set up builder pipe

2021-06-28 23:16:40 +02:00
250 changed files with 7492 additions and 15327 deletions
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -4,7 +4,6 @@ on:
  push:
 jobs:
  tests:
-    needs: [check_cachix]
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
@@ -14,10 +13,9 @@ jobs:
    - uses: actions/checkout@v2.3.4
      with:
        fetch-depth: 0
-    - uses: cachix/install-nix-action@v14
+    - uses: cachix/install-nix-action@v13
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
    - uses: cachix/cachix-action@v10
-      if: needs.check_cachix.outputs.secret == 'true'
      with:
        name: '${{ env.CACHIX_NAME }}'
        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
@@ -45,7 +43,7 @@ jobs:
      with:
        fetch-depth: 0
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v14
+    - uses: cachix/install-nix-action@v13
    - uses: cachix/cachix-action@v10
      with:
        name: '${{ env.CACHIX_NAME }}'
@@ -63,7 +61,7 @@ jobs:
    steps:
    - uses: actions/checkout@v2.3.4
    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v14
+    - uses: cachix/install-nix-action@v13
      with:
        install_url: '${{needs.installer.outputs.installerURL}}'
        install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
--- a/.gitignore
+++ b/.gitignore
@@ -15,7 +15,6 @@ perl/Makefile.config
 /doc/manual/*.1
 /doc/manual/*.5
 /doc/manual/*.8
-/doc/manual/generated/*
 /doc/manual/nix.json
 /doc/manual/conf-file.json
 /doc/manual/builtins.json
@@ -57,6 +56,9 @@ perl/Makefile.config

 /src/nix-prefetch-url/nix-prefetch-url

+# /src/nix-daemon/
+/src/nix-daemon/nix-daemon
+
 /src/nix-collect-garbage/nix-collect-garbage

 # /src/nix-channel/
@@ -74,6 +76,7 @@ perl/Makefile.config
 # /tests/
 /tests/test-tmp
 /tests/common.sh
+/tests/dummy
 /tests/result*
 /tests/restricted-innocent
 /tests/shell
--- a/4
+++ b/4
@@ -4,7 +4,6 @@ makefiles = \
  src/libutil/local.mk \
  src/libutil/tests/local.mk \
  src/libstore/local.mk \
-  src/libstore/tests/local.mk \
  src/libfetchers/local.mk \
  src/libmain/local.mk \
  src/libexpr/local.mk \
@@ -13,7 +12,6 @@ makefiles = \
  src/resolve-system-dependencies/local.mk \
  scripts/local.mk \
  misc/bash/local.mk \
-  misc/fish/local.mk \
  misc/zsh/local.mk \
  misc/systemd/local.mk \
  misc/launchd/local.mk \
@@ -34,4 +32,4 @@ endif

 include mk/lib.mk

-GLOBAL_CXXFLAGS += -g -Wall -include config.h -std=c++17 -I src
+GLOBAL_CXXFLAGS += -g -Wall -include config.h -std=c++17
--- a/Makefile.config.in
+++ b/Makefile.config.in
@@ -1,4 +1,3 @@
-HOST_OS = @host_os@
 AR = @AR@
 BDW_GC_LIBS = @BDW_GC_LIBS@
 BOOST_LDFLAGS = @BOOST_LDFLAGS@
--- a/boehmgc-coroutine-sp-fallback.diff
+++ b/boehmgc-coroutine-sp-fallback.diff
@@ -1,42 +0,0 @@
-diff --git a/pthread_stop_world.c b/pthread_stop_world.c
-index 1cee6a0b..46c3acd9 100644
--- a/pthread_stop_world.c
-+++ b/pthread_stop_world.c
-@@ -674,6 +674,8 @@ GC_INNER void GC_push_all_stacks(void)
-     struct GC_traced_stack_sect_s *traced_stack_sect;
-     pthread_t self = pthread_self();
-     word total_size = 0;
-+    size_t stack_limit;
-+    pthread_attr_t pattr;
- 
-     if (!EXPECT(GC_thr_initialized, TRUE))
-       GC_thr_init();
-@@ -723,6 +725,28 @@ GC_INNER void GC_push_all_stacks(void)
-           hi = p->altstack + p->altstack_size;
-           /* FIXME: Need to scan the normal stack too, but how ? */
-           /* FIXME: Assume stack grows down */
-+        } else {
-+          if (pthread_getattr_np(p->id, &pattr)) {
-+            ABORT("GC_push_all_stacks: pthread_getattr_np failed!");
-+          }
-+          if (pthread_attr_getstacksize(&pattr, &stack_limit)) {
-+            ABORT("GC_push_all_stacks: pthread_attr_getstacksize failed!");
-+          }
-+          // When a thread goes into a coroutine, we lose its original sp until
-+          // control flow returns to the thread.
-+          // While in the coroutine, the sp points outside the thread stack,
-+          // so we can detect this and push the entire thread stack instead,
-+          // as an approximation.
-+          // We assume that the coroutine has similarly added its entire stack.
-+          // This could be made accurate by cooperating with the application
-+          // via new functions and/or callbacks.
-+          #ifndef STACK_GROWS_UP
-+            if (lo >= hi || lo < hi - stack_limit) { // sp outside stack
-+              lo = hi - stack_limit;
-+            }
-+          #else
-+          #error "STACK_GROWS_UP not supported in boost_coroutine2 (as of june 2021), so we don't support it in Nix."
-+          #endif
-         }
-         GC_push_all_stack_sections(lo, hi, traced_stack_sect);
- #       ifdef STACK_GROWS_UP
--- a/configure.ac
+++ b/configure.ac
@@ -32,6 +32,14 @@ AC_ARG_WITH(system, AS_HELP_STRING([--with-system=SYSTEM],[Platform identifier (
        system="$machine_name-`echo $host_os | "$SED" -e's/@<:@0-9.@:>@*$//g'`";;
   esac])

+sys_name=$(uname -s | tr 'A-Z ' 'a-z_')
+
+case $sys_name in
+    cygwin*)
+        sys_name=cygwin
+        ;;
+esac
+
 AC_MSG_RESULT($system)
 AC_SUBST(system)
 AC_DEFINE_UNQUOTED(SYSTEM, ["$system"], [platform identifier ('cpu-os')])
@@ -55,12 +63,10 @@ AC_SYS_LARGEFILE

 # Solaris-specific stuff.
 AC_STRUCT_DIRENT_D_TYPE
-case "$host_os" in
-  solaris*)
+if test "$sys_name" = sunos; then
    # Solaris requires -lsocket -lnsl for network functions
    LDFLAGS="-lsocket -lnsl $LDFLAGS"
-    ;;
-esac
+fi


 # Check for pubsetbuf.
@@ -204,31 +210,28 @@ AC_SUBST(HAVE_LIBCPUID, [$have_libcpuid])


 # Look for libseccomp, required for Linux sandboxing.
-case "$host_os" in
-  linux*)
-    AC_ARG_ENABLE([seccomp-sandboxing],
-                  AS_HELP_STRING([--disable-seccomp-sandboxing],[Don't build support for seccomp sandboxing (only recommended if your arch doesn't support libseccomp yet!)
-                                ]))
-    if test "x$enable_seccomp_sandboxing" != "xno"; then
-      PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
-                        [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
-      have_seccomp=1
-      AC_DEFINE([HAVE_SECCOMP], [1], [Whether seccomp is available and should be used for sandboxing.])
-    else
-      have_seccomp=
-    fi
-    ;;
-  *)
+if test "$sys_name" = linux; then
+  AC_ARG_ENABLE([seccomp-sandboxing],
+                AS_HELP_STRING([--disable-seccomp-sandboxing],[Don't build support for seccomp sandboxing (only recommended if your arch doesn't support libseccomp yet!)
+                              ]))
+  if test "x$enable_seccomp_sandboxing" != "xno"; then
+    PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
+                      [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
+    have_seccomp=1
+    AC_DEFINE([HAVE_SECCOMP], [1], [Whether seccomp is available and should be used for sandboxing.])
+  else
    have_seccomp=
-    ;;
-esac
+  fi
+else
+  have_seccomp=
+fi
 AC_SUBST(HAVE_SECCOMP, [$have_seccomp])


 # Look for aws-cpp-sdk-s3.
 AC_LANG_PUSH(C++)
 AC_CHECK_HEADERS([aws/s3/S3Client.h],
-  [AC_DEFINE([ENABLE_S3], [1], [Whether to enable S3 support via aws-sdk-cpp.]) enable_s3=1],
+  [AC_DEFINE([ENABLE_S3], [1], [Whether to enable S3 support via aws-sdk-cpp.]) enable_s3=1], 
  [AC_DEFINE([ENABLE_S3], [0], [Whether to enable S3 support via aws-sdk-cpp.]) enable_s3=])
 AC_SUBST(ENABLE_S3, [$enable_s3])
 AC_LANG_POP(C++)
@@ -260,8 +263,6 @@ AC_ARG_ENABLE(doc-gen, AS_HELP_STRING([--disable-doc-gen],[disable documentation
  doc_generate=$enableval, doc_generate=yes)
 AC_SUBST(doc_generate)

-# Look for lowdown library.
-PKG_CHECK_MODULES([LOWDOWN], [lowdown >= 0.8.0], [CXXFLAGS="$LOWDOWN_CFLAGS $CXXFLAGS"])

 # Setuid installations.
 AC_CHECK_FUNCS([setresuid setreuid lchown])
@@ -273,11 +274,9 @@ AC_CHECK_FUNCS([strsignal posix_fallocate sysconf])

 # This is needed if bzip2 is a static library, and the Nix libraries
 # are dynamic.
-case "${host_os}" in
-  darwin*)
+if test "$(uname)" = "Darwin"; then
    LDFLAGS="-all_load $LDFLAGS"
-    ;;
-esac
+fi


 AC_ARG_WITH(sandbox-shell, AS_HELP_STRING([--with-sandbox-shell=PATH],[path of a statically-linked shell to use as /bin/sh in sandboxes]),
--- a/doc/manual/generate-builtins.nix
+++ b/doc/manual/generate-builtins.nix
@@ -6,11 +6,9 @@ builtins:
 concatStrings (map
  (name:
    let builtin = builtins.${name}; in
-    "<dt><code>${name} "
-    + concatStringsSep " " (map (s: "<var>${s}</var>") builtin.args)
-    + "</code></dt>"
-    + "<dd>\n\n"
-    + builtin.doc
-    + "\n\n</dd>"
+    "  - `builtins.${name}` " + concatStringsSep " " (map (s: "*${s}*") builtin.args)
+    + "  \n\n"
+    + concatStrings (map (s: "    ${s}\n") (splitLines builtin.doc)) + "\n\n"
  )
  (attrNames builtins))
+
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -1,4 +1,4 @@
-{ command, renderLinks ? false }:
+command:

 with builtins;
 with import ./utils.nix;
@@ -20,11 +20,7 @@ let
           categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues def.commands)));
           listCommands = cmds:
             concatStrings (map (name:
-               "* "
-               + (if renderLinks
-                  then "[`${command} ${name}`](./${appendName filename name}.md)"
-                  else "`${command} ${name}`")
-               + " - ${cmds.${name}.description}\n")
+               "* [`${command} ${name}`](./${appendName filename name}.md) - ${cmds.${name}.description}\n")
               (attrNames cmds));
         in
         "where *subcommand* is one of the following:\n\n"
@@ -93,7 +89,7 @@ let
 in

 let
-  manpages = processCommand { filename = "nix"; command = "nix"; def = builtins.fromJSON command; };
+  manpages = processCommand { filename = "nix"; command = "nix"; def = command; };
  summary = concatStrings (map (manpage: "    - [${manpage.command}](command-ref/new-cli/${manpage.name})\n") manpages);
 in
 (listToAttrs manpages) // { "SUMMARY.md" = summary; }
--- a/doc/manual/theme/highlight.js
+++ b/doc/manual/theme/highlight.js
--- a/doc/manual/local.mk
+++ b/doc/manual/local.mk
@@ -1,5 +1,7 @@
 ifeq ($(doc_generate),yes)

+MANUAL_SRCS := $(call rwildcard, $(d)/src, *.md)
+
 # Generate man pages.
 man-pages := $(foreach n, \
  nix-env.1 nix-build.1 nix-shell.1 nix-store.1 nix-instantiate.1 \
@@ -44,7 +46,7 @@ $(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/command-ref/new-cli

 $(d)/src/command-ref/new-cli: $(d)/nix.json $(d)/generate-manpage.nix $(bindir)/nix
 	@rm -rf $@
-	$(trace-gen) $(nix-eval) --write-to $@ --expr 'import doc/manual/generate-manpage.nix { command = builtins.readFile $<; renderLinks = true; }'
+	$(trace-gen) $(nix-eval) --write-to $@ --expr 'import doc/manual/generate-manpage.nix (builtins.fromJSON (builtins.readFile $<))'

 $(d)/src/command-ref/conf-file.md: $(d)/conf-file.json $(d)/generate-options.nix $(d)/src/command-ref/conf-file-prefix.md $(bindir)/nix
 	@cat doc/manual/src/command-ref/conf-file-prefix.md > $@.tmp
@@ -62,7 +64,6 @@ $(d)/conf-file.json: $(bindir)/nix
 $(d)/src/expressions/builtins.md: $(d)/builtins.json $(d)/generate-builtins.nix $(d)/src/expressions/builtins-prefix.md $(bindir)/nix
 	@cat doc/manual/src/expressions/builtins-prefix.md > $@.tmp
 	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp
-	@cat doc/manual/src/expressions/builtins-suffix.md >> $@.tmp
 	@mv $@.tmp $@

 $(d)/builtins.json: $(bindir)/nix
@@ -73,28 +74,17 @@ $(d)/builtins.json: $(bindir)/nix
 install: $(docdir)/manual/index.html

 # Generate 'nix' manpages.
-install: $(mandir)/man1/nix3-manpages
-man: doc/manual/generated/man1/nix3-manpages
-all: doc/manual/generated/man1/nix3-manpages
-
-$(mandir)/man1/nix3-manpages: doc/manual/generated/man1/nix3-manpages
-	@mkdir -p $(DESTDIR)$$(dirname $@)
-	$(trace-install) install -m 0644 $$(dirname $<)/* $(DESTDIR)$$(dirname $@)
-
-doc/manual/generated/man1/nix3-manpages: $(d)/src/command-ref/new-cli
-	@mkdir -p $(DESTDIR)$$(dirname $@)
+install: $(d)/src/command-ref/new-cli
 	$(trace-gen) for i in doc/manual/src/command-ref/new-cli/*.md; do \
 	  name=$$(basename $$i .md); \
-	  tmpFile=$$(mktemp); \
 	  if [[ $$name = SUMMARY ]]; then continue; fi; \
-	  printf "Title: %s\n\n" "$$name" > $$tmpFile; \
-	  cat $$i >> $$tmpFile; \
-	  lowdown -sT man -M section=1 $$tmpFile -o $(DESTDIR)$$(dirname $@)/$$name.1; \
-	  rm $$tmpFile; \
+	  printf "Title: %s\n\n" "$$name" > $$i.tmp; \
+	  cat $$i >> $$i.tmp; \
+	  lowdown -sT man -M section=1 $$i.tmp -o $(mandir)/man1/$$name.1; \
 	done
-	@touch $@

-$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/command-ref/new-cli $(d)/src/command-ref/conf-file.md $(d)/src/expressions/builtins.md $(call rwildcard, $(d)/src, *.md)
-	$(trace-gen) RUST_LOG=warn mdbook build doc/manual -d $(DESTDIR)$(docdir)/manual
+$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/command-ref/new-cli $(d)/src/command-ref/conf-file.md $(d)/src/expressions/builtins.md
+	$(trace-gen) RUST_LOG=warn mdbook build doc/manual -d $(docdir)/manual
+	@cp doc/manual/highlight.pack.js $(docdir)/manual/highlight.js

 endif
--- a/doc/manual/src/SUMMARY.md.in
+++ b/doc/manual/src/SUMMARY.md.in
@@ -70,7 +70,6 @@
  - [Hacking](contributing/hacking.md)
  - [CLI guideline](contributing/cli-guideline.md)
 - [Release Notes](release-notes/release-notes.md)
-  - [Release 2.4 (2021-11-01)](release-notes/rl-2.4.md)
  - [Release 2.3 (2019-09-04)](release-notes/rl-2.3.md)
  - [Release 2.2 (2019-01-11)](release-notes/rl-2.2.md)
  - [Release 2.1 (2018-09-02)](release-notes/rl-2.1.md)
--- a/doc/manual/src/expressions/builtins-prefix.md
+++ b/doc/manual/src/expressions/builtins-prefix.md
@@ -9,8 +9,7 @@ scope. Instead, you can access them through the `builtins` built-in
 value, which is a set that contains all built-in functions and values.
 For instance, `derivation` is also available as `builtins.derivation`.

-<dl>
-  <dt><code>derivation <var>attrs</var></code>;
-      <code>builtins.derivation <var>attrs</var></code></dt>
-  <dd><p><var>derivation</var> in described in
-         <a href="derivations.md">its own section</a>.</p></dd>
+  - `derivation` *attrs*; `builtins.derivation` *attrs*\
+
+    `derivation` is described in [its own section](derivations.md).
+
--- a/doc/manual/src/expressions/builtins-suffix.md
+++ b/doc/manual/src/expressions/builtins-suffix.md
@@ -1 +0,0 @@
-</dl>
--- a/doc/manual/src/expressions/language-values.md
+++ b/doc/manual/src/expressions/language-values.md
@@ -139,13 +139,6 @@ Nix has the following basic data types:
    environment variable `NIX_PATH` will be searched for the given file
    or directory name.

-    Antiquotation is supported in any paths except those in angle brackets.
-    `./${foo}-${bar}.nix` is a more convenient way of writing 
-    `./. + "/" + foo + "-" + bar + ".nix"` or `./. + "/${foo}-${bar}.nix"`. At
-    least one slash must appear *before* any antiquotations for this to be
-    recognized as a path. `a.${foo}/b.${bar}` is a syntactically valid division
-    operation. `./a.${foo}/b.${bar}` is a path.
-
  - *Booleans* with values `true` and `false`.

  - The null value, denoted as `null`.
--- a/doc/manual/src/installation/env-variables.md
+++ b/doc/manual/src/installation/env-variables.md
@@ -40,7 +40,7 @@ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
 > **Note**
 > 
 > You must not add the export and then do the install, as the Nix
-> installer will detect the presence of Nix configuration, and abort.
+> installer will detect the presense of Nix configuration, and abort.

 ## `NIX_SSL_CERT_FILE` with macOS and the Nix daemon

--- a/doc/manual/src/installation/prerequisites-source.md
+++ b/doc/manual/src/installation/prerequisites-source.md
@@ -26,6 +26,15 @@
    available for download from the official repository
    <https://github.com/google/brotli>.

+  - The bzip2 compressor program and the `libbz2` library. Thus you must
+    have bzip2 installed, including development headers and libraries.
+    If your distribution does not provide these, you can obtain bzip2
+    from
+    <https://sourceware.org/bzip2/>.
+
+  - `liblzma`, which is provided by XZ Utils. If your distribution does
+    not provide this, you can get it from <https://tukaani.org/xz/>.
+
  - cURL and its library. If your distribution does not provide it, you
    can get it from <https://curl.haxx.se/>.

--- a/doc/manual/src/release-notes/rl-2.4.md
+++ b/doc/manual/src/release-notes/rl-2.4.md
@@ -1,525 +1,8 @@
-# Release 2.4 (2021-11-01)
-
-This is the first release in more than two years and is the result of
-more than 2800 commits from 195 contributors since release 2.3.
-
-## Highlights
-
-* Nix's **error messages** have been improved a lot. For instance,
-  evaluation errors now point out the location of the error:
-
-  ```
-  $ nix build
-  error: undefined variable 'bzip3'
-
-         at /nix/store/449lv242z0zsgwv95a8124xi11sp419f-source/flake.nix:88:13:
-
-             87|           [ curl
-             88|             bzip3 xz brotli editline
-               |             ^
-             89|             openssl sqlite
-  ```
-
-* The **`nix` command** has seen a lot of work and is now almost at
-  feature parity with the old command-line interface (the `nix-*`
-  commands). It aims to be [more modern, consistent and pleasant to
-  use](../contributing/cli-guideline.md) than the old CLI. It is still
-  marked as experimental but its interface should not change much
-  anymore in future releases.
-
-* **Flakes** are a new format to package Nix-based projects in a more
-  discoverable, composable, consistent and reproducible way. A flake
-  is just a repository or tarball containing a file named `flake.nix`
-  that specifies dependencies on other flakes and returns any Nix
-  assets such as packages, Nixpkgs overlays, NixOS modules or CI
-  tests. The new `nix` CLI is primarily based around flakes; for
-  example, a command like `nix run nixpkgs#hello` runs the `hello`
-  application from the `nixpkgs` flake.
-
-  Flakes are currently marked as experimental. For an introduction,
-  see [this blog
-  post](https://www.tweag.io/blog/2020-05-25-flakes/). For detailed
-  information about flake syntax and semantics, see the [`nix flake`
-  manual page](../command-ref/new-cli/nix3-flake.md).
-
-* Nix's store can now be **content-addressed**, meaning that the hash
-  component of a store path is the hash of the path's
-  contents. Previously Nix could only build **input-addressed** store
-  paths, where the hash is computed from the derivation dependency
-  graph. Content-addressing allows deduplication, early cutoff in
-  build systems, and unprivileged closure copying. This is still [an
-  experimental
-  feature](https://discourse.nixos.org/t/content-addressed-nix-call-for-testers/12881).
-
-* The Nix manual has been converted into Markdown, making it easier to
-  contribute. In addition, every `nix` subcommand now has a manual
-  page, documenting every option.
-
-* A new setting that allows **experimental features** to be enabled
-  selectively. This allows us to merge unstable features into Nix more
-  quickly and do more frequent releases.
-
-## Other features
-
-* There are many new `nix` subcommands:
-
-  - `nix develop` is intended to replace `nix-shell`. It has a number
-    of new features:
-
-    * It automatically sets the output environment variables (such as
-      `$out`) to writable locations (such as `./outputs/out`).
-
-    * It can store the environment in a profile. This is useful for
-      offline work.
-
-    * It can run specific phases directly. For instance, `nix develop
-      --build` runs `buildPhase`.
-
-    - It allows dependencies in the Nix store to be "redirected" to
-      arbitrary directories using the `--redirect` flag. This is
-      useful if you want to hack on a package *and* some of its
-      dependencies at the same time.
-
-  - `nix print-dev-env` prints the environment variables and bash
-    functions defined by a derivation. This is useful for users of
-    other shells than bash (especially with `--json`).
-
-  - `nix shell` was previously named `nix run` and is intended to
-    replace `nix-shell -p`, but without the `stdenv` overhead. It
-    simply starts a shell where some packages have been added to
-    `$PATH`.
-
-  - `nix run` (not to be confused with the old subcommand that has
-    been renamed to `nix shell`) runs an "app", a flake output that
-    specifies a command to run, or an eponymous program from a
-    package. For example, `nix run nixpkgs#hello` runs the `hello`
-    program from the `hello` package in `nixpkgs`.
-
-  - `nix flake` is the container for flake-related operations, such as
-    creating a new flake, querying the contents of a flake or updating
-    flake lock files.
-
-  - `nix registry` allows you to query and update the flake registry,
-    which maps identifiers such as `nixpkgs` to concrete flake URLs.
-
-  - `nix profile` is intended to replace `nix-env`. Its main advantage
-    is that it keeps track of the provenance of installed packages
-    (e.g. exactly which flake version a package came from). It also
-    has some helpful subcommands:
-
-    * `nix profile history` shows what packages were added, upgraded
-      or removed between each version of a profile.
-
-    * `nix profile diff-closures` shows the changes between the
-      closures of each version of a profile. This allows you to
-      discover the addition or removal of dependencies or size
-      changes.
-
-    **Warning**: after a profile has been updated using `nix profile`,
-    it is no longer usable with `nix-env`.
-
-  - `nix store diff-closures` shows the differences between the
-    closures of two store paths in terms of the versions and sizes of
-    dependencies in the closures.
-
-  - `nix store make-content-addressable` rewrites an arbitrary closure
-    to make it content-addressed. Such paths can be copied into other
-    stores without requiring signatures.
-
-  - `nix bundle` uses the [`nix-bundle`
-    program](https://github.com/matthewbauer/nix-bundle) to convert a
-    closure into a self-extracting executable.
-
-  - Various other replacements for the old CLI, e.g. `nix store gc`,
-    `nix store delete`, `nix store repair`, `nix nar dump-path`, `nix
-    store prefetch-file`, `nix store prefetch-tarball`, `nix key` and
-    `nix daemon`.
-
-* Nix now has an **evaluation cache** for flake outputs. For example,
-  a second invocation of the command `nix run nixpkgs#firefox` will
-  not need to evaluate the `firefox` attribute because it's already in
-  the evaluation cache. This is made possible by the hermetic
-  evaluation model of flakes.
-
-* The new `--offline` flag disables substituters and causes all
-  locally cached tarballs and repositories to be considered
-  up-to-date.
-
-* The new `--refresh` flag causes all locally cached tarballs and
-  repositories to be considered out-of-date.
-
-* Many `nix` subcommands now have a `--json` option to produce
-  machine-readable output.
-
-* `nix repl` has a new `:doc` command to show documentation about
-  builtin functions (e.g. `:doc builtins.map`).
-
-* Binary cache stores now have an option `index-debug-info` to create
-  an index of DWARF debuginfo files for use by
-  [`dwarffs`](https://github.com/edolstra/dwarffs).
-
-* To support flakes, Nix now has an extensible mechanism for fetching
-  source trees. Currently it has the following backends:
-
-  * Git repositories
-
-  * Mercurial repositories
-
-  * GitHub and GitLab repositories (an optimisation for faster
-    fetching than Git)
-
-  * Tarballs
-
-  * Arbitrary directories
-
-  The fetcher infrastructure is exposed via flake input specifications
-  and via the `fetchTree` built-in.
-
-* **Languages changes**: the only new language feature is that you can
-  now have antiquotations in paths, e.g. `./${foo}` instead of `./. +
-  foo`.
-
-* **New built-in functions**:
-
-  - `builtins.fetchTree` allows fetching a source tree using any
-    backends supported by the fetcher infrastructure. It subsumes the
-    functionality of existing built-ins like `fetchGit`,
-    `fetchMercurial` and `fetchTarball`.
-
-  - `builtins.getFlake` fetches a flake and returns its output
-    attributes. This function should not be used inside flakes! Use
-    flake inputs instead.
-
-  - `builtins.floor` and `builtins.ceil` round a floating-point number
-    down and up, respectively.
-
-* Experimental support for recursive Nix. This means that Nix
-  derivations can now call Nix to build other derivations. This is not
-  in a stable state yet and not well
-  [documented](https://github.com/NixOS/nix/commit/c4d7c76b641d82b2696fef73ce0ac160043c18da).
-
-* The new experimental feature `no-url-literals` disables URL
-  literals. This helps to implement [RFC
-  45](https://github.com/NixOS/rfcs/pull/45).
-
-* Nix now uses `libarchive` to decompress and unpack tarballs and zip
-  files, so `tar` is no longer required.
-
-* The priority of substituters can now be overridden using the
-  `priority` substituter setting (e.g. `--substituters
-  'http://cache.nixos.org?priority=100 daemon?priority=10'`).
-
-* `nix edit` now supports non-derivation attributes, e.g. `nix edit
-  .#nixosConfigurations.bla`.
-
-* The `nix` command now provides command line completion for `bash`,
-  `zsh` and `fish`. Since the support for getting completions is built
-  into `nix`, it's easy to add support for other shells.
-
-* The new `--log-format` flag selects what Nix's output looks like. It
-  defaults to a terse progress indicator. There is a new
-  `internal-json` output format for use by other programs.
-
-* `nix eval` has a new `--apply` flag that applies a function to the
-  evaluation result.
-
-* `nix eval` has a new `--write-to` flag that allows it to write a
-  nested attribute set of string leaves to a corresponding directory
-  tree.
-
-* Memory improvements: many operations that add paths to the store or
-  copy paths between stores now run in constant memory.
-
-* Many `nix` commands now support the flag `--derivation` to operate
-  on a `.drv` file itself instead of its outputs.
-
-* There is a new store called `dummy://` that does not support
-  building or adding paths. This is useful if you want to use the Nix
-  evaluator but don't have a Nix store.
-
-* The `ssh-ng://` store now allows substituting paths on the remote,
-  as `ssh://` already did.
-
-* When auto-calling a function with an ellipsis, all arguments are now
-  passed.
-
-* New `nix-shell` features:
-
-  - It preserves the `PS1` environment variable if
-    `NIX_SHELL_PRESERVE_PROMPT` is set.
-
-  - With `-p`, it passes any `--arg`s as Nixpkgs arguments.
-
-  - Support for structured attributes.
-
-* `nix-prefetch-url` has a new `--executable` flag.
-
-* On `x86_64` systems, [`x86_64` microarchitecture
-  levels](https://lwn.net/Articles/844831/) are mapped to additional
-  system types (e.g. `x86_64-v1-linux`).
-
-* The new `--eval-store` flag allows you to use a different store for
-  evaluation than for building or storing the build result. This is
-  primarily useful when you want to query whether something exists in
-  a read-only store, such as a binary cache:
-
-  ```
-  # nix path-info --json --store https://cache.nixos.org \
-    --eval-store auto nixpkgs#hello
-  ```
-
-  (Here `auto` indicates the local store.)
-
-* The Nix daemon has a new low-latency mechanism for copying
-  closures. This is useful when building on remote stores such as
-  `ssh-ng://`.
-
-* Plugins can now register `nix` subcommands.
-
-## Incompatible changes
-
-* The `nix` command is now marked as an experimental feature. This
-  means that you need to add
-
-  > experimental-features = nix-command
-
-  to your `nix.conf` if you want to use it, or pass
-  `--extra-experimental-features nix-command` on the command line.
-
-* The `nix` command no longer has a syntax for referring to packages
-  in a channel. This means that the following no longer works:
-
-  > nix build nixpkgs.hello # Nix 2.3
-
-  Instead, you can either use the `#` syntax to select a package from
-  a flake, e.g.
-
-  > nix build nixpkgs#hello
-
-  Or, if you want to use the `nixpkgs` channel in the `NIX_PATH`
-  environment variable:
-
-  > nix build -f '<nixpkgs>' hello
-
-* The old `nix run` has been renamed to `nix shell`, while there is a
-  new `nix run` that runs a default command. So instead of
-
-  > nix run nixpkgs.hello -c hello # Nix 2.3
-
-  you should use
-
-  > nix shell nixpkgs#hello -c hello
-
-  or just
-
-  > nix run nixpkgs#hello
-
-  if the command you want to run has the same name as the package.
-
-* It is now an error to modify the `plugin-files` setting via a
-  command-line flag that appears after the first non-flag argument to
-  any command, including a subcommand to `nix`. For example,
-  `nix-instantiate default.nix --plugin-files ""` must now become
-  `nix-instantiate --plugin-files "" default.nix`.
-
-* We no longer release source tarballs. If you want to build from
-  source, please build from the tags in the Git repository.
-
-## Contributors
-
-This release has contributions from
-Adam Höse,
-Albert Safin,
-Alex Kovar,
-Alex Zero,
-Alexander Bantyev,
-Alexandre Esteves,
-Alyssa Ross,
-Anatole Lucet,
-Anders Kaseorg,
-Andreas Rammhold,
-Antoine Eiche,
-Antoine Martin,
-Arnout Engelen,
-Arthur Gautier,
-aszlig,
-Ben Burdette,
-Benjamin Hipple,
-Bernardo Meurer,
-Björn Gohla,
-Bjørn Forsman,
-Bob van der Linden,
-Brian Leung,
-Brian McKenna,
-Brian Wignall,
-Bruce Toll,
-Bryan Richter,
-Calle Rosenquist,
-Calvin Loncaric,
-Carlo Nucera,
-Carlos D'Agostino,
-Chaz Schlarp,
-Christian Höppner,
-Christian Kampka,
-Chua Hou,
-Chuck,
-Cole Helbling,
-Daiderd Jordan,
-Dan Callahan,
-Dani,
-Daniel Fitzpatrick,
-Danila Fedorin,
-Daniël de Kok,
-Danny Bautista,
-DavHau,
-David McFarland,
-Dima,
-Domen Kožar,
-Dominik Schrempf,
-Dominique Martinet,
-dramforever,
-Dustin DeWeese,
-edef,
-Eelco Dolstra,
-Emilio Karakey,
-Emily,
-Eric Culp,
-Ersin Akinci,
-Fabian Möller,
-Farid Zakaria,
-Federico Pellegrin,
-Finn Behrens,
-Florian Franzen,
-Félix Baylac-Jacqué,
-Gabriel Gonzalez,
-Geoff Reedy,
-Georges Dubus,
-Graham Christensen,
-Greg Hale,
-Greg Price,
-Gregor Kleen,
-Gregory Hale,
-Griffin Smith,
-Guillaume Bouchard,
-Harald van Dijk,
-illustris,
-Ivan Zvonimir Horvat,
-Jade,
-Jake Waksbaum,
-jakobrs,
-James Ottaway,
-Jan Tojnar,
-Janne Heß,
-Jaroslavas Pocepko,
-Jarrett Keifer,
-Jeremy Schlatter,
-Joachim Breitner,
-Joe Hermaszewski,
-Joe Pea,
-John Ericson,
-Jonathan Ringer,
-Josef Kemetmüller,
-Joseph Lucas,
-Jude Taylor,
-Julian Stecklina,
-Julien Tanguy,
-Jörg Thalheim,
-Kai Wohlfahrt,
-keke,
-Keshav Kini,
-Kevin Quick,
-Kevin Stock,
-Kjetil Orbekk,
-Krzysztof Gogolewski,
-kvtb,
-Lars Mühmel,
-Leonhard Markert,
-Lily Ballard,
-Linus Heckemann,
-Lorenzo Manacorda,
-Lucas Desgouilles,
-Lucas Franceschino,
-Lucas Hoffmann,
-Luke Granger-Brown,
-Madeline Haraj,
-Marwan Aljubeh,
-Mat Marini,
-Mateusz Piotrowski,
-Matthew Bauer,
-Matthew Kenigsberg,
-Mauricio Scheffer,
-Maximilian Bosch,
-Michael Adler,
-Michael Bishop,
-Michael Fellinger,
-Michael Forney,
-Michael Reilly,
-mlatus,
-Mykola Orliuk,
-Nathan van Doorn,
-Naïm Favier,
-ng0,
-Nick Van den Broeck,
-Nicolas Stig124 Formichella,
-Niels Egberts,
-Niklas Hambüchen,
-Nikola Knezevic,
-oxalica,
-p01arst0rm,
-Pamplemousse,
-Patrick Hilhorst,
-Paul Opiyo,
-Pavol Rusnak,
-Peter Kolloch,
-Philipp Bartsch,
-Philipp Middendorf,
-Piotr Szubiakowski,
-Profpatsch,
-Puck Meerburg,
-Ricardo M. Correia,
-Rickard Nilsson,
-Robert Hensing,
-Robin Gloster,
-Rodrigo,
-Rok Garbas,
-Ronnie Ebrin,
-Rovanion Luckey,
-Ryan Burns,
-Ryan Mulligan,
-Ryne Everett,
-Sam Doshi,
-Sam Lidder,
-Samir Talwar,
-Samuel Dionne-Riel,
-Sebastian Ullrich,
-Sergei Trofimovich,
-Sevan Janiyan,
-Shao Cheng,
-Shea Levy,
-Silvan Mosberger,
-Stefan Frijters,
-Stefan Jaax,
-sternenseemann,
-Steven Shaw,
-Stéphan Kochen,
-SuperSandro2000,
-Suraj Barkale,
-Taeer Bar-Yam,
-Thomas Churchman,
-Théophane Hufschmitt,
-Timothy DeHerrera,
-Timothy Klim,
-Tobias Möst,
-Tobias Pflug,
-Tom Bereknyei,
-Travis A. Everett,
-Ujjwal Jain,
-Vladimír Čunát,
-Wil Taylor,
-Will Dietz,
-Yaroslav Bolyukin,
-Yestin L. Harrison,
-YI,
-Yorick van Pelt,
-Yuriy Taraday and
-zimbatm.
+# Release 2.4 (202X-XX-XX)
+
+  - It is now an error to modify the `plugin-files` setting via a
+    command-line flag that appears after the first non-flag argument
+    to any command, including a subcommand to `nix`. For example,
+    `nix-instantiate default.nix --plugin-files ""` must now become
+    `nix-instantiate --plugin-files "" default.nix`.
+  - Plugins that add new `nix` subcommands are now actually respected.
--- a/flake.lock
+++ b/flake.lock
@@ -3,26 +3,27 @@
    "lowdown-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1633514407,
-        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
+        "lastModified": 1617481909,
+        "narHash": "sha256-SqnfOFuLuVRRNeVJr1yeEPJue/qWoCp5N6o5Kr///p4=",
        "owner": "kristapsdz",
        "repo": "lowdown",
-        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
+        "rev": "148f9b2f586c41b7e36e73009db43ea68c7a1a4d",
        "type": "github"
      },
      "original": {
        "owner": "kristapsdz",
+        "ref": "VERSION_0_8_4",
        "repo": "lowdown",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1632864508,
-        "narHash": "sha256-d127FIvGR41XbVRDPVvozUPQ/uRHbHwvfyKHwEt5xFM=",
+        "lastModified": 1624862269,
+        "narHash": "sha256-JFcsh2+7QtfKdJFoPibLFPLgIW6Ycnv8Bts9a7RYme0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "82891b5e2c2359d7e58d08849e4c89511ab94234",
+        "rev": "f77036342e2b690c61c97202bf48f2ce13acc022",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -2,7 +2,7 @@
  description = "The purely functional package manager";

