com' } ],
+    [],
+    [ 'help|h',           'Show this help message', { shortcircuit => 1 } ],
+    [],
+    [ 'Environment variables:' ],
+    [ 'AWS_ACCESS_KEY_ID' ],
+    [ 'AWS_SECRET_ACCESS_KEY' ],
+    [ 'AWS_SESSION_TOKEN   For OIDC' ],
+    [ 'IS_LATEST           Set to "1" to mark as latest release' ],
+);
+
+print($usage->text), exit if $opt->help;
+
+my $evalId = $ARGV[0] or do { print STDERR $usage->text; exit 1 };
+
+die "--project-root is required unless --skip-git is specified\n" unless $opt->skip_git || $opt->project_root;
 
 my $releasesBucketName = "nix-releases";
 my $channelsBucketName = "nix-channels";
@@ -62,25 +86,38 @@ File::Path::make_path($narCache);
 my $binaryCache = "https://cache.nixos.org/?local-nar-cache=$narCache";
 
 # S3 setup.
-my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die "No AWS_ACCESS_KEY_ID given.";
-my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die "No AWS_SECRET_ACCESS_KEY given.";
+my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'};
+my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'};
+my $aws_session_token = $ENV{'AWS_SESSION_TOKEN'};
 
-my $s3 = Net::Amazon::S3->new(
-    { aws_access_key_id     => $aws_access_key_id,
-      aws_secret_access_key => $aws_secret_access_key,
-      retry                 => 1,
-      host                  => "s3-eu-west-1.amazonaws.com",
-    });
+my ($s3, $releasesBucket, $s3_channels, $channelsBucket);
 
-my $releasesBucket = $s3->bucket($releasesBucketName) or die;
+unless ($opt->skip_s3) {
+    $aws_access_key_id or die "No AWS_ACCESS_KEY_ID given.";
+    $aws_secret_access_key or die "No AWS_SECRET_ACCESS_KEY given.";
 
-my $s3_us = Net::Amazon::S3->new(
-    { aws_access_key_id     => $aws_access_key_id,
-      aws_secret_access_key => $aws_secret_access_key,
-      retry                 => 1,
-    });
+    $s3 = Net::Amazon::S3->new(
+        { aws_access_key_id     => $aws_access_key_id,
+          aws_secret_access_key => $aws_secret_access_key,
+          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
+          retry                 => 1,
+          host                  => $opt->s3_host,
+          secure                => ($opt->s3_endpoint && $opt->s3_endpoint =~ /^http:/) ? 0 : 1,
+        });
 
-my $channelsBucket = $s3_us->bucket($channelsBucketName) or die;
+    $releasesBucket = $s3->bucket($releasesBucketName) or die;
+
+    $s3_channels = Net::Amazon::S3->new(
+        { aws_access_key_id     => $aws_access_key_id,
+          aws_secret_access_key => $aws_secret_access_key,
+          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
+          retry                 => 1,
+          $opt->s3_endpoint ? (host => $opt->s3_host) : (),
+          $opt->s3_endpoint ? (secure => ($opt->s3_endpoint =~ /^http:/) ? 0 : 1) : (),
+        });
+
+    $channelsBucket = $s3_channels->bucket($channelsBucketName) or die;
+}
 
 sub getStorePath {
     my ($jobName, $output) = @_;
@@ -115,11 +152,12 @@ sub copyManual {
         File::Path::remove_tree("$tmpDir/manual.tmp", {safe => 1});
     }
 
-    system("aws s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
+    my $awsEndpoint = $opt->s3_endpoint ? "--endpoint-url " . $opt->s3_endpoint : "";
+    system("aws $awsEndpoint s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
         or die "syncing manual to S3\n";
 }
 
-copyManual;
+copyManual unless $opt->skip_s3;
 
 sub downloadFile {
     my ($jobName, $productNr, $dstName) = @_;
@@ -158,30 +196,12 @@ sub downloadFile {
     return $sha256_expected;
 }
 
-downloadFile("binaryTarball.i686-linux", "1");
-downloadFile("binaryTarball.x86_64-linux", "1");
-downloadFile("binaryTarball.aarch64-linux", "1");
-downloadFile("binaryTarball.x86_64-darwin", "1");
-downloadFile("binaryTarball.aarch64-darwin", "1");
-eval {
-    downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
-};
-warn "$@" if $@;
-eval {
-    downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
-};
-warn "$@" if $@;
-eval {
-    downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
-};
-warn "$@" if $@;
-downloadFile("installerScript", "1");
-
-# Upload docker images to dockerhub.
+# Upload docker images.
 my $dockerManifest = "";
 my $dockerManifestLatest = "";
 my $haveDocker = 0;
 
+unless ($opt->skip_docker) {
 for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
     my $system = $platforms->[0];
     my $dockerPlatform = $platforms->[1];
@@ -195,8 +215,8 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
     print STDERR "loading docker image for $dockerPlatform...\n";
     system("docker load -i $tmpDir/$fn") == 0 or die;
 
-    my $tag = "nixos/nix:$version-$dockerPlatform";
-    my $latestTag = "nixos/nix:latest-$dockerPlatform";
+    my $tag = $opt->docker_owner . ":$version-$dockerPlatform";
+    my $latestTag = $opt->docker_owner . ":latest-$dockerPlatform";
 
     print STDERR "tagging $version docker image for $dockerPlatform...\n";
     system("docker tag nix:$version $tag") == 0 or die;
@@ -219,68 +239,94 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
 }
 
 if ($haveDocker) {
+    my $dockerOwner = $opt->docker_owner;
     print STDERR "creating multi-platform docker manifest...\n";
-    system("docker manifest rm nixos/nix:$version");
-    system("docker manifest create nixos/nix:$version $dockerManifest") == 0 or die;
+    system("docker manifest rm $dockerOwner:$version");
+    system("docker manifest create $dockerOwner:$version $dockerManifest") == 0 or die;
     if ($isLatest) {
         print STDERR "creating latest multi-platform docker manifest...\n";
-        system("docker manifest rm nixos/nix:latest");
-        system("docker manifest create nixos/nix:latest $dockerManifestLatest") == 0 or die;
+        system("docker manifest rm $dockerOwner:latest");
+        system("docker manifest create $dockerOwner:latest $dockerManifestLatest") == 0 or die;
     }
 
     print STDERR "pushing multi-platform docker manifest...\n";
-    system("docker manifest push nixos/nix:$version") == 0 or die;
+    system("docker manifest push $dockerOwner:$version") == 0 or die;
 
     if ($isLatest) {
         print STDERR "pushing latest multi-platform docker manifest...\n";
-        system("docker manifest push nixos/nix:latest") == 0 or die;
+        system("docker manifest push $dockerOwner:latest") == 0 or die;
     }
 }
+}
 
