Parse allowed* = null properly in structuredAttrs

This is the explicit way to indicate that there is no allow list.

.github/actions/install-nix-action/action.yaml

@@ -24,8 +24,8 @@ inputs:
     description: "Github token"
     required: true
   use_cache:
-    description: "Whether to setup github actions cache (not implemented currently)"
-    default: false
+    description: "Whether to setup magic-nix-cache"
+    default: true
     required: false
 runs:
   using: "composite"
@@ -122,3 +122,10 @@ runs:
         source-url: ${{ inputs.experimental-installer-version != 'latest' && 'https://artifacts.nixos.org/experimental-installer/tag/${{ inputs.experimental-installer-version }}/${{ env.EXPERIMENTAL_INSTALLER_ARTIFACT }}' || '' }}
         nix-package-url: ${{ inputs.dogfood == 'true' && steps.download-nix-installer.outputs.tarball-path || (inputs.tarball_url || '') }}
         extra-conf: ${{ inputs.extra_nix_config }}
+    - uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39 # v13
+      if: ${{ inputs.use_cache == 'true' }}
+      with:
+        diagnostic-endpoint: ''
+        use-flakehub: false
+        use-gha-cache: true
+        source-revision: 92d9581367be2233c2d5714a2640e1339f4087d8 # main

.github/workflows/backport.yml

@@ -0,0 +1,37 @@
+name: Backport
+on:
+  pull_request_target:
+    types: [closed, labeled]
+permissions:
+  contents: read
+jobs:
+  backport:
+    name: Backport Pull Request
+    permissions:
+      # for korthout/backport-action
+      contents: write
+      pull-requests: write
+    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - name: Generate GitHub App token
+        id: generate-token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ vars.CI_APP_ID }}
+          private-key: ${{ secrets.CI_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          # required to find all branches
+          fetch-depth: 0
+      - name: Create backport PRs
+        uses: korthout/backport-action@d07416681cab29bf2661702f925f020aaa962997 # v3.4.1
+        id: backport
+        with:
+          # Config README: https://github.com/korthout/backport-action#backport-action
+          github_token: ${{ steps.generate-token.outputs.token }}
+          github_workspace: ${{ github.workspace }}
+          auto_merge_enabled: true
+          pull_description: |-
+            Automatic backport to `${target_branch}`, triggered by a label in #${pull_number}.

.github/workflows/ci.yml

@@ -0,0 +1,318 @@
+name: "CI"
+
+on:
+  pull_request:
+  merge_group:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+    inputs:
+      dogfood:
+        description: 'Use dogfood Nix build'
+        required: false
+        default: true
+        type: boolean
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+  eval:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        extra_nix_config:
+          experimental-features = nix-command flakes
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        use_cache: false
+    - run: nix flake show --all-systems --json
+
+  pre-commit-checks:
+    name: pre-commit checks
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@v6
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+          extra_nix_config: experimental-features = nix-command flakes
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - run: ./ci/gha/tests/pre-commit-checks
+
+  basic-checks:
+    name: aggregate basic checks
+    if: ${{ always() }}
+    runs-on: ubuntu-24.04
+    needs: [pre-commit-checks, eval]
+    steps:
+      - name: Exit with any errors
+        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
+        run: |
+          exit 1
+
+  tests:
+    needs: basic-checks
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            os: linux
+            instrumented: false
+            primary: true
+            stdenv: stdenv
+          - scenario: on macos
+            runs-on: macos-14
+            os: darwin
+            instrumented: false
+            primary: true
+            stdenv: stdenv
+          - scenario: on ubuntu (with sanitizers / coverage)
+            runs-on: ubuntu-24.04
+            os: linux
+            instrumented: true
+            primary: false
+            stdenv: clangStdenv
+    name: tests ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
+    timeout-minutes: 60
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        # The sandbox would otherwise be disabled by default on Darwin
+        extra_nix_config: "sandbox = true"
+    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
+    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+      if: matrix.os == 'linux'
+    - name: Run component tests
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix componentTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}"
+    - name: Run VM tests
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix vmTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}"
+      if: ${{ matrix.os == 'linux' }}
+    - name: Run flake checks and prepare the installer tarball
+      run: |
+        ci/gha/tests/build-checks
+        ci/gha/tests/prepare-installer-for-github-actions
+      if: ${{ matrix.primary }}
+    - name: Collect code coverage
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix codeCoverage.coverageReports -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}" \
+          --out-link coverage-reports
+        cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
+      if: ${{ matrix.instrumented }}
+    - name: Upload coverage reports
+      uses: actions/upload-artifact@v5
+      with:
+        name: coverage-reports
+        path: coverage-reports/
+      if: ${{ matrix.instrumented }}
+    - name: Upload installer tarball
+      uses: actions/upload-artifact@v5
+      with:
+        name: installer-${{matrix.os}}
+        path: out/*
+      if: ${{ matrix.primary }}
+
+  installer_test:
+    needs: [tests]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            os: linux
+            experimental-installer: false
+          - scenario: on macos
+            runs-on: macos-14
+            os: darwin
+            experimental-installer: false
+          - scenario: on ubuntu (experimental)
+            runs-on: ubuntu-24.04
+            os: linux
+            experimental-installer: true
+          - scenario: on macos (experimental)
+            runs-on: macos-14
+            os: darwin
+            experimental-installer: true
+    name: installer test ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
+    steps:
+    - uses: actions/checkout@v6
+    - name: Download installer tarball
+      uses: actions/download-artifact@v6
+      with:
+        name: installer-${{matrix.os}}
+        path: out
+    - name: Looking up the installer tarball URL
+      id: installer-tarball-url
+      run: |
+        echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
+        TARBALL_PATH="$(find "$GITHUB_WORKSPACE/out" -name 'nix*.tar.xz' -print | head -n 1)"
+        echo "tarball-path=file://$TARBALL_PATH" >> "$GITHUB_OUTPUT"
+    - uses: cachix/install-nix-action@0b0e072294b088b73964f1d72dfdac0951439dbd # v31.8.4
+      if: ${{ !matrix.experimental-installer }}
+      with:
+        install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
+        install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
+    - uses: ./.github/actions/install-nix-action
+      if: ${{ matrix.experimental-installer }}
+      with:
+        dogfood: false
+        experimental-installer: true
+        tarball_url: ${{ steps.installer-tarball-url.outputs.tarball-path }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - run: sudo apt install fish zsh
+      if: matrix.os == 'linux'
+    - run: brew install fish
+      if: matrix.os == 'darwin'
+    - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval"
+    - run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval"
+    - run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval"
+    - run: exec fish -c "nix-instantiate -E 'builtins.currentTime' --eval"
+    - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
+    - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"
+
+  # Steps to test CI automation in your own fork.
+  # 1. Sign-up for https://hub.docker.com/
+  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
+  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
+  check_secrets:
+    permissions:
+      contents: none
+    name: Check presence of secrets
+    runs-on: ubuntu-24.04
+    outputs:
+      docker: ${{ steps.secret.outputs.docker }}
+    steps:
+      - name: Check for DockerHub secrets
+        id: secret
+        env:
+          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
+
+  docker_push_image:
+    needs: [tests, check_secrets]
+    permissions:
+      contents: read
+      packages: write
+    if: >-
+      needs.check_secrets.outputs.docker == 'true' &&
+      github.event_name == 'push' &&
+      github.ref_name == 'master'
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        dogfood: false
+        extra_nix_config: |
+          experimental-features = flakes nix-command
+    - run: echo NIX_VERSION="$(nix eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
+    - run: nix build .#dockerImage -L
+    - run: docker load -i ./result/image.tar.gz
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
+    # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
+    #
+    # Push to Docker Hub first
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        password: ${{ secrets.DOCKERHUB_TOKEN }}
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
+    # Push to GitHub Container Registry as well
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    - name: Push image
+      run: |
+        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/nix
+        # Change all uppercase to lowercase
+        IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
+
+        docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
+        docker tag nix:$NIX_VERSION $IMAGE_ID:latest
+        docker push $IMAGE_ID:$NIX_VERSION
+        docker push $IMAGE_ID:latest
+        # deprecated 2024-02-24
+        docker tag nix:$NIX_VERSION $IMAGE_ID:master
+        docker push $IMAGE_ID:master
+
+  flake_regressions:
+    needs: tests
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout nix
+        uses: actions/checkout@v6
+      - name: Checkout flake-regressions
+        uses: actions/checkout@v6
+        with:
+          repository: NixOS/flake-regressions
+          path: flake-regressions
+      - name: Checkout flake-regressions-data
+        uses: actions/checkout@v6
+        with:
+          repository: NixOS/flake-regressions-data
+          path: flake-regressions/tests
+      - uses: ./.github/actions/install-nix-action
+        with:
+          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+          extra_nix_config:
+            experimental-features = nix-command flakes
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh
+
+  profile_build:
+    needs: tests
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    if: >-
+      github.event_name == 'push' &&
+      github.ref_name == 'master'
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        extra_nix_config: |
+          experimental-features = flakes nix-command ca-derivations impure-derivations
+          max-jobs = 1
+    - run: |
+        nix build -L --file ./ci/gha/profile-build buildTimeReport --out-link build-time-report.md
+        cat build-time-report.md >> $GITHUB_STEP_SUMMARY

.github/workflows/labels.yml

@@ -0,0 +1,24 @@
+name: "Label PR"
+
+on:
+  pull_request_target:
+    types: [edited, opened, synchronize, reopened]
+
+# WARNING:
+# When extending this action, be aware that $GITHUB_TOKEN allows some write
+# access to the GitHub API. This means that it should not evaluate user input in
+# a way that allows code injection.
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  labels:
+    runs-on: ubuntu-24.04
+    if: github.repository_owner == 'NixOS'
+    steps:
+    - uses: actions/labeler@v6
+      with:
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        sync-labels: false

.gitignore

@@ -1,7 +1,5 @@
 # Default meson build dir
 /build
-# Meson creates this file too
-src/.wraplock
 
 # /tests/functional/
 /tests/functional/common/subst-vars.sh
@@ -16,10 +14,6 @@ src/.wraplock
 /tests/functional/lang/*.err
 /tests/functional/lang/*.ast
 
-# /tests/functional/cli-characterisation/
-/tests/functional/cli-characterisation/*.out
-/tests/functional/cli-characterisation/*.err
-
 /outputs
 
 *~

.version

@@ -1 +1 @@
-2.35.0
+2.33.0

ci/gha/tests/windows.nix

@@ -1,30 +0,0 @@
-{
-  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
-  system ? builtins.currentSystem,
-  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
-}:
-
-let
-  packages = nixFlake.packages.${system};
-
-  fixOutput =
-    test:
-    test.overrideAttrs (prev: {
-      nativeBuildInputs = prev.nativeBuildInputs or [ ] ++ [ pkgs.colorized-logs ];
-      env.GTEST_COLOR = "no";
-      # Wine's console emulation wraps every character in ANSI cursor
-      # hide/show sequences, making logs unreadable in GitHub Actions.
-      buildCommand = ''
-        set -o pipefail
-        {
-          ${prev.buildCommand}
-        } 2>&1 | ansi2txt
-      '';
-    });
-in
-
-{
-  unitTests = {
-    "nix-util-tests" = fixOutput packages."nix-util-tests-x86_64-w64-mingw32".passthru.tests.run;
-  };
-}

doc/manual/meson.build

@@ -26,6 +26,7 @@ bash = find_program('bash', native : true)
 # HTML manual dependencies (conditional)
 if get_option('html-manual')
   mdbook = find_program('mdbook', native : true)
+  rsync = find_program('rsync', required : true, native : true)
 endif
 
 pymod = import('python')
@@ -125,12 +126,7 @@ if get_option('html-manual')
           @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
           @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
           sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
-          # Copy source to build directory, excluding the build directory itself
-          # (which is present when built as an individual component).
-          # Use tar with --dereference to copy symlink targets (e.g., JSON examples from tests).
-          (cd @CURRENT_SOURCE_DIR@ && find . -mindepth 1 -maxdepth 1 ! -name build | tar -c --dereference -T - -f -) | (cd @2@ && tar -xf -)
-          chmod -R u+w @2@
-          find @2@ -name '*.drv' -delete
+          @4@ -r -L --exclude='*.drv' --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
           (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
           rm -rf @2@/manual
           mv @2@/html @2@/manual
@@ -142,6 +138,7 @@ if get_option('html-manual')
         mdbook.full_path(),
         meson.current_build_dir(),
         meson.project_version(),
+        rsync.full_path(),
       ),
     ],
     input : [

doc/manual/package.nix

@@ -1,6 +1,5 @@
 {
   lib,
-  stdenv,
   callPackage,
   mkMesonDerivation,
   runCommand,
@@ -11,6 +10,7 @@
   mdbook,
   jq,
   python3,
+  rsync,
   nix-cli,
   changelog-d,
   json-schema-for-humans,
@@ -54,8 +54,6 @@ mkMesonDerivation (finalAttrs: {
         ../../src/libstore-tests/data/nar-info
         ../../src/libstore-tests/data/build-result
         ../../src/libstore-tests/data/dummy-store
-        # For derivation examples referenced by symlinks in doc/manual/source/protocols/json/schema/
-        ../../tests/functional/derivation
         # Too many different types of files to filter for now
         ../../doc/manual
         ./.
@@ -92,13 +90,13 @@ mkMesonDerivation (finalAttrs: {
   ]
   ++ lib.optionals buildHtmlManual [
     mdbook
+    rsync
     json-schema-for-humans
   ]
-  ++ lib.optionals (!officialRelease && buildHtmlManual && !stdenv.hostPlatform.isi686) [
+  ++ lib.optionals (!officialRelease && buildHtmlManual) [
     # When not an official release, we likely have changelog entries that have
     # yet to be rendered.
     # When released, these are rendered into a committed file to save a dependency.
-    # Broken on i686.
     changelog-d
   ];
 

doc/manual/rl-next/beta-installer

@@ -1,29 +0,0 @@
----
-synopsis: "Rust nix-installer in beta"
-prs: []
----
-
-The Rust-based rewrite of the Nix installer is now in beta.
-We'd love help testing it out!
-
-To test out the new installer, run:
-```
-curl -sSfL https://artifacts.nixos.org/nix-installer | sh -s -- install
-```
-
-This installer can be run even when you have an existing, script-based Nix installation without any adjustments.
-
-This new installer also comes with the ability to uninstall your Nix installation; run:
-```
-/nix/nix-installer uninstall
-```
-
-This will get rid of your entire Nix installation (even if you installed over an existing, script-based installation).
-
-This installer is a modified version of the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer) by Determinate Systems.
-Thanks to Determinate Systems for all the investment they've put into the installer.
-
-Source for the installer is in https://github.com/NixOS/nix-installer.
-Report any issues in that repo.
-
-For CI usage, a GitHub Action to install Nix using this installer is available at https://github.com/NixOS/nix-installer-action.