  inputs.nixpkgs.url = "nixpkgs/nixos-21.05-small";
-  inputs.lowdown-src = { url = "github:kristapsdz/lowdown"; flake = false; };
+  inputs.lowdown-src = { url = "github:kristapsdz/lowdown/VERSION_0_8_4"; flake = false; };

  outputs = { self, nixpkgs, lowdown-src }:

@@ -14,14 +14,12 @@
        then ""
        else "pre${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}_${self.shortRev or "dirty"}";

-      officialRelease = true;
+      officialRelease = false;

      linux64BitSystems = [ "x86_64-linux" "aarch64-linux" ];
      linuxSystems = linux64BitSystems ++ [ "i686-linux" ];
      systems = linuxSystems ++ [ "x86_64-darwin" "aarch64-darwin" ];

-      crossSystems = [ "armv6l-linux" "armv7l-linux" ];
-
      forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system);

      # Memoize nixpkgs for different platforms for efficiency.
@@ -70,7 +68,7 @@
          [
            buildPackages.bison
            buildPackages.flex
-            (lib.getBin buildPackages.lowdown-nix)
+            (lib.getBin buildPackages.lowdown)
            buildPackages.mdbook
            buildPackages.autoconf-archive
            buildPackages.autoreconfHook
@@ -78,10 +76,10 @@

            # Tests
            buildPackages.git
-            buildPackages.mercurial # FIXME: remove? only needed for tests
+            buildPackages.mercurial
            buildPackages.jq
          ]
-          ++ lib.optionals stdenv.hostPlatform.isLinux [(buildPackages.util-linuxMinimal or buildPackages.utillinuxMinimal)];
+          ++ lib.optionals stdenv.isLinux [(pkgs.util-linuxMinimal or pkgs.utillinuxMinimal)];

        buildDeps =
          [ curl
@@ -89,12 +87,13 @@
            openssl sqlite
            libarchive
            boost
-            lowdown-nix
+            nlohmann_json
+            lowdown
            gmock
          ]
          ++ lib.optionals stdenv.isLinux [libseccomp]
          ++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
-          ++ lib.optional stdenv.hostPlatform.isx86_64 libcpuid;
+          ++ lib.optional stdenv.isx86_64 libcpuid;

        awsDeps = lib.optional (stdenv.isLinux || stdenv.isDarwin)
          (aws-sdk-cpp.override {
@@ -103,13 +102,7 @@
          });

        propagatedDeps =
-          [ ((boehmgc.override {
-              enableLargeConfig = true;
-            }).overrideAttrs(o: {
-              patches = (o.patches or []) ++ [
-                ./boehmgc-coroutine-sp-fallback.diff
-              ];
-            }))
+          [ (boehmgc.override { enableLargeConfig = true; })
          ];

        perlDeps =
@@ -126,7 +119,8 @@
          ''
            mkdir -p $out/nix-support

-            # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
+            # Converts /nix/store/50p3qk8kka9dl6wyq40vydq945k0j3kv-nix-2.4pre20201102_550e11f/bin/nix
+            # To 50p3qk8kka9dl6wyq40vydq945k0j3kv/bin/nix
            tarballPath() {
              # Remove the store prefix
              local path=''${1#${builtins.storeDir}/}
@@ -139,11 +133,10 @@

            substitute ${./scripts/install.in} $out/install \
              ${pkgs.lib.concatMapStrings
-                (system: let
-                    tarball = if builtins.elem system crossSystems then self.hydraJobs.binaryTarballCross.x86_64-linux.${system} else self.hydraJobs.binaryTarball.${system};
-                  in '' \
-                  --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
-                  --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
+                (system:
+                  '' \
+                  --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${self.hydraJobs.binaryTarball.${system}}/*.tar.xz) \
+                  --replace '@tarballPath_${system}@' $(tarballPath ${self.hydraJobs.binaryTarball.${system}}/*.tar.xz) \
                  ''
                )
                systems
@@ -152,15 +145,13 @@
            echo "file installer $out/install" >> $out/nix-support/hydra-build-products
          '';

-      testNixVersions = pkgs: client: daemon: with commonDeps pkgs; with pkgs.lib; pkgs.stdenv.mkDerivation {
+      testNixVersions = pkgs: client: daemon: with commonDeps pkgs; pkgs.stdenv.mkDerivation {
        NIX_DAEMON_PACKAGE = daemon;
        NIX_CLIENT_PACKAGE = client;
-        name =
-          "nix-tests"
-          + optionalString
-            (versionAtLeast daemon.version "2.4pre20211005" &&
-             versionAtLeast client.version "2.4pre20211005")
-            "-${client.version}-against-${daemon.version}";
+        # Must keep this name short as OSX has a rather strict limit on the
+        # socket path length, and this name appears in the path of the
+        # nix-daemon socket used in the tests
+        name = "nix-tests";
        inherit version;

        src = self;
@@ -179,92 +170,21 @@
        installPhase = ''
          mkdir -p $out
        '';
+        installCheckPhase = "make installcheck";

-        installCheckPhase = "make installcheck -j$NIX_BUILD_CORES -l$NIX_BUILD_CORES";
      };

-      binaryTarball = buildPackages: nix: pkgs: let
-        inherit (pkgs) cacert;
-        installerClosureInfo = buildPackages.closureInfo { rootPaths = [ nix cacert ]; };
-      in
-
-      buildPackages.runCommand "nix-binary-tarball-${version}"
-        { #nativeBuildInputs = lib.optional (system != "aarch64-linux") shellcheck;
-          meta.description = "Distribution-independent Nix bootstrap binaries for ${pkgs.system}";
-        }
-        ''
-          cp ${installerClosureInfo}/registration $TMPDIR/reginfo
-          cp ${./scripts/create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
-          substitute ${./scripts/install-nix-from-closure.sh} $TMPDIR/install \
-            --subst-var-by nix ${nix} \
-            --subst-var-by cacert ${cacert}
-
-          substitute ${./scripts/install-darwin-multi-user.sh} $TMPDIR/install-darwin-multi-user.sh \
-            --subst-var-by nix ${nix} \
-            --subst-var-by cacert ${cacert}
-          substitute ${./scripts/install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
-            --subst-var-by nix ${nix} \
-            --subst-var-by cacert ${cacert}
-          substitute ${./scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
-            --subst-var-by nix ${nix} \
-            --subst-var-by cacert ${cacert}
-
-          if type -p shellcheck; then
-            # SC1090: Don't worry about not being able to find
-            #         $nix/etc/profile.d/nix.sh
-            shellcheck --exclude SC1090 $TMPDIR/install
-            shellcheck $TMPDIR/create-darwin-volume.sh
-            shellcheck $TMPDIR/install-darwin-multi-user.sh
-            shellcheck $TMPDIR/install-systemd-multi-user.sh
-
-            # SC1091: Don't panic about not being able to source
-            #         /etc/profile
-            # SC2002: Ignore "useless cat" "error", when loading
-            #         .reginfo, as the cat is a much cleaner
-            #         implementation, even though it is "useless"
-            # SC2116: Allow ROOT_HOME=$(echo ~root) for resolving
-            #         root's home directory
-            shellcheck --external-sources \
-              --exclude SC1091,SC2002,SC2116 $TMPDIR/install-multi-user
-          fi
-
-          chmod +x $TMPDIR/install
-          chmod +x $TMPDIR/create-darwin-volume.sh
-          chmod +x $TMPDIR/install-darwin-multi-user.sh
-          chmod +x $TMPDIR/install-systemd-multi-user.sh
-          chmod +x $TMPDIR/install-multi-user
-          dir=nix-${version}-${pkgs.system}
-          fn=$out/$dir.tar.xz
-          mkdir -p $out/nix-support
-          echo "file binary-dist $fn" >> $out/nix-support/hydra-build-products
-          tar cvfJ $fn \
-            --owner=0 --group=0 --mode=u+rw,uga+r \
-            --absolute-names \
-            --hard-dereference \
-            --transform "s,$TMPDIR/install,$dir/install," \
-            --transform "s,$TMPDIR/create-darwin-volume.sh,$dir/create-darwin-volume.sh," \
-            --transform "s,$TMPDIR/reginfo,$dir/.reginfo," \
-            --transform "s,$NIX_STORE,$dir/store,S" \
-            $TMPDIR/install \
-            $TMPDIR/create-darwin-volume.sh \
-            $TMPDIR/install-darwin-multi-user.sh \
-            $TMPDIR/install-systemd-multi-user.sh \
-            $TMPDIR/install-multi-user \
-            $TMPDIR/reginfo \
-            $(cat ${installerClosureInfo}/store-paths)
-        '';
-
    in {

      # A Nixpkgs overlay that overrides the 'nix' and
      # 'nix.perl-bindings' packages.
      overlay = final: prev: {

+        # An older version of Nix to test against when using the daemon.
+        # Currently using `nixUnstable` as the stable one doesn't respect
+        # `NIX_DAEMON_SOCKET_PATH` which is needed for the tests.
        nixStable = prev.nix;

-        # Forward from the previous stage as we don’t want it to pick the lowdown override
-        nixUnstable = prev.nixUnstable;
-
        nix = with final; with commonDeps pkgs; stdenv.mkDerivation {
          name = "nix-${version}";
          inherit version;
@@ -334,6 +254,7 @@
                xz
                pkgs.perl
                boost
+                nlohmann_json
              ]
              ++ lib.optional (stdenv.isLinux || stdenv.isDarwin) libsodium
              ++ lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.Security;
@@ -350,14 +271,21 @@

        };

-        lowdown-nix = with final; stdenv.mkDerivation rec {
-          name = "lowdown-0.9.0";
+        lowdown = with final; stdenv.mkDerivation rec {
+          name = "lowdown-0.8.4";
+
+          /*
+          src = fetchurl {
+            url = "https://kristaps.bsd.lv/lowdown/snapshots/${name}.tar.gz";
+            hash = "sha512-U9WeGoInT9vrawwa57t6u9dEdRge4/P+0wLxmQyOL9nhzOEUU2FRz2Be9H0dCjYE7p2v3vCXIYk40M+jjULATw==";
+          };
+          */

          src = lowdown-src;

          outputs = [ "out" "bin" "dev" ];

-          nativeBuildInputs = [ buildPackages.which ];
+          nativeBuildInputs = [ which ];

          configurePhase = ''
              ${if (stdenv.isDarwin && stdenv.isAarch64) then "echo \"HAVE_SANDBOX_INIT=false\" > configure.local" else ""}
@@ -376,33 +304,92 @@

        buildStatic = nixpkgs.lib.genAttrs linux64BitSystems (system: self.packages.${system}.nix-static);

-        buildCross = nixpkgs.lib.genAttrs crossSystems (crossSystem:
-          nixpkgs.lib.genAttrs ["x86_64-linux"] (system: self.packages.${system}."nix-${crossSystem}"));
-
        # Perl bindings for various platforms.
        perlBindings = nixpkgs.lib.genAttrs systems (system: self.packages.${system}.nix.perl-bindings);

        # Binary tarball for various platforms, containing a Nix store
        # with the closure of 'nix' package, and the second half of
        # the installation script.
-        binaryTarball = nixpkgs.lib.genAttrs systems (system: binaryTarball nixpkgsFor.${system} nixpkgsFor.${system}.nix nixpkgsFor.${system});
+        binaryTarball = nixpkgs.lib.genAttrs systems (system:

-        binaryTarballCross = nixpkgs.lib.genAttrs ["x86_64-linux"] (system: builtins.listToAttrs (map (crossSystem: {
-          name = crossSystem;
-          value = let
-            nixpkgsCross = import nixpkgs {
-              inherit system crossSystem;
-              overlays = [ self.overlay ];
-            };
-          in binaryTarball nixpkgsFor.${system} self.packages.${system}."nix-${crossSystem}" nixpkgsCross;
-        }) crossSystems));
+          with nixpkgsFor.${system};
+
+          let
+            installerClosureInfo = closureInfo { rootPaths = [ nix cacert ]; };
+          in
+
+          runCommand "nix-binary-tarball-${version}"
+            { #nativeBuildInputs = lib.optional (system != "aarch64-linux") shellcheck;
+              meta.description = "Distribution-independent Nix bootstrap binaries for ${system}";
+            }
+            ''
+              cp ${installerClosureInfo}/registration $TMPDIR/reginfo
+              cp ${./scripts/create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
+              substitute ${./scripts/install-nix-from-closure.sh} $TMPDIR/install \
+                --subst-var-by nix ${nix} \
+                --subst-var-by cacert ${cacert}
+
+              substitute ${./scripts/install-darwin-multi-user.sh} $TMPDIR/install-darwin-multi-user.sh \
+                --subst-var-by nix ${nix} \
+                --subst-var-by cacert ${cacert}
+              substitute ${./scripts/install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
+                --subst-var-by nix ${nix} \
+                --subst-var-by cacert ${cacert}
+              substitute ${./scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
+                --subst-var-by nix ${nix} \
+                --subst-var-by cacert ${cacert}
+
+              if type -p shellcheck; then
+                # SC1090: Don't worry about not being able to find
+                #         $nix/etc/profile.d/nix.sh
+                shellcheck --exclude SC1090 $TMPDIR/install
+                shellcheck $TMPDIR/create-darwin-volume.sh
+                shellcheck $TMPDIR/install-darwin-multi-user.sh
+                shellcheck $TMPDIR/install-systemd-multi-user.sh
+
+                # SC1091: Don't panic about not being able to source
+                #         /etc/profile
+                # SC2002: Ignore "useless cat" "error", when loading
+                #         .reginfo, as the cat is a much cleaner
+                #         implementation, even though it is "useless"
+                # SC2116: Allow ROOT_HOME=$(echo ~root) for resolving
+                #         root's home directory
+                shellcheck --external-sources \
+                  --exclude SC1091,SC2002,SC2116 $TMPDIR/install-multi-user
+              fi
+
+              chmod +x $TMPDIR/install
+              chmod +x $TMPDIR/create-darwin-volume.sh
+              chmod +x $TMPDIR/install-darwin-multi-user.sh
+              chmod +x $TMPDIR/install-systemd-multi-user.sh
+              chmod +x $TMPDIR/install-multi-user
+              dir=nix-${version}-${system}
+              fn=$out/$dir.tar.xz
+              mkdir -p $out/nix-support
+              echo "file binary-dist $fn" >> $out/nix-support/hydra-build-products
+              tar cvfJ $fn \
+                --owner=0 --group=0 --mode=u+rw,uga+r \
+                --absolute-names \
+                --hard-dereference \
+                --transform "s,$TMPDIR/install,$dir/install," \
+                --transform "s,$TMPDIR/create-darwin-volume.sh,$dir/create-darwin-volume.sh," \
+                --transform "s,$TMPDIR/reginfo,$dir/.reginfo," \
+                --transform "s,$NIX_STORE,$dir/store,S" \
+                $TMPDIR/install \
+                $TMPDIR/create-darwin-volume.sh \
+                $TMPDIR/install-darwin-multi-user.sh \
+                $TMPDIR/install-systemd-multi-user.sh \
+                $TMPDIR/install-multi-user \
+                $TMPDIR/reginfo \
+                $(cat ${installerClosureInfo}/store-paths)
+            '');

        # The first half of the installation script. This is uploaded
        # to https://nixos.org/nix/install. It downloads the binary
        # tarball for the user's system and calls the second half of the
        # installation script.
-        installerScript = installScriptFor [ "x86_64-linux" "i686-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" "armv6l-linux" "armv7l-linux" ];
-        installerScriptForGHA = installScriptFor [ "x86_64-linux" "x86_64-darwin" "armv6l-linux" "armv7l-linux"];
+        installerScript = installScriptFor [ "x86_64-linux" "i686-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ];
+        installerScriptForGHA = installScriptFor [ "x86_64-linux" "x86_64-darwin" ];

        # Line coverage analysis.
        coverage =
@@ -491,11 +478,7 @@
          let pkgs = nixpkgsFor.${system}; in
          pkgs.runCommand "install-tests" {
            againstSelf = testNixVersions pkgs pkgs.nix pkgs.pkgs.nix;
-            againstCurrentUnstable =
-              # FIXME: temporarily disable this on macOS because of #3605.
-              if system == "x86_64-linux"
-              then testNixVersions pkgs pkgs.nix pkgs.nixUnstable
-              else null;
+            againstCurrentUnstable = testNixVersions pkgs pkgs.nix pkgs.nixUnstable;
            # Disabled because the latest stable version doesn't handle
            # `NIX_DAEMON_SOCKET_PATH` which is required for the tests to work
            # againstLatestStable = testNixVersions pkgs pkgs.nix pkgs.nixStable;
@@ -504,7 +487,7 @@

      packages = forAllSystems (system: {
        inherit (nixpkgsFor.${system}) nix;
-      } // (nixpkgs.lib.optionalAttrs (builtins.elem system linux64BitSystems) {
+      } // nixpkgs.lib.optionalAttrs (builtins.elem system linux64BitSystems) {
        nix-static = let
          nixpkgs = nixpkgsFor.${system}.pkgsStatic;
        in with commonDeps nixpkgs; nixpkgs.stdenv.mkDerivation {
@@ -542,49 +525,8 @@
          stripAllList = ["bin"];

          strictDeps = true;
-
-          hardeningDisable = [ "pie" ];
        };
-      } // builtins.listToAttrs (map (crossSystem: {
-        name = "nix-${crossSystem}";
-        value = let
-          nixpkgsCross = import nixpkgs {
-            inherit system crossSystem;
-            overlays = [ self.overlay ];
-          };
-        in with commonDeps nixpkgsCross; nixpkgsCross.stdenv.mkDerivation {
-          name = "nix-${version}";
-
-          src = self;
-
-          VERSION_SUFFIX = versionSuffix;
-
-          outputs = [ "out" "dev" "doc" ];
-
-          nativeBuildInputs = nativeBuildDeps;
-          buildInputs = buildDeps ++ propagatedDeps;
-
-          configureFlags = [ "--sysconfdir=/etc" "--disable-doc-gen" ];
-
-          enableParallelBuilding = true;
-
-          makeFlags = "profiledir=$(out)/etc/profile.d";
-
-          doCheck = true;
-
-          installFlags = "sysconfdir=$(out)/etc";
-
-          postInstall = ''
-            mkdir -p $doc/nix-support
-            echo "doc manual $doc/share/doc/nix/manual" >> $doc/nix-support/hydra-build-products
-            mkdir -p $out/nix-support
-            echo "file binary-dist $out/bin/nix" >> $out/nix-support/hydra-build-products
-          '';
-
-          doInstallCheck = true;
-          installCheckFlags = "sysconfdir=$(out)/etc";
-        };
-      }) crossSystems)));
+      });

      defaultPackage = forAllSystems (system: self.packages.${system}.nix);

--- a/maintainers/upload-release.pl
+++ b/maintainers/upload-release.pl
@@ -83,12 +83,12 @@ sub downloadFile {

    if (!-e $tmpFile) {
        print STDERR "downloading $srcFile to $tmpFile...\n";
-        system("NIX_REMOTE=https://cache.nixos.org/ nix store cat '$srcFile' > '$tmpFile'") == 0
+        system("NIX_REMOTE=https://cache.nixos.org/ nix cat-store '$srcFile' > '$tmpFile'") == 0
            or die "unable to fetch $srcFile\n";
    }

    my $sha256_expected = $buildInfo->{buildproducts}->{$productNr}->{sha256hash} or die;
-    my $sha256_actual = `nix hash file --base16 --type sha256 '$tmpFile'`;
+    my $sha256_actual = `nix hash-file --base16 --type sha256 '$tmpFile'`;
    chomp $sha256_actual;
    if ($sha256_expected ne $sha256_actual) {
        print STDERR "file $tmpFile is corrupt, got $sha256_actual, expected $sha256_expected\n";
@@ -110,9 +110,6 @@ downloadFile("binaryTarball.i686-linux", "1");
 downloadFile("binaryTarball.x86_64-linux", "1");
 downloadFile("binaryTarball.aarch64-linux", "1");
 downloadFile("binaryTarball.x86_64-darwin", "1");
-downloadFile("binaryTarball.aarch64-darwin", "1");
-downloadFile("binaryTarballCross.x86_64-linux.armv6l-linux", "1");
-downloadFile("binaryTarballCross.x86_64-linux.armv7l-linux", "1");
 downloadFile("installerScript", "1");

 for my $fn (glob "$tmpDir/*") {
@@ -156,7 +153,6 @@ write_file("$nixpkgsDir/nixos/modules/installer/tools/nix-fallback-paths.nix",
           "  i686-linux = \"" . getStorePath("build.i686-linux") . "\";\n" .
           "  aarch64-linux = \"" . getStorePath("build.aarch64-linux") . "\";\n" .
           "  x86_64-darwin = \"" . getStorePath("build.x86_64-darwin") . "\";\n" .
-           "  aarch64-darwin = \"" . getStorePath("build.aarch64-darwin") . "\";\n" .
           "}\n");

 system("cd $nixpkgsDir && git commit -a -m 'nix-fallback-paths.nix: Update to $version'") == 0 or die;
--- a/misc/fish/completion.fish
+++ b/misc/fish/completion.fish
@@ -1,37 +0,0 @@
-function _nix_complete
-  # Get the current command up to a cursor.
-  # - Behaves correctly even with pipes and nested in commands like env.
-  # - TODO: Returns the command verbatim (does not interpolate variables).
-  #   That might not be optimal for arguments like -f.
-  set -l nix_args (commandline --current-process --tokenize --cut-at-cursor)
-  # --cut-at-cursor with --tokenize removes the current token so we need to add it separately.
-  # https://github.com/fish-shell/fish-shell/issues/7375
-  # Can be an empty string.
-  set -l current_token (commandline --current-token --cut-at-cursor)
-
-  # Nix wants the index of the argv item to complete but the $nix_args variable
-  # also contains the program name (argv[0]) so we would need to subtract 1.
-  # But the variable also misses the current token so it cancels out.
-  set -l nix_arg_to_complete (count $nix_args)
-
-  env NIX_GET_COMPLETIONS=$nix_arg_to_complete $nix_args $current_token
-end
-
-function _nix_accepts_files
-  set -l response (_nix_complete)
-  # First line is either filenames or no-filenames.
-  test $response[1] = 'filenames'
-end
-
-function _nix
-  set -l response (_nix_complete)
-  # Skip the first line since it handled by _nix_accepts_files.
-  # Tail lines each contain a command followed by a tab character and, optionally, a description.
-  # This is also the format fish expects.
-  string collect -- $response[2..-1]
-end
-
-# Disable file path completion if paths do not belong in the current context.
-complete --command nix --condition 'not _nix_accepts_files' --no-files
-
-complete --command nix --arguments '(_nix)'
--- a/misc/fish/local.mk
+++ b/misc/fish/local.mk
@@ -1 +0,0 @@
-$(eval $(call install-file-as, $(d)/completion.fish, $(datarootdir)/fish/vendor_completions.d/nix.fish, 0644))
--- a/misc/launchd/local.mk
+++ b/misc/launchd/local.mk
@@ -1,4 +1,4 @@
-ifdef HOST_DARWIN
+ifeq ($(OS), Darwin)

  $(eval $(call install-data-in, $(d)/org.nixos.nix-daemon.plist, $(prefix)/Library/LaunchDaemons))

--- a/misc/systemd/local.mk
+++ b/misc/systemd/local.mk
@@ -1,4 +1,4 @@
-ifdef HOST_LINUX
+ifeq ($(OS), Linux)

  $(foreach n, nix-daemon.socket nix-daemon.service, $(eval $(call install-file-in, $(d)/$(n), $(prefix)/lib/systemd/system, 0644)))

--- a/misc/upstart/local.mk
+++ b/misc/upstart/local.mk
@@ -1,4 +1,4 @@
-ifdef HOST_LINUX
+ifeq ($(OS), Linux)

  $(foreach n, nix-daemon.conf, $(eval $(call install-file-in, $(d)/$(n), $(sysconfdir)/init, 0644)))

--- a/mk/lib.mk
+++ b/mk/lib.mk
@@ -10,25 +10,8 @@ bin-scripts :=
 noinst-scripts :=
 man-pages :=
 install-tests :=
+OS = $(shell uname -s)

-ifdef HOST_OS
-  HOST_KERNEL = $(firstword $(subst -, ,$(HOST_OS)))
-  ifeq ($(HOST_KERNEL), cygwin)
-    HOST_CYGWIN = 1
-  endif
-  ifeq ($(patsubst darwin%,,$(HOST_KERNEL)),)
-    HOST_DARWIN = 1
-  endif
-  ifeq ($(patsubst freebsd%,,$(HOST_KERNEL)),)
-    HOST_FREEBSD = 1
-  endif
-  ifeq ($(HOST_KERNEL), linux)
-    HOST_LINUX = 1
-  endif
-  ifeq ($(patsubst solaris%,,$(HOST_KERNEL)),)
-    HOST_SOLARIS = 1
-  endif
-endif

 # Hack to define a literal space.
 space :=
@@ -67,16 +50,16 @@ endif
 BUILD_SHARED_LIBS ?= 1

 ifeq ($(BUILD_SHARED_LIBS), 1)
-  ifdef HOST_CYGWIN
+  ifeq (CYGWIN,$(findstring CYGWIN,$(OS)))
    GLOBAL_CFLAGS += -U__STRICT_ANSI__ -D_GNU_SOURCE
    GLOBAL_CXXFLAGS += -U__STRICT_ANSI__ -D_GNU_SOURCE
  else
    GLOBAL_CFLAGS += -fPIC
    GLOBAL_CXXFLAGS += -fPIC
  endif
-  ifndef HOST_DARWIN
-   ifndef HOST_SOLARIS
-    ifndef HOST_FREEBSD
+  ifneq ($(OS), Darwin)
+   ifneq ($(OS), SunOS)
+    ifneq ($(OS), FreeBSD)
     GLOBAL_LDFLAGS += -Wl,--no-copy-dt-needed-entries
    endif
   endif
--- a/mk/libraries.mk
+++ b/mk/libraries.mk
@@ -1,9 +1,9 @@
 libs-list :=

-ifdef HOST_DARWIN
+ifeq ($(OS), Darwin)
  SO_EXT = dylib
 else
-  ifdef HOST_CYGWIN
+  ifeq (CYGWIN,$(findstring CYGWIN,$(OS)))
    SO_EXT = dll
  else
    SO_EXT = so
@@ -59,7 +59,7 @@ define build-library
  $(1)_OBJS := $$(addprefix $(buildprefix), $$(addsuffix .o, $$(basename $$(_srcs))))
  _libs := $$(foreach lib, $$($(1)_LIBS), $$($$(lib)_PATH))

-  ifdef HOST_CYGWIN
+  ifeq (CYGWIN,$(findstring CYGWIN,$(OS)))
    $(1)_INSTALL_DIR ?= $$(bindir)
  else
    $(1)_INSTALL_DIR ?= $$(libdir)
@@ -73,18 +73,18 @@ define build-library
  ifeq ($(BUILD_SHARED_LIBS), 1)

    ifdef $(1)_ALLOW_UNDEFINED
-      ifdef HOST_DARWIN
+      ifeq ($(OS), Darwin)
        $(1)_LDFLAGS += -undefined suppress -flat_namespace
      endif
    else
-      ifndef HOST_DARWIN
-        ifndef HOST_CYGWIN
+      ifneq ($(OS), Darwin)
+        ifneq (CYGWIN,$(findstring CYGWIN,$(OS)))
          $(1)_LDFLAGS += -Wl,-z,defs
        endif
      endif
    endif

-    ifndef HOST_DARWIN
+    ifneq ($(OS), Darwin)
      $(1)_LDFLAGS += -Wl,-soname=$$($(1)_NAME).$(SO_EXT)
    endif