-# Upload nix-fallback-paths.nix.
-write_file("$tmpDir/fallback-paths.nix",
-    "{\n" .
-    "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
-    "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
-    "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
-    "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
-    "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
-    "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
-    "}\n");
 
 # Upload release files to S3.
-for my $fn (glob "$tmpDir/*") {
-    my $name = basename($fn);
-    next if $name eq "manual";
-    my $dstKey = "$releaseDir/" . $name;
-    unless (defined $releasesBucket->head_key($dstKey)) {
-        print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";
+unless ($opt->skip_s3) {
+    downloadFile("binaryTarball.i686-linux", "1");
+    downloadFile("binaryTarball.x86_64-linux", "1");
+    downloadFile("binaryTarball.aarch64-linux", "1");
+    downloadFile("binaryTarball.x86_64-darwin", "1");
+    downloadFile("binaryTarball.aarch64-darwin", "1");
+    eval {
+        downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
+    };
+    warn "$@" if $@;
+    eval {
+        downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
+    };
+    warn "$@" if $@;
+    eval {
+        downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
+    };
+    warn "$@" if $@;
+    downloadFile("installerScript", "1");
 
-        my $configuration = ();
-        $configuration->{content_type} = "application/octet-stream";
+    # Upload nix-fallback-paths.nix.
+    write_file("$tmpDir/fallback-paths.nix",
+        "{\n" .
+        "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
+        "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
+        "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
+        "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
+        "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
+        "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
+        "}\n");
 
-        if ($fn =~ /.sha256|install|\.nix$/) {
-            $configuration->{content_type} = "text/plain";
+    for my $fn (glob "$tmpDir/*") {
+        my $name = basename($fn);
+        next if $name eq "manual";
+        my $dstKey = "$releaseDir/" . $name;
+        unless (defined $releasesBucket->head_key($dstKey)) {
+            print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";
+
+            my $configuration = ();
+            $configuration->{content_type} = "application/octet-stream";
+
+            if ($fn =~ /.sha256|install|\.nix$/) {
+                $configuration->{content_type} = "text/plain";
+            }
+
+            $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
+                or die $releasesBucket->err . ": " . $releasesBucket->errstr;
         }
-
-        $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
-            or die $releasesBucket->err . ": " . $releasesBucket->errstr;
     }
+
+    # Update the "latest" symlink.
+    $channelsBucket->add_key(
+        "nix-latest/install", "",
+        { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
+        or die $channelsBucket->err . ": " . $channelsBucket->errstr
+        if $isLatest;
 }
 
-# Update the "latest" symlink.
-$channelsBucket->add_key(
-    "nix-latest/install", "",
-    { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
-    or die $channelsBucket->err . ": " . $channelsBucket->errstr
-    if $isLatest;
-
 # Tag the release in Git.
-chdir("/home/eelco/Dev/nix-pristine") or die;
-system("git remote update origin") == 0 or die;
-system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
-system("git push --tags") == 0 or die;
-system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;
+unless ($opt->skip_git) {
+    chdir($opt->project_root) or die "Cannot chdir to " . $opt->project_root . ": $!";
+    system("git remote update origin") == 0 or die;
+    system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
+    system("git push origin refs/tags/$version") == 0 or die;
+    system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;
+}
 
 File::Path::remove_tree($narCache, {safe => 1});
 File::Path::remove_tree($tmpDir, {safe => 1});

meson.build

@@ -24,6 +24,10 @@ subproject('libcmd')
 # Executables
 subproject('nix')
 
+if host_machine.system() == 'linux'
+  subproject('nswrapper')
+endif
+
 # Docs
 if get_option('doc-gen')
   subproject('internal-api-docs')
@@ -63,6 +67,3 @@ subproject('nix-functional-tests')
 if get_option('json-schema-checks')
   subproject('json-schema-checks')
 endif
-if get_option('kaitai-struct-checks')
-  subproject('kaitai-struct-checks')
-endif

meson.options

@@ -28,13 +28,6 @@ option(
   description : 'Build benchmarks (requires gbenchmark)',
 )
 
-option(
-  'kaitai-struct-checks',
-  type : 'boolean',
-  value : true,
-  description : 'Check the Kaitai Struct specifications (requires Kaitai Struct)',
-)
-
 option(
   'json-schema-checks',
   type : 'boolean',

misc/systemd/nix-daemon.service.in

@@ -11,7 +11,7 @@ ExecStart=@@bindir@/nix-daemon nix-daemon --daemon
 KillMode=process
 LimitNOFILE=1048576
 TasksMax=1048576
-Delegate=yes
+Delegate=
 
 [Install]
 WantedBy=multi-user.target

nix-meson-build-support/common/asan-options/meson.build

@@ -1,7 +1,7 @@
 # Clang gets grumpy about missing libasan symbols if -shared-libasan is not
 # passed when building shared libs, at least on Linux
 if cxx.get_id() == 'clang' and ('address' in get_option('b_sanitize') or 'undefined' in get_option(
-  'b_sanitize',
+    'b_sanitize',
 ))
   add_project_link_arguments('-shared-libasan', language : 'cpp')
 endif

nix-meson-build-support/common/meson.build

@@ -22,6 +22,8 @@ add_project_arguments(
   '-Werror=undef',
   '-Werror=unused-result',
   '-Werror=sign-compare',
+  '-Werror=return-type',
+  '-Werror=non-virtual-dtor',
   '-Wignored-qualifiers',
   '-Wimplicit-fallthrough',
   '-Wno-deprecated-declarations',
@@ -31,6 +33,13 @@ add_project_arguments(
 # GCC doesn't benefit much from precompiled headers.
 do_pch = cxx.get_id() == 'clang'
 
+if cxx.get_id() == 'gcc'
+  add_project_arguments(
+    '-Wno-interference-size', # Used for C++ ABI only. We don't provide any guarantees about different march tunings.
+    language : 'cpp',
+  )
+endif
+
 # This is a clang-only option for improving build times.
 # It forces the instantiation of templates in the PCH itself and
 # not every translation unit it's included in.
@@ -40,6 +49,11 @@ do_pch = cxx.get_id() == 'clang'
 # instantiations in libutil and libstore.
 if cxx.get_id() == 'clang'
   add_project_arguments('-fpch-instantiate-templates', language : 'cpp')
+  # Catch brace elision bugs: when WorkerProto::Version changed from `unsigned int`
+  # to `struct { unsigned int major; uint8_t minor; }`, `.version = 16` silently
+  # became `.version = {16, 0}` instead of failing, breaking protocol compatibility
+  # in a subtle way
+  add_project_arguments('-Werror=c99-designator', language : 'cpp')
 endif
 