doc/manual/rl-next/build-trace-rework.md

@@ -1,81 +0,0 @@
----
-synopsis: "Content-addressed derivations: realisations keyed by store path instead of hash modulo"
-issues: [11897]
-prs: [12464]
----
-
-The experimental content-addressed (CA) derivation feature has undergone a significant change to how build traces (formerly called "realisations") are identified. This affects the **binary cache protocol** and the **wire protocols**.
-
-### What changed
-
-Previously, a build trace entry (realisation) was keyed by the **hash modulo** of the derivation.
-A SHA-256 hash computed via the complex "derivation hash modulo" algorithm.
-This required implementations to understand ATerm serialisation and the full derivation hashing scheme just to look up or store build results.
-
-Now, build trace entries are keyed by the **regular derivation store path** plus the output name. For example, instead of:
-
-```
-sha256:ba7816bf8f01...!out
-```
-
-The key is now:
-
-```
-/nix/store/abc...-foo.drv^out
-```
-
-This is simpler, more intuitive, and means that third-party tools implementing CA derivation support (e.g., Hydra)
-no longer need to implement the derivation hash modulo algorithm.
-
-### Binary cache protocol
-
-- The directory for build traces moved from `realisations/` to `build-trace-v2/`.
-- File paths changed from `realisations/<hash>!<output>.doi` to `build-trace-v2/<drvName>/<outputName>.doi`.
-- The JSON format of build trace entries is now split into `key` and `value` objects:
-  ```json
-  {
-    "key": {
-      "drvPath": "abc...-foo.drv",
-      "outputName": "out"
-    },
-    "value": {
-      "outPath": "xyz...-foo",
-      "signatures": [{ "keyName": "cache.example.com-1", "sig": "..." }]
-    }
-  }
-  ```
-  Previously, these were flat objects with a string `id` field like `"sha256:...!out"`.
-- The deprecated `dependentRealisations` field has been removed.
-
-Existing binary caches will need to be re-populated with the new format for CA derivation build traces.
-Old build traces at the previous URLs are simply abandoned.
-Non-CA builds are unaffected.
-
-### Wire protocols
-
-- **Worker protocol**:
-  A new feature flag `realisation-with-path-not-hash` is negotiated during the handshake.
-  Clients and daemons that both support this feature use the new binary serialisation for `DrvOutput`, `UnkeyedRealisation`, and related types.
-  Fallback to older protocol versions gracefully degrades (realisations are unavailable).
-- **Serve protocol**:
-  Bumped from 2.7 to 2.8 with native serialisers for the new types.
-  Fallback to older protocol versions gracefully degrades in the same way.
-
-Stable code paths do use the realization fields (`BuildResult::Success::builtOutputs`), but only the output name and outpath parts of that.
-For older protocols, we can fake enough of the realisation format to provide those two parts forthat map, which keeps operations like `--print-output-paths` working.
-
-### Structured signatures
-
-[Signatures](@docroot@/protocols/json/signature.md) in JSON formats are now represented as structured objects with `keyName` and `sig` fields, rather than colon-separated strings.
-`nix path-info --json --json-format 3` opts into the new version for this command.
-JSON parsing accepts both the old string format and new structured format for backwards compatibility.
-
-### Impact
-
-- **Non-CA derivation users**: No impact. This only affects the experimental `ca-derivations` feature.
-- **Binary cache operators**:
-  Binary caches serving CA derivation build traces will need to be repopulated.
-  Existing NARs and narinfo files are unaffected.
-- **Tool authors**:
-  Implementations interfacing with the CA derivations protocol are simplified.
-  The derivation hash modulo algorithm is no longer required to form build trace keys.

doc/manual/rl-next/channels-subdomain.md

@@ -0,0 +1,9 @@
+---
+synopsis: Channel URLs migrated to channels.nixos.org subdomain
+prs: [14518]
+issues: [14517]
+---
+
+Channel URLs have been updated from `https://nixos.org/channels/` to `https://channels.nixos.org/` throughout Nix.
+
+The subdomain provides better reliability with IPv6 support and improved CDN distribution. The old domain apex (`nixos.org/channels/`) currently redirects to the new location but may be deprecated in the future.

doc/manual/rl-next/fix-primop-eval-state.md

@@ -1,10 +0,0 @@
----
-synopsis: "C API: Fix `EvalState` pointer passed to primop callbacks"
-prs: [15300, 15383]
----
-
-The `EvalState *` passed to C API primop callbacks was incorrectly pointing to
-the internal `nix::EvalState` rather than the C API wrapper struct. This caused
-a segfault when the callback used the pointer with C API functions such as
-`nix_alloc_value()`. The same issue affected `printValueAsJSON` and
-`printValueAsXML` callbacks on external values.

doc/manual/rl-next/github-fetcher-param-validation.md

@@ -1,7 +0,0 @@
----
-synopsis: GitHub fetcher now validates URL parameters
-prs: [15331]
-issues: [15304]
----
-
-The `github:` fetcher now validates URL parameters, and will error if an invalid parameter like `tag` is provided.

doc/manual/rl-next/json-format-changes.md

@@ -0,0 +1,88 @@
+---
+synopsis: "JSON format changes for store path info and derivations"
+prs: []
+issues: []
+---
+
+JSON formats for store path info and derivations have been updated with new versions and structured fields.
+
+## Store Path Info JSON
+
+`nix path-info --json` now requires a `--json-format` flag to specify the output format version.
+Using `--json` without `--json-format` is deprecated and will become an error in a future release.
+For now, it defaults to version 1 with a warning, for a smoother migration.
+
+### Version 1 (`--json-format 1`)
+
+This is the legacy format, preserved for backwards compatibility:
+
+- String-based hash values (e.g., `"narHash": "sha256:FePFYIlM..."`)
+- String-based content addresses (e.g., `"ca": "fixed:r:sha256:1abc..."`)
+- Full store paths for map keys and references (e.g., `"/nix/store/abc...-foo"`)
+- Now includes `"storeDir"` field at the top level
+
+### Version 2 (`--json-format 2`)
+
+The new structured format follows the [JSON guidelines](@docroot@/development/json-guideline.md) with the following changes:
+
+- **Nested structure with top-level metadata**:
+
+  The output is now wrapped in an object with `version`, `storeDir`, and `info` fields:
+
+  ```json
+  {
+    "version": 2,
+    "storeDir": "/nix/store",
+    "info": { ... }
+  }
+  ```
+
+  The map from store bath base names to store object info is nested under the `info` field.
+
+- **Store path base names instead of full paths**:
+
+  Map keys and references use store path base names (e.g., `"abc...-foo"`) instead of full absolute store paths.
+  Combined with `storeDir`, the full path can be reconstructed.
+
+- **Structured `ca` field**:
+
+  Content address is now a structured JSON object instead of a string:
+
+  - Old: `"ca": "fixed:r:sha256:1abc..."`
+  - New: `"ca": {"method": "nar", "hash": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}`
+  - Still `null` values for input-addressed store objects
+
+  The `hash` field uses the [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) format like other hashes.
+
+Nix currently only produces, and doesn't consume this format.
+
+Additionally the following field is added to both formats.
+(The `version` tracks breaking changes, and adding fields to outputted JSON is not a breaking change.)
+
+- **`version` field**:
+
+  All store path info JSON now includes `"version": <1|2>`.
+
+- **`storeDir` field**:
+
+  Top-level `"storeDir"` field contains the store directory path (e.g., `"/nix/store"`).
+
+## Derivation JSON (Version 4)
+
+The derivation JSON format has been updated from version 3 to version 4:
+
+- **Restructured inputs**:
+
+  Inputs are now nested under an `inputs` object:
+
+  - Old: `"inputSrcs": [...], "inputDrvs": {...}`
+  - New: `"inputs": {"srcs": [...], "drvs": {...}}`
+
+- **Consistent content addresses**:
+
+  Fixed content-addressed outputs now use structured JSON format.
+  This is the same format as `ca` in store path info (after the new version).
+
+Version 3 and earlier formats are *not* accepted when reading.
+
+**Affected command**: `nix derivation`, namely its `show` and `add` sub-commands.

doc/manual/rl-next/libcurl-pausing.md

@@ -0,0 +1,12 @@
+---
+synopsis: Fix "download buffer is full; consider increasing the 'download-buffer-size' setting" warning
+prs: [14614]
+issues: [11728]
+---
+
+The underlying issue that led to [#11728](https://github.com/NixOS/nix/issues/11728) has been resolved by utilizing
+[libcurl write pausing functionality](https://curl.se/libcurl/c/curl_easy_pause.html) to control backpressure when unpacking to slow destinations like the git-backed tarball cache. The default value of `download-buffer-size` is now 1 MiB and it's no longer recommended to increase it, since the root cause has been fixed.
+
+This is expected to improve download performance on fast connections, since previously a single slow download consumer would stall the thread and prevent any other transfers from progressing.
+
+Many thanks go out to the [Lix project](https://lix.systems/) for the [implementation](https://git.lix.systems/lix-project/lix/commit/4ae6fb5a8f0d456b8d2ba2aaca3712b4e49057fc) that served as inspiration for this change and for triaging libcurl [issues with pausing](https://github.com/curl/curl/issues/19334).

doc/manual/rl-next/repl-interrupt.md

@@ -0,0 +1,8 @@
+---
+synopsis: Interrupting REPL commands works more than once
+issues: [13481]
+---
+
+Previously, this only worked once per REPL session; further attempts would be ignored.
+This issue is now fixed, so REPL commands such as `:b` or `:p` can be canceled consistently.
+This is a cherry-pick of the change from the [Lix project](https://gerrit.lix.systems/c/lix/+/1097).

doc/manual/rl-next/s3-curl-implementation.md

@@ -0,0 +1,40 @@
+---
+synopsis: "Improved S3 binary cache support via HTTP"
+prs: [13752, 13823, 14026, 14120, 14131, 14135, 14144, 14170, 14190, 14198, 14206, 14209, 14222, 14223, 14330, 14333, 14335, 14336, 14337, 14350, 14356, 14357, 14374, 14375, 14376, 14377, 14391, 14393, 14420, 14421]
+issues: [13084, 12671, 11748, 12403]
+---
+
+S3 binary cache operations now happen via HTTP, leveraging `libcurl`'s native
+AWS SigV4 authentication instead of the AWS C++ SDK, providing significant
+improvements:
+
+- **Reduced memory usage**: Eliminates memory buffering issues that caused
+  segfaults with large files
+- **Fixed upload reliability**: Resolves AWS SDK chunking errors
+  (`InvalidChunkSizeError`)
+- **Lighter dependencies**: Uses lightweight `aws-crt-cpp` instead of full
+  `aws-cpp-sdk`, reducing build complexity
+
+The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential
+management.
+
+All existing S3 URL formats and parameters remain supported, however the store
+settings for configuring multipart uploads have changed:
+
+- **`multipart-upload`** (default: `false`): Enable multipart uploads for large
+  files. When enabled, files exceeding the multipart threshold will be uploaded
+  in multiple parts.
+
+- **`multipart-threshold`** (default: `100 MiB`): Minimum file size for using
+  multipart uploads. Files smaller than this will use regular PUT requests.
+  Only takes effect when `multipart-upload` is enabled.
+
+- **`multipart-chunk-size`** (default: `5 MiB`): Size of each part in multipart
+  uploads. Must be at least 5 MiB (AWS S3 requirement). Larger chunk sizes
+  reduce the number of requests but use more memory.
+
+- **`buffer-size`**: Has been replaced by `multipart-chunk-size` and is now an alias to it.
+
+Note that this change also means Nix now supports S3 binary cache stores even
+if built without `aws-crt-cpp`, but only for public buckets which do not
+require authentication.

doc/manual/rl-next/s3-object-versioning.md

@@ -0,0 +1,14 @@
+---
+synopsis: "S3 URLs now support object versioning via versionId parameter"
+prs: [14274]
+issues: [13955]
+---
+
+S3 URLs now support a `versionId` query parameter to fetch specific versions
+of objects from S3 buckets with versioning enabled. This allows pinning to
+exact object versions for reproducibility and protection against unexpected
+changes:
+
+```
+s3://bucket/key?region=us-east-1&versionId=abc123def456
+```

doc/manual/rl-next/s3-storage-class.md

@@ -0,0 +1,21 @@
+---
+synopsis: "S3 binary cache stores now support storage class configuration"
+prs: [14464]
+issues: [7015]
+---
+
+S3 binary cache stores now support configuring the storage class for uploaded objects via the `storage-class` parameter. This allows users to optimize costs by selecting appropriate storage tiers based on access patterns.
+
+Example usage:
+
+```bash
+# Use Glacier storage for long-term archival
+nix copy --to 's3://my-bucket?storage-class=GLACIER' /nix/store/...
+
+# Use Intelligent Tiering for automatic cost optimization
+nix copy --to 's3://my-bucket?storage-class=INTELLIGENT_TIERING' /nix/store/...
+```
+
+The storage class applies to both regular uploads and multipart uploads. When not specified, objects use the bucket's default storage class.
+
+See the [S3 storage classes documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html) for available storage classes and their characteristics.

doc/manual/source/SUMMARY.md.in

@@ -125,7 +125,6 @@
     - [Hash](protocols/json/hash.md)
     - [Content Address](protocols/json/content-address.md)
     - [Store Path](protocols/json/store-path.md)
-    - [Signature](protocols/json/signature.md)
     - [Store Object Info](protocols/json/store-object-info.md)
     - [Derivation](protocols/json/derivation/index.md)
       - [Derivation Options](protocols/json/derivation/options.md)
@@ -136,9 +135,7 @@
   - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
   - [Store Path Specification](protocols/store-path.md)
   - [Nix Archive (NAR) Format](protocols/nix-archive/index.md)
-  - [Nix Cache Info Format](protocols/nix-cache-info.md)
   - [Derivation "ATerm" file format](protocols/derivation-aterm.md)
-  - [Nix32 Encoding](protocols/nix32.md)
 - [C API](c-api.md)
 - [Glossary](glossary.md)
 - [Development](development/index.md)
@@ -154,8 +151,6 @@
   - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
-  - [Release 2.34 (2026-02-27)](release-notes/rl-2.34.md)
-  - [Release 2.33 (2025-12-09)](release-notes/rl-2.33.md)
   - [Release 2.32 (2025-10-06)](release-notes/rl-2.32.md)
   - [Release 2.31 (2025-08-21)](release-notes/rl-2.31.md)
   - [Release 2.30 (2025-07-07)](release-notes/rl-2.30.md)

doc/manual/source/advanced-topics/eval-profiler.md

@@ -27,7 +27,7 @@ site](https://en.wikipedia.org/wiki/Call_site) position and the name of the
 function being called (when available). For example:
 
 ```
-/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5:primop import
+/nix/store/x9wnkly3k1gkq580m90jjn32q9f05q2v-source/pkgs/top-level/default.nix:167:5:primop import
 ```
 
-Here `import` primop is called at `/nix/store/2q71fdvr4h33g9832hiriwnf20fn630l-source/pkgs/top-level/default.nix:167:5`.
+Here `import` primop is called at `/nix/store/x9wnkly3k1gkq580m90jjn32q9f05q2v-source/pkgs/top-level/default.nix:167:5`.

doc/manual/source/command-ref/env-common.md

@@ -57,6 +57,11 @@ Most Nix commands interpret the following environment variables:
 
   Overrides the location of the Nix store (default `prefix/store`).
 
+- <span id="env-NIX_DATA_DIR">[`NIX_DATA_DIR`](#env-NIX_DATA_DIR)</span>
+
+  Overrides the location of the Nix static data directory (default
+  `prefix/share`).
+
 - <span id="env-NIX_LOG_DIR">[`NIX_LOG_DIR`](#env-NIX_LOG_DIR)</span>
 
   Overrides the location of the Nix log directory (default

doc/manual/source/command-ref/files/default-nix-expression.md

@@ -39,11 +39,11 @@ This makes all subscribed channels available as attributes in the default expres
 A symlink that ensures that [`nix-env`] can find the current user's [channels]:
 
 - `~/.nix-defexpr/channels`
-- `$XDG_STATE_HOME/nix/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
+- `$XDG_STATE_HOME/defexpr/channels` if [`use-xdg-base-directories`] is set to `true`.
 