@@ -93,7 +93,7 @@ define build-library
    $$($(1)_PATH): $$($(1)_OBJS) $$(_libs) | $$(_d)/
 	$$(trace-ld) $(CXX) -o $$(abspath $$@) -shared $$(LDFLAGS) $$(GLOBAL_LDFLAGS) $$($(1)_OBJS) $$($(1)_LDFLAGS) $$($(1)_LDFLAGS_PROPAGATED) $$(foreach lib, $$($(1)_LIBS), $$($$(lib)_LDFLAGS_USE)) $$($(1)_LDFLAGS_UNINSTALLED)

-    ifndef HOST_DARWIN
+    ifneq ($(OS), Darwin)
      $(1)_LDFLAGS_USE += -Wl,-rpath,$$(abspath $$(_d))
    endif
    $(1)_LDFLAGS_USE += -L$$(_d) -l$$(patsubst lib%,%,$$(strip $$($(1)_NAME)))
@@ -108,7 +108,7 @@ define build-library
 	$$(trace-ld) $(CXX) -o $$@ -shared $$(LDFLAGS) $$(GLOBAL_LDFLAGS) $$($(1)_OBJS) $$($(1)_LDFLAGS) $$($(1)_LDFLAGS_PROPAGATED) $$(foreach lib, $$($(1)_LIBS), $$($$(lib)_LDFLAGS_USE_INSTALLED))

    $(1)_LDFLAGS_USE_INSTALLED += -L$$(DESTDIR)$$($(1)_INSTALL_DIR) -l$$(patsubst lib%,%,$$(strip $$($(1)_NAME)))
-    ifndef HOST_DARWIN
+    ifneq ($(OS), Darwin)
      ifeq ($(SET_RPATH_TO_LIBS), 1)
        $(1)_LDFLAGS_USE_INSTALLED += -Wl,-rpath,$$($(1)_INSTALL_DIR)
      else
@@ -125,8 +125,8 @@ define build-library
    $(1)_PATH := $$(_d)/$$($(1)_NAME).a

    $$($(1)_PATH): $$($(1)_OBJS) | $$(_d)/
-	$$(trace-ld) $(LD) -Ur -o $$(_d)/$$($(1)_NAME).o $$?
-	$$(trace-ar) $(AR) crs $$@ $$(_d)/$$($(1)_NAME).o
+	$(trace-ld) $(LD) -Ur -o $$(_d)/$$($(1)_NAME).o $$?
+	$(trace-ar) $(AR) crs $$@ $$(_d)/$$($(1)_NAME).o

    $(1)_LDFLAGS_USE += $$($(1)_PATH) $$($(1)_LDFLAGS)

--- a/mk/tests.mk
+++ b/mk/tests.mk
@@ -13,7 +13,3 @@ define run-install-test
 endef

 .PHONY: check installcheck
-
-print-top-help += \
-  echo "  check: Run unit tests"; \
-  echo "  installcheck: Run functional tests";
--- a/nix-rust/local.mk
+++ b/nix-rust/local.mk
@@ -11,12 +11,12 @@ libnixrust_INSTALL_PATH := $(libdir)/libnixrust.$(SO_EXT)
 libnixrust_LDFLAGS_USE := -L$(d)/target/$(RUST_DIR) -lnixrust
 libnixrust_LDFLAGS_USE_INSTALLED := -L$(libdir) -lnixrust

-ifdef HOST_LINUX
+ifeq ($(OS), Linux)
 libnixrust_LDFLAGS_USE += -ldl
 libnixrust_LDFLAGS_USE_INSTALLED += -ldl
 endif

-ifdef HOST_DARWIN
+ifeq ($(OS), Darwin)
 libnixrust_BUILD_FLAGS = NIX_LDFLAGS="-undefined dynamic_lookup"
 else
 libnixrust_LDFLAGS_USE += -Wl,-rpath,$(abspath $(d)/target/$(RUST_DIR))
@@ -31,7 +31,7 @@ $(libnixrust_PATH): $(call rwildcard, $(d)/src, *.rs) $(d)/Cargo.toml

 $(libnixrust_INSTALL_PATH): $(libnixrust_PATH)
 	$(target-gen) cp $^ $@
-ifdef HOST_DARWIN
+ifeq ($(OS), Darwin)
 	install_name_tool -id $@ $@
 endif

@@ -40,7 +40,7 @@ clean: clean-rust
 clean-rust:
 	$(suppress) rm -rfv nix-rust/target

-ifndef HOST_DARWIN
+ifneq ($(OS), Darwin)
 check: rust-tests

 rust-tests:
--- a/perl/Makefile
+++ b/perl/Makefile
@@ -1,6 +1,6 @@
 makefiles = local.mk

-GLOBAL_CXXFLAGS += -g -Wall -std=c++17 -I ../src
+GLOBAL_CXXFLAGS += -g -Wall -std=c++17

 -include Makefile.config

--- a/perl/Makefile.config.in
+++ b/perl/Makefile.config.in
@@ -1,4 +1,3 @@
-HOST_OS = @host_os@
 CC = @CC@
 CFLAGS = @CFLAGS@
 CXX = @CXX@
--- a/perl/configure.ac
+++ b/perl/configure.ac
@@ -7,8 +7,6 @@ CXXFLAGS=
 AC_PROG_CC
 AC_PROG_CXX

-AC_CANONICAL_HOST
-
 # Use 64-bit file system calls so that we can support files > 2 GiB.
 AC_SYS_LARGEFILE

--- a/perl/lib/Nix/Store.pm
+++ b/perl/lib/Nix/Store.pm
@@ -22,7 +22,6 @@ our @EXPORT = qw(
    derivationFromPath
    addTempRoot
    getBinDir getStoreDir
-    queryRawRealisation
 );

 our $VERSION = '0.15';
--- a/perl/lib/Nix/Store.xs
+++ b/perl/lib/Nix/Store.xs
@@ -15,7 +15,6 @@
 #include "crypto.hh"

 #include <sodium.h>
-#include <nlohmann/json.hpp>


 using namespace nix;
@@ -121,18 +120,6 @@ SV * queryPathInfo(char * path, int base32)
            croak("%s", e.what());
        }

-SV * queryRawRealisation(char * outputId)
-    PPCODE:
-      try {
-        auto realisation = store()->queryRealisation(DrvOutput::parse(outputId));
-        if (realisation)
-            XPUSHs(sv_2mortal(newSVpv(realisation->toJSON().dump().c_str(), 0)));
-        else
-            XPUSHs(sv_2mortal(newSVpv("", 0)));
-      } catch (Error & e) {
-        croak("%s", e.what());
-      }
-

 SV * queryPathFromHashPart(char * hashPart)
    PPCODE:
--- a/perl/local.mk
+++ b/perl/local.mk
@@ -28,7 +28,7 @@ Store_CXXFLAGS = \

 Store_LDFLAGS := $(SODIUM_LIBS) $(NIX_LIBS)

-ifdef HOST_CYGWIN
+ifeq (CYGWIN,$(findstring CYGWIN,$(OS)))
  archlib = $(shell perl -E 'use Config; print $$Config{archlib};')
  libperl = $(shell perl -E 'use Config; print $$Config{libperl};')
  Store_LDFLAGS += $(shell find ${archlib} -name ${libperl})
--- a/scripts/create-darwin-volume.sh
+++ b/scripts/create-darwin-volume.sh
@@ -715,8 +715,7 @@ create_volume() {
    # 6) getting special w/ awk may be fragile, but doing it to:
    #    - save time over running slow diskutil commands
    #    - skirt risk we grab wrong volume if multiple match
-    _sudo "to create a new APFS volume '$NIX_VOLUME_LABEL' on $NIX_VOLUME_USE_DISK" \
-        /usr/sbin/diskutil apfs addVolume "$NIX_VOLUME_USE_DISK" "$NIX_VOLUME_FS" "$NIX_VOLUME_LABEL" -nomount | /usr/bin/awk '/Created new APFS Volume/ {print $5}'
+    /usr/sbin/diskutil apfs addVolume "$NIX_VOLUME_USE_DISK" "$NIX_VOLUME_FS" "$NIX_VOLUME_LABEL" -nomount | /usr/bin/awk '/Created new APFS Volume/ {print $5}'
 }

 volume_uuid_from_special() {
@@ -739,6 +738,7 @@ await_volume() {
 setup_volume() {
    local use_special use_uuid profile_packages
    task "Creating a Nix volume" >&2
+    # DOING: I'm tempted to wrap this call in a grep to get the new disk special without doing anything too complex, but this sudo wrapper *is* a little complex, so it'll be a PITA unless maybe we can skip sudo on this. Let's just try it without.

    use_special="${NIX_VOLUME_USE_SPECIAL:-$(create_volume)}"

@@ -759,11 +759,6 @@ setup_volume() {

    await_volume

-    if [ "$(/usr/sbin/diskutil info -plist "$NIX_ROOT" | xmllint --xpath "(/plist/dict/key[text()='GlobalPermissionsEnabled'])/following-sibling::*[1]" -)" = "<false/>" ]; then
-        _sudo "to set enableOwnership (enabling users to own files)" \
-            /usr/sbin/diskutil enableOwnership "$NIX_ROOT"
-    fi
-
    # TODO: below is a vague kludge for now; I just don't know
    # what if any safe action there is to take here. Also, the
    # reminder isn't very helpful.
--- a/scripts/install-darwin-multi-user.sh
+++ b/scripts/install-darwin-multi-user.sh
@@ -13,22 +13,11 @@ NIX_BUILD_USER_NAME_TEMPLATE="_nixbld%d"
 read_only_root() {
    # this touch command ~should~ always produce an error
    # as of this change I confirmed /usr/bin/touch emits:
-    # "touch: /: Operation not permitted" Monterey
    # "touch: /: Read-only file system" Catalina+ and Big Sur
    # "touch: /: Permission denied" Mojave
    # (not matching prefix for compat w/ coreutils touch in case using
    # an explicit path causes problems; its prefix differs)
-    case "$(/usr/bin/touch / 2>&1)" in
-        *"Read-only file system") # Catalina, Big Sur
-            return 0
-            ;;
-        *"Operation not permitted") # Monterey
-            return 0
-            ;;
-        *)
-            return 1
-            ;;
-    esac
+    [[ "$(/usr/bin/touch / 2>&1)" = *"Read-only file system" ]]

    # Avoiding the slow semantic way to get this information (~330ms vs ~8ms)
    # unless using touch causes problems. Just in case, that approach is:
@@ -78,7 +67,7 @@ poly_service_installed_check() {
 poly_service_uninstall_directions() {
    echo "$1. Remove macOS-specific components:"
    if should_create_volume && test_nix_volume_mountd_installed; then
-        nix_volume_mountd_uninstall_directions
+        darwin_volume_uninstall_directions
    fi
    if test_nix_daemon_installed; then
        nix_daemon_uninstall_directions
@@ -217,8 +206,4 @@ poly_prepare_to_install() {
 EOF
        setup_darwin_volume
    fi
-
-    if [ "$(diskutil info -plist /nix | xmllint --xpath "(/plist/dict/key[text()='GlobalPermissionsEnabled'])/following-sibling::*[1]" -)" = "<false/>" ]; then
-        failure "This script needs a /nix volume with global permissions! This may require running sudo diskutil enableOwnership /nix."
-    fi
 }
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@@ -33,7 +33,7 @@ NIX_BUILD_USER_NAME_TEMPLATE="nixbld%d"
 readonly NIX_ROOT="/nix"
 readonly NIX_EXTRA_CONF=${NIX_EXTRA_CONF:-}

-readonly PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshrc" "/etc/bash.bashrc" "/etc/zsh/zshrc")
+readonly PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshenv" "/etc/bash.bashrc" "/etc/zsh/zshenv")
 readonly PROFILE_BACKUP_SUFFIX=".backup-before-nix"
 readonly PROFILE_NIX_FILE="$NIX_ROOT/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"

@@ -701,10 +701,7 @@ install_from_extracted_nix() {
        cd "$EXTRACTED_NIX_PATH"

        _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
-              cp -RLp ./store/* "$NIX_ROOT/store/"
-
-        _sudo "to make the new store non-writable at $NIX_ROOT/store" \
-              chmod -R ugo-w "$NIX_ROOT/store/"
+              rsync -rlpt --chmod=-w ./store/* "$NIX_ROOT/store/"

        if [ -d "$NIX_INSTALLED_NIX" ]; then
            echo "      Alright! We have our first nix at $NIX_INSTALLED_NIX"
--- a/scripts/install-nix-from-closure.sh
+++ b/scripts/install-nix-from-closure.sh
@@ -106,11 +106,12 @@ while [ $# -gt 0 ]; do
                echo ""
                echo " --no-channel-add:    Don't add any channels. nixpkgs-unstable is installed by default."
                echo ""
-                echo " --no-modify-profile: Don't modify the user profile to automatically load nix."
+                echo " --no-modify-profile: Skip channel installation. When not provided nixpkgs-unstable"
+                echo "                      is installed by default."
                echo ""
                echo " --daemon-user-count: Number of build users to create. Defaults to 32."
                echo ""
-                echo " --nix-extra-conf-file: Path to nix.conf to prepend when installing /etc/nix/nix.conf"
+                echo " --nix-extra-conf-file: Path to nix.conf to prepend when installing /etc/nix.conf"
                echo ""
                if [ -n "${INVOKED_FROM_INSTALL_IN:-}" ]; then
                    echo " --tarball-url-prefix URL: Base URL to download the Nix tarball from."
--- a/scripts/install.in
+++ b/scripts/install.in
@@ -40,23 +40,13 @@ case "$(uname -s).$(uname -m)" in
        path=@tarballPath_aarch64-linux@
        system=aarch64-linux
        ;;
-    Linux.armv6l_linux)
-        hash=@tarballHash_armv6l-linux@
-        path=@tarballPath_armv6l-linux@
-        system=armv6l-linux
-        ;;
-    Linux.armv7l_linux)
-        hash=@tarballHash_armv7l-linux@
-        path=@tarballPath_armv7l-linux@
-        system=armv7l-linux
-        ;;
    Darwin.x86_64)
        hash=@tarballHash_x86_64-darwin@
        path=@tarballPath_x86_64-darwin@
        system=x86_64-darwin
        ;;
    Darwin.arm64|Darwin.aarch64)
-        hash=@tarballHash_aarch64-darwin@
+        hash=@binaryTarball_aarch64-darwin@
        path=@tarballPath_aarch64-darwin@
        system=aarch64-darwin
        ;;
@@ -76,21 +66,14 @@ fi

 tarball=$tmpDir/nix-@nixVersion@-$system.tar.xz

+require_util curl "download the binary tarball"
 require_util tar "unpack the binary tarball"
 if [ "$(uname -s)" != "Darwin" ]; then
    require_util xz "unpack the binary tarball"
 fi

-if command -v wget > /dev/null 2>&1; then
-    fetch() { wget "$1" -O "$2"; }
-elif command -v curl > /dev/null 2>&1; then
-    fetch() { curl -L "$1" -o "$2"; }
-else
-    oops "you don't have wget or curl installed, which I need to download the binary tarball"
-fi
-
 echo "downloading Nix @nixVersion@ binary tarball for $system from '$url' to '$tmpDir'..."
-fetch "$url" "$tarball" || oops "failed to download '$url'"
+curl -L "$url" -o "$tarball" || oops "failed to download '$url'"

 if command -v sha256sum > /dev/null 2>&1; then
    hash2="$(sha256sum -b "$tarball" | cut -c1-64)"
--- a/src/build-remote/build-remote.cc
+++ b/src/build-remote/build-remote.cc
@@ -130,14 +130,11 @@ static int main_build_remote(int argc, char * * argv)
                for (auto & m : machines) {
                    debug("considering building on remote machine '%s'", m.storeUri);

-                    if (m.enabled
-                        && (neededSystem == "builtin"
-                            || std::find(m.systemTypes.begin(),
-                                m.systemTypes.end(),
-                                neededSystem) != m.systemTypes.end()) &&
+                    if (m.enabled && std::find(m.systemTypes.begin(),
+                            m.systemTypes.end(),
+                            neededSystem) != m.systemTypes.end() &&
                        m.allSupported(requiredFeatures) &&
-                        m.mandatoryMet(requiredFeatures))
-                    {
+                        m.mandatoryMet(requiredFeatures)) {
                        rightType = true;
                        AutoCloseFD free;
                        uint64_t load = 0;
@@ -273,7 +270,7 @@ connected:

        {
            Activity act(*logger, lvlTalkative, actUnknown, fmt("copying dependencies to '%s'", storeUri));
-            copyPaths(*store, *sshStore, store->parseStorePathSet(inputs), NoRepair, NoCheckSigs, substitute);
+            copyPaths(store, ref<Store>(sshStore), store->parseStorePathSet(inputs), NoRepair, NoCheckSigs, substitute);
        }

        uploadLock = -1;
@@ -324,7 +321,7 @@ connected:
            if (auto localStore = store.dynamic_pointer_cast<LocalStore>())
                for (auto & path : missingPaths)
                    localStore->locksHeld.insert(store->printStorePath(path)); /* FIXME: ugly */
-            copyPaths(*sshStore, *store, missingPaths, NoRepair, NoCheckSigs, NoSubstitute);
+            copyPaths(ref<Store>(sshStore), store, missingPaths, NoRepair, NoCheckSigs, NoSubstitute);
        }
        // XXX: Should be done as part of `copyPaths`
        for (auto & realisation : missingRealisations) {
--- a/src/libcmd/command.cc
+++ b/src/libcmd/command.cc
@@ -54,30 +54,6 @@ void StoreCommand::run()
    run(getStore());
 }

-EvalCommand::EvalCommand()
-{
-}
-
-EvalCommand::~EvalCommand()
-{
-    if (evalState)
-        evalState->printStats();
-}
-
-ref<Store> EvalCommand::getEvalStore()
-{
-    if (!evalStore)
-        evalStore = evalStoreUrl ? openStore(*evalStoreUrl) : getStore();
-    return ref<Store>(evalStore);
-}
-
-ref<EvalState> EvalCommand::getEvalState()
-{
-    if (!evalState)
-        evalState = std::make_shared<EvalState>(searchPath, getEvalStore(), getStore());
-    return ref<EvalState>(evalState);
-}
-
 BuiltPathsCommand::BuiltPathsCommand(bool recursive)
    : recursive(recursive)
 {
@@ -115,12 +91,12 @@ void BuiltPathsCommand::run(ref<Store> store)
        for (auto & p : store->queryAllValidPaths())
            paths.push_back(BuiltPath::Opaque{p});
    } else {
-        paths = toBuiltPaths(getEvalStore(), store, realiseMode, operateOn, installables);
+        paths = toBuiltPaths(store, realiseMode, operateOn, installables);
        if (recursive) {
            // XXX: This only computes the store path closure, ignoring
            // intermediate realisations
            StorePathSet pathsRoots, pathsClosure;
-            for (auto & root : paths) {
+            for (auto & root: paths) {
                auto rootFromThis = root.outPaths();
                pathsRoots.insert(rootFromThis.begin(), rootFromThis.end());
            }
@@ -138,20 +114,17 @@ StorePathsCommand::StorePathsCommand(bool recursive)
 {
 }

-void StorePathsCommand::run(ref<Store> store, BuiltPaths && paths)
+void StorePathsCommand::run(ref<Store> store, BuiltPaths paths)
 {
-    StorePathSet storePaths;
-    for (auto & builtPath : paths)
-        for (auto & p : builtPath.outPaths())
-            storePaths.insert(p);
+    StorePaths storePaths;
+    for (auto& builtPath : paths)
+        for (auto& p : builtPath.outPaths())
+            storePaths.push_back(p);

-    auto sorted = store->topoSortPaths(storePaths);
-    std::reverse(sorted.begin(), sorted.end());
-
-    run(store, std::move(sorted));
+    run(store, std::move(storePaths));
 }

-void StorePathCommand::run(ref<Store> store, std::vector<StorePath> && storePaths)
+void StorePathCommand::run(ref<Store> store, std::vector<StorePath> storePaths)
 {
    if (storePaths.size() != 1)
        throw UsageError("this command requires exactly one store path");
@@ -203,10 +176,10 @@ void MixProfile::updateProfile(const BuiltPaths & buildables)

    for (auto & buildable : buildables) {
        std::visit(overloaded {
-            [&](const BuiltPath::Opaque & bo) {
+            [&](BuiltPath::Opaque bo) {
                result.push_back(bo.path);
            },
-            [&](const BuiltPath::Built & bfd) {
+            [&](BuiltPath::Built bfd) {
                for (auto & output : bfd.outputs) {
                    result.push_back(output.second);
                }
@@ -215,7 +188,7 @@ void MixProfile::updateProfile(const BuiltPaths & buildables)
    }

    if (result.size() != 1)
-        throw UsageError("'--profile' requires that the arguments produce a single store path, but there are %d", result.size());
+        throw Error("'--profile' requires that the arguments produce a single store path, but there are %d", result.size());

    updateProfile(result[0]);
 }
--- a/src/libcmd/command.hh
+++ b/src/libcmd/command.hh
@@ -45,18 +45,11 @@ private:

 struct EvalCommand : virtual StoreCommand, MixEvalArgs
 {
-    EvalCommand();
-
-    ~EvalCommand();
-
-    ref<Store> getEvalStore();
-
    ref<EvalState> getEvalState();

-private:
-    std::shared_ptr<Store> evalStore;
-
    std::shared_ptr<EvalState> evalState;
+
+    ~EvalCommand();
 };

 struct MixFlakeOptions : virtual Args, EvalCommand
@@ -108,8 +101,6 @@ enum class Realise {
       exists. */
    Derivation,
    /* Evaluate in dry-run mode. Postcondition: nothing. */
-    // FIXME: currently unused, but could be revived if we can
-    // evaluate derivations in-memory.
    Nothing
 };

@@ -169,7 +160,7 @@ public:

    using StoreCommand::run;

-    virtual void run(ref<Store> store, BuiltPaths && paths) = 0;
+    virtual void run(ref<Store> store, BuiltPaths paths) = 0;

    void run(ref<Store> store) override;

@@ -182,9 +173,9 @@ struct StorePathsCommand : public BuiltPathsCommand

    using BuiltPathsCommand::run;

-    virtual void run(ref<Store> store, std::vector<StorePath> && storePaths) = 0;
+    virtual void run(ref<Store> store, std::vector<StorePath> storePaths) = 0;

-    void run(ref<Store> store, BuiltPaths && paths) override;
+    void run(ref<Store> store, BuiltPaths paths) override;
 };

 /* A command that operates on exactly one store path. */
@@ -194,7 +185,7 @@ struct StorePathCommand : public StorePathsCommand

    virtual void run(ref<Store> store, const StorePath & storePath) = 0;

-    void run(ref<Store> store, std::vector<StorePath> && storePaths) override;
+    void run(ref<Store> store, std::vector<StorePath> storePaths) override;
 };

 /* A helper class for registering commands globally. */
@@ -225,37 +216,26 @@ static RegisterCommand registerCommand2(std::vector<std::string> && name)
    return RegisterCommand(std::move(name), [](){ return make_ref<T>(); });
 }

-BuiltPaths build(
-    ref<Store> evalStore,
-    ref<Store> store, Realise mode,
-    const std::vector<std::shared_ptr<Installable>> & installables,
-    BuildMode bMode = bmNormal);
+BuiltPaths build(ref<Store> store, Realise mode,
+    std::vector<std::shared_ptr<Installable>> installables, BuildMode bMode = bmNormal);

-std::set<StorePath> toStorePaths(
-    ref<Store> evalStore,
-    ref<Store> store,
-    Realise mode,
-    OperateOn operateOn,
-    const std::vector<std::shared_ptr<Installable>> & installables);
+std::set<StorePath> toStorePaths(ref<Store> store,
+    Realise mode, OperateOn operateOn,
+    std::vector<std::shared_ptr<Installable>> installables);

-StorePath toStorePath(
-    ref<Store> evalStore,
-    ref<Store> store,
-    Realise mode,
-    OperateOn operateOn,
+StorePath toStorePath(ref<Store> store,
+    Realise mode, OperateOn operateOn,
    std::shared_ptr<Installable> installable);

-std::set<StorePath> toDerivations(
-    ref<Store> store,
-    const std::vector<std::shared_ptr<Installable>> & installables,
+std::set<StorePath> toDerivations(ref<Store> store,
+    std::vector<std::shared_ptr<Installable>> installables,
    bool useDeriver = false);

 BuiltPaths toBuiltPaths(
-    ref<Store> evalStore,
    ref<Store> store,
    Realise mode,
    OperateOn operateOn,
-    const std::vector<std::shared_ptr<Installable>> & installables);
+    std::vector<std::shared_ptr<Installable>> installables);

 /* Helper function to generate args that invoke $EDITOR on
   filename:lineno. */
--- a/src/libcmd/installables.cc
+++ b/src/libcmd/installables.cc
@@ -58,13 +58,9 @@ MixFlakeOptions::MixFlakeOptions()

    addFlag({
        .longName = "no-registries",
-        .description =
-          "Don't allow lookups in the flake registries. This option is deprecated; use `--no-use-registries`.",
+        .description = "Don't allow lookups in the flake registries.",
        .category = category,
-        .handler = {[&]() {
-            lockFlags.useRegistries = false;
-            warn("'--no-registries' is deprecated; use '--no-use-registries'");
-        }}
+        .handler = {&lockFlags.useRegistries, false}
    });

    addFlag({
@@ -175,50 +171,14 @@ Strings SourceExprCommand::getDefaultFlakeAttrPathPrefixes()

 void SourceExprCommand::completeInstallable(std::string_view prefix)
 {
-    if (file) {
-        evalSettings.pureEval = false;
-        auto state = getEvalState();
-        Expr *e = state->parseExprFromFile(
-            resolveExprPath(state->checkSourcePath(lookupFileArg(*state, *file)))
-        );
+    if (file) return; // FIXME

-        Value root;
-        state->eval(e, root);
-
-        auto autoArgs = getAutoArgs(*state);
-
-        std::string prefix_ = std::string(prefix);
-        auto sep = prefix_.rfind('.');
-        std::string searchWord;
-        if (sep != std::string::npos) {
-            searchWord = prefix_.substr(sep, std::string::npos);
-            prefix_ = prefix_.substr(0, sep);
-        } else {
-            searchWord = prefix_;
-            prefix_ = "";
-        }
-
-        Value &v1(*findAlongAttrPath(*state, prefix_, *autoArgs, root).first);
-        state->forceValue(v1);
-        Value v2;
-        state->autoCallFunction(*autoArgs, v1, v2);
-
-        if (v2.type() == nAttrs) {
-            for (auto & i : *v2.attrs) {
-                std::string name = i.name;
-                if (name.find(searchWord) == 0) {
-                    completions->add(i.name);
-                }
-            }
-        }
-    } else {
-        completeFlakeRefWithFragment(
-            getEvalState(),
-            lockFlags,
-            getDefaultFlakeAttrPathPrefixes(),
-            getDefaultFlakeAttrPaths(),
-            prefix);
-    }
+    completeFlakeRefWithFragment(
+        getEvalState(),
+        lockFlags,
+        getDefaultFlakeAttrPathPrefixes(),
+        getDefaultFlakeAttrPaths(),
+        prefix);
 }

 void completeFlakeRefWithFragment(
@@ -289,6 +249,19 @@ void completeFlakeRefWithFragment(
    completeFlakeRef(evalState->store, prefix);
 }

+ref<EvalState> EvalCommand::getEvalState()
+{
+    if (!evalState)
+        evalState = std::make_shared<EvalState>(searchPath, getStore());
+    return ref<EvalState>(evalState);
+}
+
+EvalCommand::~EvalCommand()
+{
+    if (evalState)
+        evalState->printStats();
+}
+
 void completeFlakeRef(ref<Store> store, std::string_view prefix)
 {
    if (prefix == "")
@@ -378,7 +351,6 @@ DerivedPaths InstallableValue::toDerivedPaths()
    DerivedPaths res;

    std::map<StorePath, std::set<std::string>> drvsToOutputs;
-    RealisedPath::Set drvsToCopy;

    // Group by derivation, helps with .all in particular
    for (auto & drv : toDerivations()) {
@@ -386,7 +358,6 @@ DerivedPaths InstallableValue::toDerivedPaths()
        if (outputName == "")
            throw Error("derivation '%s' lacks an 'outputName' attribute", state->store->printStorePath(drv.drvPath));
        drvsToOutputs[drv.drvPath].insert(outputName);
-        drvsToCopy.insert(drv.drvPath);
    }

    for (auto & i : drvsToOutputs)
@@ -602,10 +573,10 @@ InstallableFlake::getCursors(EvalState & state)

 std::shared_ptr<flake::LockedFlake> InstallableFlake::getLockedFlake() const
 {
-    flake::LockFlags lockFlagsApplyConfig = lockFlags;
-    lockFlagsApplyConfig.applyNixConfig = true;
    if (!_lockedFlake) {
-        _lockedFlake = std::make_shared<flake::LockedFlake>(lockFlake(*state, flakeRef, lockFlagsApplyConfig));
+        _lockedFlake = std::make_shared<flake::LockedFlake>(lockFlake(*state, flakeRef, lockFlags));
+        _lockedFlake->flake.config.apply();
+        // FIXME: send new config to the daemon.
    }
    return _lockedFlake;
 }
@@ -654,17 +625,6 @@ std::vector<std::shared_ptr<Installable>> SourceExprCommand::parseInstallables(
        for (auto & s : ss) {
            std::exception_ptr ex;

-            if (s.find('/') != std::string::npos) {
-                try {
-                    result.push_back(std::make_shared<InstallableStorePath>(store, store->followLinksToStorePath(s)));
-                    continue;
-                } catch (BadStorePath &) {
-                } catch (...) {
-                    if (!ex)
-                        ex = std::current_exception();
-                }
-            }
-
            try {
                auto [flakeRef, fragment] = parseFlakeRefWithFragment(s, absPath("."));
                result.push_back(std::make_shared<InstallableFlake>(
@@ -679,7 +639,25 @@ std::vector<std::shared_ptr<Installable>> SourceExprCommand::parseInstallables(
                ex = std::current_exception();
            }

+            if (s.find('/') != std::string::npos) {
+                try {
+                    result.push_back(std::make_shared<InstallableStorePath>(store, store->followLinksToStorePath(s)));
+                    continue;
+                } catch (BadStorePath &) {
+                } catch (...) {
+                    if (!ex)
+                        ex = std::current_exception();
+                }
+            }
+
            std::rethrow_exception(ex);
+
+            /*
+            throw Error(
+                pathExists(s)
+                ? "path '%s' is not a flake or a store path"
+                : "don't know how to handle argument '%s'", s);
+            */
        }
    }

@@ -694,24 +672,25 @@ std::shared_ptr<Installable> SourceExprCommand::parseInstallable(
    return installables.front();
 }

-BuiltPaths getBuiltPaths(ref<Store> evalStore, ref<Store> store, const DerivedPaths & hopefullyBuiltPaths)
+BuiltPaths getBuiltPaths(ref<Store> store, DerivedPaths hopefullyBuiltPaths)
 {
    BuiltPaths res;
-    for (const auto & b : hopefullyBuiltPaths)
+    for (auto& b : hopefullyBuiltPaths)
        std::visit(
            overloaded{
-                [&](const DerivedPath::Opaque & bo) {
+                [&](DerivedPath::Opaque bo) {
                    res.push_back(BuiltPath::Opaque{bo.path});
                },
-                [&](const DerivedPath::Built & bfd) {
+                [&](DerivedPath::Built bfd) {
                    OutputPathMap outputs;
-                    auto drv = evalStore->readDerivation(bfd.drvPath);
-                    auto outputHashes = staticOutputHashes(*evalStore, drv); // FIXME: expensive
+                    auto drv = store->readDerivation(bfd.drvPath);
+                    auto outputHashes = staticOutputHashes(*store, drv);
                    auto drvOutputs = drv.outputsAndOptPaths(*store);
-                    for (auto & output : bfd.outputs) {
+                    for (auto& output : bfd.outputs) {
                        if (!outputHashes.count(output))
                            throw Error(
-                                "the derivation '%s' doesn't have an output named '%s'",
+                                "the derivation '%s' doesn't have an output "
+                                "named '%s'",
                                store->printStorePath(bfd.drvPath), output);
                        if (settings.isExperimentalFeatureEnabled(
                                "ca-derivations")) {
@@ -722,7 +701,7 @@ BuiltPaths getBuiltPaths(ref<Store> evalStore, ref<Store> store, const DerivedPa
                            if (!realisation)
                                throw Error(
                                    "cannot operate on an output of unbuilt "
-                                    "content-addressed derivation '%s'",
+                                    "content-addresed derivation '%s'",
                                    outputId.to_string());
                            outputs.insert_or_assign(
                                output, realisation->outPath);
@@ -743,12 +722,8 @@ BuiltPaths getBuiltPaths(ref<Store> evalStore, ref<Store> store, const DerivedPa
    return res;
 }