 # Detect if we're using libstdc++ (GCC's standard library)

packaging/binary-tarball.nix

@@ -4,6 +4,7 @@
   buildPackages,
   cacert,
   nix,
+  nixComponents2,
 }:
 
 let
@@ -11,6 +12,7 @@ let
   installerClosureInfo = buildPackages.closureInfo {
     rootPaths = [
       nix
+      nixComponents2.nix-manual.man
       cacert
     ];
   };
@@ -42,6 +44,7 @@ runCommand "nix-binary-tarball-${version}" env ''
     --subst-var-by cacert ${cacert}
   substitute ${../scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
     --subst-var-by nix ${nix} \
+    --subst-var-by nix-manual ${nixComponents2.nix-manual.man} \
     --subst-var-by cacert ${cacert}
 
   if type -p shellcheck; then

packaging/components.nix

@@ -133,7 +133,7 @@ let
       +
         lib.optionalString
           (
-            !stdenv.hostPlatform.isWindows
+            !(stdenv.hostPlatform.isWindows || stdenv.hostPlatform.isCygwin)
             # build failure
             && !stdenv.hostPlatform.isStatic
             # LTO breaks exception handling on x86-64-darwin.
@@ -155,12 +155,14 @@ let
     ];
   };
 
-  mesonBuildLayer = finalAttrs: prevAttrs: {
+  mesonBuildLayer = finalAttrs: prevAttrs: rec {
     nativeBuildInputs = prevAttrs.nativeBuildInputs or [ ] ++ [
       pkg-config
     ];
     separateDebugInfo = !stdenv.hostPlatform.isStatic;
-    hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
+    # needed by separateDebugInfo
+    # SEE: https://github.com/NixOS/nixpkgs/pull/394674/commits/a4d355342976e9e9823fb94f133bc43ebec9da5b
+    __structuredAttrs = separateDebugInfo;
   };
 
   mesonLibraryLayer = finalAttrs: prevAttrs: {
@@ -416,6 +418,8 @@ in
 
   nix-cmd = callPackage ../src/libcmd/package.nix { };
 
+  nix-nswrapper = callPackage ../src/nswrapper/package.nix { };
+
   /**
     The Nix command line interface. Note that this does not include its tests, whereas `nix-everything` does.
   */
@@ -452,11 +456,6 @@ in
   */
   nix-json-schema-checks = callPackage ../src/json-schema-checks/package.nix { };
 
-  /**
-    Kaitai struct schema validation checks
-  */
-  nix-kaitai-struct-checks = callPackage ../src/kaitai-struct-checks/package.nix { };
-
   nix-perl-bindings = callPackage ../src/perl/package.nix { };
 
   /**

packaging/dependencies.nix

@@ -30,32 +30,13 @@ scope: {
         NIX_CFLAGS_COMPILE = "-DINITIAL_MARK_STACK_SIZE=1048576";
       });
 
-  lowdown = pkgs.lowdown.overrideAttrs (prevAttrs: rec {
-    version = "2.0.2";
-    src = pkgs.fetchurl {
-      url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz";
-      hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA==";
-    };
-    nativeBuildInputs = prevAttrs.nativeBuildInputs ++ [ pkgs.buildPackages.bmake ];
-    postInstall =
-      lib.replaceStrings [ "lowdown.so.1" "lowdown.1.dylib" ] [ "lowdown.so.2" "lowdown.2.dylib" ]
-        (prevAttrs.postInstall or "");
-  });
+  curl = pkgs.curl.override {
+    http3Support = !pkgs.stdenv.hostPlatform.isWindows;
+  };
 
-  # TODO: Remove this when https://github.com/NixOS/nixpkgs/pull/442682 is included in a stable release
-  toml11 =
-    if lib.versionAtLeast pkgs.toml11.version "4.4.0" then
-      pkgs.toml11
-    else
-      pkgs.toml11.overrideAttrs rec {
-        version = "4.4.0";
-        src = pkgs.fetchFromGitHub {
-          owner = "ToruNiina";
-          repo = "toml11";
-          tag = "v${version}";
-          hash = "sha256-sgWKYxNT22nw376ttGsTdg0AMzOwp8QH3E8mx0BZJTQ=";
-        };
-      };
+  libblake3 = pkgs.libblake3.override {
+    useTBB = !(stdenv.hostPlatform.isWindows || stdenv.hostPlatform.isStatic);
+  };
 
   # TODO Hack until https://github.com/NixOS/nixpkgs/issues/45462 is fixed.
   boost =

packaging/dev-shell.nix

@@ -131,7 +131,7 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
     ignoreCrossFile = flags: builtins.filter (flag: !(lib.strings.hasInfix "cross-file" flag)) flags;
 
     availableComponents = lib.filterAttrs (
-      k: v: lib.meta.availableOn pkgs.hostPlatform v
+      k: v: lib.meta.availableOn pkgs.stdenv.hostPlatform v
     ) allComponents;
 
     activeComponents = buildInputsClosureCond isInternal (
@@ -142,12 +142,23 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
     internalDrvs = byDrvPath (
       # Drop the attr names (not present in buildInputs anyway)
       lib.attrValues availableComponents
-      ++ lib.concatMap (c: lib.attrValues c.tests or { }) (lib.attrValues availableComponents)
+      ++ lib.concatMap (c: lib.filter (v: !v.meta.broken) (lib.attrValues (c.tests or { }))) (
+        lib.attrValues availableComponents
+      )
     );
 
     isInternal =
       dep: internalDrvs ? ${builtins.unsafeDiscardStringContext dep.drvPath or "_non-existent_"};
 
+    activeComponentNames = lib.listToAttrs (
+      map (c: {
+        name = c.pname or c.name;
+        value = null;
+      }) activeComponents
+    );
+
+    isActiveComponent = name: activeComponentNames ? ${name};
+
   in
   {
     pname = "shell-for-nix";
@@ -190,27 +201,19 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
           }
         );
 
-      small =
-        (finalAttrs.finalPackage.withActiveComponents (
-          c:
-          lib.intersectAttrs (lib.genAttrs [
-            "nix-cli"
-            "nix-util-tests"
-            "nix-store-tests"
-            "nix-expr-tests"
-            "nix-fetchers-tests"
-            "nix-flake-tests"
-            "nix-functional-tests"
-            "nix-perl-bindings"
-          ] (_: null)) c
-        )).overrideAttrs
-          (o: {
-            mesonFlags = o.mesonFlags ++ [
-              # TODO: infer from activeComponents or vice versa
-              "-Dkaitai-struct-checks=false"
-              "-Djson-schema-checks=false"
-            ];
-          });
+      small = finalAttrs.finalPackage.withActiveComponents (
+        c:
+        lib.intersectAttrs (lib.genAttrs [
+          "nix-cli"
+          "nix-util-tests"
+          "nix-store-tests"
+          "nix-expr-tests"
+          "nix-fetchers-tests"
+          "nix-flake-tests"
+          "nix-functional-tests"
+          "nix-perl-bindings"
+        ] (_: null)) c
+      );
     };
 