 This symlink points to:
 
-- `$XDG_STATE_HOME/nix/profiles/channels` for regular users
+- `$XDG_STATE_HOME/profiles/channels` for regular users
 - `$NIX_STATE_DIR/profiles/per-user/root/channels` for `root`
 
 In a multi-user installation, you may also have `~/.nix-defexpr/channels_root`, which links to the channels of the root user.

doc/manual/source/command-ref/files/manifest.nix.md

@@ -114,9 +114,9 @@ Here is an example of how this file might look like after installing `hello` fro
   };
   name = "hello-2.12.1";
   out = {
-    outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
+    outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
   };
-  outPath = "/nix/store/src1vzij2z0slnakrsbpqpk20389z0k6-hello-2.12.1";
+  outPath = "/nix/store/260q5867crm1xjs4khgqpl6vr9kywql1-hello-2.12.1";
   outputs = [ "out" ];
   system = "x86_64-linux";
   type = "derivation";

doc/manual/source/command-ref/files/profiles.md

@@ -37,13 +37,13 @@ dr-xr-xr-x 4 root root 4096 Jan  1  1970 share
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/bin:
 total 20
-lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/cyxny9d1zjb9l9103fr6j6kavp3bqjxf-chromium-86.0.4240.111/bin/chromium
+lrwxrwxrwx 5 root root 79 Jan  1  1970 chromium -> /nix/store/ijm5k0zqisvkdwjkc77mb9qzb35xfi4m-chromium-86.0.4240.111/bin/chromium
 lrwxrwxrwx 7 root root 87 Jan  1  1970 spotify -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/bin/spotify
 lrwxrwxrwx 3 root root 79 Jan  1  1970 zoom-us -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/bin/zoom-us
 
 /home/eelco/.local/state/nix/profiles/profile-7-link/share/applications:
 total 12
-lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/sqzyx2l85i6j2a77pnyvglh3bvzwmjjp-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
+lrwxrwxrwx 4 root root 120 Jan  1  1970 chromium-browser.desktop -> /nix/store/4cf803y4vzfm3gyk3vzhzb2327v0kl8a-chromium-unwrapped-86.0.4240.111/share/applications/chromium-browser.desktop
 lrwxrwxrwx 7 root root 110 Jan  1  1970 spotify.desktop -> /nix/store/w9182874m1bl56smps3m5zjj36jhp3rn-spotify-1.1.26.501.gbe11e53b-15/share/applications/spotify.desktop
 lrwxrwxrwx 3 root root 107 Jan  1  1970 us.zoom.Zoom.desktop -> /nix/store/wbhg2ga8f3h87s9h5k0slxk0m81m4cxl-zoom-us-5.3.469451.0927/share/applications/us.zoom.Zoom.desktop
 

doc/manual/source/command-ref/nix-copy-closure.md

@@ -72,11 +72,11 @@ When using public key authentication, you can avoid typing the passphrase with `
 > $ storePath="$(nix-build '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello --no-out-link)"
 > $ nix-copy-closure --to alice@itchy.example.org "$storePath"
 > copying 5 paths...
-> copying path '/nix/store/h6q8sqsqfbd3252f9gixqn3z282wds7m-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/imnwvn96lw355giswsk36hx105j4wnpj-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/85301indj7scg34spnfczkz72jgv8wa9-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/ypwfsaljwhzw9iffiysxmxnhjj8v7np0-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
-> copying path '/nix/store/0dklv59zppdsqdvgf0qdvjgzcs5wbwxa-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/nrwkk6ak3rgkrxbqhsscb01jpzmslf2r-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/gm61h1y42pqyl6178g90x8zm22n6pyy5-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/ddfzjdykw67s20c35i7a6624by3iz5jv-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/apab5i73dqa09wx0q27b6fbhd1r18ihl-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/g1n2vryg06amvcc1avb2mcq36faly0mh-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
 > ```
 
 > **Example**

doc/manual/source/command-ref/nix-env/install.md

@@ -204,7 +204,7 @@ To install a specific [store derivation] (typically created by
 `nix-instantiate`):
 
 ```console
-$ nix-env --install /nix/store/8la6y31fmm6i4wfmby6avly1wf718xnj-gcc-3.4.3.drv
+$ nix-env --install /nix/store/fibjb1bfbpm5mrsxc4mh2d8n37sxh91i-gcc-3.4.3.drv
 ```
 
 To install a specific output path:
@@ -232,7 +232,7 @@ $ nix-env --file '<nixpkgs>' --install --attr hello --dry-run
 (dry run; not doing anything)
 installing ‘hello-2.10’
 this path will be fetched (0.04 MiB download, 0.19 MiB unpacked):
-  /nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10
+  /nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10
   ...
 ```
 

doc/manual/source/command-ref/nix-prefetch-url.md

@@ -76,7 +76,7 @@ $ nix-prefetch-url ftp://ftp.gnu.org/pub/gnu/hello/hello-2.10.tar.gz
 ```console
 $ nix-prefetch-url --print-path mirror://gnu/hello/hello-2.10.tar.gz
 0ssi1wpaf7plaswqqjwigppsg5fyh99vdlb9kzl7c9lng89ndq1i
-/nix/store/8alrpdaasjd1x6g1fczchmzbpqm936a3-hello-2.10.tar.gz
+/nix/store/3x7dwzq014bblazs7kq20p9hyzz0qh8g-hello-2.10.tar.gz
 ```
 
 ```console

doc/manual/source/command-ref/nix-store/add-fixed.md

@@ -34,6 +34,6 @@ This operation has the following options:
 
 ```console
 $ nix-store --add-fixed sha256 ./hello-2.10.tar.gz
-/nix/store/8alrpdaasjd1x6g1fczchmzbpqm936a3-hello-2.10.tar.gz
+/nix/store/3x7dwzq014bblazs7kq20p9hyzz0qh8g-hello-2.10.tar.gz
 ```
 

doc/manual/source/command-ref/nix-store/delete.md

@@ -27,7 +27,7 @@ paths in the store that refer to it (i.e., depend on it).
 # Example
 
 ```console
-$ nix-store --delete /nix/store/gjak3al7lj61x4gj6rln4f5pc5v0f67n-mesa-6.4
+$ nix-store --delete /nix/store/zq0h41l75vlb4z45kzgjjmsjxvcv1qk7-mesa-6.4
 0 bytes freed (0.00 MiB)
-error: cannot delete path `/nix/store/gjak3al7lj61x4gj6rln4f5pc5v0f67n-mesa-6.4' since it is still alive
+error: cannot delete path `/nix/store/zq0h41l75vlb4z45kzgjjmsjxvcv1qk7-mesa-6.4' since it is still alive
 ```

doc/manual/source/command-ref/nix-store/query.md

@@ -184,9 +184,9 @@ Print the build-time dependencies of `svn`:
 
 ```console
 $ nix-store --query --requisites $(nix-store --query --deriver $(which svn))
-/nix/store/y6qa66l9h0pw161crnlk6y16rdrcljx4-grep-2.5.1.tar.bz2.drv
-/nix/store/z716h753s97jhnzvfank2srqbljswpgm-gcc-wrapper.sh
-/nix/store/f39x0q73rjdyvzm93y9wrkfr6x39lb7f-glibc-2.3.4.drv
+/nix/store/02iizgn86m42q905rddvg4ja975bk2i4-grep-2.5.1.tar.bz2.drv
+/nix/store/07a2bzxmzwz5hp58nf03pahrv2ygwgs3-gcc-wrapper.sh
+/nix/store/0ma7c9wsbaxahwwl04gbw3fcd806ski4-glibc-2.3.4.drv
 ... lots of other paths ...
 ```
 
@@ -199,10 +199,10 @@ Show the build-time dependencies as a tree:
 ```console
 $ nix-store --query --tree $(nix-store --query --deriver $(which svn))
 /nix/store/7i5082kfb6yjbqdbiwdhhza0am2xvh6c-subversion-1.1.4.drv
-+---/nix/store/vxnmkc8l8d2ijjha4xwhkfgx9vvc3q4c-builder.sh
-+---/nix/store/rn9776dy82n5qrgz7xbcl1iw4vfkcrkk-bash-3.0.drv
-|   +---/nix/store/x9j20hz6bln1crzn55qifk0bbsm8v5ac-bash
-|   +---/nix/store/ajnn1mcm45wjvn0rlc22gvx2cwhjnazx-builder.sh
++---/nix/store/d8afh10z72n8l1cr5w42366abiblgn54-builder.sh
++---/nix/store/fmzxmpjx2lh849ph0l36snfj9zdibw67-bash-3.0.drv
+|   +---/nix/store/570hmhmx3v57605cqg9yfvvyh0nnb8k8-bash
+|   +---/nix/store/p3srsbd8dx44v2pg6nbnszab5mcwx03v-builder.sh
 ...
 ```
 

doc/manual/source/command-ref/nix-store/realise.md

@@ -76,7 +76,7 @@ This operation is typically used to build [store derivation]s produced by
 
 ```console
 $ nix-store --realise $(nix-instantiate ./test.nix)
-/nix/store/6gwmy5jcnwdlz6aqqhksz863f1l8xc2w-aterm-2.3.1
+/nix/store/31axcgrlbfsxzmfff1gyj1bf62hvkby2-aterm-2.3.1
 ```
 
 This is essentially what [`nix-build`](@docroot@/command-ref/nix-build.md) does.

doc/manual/source/development/building.md

@@ -3,10 +3,6 @@
 This section provides some notes on how to start hacking on Nix.
 To get the latest version of Nix from GitHub:
 
-> **Note**
->
-> When checking out the repo on Windows, make sure you have the git setting `core.symlinks` enabled, before cloning, as there are symlinks in the repo.
-
 ```console
 $ git clone https://github.com/NixOS/nix.git
 $ cd nix

doc/manual/source/development/debugging.md

@@ -6,7 +6,14 @@ Additionally, see [Testing Nix](./testing.md) for further instructions on how to
 
 ## Building Nix with Debug Symbols
 
-In the development shell, `mesonBuildType` is set automatically to `debugoptimized`. This builds Nix with debug symbols, which are essential for effective debugging.
+In the development shell, set the `mesonBuildType` environment variable to `debug` before configuring the build:
+
+```console
+[nix-shell]$ export mesonBuildType=debugoptimized
+```
+
+Then, proceed to build Nix as described in [Building Nix](./building.md).
+This will build Nix with debug symbols, which are essential for effective debugging.
 
 It is also possible to build without optimization for faster build:
 

doc/manual/source/glossary.md

@@ -39,7 +39,7 @@
   This sandbox by default only allows reading from store objects specified as inputs, and only allows writing to designated [outputs][output] to be [captured as store objects](@docroot@/store/building.md#processing-outputs).
 
   A derivation is typically specified as a [derivation expression] in the [Nix language], and [instantiated][instantiate] to a [store derivation].
-  There are multiple ways of obtaining store objects from store derivations, collectively called [realisation][realise].
+  There are multiple ways of obtaining store objects from store derivatons, collectively called [realisation][realise].
 
   [derivation]: #gloss-derivation
 
@@ -136,7 +136,7 @@
 
   > **Example**
   >
-  > `/nix/store/jf6gn2dzna4nmsfbdxsd7kwhsk6gnnlr-git-2.38.1`
+  > `/nix/store/a040m110amc4h71lds2jmr8qrkj2jhxd-git-2.38.1`
 
   See [Store Path](@docroot@/store/store-path.md) for details.
 

doc/manual/source/installation/building-source.md

@@ -6,23 +6,14 @@ It is broken up into multiple Meson packages, which are optionally combined in a
 There are no mandatory extra steps to the building process:
 generic Meson installation instructions like [this](https://mesonbuild.com/Quick-guide.html#using-meson-as-a-distro-packager) should work.
 
-```bash
-git clone https://github.com/NixOS/nix.git
-cd nix
-meson setup build
-cd build
-ninja
-(sudo) ninja install
-```
-
-The installation path can be specified by passing `-Dprefix=prefix`
-to `meson setup build`. The default installation directory is `/usr/local`. You
+The installation path can be specified by passing the `-Dprefix=prefix`
+to `configure`. The default installation directory is `/usr/local`. You
 can change this to any location you like. You must have write permission
 to the *prefix* path.
 
 Nix keeps its *store* (the place where packages are stored) in
 `/nix/store` by default. This can be changed using
-`-Dlibstore:store-dir=path`.
+`-Dstore-dir=path`.
 
 > **Warning**
 >

doc/manual/source/installation/uninstall.md

@@ -16,29 +16,30 @@ If you are on Linux with systemd:
    sudo systemctl daemon-reload
    ```
 
-2. Remove files created by Nix:
+Remove files created by Nix:
 
-   ```console
-   sudo rm -rf /etc/nix /etc/profile.d/nix.sh /etc/tmpfiles.d/nix-daemon.conf /nix ~/.local/share/nix ~/.local/state/nix ~/.cache/nix ~/.nix-defexpr ~/.nix-profile ~/.nix-channels ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
-   ```
+```console
+sudo rm -rf /etc/nix /etc/profile.d/nix.sh /etc/tmpfiles.d/nix-daemon.conf /nix ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
+```
 
-3. Remove build users and their group:
+Remove build users and their group:
 
-   ```console
-   for i in $(seq 1 32); do
-     sudo userdel nixbld$i
-   done
-   sudo groupdel nixbld
-   ```
+```console
+for i in $(seq 1 32); do
+  sudo userdel nixbld$i
+done
+sudo groupdel nixbld
+```
 
-4. There may also be references to Nix in
-   - `/etc/bash.bashrc`
-   - `/etc/bashrc`
-   - `/etc/profile`
-   - `/etc/zsh/zshrc`
-   - `/etc/zshrc`
+There may also be references to Nix in
 
-   which you may remove.
+- `/etc/bash.bashrc`
+- `/etc/bashrc`
+- `/etc/profile`
+- `/etc/zsh/zshrc`
+- `/etc/zshrc`
+
+which you may remove.
 
 ### FreeBSD
 
@@ -53,7 +54,7 @@ If you are on Linux with systemd:
 2. Remove files created by Nix:
 
    ```console
-   sudo rm -rf /etc/nix /usr/local/etc/profile.d/nix.sh /nix ~/.local/share/nix ~/.local/state/nix ~/.cache/nix ~/.nix-defexpr ~/.nix-profile ~/.nix-channels ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
+   sudo rm -rf /etc/nix /usr/local/etc/profile.d/nix.sh /nix ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
    ```
 
 3. Remove build users and their group:
@@ -153,7 +154,7 @@ If you are on Linux with systemd:
 6. Remove the files Nix added to your system, except for the store:
 
    ```console
-   sudo rm -rf /etc/nix /var/root/.nix-profile /var/root/.nix-defexpr /var/root/.nix-channels ~/.nix-profile ~/.nix-defexpr ~/.nix-channels ~/.local/share/nix ~/.local/state/nix ~/.cache/nix
+   sudo rm -rf /etc/nix /var/root/.nix-profile /var/root/.nix-defexpr /var/root/.nix-channels ~/.nix-profile ~/.nix-defexpr ~/.nix-channels
    ```
 
 
@@ -191,6 +192,6 @@ If you are on Linux with systemd:
 To remove a [single-user installation](./installing-binary.md#single-user-installation) of Nix, run:
 