-BuiltPaths build(
-    ref<Store> evalStore,
-    ref<Store> store,
-    Realise mode,
-    const std::vector<std::shared_ptr<Installable>> & installables,
-    BuildMode bMode)
+BuiltPaths build(ref<Store> store, Realise mode,
+    std::vector<std::shared_ptr<Installable>> installables, BuildMode bMode)
 {
    if (mode == Realise::Nothing)
        settings.readOnlyMode = true;
@@ -760,24 +735,23 @@ BuiltPaths build(
        pathsToBuild.insert(pathsToBuild.end(), b.begin(), b.end());
    }

-    if (mode == Realise::Nothing || mode == Realise::Derivation)
+    if (mode == Realise::Nothing)
        printMissing(store, pathsToBuild, lvlError);
    else if (mode == Realise::Outputs)
-        store->buildPaths(pathsToBuild, bMode, evalStore);
+        store->buildPaths(pathsToBuild, bMode);

-    return getBuiltPaths(evalStore, store, pathsToBuild);
+    return getBuiltPaths(store, pathsToBuild);
 }

 BuiltPaths toBuiltPaths(
-    ref<Store> evalStore,
    ref<Store> store,
    Realise mode,
    OperateOn operateOn,
-    const std::vector<std::shared_ptr<Installable>> & installables)
+    std::vector<std::shared_ptr<Installable>> installables)
 {
-    if (operateOn == OperateOn::Output)
-        return build(evalStore, store, mode, installables);
-    else {
+    if (operateOn == OperateOn::Output) {
+        return build(store, mode, installables);
+    } else {
        if (mode == Realise::Nothing)
            settings.readOnlyMode = true;

@@ -788,27 +762,23 @@ BuiltPaths toBuiltPaths(
    }
 }

-StorePathSet toStorePaths(
-    ref<Store> evalStore,
-    ref<Store> store,
+StorePathSet toStorePaths(ref<Store> store,
    Realise mode, OperateOn operateOn,
-    const std::vector<std::shared_ptr<Installable>> & installables)
+    std::vector<std::shared_ptr<Installable>> installables)
 {
    StorePathSet outPaths;
-    for (auto & path : toBuiltPaths(evalStore, store, mode, operateOn, installables)) {
+    for (auto & path : toBuiltPaths(store, mode, operateOn, installables)) {
        auto thisOutPaths = path.outPaths();
        outPaths.insert(thisOutPaths.begin(), thisOutPaths.end());
    }
    return outPaths;
 }

-StorePath toStorePath(
-    ref<Store> evalStore,
-    ref<Store> store,
+StorePath toStorePath(ref<Store> store,
    Realise mode, OperateOn operateOn,
    std::shared_ptr<Installable> installable)
 {
-    auto paths = toStorePaths(evalStore, store, mode, operateOn, {installable});
+    auto paths = toStorePaths(store, mode, operateOn, {installable});

    if (paths.size() != 1)
        throw Error("argument '%s' should evaluate to one store path", installable->what());
@@ -816,17 +786,15 @@ StorePath toStorePath(
    return *paths.begin();
 }

-StorePathSet toDerivations(
-    ref<Store> store,
-    const std::vector<std::shared_ptr<Installable>> & installables,
-    bool useDeriver)
+StorePathSet toDerivations(ref<Store> store,
+    std::vector<std::shared_ptr<Installable>> installables, bool useDeriver)
 {
    StorePathSet drvPaths;

-    for (const auto & i : installables)
-        for (const auto & b : i->toDerivedPaths())
+    for (auto & i : installables)
+        for (auto & b : i->toDerivedPaths())
            std::visit(overloaded {
-                [&](const DerivedPath::Opaque & bo) {
+                [&](DerivedPath::Opaque bo) {
                    if (!useDeriver)
                        throw Error("argument '%s' did not evaluate to a derivation", i->what());
                    auto derivers = store->queryValidDerivers(bo.path);
@@ -835,7 +803,7 @@ StorePathSet toDerivations(
                    // FIXME: use all derivers?
                    drvPaths.insert(*derivers.begin());
                },
-                [&](const DerivedPath::Built & bfd) {
+                [&](DerivedPath::Built bfd) {
                    drvPaths.insert(bfd.drvPath);
                },
            }, b.raw());
--- a/src/libcmd/installables.hh
+++ b/src/libcmd/installables.hh
@@ -26,7 +26,7 @@ struct App
 struct UnresolvedApp
 {
    App unresolved;
-    App resolve(ref<Store> evalStore, ref<Store> store);
+    App resolve(ref<Store>);
 };

 struct Installable
--- a/src/libcmd/local.mk
+++ b/src/libcmd/local.mk
@@ -8,8 +8,8 @@ libcmd_SOURCES := $(wildcard $(d)/*.cc)

 libcmd_CXXFLAGS += -I src/libutil -I src/libstore -I src/libexpr -I src/libmain -I src/libfetchers

-libcmd_LDFLAGS += -llowdown -pthread
+libcmd_LDFLAGS = -llowdown

 libcmd_LIBS = libstore libutil libexpr libmain libfetchers

-$(eval $(call install-file-in, $(d)/nix-cmd.pc, $(libdir)/pkgconfig, 0644))
+$(eval $(call install-file-in, $(d)/nix-cmd.pc, $(prefix)/lib/pkgconfig, 0644))
--- a/src/libcmd/markdown.cc
+++ b/src/libcmd/markdown.cc
@@ -12,7 +12,7 @@ std::string renderMarkdownToTerminal(std::string_view markdown)
    struct lowdown_opts opts {
        .type = LOWDOWN_TERM,
        .maxdepth = 20,
-        .cols = std::max(getWindowSize().second, (unsigned short) 80),
+        .cols = std::min(getWindowSize().second, (unsigned short) 80),
        .hmargin = 0,
        .vmargin = 0,
        .feat = LOWDOWN_COMMONMARK | LOWDOWN_FENCED | LOWDOWN_DEFLIST | LOWDOWN_TABLES,
@@ -25,7 +25,7 @@ std::string renderMarkdownToTerminal(std::string_view markdown)
    Finally freeDoc([&]() { lowdown_doc_free(doc); });

    size_t maxn = 0;
-    auto node = lowdown_doc_parse(doc, &maxn, markdown.data(), markdown.size(), nullptr);
+    auto node = lowdown_doc_parse(doc, &maxn, markdown.data(), markdown.size());
    if (!node)
        throw Error("cannot parse Markdown document");
    Finally freeNode([&]() { lowdown_node_free(node); });
@@ -40,11 +40,11 @@ std::string renderMarkdownToTerminal(std::string_view markdown)
        throw Error("cannot allocate Markdown output buffer");
    Finally freeBuffer([&]() { lowdown_buf_free(buf); });

-    int rndr_res = lowdown_term_rndr(buf, renderer, node);
+    int rndr_res = lowdown_term_rndr(buf, nullptr, renderer, node);
    if (!rndr_res)
        throw Error("allocation error while rendering Markdown");

-    return filterANSIEscapes(std::string(buf->data, buf->size), !shouldANSI());
+    return std::string(buf->data, buf->size);
 }

 }
--- a/src/libexpr/attr-path.cc
+++ b/src/libexpr/attr-path.cc
@@ -19,7 +19,7 @@ static Strings parseAttrPath(std::string_view s)
            ++i;
            while (1) {
                if (i == s.end())
-                    throw ParseError("missing closing quote in selection path '%1%'", s);
+                    throw Error("missing closing quote in selection path '%1%'", s);
                if (*i == '"') break;
                cur.push_back(*i++);
            }
@@ -100,7 +100,7 @@ std::pair<Value *, Pos> findAlongAttrPath(EvalState & state, const string & attr
 }


-Pos findPackageFilename(EvalState & state, Value & v, std::string what)
+Pos findDerivationFilename(EvalState & state, Value & v, std::string what)
 {
    Value * v2;
    try {
@@ -116,14 +116,14 @@ Pos findPackageFilename(EvalState & state, Value & v, std::string what)

    auto colon = pos.rfind(':');
    if (colon == std::string::npos)
-        throw ParseError("cannot parse meta.position attribute '%s'", pos);
+        throw Error("cannot parse meta.position attribute '%s'", pos);

    std::string filename(pos, 0, colon);
    unsigned int lineno;
    try {
        lineno = std::stoi(std::string(pos, colon + 1));
    } catch (std::invalid_argument & e) {
-        throw ParseError("cannot parse line number '%s'", pos);
+        throw Error("cannot parse line number '%s'", pos);
    }

    Symbol file = state.symbols.create(filename);
--- a/src/libexpr/attr-path.hh
+++ b/src/libexpr/attr-path.hh
@@ -14,7 +14,7 @@ std::pair<Value *, Pos> findAlongAttrPath(EvalState & state, const string & attr
    Bindings & autoArgs, Value & vIn);

 /* Heuristic to find the filename and lineno or a nix value. */
-Pos findPackageFilename(EvalState & state, Value & v, std::string what);
+Pos findDerivationFilename(EvalState & state, Value & v, std::string what);

 std::vector<Symbol> parseAttrPath(EvalState & state, std::string_view s);

--- a/src/libexpr/attr-set.hh
+++ b/src/libexpr/attr-set.hh
@@ -17,8 +17,8 @@ struct Attr
 {
    Symbol name;
    Value * value;
-    ptr<Pos> pos;
-    Attr(Symbol name, Value * value, ptr<Pos> pos = ptr(&noPos))
+    Pos * pos;
+    Attr(Symbol name, Value * value, Pos * pos = &noPos)
        : name(name), value(value), pos(pos) { };
    Attr() : pos(&noPos) { };
    bool operator < (const Attr & a) const
@@ -35,13 +35,13 @@ class Bindings
 {
 public:
    typedef uint32_t size_t;
-    ptr<Pos> pos;
+    Pos *pos;

 private:
    size_t size_, capacity_;
    Attr attrs[0];

-    Bindings(size_t capacity) : pos(&noPos), size_(0), capacity_(capacity) { }
+    Bindings(size_t capacity) : size_(0), capacity_(capacity) { }
    Bindings(const Bindings & bindings) = delete;

 public:
--- a/src/libexpr/common-eval-args.cc
+++ b/src/libexpr/common-eval-args.cc
@@ -61,14 +61,6 @@ MixEvalArgs::MixEvalArgs()
            fetchers::overrideRegistry(from.input, to.input, extraAttrs);
        }}
    });
-
-    addFlag({
-        .longName = "eval-store",
-        .description = "The Nix store to use for evaluations.",
-        .category = category,
-        .labels = {"store-url"},
-        .handler = {&evalStoreUrl},
-    });
 }

 Bindings * MixEvalArgs::getAutoArgs(EvalState & state)
--- a/src/libexpr/common-eval-args.hh
+++ b/src/libexpr/common-eval-args.hh
@@ -16,9 +16,8 @@ struct MixEvalArgs : virtual Args

    Strings searchPath;

-    std::optional<std::string> evalStoreUrl;
-
 private:
+
    std::map<std::string, std::string> autoArgs;
 };

--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -64,11 +64,7 @@ static char * dupStringWithLen(const char * s, size_t size)

 RootValue allocRootValue(Value * v)
 {
-#if HAVE_BOEHMGC
    return std::allocate_shared<Value *>(traceable_allocator<Value *>(), v);
-#else
-    return std::make_shared<Value *>(v);
-#endif
 }


@@ -237,34 +233,22 @@ static void * oomHandler(size_t requested)
 }

 class BoehmGCStackAllocator : public StackAllocator {
-    boost::coroutines2::protected_fixedsize_stack stack {
-        // We allocate 8 MB, the default max stack size on NixOS.
-        // A smaller stack might be quicker to allocate but reduces the stack
-        // depth available for source filter expressions etc.
-        std::max(boost::context::stack_traits::default_size(), static_cast<std::size_t>(8 * 1024 * 1024))
+  boost::coroutines2::protected_fixedsize_stack stack {
+    // We allocate 8 MB, the default max stack size on NixOS.
+    // A smaller stack might be quicker to allocate but reduces the stack
+    // depth available for source filter expressions etc.
+    std::max(boost::context::stack_traits::default_size(), static_cast<std::size_t>(8 * 1024 * 1024))
    };

-    // This is specific to boost::coroutines2::protected_fixedsize_stack.
-    // The stack protection page is included in sctx.size, so we have to
-    // subtract one page size from the stack size.
-    std::size_t pfss_usable_stack_size(boost::context::stack_context &sctx) {
-        return sctx.size - boost::context::stack_traits::page_size();
-    }
-
  public:
    boost::context::stack_context allocate() override {
        auto sctx = stack.allocate();
-
-        // Stacks generally start at a high address and grow to lower addresses.
-        // Architectures that do the opposite are rare; in fact so rare that
-        // boost_routine does not implement it.
-        // So we subtract the stack size.
-        GC_add_roots(static_cast<char *>(sctx.sp) - pfss_usable_stack_size(sctx), sctx.sp);
+        GC_add_roots(static_cast<char *>(sctx.sp) - sctx.size, sctx.sp);
        return sctx;
    }

    void deallocate(boost::context::stack_context sctx) override {
-        GC_remove_roots(static_cast<char *>(sctx.sp) - pfss_usable_stack_size(sctx), sctx.sp);
+        GC_remove_roots(static_cast<char *>(sctx.sp) - sctx.size, sctx.sp);
        stack.deallocate(sctx);
    }

@@ -378,10 +362,7 @@ static Strings parseNixPath(const string & s)
 }


-EvalState::EvalState(
-    const Strings & _searchPath,
-    ref<Store> store,
-    std::shared_ptr<Store> buildStore)
+EvalState::EvalState(const Strings & _searchPath, ref<Store> store)
    : sWith(symbols.create("<with>"))
    , sOutPath(symbols.create("outPath"))
    , sDrvPath(symbols.create("drvPath"))
@@ -414,7 +395,6 @@ EvalState::EvalState(
    , sEpsilon(symbols.create(""))
    , repair(NoRepair)
    , store(store)
-    , buildStore(buildStore ? buildStore : store)
    , regexCache(makeRegexCache())
    , baseEnv(allocEnv(128))
    , staticBaseEnv(false, 0)
@@ -445,12 +425,12 @@ EvalState::EvalState(
                    StorePathSet closure;
                    store->computeFSClosure(store->toStorePath(r.second).first, closure);
                    for (auto & path : closure)
-                        allowPath(path);
+                        allowedPaths->insert(store->printStorePath(path));
                } catch (InvalidPath &) {
-                    allowPath(r.second);
+                    allowedPaths->insert(r.second);
                }
            } else
-                allowPath(r.second);
+                allowedPaths->insert(r.second);
        }
    }

@@ -465,35 +445,6 @@ EvalState::~EvalState()
 }


-void EvalState::requireExperimentalFeatureOnEvaluation(
-    const std::string & feature,
-    const std::string_view fName,
-    const Pos & pos)
-{
-    if (!settings.isExperimentalFeatureEnabled(feature)) {
-        throw EvalError({
-            .msg = hintfmt(
-                "Cannot call '%2%' because experimental Nix feature '%1%' is disabled. You can enable it via '--extra-experimental-features %1%'.",
-                feature,
-                fName
-            ),
-            .errPos = pos
-        });
-    }
-}
-
-void EvalState::allowPath(const Path & path)
-{
-    if (allowedPaths)
-        allowedPaths->insert(path);
-}
-
-void EvalState::allowPath(const StorePath & storePath)
-{
-    if (allowedPaths)
-        allowedPaths->insert(store->toRealPath(storePath));
-}
-
 Path EvalState::checkSourcePath(const Path & path_)
 {
    if (!allowedPaths) return path_;
@@ -799,7 +750,7 @@ inline Value * EvalState::lookupVar(Env * env, const ExprVar & var, bool noEval)
        }
        Bindings::iterator j = env->values[0]->attrs->find(var.name);
        if (j != env->values[0]->attrs->end()) {
-            if (countCalls) attrSelects[*j->pos]++;
+            if (countCalls && j->pos) attrSelects[*j->pos]++;
            return j->value;
        }
        if (!env->prevWith)
@@ -809,10 +760,18 @@ inline Value * EvalState::lookupVar(Env * env, const ExprVar & var, bool noEval)
 }


+std::atomic<uint64_t> nrValuesFreed{0};
+
+void finalizeValue(void * obj, void * data)
+{
+    nrValuesFreed++;
+}
+
 Value * EvalState::allocValue()
 {
    nrValues++;
    auto v = (Value *) allocBytes(sizeof(Value));
+    //GC_register_finalizer_no_order(v, finalizeValue, nullptr, nullptr, nullptr);
    return v;
 }

@@ -854,9 +813,9 @@ void EvalState::mkThunk_(Value & v, Expr * expr)
 }


-void EvalState::mkPos(Value & v, ptr<Pos> pos)
+void EvalState::mkPos(Value & v, Pos * pos)
 {
-    if (pos->file.set()) {
+    if (pos && pos->file.set()) {
        mkAttrs(v, 3);
        mkString(*allocAttr(v, sFile), pos->file);
        mkInt(*allocAttr(v, sLine), pos->line);
@@ -879,37 +838,39 @@ Value * Expr::maybeThunk(EvalState & state, Env & env)
 }


+unsigned long nrAvoided = 0;
+
 Value * ExprVar::maybeThunk(EvalState & state, Env & env)
 {
    Value * v = state.lookupVar(&env, *this, true);
    /* The value might not be initialised in the environment yet.
       In that case, ignore it. */
-    if (v) { state.nrAvoided++; return v; }
+    if (v) { nrAvoided++; return v; }
    return Expr::maybeThunk(state, env);
 }


 Value * ExprString::maybeThunk(EvalState & state, Env & env)
 {
-    state.nrAvoided++;
+    nrAvoided++;
    return &v;
 }

 Value * ExprInt::maybeThunk(EvalState & state, Env & env)
 {
-    state.nrAvoided++;
+    nrAvoided++;
    return &v;
 }

 Value * ExprFloat::maybeThunk(EvalState & state, Env & env)
 {
-    state.nrAvoided++;
+    nrAvoided++;
    return &v;
 }

 Value * ExprPath::maybeThunk(EvalState & state, Env & env)
 {
-    state.nrAvoided++;
+    nrAvoided++;
    return &v;
 }

@@ -924,23 +885,38 @@ void EvalState::evalFile(const Path & path_, Value & v, bool mustBeTrivial)
        return;
    }

-    Path resolvedPath = resolveExprPath(path);
-    if ((i = fileEvalCache.find(resolvedPath)) != fileEvalCache.end()) {
+    Path path2 = resolveExprPath(path);
+    if ((i = fileEvalCache.find(path2)) != fileEvalCache.end()) {
        v = i->second;
        return;
    }

-    printTalkative("evaluating file '%1%'", resolvedPath);
+    printTalkative("evaluating file '%1%'", path2);
    Expr * e = nullptr;

-    auto j = fileParseCache.find(resolvedPath);
+    auto j = fileParseCache.find(path2);
    if (j != fileParseCache.end())
        e = j->second;

    if (!e)
-        e = parseExprFromFile(checkSourcePath(resolvedPath));
+        e = parseExprFromFile(checkSourcePath(path2));

-    cacheFile(path, resolvedPath, e, v, mustBeTrivial);
+    fileParseCache[path2] = e;
+
+    try {
+        // Enforce that 'flake.nix' is a direct attrset, not a
+        // computation.
+        if (mustBeTrivial &&
+            !(dynamic_cast<ExprAttrs *>(e)))
+            throw Error("file '%s' must be an attribute set", path);
+        eval(e, v);
+    } catch (Error & e) {
+        addErrorTrace(e, "while evaluating the file '%1%':", path2);
+        throw;
+    }
+
+    fileEvalCache[path2] = v;
+    if (path != path2) fileEvalCache[path] = v;
 }


@@ -951,32 +927,6 @@ void EvalState::resetFileCache()
 }


-void EvalState::cacheFile(
-    const Path & path,
-    const Path & resolvedPath,
-    Expr * e,
-    Value & v,
-    bool mustBeTrivial)
-{
-    fileParseCache[resolvedPath] = e;
-
-    try {
-        // Enforce that 'flake.nix' is a direct attrset, not a
-        // computation.
-        if (mustBeTrivial &&
-            !(dynamic_cast<ExprAttrs *>(e)))
-            throw EvalError("file '%s' must be an attribute set", path);
-        eval(e, v);
-    } catch (Error & e) {
-        addErrorTrace(e, "while evaluating the file '%1%':", resolvedPath);
-        throw;
-    }
-
-    fileEvalCache[resolvedPath] = v;
-    if (path != resolvedPath) fileEvalCache[path] = v;
-}
-
-
 void EvalState::eval(Expr * e, Value & v)
 {
    e->eval(*this, baseEnv, v);
@@ -1067,7 +1017,7 @@ void ExprAttrs::eval(EvalState & state, Env & env, Value & v)
            } else
                vAttr = i.second.e->maybeThunk(state, i.second.inherited ? env : env2);
            env2.values[displ++] = vAttr;
-            v.attrs->push_back(Attr(i.first, vAttr, ptr(&i.second.pos)));
+            v.attrs->push_back(Attr(i.first, vAttr, &i.second.pos));
        }

        /* If the rec contains an attribute called `__overrides', then
@@ -1099,7 +1049,7 @@ void ExprAttrs::eval(EvalState & state, Env & env, Value & v)

    else
        for (auto & i : attrs)
-            v.attrs->push_back(Attr(i.first, i.second.e->maybeThunk(state, env), ptr(&i.second.pos)));
+            v.attrs->push_back(Attr(i.first, i.second.e->maybeThunk(state, env), &i.second.pos));

    /* Dynamic attrs apply *after* rec and __overrides. */
    for (auto & i : dynamicAttrs) {
@@ -1116,11 +1066,11 @@ void ExprAttrs::eval(EvalState & state, Env & env, Value & v)

        i.valueExpr->setName(nameSym);
        /* Keep sorted order so find can catch duplicates */
-        v.attrs->push_back(Attr(nameSym, i.valueExpr->maybeThunk(state, *dynamicEnv), ptr(&i.pos)));
+        v.attrs->push_back(Attr(nameSym, i.valueExpr->maybeThunk(state, *dynamicEnv), &i.pos));
        v.attrs->sort(); // FIXME: inefficient
    }

-    v.attrs->pos = ptr(&pos);
+    v.attrs->pos = &pos;
 }


@@ -1175,10 +1125,12 @@ static string showAttrPath(EvalState & state, Env & env, const AttrPath & attrPa
 }


+unsigned long nrLookups = 0;
+
 void ExprSelect::eval(EvalState & state, Env & env, Value & v)
 {
    Value vTmp;
-    ptr<Pos> pos2(&noPos);
+    Pos * pos2 = 0;
    Value * vAttrs = &vTmp;

    e->eval(state, env, vTmp);
@@ -1186,7 +1138,7 @@ void ExprSelect::eval(EvalState & state, Env & env, Value & v)
    try {

        for (auto & i : attrPath) {
-            state.nrLookups++;
+            nrLookups++;
            Bindings::iterator j;
            Symbol name = getName(i, state, env);
            if (def) {
@@ -1204,13 +1156,13 @@ void ExprSelect::eval(EvalState & state, Env & env, Value & v)
            }
            vAttrs = j->value;
            pos2 = j->pos;
-            if (state.countCalls) state.attrSelects[*pos2]++;
+            if (state.countCalls && pos2) state.attrSelects[*pos2]++;
        }

-        state.forceValue(*vAttrs, (*pos2 != noPos ? *pos2 : this->pos ) );
+        state.forceValue(*vAttrs, ( pos2 != NULL ? *pos2 : this->pos ) );

    } catch (Error & e) {
-        if (*pos2 != noPos && pos2->file != state.sDerivationNix)
+        if (pos2 && pos2->file != state.sDerivationNix)
            addErrorTrace(e, *pos2, "while evaluating the attribute '%1%'",
                showAttrPath(state, env, attrPath));
        throw;
@@ -1328,13 +1280,13 @@ void EvalState::callFunction(Value & fun, Value & arg, Value & v, const Pos & po

    auto size =
        (lambda.arg.empty() ? 0 : 1) +
-        (lambda.hasFormals() ? lambda.formals->formals.size() : 0);
+        (lambda.matchAttrs ? lambda.formals->formals.size() : 0);
    Env & env2(allocEnv(size));
    env2.up = fun.lambda.env;

    size_t displ = 0;

-    if (!lambda.hasFormals())
+    if (!lambda.matchAttrs)
        env2.values[displ++] = &arg;

    else {
@@ -1414,7 +1366,7 @@ void EvalState::autoCallFunction(Bindings & args, Value & fun, Value & res)
        }
    }

-    if (!fun.isLambda() || !fun.lambda.fun->hasFormals()) {
+    if (!fun.isLambda() || !fun.lambda.fun->matchAttrs) {
        res = fun;
        return;
    }
@@ -1616,6 +1568,7 @@ void ExprConcatStrings::eval(EvalState & state, Env & env, Value & v)
           and none of the strings are allowed to have contexts. */
        if (first) {
            firstType = vTmp.type();
+            first = false;
        }

        if (firstType == nInt) {
@@ -1636,12 +1589,7 @@ void ExprConcatStrings::eval(EvalState & state, Env & env, Value & v)
            } else
                throwEvalError(pos, "cannot add %1% to a float", showType(vTmp));
        } else
-            /* skip canonization of first path, which would only be not
-            canonized in the first place if it's coming from a ./${foo} type
-            path */
-            s << state.coerceToString(pos, vTmp, context, false, firstType == nString, !first);
-
-        first = false;
+            s << state.coerceToString(pos, vTmp, context, false, firstType == nString);
    }

    if (firstType == nInt)
@@ -1660,7 +1608,7 @@ void ExprConcatStrings::eval(EvalState & state, Env & env, Value & v)

 void ExprPos::eval(EvalState & state, Env & env, Value & v)
 {
-    state.mkPos(v, ptr(&pos));
+    state.mkPos(v, &pos);
 }


@@ -1830,7 +1778,7 @@ std::optional<string> EvalState::tryAttrsToString(const Pos & pos, Value & v,
 }

 string EvalState::coerceToString(const Pos & pos, Value & v, PathSet & context,
-    bool coerceMore, bool copyToStore, bool canonicalizePath)
+    bool coerceMore, bool copyToStore)
 {
    forceValue(v, pos);

@@ -1842,7 +1790,7 @@ string EvalState::coerceToString(const Pos & pos, Value & v, PathSet & context,
    }

    if (v.type() == nPath) {
-        Path path(canonicalizePath ? canonPath(v.path) : v.path);
+        Path path(canonPath(v.path));
        return copyToStore ? copyPathToStore(context, path) : path;
    }

@@ -1901,7 +1849,6 @@ string EvalState::copyPathToStore(PathSet & context, const Path & path)
            ? store->computeStorePathForPath(std::string(baseNameOf(path)), checkSourcePath(path)).first
            : store->addToStore(std::string(baseNameOf(path)), checkSourcePath(path), FileIngestionMethod::Recursive, htSHA256, defaultPathFilter, repair);
        dstPath = store->printStorePath(p);
-        allowPath(p);
        srcToStore.insert_or_assign(path, std::move(p));
        printMsg(lvlChatty, "copied source '%1%' -> '%2%'", path, dstPath);
    }
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@@ -94,14 +94,8 @@ public:

    Value vEmptySet;

-    /* Store used to materialise .drv files. */
    const ref<Store> store;

-    /* Store used to build stuff. */
-    const ref<Store> buildStore;
-
-    RootValue vCallFlake = nullptr;
-    RootValue vImportedDrvToDerivation = nullptr;

 private:
    SrcToStore srcToStore;
@@ -134,31 +128,13 @@ private:

 public:

-    EvalState(
-        const Strings & _searchPath,
-        ref<Store> store,
-        std::shared_ptr<Store> buildStore = nullptr);
+    EvalState(const Strings & _searchPath, ref<Store> store);
    ~EvalState();

-    void requireExperimentalFeatureOnEvaluation(
-        const std::string & feature,
-        const std::string_view fName,
-        const Pos & pos
-    );
-
    void addToSearchPath(const string & s);

    SearchPath getSearchPath() { return searchPath; }

-    /* Allow access to a path. */
-    void allowPath(const Path & path);
-
-    /* Allow access to a store path. Note that this gets remapped to
-       the real store path if `store` is a chroot store. */
-    void allowPath(const StorePath & storePath);
-
-    /* Check whether access to a path is allowed and throw an error if
-       not. Otherwise return the canonicalised path. */
    Path checkSourcePath(const Path & path);

    void checkURI(const std::string & uri);
@@ -187,14 +163,6 @@ public:
       trivial (i.e. doesn't require arbitrary computation). */
    void evalFile(const Path & path, Value & v, bool mustBeTrivial = false);

-    /* Like `cacheFile`, but with an already parsed expression. */
-    void cacheFile(
-        const Path & path,
-        const Path & resolvedPath,
-        Expr * e,
-        Value & v,
-        bool mustBeTrivial = false);
-
    void resetFileCache();

    /* Look up a file in the search path. */
@@ -249,8 +217,7 @@ public:
       booleans and lists to a string.  If `copyToStore' is set,
       referenced paths are copied to the Nix store as a side effect. */
    string coerceToString(const Pos & pos, Value & v, PathSet & context,
-        bool coerceMore = false, bool copyToStore = true,
-        bool canonicalizePath = true);
+        bool coerceMore = false, bool copyToStore = true);

    string copyPathToStore(PathSet & context, const Path & path);

@@ -334,7 +301,7 @@ public:
    void mkList(Value & v, size_t length);
    void mkAttrs(Value & v, size_t capacity);
    void mkThunk_(Value & v, Expr * expr);
-    void mkPos(Value & v, ptr<Pos> pos);
+    void mkPos(Value & v, Pos * pos);

    void concatLists(Value & v, size_t nrLists, Value * * lists, const Pos & pos);

@@ -349,10 +316,8 @@ private:
    unsigned long nrValuesInEnvs = 0;
    unsigned long nrValues = 0;
    unsigned long nrListElems = 0;
-    unsigned long nrLookups = 0;
    unsigned long nrAttrsets = 0;
    unsigned long nrAttrsInAttrsets = 0;
-    unsigned long nrAvoided = 0;
    unsigned long nrOpUpdates = 0;
    unsigned long nrOpUpdateValuesCopied = 0;
    unsigned long nrListConcats = 0;
@@ -374,11 +339,6 @@ private:

    friend struct ExprOpUpdate;
    friend struct ExprOpConcatLists;
-    friend struct ExprVar;
-    friend struct ExprString;
-    friend struct ExprInt;
-    friend struct ExprFloat;
-    friend struct ExprPath;
    friend struct ExprSelect;
    friend void prim_getAttr(EvalState & state, const Pos & pos, Value * * args, Value & v);
    friend void prim_match(EvalState & state, const Pos & pos, Value * * args, Value & v);
--- a/src/libexpr/flake/config.cc
+++ b/src/libexpr/flake/config.cc
@@ -29,7 +29,7 @@ static void writeTrustedList(const TrustedList & trustedList)

 void ConfigFile::apply()
 {
-    std::set<std::string> whitelist{"bash-prompt", "bash-prompt-suffix", "flake-registry"};
+    std::set<std::string> whitelist{"bash-prompt", "bash-prompt-suffix"};

    for (auto & [name, value] : settings) {

--- a/src/libexpr/flake/flake.cc
+++ b/src/libexpr/flake/flake.cc
@@ -1,5 +1,4 @@
 #include "flake.hh"
-#include "eval.hh"
 #include "lockfile.hh"
 #include "primops.hh"
 #include "eval-inline.hh"
@@ -64,7 +63,8 @@ static std::tuple<fetchers::Tree, FlakeRef, FlakeRef> fetchOrSubstituteTree(
    debug("got tree '%s' from '%s'",
        state.store->printStorePath(tree.storePath), lockedRef);

-    state.allowPath(tree.storePath);
+    if (state.allowedPaths)
+        state.allowedPaths->insert(tree.actualPath);

    assert(!originalRef.input.getNarHash() || tree.storePath == originalRef.input.computeStorePath(*state.store));

@@ -88,12 +88,10 @@ static void expectType(EvalState & state, ValueType type,
 }

 static std::map<FlakeId, FlakeInput> parseFlakeInputs(
-    EvalState & state, Value * value, const Pos & pos,
-    const std::optional<Path> & baseDir);
+    EvalState & state, Value * value, const Pos & pos);

 static FlakeInput parseFlakeInput(EvalState & state,
-    const std::string & inputName, Value * value, const Pos & pos,
-    const std::optional<Path> & baseDir)
+    const std::string & inputName, Value * value, const Pos & pos)
 {
    expectType(state, nAttrs, *value, pos);