     # Remove the version suffix to avoid unnecessary attempts to substitute in nix develop
@@ -258,10 +261,13 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
 
     # We use this shell with the local checkout, not unpackPhase.
     src = null;
+
     # Workaround https://sourceware.org/pipermail/gdb-patches/2025-October/221398.html
     # Remove when gdb fix is rolled out everywhere.
     separateDebugInfo = false;
 
+    mesonBuildType = "debugoptimized";
+
     env = {
       # For `make format`, to work without installing pre-commit
       _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
@@ -275,21 +281,32 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
 
     dontUseCmakeConfigure = true;
 
-    mesonFlags =
-      map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents2.nix-util.mesonFlags)
-      ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents2.nix-store.mesonFlags)
-      ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents2.nix-fetchers.mesonFlags)
-      ++ lib.optionals havePerl (
-        map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents2.nix-perl-bindings.mesonFlags)
-      )
-      ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents2.nix-expr.mesonFlags)
-      ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents2.nix-cmd.mesonFlags);
+    mesonFlags = [
+      (lib.mesonBool "json-schema-checks" (isActiveComponent "nix-json-schema-checks"))
+    ]
+    ++ map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents2.nix-util.mesonFlags)
+    ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents2.nix-store.mesonFlags)
+    ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents2.nix-fetchers.mesonFlags)
+    ++ lib.optionals havePerl (
+      map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents2.nix-perl-bindings.mesonFlags)
+    )
+    ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents2.nix-expr.mesonFlags)
+    ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents2.nix-cmd.mesonFlags);
 
     nativeBuildInputs =
       let
         inputs =
           dedupByString (v: "${v}") (
-            lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.nativeBuildInputs) activeComponents)
+            lib.filter (x: !isInternal x) (
+              lib.lists.concatMap (
+                # Nix manual has a build-time dependency on nix, but we
+                # don't want to do a native build just to enter the cross
+                # dev shell.
+                #
+                # TODO: think of a more principled fix for this.
+                c: lib.filter (f: f.pname or null != "nix") c.nativeBuildInputs
+              ) activeComponents
+            )
           )
           ++ lib.optional (
             !buildCanExecuteHost
@@ -305,8 +322,8 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
             pkgs.buildPackages.nixfmt-rfc-style
             pkgs.buildPackages.shellcheck
             pkgs.buildPackages.include-what-you-use
-            pkgs.buildPackages.gdb
           ]
+          ++ lib.optional stdenv.hostPlatform.isUnix pkgs.buildPackages.gdb
           ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (
             lib.hiPrio pkgs.buildPackages.clang-tools
           )
@@ -322,13 +339,13 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
       )
     );
 
-    buildInputs = [
-      pkgs.gbenchmark
-    ]
-    ++ dedupByString (v: "${v}") (
-      lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.buildInputs) activeComponents)
-    )
-    ++ lib.optional havePerl pkgs.perl;
+    buildInputs =
+      # TODO change Nixpkgs to mark gbenchmark as building on Windows
+      lib.optional stdenv.hostPlatform.isUnix pkgs.gbenchmark
+      ++ dedupByString (v: "${v}") (
+        lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.buildInputs) activeComponents)
+      )
+      ++ lib.optional havePerl pkgs.perl;
 
     propagatedBuildInputs = dedupByString (v: "${v}") (
       lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.propagatedBuildInputs) activeComponents)

packaging/everything.nix

@@ -31,6 +31,8 @@
 
   nix-cmd,
 
+  nix-nswrapper,
+
   nix-cli,
 
   nix-functional-tests,
@@ -171,6 +173,9 @@ stdenv.mkDerivation (finalAttrs: {
       # Forwarded outputs
       ln -sT ${nix-manual} $doc
       ln -sT ${nix-manual.man} $man
+    ''
+    + lib.optionalString stdenv.isLinux ''
+      lndir ${nix-nswrapper} $out
     '';
 
   passthru = {

packaging/hydra.nix

@@ -57,6 +57,7 @@ let
         "nix-flake"
         "nix-flake-c"
         "nix-flake-tests"
+        "nix-nswrapper"
         "nix-main"
         "nix-main-c"
         "nix-cmd"
@@ -72,7 +73,6 @@ let
         "nix-manual-manpages-only"
         "nix-internal-api-docs"
         "nix-external-api-docs"
-        "nix-kaitai-struct-checks"
       ]
     );
 in

scripts/install-multi-user.sh

@@ -52,9 +52,10 @@ readonly PROFILE_FISH_PREFIXES=(
 readonly PROFILE_NIX_FILE_FISH="$NIX_ROOT/var/nix/profiles/default/etc/profile.d/nix-daemon.fish"
 
 readonly NIX_INSTALLED_NIX="@nix@"
+readonly NIX_INSTALLED_NIX_MAN="@nix-manual@"
 readonly NIX_INSTALLED_CACERT="@cacert@"
-#readonly NIX_INSTALLED_NIX="/nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6"
-#readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2"
+#readonly NIX_INSTALLED_NIX="/nix/store/byi37zv50wnfrpp4d81z3spswd5zva37-nix-2.3.6"
+#readonly NIX_INSTALLED_CACERT="/nix/store/7pi45g541xa8ahwgpbpy7ggsl0xj1jj6-nss-cacert-3.49.2"
 EXTRACTED_NIX_PATH="$(dirname "$0")"
 readonly EXTRACTED_NIX_PATH
 
@@ -969,6 +970,8 @@ setup_default_profile() {
     task "Setting up the default profile"
     _sudo "to install a bootstrapping Nix in to the default profile" \
           HOME="$ROOT_HOME" "$NIX_INSTALLED_NIX/bin/nix-env" -i "$NIX_INSTALLED_NIX"
+    _sudo "to install Nix man pages in to the default profile" \
+          HOME="$ROOT_HOME" "$NIX_INSTALLED_NIX/bin/nix-env" -i "$NIX_INSTALLED_NIX_MAN"
 
     if [ -z "${NIX_SSL_CERT_FILE:-}" ] || ! [ -f "${NIX_SSL_CERT_FILE:-}" ] || cert_in_store; then
         _sudo "to install a bootstrapping SSL certificate just for Nix in to the default profile" \

scripts/install-systemd-multi-user.sh

@@ -38,6 +38,7 @@ escape_systemd_env() {
 create_systemd_proxy_env() {
     vars="http_proxy https_proxy ftp_proxy all_proxy no_proxy HTTP_PROXY HTTPS_PROXY FTP_PROXY ALL_PROXY NO_PROXY"
     for v in $vars; do
+        # shellcheck disable=SC2268
         if [ "x${!v:-}" != "x" ]; then
             echo "Environment=${v}=$(escape_systemd_env "${!v}")"
         fi