 ```console
-rm -rf /nix ~/.nix-channels ~/.nix-defexpr ~/.nix-profile ~/.local/share/nix ~/.local/state/nix ~/.cache/nix
+rm -rf /nix ~/.nix-channels ~/.nix-defexpr ~/.nix-profile
 ```
 You might also want to manually remove references to Nix from your `~/.profile`.

doc/manual/source/introduction.md

@@ -8,7 +8,7 @@ stores packages in the _Nix store_, usually the directory
 `/nix/store`, where each package has its own unique subdirectory such
 as
 
-    /nix/store/q06x3jll2yfzckz2bzqak089p43ixkkq-firefox-33.1/
+    /nix/store/b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z-firefox-33.1/
 
 where `b6gvzjyb2pg0…` is a unique identifier for the package that
 captures all its dependencies (it’s a cryptographic hash of the

doc/manual/source/language/advanced-attributes.md

@@ -338,7 +338,7 @@ Here is more information on the `output*` attributes, and what values they may b
     This will specify the output hash of the single output of a [fixed-output derivation].
 
     The `outputHash` attribute must be a string containing the hash in either hexadecimal or "nix32" encoding, or following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
-    The ["nix32" encoding](@docroot@/protocols/nix32.md) is Nix's variant of base-32 encoding.
+    The "nix32" encoding is an adaptation of base-32 encoding.
 
     > **Note**
     >

doc/manual/source/language/string-context.md

@@ -34,12 +34,12 @@ String context elements come in different forms:
     > [`builtins.storePath`] creates a string with a single constant string context element:
     >
     > ```nix
-    > builtins.getContext (builtins.storePath "/nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10")
+    > builtins.getContext (builtins.storePath "/nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10")
     > ```
     > evaluates to
     > ```nix
     > {
-    >   "/nix/store/ikwkxz4wwlp2g1428n7dy729cg1d9hin-hello-2.10" = {
+    >   "/nix/store/wkhdf9jinag5750mqlax6z2zbwhqb76n-hello-2.10" = {
     >     path = true;
     >   };
     > }

doc/manual/source/language/string-interpolation.md

@@ -181,7 +181,7 @@ A derivation interpolates to the [store path] of its first [output](./derivation
 > "${pkgs.hello}"
 > ```
 >
->     "/nix/store/qnlr7906z0mrl2syrkdbpicffq02nw07-hello-2.12.1"
+>     "/nix/store/4xpfqf29z4m8vbhrqcz064wfmb46w5r7-hello-2.12.1"
 
 An attribute set interpolates to the return value of the function in the `__toString` applied to the attribute set itself.
 

doc/manual/source/language/syntax.md

@@ -51,7 +51,6 @@ See [String literals](string-literals.md).
 
   Path literals can also include [string interpolation], besides being [interpolated into other expressions].
 
-  [string interpolation]: ./string-interpolation.md
   [interpolated into other expressions]: ./string-interpolation.md#interpolated-expression
 
   At least one slash (`/`) must appear *before* any interpolated expression for the result to be recognized as a path.
@@ -273,7 +272,7 @@ will crash with an `infinite recursion encountered` error message.
 
 A let-expression allows you to define local variables for an expression.
 
-> *let-in* = `let` [ *identifier* = *expr* `;` ]... `in` *expr*
+> *let-in* = `let` [ *identifier* = *expr* ]... `in` *expr*
 
 Example:
 
@@ -286,27 +285,6 @@ in x + y
 
 This evaluates to `"foobar"`.
 
-There is also another, older, syntax for let expressions that should not be used in new code:
-
-> *let* = `let` `{` *identifier* = *expr* `;` [ *identifier* = *expr* `;`]...  `}`
-
-In this form, the attribute set between the `{` `}` is recursive.
-
-One of the attributes must have the special name `body`,
-which is the result of the expression.
-
-Example:
-
-```nix
-let {
-  foo = bar;
-  bar = "baz";
-  body = foo;
-}
-```
-
-This evaluates to "baz".
-
 ## Inheriting attributes
 
 When defining an [attribute set](./types.md#type-attrs) or in a [let-expression](#let-expressions) it is often convenient to copy variables from the surrounding lexical scope (e.g., when you want to propagate attributes).

doc/manual/source/package-management/binary-cache-substituter.md

@@ -19,16 +19,17 @@ whatever port you like:
 $ nix-serve -p 8080
 ```
 
-To check whether it works, try fetching the [`nix-cache-info`](@docroot@/protocols/nix-cache-info.md) file on the client:
+To check whether it works, try the following on the client:
 
 ```console
 $ curl http://avalon:8080/nix-cache-info
-StoreDir: /nix/store
-WantMassQuery: 1
-Priority: 30
 ```
 
-When writing to a binary cache (e.g., with [`nix copy`](@docroot@/command-ref/new-cli/nix3-copy.md)), Nix creates [`nix-cache-info`](@docroot@/protocols/nix-cache-info.md) automatically if it doesn't exist.
+which should print something like:
+
+    StoreDir: /nix/store
+    WantMassQuery: 1
+    Priority: 30
 
 On the client side, you can tell Nix to use your binary cache using
 `--substituters`, e.g.:

doc/manual/source/protocols/json/build-trace-entry.md

@@ -1,21 +1,27 @@
-{{#include build-trace-entry-v3-fixed.md}}
+{{#include build-trace-entry-v1-fixed.md}}
 
 ## Examples
 
 ### Simple build trace entry
 
 ```json
-{{#include schema/build-trace-entry-v3/simple.json}}
+{{#include schema/build-trace-entry-v1/simple.json}}
+```
+
+### Build trace entry with dependencies
+
+```json
+{{#include schema/build-trace-entry-v1/with-dependent-realisations.json}}
 ```
 
 ### Build trace entry with signature
 
 ```json
-{{#include schema/build-trace-entry-v3/with-structured-signature.json}}
+{{#include schema/build-trace-entry-v1/with-signature.json}}
 ```
 
 <!--
 ## Raw Schema
 
-[JSON Schema for Build Trace Entry v1](schema/build-trace-entry-v3.json)
--->
+[JSON Schema for Build Trace Entry v1](schema/build-trace-entry-v1.json)
+-->

doc/manual/source/protocols/json/meson.build

@@ -13,12 +13,11 @@ schemas = [
   'hash-v1',
   'content-address-v1',
   'store-path-v1',
-  'signature-v2',
-  'store-object-info-v3',
+  'store-object-info-v2',
   'derivation-v4',
   'derivation-options-v1',
   'deriving-path-v1',
-  'build-trace-entry-v3',
+  'build-trace-entry-v1',
   'build-result-v1',
   'store-v1',
 ]

doc/manual/source/protocols/json/schema/build-result-v1.yaml

@@ -83,7 +83,7 @@ properties:
         description: |
           A mapping from output names to their build trace entries.
         additionalProperties:
-          "$ref": "build-trace-entry-v3.yaml#/$defs/value"
+          "$ref": "build-trace-entry-v1.yaml"
 
   failure:
     type: object

doc/manual/source/protocols/json/schema/build-trace-entry-v1.yaml

@@ -0,0 +1,100 @@
+"$schema": "http://json-schema.org/draft-04/schema"
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/build-trace-entry-v1.json"
+title: Build Trace Entry
+description: |
+  A record of a successful build outcome for a specific derivation output.
+
+  This schema describes the JSON representation of a [build trace entry](@docroot@/store/build-trace.md).
+
+  > **Warning**
+  >
+  > This JSON format is currently
+  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-ca-derivations)
+  > and subject to change.
+required:
+  - id
+  - outPath
+  - dependentRealisations
+  - signatures
+allOf:
+  - "$ref": "#/$defs/key"
+  - "$ref": "#/$defs/value"
+properties:
+  id: {}
+  outPath: {}
+  dependentRealisations: {}
+  signatures: {}
+additionalProperties: false
+
+"$defs":
+  key:
+    title: Build Trace Key
+    description: |
+      A [build trace entry](@docroot@/store/build-trace.md) is a key-value pair.
+      This is the "key" part, refering to a derivation and output.
+    type: object
+    required:
+      - id
+    properties:
+      id:
+        type: string
+        title: Derivation Output ID
+        pattern: "^sha256:[0-9a-f]{64}![a-zA-Z_][a-zA-Z0-9_-]*$"
+        description: |
+          Unique identifier for the derivation output that was built.
+
+          Format: `{hash-quotient-drv}!{output-name}`
+
+          - **hash-quotient-drv**: SHA-256 [hash of the quotient derivation](@docroot@/store/derivation/outputs/input-address.md#hash-quotient-drv).
+            Begins with `sha256:`.
+
+          - **output-name**: Name of the specific output (e.g., "out", "dev", "doc")
+
+          Example: `"sha256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad!foo"`
+
+  value:
+    title: Build Trace Value
+    description: |
+      A [build trace entry](@docroot@/store/build-trace.md) is a key-value pair.
+      This is the "value" part, describing an output.
+    type: object
+    required:
+      - outPath
+      - dependentRealisations
+      - signatures
+    properties:
+      outPath:
+        "$ref": "store-path-v1.yaml"
+        title: Output Store Path
+        description: |
+          The path to the store object that resulted from building this derivation for the given output name.
+
+      dependentRealisations:
+        type: object
+        title: Underlying Base Build Trace
+        description: |
+          This is for [*derived*](@docroot@/store/build-trace.md#derived) build trace entries to ensure coherence.
+
+          Keys are derivation output IDs (same format as the main `id` field).
+          Values are the store paths that those dependencies resolved to.
+
+          As described in the linked section on derived build trace traces, derived build trace entries must be kept in addition and not instead of the underlying base build entries.
+          This is the set of base build trace entries that this derived build trace is derived from.
+          (The set is also a map since this miniature base build trace must be coherent, mapping each key to a single value.)
+
+        patternProperties:
+          "^sha256:[0-9a-f]{64}![a-zA-Z_][a-zA-Z0-9_-]*$":
+            "$ref": "store-path-v1.yaml"
+            title: Dependent Store Path
+            description: Store path that this dependency resolved to during the build
+        additionalProperties: false
+
+      signatures:
+        type: array
+        title: Build Signatures
+        description: |
+          A set of cryptographic signatures attesting to the authenticity of this build trace entry.
+        items:
+          type: string
+          title: Signature
+          description: A single cryptographic signature

doc/manual/source/protocols/json/schema/build-trace-entry-v3.yaml

@@ -1,83 +0,0 @@
-"$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/build-trace-entry-v3.json"
-title: Build Trace Entry
-description: |
-  A record of a successful build outcome for a specific derivation output.
-
-  This schema describes the JSON representation of a [build trace entry](@docroot@/store/build-trace.md).
-
-  > **Warning**
-  >
-  > This JSON format is currently
-  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-ca-derivations)
-  > and subject to change.
-
-  ## Version History
-
-  - Version 1: Original format
-
-  - Version 2:
-    - Remove `dependentRealisations`
-
-  - Version 3:
-    - Use `drvPath` not `drvHash` to refer to derivation in a more conventional way.
-    - Separate into `key` and `value`
-    - Use 2nd version of signatures format (objects, not strings)
-
-type: object
-required:
-  - key
-  - value
-properties:
-  key:
-    "$ref": "#/$defs/key"
-  value:
-    "$ref": "#/$defs/value"
-additionalProperties: false
-
-"$defs":
-  key:
-    title: Build Trace Key
-    description: |
-      A [build trace entry](@docroot@/store/build-trace.md) is a key-value pair.
-      This is the "key" part, refering to a derivation and output.
-    type: object
-    required:
-      - drvPath
-      - outputName
-    properties:
-      drvPath:
-        "$ref": "store-path-v1.yaml"
-        title: Derivation Path
-        description: |
-          The store path of the derivation that was built.
-      outputName:
-        type: string
-        title: Output Name
-        description: |
-          Name of the specific output (e.g., "out", "dev", "doc")
-    additionalProperties: false
-
-  value:
-    title: Build Trace Value
-    description: |
-      A [build trace entry](@docroot@/store/build-trace.md) is a key-value pair.
-      This is the "value" part, describing an output.
-    type: object
-    required:
-      - outPath
-      - signatures
-    properties:
-      outPath:
-        "$ref": "store-path-v1.yaml"
-        title: Output Store Path
-        description: |
-          The path to the store object that resulted from building this derivation for the given output name.
-
-      signatures:
-        type: array
-        title: Build Signatures
-        description: |
-          A set of cryptographic signatures attesting to the authenticity of this build trace entry.
-        items:
-          "$ref": "signature-v2.yaml"

doc/manual/source/protocols/json/schema/derivation-v4.yaml

@@ -94,8 +94,8 @@ properties:
           >
           > ```json
           > "srcs": [
-          >   "b8nwz167km1yciqpwzjj24f8jcy8pq1h-separate-debug-info.sh",
-          >   "ihzmilr413r8fb3ah30yjnhlb18c1laz-fix-pop-var-context-error.patch"
+          >   "47y241wqdhac3jm5l7nv0x4975mb1975-separate-debug-info.sh",
+          >   "56d0w71pjj9bdr363ym3wj1zkwyqq97j-fix-pop-var-context-error.patch"
           > ]
           > ```
         items:
@@ -140,7 +140,7 @@ properties:
     description: |
       Absolute path of the program used to perform the build.
       Typically this is the `bash` shell
-      (e.g. `/nix/store/p4xlj4imjbnm4v0x5jf4qysvyjjlgq1d-bash-4.4-p23/bin/bash`).
+      (e.g. `/nix/store/r3j288vpmczbl500w6zz89gyfa4nr0b1-bash-4.4-p23/bin/bash`).
 
   args:
     type: array

doc/manual/source/protocols/json/schema/hash-v1

@@ -1 +1 @@
-../../../../../../src/libutil-tests/data/hash
+../../../../../../src/libutil-tests/data/hash/

doc/manual/source/protocols/json/schema/nar-info-v3

@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/nar-info/json-3

doc/manual/source/protocols/json/schema/signature-v2.yaml

@@ -1,33 +0,0 @@
-"$schema": "http://json-schema.org/draft-07/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/signature-v2.json"
-title: Signature
-description: |
-  A cryptographic signature along with the name of the key that produced it.
-
-  This schema describes the JSON representation of signatures as used in various Nix JSON APIs.
-
-  > **Warning**
-  >
-  > This JSON format is currently
-  > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
-  > and subject to change.
-
-  ## Version History
-
-  - Version 1: Colon-separated string in the format `<key-name>:<signature-in-Base64>`
-
-  - Version 2: Structured object with `keyName` and `sig` fields
-
-type: object
-required:
-  - keyName
-  - sig
-properties:
-  keyName:
-    type: string
-    title: Key Name
-    description: The name of the key used to produce this signature
-  sig:
-    type: string
-    title: Signature Data
-    description: The raw signature bytes, Base64-encoded

doc/manual/source/protocols/json/schema/signature-v2/simple.json

@@ -1,4 +0,0 @@
-{
-    "keyName": "cache.nixos.org-1",
-    "sig": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
-}

doc/manual/source/protocols/json/schema/store-object-info-v2

@@ -0,0 +1 @@
+../../../../../../src/libstore-tests/data/path-info/json-2

doc/manual/source/protocols/json/schema/store-object-info-v2.yaml

@@ -1,6 +1,6 @@
 "$schema": "http://json-schema.org/draft-04/schema"
-"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/store-object-info-v3.json"
-title: Store Object Info v3
+"$id": "https://nix.dev/manual/nix/latest/protocols/json/schema/store-object-info-v2.json"
+title: Store Object Info v2
 description: |
   Information about a [store object](@docroot@/store/store-object.md).
 