@@ -117,7 +115,7 @@ static FlakeInput parseFlakeInput(EvalState & state,
                expectType(state, nBool, *attr.value, *attr.pos);
                input.isFlake = attr.value->boolean;
            } else if (attr.name == sInputs) {
-                input.overrides = parseFlakeInputs(state, attr.value, *attr.pos, baseDir);
+                input.overrides = parseFlakeInputs(state, attr.value, *attr.pos);
            } else if (attr.name == sFollows) {
                expectType(state, nString, *attr.value, *attr.pos);
                input.follows = parseInputPath(attr.value->string.s);
@@ -155,7 +153,7 @@ static FlakeInput parseFlakeInput(EvalState & state,
        if (!attrs.empty())
            throw Error("unexpected flake input attribute '%s', at %s", attrs.begin()->first, pos);
        if (url)
-            input.ref = parseFlakeRef(*url, baseDir, true);
+            input.ref = parseFlakeRef(*url, {}, true);
    }

    if (!input.follows && !input.ref)
@@ -165,8 +163,7 @@ static FlakeInput parseFlakeInput(EvalState & state,
 }

 static std::map<FlakeId, FlakeInput> parseFlakeInputs(
-    EvalState & state, Value * value, const Pos & pos,
-    const std::optional<Path> & baseDir)
+    EvalState & state, Value * value, const Pos & pos)
 {
    std::map<FlakeId, FlakeInput> inputs;

@@ -177,8 +174,7 @@ static std::map<FlakeId, FlakeInput> parseFlakeInputs(
            parseFlakeInput(state,
                inputAttr.name,
                inputAttr.value,
-                *inputAttr.pos,
-                baseDir));
+                *inputAttr.pos));
    }

    return inputs;
@@ -194,8 +190,7 @@ static Flake getFlake(
        state, originalRef, allowLookup, flakeCache);

    // Guard against symlink attacks.
-    auto flakeDir = canonPath(sourceInfo.actualPath + "/" + lockedRef.subdir);
-    auto flakeFile = canonPath(flakeDir + "/flake.nix");
+    auto flakeFile = canonPath(sourceInfo.actualPath + "/" + lockedRef.subdir + "/flake.nix");
    if (!isInDir(flakeFile, sourceInfo.actualPath))
        throw Error("'flake.nix' file of flake '%s' escapes from '%s'",
            lockedRef, state.store->printStorePath(sourceInfo.storePath));
@@ -223,14 +218,14 @@ static Flake getFlake(
    auto sInputs = state.symbols.create("inputs");

    if (auto inputs = vInfo.attrs->get(sInputs))
-        flake.inputs = parseFlakeInputs(state, inputs->value, *inputs->pos, flakeDir);
+        flake.inputs = parseFlakeInputs(state, inputs->value, *inputs->pos);

    auto sOutputs = state.symbols.create("outputs");

    if (auto outputs = vInfo.attrs->get(sOutputs)) {
        expectType(state, nFunction, *outputs->value, *outputs->pos);

-        if (outputs->value->isLambda() && outputs->value->lambda.fun->hasFormals()) {
+        if (outputs->value->isLambda() && outputs->value->lambda.fun->matchAttrs) {
            for (auto & formal : outputs->value->lambda.fun->formals->formals) {
                if (formal.name != state.sSelf)
                    flake.inputs.emplace(formal.name, FlakeInput {
@@ -301,14 +296,7 @@ LockedFlake lockFlake(

    FlakeCache flakeCache;

-    auto useRegistries = lockFlags.useRegistries.value_or(settings.useRegistries);
-
-    auto flake = getFlake(state, topRef, useRegistries, flakeCache);
-
-    if (lockFlags.applyNixConfig) {
-        flake.config.apply();
-        // FIXME: send new config to the daemon.
-    }
+    auto flake = getFlake(state, topRef, lockFlags.useRegistries, flakeCache);

    try {

@@ -329,38 +317,25 @@ LockedFlake lockFlake(

        std::vector<FlakeRef> parents;

-        struct LockParent {
-            /* The path to this parent. */
-            InputPath path;
-
-            /* Whether we are currently inside a top-level lockfile
-               (inputs absolute) or subordinate lockfile (inputs
-               relative). */
-            bool absolute;
-        };
-
        std::function<void(
            const FlakeInputs & flakeInputs,
            std::shared_ptr<Node> node,
            const InputPath & inputPathPrefix,
-            std::shared_ptr<const Node> oldNode,
-            const LockParent & parent,
-            const Path & parentPath)>
+            std::shared_ptr<const Node> oldNode)>
            computeLocks;

        computeLocks = [&](
            const FlakeInputs & flakeInputs,
            std::shared_ptr<Node> node,
            const InputPath & inputPathPrefix,
-            std::shared_ptr<const Node> oldNode,
-            const LockParent & parent,
-            const Path & parentPath)
+            std::shared_ptr<const Node> oldNode)
        {
            debug("computing lock file node '%s'", printInputPath(inputPathPrefix));

            /* Get the overrides (i.e. attributes of the form
               'inputs.nixops.inputs.nixpkgs.url = ...'). */
-            for (auto & [id, input] : flakeInputs) {
+            // FIXME: check this
+            for (auto & [id, input] : flake.inputs) {
                for (auto & [idOverride, inputOverride] : input.overrides) {
                    auto inputPath(inputPathPrefix);
                    inputPath.push_back(id);
@@ -384,31 +359,22 @@ LockedFlake lockFlake(
                       ancestors? */
                    auto i = overrides.find(inputPath);
                    bool hasOverride = i != overrides.end();
-                    if (hasOverride) {
-                        overridesUsed.insert(inputPath);
-                        // Respect the “flakeness” of the input even if we
-                        // override it
-                        i->second.isFlake = input2.isFlake;
-                    }
+                    if (hasOverride) overridesUsed.insert(inputPath);
                    auto & input = hasOverride ? i->second : input2;

                    /* Resolve 'follows' later (since it may refer to an input
                       path we haven't processed yet. */
                    if (input.follows) {
                        InputPath target;
-
-                        if (parent.absolute && !hasOverride) {
+                        if (hasOverride || input.absolute)
+                            /* 'follows' from an override is relative to the
+                               root of the graph. */
                            target = *input.follows;
-                        } else {
-                            if (hasOverride) {
-                                target = inputPathPrefix;
-                                target.pop_back();
-                            } else
-                                target = parent.path;
-
+                        else {
+                            /* Otherwise, it's relative to the current flake. */
+                            target = inputPathPrefix;
                            for (auto & i : *input.follows) target.push_back(i);
                        }
-
                        debug("input '%s' follows '%s'", inputPathS, printInputPath(target));
                        node->inputs.insert_or_assign(id, target);
                        continue;
@@ -454,7 +420,7 @@ LockedFlake lockFlake(
                        if (hasChildUpdate) {
                            auto inputFlake = getFlake(
                                state, oldLock->lockedRef, false, flakeCache);
-                            computeLocks(inputFlake.inputs, childNode, inputPath, oldLock, parent, parentPath);
+                            computeLocks(inputFlake.inputs, childNode, inputPath, oldLock);
                        } else {
                            /* No need to fetch this flake, we can be
                               lazy. However there may be new overrides on the
@@ -471,11 +437,12 @@ LockedFlake lockFlake(
                                } else if (auto follows = std::get_if<1>(&i.second)) {
                                    fakeInputs.emplace(i.first, FlakeInput {
                                        .follows = *follows,
+                                        .absolute = true
                                    });
                                }
                            }

-                            computeLocks(fakeInputs, childNode, inputPath, oldLock, parent, parentPath);
+                            computeLocks(fakeInputs, childNode, inputPath, oldLock);
                        }

                    } else {
@@ -487,15 +454,7 @@ LockedFlake lockFlake(
                            throw Error("cannot update flake input '%s' in pure mode", inputPathS);

                        if (input.isFlake) {
-                            Path localPath = parentPath;
-                            FlakeRef localRef = *input.ref;
-
-                            // If this input is a path, recurse it down.
-                            // This allows us to resolve path inputs relative to the current flake.
-                            if (localRef.input.getType() == "path")
-                                localPath = absPath(*input.ref->input.getSourcePath(), parentPath);
-
-                            auto inputFlake = getFlake(state, localRef, useRegistries, flakeCache);
+                            auto inputFlake = getFlake(state, *input.ref, lockFlags.useRegistries, flakeCache);

                            /* Note: in case of an --override-input, we use
                               the *original* ref (input2.ref) for the
@@ -516,13 +475,6 @@ LockedFlake lockFlake(
                            parents.push_back(*input.ref);
                            Finally cleanup([&]() { parents.pop_back(); });

-                            // Follows paths from existing inputs in the top-level lockfile are absolute,
-                            // whereas paths in subordinate lockfiles are relative to those lockfiles.
-                            LockParent newParent {
-                                .path = inputPath,
-                                .absolute = oldLock ? true : false
-                            };
-
                            /* Recursively process the inputs of this
                               flake. Also, unless we already have this flake
                               in the top-level lock file, use this flake's
@@ -532,13 +484,12 @@ LockedFlake lockFlake(
                                oldLock
                                ? std::dynamic_pointer_cast<const Node>(oldLock)
                                : LockFile::read(
-                                    inputFlake.sourceInfo->actualPath + "/" + inputFlake.lockedRef.subdir + "/flake.lock").root,
-                                newParent, localPath);
+                                    inputFlake.sourceInfo->actualPath + "/" + inputFlake.lockedRef.subdir + "/flake.lock").root);
                        }

                        else {
                            auto [sourceInfo, resolvedRef, lockedRef] = fetchOrSubstituteTree(
-                                state, *input.ref, useRegistries, flakeCache);
+                                state, *input.ref, lockFlags.useRegistries, flakeCache);
                            node->inputs.insert_or_assign(id,
                                std::make_shared<LockedNode>(lockedRef, *input.ref, false));
                        }
@@ -551,17 +502,9 @@ LockedFlake lockFlake(
            }
        };

-        LockParent parent {
-            .path = {},
-            .absolute = true
-        };
-
-        // Bring in the current ref for relative path resolution if we have it
-        auto parentPath = canonPath(flake.sourceInfo->actualPath + "/" + flake.lockedRef.subdir);
-
        computeLocks(
            flake.inputs, newLockFile.root, {},
-            lockFlags.recreateLockFile ? nullptr : oldLockFile.root, parent, parentPath);
+            lockFlags.recreateLockFile ? nullptr : oldLockFile.root);

        for (auto & i : lockFlags.inputOverrides)
            if (!overridesUsed.count(i.first))
@@ -611,8 +554,8 @@ LockedFlake lockFlake(
                        topRef.input.markChangedFile(
                            (topRef.subdir == "" ? "" : topRef.subdir + "/") + "flake.lock",
                            lockFlags.commitLockFile
-                            ? std::optional<std::string>(fmt("%s: %s\n\nFlake lock file changes:\n\n%s",
-                                    relPath, lockFileExists ? "Update" : "Add", filterANSIEscapes(diff, true)))
+                            ? std::optional<std::string>(fmt("%s: %s\n\nFlake input changes:\n\n%s",
+                                    relPath, lockFileExists ? "Update" : "Add", diff))
                            : std::nullopt);

                        /* Rewriting the lockfile changed the top-level
@@ -620,7 +563,7 @@ LockedFlake lockFlake(
                           also just clear the 'rev' field... */
                        auto prevLockedRef = flake.lockedRef;
                        FlakeCache dummyCache;
-                        flake = getFlake(state, topRef, useRegistries, dummyCache);
+                        flake = getFlake(state, topRef, lockFlags.useRegistries, dummyCache);

                        if (lockFlags.commitLockFile &&
                            flake.lockedRef.input.getRev() &&
@@ -637,10 +580,8 @@ LockedFlake lockFlake(
                    }
                } else
                    throw Error("cannot write modified lock file of flake '%s' (use '--no-write-lock-file' to ignore)", topRef);
-            } else {
+            } else
                warn("not writing modified lock file of flake '%s':\n%s", topRef, chomp(diff));
-                flake.forceDirty = true;
-            }
        }

        return LockedFlake { .flake = std::move(flake), .lockFile = std::move(newLockFile) };
@@ -663,32 +604,26 @@ void callFlake(EvalState & state,

    mkString(*vLocks, lockedFlake.lockFile.to_string());

-    emitTreeAttrs(
-        state,
-        *lockedFlake.flake.sourceInfo,
-        lockedFlake.flake.lockedRef.input,
-        *vRootSrc,
-        false,
-        lockedFlake.flake.forceDirty);
+    emitTreeAttrs(state, *lockedFlake.flake.sourceInfo, lockedFlake.flake.lockedRef.input, *vRootSrc);

    mkString(*vRootSubdir, lockedFlake.flake.lockedRef.subdir);

-    if (!state.vCallFlake) {
-        state.vCallFlake = allocRootValue(state.allocValue());
+    static RootValue vCallFlake = nullptr;
+
+    if (!vCallFlake) {
+        vCallFlake = allocRootValue(state.allocValue());
        state.eval(state.parseExprFromString(
            #include "call-flake.nix.gen.hh"
-            , "/"), **state.vCallFlake);
+            , "/"), **vCallFlake);
    }

-    state.callFunction(**state.vCallFlake, *vLocks, *vTmp1, noPos);
+    state.callFunction(**vCallFlake, *vLocks, *vTmp1, noPos);
    state.callFunction(*vTmp1, *vRootSrc, *vTmp2, noPos);
    state.callFunction(*vTmp2, *vRootSubdir, vRes, noPos);
 }

 static void prim_getFlake(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
-    state.requireExperimentalFeatureOnEvaluation("flakes", "builtins.getFlake", pos);
-
    auto flakeRefS = state.forceStringNoCtx(*args[0], pos);
    auto flakeRef = parseFlakeRef(flakeRefS, {}, true);
    if (evalSettings.pureEval && !flakeRef.input.isImmutable())
@@ -698,13 +633,13 @@ static void prim_getFlake(EvalState & state, const Pos & pos, Value * * args, Va
        lockFlake(state, flakeRef,
            LockFlags {
                .updateLockFile = false,
-                .useRegistries = !evalSettings.pureEval && settings.useRegistries,
+                .useRegistries = !evalSettings.pureEval,
                .allowMutable  = !evalSettings.pureEval,
            }),
        v);
 }

-static RegisterPrimOp r2("__getFlake", 1, prim_getFlake);
+static RegisterPrimOp r2("__getFlake", 1, prim_getFlake, "flakes");

 }

@@ -714,9 +649,8 @@ Fingerprint LockedFlake::getFingerprint() const
    // and we haven't changed it, then it's sufficient to use
    // flake.sourceInfo.storePath for the fingerprint.
    return hashString(htSHA256,
-        fmt("%s;%s;%d;%d;%s",
+        fmt("%s;%d;%d;%s",
            flake.sourceInfo->storePath.to_string(),
-            flake.lockedRef.subdir,
            flake.lockedRef.input.getRevCount().value_or(0),
            flake.lockedRef.input.getLastModified().value_or(0),
            lockFile));
--- a/src/libexpr/flake/flake.hh
+++ b/src/libexpr/flake/flake.hh
@@ -43,6 +43,7 @@ struct FlakeInput
    std::optional<FlakeRef> ref;
    bool isFlake = true;  // true = process flake to get outputs, false = (fetched) static source path
    std::optional<InputPath> follows;
+    bool absolute = false; // whether 'follows' is relative to the flake root
    FlakeInputs overrides;
 };

@@ -58,10 +59,9 @@ struct ConfigFile
 /* The contents of a flake.nix file. */
 struct Flake
 {
-    FlakeRef originalRef; // the original flake specification (by the user)
-    FlakeRef resolvedRef; // registry references and caching resolved to the specific underlying flake
-    FlakeRef lockedRef; // the specific local store result of invoking the fetcher
-    bool forceDirty = false; // pretend that 'lockedRef' is dirty
+    FlakeRef originalRef;   // the original flake specification (by the user)
+    FlakeRef resolvedRef;   // registry references and caching resolved to the specific underlying flake
+    FlakeRef lockedRef;     // the specific local store result of invoking the fetcher
    std::optional<std::string> description;
    std::shared_ptr<const fetchers::Tree> sourceInfo;
    FlakeInputs inputs;
@@ -102,11 +102,7 @@ struct LockFlags

    /* Whether to use the registries to lookup indirect flake
       references like 'nixpkgs'. */
-    std::optional<bool> useRegistries = std::nullopt;
-
-    /* Whether to apply flake's nixConfig attribute to the configuration */
-
-    bool applyNixConfig = false;
+    bool useRegistries = true;

    /* Whether mutable flake references (i.e. those without a Git
       revision or similar) without a corresponding lock are
@@ -141,8 +137,6 @@ void emitTreeAttrs(
    EvalState & state,
    const fetchers::Tree & tree,
    const fetchers::Input & input,
-    Value & v,
-    bool emptyRevFallback = false,
-    bool forceDirty = false);
+    Value & v, bool emptyRevFallback = false);

 }
--- a/src/libexpr/flake/flakeref.cc
+++ b/src/libexpr/flake/flakeref.cc
@@ -172,12 +172,8 @@ std::pair<FlakeRef, std::string> parseFlakeRefWithFragment(
        auto parsedURL = parseURL(url);
        std::string fragment;
        std::swap(fragment, parsedURL.fragment);
-
-        auto input = Input::fromURL(parsedURL);
-        input.parent = baseDir;
-
        return std::make_pair(
-            FlakeRef(std::move(input), get(parsedURL.query, "dir").value_or("")),
+            FlakeRef(Input::fromURL(parsedURL), get(parsedURL.query, "dir").value_or("")),
            fragment);
    }
 }
--- a/src/libexpr/flake/lockfile.cc
+++ b/src/libexpr/flake/lockfile.cc
@@ -2,8 +2,6 @@
 #include "store-api.hh"
 #include "url-parts.hh"

-#include <iomanip>
-
 #include <nlohmann/json.hpp>

 namespace nix::flake {
@@ -270,20 +268,10 @@ std::map<InputPath, Node::Edge> LockFile::getAllInputs() const
    return res;
 }

-static std::string describe(const FlakeRef & flakeRef)
-{
-    auto s = fmt("'%s'", flakeRef.to_string());
-
-    if (auto lastModified = flakeRef.input.getLastModified())
-        s += fmt(" (%s)", std::put_time(std::gmtime(&*lastModified), "%Y-%m-%d"));
-
-    return s;
-}
-
 std::ostream & operator <<(std::ostream & stream, const Node::Edge & edge)
 {
    if (auto node = std::get_if<0>(&edge))
-        stream << describe((*node)->lockedRef);
+        stream << "'" << (*node)->lockedRef << "'";
    else if (auto follows = std::get_if<1>(&edge))
        stream << fmt("follows '%s'", printInputPath(*follows));
    return stream;
@@ -311,15 +299,14 @@ std::string LockFile::diff(const LockFile & oldLocks, const LockFile & newLocks)

    while (i != oldFlat.end() || j != newFlat.end()) {
        if (j != newFlat.end() && (i == oldFlat.end() || i->first > j->first)) {
-            res += fmt("• " ANSI_GREEN "Added input '%s':" ANSI_NORMAL "\n    %s\n",
-                printInputPath(j->first), j->second);
+            res += fmt("* Added '%s': %s\n", printInputPath(j->first), j->second);
            ++j;
        } else if (i != oldFlat.end() && (j == newFlat.end() || i->first < j->first)) {
-            res += fmt("• " ANSI_RED "Removed input '%s'" ANSI_NORMAL "\n", printInputPath(i->first));
+            res += fmt("* Removed '%s'\n", printInputPath(i->first));
            ++i;
        } else {
            if (!equals(i->second, j->second)) {
-                res += fmt("• " ANSI_BOLD "Updated input '%s':" ANSI_NORMAL "\n    %s\n  → %s\n",
+                res += fmt("* Updated '%s': %s -> %s\n",
                    printInputPath(i->first),
                    i->second,
                    j->second);
--- a/src/libexpr/lexer.l
+++ b/src/libexpr/lexer.l
@@ -9,9 +9,6 @@
 %s DEFAULT
 %x STRING
 %x IND_STRING
-%x INPATH
-%x INPATH_SLASH
-%x PATH_START


 %{
@@ -28,8 +25,6 @@ using namespace nix;

 namespace nix {

-// backup to recover from yyless(0)
-YYLTYPE prev_yylloc;

 static void initLoc(YYLTYPE * loc)
 {
@@ -40,18 +35,14 @@ static void initLoc(YYLTYPE * loc)

 static void adjustLoc(YYLTYPE * loc, const char * s, size_t len)
 {
-    prev_yylloc = *loc;
-
    loc->first_line = loc->last_line;
    loc->first_column = loc->last_column;

-    for (size_t i = 0; i < len; i++) {
+    while (len--) {
       switch (*s++) {
       case '\r':
-           if (*s == '\n') { /* cr/lf */
-               i++;
+           if (*s == '\n') /* cr/lf */
               s++;
-           }
           /* fall through */
       case '\n':
           ++loc->last_line;
@@ -104,12 +95,9 @@ ANY         .|\n
 ID          [a-zA-Z\_][a-zA-Z0-9\_\'\-]*
 INT         [0-9]+
 FLOAT       (([1-9][0-9]*\.[0-9]*)|(0?\.[0-9]+))([Ee][+-]?[0-9]+)?
-PATH_CHAR   [a-zA-Z0-9\.\_\-\+]
-PATH        {PATH_CHAR}*(\/{PATH_CHAR}+)+\/?
-PATH_SEG    {PATH_CHAR}*\/
-HPATH       \~(\/{PATH_CHAR}+)+\/?
-HPATH_START \~\/
-SPATH       \<{PATH_CHAR}+(\/{PATH_CHAR}+)*\>
+PATH        [a-zA-Z0-9\.\_\-\+]*(\/[a-zA-Z0-9\.\_\-\+]+)+\/?
+HPATH       \~(\/[a-zA-Z0-9\.\_\-\+]+)+\/?
+SPATH       \<[a-zA-Z0-9\.\_\-\+]+(\/[a-zA-Z0-9\.\_\-\+]+)*\>
 URI         [a-zA-Z][a-zA-Z0-9\+\-\.]*\:[a-zA-Z0-9\%\/\?\:\@\&\=\+\$\,\-\_\.\!\~\*\']+


@@ -210,75 +198,17 @@ or          { return OR_KW; }
                   return IND_STR;
                 }

-{PATH_SEG}\$\{ |
-{HPATH_START}\$\{ {
-  PUSH_STATE(PATH_START);
-  yyless(0);
-  *yylloc = prev_yylloc;
-}
-
-<PATH_START>{PATH_SEG} {
-  POP_STATE();
-  PUSH_STATE(INPATH_SLASH);
-  yylval->path = strdup(yytext);
-  return PATH;
-}
-
-<PATH_START>{HPATH_START} {
-  POP_STATE();
-  PUSH_STATE(INPATH_SLASH);
-  yylval->path = strdup(yytext);
-  return HPATH;
-}
-
-{PATH} {
-  if (yytext[yyleng-1] == '/')
-    PUSH_STATE(INPATH_SLASH);
-  else
-    PUSH_STATE(INPATH);
-  yylval->path = strdup(yytext);
-  return PATH;
-}
-{HPATH} {
-  if (yytext[yyleng-1] == '/')
-    PUSH_STATE(INPATH_SLASH);
-  else
-    PUSH_STATE(INPATH);
-  yylval->path = strdup(yytext);
-  return HPATH;
-}
-
-<INPATH,INPATH_SLASH>\$\{ {
-  POP_STATE();
-  PUSH_STATE(INPATH);
-  PUSH_STATE(DEFAULT);
-  return DOLLAR_CURLY;
-}
-<INPATH,INPATH_SLASH>{PATH}|{PATH_SEG}|{PATH_CHAR}+ {
-  POP_STATE();
-  if (yytext[yyleng-1] == '/')
-      PUSH_STATE(INPATH_SLASH);
-  else
-      PUSH_STATE(INPATH);
-  yylval->e = new ExprString(data->symbols.create(string(yytext)));
-  return STR;
-}
-<INPATH>{ANY} |
-<INPATH><<EOF>> {
-  /* if we encounter a non-path character we inform the parser that the path has
-     ended with a PATH_END token and re-parse this character in the default
-     context (it may be ')', ';', or something of that sort) */
-  POP_STATE();
-  yyless(0);
-  *yylloc = prev_yylloc;
-  return PATH_END;
-}
-
-<INPATH_SLASH>{ANY} |
-<INPATH_SLASH><<EOF>> {
-  throw ParseError("path has a trailing slash");
-}

+{PATH}      { if (yytext[yyleng-1] == '/')
+                  throw ParseError("path '%s' has a trailing slash", yytext);
+              yylval->path = strdup(yytext);
+              return PATH;
+            }
+{HPATH}     { if (yytext[yyleng-1] == '/')
+                  throw ParseError("path '%s' has a trailing slash", yytext);
+              yylval->path = strdup(yytext);
+              return HPATH;
+            }
 {SPATH}     { yylval->path = strdup(yytext); return SPATH; }
 {URI}       { yylval->uri = strdup(yytext); return URI; }

--- a/src/libexpr/local.mk
+++ b/src/libexpr/local.mk
@@ -15,8 +15,8 @@ libexpr_CXXFLAGS += -I src/libutil -I src/libstore -I src/libfetchers -I src/lib

 libexpr_LIBS = libutil libstore libfetchers

-libexpr_LDFLAGS += -lboost_context -pthread
-ifdef HOST_LINUX
+libexpr_LDFLAGS = -lboost_context
+ifeq ($(OS), Linux)
 libexpr_LDFLAGS += -ldl
 endif

@@ -35,7 +35,7 @@ $(d)/lexer-tab.cc $(d)/lexer-tab.hh: $(d)/lexer.l

 clean-files += $(d)/parser-tab.cc $(d)/parser-tab.hh $(d)/lexer-tab.cc $(d)/lexer-tab.hh

-$(eval $(call install-file-in, $(d)/nix-expr.pc, $(libdir)/pkgconfig, 0644))
+$(eval $(call install-file-in, $(d)/nix-expr.pc, $(prefix)/lib/pkgconfig, 0644))

 $(foreach i, $(wildcard src/libexpr/flake/*.hh), \
  $(eval $(call install-file-in, $(i), $(includedir)/nix/flake, 0644)))
--- a/src/libexpr/nixexpr.cc
+++ b/src/libexpr/nixexpr.cc
@@ -124,7 +124,7 @@ void ExprList::show(std::ostream & str) const
 void ExprLambda::show(std::ostream & str) const
 {
    str << "(";
-    if (hasFormals()) {
+    if (matchAttrs) {
        str << "{ ";
        bool first = true;
        for (auto & i : formals->formals) {
@@ -348,7 +348,7 @@ void ExprLambda::bindVars(const StaticEnv & env)

    if (!arg.empty()) newEnv.vars[arg] = displ++;

-    if (hasFormals()) {
+    if (matchAttrs) {
        for (auto & i : formals->formals)
            newEnv.vars[i.name] = displ++;

--- a/src/libexpr/nixexpr.hh
+++ b/src/libexpr/nixexpr.hh
@@ -233,10 +233,11 @@ struct ExprLambda : Expr
    Pos pos;
    Symbol name;
    Symbol arg;
+    bool matchAttrs;
    Formals * formals;
    Expr * body;
-    ExprLambda(const Pos & pos, const Symbol & arg, Formals * formals, Expr * body)
-        : pos(pos), arg(arg), formals(formals), body(body)
+    ExprLambda(const Pos & pos, const Symbol & arg, bool matchAttrs, Formals * formals, Expr * body)
+        : pos(pos), arg(arg), matchAttrs(matchAttrs), formals(formals), body(body)
    {
        if (!arg.empty() && formals && formals->argNames.find(arg) != formals->argNames.end())
            throw ParseError({
@@ -246,7 +247,6 @@ struct ExprLambda : Expr
    };
    void setName(Symbol & name);
    string showNamePos() const;
-    inline bool hasFormals() const { return formals != nullptr; }
    COMMON_METHODS
 };

--- a/src/libexpr/parser.y
+++ b/src/libexpr/parser.y
@@ -290,13 +290,13 @@ void yyerror(YYLTYPE * loc, yyscan_t scanner, ParseData * data, const char * err
 %type <formal> formal
 %type <attrNames> attrs attrpath
 %type <string_parts> string_parts_interpolated ind_string_parts
-%type <e> path_start string_parts string_attr
+%type <e> string_parts string_attr
 %type <id> attr
 %token <id> ID ATTRPATH
 %token <e> STR IND_STR
 %token <n> INT
 %token <nf> FLOAT
-%token <path> PATH HPATH SPATH PATH_END
+%token <path> PATH HPATH SPATH
 %token <uri> URI
 %token IF THEN ELSE ASSERT WITH LET IN REC INHERIT EQ NEQ AND OR IMPL OR_KW
 %token DOLLAR_CURLY /* == ${ */
@@ -324,13 +324,13 @@ expr: expr_function;

 expr_function
  : ID ':' expr_function
-    { $$ = new ExprLambda(CUR_POS, data->symbols.create($1), 0, $3); }
+    { $$ = new ExprLambda(CUR_POS, data->symbols.create($1), false, 0, $3); }
  | '{' formals '}' ':' expr_function
-    { $$ = new ExprLambda(CUR_POS, data->symbols.create(""), $2, $5); }
+    { $$ = new ExprLambda(CUR_POS, data->symbols.create(""), true, $2, $5); }
  | '{' formals '}' '@' ID ':' expr_function
-    { $$ = new ExprLambda(CUR_POS, data->symbols.create($5), $2, $7); }
+    { $$ = new ExprLambda(CUR_POS, data->symbols.create($5), true, $2, $7); }
  | ID '@' '{' formals '}' ':' expr_function
-    { $$ = new ExprLambda(CUR_POS, data->symbols.create($1), $4, $7); }
+    { $$ = new ExprLambda(CUR_POS, data->symbols.create($1), true, $4, $7); }
  | ASSERT expr ';' expr_function
    { $$ = new ExprAssert(CUR_POS, $2, $4); }
  | WITH expr ';' expr_function
@@ -405,11 +405,8 @@ expr_simple
  | IND_STRING_OPEN ind_string_parts IND_STRING_CLOSE {
      $$ = stripIndentation(CUR_POS, data->symbols, *$2);
  }
-  | path_start PATH_END { $$ = $1; }
-  | path_start string_parts_interpolated PATH_END {
-      $2->insert($2->begin(), $1);
-      $$ = new ExprConcatStrings(CUR_POS, false, $2);
-  }
+  | PATH { $$ = new ExprPath(absPath($1, data->basePath)); }
+  | HPATH { $$ = new ExprPath(getHome() + string{$1 + 1}); }
  | SPATH {
      string path($1 + 1, strlen($1) - 2);
      $$ = new ExprApp(CUR_POS,
@@ -455,20 +452,6 @@ string_parts_interpolated
    }
  ;

-path_start
-  : PATH {
-    Path path(absPath($1, data->basePath));
-    /* add back in the trailing '/' to the first segment */
-    if ($1[strlen($1)-1] == '/' && strlen($1) > 1)
-      path += "/";
-    $$ = new ExprPath(path);
-  }
-  | HPATH {
-    Path path(getHome() + string($1 + 1));
-    $$ = new ExprPath(path);
-  }
-  ;
-
 ind_string_parts
  : ind_string_parts IND_STR { $$ = $1; $1->push_back($2); }
  | ind_string_parts DOLLAR_CURLY expr '}' { $$ = $1; $1->push_back($3); }
@@ -752,7 +735,7 @@ std::pair<bool, std::string> EvalState::resolveSearchPathElem(const SearchPathEl
            res = { true, path };
        else {
            logWarning({
-                .msg = hintfmt("Nix search path entry '%1%' does not exist, ignoring", elem.second)
+                .msg = hintfmt("warning: Nix search path entry '%1%' does not exist, ignoring", elem.second)
            });
            res = { false, "" };
        }
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -52,13 +52,16 @@ void EvalState::realiseContext(const PathSet & context)
    if (drvs.empty()) return;

    if (!evalSettings.enableImportFromDerivation)
-        throw Error(
-            "cannot build '%1%' during evaluation because the option 'allow-import-from-derivation' is disabled",
+        throw EvalError("attempted to realize '%1%' during evaluation but 'allow-import-from-derivation' is false",
            store->printStorePath(drvs.begin()->drvPath));

-    /* Build/substitute the context. */
+    /* For performance, prefetch all substitute info. */
+    StorePathSet willBuild, willSubstitute, unknown;
+    uint64_t downloadSize, narSize;
    std::vector<DerivedPath> buildReqs;
    for (auto & d : drvs) buildReqs.emplace_back(DerivedPath { d });
+    store->queryMissing(buildReqs, willBuild, willSubstitute, unknown, downloadSize, narSize);
+
    store->buildPaths(buildReqs);

    /* Add the output of this derivations to the allowed
@@ -121,7 +124,7 @@ static void import(EvalState & state, const Pos & pos, Value & vPath, Value * vS
        });
    } catch (Error & e) {
        e.addTrace(pos, "while importing '%s'", path);
-        throw;
+        throw e;
    }

    Path realPath = state.checkSourcePath(state.toRealPath(path, context));
@@ -157,15 +160,16 @@ static void import(EvalState & state, const Pos & pos, Value & vPath, Value * vS
        }
        w.attrs->sort();

-        if (!state.vImportedDrvToDerivation) {
-            state.vImportedDrvToDerivation = allocRootValue(state.allocValue());
+        static RootValue fun;
+        if (!fun) {
+            fun = allocRootValue(state.allocValue());
            state.eval(state.parseExprFromString(
                #include "imported-drv-to-derivation.nix.gen.hh"
-                , "/"), **state.vImportedDrvToDerivation);
+                , "/"), **fun);
        }

-        state.forceFunction(**state.vImportedDrvToDerivation, pos);
-        mkApp(v, **state.vImportedDrvToDerivation, w);
+        state.forceFunction(**fun, pos);
+        mkApp(v, **fun, w);
        state.forceAttrs(v, pos);
    }

@@ -410,7 +414,7 @@ static RegisterPrimOp primop_isNull({
      Return `true` if *e* evaluates to `null`, and `false` otherwise.