src/json-schema-checks/meson.build

@@ -62,9 +62,11 @@ schemas = [
   },
   {
     'stem' : 'build-trace-entry',
-    'schema' : schema_dir / 'build-trace-entry-v1.yaml',
+    'schema' : schema_dir / 'build-trace-entry-v2.yaml',
     'files' : [
       'simple.json',
+      # The field is no longer supported, but we want to show that we
+      # ignore it during parsing.
       'with-dependent-realisations.json',
       'with-signature.json',
     ],

src/kaitai-struct-checks/meson.build

@@ -1,77 +0,0 @@
-# Run with:
-#     meson test --suite kaitai-struct
-# Run with: (without shell / configure)
-#     nix build .#nix-kaitai-struct-checks
-
-project(
-  'nix-kaitai-struct-checks',
-  'cpp',
-  version : files('.version'),
-  default_options : [
-    'cpp_std=c++23',
-    # TODO(Qyriad): increase the warning level
-    'warning_level=1',
-    'errorlogs=true', # Please print logs for tests that fail
-  ],
-  meson_version : '>= 1.1',
-  license : 'LGPL-2.1-or-later',
-)
-
-kaitai_runtime_dep = dependency('kaitai-struct-cpp-stl-runtime', required : true)
-gtest_dep = dependency('gtest')
-gtest_main_dep = dependency('gtest_main', required : true)
-
-# Find the Kaitai Struct compiler
-ksc = find_program('ksc', required : true)
-
-kaitai_generated_srcs = custom_target(
-  'kaitai-generated-sources',
-  input : [ 'nar.ksy' ],
-  output : [ 'nix_nar.cpp', 'nix_nar.h' ],
-  command : [
-    ksc,
-    '@INPUT@',
-    '--target', 'cpp_stl',
-    '--outdir',
-    meson.current_build_dir(),
-  ],
-)
-
-nar_kaitai_lib = library(
-  'nix-nar-kaitai-lib',
-  kaitai_generated_srcs,
-  dependencies : [ kaitai_runtime_dep ],
-  install : true,
-)
-
-nar_kaitai_dep = declare_dependency(
-  link_with : nar_kaitai_lib,
-  sources : kaitai_generated_srcs[1],
-)
-
-# The nar directory is a committed symlink to the actual nars location
-nars_dir = meson.current_source_dir() / 'nars'
-
-# Get all example files
-nars = [
-  'dot.nar',
-]
-
-test_deps = [
-  nar_kaitai_dep,
-  kaitai_runtime_dep,
-  gtest_main_dep,
-]
-
-this_exe = executable(
-  meson.project_name(),
-  'test-parse-nar.cc',
-  dependencies : test_deps,
-)
-
-test(
-  meson.project_name(),
-  this_exe,
-  env : [ 'NIX_NARS_DIR=' + nars_dir ],
-  protocol : 'gtest',
-)

src/kaitai-struct-checks/nar.ksy

@@ -1 +0,0 @@
-../../doc/manual/source/protocols/nix-archive/nar.ksy

src/kaitai-struct-checks/nars

@@ -1 +0,0 @@
-../libutil-tests/data/nars

src/kaitai-struct-checks/package.nix

@@ -1,70 +0,0 @@
-# Run with: nix build .#nix-kaitai-struct-checks
-# or: `nix develop .#nix-kaitai-struct-checks` to enter a dev shell
-{
-  lib,
-  mkMesonDerivation,
-  gtest,
-  meson,
-  ninja,
-  pkg-config,
-  kaitai-struct-compiler,
-  fetchzip,
-  kaitai-struct-cpp-stl-runtime,
-  # Configuration Options
-  version,
-}:
-let
-  inherit (lib) fileset;
-in
-mkMesonDerivation (finalAttrs: {
-  pname = "nix-kaitai-struct-checks";
-  inherit version;
-
-  workDir = ./.;
-  fileset = lib.fileset.unions [
-    ../../nix-meson-build-support
-    ./nix-meson-build-support
-    ./.version
-    ../../.version
-    ../../doc/manual/source/protocols/nix-archive/nar.ksy
-    ./nars
-    ../../src/libutil-tests/data
-    ./meson.build
-    ./nar.ksy
-    (fileset.fileFilter (file: file.hasExt "cc") ./.)
-    (fileset.fileFilter (file: file.hasExt "hh") ./.)
-  ];
-
-  outputs = [ "out" ];
-
-  buildInputs = [
-    gtest
-    kaitai-struct-cpp-stl-runtime
-  ];
-
-  nativeBuildInputs = [
-    meson
-    ninja
-    pkg-config
-    # This can go away when we bump up to 25.11
-    (kaitai-struct-compiler.overrideAttrs (finalAttrs: {
-      version = "0.11";
-      src = fetchzip {
-        url = "https://github.com/kaitai-io/kaitai_struct_compiler/releases/download/${version}/kaitai-struct-compiler-${version}.zip";
-        sha256 = "sha256-j9TEilijqgIiD0GbJfGKkU1FLio9aTopIi1v8QT1b+A=";
-      };
-    }))
-  ];
-
-  doCheck = true;
-
-  mesonCheckFlags = [ "--print-errorlogs" ];
-
-  postInstall = ''
-    touch $out
-  '';
-
-  meta = {
-    platforms = lib.platforms.unix;
-  };
-})

src/kaitai-struct-checks/test-parse-nar.cc

@@ -1,48 +0,0 @@
-#include <gtest/gtest.h>
-#include <filesystem>
-#include <fstream>
-#include <vector>
-#include <string>
-
-#include <kaitai/kaitaistream.h>
-
-#include <fstream>
-#include <string>
-#include <vector>
-
-#include "nix_nar.h"
-
-static const std::vector<std::string> NarFiles = {
-    "empty.nar",
-    "dot.nar",
-    "dotdot.nar",
-    "executable-after-contents.nar",
-    "invalid-tag-instead-of-contents.nar",
-    "name-after-node.nar",
-    "nul-character.nar",
-    "slash.nar",
-};
-
-class NarParseTest : public ::testing::TestWithParam<std::string>
-{};
-
-TEST_P(NarParseTest, ParseSucceeds)
-{
-    const auto nar_file = GetParam();
-
-    const char * nars_dir_env = std::getenv("NIX_NARS_DIR");
-    if (nars_dir_env == nullptr) {
-        FAIL() << "NIX_NARS_DIR environment variable not set.";
-    }
-
-    const std::filesystem::path nar_file_path = std::filesystem::path(nars_dir_env) / "dot.nar";
-    ASSERT_TRUE(std::filesystem::exists(nar_file_path)) << "Missing test file: " << nar_file_path;
-
-    std::ifstream ifs(nar_file_path, std::ifstream::binary);
-    ASSERT_TRUE(ifs.is_open()) << "Failed to open file: " << nar_file;
-    kaitai::kstream ks(&ifs);
-    nix_nar_t nar(&ks);
-    ASSERT_TRUE(nar.root_node() != nullptr) << "Failed to parse NAR file: " << nar_file;
-}
-
-INSTANTIATE_TEST_SUITE_P(AllNarFiles, NarParseTest, ::testing::ValuesIn(NarFiles));

src/libcmd/command.cc

@@ -4,6 +4,7 @@
 #include "nix/cmd/command.hh"
 #include "nix/cmd/legacy.hh"
 #include "nix/cmd/markdown.hh"
+#include "nix/store/globals.hh"
 #include "nix/store/store-open.hh"
 #include "nix/store/local-fs-store.hh"
 #include "nix/store/derivations.hh"
@@ -63,6 +64,25 @@ void NixMultiCommand::run()
     command->second->run();
 }
 