@@ -50,10 +50,10 @@ $defs:
     properties:
       version:
         type: integer
-        const: 3
-        title: Format version (must be 3)
+        const: 2
+        title: Format version (must be 2)
         description: |
-          Must be `3`.
+          Must be `2`.
           This is a guard that allows us to continue evolving this format.
           Here is the rough version history:
 
@@ -63,8 +63,6 @@ $defs:
 
           - Version 2: Use structured JSON type for `ca`
 
-          - Version 3: Use structured JSON type for `signatures`
-
       path:
         "$ref": "./store-path-v1.yaml"
         title: Store Path
@@ -176,7 +174,7 @@ $defs:
 
           > This is an "impure" field that may not be included in certain contexts.
         items:
-          "$ref": "./signature-v2.yaml"
+          type: string
 
       # Computed closure fields
       closureSize:

doc/manual/source/protocols/json/schema/store-object-info-v3

@@ -1 +0,0 @@
-../../../../../../src/libstore-tests/data/path-info/json-3

doc/manual/source/protocols/json/schema/store-path-v1.yaml

@@ -24,7 +24,7 @@ description: |
 
   The format follows this pattern: `${digest}-${name}`
 
-  - **hash**: Digest rendered in [Nix32](@docroot@/protocols/nix32.md), a variant of base-32 (20 hash bytes become 32 ASCII characters)
+  - **hash**: Digest rendered in a custom variant of [Base32](https://en.wikipedia.org/wiki/Base32) (20 arbitrary bytes become 32 ASCII characters)
   - **name**: The package name and optional version/suffix information
 
 type: string

doc/manual/source/protocols/json/schema/store-v1.yaml

@@ -37,7 +37,7 @@ properties:
           - contents
         properties:
           info:
-            "$ref": "./store-object-info-v3.yaml#/$defs/impure"
+            "$ref": "./store-object-info-v2.yaml#/$defs/impure"
             title: Store Object Info
             description: |
               Metadata about the [store object](@docroot@/store/store-object.md) including hash, size, references, etc.
@@ -70,7 +70,7 @@ properties:
       "^[A-Za-z0-9+/]{43}=$":
         type: object
         additionalProperties:
-          "$ref": "./build-trace-entry-v3.yaml#/$defs/value"
+          "$ref": "./build-trace-entry-v1.yaml#/$defs/value"
     additionalProperties: false
 
 "$defs":

doc/manual/source/protocols/json/signature.md

@@ -1,9 +0,0 @@
-{{#include signature-v2-fixed.md}}
-
-## Examples
-
-### Simple signature
-
-```json
-{{#include schema/signature-v2/simple.json}}
-```

doc/manual/source/protocols/json/store-object-info.md

@@ -1,45 +1,45 @@
-{{#include store-object-info-v3-fixed.md}}
+{{#include store-object-info-v2-fixed.md}}
 
 ## Examples
 
 ### Minimal store object (content-addressed)
 
 ```json
-{{#include schema/store-object-info-v3/pure.json}}
+{{#include schema/store-object-info-v2/pure.json}}
 ```
 
 ### Store object with impure fields
 
 ```json
-{{#include schema/store-object-info-v3/impure.json}}
+{{#include schema/store-object-info-v2/impure.json}}
 ```
 
 ### Minimal store object (empty)
 
 ```json
-{{#include schema/store-object-info-v3/empty_pure.json}}
+{{#include schema/store-object-info-v2/empty_pure.json}}
 ```
 
 ### Store object with all impure fields
 
 ```json
-{{#include schema/store-object-info-v3/empty_impure.json}}
+{{#include schema/store-object-info-v2/empty_impure.json}}
 ```
 
 ### NAR info (minimal)
 
 ```json
-{{#include schema/nar-info-v3/pure.json}}
+{{#include schema/nar-info-v2/pure.json}}
 ```
 
 ### NAR info (with binary cache fields)
 
 ```json
-{{#include schema/nar-info-v3/impure.json}}
+{{#include schema/nar-info-v2/impure.json}}
 ```
 
 <!-- need to convert YAML to JSON first
 ## Raw Schema
 
-[JSON Schema for Store Object Info v1](schema/store-object-info-v3.json)
+[JSON Schema for Store Object Info v1](schema/store-object-info-v2.json)
 -->

doc/manual/source/protocols/nix-cache-info.md

@@ -1,55 +0,0 @@
-# Nix Cache Info Format
-
-The `nix-cache-info` file is a metadata file at the root of a [binary cache](@docroot@/package-management/binary-cache-substituter.md) (e.g., `https://cache.example.com/nix-cache-info`).
-
-MIME type: `text/x-nix-cache-info`
-
-## Format
-
-Line-based key-value format:
-
-```
-Key: value
-```
-
-Leading and trailing whitespace is trimmed from values.
-Lines without a colon are ignored.
-Unknown keys are silently ignored.
-
-## Fields
-
-### `StoreDir`
-
-The Nix store directory path that this cache was built for (e.g., `/nix/store`).
-
-If present, Nix verifies that this matches the client's store directory:
-
-```
-error: binary cache 'https://example.com' is for Nix stores with prefix '/nix/store', not '/home/user/nix/store'
-```
-
-### `WantMassQuery`
-
-`1` or `0`. Sets the default for [`want-mass-query`](@docroot@/store/types/http-binary-cache-store.md#store-http-binary-cache-store-want-mass-query).
-
-### `Priority`
-
-Integer. Sets the default for [`priority`](@docroot@/store/types/http-binary-cache-store.md#store-http-binary-cache-store-priority).
-
-## Example
-
-```
-StoreDir: /nix/store
-WantMassQuery: 1
-Priority: 30
-```
-
-## Caching Behavior
-
-Nix caches `nix-cache-info` in the [cache directory](@docroot@/command-ref/env-common.md#env-NIX_CACHE_HOME) with a 7-day TTL.
-
-## See Also
-
-- [HTTP Binary Cache Store](@docroot@/store/types/http-binary-cache-store.md)
-- [Serving a Nix store via HTTP](@docroot@/package-management/binary-cache-substituter.md)
-- [`substituters`](@docroot@/command-ref/conf-file.md#conf-substituters)

doc/manual/source/protocols/nix32.md

@@ -1,19 +0,0 @@
-# Nix32 Encoding
-
-Nix32 is Nix's variant of base-32 encoding, used for [store path digests](@docroot@/protocols/store-path.md), hash output via [`nix hash`](@docroot@/command-ref/new-cli/nix3-hash.md), and the [`outputHash`](@docroot@/language/advanced-attributes.md#adv-attr-outputHash) derivation attribute.
-
-## Alphabet
-
-The Nix32 alphabet consists of these 32 characters:
-
-```
-0 1 2 3 4 5 6 7 8 9 a b c d f g h i j k l m n p q r s v w x y z
-```
-
-The letters `e`, `o`, `u`, and `t` are omitted.
-
-## Byte Order
-
-Nix32 encoding processes the hash bytes from the end (last byte first), while base-16 encoding processes from the beginning (first byte first).
-
-Consequently, the string sort order is determined primarily by the first bytes for base-16, and by the last bytes for Nix32.

doc/manual/source/protocols/store-path.md

@@ -20,11 +20,12 @@ where
 
 - `store-dir` = the [store directory](@docroot@/store/store-path.md#store-directory)
 
-- `digest` = base-32 representation of the compressed to 160 bits [SHA-256] hash of `fingerprint`.
+- `digest` = base-32 representation of the compressed to 160 bits [SHA-256] hash of `fingerprint`
 
-  Nix uses a custom base-32 encoding called [Nix32](@docroot@/protocols/nix32.md).
-
-  For the definition of the hash compression algorithm, please refer to section 5.1 of the [Nix thesis](https://edolstra.github.io/pubs/phd-thesis.pdf).
+For the definition of the hash compression algorithm, please refer to the section 5.1 of
+the [Nix thesis](https://edolstra.github.io/pubs/phd-thesis.pdf), which also defines the
+specifics of base-32 encoding. Note that base-32 encoding processes the hash bytestring from
+the end, while base-16 processes in from the beginning.
 
 ## Fingerprint
 

doc/manual/source/release-notes/rl-0.12.md

@@ -80,7 +80,7 @@
           ...
         the following paths will be downloaded/copied (30.02 MiB):
           /nix/store/4m8pvgy2dcjgppf5b4cj5l6wyshjhalj-samba-3.2.4
-          /nix/store/spc1m987vlibchdx369qwa391s738s7l-libunwind-0.98.6
+          /nix/store/7h1kwcj29ip8vk26rhmx6bfjraxp0g4l-libunwind-0.98.6
           ...
 
   - Language features:

doc/manual/source/release-notes/rl-0.8.md

@@ -63,7 +63,7 @@ Nix 0.8 has the following improvements:
     can query all paths that directly or indirectly use a certain Glibc:
 
         $ nix-store -q --referrers-closure \
-            /nix/store/1a6mdrjz4wn7b9sfmcw5ggbk1mi281mh-glibc-2.3.4
+            /nix/store/8lz9yc6zgmc0vlqmn2ipcpkjlmbi51vv-glibc-2.3.4
 
   - The concept of fixed-output derivations has been formalised.
     Previously, functions such as `fetchurl` in Nixpkgs used a hack

doc/manual/source/release-notes/rl-2.0.md

@@ -66,7 +66,7 @@ This release has the following new features:
 
             nix copy --to ssh://machine nixpkgs.hello
 
-            nix copy --to ssh://machine /nix/store/qbhyj3blxpw2i6pb7c6grc9185nbnpvy-hello-2.10
+            nix copy --to ssh://machine /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
 
             nix copy --to ssh://machine '(with import <nixpkgs> {}; hello)'
 
@@ -187,7 +187,7 @@ This release has the following new features:
         former is primarily useful in conjunction with remote stores,
         e.g.
 
-            nix ls-store --store https://cache.nixos.org/ -lR /nix/store/qbhyj3blxpw2i6pb7c6grc9185nbnpvy-hello-2.10
+            nix ls-store --store https://cache.nixos.org/ -lR /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
 
         lists the contents of path in a binary cache.
 

doc/manual/source/release-notes/rl-2.13.md

@@ -25,7 +25,7 @@
 * Allow explicitly selecting outputs in a store derivation installable, just like we can do with other sorts of installables.
   For example,
   ```shell-session
-  # nix build /nix/store/fpq78s2h8ffh66v2iy0q1838mhff06y8-glibc-2.33-78.drv^dev
+  # nix build /nix/store/gzaflydcr6sb3567hap9q6srzx8ggdgg-glibc-2.33-78.drv^dev
   ```
   now works just as
   ```shell-session

doc/manual/source/release-notes/rl-2.15.md

@@ -18,13 +18,13 @@
 
   For example,
   ```shell-session
-  $ nix path-info /nix/store/fpq78s2h8ffh66v2iy0q1838mhff06y8-glibc-2.33-78.drv
+  $ nix path-info /nix/store/gzaflydcr6sb3567hap9q6srzx8ggdgg-glibc-2.33-78.drv
   ```
 
   now gives info about the derivation itself, while
 
   ```shell-session
-  $ nix path-info /nix/store/fpq78s2h8ffh66v2iy0q1838mhff06y8-glibc-2.33-78.drv^*
+  $ nix path-info /nix/store/gzaflydcr6sb3567hap9q6srzx8ggdgg-glibc-2.33-78.drv^*
   ```
   provides information about each of its outputs.
 

doc/manual/source/release-notes/rl-2.19.md

@@ -45,7 +45,7 @@
     ```json5
     [
       {
-        "path": "/nix/store/fvqsvk65d38p8qqir371ii0hyqxvjcw6-bash-5.2-p15",
+        "path": "/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15",
         "valid": true,
         // ...
       },
@@ -60,7 +60,7 @@
 
     ```json5
     {
-      "/nix/store/fvqsvk65d38p8qqir371ii0hyqxvjcw6-bash-5.2-p15": {
+      "/nix/store/8fv91097mbh5049i9rglc73dx6kjg3qk-bash-5.2-p15": {
         // ...
       },
       "/nix/store/wffw7l0alvs3iw94cbgi1gmmbmw99sqb-home-manager-path": null,

doc/manual/source/release-notes/rl-2.20.md

@@ -182,7 +182,7 @@
   «partially applied primop map»
 
   nix-repl> builtins.trace lib.id "my-value"
-  trace: «lambda id @ /nix/store/kgr5lnaiiv08wb7k324yv1i1npjmrvjc-source/lib/trivial.nix:26:5»
+  trace: «lambda id @ /nix/store/8rrzq23h2zq7sv5l2vhw44kls5w0f654-source/lib/trivial.nix:26:5»
   "my-value"
   ```
 