      > **Warning**
-      >
+      > 
      > This function is *deprecated*; just write `e == null` instead.
    )",
    .fun = prim_isNull,
@@ -1170,7 +1174,7 @@ static void prim_derivationStrict(EvalState & state, const Pos & pos, Value * *
        // hash per output.
        auto hashModulo = hashDerivationModulo(*state.store, Derivation(drv), true);
        std::visit(overloaded {
-            [&](Hash & h) {
+            [&](Hash h) {
                for (auto & i : outputs) {
                    auto outPath = state.store->makeOutputPath(i, h, drvName);
                    drv.env[i] = state.store->printStorePath(outPath);
@@ -1182,11 +1186,11 @@ static void prim_derivationStrict(EvalState & state, const Pos & pos, Value * *
                        });
                }
            },
-            [&](CaOutputHashes &) {
+            [&](CaOutputHashes) {
                // Shouldn't happen as the toplevel derivation is not CA.
                assert(false);
            },
-            [&](DeferredHash &) {
+            [&](DeferredHash _) {
                for (auto & i : outputs) {
                    drv.outputs.insert_or_assign(i,
                        DerivationOutput {
@@ -1489,20 +1493,15 @@ static void prim_hashFile(EvalState & state, const Pos & pos, Value * * args, Va
    string type = state.forceStringNoCtx(*args[0], pos);
    std::optional<HashType> ht = parseHashType(type);
    if (!ht)
-        throw Error({
-            .msg = hintfmt("unknown hash type '%1%'", type),
-            .errPos = pos
-        });
+      throw Error({
+          .msg = hintfmt("unknown hash type '%1%'", type),
+          .errPos = pos
+      });

-    PathSet context;
-    Path path = state.coerceToPath(pos, *args[1], context);
-    try {
-        state.realiseContext(context);
-    } catch (InvalidPathError & e) {
-        throw EvalError("cannot read '%s' since path '%s' is not valid, at %s", path, e.path, pos);
-    }
+    PathSet context; // discarded
+    Path p = state.coerceToPath(pos, *args[1], context);

-    mkString(v, hashFile(*ht, state.checkSourcePath(state.toRealPath(path, context))).to_string(Base16, false));
+    mkString(v, hashFile(*ht, state.checkSourcePath(p)).to_string(Base16, false), context);
 }

 static RegisterPrimOp primop_hashFile({
@@ -1713,7 +1712,7 @@ static void prim_fromJSON(EvalState & state, const Pos & pos, Value * * args, Va
        parseJSON(state, s, v);
    } catch (JSONParseError &e) {
        e.addTrace(pos, "while decoding a JSON string");
-        throw;
+        throw e;
    }
 }

@@ -1843,81 +1842,50 @@ static RegisterPrimOp primop_toFile({
    .fun = prim_toFile,
 });

-static void addPath(
-    EvalState & state,
-    const Pos & pos,
-    const string & name,
-    Path path,
-    Value * filterFun,
-    FileIngestionMethod method,
-    const std::optional<Hash> expectedHash,
-    Value & v,
-    const PathSet & context)
+static void addPath(EvalState & state, const Pos & pos, const string & name, const Path & path_,
+    Value * filterFun, FileIngestionMethod method, const std::optional<Hash> expectedHash, Value & v)
 {
-    try {
-        // FIXME: handle CA derivation outputs (where path needs to
-        // be rewritten to the actual output).
-        state.realiseContext(context);
+    const auto path = evalSettings.pureEval && expectedHash ?
+        path_ :
+        state.checkSourcePath(path_);
+    PathFilter filter = filterFun ? ([&](const Path & path) {
+        auto st = lstat(path);

-        if (state.store->isInStore(path)) {
-            auto [storePath, subPath] = state.store->toStorePath(path);
-            auto info = state.store->queryPathInfo(storePath);
-            if (!info->references.empty())
-                throw EvalError("store path '%s' is not allowed to have references",
-                    state.store->printStorePath(storePath));
-            path = state.store->toRealPath(storePath) + subPath;
-        }
+        /* Call the filter function.  The first argument is the path,
+           the second is a string indicating the type of the file. */
+        Value arg1;
+        mkString(arg1, path);

-        path = evalSettings.pureEval && expectedHash
-            ? path
-            : state.checkSourcePath(path);
+        Value fun2;
+        state.callFunction(*filterFun, arg1, fun2, noPos);

-        PathFilter filter = filterFun ? ([&](const Path & path) {
-            auto st = lstat(path);
+        Value arg2;
+        mkString(arg2,
+            S_ISREG(st.st_mode) ? "regular" :
+            S_ISDIR(st.st_mode) ? "directory" :
+            S_ISLNK(st.st_mode) ? "symlink" :
+            "unknown" /* not supported, will fail! */);

-            /* Call the filter function.  The first argument is the path,
-               the second is a string indicating the type of the file. */
-            Value arg1;
-            mkString(arg1, path);
+        Value res;
+        state.callFunction(fun2, arg2, res, noPos);

-            Value fun2;
-            state.callFunction(*filterFun, arg1, fun2, noPos);
+        return state.forceBool(res, pos);
+    }) : defaultPathFilter;

-            Value arg2;
-            mkString(arg2,
-                S_ISREG(st.st_mode) ? "regular" :
-                S_ISDIR(st.st_mode) ? "directory" :
-                S_ISLNK(st.st_mode) ? "symlink" :
-                "unknown" /* not supported, will fail! */);
+    std::optional<StorePath> expectedStorePath;
+    if (expectedHash)
+        expectedStorePath = state.store->makeFixedOutputPath(method, *expectedHash, name);
+    Path dstPath;
+    if (!expectedHash || !state.store->isValidPath(*expectedStorePath)) {
+        dstPath = state.store->printStorePath(settings.readOnlyMode
+            ? state.store->computeStorePathForPath(name, path, method, htSHA256, filter).first
+            : state.store->addToStore(name, path, method, htSHA256, filter, state.repair));
+        if (expectedHash && expectedStorePath != state.store->parseStorePath(dstPath))
+            throw Error("store path mismatch in (possibly filtered) path added from '%s'", path);
+    } else
+        dstPath = state.store->printStorePath(*expectedStorePath);

-            Value res;
-            state.callFunction(fun2, arg2, res, noPos);
-
-            return state.forceBool(res, pos);
-        }) : defaultPathFilter;
-
-        std::optional<StorePath> expectedStorePath;
-        if (expectedHash)
-            expectedStorePath = state.store->makeFixedOutputPath(method, *expectedHash, name);
-
-        Path dstPath;
-        if (!expectedHash || !state.store->isValidPath(*expectedStorePath)) {
-            dstPath = state.store->printStorePath(settings.readOnlyMode
-                ? state.store->computeStorePathForPath(name, path, method, htSHA256, filter).first
-                : state.store->addToStore(name, path, method, htSHA256, filter, state.repair));
-            if (expectedHash && expectedStorePath != state.store->parseStorePath(dstPath))
-                throw Error("store path mismatch in (possibly filtered) path added from '%s'", path);
-        } else
-            dstPath = state.store->printStorePath(*expectedStorePath);
-
-        mkString(v, dstPath, {dstPath});
-
-        state.allowPath(dstPath);
-
-    } catch (Error & e) {
-        e.addTrace(pos, "while adding path '%s'", path);
-        throw;
-    }
+    mkString(v, dstPath, {dstPath});
 }


@@ -1925,6 +1893,11 @@ static void prim_filterSource(EvalState & state, const Pos & pos, Value * * args
 {
    PathSet context;
    Path path = state.coerceToPath(pos, *args[1], context);
+    if (!context.empty())
+        throw EvalError({
+            .msg = hintfmt("string '%1%' cannot refer to other paths", path),
+            .errPos = pos
+        });

    state.forceValue(*args[0], pos);
    if (args[0]->type() != nFunction)
@@ -1935,26 +1908,13 @@ static void prim_filterSource(EvalState & state, const Pos & pos, Value * * args
            .errPos = pos
        });

-    addPath(state, pos, std::string(baseNameOf(path)), path, args[0], FileIngestionMethod::Recursive, std::nullopt, v, context);
+    addPath(state, pos, std::string(baseNameOf(path)), path, args[0], FileIngestionMethod::Recursive, std::nullopt, v);
 }

 static RegisterPrimOp primop_filterSource({
    .name = "__filterSource",
    .args = {"e1", "e2"},
    .doc = R"(
-      > **Warning**
-      >
-      > `filterSource` should not be used to filter store paths. Since
-      > `filterSource` uses the name of the input directory while naming
-      > the output directory, doing so will produce a directory name in
-      > the form of `<hash2>-<hash>-<name>`, where `<hash>-<name>` is
-      > the name of the input directory. Since `<hash>` depends on the
-      > unfiltered directory, the name of the output directory will
-      > indirectly depend on files that are filtered out by the
-      > function. This will trigger a rebuild even when a filtered out
-      > file is changed. Use `builtins.path` instead, which allows
-      > specifying the name of the output directory.
-
      This function allows you to copy sources into the Nix store while
      filtering certain files. For instance, suppose that you want to use
      the directory `source-dir` as an input to a Nix expression, e.g.
@@ -2001,13 +1961,18 @@ static void prim_path(EvalState & state, const Pos & pos, Value * * args, Value
    Value * filterFun = nullptr;
    auto method = FileIngestionMethod::Recursive;
    std::optional<Hash> expectedHash;
-    PathSet context;

    for (auto & attr : *args[0]->attrs) {
        const string & n(attr.name);
-        if (n == "path")
+        if (n == "path") {
+            PathSet context;
            path = state.coerceToPath(*attr.pos, *attr.value, context);
-        else if (attr.name == state.sName)
+            if (!context.empty())
+                throw EvalError({
+                    .msg = hintfmt("string '%1%' cannot refer to other paths", path),
+                    .errPos = *attr.pos
+                });
+        } else if (attr.name == state.sName)
            name = state.forceStringNoCtx(*attr.value, *attr.pos);
        else if (n == "filter") {
            state.forceValue(*attr.value, pos);
@@ -2030,7 +1995,7 @@ static void prim_path(EvalState & state, const Pos & pos, Value * * args, Value
    if (name.empty())
        name = baseNameOf(path);

-    addPath(state, pos, name, path, filterFun, method, expectedHash, v, context);
+    addPath(state, pos, name, path, filterFun, method, expectedHash, v);
 }

 static RegisterPrimOp primop_path({
@@ -2144,7 +2109,7 @@ void prim_getAttr(EvalState & state, const Pos & pos, Value * * args, Value & v)
        pos
    );
    // !!! add to stack trace?
-    if (state.countCalls && *i->pos != noPos) state.attrSelects[*i->pos]++;
+    if (state.countCalls && i->pos) state.attrSelects[*i->pos]++;
    state.forceValue(*i->value, pos);
    v = *i->value;
 }
@@ -2395,7 +2360,7 @@ static void prim_functionArgs(EvalState & state, const Pos & pos, Value * * args
            .errPos = pos
        });

-    if (!args[0]->lambda.fun->hasFormals()) {
+    if (!args[0]->lambda.fun->matchAttrs) {
        state.mkAttrs(v, 0);
        return;
    }
@@ -2404,7 +2369,7 @@ static void prim_functionArgs(EvalState & state, const Pos & pos, Value * * args
    for (auto & i : args[0]->lambda.fun->formals->formals) {
        // !!! should optimise booleans (allocate only once)
        Value * value = state.allocValue();
-        v.attrs->push_back(Attr(i.name, value, ptr(&i.pos)));
+        v.attrs->push_back(Attr(i.name, value, &i.pos));
        mkBool(*value, i.def);
    }
    v.attrs->sort();
@@ -2550,7 +2515,7 @@ static RegisterPrimOp primop_tail({
      the argument isn’t a list or is an empty list.

      > **Warning**
-      >
+      > 
      > This function should generally be avoided since it's inefficient:
      > unlike Haskell's `tail`, it takes O(n) time, so recursing over a
      > list by repeatedly calling `tail` takes O(n^2) time.
@@ -2932,7 +2897,7 @@ static void prim_concatMap(EvalState & state, const Pos & pos, Value * * args, V
            state.forceList(lists[n], lists[n].determinePos(args[0]->determinePos(pos)));
        } catch (TypeError &e) {
            e.addTrace(pos, hintfmt("while invoking '%s'", "concatMap"));
-            throw;
+            throw e;
        }
        len += lists[n].listSize();
    }
@@ -3144,7 +3109,7 @@ static RegisterPrimOp primop_toString({

        - A path (e.g., `toString /foo/bar` yields `"/foo/bar"`.

-        - A set containing `{ __toString = self: ...; }` or `{ outPath = ...; }`.
+        - A set containing `{ __toString = self: ...; }`.

        - An integer.

@@ -3229,7 +3194,7 @@ static void prim_hashString(EvalState & state, const Pos & pos, Value * * args,
    PathSet context; // discarded
    string s = state.forceString(*args[1], context, pos);

-    mkString(v, hashString(*ht, s).to_string(Base16, false));
+    mkString(v, hashString(*ht, s).to_string(Base16, false), context);
 }

 static RegisterPrimOp primop_hashString({
@@ -3636,13 +3601,15 @@ static RegisterPrimOp primop_splitVersion({
 RegisterPrimOp::PrimOps * RegisterPrimOp::primOps;


-RegisterPrimOp::RegisterPrimOp(std::string name, size_t arity, PrimOpFun fun)
+RegisterPrimOp::RegisterPrimOp(std::string name, size_t arity, PrimOpFun fun,
+    std::optional<std::string> requiredFeature)
 {
    if (!primOps) primOps = new PrimOps;
    primOps->push_back({
        .name = name,
        .args = {},
        .arity = arity,
+        .requiredFeature = std::move(requiredFeature),
        .fun = fun
    });
 }
@@ -3678,7 +3645,9 @@ void EvalState::createBaseEnv()
    if (!evalSettings.pureEval) {
        mkInt(v, time(0));
        addConstant("__currentTime", v);
+    }

+    if (!evalSettings.pureEval) {
        mkString(v, settings.thisSystem.get());
        addConstant("__currentSystem", v);
    }
@@ -3716,13 +3685,14 @@ void EvalState::createBaseEnv()

    if (RegisterPrimOp::primOps)
        for (auto & primOp : *RegisterPrimOp::primOps)
-            addPrimOp({
-                .fun = primOp.fun,
-                .arity = std::max(primOp.args.size(), primOp.arity),
-                .name = symbols.create(primOp.name),
-                .args = std::move(primOp.args),
-                .doc = primOp.doc,
-            });
+            if (!primOp.requiredFeature || settings.isExperimentalFeatureEnabled(*primOp.requiredFeature))
+                addPrimOp({
+                    .fun = primOp.fun,
+                    .arity = std::max(primOp.args.size(), primOp.arity),
+                    .name = symbols.create(primOp.name),
+                    .args = std::move(primOp.args),
+                    .doc = primOp.doc,
+                });

    /* Add a wrapper around the derivation primop that computes the
       `drvPath' and `outPath' attributes lazily. */
--- a/src/libexpr/primops.hh
+++ b/src/libexpr/primops.hh
@@ -15,6 +15,7 @@ struct RegisterPrimOp
        std::vector<std::string> args;
        size_t arity = 0;
        const char * doc;
+        std::optional<std::string> requiredFeature;
        PrimOpFun fun;
    };

@@ -27,7 +28,8 @@ struct RegisterPrimOp
    RegisterPrimOp(
        std::string name,
        size_t arity,
-        PrimOpFun fun);
+        PrimOpFun fun,
+        std::optional<std::string> requiredFeature = {});

    RegisterPrimOp(Info && info);
 };
--- a/src/libexpr/primops/fetchMercurial.cc
+++ b/src/libexpr/primops/fetchMercurial.cc
@@ -62,7 +62,6 @@ static void prim_fetchMercurial(EvalState & state, const Pos & pos, Value * * ar
    fetchers::Attrs attrs;
    attrs.insert_or_assign("type", "hg");
    attrs.insert_or_assign("url", url.find("://") != std::string::npos ? url : "file://" + url);
-    attrs.insert_or_assign("name", name);
    if (ref) attrs.insert_or_assign("ref", *ref);
    if (rev) attrs.insert_or_assign("rev", rev->gitRev());
    auto input = fetchers::Input::fromAttrs(std::move(attrs));
@@ -84,7 +83,8 @@ static void prim_fetchMercurial(EvalState & state, const Pos & pos, Value * * ar
        mkInt(*state.allocAttr(v, state.symbols.create("revCount")), *revCount);
    v.attrs->sort();

-    state.allowPath(tree.storePath);
+    if (state.allowedPaths)
+        state.allowedPaths->insert(tree.actualPath);
 }

 static RegisterPrimOp r_fetchMercurial("fetchMercurial", 1, prim_fetchMercurial);
--- a/src/libexpr/primops/fetchTree.cc
+++ b/src/libexpr/primops/fetchTree.cc
@@ -7,7 +7,6 @@

 #include <ctime>
 #include <iomanip>
-#include <regex>

 namespace nix {

@@ -16,8 +15,7 @@ void emitTreeAttrs(
    const fetchers::Tree & tree,
    const fetchers::Input & input,
    Value & v,
-    bool emptyRevFallback,
-    bool forceDirty)
+    bool emptyRevFallback)
 {
    assert(input.isImmutable());

@@ -34,28 +32,24 @@ void emitTreeAttrs(
    mkString(*state.allocAttr(v, state.symbols.create("narHash")),
        narHash->to_string(SRI, true));

+    if (auto rev = input.getRev()) {
+        mkString(*state.allocAttr(v, state.symbols.create("rev")), rev->gitRev());
+        mkString(*state.allocAttr(v, state.symbols.create("shortRev")), rev->gitShortRev());
+    } else if (emptyRevFallback) {
+        // Backwards compat for `builtins.fetchGit`: dirty repos return an empty sha1 as rev
+        auto emptyHash = Hash(htSHA1);
+        mkString(*state.allocAttr(v, state.symbols.create("rev")), emptyHash.gitRev());
+        mkString(*state.allocAttr(v, state.symbols.create("shortRev")), emptyHash.gitShortRev());
+    }
+
    if (input.getType() == "git")
        mkBool(*state.allocAttr(v, state.symbols.create("submodules")),
            fetchers::maybeGetBoolAttr(input.attrs, "submodules").value_or(false));

-    if (!forceDirty) {
-
-        if (auto rev = input.getRev()) {
-            mkString(*state.allocAttr(v, state.symbols.create("rev")), rev->gitRev());
-            mkString(*state.allocAttr(v, state.symbols.create("shortRev")), rev->gitShortRev());
-        } else if (emptyRevFallback) {
-            // Backwards compat for `builtins.fetchGit`: dirty repos return an empty sha1 as rev
-            auto emptyHash = Hash(htSHA1);
-            mkString(*state.allocAttr(v, state.symbols.create("rev")), emptyHash.gitRev());
-            mkString(*state.allocAttr(v, state.symbols.create("shortRev")), emptyHash.gitShortRev());
-        }
-
-        if (auto revCount = input.getRevCount())
-            mkInt(*state.allocAttr(v, state.symbols.create("revCount")), *revCount);
-        else if (emptyRevFallback)
-            mkInt(*state.allocAttr(v, state.symbols.create("revCount")), 0);
-
-    }
+    if (auto revCount = input.getRevCount())
+        mkInt(*state.allocAttr(v, state.symbols.create("revCount")), *revCount);
+    else if (emptyRevFallback)
+        mkInt(*state.allocAttr(v, state.symbols.create("revCount")), 0);

    if (auto lastModified = input.getLastModified()) {
        mkInt(*state.allocAttr(v, state.symbols.create("lastModified")), *lastModified);
@@ -66,33 +60,25 @@ void emitTreeAttrs(
    v.attrs->sort();
 }

-std::string fixURI(std::string uri, EvalState & state, const std::string & defaultScheme = "file")
+std::string fixURI(std::string uri, EvalState &state)
 {
    state.checkURI(uri);
-    return uri.find("://") != std::string::npos ? uri : defaultScheme + "://" + uri;
+    return uri.find("://") != std::string::npos ? uri : "file://" + uri;
 }

-std::string fixURIForGit(std::string uri, EvalState & state)
+void addURI(EvalState &state, fetchers::Attrs &attrs, Symbol name, std::string v)
 {
-    static std::regex scp_uri("([^/].*)@(.*):(.*)");
-    if (uri[0] != '/' && std::regex_match(uri, scp_uri))
-        return fixURI(std::regex_replace(uri, scp_uri, "$1@$2/$3"), state, "ssh");
-    else
-        return fixURI(uri, state);
+    string n(name);
+    attrs.emplace(name, n == "url" ? fixURI(v, state) : v);
 }

-struct FetchTreeParams {
-    bool emptyRevFallback = false;
-    bool allowNameArgument = false;
-};
-
 static void fetchTree(
-    EvalState & state,
-    const Pos & pos,
-    Value * * args,
-    Value & v,
-    std::optional<std::string> type,
-    const FetchTreeParams & params = FetchTreeParams{}
+    EvalState &state,
+    const Pos &pos,
+    Value **args,
+    Value &v,
+    const std::optional<std::string> type,
+    bool emptyRevFallback = false
 ) {
    fetchers::Input input;
    PathSet context;
@@ -104,33 +90,17 @@ static void fetchTree(

        fetchers::Attrs attrs;

-        if (auto aType = args[0]->attrs->get(state.sType)) {
-            if (type)
-                throw Error({
-                    .msg = hintfmt("unexpected attribute 'type'"),
-                    .errPos = pos
-                });
-            type = state.forceStringNoCtx(*aType->value, *aType->pos);
-        } else if (!type)
-            throw Error({
-                .msg = hintfmt("attribute 'type' is missing in call to 'fetchTree'"),
-                .errPos = pos
-            });
-
-        attrs.emplace("type", type.value());
-
        for (auto & attr : *args[0]->attrs) {
-            if (attr.name == state.sType) continue;
            state.forceValue(*attr.value);
-            if (attr.value->type() == nPath || attr.value->type() == nString) {
-                auto s = state.coerceToString(*attr.pos, *attr.value, context, false, false);
-                attrs.emplace(attr.name,
-                    attr.name == "url"
-                    ? type == "git"
-                      ? fixURIForGit(s, state)
-                      : fixURI(s, state)
-                    : s);
-            }
+            if (attr.value->type() == nPath || attr.value->type() == nString)
+                addURI(
+                    state,
+                    attrs,
+                    attr.name,
+                    state.coerceToString(*attr.pos, *attr.value, context, false, false)
+                );
+            else if (attr.value->type() == nString)
+                addURI(state, attrs, attr.name, attr.value->string.s);
            else if (attr.value->type() == nBool)
                attrs.emplace(attr.name, Explicit<bool>{attr.value->boolean});
            else if (attr.value->type() == nInt)
@@ -140,24 +110,26 @@ static void fetchTree(
                    attr.name, showType(*attr.value));
        }

-        if (!params.allowNameArgument)
-            if (auto nameIter = attrs.find("name"); nameIter != attrs.end())
-                throw Error({
-                    .msg = hintfmt("attribute 'name' isn’t supported in call to 'fetchTree'"),
-                    .errPos = pos
-                });
+        if (type)
+            attrs.emplace("type", type.value());
+
+        if (!attrs.count("type"))
+            throw Error({
+                .msg = hintfmt("attribute 'type' is missing in call to 'fetchTree'"),
+                .errPos = pos
+            });

        input = fetchers::Input::fromAttrs(std::move(attrs));
    } else {
-        auto url = state.coerceToString(pos, *args[0], context, false, false);
+        auto url = fixURI(state.coerceToString(pos, *args[0], context, false, false), state);

        if (type == "git") {
            fetchers::Attrs attrs;
            attrs.emplace("type", "git");
-            attrs.emplace("url", fixURIForGit(url, state));
+            attrs.emplace("url", url);
            input = fetchers::Input::fromAttrs(std::move(attrs));
        } else {
-            input = fetchers::Input::fromURL(fixURI(url, state));
+            input = fetchers::Input::fromURL(url);
        }
    }

@@ -169,15 +141,16 @@ static void fetchTree(

    auto [tree, input2] = input.fetch(state.store);

-    state.allowPath(tree.storePath);
+    if (state.allowedPaths)
+        state.allowedPaths->insert(tree.actualPath);

-    emitTreeAttrs(state, tree, input2, v, params.emptyRevFallback, false);
+    emitTreeAttrs(state, tree, input2, v, emptyRevFallback);
 }

 static void prim_fetchTree(EvalState & state, const Pos & pos, Value * * args, Value & v)
 {
    settings.requireExperimentalFeature("flakes");
-    fetchTree(state, pos, args, v, std::nullopt, FetchTreeParams { .allowNameArgument = false });
+    fetchTree(state, pos, args, v, std::nullopt);
 }

 // FIXME: document
@@ -233,18 +206,20 @@ static void fetch(EvalState & state, const Pos & pos, Value * * args, Value & v,
        ? fetchers::downloadTarball(state.store, *url, name, (bool) expectedHash).first.storePath
        : fetchers::downloadFile(state.store, *url, name, (bool) expectedHash).storePath;

+    auto path = state.store->toRealPath(storePath);
+
    if (expectedHash) {
        auto hash = unpack
            ? state.store->queryPathInfo(storePath)->narHash
-            : hashFile(htSHA256, state.store->toRealPath(storePath));
+            : hashFile(htSHA256, path);
        if (hash != *expectedHash)
            throw Error((unsigned int) 102, "hash mismatch in file downloaded from '%s':\n  specified: %s\n  got:       %s",
                *url, expectedHash->to_string(Base32, true), hash.to_string(Base32, true));
    }

-    state.allowPath(storePath);
+    if (state.allowedPaths)
+        state.allowedPaths->insert(path);

-    auto path = state.store->printStorePath(storePath);
    mkString(v, path, PathSet({path}));
 }

@@ -317,7 +292,7 @@ static RegisterPrimOp primop_fetchTarball({

 static void prim_fetchGit(EvalState &state, const Pos &pos, Value **args, Value &v)
 {
-    fetchTree(state, pos, args, v, "git", FetchTreeParams { .emptyRevFallback = true, .allowNameArgument = true });
+    fetchTree(state, pos, args, v, "git", true);
 }

 static RegisterPrimOp primop_fetchGit({
--- a/src/libexpr/value-to-xml.cc
+++ b/src/libexpr/value-to-xml.cc
@@ -42,7 +42,7 @@ static void showAttrs(EvalState & state, bool strict, bool location,

        XMLAttrs xmlAttrs;
        xmlAttrs["name"] = i;
-        if (location && a.pos != ptr(&noPos)) posToXML(xmlAttrs, *a.pos);
+        if (location && a.pos != &noPos) posToXML(xmlAttrs, *a.pos);

        XMLOpenElement _(doc, "attr", xmlAttrs);
        printValueAsXML(state, strict, location,
@@ -135,7 +135,7 @@ static void printValueAsXML(EvalState & state, bool strict, bool location,
            if (location) posToXML(xmlAttrs, v.lambda.fun->pos);
            XMLOpenElement _(doc, "function", xmlAttrs);

-            if (v.lambda.fun->hasFormals()) {
+            if (v.lambda.fun->matchAttrs) {
                XMLAttrs attrs;
                if (!v.lambda.fun->arg.empty()) attrs["name"] = v.lambda.fun->arg;
                if (v.lambda.fun->formals->ellipsis) attrs["ellipsis"] = "1";
--- a/src/libfetchers/fetchers.cc
+++ b/src/libfetchers/fetchers.cc
@@ -200,17 +200,12 @@ void Input::markChangedFile(
    return scheme->markChangedFile(*this, file, commitMsg);
 }

-std::string Input::getName() const
-{
-    return maybeGetStrAttr(attrs, "name").value_or("source");
-}
-
 StorePath Input::computeStorePath(Store & store) const
 {
    auto narHash = getNarHash();
    if (!narHash)
        throw Error("cannot compute store path for mutable input '%s'", to_string());
-    return store.makeFixedOutputPath(FileIngestionMethod::Recursive, *narHash, getName());
+    return store.makeFixedOutputPath(FileIngestionMethod::Recursive, *narHash, "source");
 }

 std::string Input::getType() const
--- a/src/libfetchers/fetchers.hh
+++ b/src/libfetchers/fetchers.hh
@@ -38,9 +38,6 @@ struct Input
    bool immutable = false;
    bool direct = true;

-    /* path of the parent of this input, used for relative path resolution */
-    std::optional<Path> parent;
-
 public:
    static Input fromURL(const std::string & url);

@@ -84,8 +81,6 @@ public:
        std::string_view file,
        std::optional<std::string> commitMsg) const;

-    std::string getName() const;
-
    StorePath computeStorePath(Store & store) const;

    // Convenience functions for common attributes.
--- a/src/libfetchers/git.cc
+++ b/src/libfetchers/git.cc
@@ -4,7 +4,6 @@
 #include "tarfile.hh"
 #include "store-api.hh"
 #include "url-parts.hh"
-#include "pathlocks.hh"

 #include <sys/time.h>
 #include <sys/wait.h>
@@ -13,12 +12,6 @@ using namespace std::string_literals;

 namespace nix::fetchers {

-// Explicit initial branch of our bare repo to suppress warnings from new version of git.
-// The value itself does not matter, since we always fetch a specific revision or branch.
-// It is set with `-c init.defaultBranch=` instead of `--initial-branch=` to stay compatible with
-// old version of git, which will ignore unrecognized `-c` options.
-const std::string gitInitialBranch = "__nix_dummy_branch";
-
 static std::string readHead(const Path & path)
 {
    return chomp(runProgram("git", true, { "-C", path, "rev-parse", "--abbrev-ref", "HEAD" }));
@@ -67,7 +60,7 @@ struct GitInputScheme : InputScheme
        if (maybeGetStrAttr(attrs, "type") != "git") return {};

        for (auto & [name, value] : attrs)
-            if (name != "type" && name != "url" && name != "ref" && name != "rev" && name != "shallow" && name != "submodules" && name != "lastModified" && name != "revCount" && name != "narHash" && name != "allRefs" && name != "name")
+            if (name != "type" && name != "url" && name != "ref" && name != "rev" && name != "shallow" && name != "submodules" && name != "lastModified" && name != "revCount" && name != "narHash" && name != "allRefs")
                throw Error("unsupported Git input attribute '%s'", name);

        parseURL(getStrAttr(attrs, "url"));
@@ -174,9 +167,9 @@ struct GitInputScheme : InputScheme

    std::pair<Tree, Input> fetch(ref<Store> store, const Input & _input) override
    {
-        Input input(_input);
+        auto name = "source";

-        std::string name = input.getName();
+        Input input(_input);

        bool shallow = maybeGetBoolAttr(input.attrs, "shallow").value_or(false);
        bool submodules = maybeGetBoolAttr(input.attrs, "submodules").value_or(false);
@@ -277,7 +270,7 @@ struct GitInputScheme : InputScheme
                    return files.count(file);
                };