+StoreConfigCommand::StoreConfigCommand() {}
+
+ref<StoreConfig> StoreConfigCommand::getStoreConfig()
+{
+    if (!_storeConfig)
+        _storeConfig = createStoreConfig();
+    return ref<StoreConfig>(_storeConfig);
+}
+
+ref<StoreConfig> StoreConfigCommand::createStoreConfig()
+{
+    return resolveStoreConfig(StoreReference{settings.storeUri.get()});
+}
+
+void StoreConfigCommand::run()
+{
+    run(getStoreConfig());
+}
+
 StoreCommand::StoreCommand() {}
 
 ref<Store> StoreCommand::getStore()
@@ -74,12 +94,20 @@ ref<Store> StoreCommand::getStore()
 
 ref<Store> StoreCommand::createStore()
 {
-    return openStore();
+    auto store = getStoreConfig()->openStore();
+    store->init();
+    return store;
 }
 
-void StoreCommand::run()
+void StoreCommand::run(ref<StoreConfig> storeConfig)
 {
-    run(getStore());
+    // We can either efficiently implement getStore/createStore with memoization,
+    // or use the StoreConfig passed in run.
+    // It's more efficient to memoize, especially since there are some direct users
+    // of getStore. The StoreConfig in both cases should be the same, though.
+    auto store = getStore();
+    assert(&*storeConfig == &store->config);
+    run(std::move(store));
 }
 
 CopyCommand::CopyCommand()
@@ -88,28 +116,28 @@ CopyCommand::CopyCommand()
         .longName = "from",
         .description = "URL of the source Nix store.",
         .labels = {"store-uri"},
-        .handler = {&srcUri},
+        .handler = {[this](std::string s) { srcUri = StoreReference::parse(s); }},
     });
 
     addFlag({
         .longName = "to",
         .description = "URL of the destination Nix store.",
         .labels = {"store-uri"},
-        .handler = {&dstUri},
+        .handler = {[this](std::string s) { dstUri = StoreReference::parse(s); }},
     });
 }
 
-ref<Store> CopyCommand::createStore()
+ref<StoreConfig> CopyCommand::createStoreConfig()
 {
-    return srcUri.empty() ? StoreCommand::createStore() : openStore(srcUri);
+    return !srcUri ? StoreCommand::createStoreConfig() : resolveStoreConfig(StoreReference{*srcUri});
 }
 
 ref<Store> CopyCommand::getDstStore()
 {
-    if (srcUri.empty() && dstUri.empty())
+    if (!srcUri && !dstUri)
         throw UsageError("you must pass '--from' and/or '--to'");
 
-    return dstUri.empty() ? openStore() : openStore(dstUri);
+    return !dstUri ? openStore() : openStore(StoreReference{*dstUri});
 }
 
 EvalCommand::EvalCommand()
@@ -131,7 +159,7 @@ EvalCommand::~EvalCommand()
 ref<Store> EvalCommand::getEvalStore()
 {
     if (!evalStore)
-        evalStore = evalStoreUrl ? openStore(*evalStoreUrl) : getStore();
+        evalStore = evalStoreUrl ? openStore(StoreReference{*evalStoreUrl}) : getStore();
     return ref<Store>(evalStore);
 }
 
@@ -257,18 +285,18 @@ MixProfile::MixProfile()
     });
 }
 
-void MixProfile::updateProfile(const StorePath & storePath)
+void MixProfile::updateProfile(Store & store_, const StorePath & storePath)
 {
     if (!profile)
         return;
-    auto store = getDstStore().dynamic_pointer_cast<LocalFSStore>();
+    auto * store = dynamic_cast<LocalFSStore *>(&store_);
     if (!store)
         throw Error("'--profile' is not supported for this Nix store");
     auto profile2 = absPath(*profile);
     switchLink(profile2, createGeneration(*store, profile2, storePath));
 }
 
-void MixProfile::updateProfile(const BuiltPaths & buildables)
+void MixProfile::updateProfile(Store & store, const BuiltPaths & buildables)
 {
     if (!profile)
         return;
@@ -292,14 +320,16 @@ void MixProfile::updateProfile(const BuiltPaths & buildables)
         throw UsageError(
             "'--profile' requires that the arguments produce a single store path, but there are %d", result.size());
 
-    updateProfile(result[0]);
+    updateProfile(store, result[0]);
 }
 
 MixDefaultProfile::MixDefaultProfile()
 {
-    profile = getDefaultProfile().string();
+    profile = getDefaultProfile(settings.getProfileDirsOptions()).string();
 }
 
+static constexpr auto environmentVariablesCategory = "Options that change environment variables";
+
 MixEnvironment::MixEnvironment()
     : ignoreEnvironment(false)
 {

src/libcmd/common-eval-args.cc

@@ -148,7 +148,7 @@ MixEvalArgs::MixEvalArgs()
           )",
         .category = category,
         .labels = {"store-url"},
-        .handler = {&evalStoreUrl},
+        .handler = {[this](std::string s) { evalStoreUrl = StoreReference::parse(s); }},
     });
 }
 

src/libcmd/get-build-log.cc

@@ -0,0 +1,31 @@
+#include "nix/cmd/get-build-log.hh"
+#include "nix/store/log-store.hh"
+#include "nix/store/store-open.hh"
+
+namespace nix {
+
+std::string fetchBuildLog(ref<Store> store, const StorePath & path, std::string_view what)
+{
+    auto subs = getDefaultSubstituters();
+
+    subs.push_front(store);
+
+    for (auto & sub : subs) {
+        auto * logSubP = dynamic_cast<LogStore *>(&*sub);
+        if (!logSubP) {
+            printInfo("Skipped '%s' which does not support retrieving build logs", sub->config.getHumanReadableURI());
+            continue;
+        }
+        auto & logSub = *logSubP;
+
+        auto log = logSub.getBuildLog(path);
+        if (!log)
+            continue;
+        printInfo("got build log for '%s' from '%s'", what, logSub.config.getHumanReadableURI());
+        return *log;
+    }
+
+    throw Error("build log of '%s' is not available", what);
+}
+
+} // namespace nix

src/libcmd/include/nix/cmd/command.hh

@@ -5,6 +5,7 @@
 #include "nix/util/args.hh"
 #include "nix/cmd/common-eval-args.hh"
 #include "nix/store/path.hh"
+#include "nix/store/store-reference.hh"
 #include "nix/flake/lockfile.hh"
 