doc/manual/source/release-notes/rl-2.33.md

@@ -1,281 +0,0 @@
-# Release 2.33.0 (2025-12-09)
-
-## New features
-
-- New command `nix registry resolve` [#14595](https://github.com/NixOS/nix/pull/14595)
-
-  This command looks up a flake registry input name and returns the flakeref it resolves to.
-
-  For example, looking up Nixpkgs:
-
-  ```
-  $ nix registry resolve nixpkgs
-  github:NixOS/nixpkgs/nixpkgs-unstable
-  ```
-
-  Upstreamed from [Determinate Nix 3.14.0](https://github.com/DeterminateSystems/nix-src/pull/273).
-
-- `nix flake clone` supports all input types [#14581](https://github.com/NixOS/nix/pull/14581)
-
-  `nix flake clone` now supports arbitrary input types. In particular, this allows you to clone tarball flakes, such as flakes on FlakeHub.
-
-  Upstreamed from [Determinate Nix 3.12.0](https://github.com/DeterminateSystems/nix-src/pull/229).
-
-## Performance improvements
-
-- Git fetcher computes `revCount`s using multiple threads [#14462](https://github.com/NixOS/nix/pull/14462)
-
-  When using Git repositories with a long history, calculating the `revCount` attribute can take a long time. Nix now computes `revCount` using multiple threads, making it much faster (e.g. 9.1s to 3.7s for Nixpkgs).
-
-  Note that if you don't need `revCount`, you can disable it altogether by setting the flake input attribute `shallow = true`.
-
-  Upstreamed from [Determinate Nix 3.12.2](https://github.com/DeterminateSystems/nix-src/pull/245).
-
-- `builtins.stringLength` now runs in constant time [#14442](https://github.com/NixOS/nix/pull/14442)
-
-  The internal representation of strings has been replaced with a size-prefixed Pascal style string. Previously Nix stored strings as a NUL-terminated array of bytes, necessitating a linear scan to calculate the length.
-
-- Uploads to `http://` and `https://` binary cache stores now run in constant memory [#14390](https://github.com/NixOS/nix/pull/14390)
-
-  Nix used to buffer the whole compressed NAR contents in memory. It now reads it in a streaming fashion.
-
-- Channel URLs migrated to channels.nixos.org subdomain [#14517](https://github.com/NixOS/nix/issues/14517) [#14518](https://github.com/NixOS/nix/pull/14518)
-
-  Channel URLs have been updated from `https://nixos.org/channels/` to `https://channels.nixos.org/` throughout Nix. This subdomain provides better reliability with IPv6 support and improved CDN distribution. The old domain apex (`nixos.org/channels/`) currently redirects to the new location but may be deprecated in the future.
-
-- Fix `download buffer is full; consider increasing the 'download-buffer-size' setting` warning [#11728](https://github.com/NixOS/nix/issues/11728) [#14614](https://github.com/NixOS/nix/pull/14614)
-
-  The underlying issue that led to [#11728](https://github.com/NixOS/nix/issues/11728) has been resolved by utilizing
-  [libcurl write pausing functionality](https://curl.se/libcurl/c/curl_easy_pause.html) to control backpressure when unpacking to slow destinations like the git-backed tarball cache. The default value of `download-buffer-size` is now 1 MiB and it's no longer recommended to increase it, since the root cause has been fixed.
-
-  This is expected to improve download performance on fast connections, since previously a single slow download consumer would stall the thread and prevent any other transfers from progressing.
-
-  Many thanks go out to the [Lix project](https://lix.systems/) for the [implementation](https://git.lix.systems/lix-project/lix/commit/4ae6fb5a8f0d456b8d2ba2aaca3712b4e49057fc) that served as inspiration for this change and for triaging libcurl [issues with pausing](https://github.com/curl/curl/issues/19334).
-
-- Significantly improve tarball unpacking performance [#14689](https://github.com/NixOS/nix/pull/14689) [#14696](https://github.com/NixOS/nix/pull/14696) [#10683](https://github.com/NixOS/nix/issues/10683) [#11098](https://github.com/NixOS/nix/issues/11098)
-
-  Nix uses a content-addressed cache backed by libgit2 for deduplicating files fetched via `fetchTarball` and `github`, `tarball` flake inputs. Its usage has been significantly optimised to reduce the amount of I/O operations that are performed. For a typical nixpkgs source tarball this results in 200 times fewer system calls on Linux. In combination with libcurl pausing this alleviates performance regressions stemming from the tarball cache.
-
-- Already valid derivations are no longer copied to the store [#14219](https://github.com/NixOS/nix/pull/14219)
-
-  This results in a modest speedup when using the Nix daemon.
-
-- `nix nar ls` and `nix nar cat` are significantly faster and no longer buffer the whole NAR in memory [#14273](https://github.com/NixOS/nix/pull/14273) [#14732](https://github.com/NixOS/nix/pull/14732)
-
-## S3 improvements
-
-- Improved S3 binary cache support via HTTP [#11748](https://github.com/NixOS/nix/issues/11748) [#12403](https://github.com/NixOS/nix/issues/12403) [#12671](https://github.com/NixOS/nix/issues/12671) [#13084](https://github.com/NixOS/nix/issues/13084) [#13752](https://github.com/NixOS/nix/pull/13752) [#13823](https://github.com/NixOS/nix/pull/13823) [#14026](https://github.com/NixOS/nix/pull/14026) [#14120](https://github.com/NixOS/nix/pull/14120) [#14131](https://github.com/NixOS/nix/pull/14131) [#14135](https://github.com/NixOS/nix/pull/14135) [#14144](https://github.com/NixOS/nix/pull/14144) [#14170](https://github.com/NixOS/nix/pull/14170) [#14190](https://github.com/NixOS/nix/pull/14190) [#14198](https://github.com/NixOS/nix/pull/14198) [#14206](https://github.com/NixOS/nix/pull/14206) [#14209](https://github.com/NixOS/nix/pull/14209) [#14222](https://github.com/NixOS/nix/pull/14222) [#14223](https://github.com/NixOS/nix/pull/14223) [#14330](https://github.com/NixOS/nix/pull/14330) [#14333](https://github.com/NixOS/nix/pull/14333) [#14335](https://github.com/NixOS/nix/pull/14335) [#14336](https://github.com/NixOS/nix/pull/14336) [#14337](https://github.com/NixOS/nix/pull/14337) [#14350](https://github.com/NixOS/nix/pull/14350) [#14356](https://github.com/NixOS/nix/pull/14356) [#14357](https://github.com/NixOS/nix/pull/14357) [#14374](https://github.com/NixOS/nix/pull/14374) [#14375](https://github.com/NixOS/nix/pull/14375) [#14376](https://github.com/NixOS/nix/pull/14376) [#14377](https://github.com/NixOS/nix/pull/14377) [#14391](https://github.com/NixOS/nix/pull/14391) [#14393](https://github.com/NixOS/nix/pull/14393) [#14420](https://github.com/NixOS/nix/pull/14420) [#14421](https://github.com/NixOS/nix/pull/14421)
-
-  S3 binary cache operations now happen via HTTP, leveraging `libcurl`'s native AWS SigV4 authentication instead of the AWS C++ SDK, providing significant improvements:
-
-  - **Reduced memory usage**: Eliminates memory buffering issues that caused segfaults with large files
-  - **Fixed upload reliability**: Resolves AWS SDK chunking errors (`InvalidChunkSizeError`)
-  - **Lighter dependencies**: Uses lightweight `aws-crt-cpp` instead of full `aws-cpp-sdk`, reducing build complexity
-
-  The new implementation requires curl >= 7.75.0 and `aws-crt-cpp` for credential management.
-
-  All existing S3 URL formats and parameters remain supported, however the store settings for configuring multipart uploads have changed:
-
-  - **`multipart-upload`** (default: `false`): Enable multipart uploads for large files. When enabled, files exceeding the multipart threshold will be uploaded in multiple parts.
-
-  - **`multipart-threshold`** (default: `100 MiB`): Minimum file size for using multipart uploads. Files smaller than this will use regular PUT requests. Only takes effect when `multipart-upload` is enabled.
-
-  - **`multipart-chunk-size`** (default: `5 MiB`): Size of each part in multipart uploads. Must be at least 5 MiB (AWS S3 requirement). Larger chunk sizes reduce the number of requests but use more memory.
-
-  - **`buffer-size`**: Has been replaced by `multipart-chunk-size` and is now an alias to it.
-
-  Note that this change also means Nix now supports S3 binary cache stores even if built without `aws-crt-cpp`, but only for public buckets which do not require authentication.
-
-- S3 URLs now support object versioning via `versionId` parameter [#13955](https://github.com/NixOS/nix/issues/13955) [#14274](https://github.com/NixOS/nix/pull/14274)
-
-  S3 URLs now support a `versionId` query parameter to fetch specific versions
-  of objects from S3 buckets with versioning enabled. This allows pinning to
-  exact object versions for reproducibility and protection against unexpected
-  changes:
-
-  ```
-  s3://bucket/key?region=us-east-1&versionId=abc123def456
-  ```
-
-- S3 binary cache stores now support storage class configuration [#7015](https://github.com/NixOS/nix/issues/7015) [#14464](https://github.com/NixOS/nix/pull/14464)
-
-  S3 binary cache stores now support configuring the storage class for uploaded objects via the `storage-class` parameter. This allows users to optimize costs by selecting appropriate storage tiers based on access patterns.
-
-  Example usage:
-
-  ```bash
-  # Use Glacier storage for long-term archival
-  nix copy --to 's3://my-bucket?storage-class=GLACIER' /nix/store/...
-
-  # Use Intelligent Tiering for automatic cost optimization
-  nix copy --to 's3://my-bucket?storage-class=INTELLIGENT_TIERING' /nix/store/...
-  ```
-
-  The storage class applies to both regular uploads and multipart uploads. When not specified, objects use the bucket's default storage class.
-
-  See the [S3 storage classes documentation](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-class-intro.html) for available storage classes and their characteristics.
-
-
-## Store path info JSON format changes
-
-The JSON format emitted by `nix path-info --json` has been updated to a new version with improved structure.
-
-To maintain compatibility, `nix path-info --json` now requires a `--json-format` flag to specify the output format version.
-Using `--json` without `--json-format` is deprecated and will become an error in a future release.
-For now, it defaults to version 1 with a warning, for a smoother migration.
-
-### Version 1 (`--json-format 1`)
-
-This is the legacy format, preserved for backwards compatibility:
-
-- String-based hash values (e.g., `"narHash": "sha256:FePFYIlM..."`)
-- String-based content addresses (e.g., `"ca": "fixed:r:sha256:1abc..."`)
-- Full store paths for map keys and references (e.g., `"/nix/store/abc...-foo"`)
-- Now includes `"storeDir"` field at the top level
-
-### Version 2 (`--json-format 2`)
-
-The new structured format follows the [JSON guidelines](@docroot@/development/json-guideline.md) with the following changes:
-
-- **Nested structure with top-level metadata**:
-
-  The output is now wrapped in an object with `version`, `storeDir`, and `info` fields:
-
-  ```json
-  {
-    "version": 2,
-    "storeDir": "/nix/store",
-    "info": { ... }
-  }
-  ```
-
-  The map from store path base names to store object info is nested under the `info` field.
-
-- **Store path base names instead of full paths**:
-
-  Map keys and references use store path base names (e.g., `"abc...-foo"`) instead of full absolute store paths.
-  Combined with `storeDir`, the full path can be reconstructed.
-
-- **Structured `ca` field**:
-
-  Content address is now a structured JSON object instead of a string:
-
-  - Old: `"ca": "fixed:r:sha256:1abc..."`
-  - New: `"ca": {"method": "nar", "hash": "sha256-ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="}`
-  - Still `null` values for input-addressed store objects
-
-  The `hash` field uses the [SRI](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) format like other hashes.
-
-Additionally the following fields are added to both formats:
-
-  - **`version` field**:
-
-    All store path info JSON now includes `"version": <1|2>`. The `version` tracks breaking changes, and adding fields to outputted JSON is not a breaking change.
-
-  - **`storeDir` field**:
-
-    Top-level `"storeDir"` field contains the store directory path (e.g., `"/nix/store"`).
-
-## Derivation JSON format changes
-
-The derivation JSON format has been updated from version 3 to version 4:
-
-- **Nested structure with top-level metadata**:
-
-  The output of `nix derivation show` is now wrapped in an object with `version` and `derivations` fields:
-
-  ```json
-  {
-    "version": 4,
-    "derivations": { ... }
-  }
-  ```
-
-  The map from derivation paths to derivation info is nested under the `derivations` field.
-
-  This matches the structure used for `nix path-info --json --json-format 2`, and likewise brings this command into compliance with the JSON guidelines.
-
-- **Restructured inputs**:
-
-  Inputs are now nested under an `inputs` object:
-
-  - Old: `"inputSrcs": [...], "inputDrvs": {...}`
-  - New: `"inputs": {"srcs": [...], "drvs": {...}}`
-
-- **Consistent content addresses**:
-
-  Fixed content-addressed outputs now use structured JSON format.
-  This is the same format as `ca` in store path info (after the new version).
-
-Version 3 and earlier formats are *not* accepted when reading.
-
-**Affected command**: `nix derivation`, namely its `show` and `add` sub-commands.
-
-## Miscellaneous changes
-
-- Git fetcher: Restore progress indication [#14487](https://github.com/NixOS/nix/pull/14487)
-
-  Nix used to feel "stuck" while it was cloning large repositories. Nix now shows Git's native progress indicator while fetching.
-
-  Upstreamed from [Determinate Nix 3.13.0](https://github.com/DeterminateSystems/nix-src/pull/250).
-
-- Interrupting REPL commands works more than once [#13481](https://github.com/NixOS/nix/issues/13481)
-
-  Previously, this only worked once per REPL session; further attempts would be ignored.
-  This issue is now fixed, so REPL commands such as `:b` or `:p` can be canceled consistently.
-  This is a cherry-pick of the change from the [Lix project](https://gerrit.lix.systems/c/lix/+/1097).
-
-- NAR unpacking code has been rewritten to make use of dirfd-based `openat` and `openat2` system calls when available [#14597](https://github.com/NixOS/nix/pull/14597)
-
-- Dynamic size unit rendering [#14423](https://github.com/NixOS/nix/pull/14423) [#14364](https://github.com/NixOS/nix/pull/14364)
-
-  Various commands and the progress bar now use dynamically determined size units instead
-  of always using `MiB`. For example, the progress bar now reports download status like:
-
-  ```
-  [1/196/197 copied (773.7 MiB/2.1 GiB), 172.4/421.5 MiB DL]
-  ```
-
-  Instead of:
-
-  ```
-  [1/196/197 copied (773.7/2147.3 MiB), 172.4/421.5 MiB DL]
-  ```
-
-## Contributors
-
-This release was made possible by the following 33 contributors:
-
-- Adam Dinwoodie [**(@me-and)**](https://github.com/me-and)
-- jonhermansen [**(@jonhermansen)**](https://github.com/jonhermansen)
-- Arnout Engelen [**(@raboof)**](https://github.com/raboof)
-- Jean-François Roche [**(@jfroche)**](https://github.com/jfroche)
-- tomberek [**(@tomberek)**](https://github.com/tomberek)
-- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
-- Marcel [**(@MarcelCoding)**](https://github.com/MarcelCoding)
-- David McFarland [**(@corngood)**](https://github.com/corngood)
-- Soumyadip Sarkar [**(@neuralsorcerer)**](https://github.com/neuralsorcerer)
-- Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
-- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
-- Tristan Ross [**(@RossComputerGuy)**](https://github.com/RossComputerGuy)
-- Alex Auvolat [**(@Alexis211)**](https://github.com/Alexis211)
-- edef [**(@edef1c)**](https://github.com/edef1c)
-- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
-- Vinayak Goyal [**(@vinayakankugoyal)**](https://github.com/vinayakankugoyal)
-- Graham Dennis [**(@GrahamDennis)**](https://github.com/GrahamDennis)
-- Aspen Smith [**(@glittershark)**](https://github.com/glittershark)
-- Jens Petersen [**(@juhp)**](https://github.com/juhp)
-- Bernardo Meurer [**(@lovesegfault)**](https://github.com/lovesegfault)
-- Peter Bynum [**(@pkpbynum)**](https://github.com/pkpbynum)
-- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
-- Alex Decious [**(@adeci)**](https://github.com/adeci)
-- Matthieu Coudron [**(@teto)**](https://github.com/teto)
-- Domen Kožar [**(@domenkozar)**](https://github.com/domenkozar)
-- Taeer Bar-Yam [**(@Radvendii)**](https://github.com/Radvendii)
-- Seth Flynn [**(@getchoo)**](https://github.com/getchoo)
-- Robert Hensing [**(@roberth)**](https://github.com/roberth)
-- Vladimir Panteleev [**(@CyberShadow)**](https://github.com/CyberShadow)
-- bryango [**(@bryango)**](https://github.com/bryango)
-- Henry [**(@cootshk)**](https://github.com/cootshk)
-- Martin Joerg [**(@mjoerg)**](https://github.com/mjoerg)
-- Farid Zakaria [**(@fzakaria)**](https://github.com/fzakaria)