-                auto storePath = store->addToStore(input.getName(), actualUrl, FileIngestionMethod::Recursive, htSHA256, filter);
+                auto storePath = store->addToStore("source", actualUrl, FileIngestionMethod::Recursive, htSHA256, filter);

                // FIXME: maybe we should use the timestamp of the last
                // modified dirty file?
@@ -324,17 +317,11 @@ struct GitInputScheme : InputScheme
            Path cacheDir = getCacheDir() + "/nix/gitv3/" + hashString(htSHA256, actualUrl).to_string(Base32, false);
            repoDir = cacheDir;

-            Path cacheDirLock = cacheDir + ".lock";
-            createDirs(dirOf(cacheDir));
-            AutoCloseFD lock = openLockFile(cacheDirLock, true);
-            lockFile(lock.get(), ltWrite, true);
-
            if (!pathExists(cacheDir)) {
-                runProgram("git", true, { "-c", "init.defaultBranch=" + gitInitialBranch, "init", "--bare", repoDir });
+                createDirs(dirOf(cacheDir));
+                runProgram("git", true, { "init", "--bare", repoDir });
            }

-            deleteLockFile(cacheDirLock, lock.get());
-
            Path localRefFile =
                input.getRef()->compare(0, 5, "refs/") == 0
                ? cacheDir + "/" + *input.getRef()
@@ -419,14 +406,17 @@ struct GitInputScheme : InputScheme
        AutoDelete delTmpDir(tmpDir, true);
        PathFilter filter = defaultPathFilter;

-        auto result = runProgram(RunOptions {
-            .program = "git",
-            .args = { "-C", repoDir, "cat-file", "commit", input.getRev()->gitRev() },
-            .mergeStderrToStdout = true
-        });
+        RunOptions checkCommitOpts(
+            "git",
+            { "-C", repoDir, "cat-file", "commit", input.getRev()->gitRev() }
+        );
+        checkCommitOpts.searchPath = true;
+        checkCommitOpts.mergeStderrToStdout = true;
+
+        auto result = runProgram(checkCommitOpts);
        if (WEXITSTATUS(result.first) == 128
-            && result.second.find("bad file") != std::string::npos)
-        {
+            && result.second.find("bad file") != std::string::npos
+        ) {
            throw Error(
                "Cannot find Git revision '%s' in ref '%s' of repository '%s'! "
                    "Please make sure that the " ANSI_BOLD "rev" ANSI_NORMAL " exists on the "
@@ -442,7 +432,7 @@ struct GitInputScheme : InputScheme
            Path tmpGitDir = createTempDir();
            AutoDelete delTmpGitDir(tmpGitDir, true);

-            runProgram("git", true, { "-c", "init.defaultBranch=" + gitInitialBranch, "init", tmpDir, "--separate-git-dir", tmpGitDir });
+            runProgram("git", true, { "init", tmpDir, "--separate-git-dir", tmpGitDir });
            // TODO: repoDir might lack the ref (it only checks if rev
            // exists, see FIXME above) so use a big hammer and fetch
            // everything to ensure we get the rev.
@@ -458,11 +448,9 @@ struct GitInputScheme : InputScheme
            // FIXME: should pipe this, or find some better way to extract a
            // revision.
            auto source = sinkToSource([&](Sink & sink) {
-                runProgram2({
-                    .program = "git",
-                    .args = { "-C", repoDir, "archive", input.getRev()->gitRev() },
-                    .standardOut = &sink
-                });
+                RunOptions gitOptions("git", { "-C", repoDir, "archive", input.getRev()->gitRev() });
+                gitOptions.standardOut = &sink;
+                runProgram2(gitOptions);
            });

            unpackTarfile(*source, tmpDir);
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
@@ -207,7 +207,7 @@ struct GitArchiveInputScheme : InputScheme

        auto url = getDownloadUrl(input);

-        auto [tree, lastModified] = downloadTarball(store, url.url, input.getName(), true, url.headers);
+        auto [tree, lastModified] = downloadTarball(store, url.url, "source", true, url.headers);

        input.attrs.insert_or_assign("lastModified", uint64_t(lastModified));

@@ -273,9 +273,9 @@ struct GitHubInputScheme : GitArchiveInputScheme
    void clone(const Input & input, const Path & destDir) override
    {
        auto host = maybeGetStrAttr(input.attrs, "host").value_or("github.com");
-        Input::fromURL(fmt("git+https://%s/%s/%s.git",
+        Input::fromURL(fmt("git+ssh://git@%s/%s/%s.git",
                host, getStrAttr(input.attrs, "owner"), getStrAttr(input.attrs, "repo")))
-            .applyOverrides(input.getRef(), input.getRev())
+            .applyOverrides(input.getRef().value_or("HEAD"), input.getRev())
            .clone(destDir);
    }
 };
@@ -341,9 +341,9 @@ struct GitLabInputScheme : GitArchiveInputScheme
    {
        auto host = maybeGetStrAttr(input.attrs, "host").value_or("gitlab.com");
        // FIXME: get username somewhere
-        Input::fromURL(fmt("git+https://%s/%s/%s.git",
+        Input::fromURL(fmt("git+ssh://git@%s/%s/%s.git",
                host, getStrAttr(input.attrs, "owner"), getStrAttr(input.attrs, "repo")))
-            .applyOverrides(input.getRef(), input.getRev())
+            .applyOverrides(input.getRef().value_or("HEAD"), input.getRev())
            .clone(destDir);
    }
 };
--- a/src/libfetchers/local.mk
+++ b/src/libfetchers/local.mk
@@ -8,6 +8,4 @@ libfetchers_SOURCES := $(wildcard $(d)/*.cc)

 libfetchers_CXXFLAGS += -I src/libutil -I src/libstore

-libfetchers_LDFLAGS += -pthread
-
 libfetchers_LIBS = libutil libstore
--- a/src/libfetchers/mercurial.cc
+++ b/src/libfetchers/mercurial.cc
@@ -11,32 +11,34 @@ using namespace std::string_literals;

 namespace nix::fetchers {

-static RunOptions hgOptions(const Strings & args)
-{
-    auto env = getEnv();
-    // Set HGPLAIN: this means we get consistent output from hg and avoids leakage from a user or system .hgrc.
-    env["HGPLAIN"] = "";
+namespace {

-    return {
-        .program = "hg",
-        .searchPath = true,
-        .args = args,
-        .environment = env
-    };
+RunOptions hgOptions(const Strings & args) {
+	RunOptions opts("hg", args);
+	opts.searchPath = true;
+
+	auto env = getEnv();
+	// Set HGPLAIN: this means we get consistent output from hg and avoids leakage from a user or system .hgrc.
+	env["HGPLAIN"] = "";
+	opts.environment = env;
+
+	return opts;
 }

 // runProgram wrapper that uses hgOptions instead of stock RunOptions.
-static string runHg(const Strings & args, const std::optional<std::string> & input = {})
+string runHg(const Strings & args, const std::optional<std::string> & input = {})
 {
-    RunOptions opts = hgOptions(args);
-    opts.input = input;
+	RunOptions opts = hgOptions(args);
+	opts.input = input;

-    auto res = runProgram(std::move(opts));
+	auto res = runProgram(opts);

-    if (!statusOk(res.first))
-        throw ExecError(res.first, fmt("hg %1%", statusToString(res.first)));
+	if (!statusOk(res.first))
+		throw ExecError(res.first, fmt("hg %1%", statusToString(res.first)));
+
+	return res.second;
+}

-    return res.second;
 }

 struct MercurialInputScheme : InputScheme
@@ -72,7 +74,7 @@ struct MercurialInputScheme : InputScheme
        if (maybeGetStrAttr(attrs, "type") != "hg") return {};

        for (auto & [name, value] : attrs)
-            if (name != "type" && name != "url" && name != "ref" && name != "rev" && name != "revCount" && name != "narHash" && name != "name")
+            if (name != "type" && name != "url" && name != "ref" && name != "rev" && name != "revCount" && name != "narHash")
                throw Error("unsupported Mercurial input attribute '%s'", name);

        parseURL(getStrAttr(attrs, "url"));
@@ -145,9 +147,9 @@ struct MercurialInputScheme : InputScheme

    std::pair<Tree, Input> fetch(ref<Store> store, const Input & _input) override
    {
-        Input input(_input);
+        auto name = "source";

-        auto name = input.getName();
+        Input input(_input);

        auto [isLocal, actualUrl_] = getActualUrl(input);
        auto actualUrl = actualUrl_; // work around clang bug
@@ -191,7 +193,7 @@ struct MercurialInputScheme : InputScheme
                    return files.count(file);
                };

-                auto storePath = store->addToStore(input.getName(), actualUrl, FileIngestionMethod::Recursive, htSHA256, filter);
+                auto storePath = store->addToStore("source", actualUrl, FileIngestionMethod::Recursive, htSHA256, filter);

                return {
                    Tree(store->toRealPath(storePath), std::move(storePath)),
@@ -251,7 +253,9 @@ struct MercurialInputScheme : InputScheme
           have to pull again. */
        if (!(input.getRev()
                && pathExists(cacheDir)
-                && runProgram(hgOptions({ "log", "-R", cacheDir, "-r", input.getRev()->gitRev(), "--template", "1" })).second == "1"))
+                && runProgram(
+                    hgOptions({ "log", "-R", cacheDir, "-r", input.getRev()->gitRev(), "--template", "1" })
+                    .killStderr(true)).second == "1"))
        {
            Activity act(*logger, lvlTalkative, actUnknown, fmt("fetching Mercurial repository '%s'", actualUrl));

--- a/src/libfetchers/path.cc
+++ b/src/libfetchers/path.cc
@@ -82,38 +82,18 @@ struct PathInputScheme : InputScheme

    std::pair<Tree, Input> fetch(ref<Store> store, const Input & input) override
    {
-        std::string absPath;
        auto path = getStrAttr(input.attrs, "path");

-        if (path[0] != '/') {
-            if (!input.parent)
-                throw Error("cannot fetch input '%s' because it uses a relative path", input.to_string());
-
-            auto parent = canonPath(*input.parent);
-
-            // the path isn't relative, prefix it
-            absPath = nix::absPath(path, parent);
-
-            // for security, ensure that if the parent is a store path, it's inside it
-            if (store->isInStore(parent)) {
-                auto storePath = store->printStorePath(store->toStorePath(parent).first);
-                if (!isInDir(absPath, storePath))
-                    throw BadStorePath("relative path '%s' points outside of its parent's store path '%s'", path, storePath);
-            }
-        } else
-            absPath = path;
-
-        Activity act(*logger, lvlTalkative, actUnknown, fmt("copying '%s'", absPath));
-
        // FIXME: check whether access to 'path' is allowed.
-        auto storePath = store->maybeParseStorePath(absPath);
+
+        auto storePath = store->maybeParseStorePath(path);

        if (storePath)
            store->addTempRoot(*storePath);

        if (!storePath || storePath->name() != "source" || !store->isValidPath(*storePath))
            // FIXME: try to substitute storePath.
-            storePath = store->addToStore("source", absPath);
+            storePath = store->addToStore("source", path);

        return {
            Tree(store->toRealPath(*storePath), std::move(*storePath)),
--- a/src/libfetchers/registry.cc
+++ b/src/libfetchers/registry.cc
@@ -124,13 +124,6 @@ std::shared_ptr<Registry> getUserRegistry()
    return userRegistry;
 }

-std::shared_ptr<Registry> getCustomRegistry(const Path & p)
-{
-    static auto customRegistry =
-        Registry::read(p, Registry::Custom);
-    return customRegistry;
-}
-
 static std::shared_ptr<Registry> flagRegistry =
    std::make_shared<Registry>(Registry::Flag);

--- a/src/libfetchers/registry.hh
+++ b/src/libfetchers/registry.hh
@@ -14,7 +14,6 @@ struct Registry
        User = 1,
        System = 2,
        Global = 3,
-        Custom = 4,
    };

    RegistryType type;
@@ -49,8 +48,6 @@ typedef std::vector<std::shared_ptr<Registry>> Registries;

 std::shared_ptr<Registry> getUserRegistry();

-std::shared_ptr<Registry> getCustomRegistry(const Path & p);
-
 Path getUserRegistryPath();

 Registries getRegistries(ref<Store> store);
--- a/src/libfetchers/tarball.cc
+++ b/src/libfetchers/tarball.cc
@@ -196,7 +196,7 @@ struct TarballInputScheme : InputScheme
        if (maybeGetStrAttr(attrs, "type") != "tarball") return {};

        for (auto & [name, value] : attrs)
-            if (name != "type" && name != "url" && /* name != "hash" && */ name != "narHash" && name != "name")
+            if (name != "type" && name != "url" && /* name != "hash" && */ name != "narHash")
                throw Error("unsupported tarball input attribute '%s'", name);

        Input input;
@@ -226,7 +226,7 @@ struct TarballInputScheme : InputScheme

    std::pair<Tree, Input> fetch(ref<Store> store, const Input & input) override
    {
-        auto tree = downloadTarball(store, getStrAttr(input.attrs, "url"), input.getName(), false).first;
+        auto tree = downloadTarball(store, getStrAttr(input.attrs, "url"), "source", false).first;
        return {std::move(tree), input};
    }
 };
--- a/src/libmain/local.mk
+++ b/src/libmain/local.mk
@@ -8,10 +8,10 @@ libmain_SOURCES := $(wildcard $(d)/*.cc)

 libmain_CXXFLAGS += -I src/libutil -I src/libstore

-libmain_LDFLAGS += $(OPENSSL_LIBS)
+libmain_LDFLAGS = $(OPENSSL_LIBS)

 libmain_LIBS = libstore libutil

 libmain_ALLOW_UNDEFINED = 1

-$(eval $(call install-file-in, $(d)/nix-main.pc, $(libdir)/pkgconfig, 0644))
+$(eval $(call install-file-in, $(d)/nix-main.pc, $(prefix)/lib/pkgconfig, 0644))
--- a/src/libmain/progress-bar.cc
+++ b/src/libmain/progress-bar.cc
@@ -484,7 +484,7 @@ Logger * makeProgressBar(bool printBuildLogs)
 {
    return new ProgressBar(
        printBuildLogs,
-        shouldANSI()
+        isatty(STDERR_FILENO) && getEnv("TERM").value_or("dumb") != "dumb"
    );
 }

--- a/src/libmain/shared.cc
+++ b/src/libmain/shared.cc
@@ -15,9 +15,6 @@
 #include <sys/stat.h>
 #include <unistd.h>
 #include <signal.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netdb.h>

 #include <openssl/crypto.h>

@@ -113,31 +110,6 @@ static void opensslLockCallback(int mode, int type, const char * file, int line)
 }
 #endif

-static std::once_flag dns_resolve_flag;
-
-static void preloadNSS() {
-    /* builtin:fetchurl can trigger a DNS lookup, which with glibc can trigger a dynamic library load of
-       one of the glibc NSS libraries in a sandboxed child, which will fail unless the library's already
-       been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
-       load its lookup libraries in the parent before any child gets a chance to. */
-    std::call_once(dns_resolve_flag, []() {
-        struct addrinfo *res = NULL;
-
-        /* nss will only force the "local" (not through nscd) dns resolution if its on the LOCALDOMAIN.
-           We need the resolution to be done locally, as nscd socket will not be accessible in the
-           sandbox. */
-        char * previous_env = getenv("LOCALDOMAIN");
-        setenv("LOCALDOMAIN", "invalid", 1);
-        if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) == 0) {
-            if (res) freeaddrinfo(res);
-        }
-        if (previous_env) {
-             setenv("LOCALDOMAIN", previous_env, 1);
-        } else {
-             unsetenv("LOCALDOMAIN");
-        }
-    });
-}

 static void sigHandler(int signo) { }

@@ -204,8 +176,6 @@ void initNix()
    if (hasPrefix(getEnv("TMPDIR").value_or("/tmp"), "/var/folders/"))
        unsetenv("TMPDIR");
 #endif
-
-    preloadNSS();
 }


@@ -268,7 +238,7 @@ LegacyArgs::LegacyArgs(const std::string & programName,
    addFlag({
        .longName = "no-gc-warning",
        .description = "Disable warnings about not using `--add-root`.",
-        .handler = {&gcWarning, false},
+        .handler = {&gcWarning, true},
    });

    addFlag({
--- a/src/libstore/binary-cache-store.cc
+++ b/src/libstore/binary-cache-store.cc
@@ -52,9 +52,9 @@ void BinaryCacheStore::init()
                    throw Error("binary cache '%s' is for Nix stores with prefix '%s', not '%s'",
                        getUri(), value, storeDir);
            } else if (name == "WantMassQuery") {
-                wantMassQuery.setDefault(value == "1");
+                wantMassQuery.setDefault(value == "1" ? "true" : "false");
            } else if (name == "Priority") {
-                priority.setDefault(std::stoi(value));
+                priority.setDefault(fmt("%d", std::stoi(value)));
            }
        }
    }
@@ -130,6 +130,17 @@ AutoCloseFD openFile(const Path & path)
    return fd;
 }

+struct FileSource : FdSource
+{
+    AutoCloseFD fd2;
+
+    FileSource(const Path & path)
+        : fd2(openFile(path))
+    {
+        fd = fd2.get();
+    }
+};
+
 ref<const ValidPathInfo> BinaryCacheStore::addToStoreCommon(
    Source & narSource, RepairFlag repair, CheckSigsFlag checkSigs,
    std::function<ValidPathInfo(HashResult)> mkInfo)
--- a/src/libstore/build/derivation-goal.cc
+++ b/src/libstore/build/derivation-goal.cc
@@ -143,6 +143,7 @@ void DerivationGoal::work()
    (this->*state)();
 }

+
 void DerivationGoal::addWantedOutputs(const StringSet & outputs)
 {
    /* If we already want all outputs, there is nothing to do. */
@@ -165,7 +166,7 @@ void DerivationGoal::getDerivation()
    /* The first thing to do is to make sure that the derivation
       exists.  If it doesn't, it may be created through a
       substitute. */
-    if (buildMode == bmNormal && worker.evalStore.isValidPath(drvPath)) {
+    if (buildMode == bmNormal && worker.store.isValidPath(drvPath)) {
        loadDerivation();
        return;
    }
@@ -188,12 +189,12 @@ void DerivationGoal::loadDerivation()
    /* `drvPath' should already be a root, but let's be on the safe
       side: if the user forgot to make it a root, we wouldn't want
       things being garbage collected while we're busy. */
-    worker.evalStore.addTempRoot(drvPath);
+    worker.store.addTempRoot(drvPath);

-    assert(worker.evalStore.isValidPath(drvPath));
+    assert(worker.store.isValidPath(drvPath));

    /* Get the derivation. */
-    drv = std::make_unique<Derivation>(worker.evalStore.derivationFromPath(drvPath));
+    drv = std::make_unique<Derivation>(worker.store.derivationFromPath(drvPath));

    haveDerivation();
 }
@@ -212,8 +213,8 @@ void DerivationGoal::haveDerivation()
        if (i.second.second)
            worker.store.addTempRoot(*i.second.second);

-    auto outputHashes = staticOutputHashes(worker.evalStore, *drv);
-    for (auto & [outputName, outputHash] : outputHashes)
+    auto outputHashes = staticOutputHashes(worker.store, *drv);
+    for (auto &[outputName, outputHash] : outputHashes)
      initialOutputs.insert({
            outputName,
            InitialOutput{
@@ -337,15 +338,6 @@ void DerivationGoal::gaveUpOnSubstitution()
        for (auto & i : dynamic_cast<Derivation *>(drv.get())->inputDrvs)
            addWaitee(worker.makeDerivationGoal(i.first, i.second, buildMode == bmRepair ? bmRepair : bmNormal));

-    /* Copy the input sources from the eval store to the build
-       store. */
-    if (&worker.evalStore != &worker.store) {
-        RealisedPath::Set inputSrcs;
-        for (auto & i : drv->inputSrcs)
-            inputSrcs.insert(i);
-        copyClosure(worker.evalStore, worker.store, inputSrcs);
-    }
-
    for (auto & i : drv->inputSrcs) {
        if (worker.store.isValidPath(i)) continue;
        if (!settings.useSubstitutes)
@@ -487,8 +479,8 @@ void DerivationGoal::inputsRealised()
            /* Add the relevant output closures of the input derivation
               `i' as input paths.  Only add the closures of output paths
               that are specified as inputs. */
-            assert(worker.evalStore.isValidPath(drvPath));
-            auto outputs = worker.evalStore.queryPartialDerivationOutputMap(depDrvPath);
+            assert(worker.store.isValidPath(drvPath));
+            auto outputs = worker.store.queryPartialDerivationOutputMap(depDrvPath);
            for (auto & j : wantedDepOutputs) {
                if (outputs.count(j) > 0) {
                    auto optRealizedInput = outputs.at(j);
@@ -553,7 +545,7 @@ void DerivationGoal::tryToBuild()
    PathSet lockFiles;
    /* FIXME: Should lock something like the drv itself so we don't build same
       CA drv concurrently */
-    if (dynamic_cast<LocalStore *>(&worker.store)) {
+    if (dynamic_cast<LocalStore *>(&worker.store))
        /* If we aren't a local store, we might need to use the local store as
           a build remote, but that would cause a deadlock. */
        /* FIXME: Make it so we can use ourselves as a build remote even if we
@@ -561,15 +553,9 @@ void DerivationGoal::tryToBuild()
        /* FIXME: find some way to lock for scheduling for the other stores so
           a forking daemon with --store still won't farm out redundant builds.
           */
-        for (auto & i : drv->outputsAndOptPaths(worker.store)) {
+        for (auto & i : drv->outputsAndOptPaths(worker.store))
            if (i.second.second)
                lockFiles.insert(worker.store.Store::toRealPath(*i.second.second));
-            else
-                lockFiles.insert(
-                    worker.store.Store::toRealPath(drvPath) + "." + i.first
-                );
-        }
-    }

    if (!outputLocks.lockPaths(lockFiles, "", false)) {
        if (!actLock)
@@ -616,9 +602,7 @@ void DerivationGoal::tryToBuild()
    /* Don't do a remote build if the derivation has the attribute
       `preferLocalBuild' set.  Also, check and repair modes are only
       supported for local builds. */
-    bool buildLocally =
-        (buildMode != bmNormal || parsedDrv->willBuildLocally(worker.store))
-        && settings.maxBuildJobs.get() != 0;
+    bool buildLocally = buildMode != bmNormal || parsedDrv->willBuildLocally(worker.store);

    if (!buildLocally) {
        switch (tryBuildHook()) {
@@ -774,7 +758,9 @@ void runPostBuildHook(

    hookEnvironment.emplace("DRV_PATH", store.printStorePath(drvPath));
    hookEnvironment.emplace("OUT_PATHS", chomp(concatStringsSep(" ", store.printStorePathSet(outputPaths))));
-    hookEnvironment.emplace("NIX_CONFIG", globalConfig.toKeyValue());
+
+    RunOptions opts(settings.postBuildHook, {});
+    opts.environment = hookEnvironment;

    struct LogSink : Sink {
        Activity & act;
@@ -806,12 +792,9 @@ void runPostBuildHook(
    };
    LogSink sink(act);

-    runProgram2({
-        .program = settings.postBuildHook,
-        .environment = hookEnvironment,
-        .standardOut = &sink,
-        .mergeStderrToStdout = true,
-    });
+    opts.standardOut = &sink;
+    opts.mergeStderrToStdout = true;
+    runProgram2(opts);
 }

 void DerivationGoal::buildDone()
@@ -1011,7 +994,7 @@ HookReply DerivationGoal::tryBuildHook()
                    return readLine(worker.hook->fromHook.readSide.get());
                } catch (Error & e) {
                    e.addTrace({}, "while reading the response from the build hook");
-                    throw;
+                    throw e;
                }
            }();
            if (handleJSONLogMessage(s, worker.act, worker.hook->activities, true))
@@ -1057,7 +1040,7 @@ HookReply DerivationGoal::tryBuildHook()
        machineName = readLine(hook->fromHook.readSide.get());
    } catch (Error & e) {
        e.addTrace({}, "while reading the machine name from the build hook");
-        throw;
+        throw e;
    }

    /* Tell the hook all the inputs that have to be copied to the
@@ -1091,6 +1074,42 @@ HookReply DerivationGoal::tryBuildHook()
 }


+StorePathSet DerivationGoal::exportReferences(const StorePathSet & storePaths)
+{
+    StorePathSet paths;
+
+    for (auto & storePath : storePaths) {
+        if (!inputPaths.count(storePath))
+            throw BuildError("cannot export references of path '%s' because it is not in the input closure of the derivation", worker.store.printStorePath(storePath));
+
+        worker.store.computeFSClosure({storePath}, paths);
+    }
+
+    /* If there are derivations in the graph, then include their
+       outputs as well.  This is useful if you want to do things
+       like passing all build-time dependencies of some path to a
+       derivation that builds a NixOS DVD image. */
+    auto paths2 = paths;
+
+    for (auto & j : paths2) {
+        if (j.isDerivation()) {
+            Derivation drv = worker.store.derivationFromPath(j);
+            for (auto & k : drv.outputsAndOptPaths(worker.store)) {
+                if (!k.second.second)
+                    /* FIXME: I am confused why we are calling
+                       `computeFSClosure` on the output path, rather than
+                       derivation itself. That doesn't seem right to me, so I
+                       won't try to implemented this for CA derivations. */
+                    throw UnimplementedError("exportReferences on CA derivations is not yet implemented");
+                worker.store.computeFSClosure(*k.second.second, paths);
+            }
+        }
+    }
+
+    return paths;
+}
+
+
 void DerivationGoal::registerOutputs()
 {
    /* When using a build hook, the build hook can register the output
--- a/src/libstore/build/entry-points.cc
+++ b/src/libstore/build/entry-points.cc
@@ -6,17 +6,17 @@

 namespace nix {

-void Store::buildPaths(const std::vector<DerivedPath> & reqs, BuildMode buildMode, std::shared_ptr<Store> evalStore)
+void Store::buildPaths(const std::vector<DerivedPath> & reqs, BuildMode buildMode)
 {
-    Worker worker(*this, evalStore ? *evalStore : *this);
+    Worker worker(*this);

    Goals goals;
-    for (const auto & br : reqs) {
+    for (auto & br : reqs) {
        std::visit(overloaded {
-            [&](const DerivedPath::Built & bfd) {
+            [&](DerivedPath::Built bfd) {
                goals.insert(worker.makeDerivationGoal(bfd.drvPath, bfd.outputs, buildMode));
            },
-            [&](const DerivedPath::Opaque & bo) {
+            [&](DerivedPath::Opaque bo) {
                goals.insert(worker.makePathSubstitutionGoal(bo.path, buildMode == bmRepair ? Repair : NoRepair));
            },
        }, br.raw());
@@ -51,7 +51,7 @@ void Store::buildPaths(const std::vector<DerivedPath> & reqs, BuildMode buildMod
 BuildResult Store::buildDerivation(const StorePath & drvPath, const BasicDerivation & drv,
    BuildMode buildMode)
 {
-    Worker worker(*this, *this);
+    Worker worker(*this);
    auto goal = worker.makeBasicDerivationGoal(drvPath, drv, {}, buildMode);

    BuildResult result;
@@ -93,7 +93,7 @@ void Store::ensurePath(const StorePath & path)
    /* If the path is already valid, we're done. */
    if (isValidPath(path)) return;

-    Worker worker(*this, *this);
+    Worker worker(*this);
    GoalPtr goal = worker.makePathSubstitutionGoal(path);
    Goals goals = {goal};

@@ -111,7 +111,7 @@ void Store::ensurePath(const StorePath & path)

 void LocalStore::repairPath(const StorePath & path)
 {
-    Worker worker(*this, *this);
+    Worker worker(*this);
    GoalPtr goal = worker.makePathSubstitutionGoal(path, Repair);
    Goals goals = {goal};

--- a/src/libstore/build/goal.cc
+++ b/src/libstore/build/goal.cc
@@ -13,9 +13,11 @@ bool CompareGoalPtrs::operator() (const GoalPtr & a, const GoalPtr & b) const {

 void addToWeakGoals(WeakGoals & goals, GoalPtr p)
 {
-    if (goals.find(p) != goals.end())
-        return;
-    goals.insert(p);
+    // FIXME: necessary?
+    // FIXME: O(n)
+    for (auto & i : goals)
+        if (i.lock() == p) return;
+    goals.push_back(p);
 }


@@ -44,7 +46,10 @@ void Goal::waiteeDone(GoalPtr waitee, ExitCode result)
        /* If we failed and keepGoing is not set, we remove all
           remaining waitees. */
        for (auto & goal : waitees) {
-            goal->waiters.extract(shared_from_this());
+            WeakGoals waiters2;
+            for (auto & j : goal->waiters)
+                if (j.lock() != shared_from_this()) waiters2.push_back(j);
+            goal->waiters = waiters2;
        }
        waitees.clear();

--- a/src/libstore/build/goal.hh
+++ b/src/libstore/build/goal.hh
@@ -19,7 +19,7 @@ struct CompareGoalPtrs {

 /* Set of goals. */
 typedef set<GoalPtr, CompareGoalPtrs> Goals;
-typedef set<WeakGoalPtr, std::owner_less<WeakGoalPtr>> WeakGoals;
+typedef list<WeakGoalPtr> WeakGoals;

 /* A map of paths to goals (and the other way around). */
 typedef std::map<StorePath, WeakGoalPtr> WeakGoalMap;
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -17,14 +17,16 @@
 #include <regex>
 #include <queue>

+#include <sys/types.h>
+#include <sys/socket.h>
 #include <sys/un.h>
+#include <netdb.h>
 #include <fcntl.h>
 #include <termios.h>
 #include <unistd.h>
 #include <sys/mman.h>
 #include <sys/utsname.h>
 #include <sys/resource.h>
-#include <sys/socket.h>

 #if HAVE_STATVFS
 #include <sys/statvfs.h>
@@ -32,6 +34,7 @@

 /* Includes required for chroot support. */
 #if __linux__
+#include <sys/socket.h>
 #include <sys/ioctl.h>
 #include <net/if.h>
 #include <netinet/ip.h>
@@ -67,14 +70,12 @@ void handleDiffHook(
    auto diffHook = settings.diffHook;
    if (diffHook != "" && settings.runDiffHook) {
        try {
-            auto diffRes = runProgram(RunOptions {
-                .program = diffHook,
-                .searchPath = true,
-                .args = {tryA, tryB, drvPath, tmpDir},
-                .uid = uid,
-                .gid = gid,
-                .chdir = "/"
-            });
+            RunOptions diffHookOptions(diffHook,{tryA, tryB, drvPath, tmpDir});
+            diffHookOptions.searchPath = true;
+            diffHookOptions.uid = uid;
+            diffHookOptions.gid = gid;
+            diffHookOptions.chdir = "/";
+            auto diffRes = runProgram(diffHookOptions);
            if (!statusOk(diffRes.first))
                throw ExecError(diffRes.first,
                    "diff-hook program '%1%' %2%",
@@ -343,6 +344,23 @@ int childEntry(void * arg)
 }


+static std::once_flag dns_resolve_flag;
+
+static void preloadNSS() {
+    /* builtin:fetchurl can trigger a DNS lookup, which with glibc can trigger a dynamic library load of
+       one of the glibc NSS libraries in a sandboxed child, which will fail unless the library's already
+       been loaded in the parent. So we force a lookup of an invalid domain to force the NSS machinery to
+       load its lookup libraries in the parent before any child gets a chance to. */
+    std::call_once(dns_resolve_flag, []() {
+        struct addrinfo *res = NULL;
+
+        if (getaddrinfo("this.pre-initializes.the.dns.resolvers.invalid.", "http", NULL, &res) != 0) {
+            if (res) freeaddrinfo(res);
+        }
+    });
+}
+
+
 static void linkOrCopy(const Path & from, const Path & to)
 {
    if (link(from.c_str(), to.c_str()) == -1) {
@@ -371,6 +389,9 @@ void LocalDerivationGoal::startBuilder()
            settings.thisSystem,
            concatStringsSep<StringSet>(", ", worker.store.systemFeatures));

+    if (drv->isBuiltin())
+        preloadNSS();
+
 #if __APPLE__
    additionalSandboxProfile = parsedDrv->getStringAttr("__sandboxProfile").value_or("");
 #endif
@@ -497,7 +518,7 @@ void LocalDerivationGoal::startBuilder()
            /* Write closure info to <fileName>. */
            writeFile(tmpDir + "/" + fileName,
                worker.store.makeValidityRegistration(
-                    worker.store.exportReferences({storePath}, inputPaths), false, false));
+                    exportReferences({storePath}), false, false));
        }
    }

@@ -705,13 +726,12 @@ void LocalDerivationGoal::startBuilder()
    Path logFile = openLogFile();