 #include <optional>
@@ -40,28 +41,43 @@ struct NixMultiCommand : MultiCommand, virtual Command
 // For the overloaded run methods
 #pragma GCC diagnostic ignored "-Woverloaded-virtual"
 
+/**
+ * A command that requires a \ref StoreConfig store configuration.
+ */
+struct StoreConfigCommand : virtual Command
+{
+    StoreConfigCommand();
+    void run() override;
+
+    /**
+     * Return the default Nix store configuration.
+     */
+    ref<StoreConfig> getStoreConfig();
+
+    virtual ref<StoreConfig> createStoreConfig();
+    /**
+     * Main entry point, with a `StoreConfig` provided
+     */
+    virtual void run(ref<StoreConfig>) = 0;
+
+private:
+    std::shared_ptr<StoreConfig> _storeConfig;
+};
+
 /**
  * A command that requires a \ref Store "Nix store".
  */
-struct StoreCommand : virtual Command
+struct StoreCommand : virtual StoreConfigCommand
 {
     StoreCommand();
-    void run() override;
+    void run(ref<StoreConfig>) override;
 
     /**
      * Return the default Nix store.
      */
     ref<Store> getStore();
 
-    /**
-     * Return the destination Nix store.
-     */
-    virtual ref<Store> getDstStore()
-    {
-        return getStore();
-    }
-
-    virtual ref<Store> createStore();
+    ref<Store> createStore();
     /**
      * Main entry point, with a `Store` provided
      */
@@ -77,13 +93,13 @@ private:
  */
 struct CopyCommand : virtual StoreCommand
 {
-    std::string srcUri, dstUri;
+    std::optional<StoreReference> srcUri, dstUri;
 
     CopyCommand();
 
-    ref<Store> createStore() override;
+    ref<StoreConfig> createStoreConfig() override;
 
-    ref<Store> getDstStore() override;
+    ref<Store> getDstStore();
 };
 
 /**
@@ -315,11 +331,11 @@ struct MixProfile : virtual StoreCommand
     MixProfile();
 
     /* If 'profile' is set, make it point at 'storePath'. */
-    void updateProfile(const StorePath & storePath);
+    void updateProfile(Store & store, const StorePath & storePath);
 
     /* If 'profile' is set, make it point at the store path produced
        by 'buildables'. */
-    void updateProfile(const BuiltPaths & buildables);
+    void updateProfile(Store & store, const BuiltPaths & buildables);
 };
 
 struct MixDefaultProfile : MixProfile

src/libcmd/include/nix/cmd/common-eval-args.hh

@@ -6,6 +6,7 @@
 #include "nix/main/common-args.hh"
 #include "nix/expr/search-path.hh"
 #include "nix/expr/eval-settings.hh"
+#include "nix/store/store-reference.hh"
 
 #include <filesystem>
 
@@ -55,7 +56,7 @@ struct MixEvalArgs : virtual Args, virtual MixRepair
 
     LookupPath lookupPath;
 
-    std::optional<std::string> evalStoreUrl;
+    std::optional<StoreReference> evalStoreUrl;
 
 private:
     struct AutoArgExpr

src/libcmd/include/nix/cmd/get-build-log.hh

@@ -0,0 +1,23 @@
+#pragma once
+///@file
+
+#include "nix/store/store-api.hh"
+
+#include <string>
+#include <string_view>
+
+namespace nix {
+
+/**
+ * Fetch the build log for a store path, searching the store and its
+ * substituters.
+ *
+ * @param store The store to search (and its substituters).
+ * @param path The store path to get the build log for.
+ * @param what A description of what we're fetching the log for (used in messages).
+ * @return The build log content.
+ * @throws Error if the build log is not available.
+ */
+std::string fetchBuildLog(ref<Store> store, const StorePath & path, std::string_view what);
+
+} // namespace nix

src/libcmd/include/nix/cmd/meson.build

@@ -9,6 +9,7 @@ headers = files(
   'common-eval-args.hh',
   'compatibility-settings.hh',
   'editor-for.hh',
+  'get-build-log.hh',
   'installable-attr-path.hh',
   'installable-derived-path.hh',
   'installable-flake.hh',
@@ -20,4 +21,5 @@ headers = files(
   'network-proxy.hh',
   'repl-interacter.hh',
   'repl.hh',
+  'unix-socket-server.hh',
 )

src/libcmd/include/nix/cmd/repl-interacter.hh

@@ -14,6 +14,7 @@ namespace detail {
 struct ReplCompleterMixin
 {
     virtual StringSet completePrefix(const std::string & prefix) = 0;
+    virtual ~ReplCompleterMixin() = default;
 };
 }; // namespace detail
 

src/libcmd/include/nix/cmd/repl.hh

@@ -25,7 +25,7 @@ struct AbstractNixRepl
      * @todo this is a layer violation
      *
      * @param programName Name of the command, e.g. `nix` or `nix-env`.
-     * @param args aguments to the command.
+     * @param args arguments to the command.
      */
     using RunNix =
         void(const std::string & programName, const Strings & args, const std::optional<std::string> & input);
@@ -37,7 +37,6 @@ struct AbstractNixRepl
      */
     static std::unique_ptr<AbstractNixRepl> create(
         const LookupPath & lookupPath,
-        nix::ref<Store> store,
         ref<EvalState> state,
         std::function<AnnotatedValues()> getValues,
         RunNix * runNix = nullptr);