doc/manual/source/release-notes/rl-2.34.md

@@ -1,352 +0,0 @@
-# Release 2.34.0 (2026-02-27)
-
-## Highlights
-
-- Rust nix-installer in beta
-
-  The Rust-based rewrite of the Nix installer is now in beta.
-  We'd love help testing it out!
-
-  To test out the new installer, run:
-  ```
-  curl -sSfL https://artifacts.nixos.org/nix-installer | sh -s -- install
-  ```
-
-  This installer can be run even when you have an existing, script-based Nix installation without any adjustments.
-
-  This new installer also comes with the ability to uninstall your Nix installation; run:
-  ```
-  /nix/nix-installer uninstall
-  ```
-
-  This will get rid of your entire Nix installation (even if you installed over an existing, script-based installation).
-
-  This installer is a modified version of the [Determinate Nix Installer](https://github.com/DeterminateSystems/nix-installer) by Determinate Systems.
-  Thanks to Determinate Systems for all the investment they've put into the installer.
-
-  Source for the installer is in <https://github.com/NixOS/nix-installer>.
-  Report any issues in that repo.
-
-  For CI usage, a GitHub Action to install Nix using this installer is available at <https://github.com/NixOS/nix-installer-action>.
-
-- Stabilisation of `no-url-literals` experimental feature and new diagnostics infrastructure, with `lint-url-literals`, `lint-short-path-literals`, and `lint-absolute-path-literals` settings [#8738](https://github.com/NixOS/nix/issues/8738) [#10048](https://github.com/NixOS/nix/issues/10048) [#10281](https://github.com/NixOS/nix/issues/10281) [#15326](https://github.com/NixOS/nix/pull/15326)
-
-  Experimental feature `no-url-literals` has been stabilised and is now controlled by the `lint-url-literals` option.
-  New diagnostics infrastructure has been added for linting discouraged language features.
-
-  ### New lint infrastructure
-
-  #### [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals)
-
-  The `no-url-literals` experimental feature has been stabilised and replaced with a new [`lint-url-literals`](@docroot@/command-ref/conf-file.md#conf-lint-url-literals) setting.
-
-  To migrate from the experimental feature, replace:
-  ```
-  experimental-features = no-url-literals
-  ```
-  with:
-  ```
-  lint-url-literals = fatal
-  ```
-
-  #### [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals)
-
-  The [`warn-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-warn-short-path-literals) boolean setting has been deprecated and replaced with [`lint-short-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-short-path-literals).
-
-  To migrate, replace:
-  ```
-  warn-short-path-literals = true
-  ```
-  with:
-  ```
-  lint-short-path-literals = warn
-  ```
-
-  #### [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals)
-
-  A new [`lint-absolute-path-literals`](@docroot@/command-ref/conf-file.md#conf-lint-absolute-path-literals) setting has been added to control handling of absolute path literals (paths starting with `/`) and home path literals (paths starting with `~/`).
-
-  #### Setting values
-
-  All three settings accept three values:
-  - `ignore`: Allow the feature without emitting any diagnostic (default)
-  - `warn`: Emit a warning when the feature is used
-  - `fatal`: Treat the feature as a parse error
-
-  The defaults may change in future versions.
-
-- Improved parser error messages [#15092](https://github.com/NixOS/nix/pull/15092)
-
-  Parser error messages now use legible strings for tokens instead of internal names. For example, malformed expression `a ++ ++ b` now produces the following error:
-  ```
-  error: syntax error, unexpected '++'
-       at «string»:1:6:
-            1| a ++ ++ b
-             |      ^
-  ```
-
-  Instead of:
-  ```
-  error: syntax error, unexpected CONCAT
-       at «string»:1:6:
-            1| a ++ ++ b
-             |      ^
-  ```
-
-## New features
-
-- `nix repl` now supports `inherit` and multiple bindings [#15082](https://github.com/NixOS/nix/pull/15082)
-
-  The `nix repl` now supports `inherit` statements and multiple bindings per line:
-
-  ```
-  nix-repl> a = { x = 1; y = 2; }
-  nix-repl> inherit (a) x y
-  nix-repl> x + y
-  3
-
-  nix-repl> p = 1; q = 2;
-  nix-repl> p + q
-  3
-
-  nix-repl> foo.bar.baz = 1;
-  nix-repl> foo.bar
-  { baz = 1; }
-  ```
-
-- New command `nix store roots-daemon` for serving GC roots [#15143](https://github.com/NixOS/nix/pull/15143)
-
-  New command [`nix store roots-daemon`](@docroot@/command-ref/new-cli/nix3-store-roots-daemon.md) runs a daemon that serves garbage collector roots over a Unix domain socket.
-  It enables the garbage collector to discover runtime roots when the main Nix daemon doesn't have `CAP_SYS_PTRACE` capability and therefore cannot scan `/proc`.
-
-  The garbage collector can be configured to use this daemon via the [`use-roots-daemon`](@docroot@/store/types/local-store.md#store-experimental-option-use-roots-daemon) store setting.
-
-  This feature requires the [`local-overlay-store` experimental feature](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store).
-
-- New command `nix-nswrapper` in `libexec` [#15183](https://github.com/NixOS/nix/pull/15183)
-
-  The new command `libexec/nix-nswrapper` is used to run the Nix daemon in an unprivileged user namespace on Linux. In order to use this command, build user UIDs and GIDs must be allocated in `/etc/subuid` and `/etc/subgid`.
-
-  It can be used to run the Nix daemon with full sandboxing without executing as root. Support has been added to Nixpkgs with the new `nix.daemonUser` and `nix.daemonGroup` settings.
-
-- New setting `ignore-gc-delete-failure` for local stores [#15054](https://github.com/NixOS/nix/pull/15054)
-
-  A new local store setting [`ignore-gc-delete-failure`](@docroot@/store/types/local-store.md#store-local-store-ignore-gc-delete-failure) has been added.
-  When enabled, garbage collection will log warnings instead of failing when it cannot delete store paths.
-  This is useful when running Nix as an unprivileged user that may not have write access to all paths in the store.
-
-  This setting is experimental and requires the [`local-overlay-store`](@docroot@/development/experimental-features.md#xp-feature-local-overlay-store) experimental feature.
-
-- New setting `narinfo-cache-meta-ttl` [#15287](https://github.com/NixOS/nix/pull/15287)
-
-  The new setting `narinfo-cache-meta-ttl` controls how long binary cache metadata (i.e. `/nix-cache-info`) is cached locally, in seconds. This was previously hard-coded to 7 days, which is still the default. As a result, you can now use `nix store info --refresh` to check whether a binary cache is still valid.
-
-- Support HTTPS binary caches using mTLS (client certificate) authentication [#13002](https://github.com/NixOS/nix/issues/13002) [#13030](https://github.com/NixOS/nix/pull/13030)
-
-  Added support for `tls-certificate` and `tls-private-key` options in substituter URLs.
-
-  Example:
-
-  ```
-  https://substituter.invalid?tls-certificate=/path/to/cert.pem&tls-private-key=/path/to/key.pem
-  ```
-
-  When these options are configured, Nix will use this certificate/private key pair to authenticate to the server.
-
-- `nix store gc --dry-run` and `nix-collect-garbage --dry-run` now report the number of paths that would be freed [#15229](https://github.com/NixOS/nix/pull/15229) [#5704](https://github.com/NixOS/nix/issues/5704)
-
-## Performance improvements
-
-- Unpacking tarballs to `~/.cache/nix/tarball-cache-v2` is now multithreaded [#12087](https://github.com/NixOS/nix/pull/12087)
-
-  Content-addressed cache for `builtins.fetchTarball` and tarball-based flake inputs (e.g. `github:NixOS/nixpkgs`, `https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz`) now writes git blobs (files) to the `tarball-cache-v2` repository concurrently, which significantly reduces the wall time for tarball unpacking (up to ~1.8x faster unpacking for `https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz` in our testing).
-
-  Currently, Nix doesn't perform any maintenance on the `~/.cache/nix/tarball-cache-v2` repository, which will be addressed in future versions. Users that wish to reclaim disk space used by the tarball cache may want to run:
-
-  ```
-  rm -rf ~/.cache/nix/tarball-cache # Historical tarball-cache, not used by Nix >= 2.33
-  cd ~/.cache/nix/tarball-cache-v2 && git multi-pack-index write && git multi-pack-index repack && git multi-pack-index expire
-  ```
-
-- `nix nar ls` and other NAR listing operations have been optimised further [#15163](https://github.com/NixOS/nix/pull/15163)
-
-- Evaluator hot-path optimizations [#15270](https://github.com/NixOS/nix/pull/15270) [#15271](https://github.com/NixOS/nix/pull/15271)
-
-## C API Changes
-
-- New store API methods [#14766](https://github.com/NixOS/nix/pull/14766) [#14768](https://github.com/NixOS/nix/pull/14768)
-
-  The C API now includes additional methods:
-
-  - `nix_store_query_path_from_hash_part()` - Get the full store path given its hash part
-  - `nix_store_copy_path()` - Copy a single store path between two stores, allows repairs and configuring signature checking
-
-- Errors returned from your primops are not treated as recoverable by default [#13930](https://github.com/NixOS/nix/pull/13930) [#15286](https://github.com/NixOS/nix/pull/15286)
-
-  Nix 2.34 by default remembers the error in the thunk that triggered it.
-
-  Previously the following sequence of events worked:
-
-  1. Have a thunk that invokes a primop that's defined through the C API
-  2. The primop returns an error
-  3. Force the thunk again
-  4. The primop returns a value
-  5. The thunk evaluated successfully
-
-  **Resolution**
-
-  C API consumers that rely on this must change their recoverable error calls:
-
-  ```diff
-  -nix_set_err_msg(context, NIX_ERR_*, msg);
-  +nix_set_err_msg(context, NIX_ERR_RECOVERABLE, msg);
-  ```
-
-## Bug fixes
-
-- Avoid dropping ssh connections with `ssh-ng://` stores for store path copying [#14998](https://github.com/NixOS/nix/pull/14998) [#6950](https://github.com/NixOS/nix/issues/6950)
-
-  Due to a bug in how Nix handled Boost.Coroutine2 suspension and resumption, copying from `ssh-ng://` stores would drop the SSH connection for each copied path. This issue has been fixed, which improves performance by avoiding multiple SSH/Nix Worker Protocol handshakes.
-
-- S3 binary caches now use virtual-hosted-style addressing by default [#15208](https://github.com/NixOS/nix/issues/15208) [#15216](https://github.com/NixOS/nix/pull/15216)
-
-  S3 binary caches now use virtual-hosted-style URLs
-  (`https://bucket.s3.region.amazonaws.com/key`) instead of path-style URLs
-  (`https://s3.region.amazonaws.com/bucket/key`) when connecting to standard AWS
-  S3 endpoints. This enables HTTP/2 multiplexing and fixes TCP connection
-  exhaustion (TIME_WAIT socket accumulation) under high-concurrency workloads.
-
-  A new `addressing-style` store option controls this behavior:
-
-  - `auto` (default): virtual-hosted-style for standard AWS endpoints, path-style
-    for custom endpoints.
-  - `path`: forces path-style addressing (deprecated by AWS).
-  - `virtual`: forces virtual-hosted-style addressing (bucket names must not
-    contain dots).
-
-  Bucket names containing dots (e.g., `my.bucket.name`) automatically fall back
-  to path-style addressing in `auto` mode, because dotted names create
-  multi-level subdomains that break TLS wildcard certificate validation.
-
-  Example using path-style for backwards compatibility:
-
-  ```
-  s3://my-bucket/key?region=us-east-1&addressing-style=path
-  ```
-
-  Additionally, TCP keep-alive is now enabled on all HTTP connections, preventing
-  idle connections from being silently dropped by intermediate network devices
-  (NATs, firewalls, load balancers).
-
-- `nix-prefetch-url --unpack` now properly checks for empty archives [#15242](https://github.com/NixOS/nix/pull/15242)
-
-  Prior versions failed to check for empty archives and would crash with a `nullptr` dereference when unpacking empty archives.
-  This is now fixed.
-
-- Prevent runaway processes when Nix is killed with `SIGKILL` when building in a local store with build users [#15193](https://github.com/NixOS/nix/pull/15193)
-
-  When run as root, Nix doesn't run builds via the daemon and is a parent of the forked build processes. Prior versions of Nix failed to preserve the `PR_SET_PDEATHSIG` parent-death signal across `setuid` calls. This could lead to build processes being reparented and continue running in the background. This has been fixed.
-
-- Fix crash when interrupting `--log-format internal-json` [#15335](https://github.com/NixOS/nix/pull/15335)
-
-  Pressing Ctrl-C during `--log-format internal-json` (used by [nix-output-monitor](https://github.com/maralorn/nix-output-monitor)) no longer causes a spurious "Nix crashed. This is a bug." report.
-
-- Fix percent-encoding in `file://` and `local://` store URIs [#15280](https://github.com/NixOS/nix/pull/15280)
-
-  Store URIs with special characters like `+` in the path (e.g. `file:///tmp/a+b`) no longer incorrectly create percent-encoded directories (e.g. `/tmp/a%2Bb`).
-
-- Fix crash during tab completion in `nix repl` [#15255](https://github.com/NixOS/nix/pull/15255)
-
-- Fix "Too many open files" on macOS [#15205](https://github.com/NixOS/nix/pull/15205)
-
-  Nix now raises the open file soft limit to the hard limit at startup, fixing "Too many open files" errors on macOS where the default soft limit is low.
-
-- `nix develop` no longer fails when `inputs.nixpkgs` has `flake = false` [#15175](https://github.com/NixOS/nix/pull/15175)
-
-- `builtins.flakeRefToString` no longer fails with "attribute is a thunk" [#15160](https://github.com/NixOS/nix/pull/15160)
-
-- Fix `QueryPathInfo` throwing on invalid paths in the daemon [#15134](https://github.com/NixOS/nix/pull/15134)
-
-- `nix-store --generate-binary-cache-key` now fsyncs key files to prevent corruption [#15107](https://github.com/NixOS/nix/pull/15107)
-
-- Fix `build-hook` setting in `nix.conf` being ignored [#15083](https://github.com/NixOS/nix/pull/15083)
-
-- Fix empty error messages when builds are cancelled due to a dependency failure [#14972](https://github.com/NixOS/nix/pull/14972)
-
-  When a build fails without `--keep-going`, other in-progress builds are cancelled. Previously, these cancelled builds were incorrectly reported as failed with empty error messages. This affected `buildPathsWithResults` callers such as `nix flake check`.
-
-## Miscellaneous changes
-
-- Content-Encoding decompression is now handled by libcurl [#14324](https://github.com/NixOS/nix/issues/14324) [#15336](https://github.com/NixOS/nix/pull/15336)
-
-  Transparent decompression of HTTP downloads specifying `Content-Encoding` header now uses libcurl. This adds support for previously advertised, but not supported `deflate` encoding as well as deprecated `x-gzip` alias.
-  Non-standard `xz`, `bzip2` encodings that were previously advertised are no longer supported, as they do not commonly appear in the wild and should not be sent by compliant servers.
-
-  `br`, `zstd`, `gzip` continue to be supported. Distro packaging should ensure that the `libcurl` dependency is linked against required libraries to support these encodings. By default, the build system now requires libcurl >= 8.17.0, which is not known to have issues around [pausing and decompression](https://github.com/curl/curl/issues/16280).
-
-- Static builds now support S3 features (`libstore:s3-aws-auth` meson option) [#15076](https://github.com/NixOS/nix/pull/15076)
-
-- Improved package-related error messages [#15349](https://github.com/NixOS/nix/pull/15349)
-
-  Store path context is now rendered in the user-facing `hash^out` format instead of the internal `!out!hash` format.
-  A misleading error message in `nix-env` that incorrectly blamed content-addressed derivations has been fixed.
-
-- Improved error message for empty derivation files [#15298](https://github.com/NixOS/nix/pull/15298)
-
-  Parsing an empty `.drv` file (e.g. due to store corruption after an unclean shutdown) now produces a clear error message instead of the cryptic `expected string 'D'`.
-
-- Relative `file:` paths for tarballs are now rejected with a clear error [#14983](https://github.com/NixOS/nix/pull/14983)
-
-- Continued progress on the Windows port, including build fixes, CI improvements, and platform abstractions.
-
-- Nix docker images are now uploaded to [GHCR](https://github.com/NixOS/nix/pkgs/container/nix) as part of the release process
-
-  Historically, only pre-release builds of `amd64` docker images have been uploaded to ghcr.io with the `latest` tag pointing to the last built image from `master` branch. This has been fixed and going forward, <https://github.com/NixOS/nix/pkgs/container/nix> will include the same images as <https://hub.docker.com/r/nixos/nix/> that are built by [Hydra](https://hydra.nixos.org/project/nix) for [arm64](https://hydra.nixos.org/job/nix/maintenance-2.34/dockerImage.aarch64-linux) and [amd64](https://hydra.nixos.org/job/nix/maintenance-2.34/dockerImage.x86_64-linux). Pre-release versions are no longer pushed to the registry.
-
-## Contributors
-
-This release was made possible by the following 43 contributors:
-
-- Taeer Bar-Yam [**(@Radvendii)**](https://github.com/Radvendii)
-- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
-- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
-- Graham Dennis [**(@GrahamDennis)**](https://github.com/GrahamDennis)
-- Damien Diederen [**(@ztzg)**](https://github.com/ztzg)
-- koberbe-jh [**(@koberbe-jh)**](https://github.com/koberbe-jh)
-- Robert Hensing [**(@roberth)**](https://github.com/roberth)
-- Bouke van der Bijl [**(@bouk)**](https://github.com/bouk)
-- Lisanna Dettwyler [**(@lisanna-dettwyler)**](https://github.com/lisanna-dettwyler)
-- kiara [**(@KiaraGrouwstra)**](https://github.com/KiaraGrouwstra)
-- Side Effect [**(@YawKar)**](https://github.com/YawKar)
-- dram [**(@dramforever)**](https://github.com/dramforever)
-- tomf [**(@tomfitzhenry)**](https://github.com/tomfitzhenry)
-- Kamil Monicz [**(@Zaczero)**](https://github.com/Zaczero)
-- Cosima Neidahl [**(@OPNA2608)**](https://github.com/OPNA2608)
-- Siddhant Kumar [**(@siddhantk232)**](https://github.com/siddhantk232)
-- Jens Petersen [**(@juhp)**](https://github.com/juhp)
-- Johannes Kirschbauer [**(@hsjobeki)**](https://github.com/hsjobeki)
-- tomberek [**(@tomberek)**](https://github.com/tomberek)
-- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
-- Artemis Tosini [**(@artemist)**](https://github.com/artemist)
-- David McFarland [**(@corngood)**](https://github.com/corngood)
-- Tucker Shea [**(@NoRePercussions)**](https://github.com/NoRePercussions)
-- Connor Baker [**(@ConnorBaker)**](https://github.com/ConnorBaker)
-- Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
-- Eveeifyeve [**(@Eveeifyeve)**](https://github.com/Eveeifyeve)
-- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
-- Graham Christensen [**(@grahamc)**](https://github.com/grahamc)
-- Ilja [**(@iljah)**](https://github.com/iljah)
-- Pol Dellaiera [**(@drupol)**](https://github.com/drupol)
-- steelman [**(@steelman)**](https://github.com/steelman)
-- Brian McKenna [**(@puffnfresh)**](https://github.com/puffnfresh)
-- JustAGuyTryingHisBest [**(@JustAGuyTryingHisBest)**](https://github.com/JustAGuyTryingHisBest)
-- zowoq [**(@zowoq)**](https://github.com/zowoq)
-- Agustín Covarrubias [**(@agucova)**](https://github.com/agucova)
-- Sergei Trofimovich [**(@trofi)**](https://github.com/trofi)
-- Bernardo Meurer [**(@lovesegfault)**](https://github.com/lovesegfault)
-- Peter Bynum [**(@pkpbynum)**](https://github.com/pkpbynum)
-- Amaan Qureshi [**(@amaanq)**](https://github.com/amaanq)
-- Michael Hoang [**(@Enzime)**](https://github.com/Enzime)
-- Michael Daniels [**(@mdaniels5757)**](https://github.com/mdaniels5757)
-- Matthew Kenigsberg [**(@mkenigs)**](https://github.com/mkenigs)
-- Shea Levy [**(@shlevy)**](https://github.com/shlevy)

doc/manual/source/store/store-path.md

@@ -2,7 +2,7 @@
 
 > **Example**
 >
-> `/nix/store/jf6gn2dzna4nmsfbdxsd7kwhsk6gnnlr-git-2.38.1`
+> `/nix/store/a040m110amc4h71lds2jmr8qrkj2jhxd-git-2.38.1`
 >
 > A rendered store path
 