    /* Create a pipe to get the output of the builder. */
-    //builderOut.create();
+    builderOut.create();

    builderOut.readSide = posix_openpt(O_RDWR | O_NOCTTY);
    if (!builderOut.readSide)
        throw SysError("opening pseudoterminal master");

-    // FIXME: not thread-safe, use ptsname_r
    std::string slaveName(ptsname(builderOut.readSide.get()));

    if (buildUser) {
@@ -755,6 +775,7 @@ void LocalDerivationGoal::startBuilder()
    result.startTime = time(0);

    /* Fork a child to build the package. */
+    ProcessOptions options;

 #if __linux__
    if (useChroot) {
@@ -797,6 +818,8 @@ void LocalDerivationGoal::startBuilder()

        userNamespaceSync.create();

+        options.allowVfork = false;
+
        Path maxUserNamespaces = "/proc/sys/user/max_user_namespaces";
        static bool userNamespacesEnabled =
            pathExists(maxUserNamespaces)
@@ -854,7 +877,7 @@ void LocalDerivationGoal::startBuilder()
            writeFull(builderOut.writeSide.get(),
                fmt("%d %d\n", usingUserNamespace, child));
            _exit(0);
-        });
+        }, options);

        int res = helper.wait();
        if (res != 0 && settings.sandboxFallback) {
@@ -918,9 +941,10 @@ void LocalDerivationGoal::startBuilder()
 #endif
    {
    fallback:
+        options.allowVfork = !buildUser && !drv->isBuiltin();
        pid = startProcess([&]() {
            runChild();
-        });
+        }, options);
    }

    /* parent */
@@ -935,12 +959,9 @@ void LocalDerivationGoal::startBuilder()
            try {
                return readLine(builderOut.readSide.get());
            } catch (Error & e) {
-                auto status = pid.wait();
-                e.addTrace({}, "while waiting for the build environment for '%s' to initialize (%s, previous messages: %s)",
-                    worker.store.printStorePath(drvPath),
-                    statusToString(status),
+                e.addTrace({}, "while waiting for the build environment to initialize (previous messages: %s)",
                    concatStringsSep("|", msgs));
-                throw;
+                throw e;
            }
        }();
        if (string(msg, 0, 1) == "\2") break;
@@ -1063,38 +1084,123 @@ void LocalDerivationGoal::initEnv()
 }


+static std::regex shVarName("[A-Za-z_][A-Za-z0-9_]*");
+
+
 void LocalDerivationGoal::writeStructuredAttrs()
 {
-    if (auto structAttrsJson = parsedDrv->prepareStructuredAttrs(worker.store, inputPaths)) {
-        auto json = structAttrsJson.value();
-        nlohmann::json rewritten;
-        for (auto & [i, v] : json["outputs"].get<nlohmann::json::object_t>()) {
-            /* The placeholder must have a rewrite, so we use it to cover both the
-               cases where we know or don't know the output path ahead of time. */
-            rewritten[i] = rewriteStrings(v, inputRewrites);
+    auto structuredAttrs = parsedDrv->getStructuredAttrs();
+    if (!structuredAttrs) return;
+
+    auto json = *structuredAttrs;
+
+    /* Add an "outputs" object containing the output paths. */
+    nlohmann::json outputs;
+    for (auto & i : drv->outputs) {
+        /* The placeholder must have a rewrite, so we use it to cover both the
+           cases where we know or don't know the output path ahead of time. */
+        outputs[i.first] = rewriteStrings(hashPlaceholder(i.first), inputRewrites);
+    }
+    json["outputs"] = outputs;
+
+    /* Handle exportReferencesGraph. */
+    auto e = json.find("exportReferencesGraph");
+    if (e != json.end() && e->is_object()) {
+        for (auto i = e->begin(); i != e->end(); ++i) {
+            std::ostringstream str;
+            {
+                JSONPlaceholder jsonRoot(str, true);
+                StorePathSet storePaths;
+                for (auto & p : *i)
+                    storePaths.insert(worker.store.parseStorePath(p.get<std::string>()));
+                worker.store.pathInfoToJSON(jsonRoot,
+                    exportReferences(storePaths), false, true);
+            }
+            json[i.key()] = nlohmann::json::parse(str.str()); // urgh
+        }
+    }
+
+    writeFile(tmpDir + "/.attrs.json", rewriteStrings(json.dump(), inputRewrites));
+    chownToBuilder(tmpDir + "/.attrs.json");
+
+    /* As a convenience to bash scripts, write a shell file that
+       maps all attributes that are representable in bash -
+       namely, strings, integers, nulls, Booleans, and arrays and
+       objects consisting entirely of those values. (So nested
+       arrays or objects are not supported.) */
+
+    auto handleSimpleType = [](const nlohmann::json & value) -> std::optional<std::string> {
+        if (value.is_string())
+            return shellEscape(value);
+
+        if (value.is_number()) {
+            auto f = value.get<float>();
+            if (std::ceil(f) == f)
+                return std::to_string(value.get<int>());
        }

-        json["outputs"] = rewritten;
+        if (value.is_null())
+            return std::string("''");

-        auto jsonSh = writeStructuredAttrsShell(json);
+        if (value.is_boolean())
+            return value.get<bool>() ? std::string("1") : std::string("");

-        writeFile(tmpDir + "/.attrs.sh", rewriteStrings(jsonSh, inputRewrites));
-        chownToBuilder(tmpDir + "/.attrs.sh");
-        env["NIX_ATTRS_SH_FILE"] = tmpDir + "/.attrs.sh";
-        writeFile(tmpDir + "/.attrs.json", rewriteStrings(json.dump(), inputRewrites));
-        chownToBuilder(tmpDir + "/.attrs.json");
-        env["NIX_ATTRS_JSON_FILE"] = tmpDir + "/.attrs.json";
+        return {};
+    };
+
+    std::string jsonSh;
+
+    for (auto i = json.begin(); i != json.end(); ++i) {
+
+        if (!std::regex_match(i.key(), shVarName)) continue;
+
+        auto & value = i.value();
+
+        auto s = handleSimpleType(value);
+        if (s)
+            jsonSh += fmt("declare %s=%s\n", i.key(), *s);
+
+        else if (value.is_array()) {
+            std::string s2;
+            bool good = true;
+
+            for (auto i = value.begin(); i != value.end(); ++i) {
+                auto s3 = handleSimpleType(i.value());
+                if (!s3) { good = false; break; }
+                s2 += *s3; s2 += ' ';
+            }
+
+            if (good)
+                jsonSh += fmt("declare -a %s=(%s)\n", i.key(), s2);
+        }
+
+        else if (value.is_object()) {
+            std::string s2;
+            bool good = true;
+
+            for (auto i = value.begin(); i != value.end(); ++i) {
+                auto s3 = handleSimpleType(i.value());
+                if (!s3) { good = false; break; }
+                s2 += fmt("[%s]=%s ", shellEscape(i.key()), *s3);
+            }
+
+            if (good)
+                jsonSh += fmt("declare -A %s=(%s)\n", i.key(), s2);
+        }
    }
+
+    writeFile(tmpDir + "/.attrs.sh", rewriteStrings(jsonSh, inputRewrites));
+    chownToBuilder(tmpDir + "/.attrs.sh");
 }


 static StorePath pathPartOfReq(const DerivedPath & req)
 {
    return std::visit(overloaded {
-        [&](const DerivedPath::Opaque & bo) {
+        [&](DerivedPath::Opaque bo) {
            return bo.path;
        },
-        [&](const DerivedPath::Built & bfd)  {
+        [&](DerivedPath::Built bfd)  {
            return bfd.drvPath;
        },
    }, req.raw());
@@ -1233,10 +1339,8 @@ struct RestrictedStore : public virtual RestrictedStoreConfig, public virtual Lo
        return next->queryRealisation(id);
    }

-    void buildPaths(const std::vector<DerivedPath> & paths, BuildMode buildMode, std::shared_ptr<Store> evalStore) override
+    void buildPaths(const std::vector<DerivedPath> & paths, BuildMode buildMode) override
    {
-        assert(!evalStore);
-
        if (buildMode != bmNormal) throw Error("unsupported build mode");

        StorePathSet newPaths;
@@ -1650,7 +1754,7 @@ void LocalDerivationGoal::runChild()
                /* N.B. it is realistic that these paths might not exist. It
                   happens when testing Nix building fixed-output derivations
                   within a pure derivation. */
-                for (auto & path : { "/etc/resolv.conf", "/etc/services", "/etc/hosts" })
+                for (auto & path : { "/etc/resolv.conf", "/etc/services", "/etc/hosts", "/var/run/nscd/socket" })
                    if (pathExists(path))
                        ss.push_back(path);
            }
@@ -1832,7 +1936,7 @@ void LocalDerivationGoal::runChild()
        /* Fill in the arguments. */
        Strings args;

-        std::string builder = "invalid";
+        const char *builder = "invalid";

        if (drv->isBuiltin()) {
            ;
@@ -1958,13 +2062,13 @@ void LocalDerivationGoal::runChild()
                }
                args.push_back(drv->builder);
            } else {
-                builder = drv->builder;
+                builder = drv->builder.c_str();
                args.push_back(std::string(baseNameOf(drv->builder)));
            }
        }
 #else
        else {
-            builder = drv->builder;
+            builder = drv->builder.c_str();
            args.push_back(std::string(baseNameOf(drv->builder)));
        }
 #endif
@@ -2020,9 +2124,9 @@ void LocalDerivationGoal::runChild()
            posix_spawnattr_setbinpref_np(&attrp, 1, &cpu, NULL);
        }

-        posix_spawn(NULL, builder.c_str(), NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+        posix_spawn(NULL, builder, NULL, &attrp, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
 #else
-        execve(builder.c_str(), stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
+        execve(builder, stringsToCharPtrs(args).data(), stringsToCharPtrs(envStrs).data());
 #endif

        throw SysError("executing '%1%'", drv->builder);
@@ -2137,7 +2241,8 @@ void LocalDerivationGoal::registerOutputs()

        /* Pass blank Sink as we are not ready to hash data at this stage. */
        NullSink blank;
-        auto references = scanForReferences(blank, actualPath, referenceablePaths);
+        auto references = worker.store.parseStorePathSet(
+            scanForReferences(blank, actualPath, worker.store.printStorePathSet(referenceablePaths)));

        outputReferencesIfUnregistered.insert_or_assign(
            outputName,
@@ -2151,8 +2256,8 @@ void LocalDerivationGoal::registerOutputs()
                /* Since we'll use the already installed versions of these, we
                   can treat them as leaves and ignore any references they
                   have. */
-                [&](const AlreadyRegistered &) { return StringSet {}; },
-                [&](const PerhapsNeedToRegister & refs) {
+                [&](AlreadyRegistered _) { return StringSet {}; },
+                [&](PerhapsNeedToRegister refs) {
                    StringSet referencedOutputs;
                    /* FIXME build inverted map up front so no quadratic waste here */
                    for (auto & r : refs.refs)
@@ -2188,11 +2293,11 @@ void LocalDerivationGoal::registerOutputs()
        };

        std::optional<StorePathSet> referencesOpt = std::visit(overloaded {
-            [&](const AlreadyRegistered & skippedFinalPath) -> std::optional<StorePathSet> {
+            [&](AlreadyRegistered skippedFinalPath) -> std::optional<StorePathSet> {
                finish(skippedFinalPath.path);
                return std::nullopt;
            },
-            [&](const PerhapsNeedToRegister & r) -> std::optional<StorePathSet> {
+            [&](PerhapsNeedToRegister r) -> std::optional<StorePathSet> {
                return r.refs;
            },
        }, outputReferencesIfUnregistered.at(outputName));
@@ -2204,7 +2309,7 @@ void LocalDerivationGoal::registerOutputs()
        auto rewriteOutput = [&]() {
            /* Apply hash rewriting if necessary. */
            if (!outputRewrites.empty()) {
-                debug("rewriting hashes in '%1%'; cross fingers", actualPath);
+                warn("rewriting hashes in '%1%'; cross fingers", actualPath);

                /* FIXME: this is in-memory. */
                StringSink sink;
@@ -2308,7 +2413,7 @@ void LocalDerivationGoal::registerOutputs()
        };

        ValidPathInfo newInfo = std::visit(overloaded {
-            [&](const DerivationOutputInputAddressed & output) {
+            [&](DerivationOutputInputAddressed output) {
                /* input-addressed case */
                auto requiredFinalPath = output.path;
                /* Preemptively add rewrite rule for final hash, as that is
@@ -2327,14 +2432,14 @@ void LocalDerivationGoal::registerOutputs()
                    newInfo0.references.insert(newInfo0.path);
                return newInfo0;
            },
-            [&](const DerivationOutputCAFixed & dof) {
+            [&](DerivationOutputCAFixed dof) {
                auto newInfo0 = newInfoFromCA(DerivationOutputCAFloating {
                    .method = dof.hash.method,
                    .hashType = dof.hash.hash.type,
                });

                /* Check wanted hash */
-                const Hash & wanted = dof.hash.hash;
+                Hash & wanted = dof.hash.hash;
                assert(newInfo0.ca);
                auto got = getContentAddressHash(*newInfo0.ca);
                if (wanted != got) {
@@ -2470,13 +2575,7 @@ void LocalDerivationGoal::registerOutputs()
        infos.emplace(outputName, std::move(newInfo));
    }

-    if (buildMode == bmCheck) {
-        // In case of FOD mismatches on `--check` an error must be thrown as this is also
-        // a source for non-determinism.
-        if (delayedException)
-            std::rethrow_exception(delayedException);
-        return;
-    }
+    if (buildMode == bmCheck) return;

    /* Apply output checks. */
    checkOutputs(infos);
--- a/src/libstore/build/substitution-goal.cc
+++ b/src/libstore/build/substitution-goal.cc
@@ -204,7 +204,7 @@ void PathSubstitutionGoal::tryToRun()
            Activity act(*logger, actSubstitute, Logger::Fields{worker.store.printStorePath(storePath), sub->getUri()});
            PushActivity pact(act.id);

-            copyStorePath(*sub, worker.store,
+            copyStorePath(ref<Store>(sub), ref<Store>(worker.store.shared_from_this()),
                subPath ? *subPath : storePath, repair, sub->isTrusted ? NoCheckSigs : CheckSigs);

            promise.set_value();
--- a/src/libstore/build/worker.cc
+++ b/src/libstore/build/worker.cc
@@ -9,12 +9,11 @@

 namespace nix {

-Worker::Worker(Store & store, Store & evalStore)
+Worker::Worker(Store & store)
    : act(*logger, actRealise)
    , actDerivations(*logger, actBuilds)
    , actSubstitutions(*logger, actCopyPaths)
    , store(store)
-    , evalStore(evalStore)
 {
    /* Debugging: prevent recursive workers. */
    nrLocalBuilds = 0;
@@ -239,7 +238,7 @@ void Worker::run(const Goals & _topGoals)
        }
    }

-    /* Call queryMissing() to efficiently query substitutes. */
+    /* Call queryMissing() efficiently query substitutes. */
    StorePathSet willBuild, willSubstitute, unknown;
    uint64_t downloadSize, narSize;
    store.queryMissing(topPaths, willBuild, willSubstitute, unknown, downloadSize, narSize);
--- a/src/libstore/build/worker.hh
+++ b/src/libstore/build/worker.hh
@@ -110,7 +110,6 @@ public:
    bool checkMismatch;

    Store & store;
-    Store & evalStore;

    std::unique_ptr<HookInstance> hook;

@@ -132,7 +131,7 @@ public:
       it answers with "decline-permanently", we don't try again. */
    bool tryBuildHook = true;

-    Worker(Store & store, Store & evalStore);
+    Worker(Store & store);
    ~Worker();

    /* Make a goal (with caching). */
--- a/src/libstore/content-address.cc
+++ b/src/libstore/content-address.cc
@@ -31,10 +31,10 @@ std::string makeFixedOutputCA(FileIngestionMethod method, const Hash & hash)
 std::string renderContentAddress(ContentAddress ca)
 {
    return std::visit(overloaded {
-        [](TextHash & th) {
+        [](TextHash th) {
            return "text:" + th.hash.to_string(Base32, true);
        },
-        [](FixedOutputHash & fsh) {
+        [](FixedOutputHash fsh) {
            return makeFixedOutputCA(fsh.method, fsh.hash);
        }
    }, ca);
@@ -43,10 +43,10 @@ std::string renderContentAddress(ContentAddress ca)
 std::string renderContentAddressMethod(ContentAddressMethod cam)
 {
    return std::visit(overloaded {
-        [](TextHashMethod & th) {
+        [](TextHashMethod &th) {
            return std::string{"text:"} + printHashType(htSHA256);
        },
-        [](FixedOutputHashMethod & fshm) {
+        [](FixedOutputHashMethod &fshm) {
            return "fixed:" + makeFileIngestionPrefix(fshm.fileIngestionMethod) + printHashType(fshm.hashType);
        }
    }, cam);
@@ -104,12 +104,12 @@ ContentAddress parseContentAddress(std::string_view rawCa) {

    return std::visit(
        overloaded {
-            [&](TextHashMethod & thm) {
+            [&](TextHashMethod thm) {
                return ContentAddress(TextHash {
                    .hash = Hash::parseNonSRIUnprefixed(rest, htSHA256)
                });
            },
-            [&](FixedOutputHashMethod & fohMethod) {
+            [&](FixedOutputHashMethod fohMethod) {
                return ContentAddress(FixedOutputHash {
                    .method = fohMethod.fileIngestionMethod,
                    .hash = Hash::parseNonSRIUnprefixed(rest, std::move(fohMethod.hashType)),
@@ -137,10 +137,10 @@ std::string renderContentAddress(std::optional<ContentAddress> ca)
 Hash getContentAddressHash(const ContentAddress & ca)
 {
    return std::visit(overloaded {
-        [](const TextHash & th) {
+        [](TextHash th) {
            return th.hash;
        },
-        [](const FixedOutputHash & fsh) {
+        [](FixedOutputHash fsh) {
            return fsh.hash;
        }
    }, ca);
--- a/src/libstore/daemon.cc
+++ b/src/libstore/daemon.cc
@@ -227,15 +227,8 @@ struct ClientSettings
            try {
                if (name == "ssh-auth-sock") // obsolete
                    ;
-                else if (name == settings.experimentalFeatures.name) {
-                    // We don’t want to forward the experimental features to
-                    // the daemon, as that could cause some pretty weird stuff
-                    if (tokenizeString<Strings>(value) != settings.experimentalFeatures.get())
-                        debug("Ignoring the client-specified experimental features");
-                }
                else if (trusted
                    || name == settings.buildTimeout.name
-                    || name == settings.buildRepeat.name
                    || name == "connect-timeout"
                    || (name == "builders" && value == ""))
                    settings.set(name, value);
@@ -250,6 +243,23 @@ struct ClientSettings
    }
 };

+static void writeValidPathInfo(
+    ref<Store> store,
+    unsigned int clientVersion,
+    Sink & to,
+    std::shared_ptr<const ValidPathInfo> info)
+{
+    to << (info->deriver ? store->printStorePath(*info->deriver) : "")
+       << info->narHash.to_string(Base16, false);
+    worker_proto::write(*store, to, info->references);
+    to << info->registrationTime << info->narSize;
+    if (GET_PROTOCOL_MINOR(clientVersion) >= 16) {
+        to << info->ultimate
+           << info->sigs
+           << renderContentAddress(info->ca);
+    }
+}
+
 static std::vector<DerivedPath> readDerivedPaths(Store & store, unsigned int clientVersion, Source & from)
 {
    std::vector<DerivedPath> reqs;
@@ -396,13 +406,13 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
                FramedSource source(from);
                // TODO this is essentially RemoteStore::addCAToStore. Move it up to Store.
                return std::visit(overloaded {
-                    [&](TextHashMethod &) {
+                    [&](TextHashMethod &_) {
                        // We could stream this by changing Store
                        std::string contents = source.drain();
                        auto path = store->addTextToStore(name, contents, refs, repair);
                        return store->queryPathInfo(path);
                    },
-                    [&](FixedOutputHashMethod & fohm) {
+                    [&](FixedOutputHashMethod &fohm) {
                        if (!refs.empty())
                            throw UnimplementedError("cannot yet have refs with flat or nar-hashed data");
                        auto path = store->addToStoreFromDump(source, name, fohm.fileIngestionMethod, fohm.hashType, repair);
@@ -412,7 +422,9 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
            }();
            logger->stopWork();

-            pathInfo->write(to, *store, GET_PROTOCOL_MINOR(clientVersion));
+            to << store->printStorePath(pathInfo->path);
+            writeValidPathInfo(store, clientVersion, to, pathInfo);
+
        } else {
            HashType hashAlgo;
            std::string baseName;
@@ -459,21 +471,6 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
        break;
    }

-    case wopAddMultipleToStore: {
-        bool repair, dontCheckSigs;
-        from >> repair >> dontCheckSigs;
-        if (!trusted && dontCheckSigs)
-            dontCheckSigs = false;
-
-        logger->startWork();
-        FramedSource source(from);
-        store->addMultipleToStore(source,
-            RepairFlag{repair},
-            dontCheckSigs ? NoCheckSigs : CheckSigs);
-        logger->stopWork();
-        break;
-    }
-
    case wopAddTextToStore: {
        string suffix = readString(from);
        string s = readString(from);
@@ -773,7 +770,7 @@ static void performOp(TunnelLogger * logger, ref<Store> store,
        if (info) {
            if (GET_PROTOCOL_MINOR(clientVersion) >= 17)
                to << 1;
-            info->write(to, *store, GET_PROTOCOL_MINOR(clientVersion), false);
+            writeValidPathInfo(store, clientVersion, to, info);
        } else {
            assert(GET_PROTOCOL_MINOR(clientVersion) >= 17);
            to << 0;
--- a/src/libstore/derivations.cc
+++ b/src/libstore/derivations.cc
@@ -10,18 +10,18 @@ namespace nix {
 std::optional<StorePath> DerivationOutput::path(const Store & store, std::string_view drvName, std::string_view outputName) const
 {
    return std::visit(overloaded {
-        [](const DerivationOutputInputAddressed & doi) -> std::optional<StorePath> {
+        [](DerivationOutputInputAddressed doi) -> std::optional<StorePath> {
            return { doi.path };
        },
-        [&](const DerivationOutputCAFixed & dof) -> std::optional<StorePath> {
+        [&](DerivationOutputCAFixed dof) -> std::optional<StorePath> {
            return {
                dof.path(store, drvName, outputName)
            };
        },
-        [](const DerivationOutputCAFloating & dof) -> std::optional<StorePath> {
+        [](DerivationOutputCAFloating dof) -> std::optional<StorePath> {
            return std::nullopt;
        },
-        [](const DerivationOutputDeferred &) -> std::optional<StorePath> {
+        [](DerivationOutputDeferred) -> std::optional<StorePath> {
            return std::nullopt;
        },
    }, output);
@@ -332,22 +332,22 @@ string Derivation::unparse(const Store & store, bool maskOutputs,
        if (first) first = false; else s += ',';
        s += '('; printUnquotedString(s, i.first);
        std::visit(overloaded {
-            [&](const DerivationOutputInputAddressed & doi) {
+            [&](DerivationOutputInputAddressed doi) {
                s += ','; printUnquotedString(s, maskOutputs ? "" : store.printStorePath(doi.path));
                s += ','; printUnquotedString(s, "");
                s += ','; printUnquotedString(s, "");
            },
-            [&](const DerivationOutputCAFixed & dof) {
+            [&](DerivationOutputCAFixed dof) {
                s += ','; printUnquotedString(s, maskOutputs ? "" : store.printStorePath(dof.path(store, name, i.first)));
                s += ','; printUnquotedString(s, dof.hash.printMethodAlgo());
                s += ','; printUnquotedString(s, dof.hash.hash.to_string(Base16, false));
            },
-            [&](const DerivationOutputCAFloating & dof) {
+            [&](DerivationOutputCAFloating dof) {
                s += ','; printUnquotedString(s, "");
                s += ','; printUnquotedString(s, makeFileIngestionPrefix(dof.method) + printHashType(dof.hashType));
                s += ','; printUnquotedString(s, "");
            },
-            [&](const DerivationOutputDeferred &) {
+            [&](DerivationOutputDeferred) {
                s += ','; printUnquotedString(s, "");
                s += ','; printUnquotedString(s, "");
                s += ','; printUnquotedString(s, "");
@@ -420,13 +420,13 @@ DerivationType BasicDerivation::type() const
    std::optional<HashType> floatingHashType;
    for (auto & i : outputs) {
        std::visit(overloaded {
-            [&](const DerivationOutputInputAddressed &) {
+            [&](DerivationOutputInputAddressed _) {
               inputAddressedOutputs.insert(i.first);
            },
-            [&](const DerivationOutputCAFixed &) {
+            [&](DerivationOutputCAFixed _) {
                fixedCAOutputs.insert(i.first);
            },
-            [&](const DerivationOutputCAFloating & dof) {
+            [&](DerivationOutputCAFloating dof) {
                floatingCAOutputs.insert(i.first);
                if (!floatingHashType) {
                    floatingHashType = dof.hashType;
@@ -435,7 +435,7 @@ DerivationType BasicDerivation::type() const
                        throw Error("All floating outputs must use the same hash type");
                }
            },
-            [&](const DerivationOutputDeferred &) {
+            [&](DerivationOutputDeferred _) {
               deferredIAOutputs.insert(i.first);
            },
        }, i.second.output);
@@ -538,15 +538,15 @@ DrvHashModulo hashDerivationModulo(Store & store, const Derivation & drv, bool m
        const auto & res = pathDerivationModulo(store, i.first);
        std::visit(overloaded {
            // Regular non-CA derivation, replace derivation
-            [&](const Hash & drvHash) {
+            [&](Hash drvHash) {
                inputs2.insert_or_assign(drvHash.to_string(Base16, false), i.second);
            },
-            [&](const DeferredHash & deferredHash) {
+            [&](DeferredHash deferredHash) {
                isDeferred = true;
                inputs2.insert_or_assign(deferredHash.hash.to_string(Base16, false), i.second);
            },
            // CA derivation's output hashes
-            [&](const CaOutputHashes & outputHashes) {
+            [&](CaOutputHashes outputHashes) {
                std::set<std::string> justOut = { "out" };
                for (auto & output : i.second) {
                    /* Put each one in with a single "out" output.. */
@@ -568,21 +568,21 @@ DrvHashModulo hashDerivationModulo(Store & store, const Derivation & drv, bool m
 }


-std::map<std::string, Hash> staticOutputHashes(Store & store, const Derivation & drv)
+std::map<std::string, Hash> staticOutputHashes(Store& store, const Derivation& drv)
 {
    std::map<std::string, Hash> res;
    std::visit(overloaded {
-        [&](const Hash & drvHash) {
+        [&](Hash drvHash) {
            for (auto & outputName : drv.outputNames()) {
                res.insert({outputName, drvHash});
            }
        },
-        [&](const DeferredHash & deferredHash) {
+        [&](DeferredHash deferredHash) {
            for (auto & outputName : drv.outputNames()) {
                res.insert({outputName, deferredHash.hash});
            }
        },
-        [&](const CaOutputHashes & outputHashes) {
+        [&](CaOutputHashes outputHashes) {
            res = outputHashes;
        },
    }, hashDerivationModulo(store, drv, true));
@@ -666,22 +666,22 @@ void writeDerivation(Sink & out, const Store & store, const BasicDerivation & dr
    for (auto & i : drv.outputs) {
        out << i.first;
        std::visit(overloaded {
-            [&](const DerivationOutputInputAddressed & doi) {
+            [&](DerivationOutputInputAddressed doi) {
                out << store.printStorePath(doi.path)
                    << ""
                    << "";
            },
-            [&](const DerivationOutputCAFixed & dof) {
+            [&](DerivationOutputCAFixed dof) {
                out << store.printStorePath(dof.path(store, drv.name, i.first))
                    << dof.hash.printMethodAlgo()
                    << dof.hash.hash.to_string(Base16, false);
            },
-            [&](const DerivationOutputCAFloating & dof) {
+            [&](DerivationOutputCAFloating dof) {
                out << ""
                    << (makeFileIngestionPrefix(dof.method) + printHashType(dof.hashType))
                    << "";
            },
-            [&](const DerivationOutputDeferred &) {
+            [&](DerivationOutputDeferred) {
                out << ""
                    << ""
                    << "";
--- a/src/libstore/derivations.hh
+++ b/src/libstore/derivations.hh
@@ -138,8 +138,8 @@ struct Derivation : BasicDerivation

    /* Return the underlying basic derivation but with these changes:

-       1. Input drvs are emptied, but the outputs of them that were used are
-          added directly to input sources.
+	   1. Input drvs are emptied, but the outputs of them that were used are
+	      added directly to input sources.

       2. Input placeholders are replaced with realized input store paths. */
    std::optional<BasicDerivation> tryResolve(Store & store);
--- a/src/libstore/derived-path.cc
+++ b/src/libstore/derived-path.cc
@@ -24,8 +24,8 @@ StorePathSet BuiltPath::outPaths() const
 {
    return std::visit(
        overloaded{
-            [](const BuiltPath::Opaque & p) { return StorePathSet{p.path}; },
-            [](const BuiltPath::Built & b) {
+            [](BuiltPath::Opaque p) { return StorePathSet{p.path}; },
+            [](BuiltPath::Built b) {
                StorePathSet res;
                for (auto & [_, path] : b.outputs)
                    res.insert(path);
@@ -94,8 +94,8 @@ RealisedPath::Set BuiltPath::toRealisedPaths(Store & store) const
    RealisedPath::Set res;
    std::visit(
        overloaded{
-            [&](const BuiltPath::Opaque & p) { res.insert(p.path); },
-            [&](const BuiltPath::Built & p) {
+            [&](BuiltPath::Opaque p) { res.insert(p.path); },
+            [&](BuiltPath::Built p) {
                auto drvHashes =
                    staticOutputHashes(store, store.readDerivation(p.drvPath));
                for (auto& [outputName, outputPath] : p.outputs) {
--- a/src/libstore/dummy-store.cc
+++ b/src/libstore/dummy-store.cc
@@ -43,6 +43,11 @@ struct DummyStore : public virtual DummyStoreConfig, public virtual Store
        RepairFlag repair, CheckSigsFlag checkSigs) override
    { unsupported("addToStore"); }

+    StorePath addToStore(const string & name, const Path & srcPath,
+        FileIngestionMethod method, HashType hashAlgo,
+        PathFilter & filter, RepairFlag repair) override
+    { unsupported("addToStore"); }
+
    StorePath addTextToStore(const string & name, const string & s,
        const StorePathSet & references, RepairFlag repair) override
    { unsupported("addTextToStore"); }
--- a/src/libstore/filetransfer.cc
+++ b/src/libstore/filetransfer.cc
@@ -716,32 +716,15 @@ struct curlFileTransfer : public FileTransfer
    }
 };

-ref<curlFileTransfer> makeCurlFileTransfer()
-{
-    return make_ref<curlFileTransfer>();
-}
-
 ref<FileTransfer> getFileTransfer()
 {
-    static ref<curlFileTransfer> fileTransfer = makeCurlFileTransfer();
-
-    // this has to be done in its own scope to make sure that the lock is released
-    // before creating a new fileTransfer instance.
-    auto needsRecreation = [&]() -> bool {
-        auto state = fileTransfer->state_.lock();
-        return state->quit;
-    };
-
-    if (needsRecreation()) {
-        fileTransfer = makeCurlFileTransfer();
-    }
-
+    static ref<FileTransfer> fileTransfer = makeFileTransfer();
    return fileTransfer;
 }

 ref<FileTransfer> makeFileTransfer()
 {
-    return makeCurlFileTransfer();
+    return make_ref<curlFileTransfer>();
 }

 std::future<FileTransferResult> FileTransfer::enqueueFileTransfer(const FileTransferRequest & request)
--- a/src/libstore/globals.cc
+++ b/src/libstore/globals.cc
@@ -166,7 +166,7 @@ bool Settings::isExperimentalFeatureEnabled(const std::string & name)
 }

 MissingExperimentalFeature::MissingExperimentalFeature(std::string feature)
-    : Error("experimental Nix feature '%1%' is disabled; use '--extra-experimental-features %1%' to override", feature)
+    : Error("experimental Nix feature '%1%' is disabled; use '--experimental-features %1%' to override", feature)
    , missingFeature(feature)
    {}

--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -956,9 +956,6 @@ public:
          resolves to a different location from that of the build machine. You
          can enable this setting if you are sure you're not going to do that.
        )"};
-
-    Setting<bool> useRegistries{this, true, "use-registries",
-        "Whether to use flake registries to resolve flake references."};
 };


--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`$(eval $(call install-file-as, $(d)/completion.fish, $(datarootdir)/fish/vendor_completions.d/nix.fish, 0644))`