src/libcmd/include/nix/cmd/unix-socket-server.hh

@@ -0,0 +1,79 @@
+#pragma once
+///@file
+
+#include "nix/util/file-descriptor.hh"
+
+#include <filesystem>
+#include <functional>
+#include <optional>
+#include <sys/types.h>
+
+namespace nix::unix {
+
+/**
+ * Information about the identity of the peer on a Unix domain socket connection.
+ */
+struct PeerInfo
+{
+    std::optional<pid_t> pid;
+    std::optional<uid_t> uid;
+    std::optional<gid_t> gid;
+};
+
+/**
+ * Get the identity of the caller, if possible.
+ */
+PeerInfo getPeerInfo(Descriptor remote);
+
+/**
+ * Callback type for handling new connections.
+ *
+ * The callback receives ownership of the connection and is responsible
+ * for handling it (e.g., forking a child process, spawning a thread, etc.).
+ *
+ * @param socket The accepted connection file descriptor.
+ * @param closeListeners A callback to close the listening sockets.
+ *   Useful in forked child processes to release the bound sockets.
+ */
+using UnixSocketHandler = std::function<void(AutoCloseFD socket, std::function<void()> closeListeners)>;
+
+/**
+ * Options for the serve loop.
+ *
+ * Only used if no systemd socket activation is detected.
+ */
+struct ServeUnixSocketOptions
+{
+    /**
+     * The Unix domain socket path to create and listen on.
+     */
+    std::filesystem::path socketPath;
+
+    /**
+     * Mode for the created socket file.
+     */
+    mode_t socketMode = 0666;
+};
+
+/**
+ * Run a server loop that accepts connections and calls the handler for each.
+ *
+ * This function handles:
+ * - systemd socket activation (via LISTEN_FDS environment variable)
+ * - Creating and binding a Unix domain socket if no activation is detected
+ * - Polling for incoming connections
+ * - Accepting connections
+ *
+ * For each accepted connection, the handler is called with the connection
+ * file descriptor. The handler takes ownership of the file descriptor and
+ * is responsible for closing it when done.
+ *
+ * This function never returns normally. It runs until interrupted
+ * (e.g., via SIGINT), at which point it throws `Interrupted`.
+ *
+ * @param options Configuration for the server.
+ * @param handler Callback invoked for each accepted connection.
+ */
+[[noreturn]] void serveUnixSocket(const ServeUnixSocketOptions & options, UnixSocketHandler handler);
+
+} // namespace nix::unix

src/libcmd/installable-flake.cc

@@ -203,8 +203,10 @@ FlakeRef InstallableFlake::nixpkgsFlakeRef() const
 
     if (auto nixpkgsInput = lockedFlake->lockFile.findInput({"nixpkgs"})) {
         if (auto lockedNode = std::dynamic_pointer_cast<const flake::LockedNode>(nixpkgsInput)) {
-            debug("using nixpkgs flake '%s'", lockedNode->lockedRef);
-            return std::move(lockedNode->lockedRef);
+            if (lockedNode->isFlake) {
+                debug("using nixpkgs flake '%s'", lockedNode->lockedRef);
+                return std::move(lockedNode->lockedRef);
+            }
         }
     }
 

src/libcmd/installables.cc

@@ -116,7 +116,11 @@ MixFlakeOptions::MixFlakeOptions()
         .labels = {"input-path"},
         .handler = {[&](std::string s) {
             warn("'--update-input' is a deprecated alias for 'flake update' and will be removed in a future version.");
-            lockFlags.inputUpdates.insert(flake::parseInputAttrPath(s));
+            auto path = flake::NonEmptyInputAttrPath::parse(s);
+            if (!path)
+                throw UsageError(
+                    "--update-input was passed a zero-length input path, which would refer to the flake itself, not an input");
+            lockFlags.inputUpdates.insert(*path);
         }},
         .completer = {[&](AddCompletions & completions, size_t, std::string_view prefix) {
             completeFlakeInputAttrPath(completions, getEvalState(), getFlakeRefsForCompletion(), prefix);
@@ -125,14 +129,18 @@ MixFlakeOptions::MixFlakeOptions()
 
     addFlag({
         .longName = "override-input",
-        .description = "Override a specific flake input (e.g. `dwarffs/nixpkgs`). This implies `--no-write-lock-file`.",
+        .description =
+            "Override a specific flake input (e.g. `dwarffs/nixpkgs`). The input path must not be empty. This implies `--no-write-lock-file`.",
         .category = category,
         .labels = {"input-path", "flake-url"},
         .handler = {[&](std::string inputAttrPath, std::string flakeRef) {
             lockFlags.writeLockFile = false;
+            auto path = flake::NonEmptyInputAttrPath::parse(inputAttrPath);
+            if (!path)
+                throw UsageError(
+                    "--override-input was passed a zero-length input path, which would refer to the flake itself, not an input");
             lockFlags.inputOverrides.insert_or_assign(
-                flake::parseInputAttrPath(inputAttrPath),
-                parseFlakeRef(fetchSettings, flakeRef, absPath(getCommandBaseDir()).string(), true));
+                std::move(*path), parseFlakeRef(fetchSettings, flakeRef, absPath(getCommandBaseDir()).string(), true));
         }},
         .completer = {[&](AddCompletions & completions, size_t n, std::string_view prefix) {
             if (n == 0) {
@@ -575,16 +583,12 @@ static void throwBuildErrors(std::vector<KeyedBuildResult> & buildResults, const
     auto failedResult = failed.begin();
     if (failedResult != failed.end()) {
         if (failed.size() == 1) {
-            failedResult->second->rethrow();
+            throw *failedResult->second;
         } else {
             StringSet failedPaths;
             for (; failedResult != failed.end(); failedResult++) {
-                if (!failedResult->second->errorMsg.empty()) {
-                    logError(
-                        ErrorInfo{
-                            .level = lvlError,
-                            .msg = failedResult->second->errorMsg,
-                        });
+                if (!failedResult->second->message().empty()) {
+                    logError(failedResult->second->info());
                 }
                 failedPaths.insert(failedResult->first->path.to_string(store));
             }

src/libcmd/meson.build

@@ -74,6 +74,7 @@ sources = files(
   'command.cc',
   'common-eval-args.cc',
   'editor-for.cc',
+  'get-build-log.cc',
   'installable-attr-path.cc',
   'installable-derived-path.cc',
   'installable-flake.cc',
@@ -86,6 +87,12 @@ sources = files(
   'repl.cc',
 )
 
+if host_machine.system() != 'windows'
+  sources += files(
+    'unix/unix-socket-server.cc',
+  )
+endif
+
 subdir('include/nix/cmd')
 
 subdir('nix-meson-build-support/export-all-symbols')

src/libcmd/repl-interacter.cc

@@ -40,8 +40,8 @@ void sigintHandler(int signo)
 static detail::ReplCompleterMixin * curRepl; // ugly
 
 #if !USE_READLINE
-static char * completionCallback(char * s, int * match)
-{
+static char * completionCallback(char * s, int * match) noexcept
+try {
     auto possible = curRepl->completePrefix(s);
     if (possible.size() == 1) {
         *match = 1;
@@ -73,10 +73,12 @@ static char * completionCallback(char * s, int * match)
 
     *match = 0;
     return nullptr;
+} catch (...) {
+    return nullptr;
 }
 
-static int listPossibleCallback(char * s, char *** avp)
-{
+static int listPossibleCallback(char * s, char *** avp) noexcept
+try {
     auto possible = curRepl->completePrefix(s);
 
     if (possible.size() > (std::numeric_limits<int>::max() / sizeof(char *)))
@@ -105,6 +107,9 @@ static int listPossibleCallback(char * s, char *** avp)
     *avp = vp;
 
     return ac;
+} catch (...) {
+    *avp = nullptr;
+    return 0;
 }
 #endif