@@ -22,7 +22,7 @@ Store paths are pairs of
 
 > **Example**
 >
-> - Digest: `q06x3jll2yfzckz2bzqak089p43ixkkq`
+> - Digest: `b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z`
 > - Name:   `firefox-33.1`
 
 To make store objects accessible to operating system processes, stores have to expose store objects through the file system.
@@ -31,14 +31,14 @@ A store path is rendered to a file system path as the concatenation of
 
 - [Store directory](#store-directory) (typically `/nix/store`)
 - Path separator (`/`)
-- Digest rendered in [Nix32](@docroot@/protocols/nix32.md), a variant of base-32 (20 hash bytes become 32 ASCII characters)
+- Digest rendered in a custom variant of [Base32](https://en.wikipedia.org/wiki/Base32) (20 arbitrary bytes become 32 ASCII characters)
 - Hyphen (`-`)
 - Name
 
 > **Example**
 >
 > ```
->   /nix/store/q06x3jll2yfzckz2bzqak089p43ixkkq-firefox-33.1
+>   /nix/store/b6gvzjyb2pg0kjfwrjmg1vfhh54ad73z-firefox-33.1
 >   |--------| |------------------------------| |----------|
 > store directory            digest                 name
 > ```

doc/manual/source/store/types/index.md.in

@@ -8,7 +8,7 @@ Stores are specified using a URL-like syntax. For example, the command
 
 ```console
 # nix path-info --store https://cache.nixos.org/ --json \
-  /nix/store/1542dip9i7k4f24y6hqgd04hmvid9hr5-coreutils-9.1
+  /nix/store/a7gvj343m05j2s32xcnwr35v31ynlypr-coreutils-9.1
 ```
 
 fetches information about a store path in the HTTP binary cache

docker.nix

@@ -358,6 +358,7 @@ dockerTools.buildLayeredImageWithNixDb {
 
   extraCommands = ''
     rm -rf nix-support
+    ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles
   '';
   fakeRootCommands = ''
     chmod 1777 tmp

flake.lock

@@ -3,15 +3,15 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1767039857,
-        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
-        "owner": "NixOS",
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
         "type": "github"
       },
       "original": {
-        "owner": "NixOS",
+        "owner": "edolstra",
         "repo": "flake-compat",
         "type": "github"
       }
@@ -63,15 +63,15 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1771903837,
-        "narHash": "sha256-jEA8WggGKtMFeNeCKq3NK8cLEjJmG6/RLUElYYbBZ0E=",
-        "rev": "e764fc9a405871f1f6ca3d1394fb422e0a0c3951",
+        "lastModified": 1763948260,
+        "narHash": "sha256-zZk7fn2ARAqmLwaYTpxBJmj81KIdz11NiWt7ydHHD/M=",
+        "rev": "1c8ba8d3f7634acac4a2094eef7c32ad9106532c",
         "type": "tarball",
-        "url": "https://releases.nixos.org/nixos/25.11/nixos-25.11.6495.e764fc9a4058/nixexprs.tar.xz"
+        "url": "https://releases.nixos.org/nixos/25.05/nixos-25.05.813095.1c8ba8d3f763/nixexprs.tar.xz"
       },
       "original": {
         "type": "tarball",
-        "url": "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz"
+        "url": "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz"
       }
     },
     "nixpkgs-23-11": {

flake.nix

@@ -1,12 +1,12 @@
 {
   description = "The purely functional package manager";
 
-  inputs.nixpkgs.url = "https://channels.nixos.org/nixos-25.11/nixexprs.tar.xz";
+  inputs.nixpkgs.url = "https://channels.nixos.org/nixos-25.05/nixexprs.tar.xz";
 
   inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
   inputs.nixpkgs-23-11.url = "github:NixOS/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446";
   inputs.flake-compat = {
-    url = "github:NixOS/flake-compat";
+    url = "github:edolstra/flake-compat";
     flake = false;
   };
 
@@ -115,9 +115,6 @@
                     }
                     // lib.optionalAttrs (crossSystem == "x86_64-unknown-freebsd13") {
                       useLLVM = true;
-                    }
-                    // lib.optionalAttrs (crossSystem == "x86_64-w64-mingw32") {
-                      emulator = pkgs: "${pkgs.buildPackages.wineWow64Packages.stable_11}/bin/wine";
                     };
                 overlays = [
                   (overlayFor (pkgs: pkgs.${stdenv}))
@@ -409,10 +406,6 @@
 
               "nix-cmd" = { };
 
-              "nix-nswrapper" = {
-                linuxOnly = true;
-              };
-
               "nix-cli" = { };
 
               "nix-everything" = { };
@@ -425,6 +418,10 @@
                 supportsCross = false;
               };
 
+              "nix-kaitai-struct-checks" = {
+                supportsCross = false;
+              };
+
               "nix-perl-bindings" = {
                 supportsCross = false;
               };
@@ -433,37 +430,32 @@
               pkgName:
               {
                 supportsCross ? true,
-                linuxOnly ? false,
               }:
-              lib.optionalAttrs (linuxOnly -> nixpkgsFor.${system}.native.stdenv.hostPlatform.isLinux) (
-                {
-                  # These attributes go right into `packages.<system>`.
-                  "${pkgName}" = nixpkgsFor.${system}.native.nixComponents2.${pkgName};
-                  "${pkgName}-static" = nixpkgsFor.${system}.native.pkgsStatic.nixComponents2.${pkgName};
-                  "${pkgName}-llvm" = nixpkgsFor.${system}.native.pkgsLLVM.nixComponents2.${pkgName};
-                }
-                // flatMapAttrs (lib.genAttrs stdenvs (_: { })) (
-                  stdenvName:
-                  { }:
-                  {
-                    # These attributes go right into `packages.<system>`.
-                    "${pkgName}-${stdenvName}" =
-                      nixpkgsFor.${system}.nativeForStdenv.${stdenvName}.nixComponents2.${pkgName};
-                  }
-                )
-              )
+              {
+                # These attributes go right into `packages.<system>`.
+                "${pkgName}" = nixpkgsFor.${system}.native.nixComponents2.${pkgName};
+                "${pkgName}-static" = nixpkgsFor.${system}.native.pkgsStatic.nixComponents2.${pkgName};
+                "${pkgName}-llvm" = nixpkgsFor.${system}.native.pkgsLLVM.nixComponents2.${pkgName};
+              }
               // lib.optionalAttrs supportsCross (
                 flatMapAttrs (lib.genAttrs crossSystems (_: { })) (
                   crossSystem:
                   { }:
-                  lib.optionalAttrs
-                    (linuxOnly -> nixpkgsFor.${system}.cross.${crossSystem}.stdenv.hostPlatform.isLinux)
-                    {
-                      # These attributes go right into `packages.<system>`.
-                      "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents2.${pkgName};
-                    }
+                  {
+                    # These attributes go right into `packages.<system>`.
+                    "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents2.${pkgName};
+                  }
                 )
               )
+              // flatMapAttrs (lib.genAttrs stdenvs (_: { })) (
+                stdenvName:
+                { }:
+                {
+                  # These attributes go right into `packages.<system>`.
+                  "${pkgName}-${stdenvName}" =
+                    nixpkgsFor.${system}.nativeForStdenv.${stdenvName}.nixComponents2.${pkgName};
+                }
+              )
             )
         // lib.optionalAttrs (builtins.elem system linux64BitSystems) {
           dockerImage =

maintainers/data/release-credits-email-to-handle.json

@@ -224,25 +224,5 @@
     "42688647+netadr@users.noreply.github.com": "netadr",
     "matej.urbas@gmail.com": "urbas",
     "ethanalexevans@gmail.com": "ethanavatar",
-    "greg.marti@gmail.com": "gmarti",
-    "arnout@bzzt.net": "raboof",
-    "vinayakankugoyal@gmail.com": "vinayakankugoyal",
-    "Radvendii@users.noreply.github.com": "Radvendii",
-    "jon@jh86.org": "jonhermansen",
-    "edef@edef.eu": "edef1c",
-    "pkpbynum@gmail.com": "pkpbynum",
-    "886074+teto@users.noreply.github.com": "teto",
-    "alex@adnab.me": "Alexis211",
-    "root@gws.fyi": "glittershark",
-    "me@m4rc3l.de": "MarcelCoding",
-    "taeer.bar-yam@bevuta.com": "Radvendii",
-    "martin.joerg@gmail.com": "mjoerg",
-    "git@cy.md": "CyberShadow",
-    "cootshk@duck.com": "cootshk",
-    "adam@dinwoodie.org": "me-and",
-    "domen@cachix.org": "domenkozar",
-    "alex.decious@gmail.com": "adeci",
-    "soumya.papanvk18@gmail.com": "neuralsorcerer",
-    "gdennis@anduril.com": null,
-    "graham.dennis@gmail.com": "GrahamDennis"
+    "greg.marti@gmail.com": "gmarti"
 }

maintainers/data/release-credits-handle-to-name.json

@@ -196,21 +196,5 @@
     "gmarti": "Gr\u00e9gory Marti",
     "lovesegfault": "Bernardo Meurer",
     "EphraimSiegfried": "Ephraim Siegfried",
-    "hgl": "Glen Huang",
-    "mjoerg": "Martin Joerg",
-    "Alexis211": "Alex Auvolat",
-    "domenkozar": "Domen Ko\u017ear",
-    "edef1c": "edef",
-    "cootshk": "Henry",
-    "raboof": "Arnout Engelen",
-    "pkpbynum": "Peter Bynum",
-    "glittershark": "Aspen Smith",
-    "MarcelCoding": "Marcel",
-    "teto": "Matthieu Coudron",
-    "jonhermansen": null,
-    "neuralsorcerer": "Soumyadip Sarkar",
-    "adeci": "Alex Decious",
-    "vinayakankugoyal": "Vinayak Goyal",
-    "me-and": "Adam Dinwoodie",
-    "GrahamDennis": "Graham Dennis"
+    "hgl": "Glen Huang"
 }

maintainers/flake-module.nix

@@ -88,28 +88,16 @@
               ''^tests/functional/lang/eval-fail-path-slash\.nix$''
               ''^tests/functional/lang/eval-fail-toJSON-non-utf-8\.nix$''
               ''^tests/functional/lang/eval-fail-set\.nix$''
-
-              # Language tests, don't churn the formatting of strings
-              ''^tests/functional/lang/eval-fail-fromTOML-overflow\.nix$''
-              ''^tests/functional/lang/eval-fail-fromTOML-underflow\.nix$''
-              ''^tests/functional/lang/eval-fail-bad-string-interpolation-3\.nix$''
-              ''^tests/functional/lang/eval-fail-bad-string-interpolation-4\.nix$''
-              ''^tests/functional/lang/eval-okay-regex-match2\.nix$''
-
-              # URL literal tests - nixfmt converts unquoted URLs to strings
-              ''^tests/functional/lang/eval-fail-url-literal\.nix$''
-              ''^tests/functional/lang/eval-okay-url-literal-warn\.nix$''
-              ''^tests/functional/lang/eval-okay-url-literal-default\.nix$''
             ];
           };
           clang-format = {
             enable = true;
             # https://github.com/cachix/git-hooks.nix/pull/532
-            package = pkgs.llvmPackages_21.clang-tools;
+            package = pkgs.llvmPackages_latest.clang-tools;
             excludes = [
               # We don't want to format test data
               # ''tests/(?!nixos/).*\.nix''
-              "^src/[^/]*-tests/data/.*$"
+              ''^src/[^/]*-tests/data/.*$''
 
               # Don't format vendored code
               ''^doc/manual/redirects\.js$''

maintainers/invalidate-store-paths.sh

@@ -1,32 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-set -x
-
-git ls-files -z \
-    | xargs -0 grep -o '[0123456789abcdfghijklmnpqrsvwxyz]\{32\}' 2> /dev/null \
-    | rev \
-    | cut -d: -f1 \
-    | rev \
-    | sort \
-    | uniq \
-    | while read -r oldhash; do
-        if ! curl --fail -I "https://cache.nixos.org/$oldhash.narinfo" > /dev/null 2>&1; then
-            continue
-        fi
-
-        newhash=$(
-            nix eval --expr "builtins.toFile \"006c6ssvddri1sg34wnw65mzd05pcp3qliylxlhv49binldajba5\" \"$oldhash\"" \
-                | cut -d- -f1 \
-                | cut -d/ -f4
-        )
-
-        msg=$(printf "bad: %s -> %s" "$oldhash" "$newhash")
-        echo "$msg"
-        git ls-files -z \
-            | xargs -0 grep -a -l "$oldhash" 2> /dev/null \
-            | while read -r file; do
-                [ -L "$file" ] && continue
-                perl -pi -e "s/$oldhash/$newhash/g" "$file" || true
-            done || true
-        git commit -am "$msg"
-    done

maintainers/keys/158A6F530EA202E5F651611314FAEA63448E1DF9.asc

@@ -1,110 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBGPtMiwBEAC0sFZW2QW/OaDjKm5zGRpDvHXDsMIUtlHfoi5ce8pocC63W05o
-FSXbUZjZ1VfYO8lT8DFANCzTkiXYaZx0cPRG2pVY4AOQZDNFt5XrAyvw496XCAIM
-DTYGFLjCqgjPt9RUFEy4MyHPJTEpB0x3rXgT4ILNu9vsj9Q0vttps7SpbZ3Ldq5H
-o/BBbLW77q/vNjpYzCbBIXF7ycUGpnNv9Go/WuiDnrBMcyxh+8kjjIHB5cxZSnjJ
-DUv681+m83v+gLZQGX/jexQrrf5JpS0X9qEnhGLrNUDhtyv5ud3Je4EfamkjLVVC
-RlNLofgflOCsl/tP80i+K7S1QdKhUALxuJ6H0prYUflGBDxDyC8XYuJ62TT0OUpa
-vJvgwVlCq8/jq+ykYQXlbuBVOzi5wAuI4l3+HqreSQYPSiwe+6N590Zbafdv1fvN
-WFtZKCTGMqfyaaAnppioH9/+NWkI2AQxaYVasYM/JEYvY9pJgA7alh51jHW4JglP
-ErypKfBKPKJID0QENqYoa3bDDCihuNWhgQf9dxzPlj2ckd35Zb6w4DfuSmtjaa9D
-o0jZVY1JbFuxBqP09+saVPrxLHgmPxjcdzPGQQtAqdO2vyJXNEGLFMoVEZPNaLo3
-QmcIJnT7oSck+4vGfOYtWUHXQynu/Tnwsv2XkA/uyw8HNe+RRMqv/apnzQARAQAB
-tCdTZXJnZWkgWmltbWVybWFuIDxzZXJnZWlAemltbWVybWFuLmZvbz6JAlEEEwEK
-ADsCGwEFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AWIQQVim9TDqIC5fZRYRMU+upj
-RI4d+QUCaUbsaAIZAQAKCRAU+upjRI4d+VdDD/492HRaJ/8V7R7VUzkafmb2Hb28
-SLf7oiB8Uq9I7SukiDEaIT1fUhquYWQ9KWpPRNR1TX6ApXnIeuJRMGFoDVIRnmnr
-cKnYYXfqqc81VxIyKvaumB7KWbS7G4Nbor8AH1ouOOOMMS50OTJOWQA4A26inIuG
-n+7L8MeS5aT+3uNKDoTKsidC47vnaxNMcke1taPfbfo7vn69PsRCM/g9/7TQYU8b
-6xp+pM9Ao9nJneRk2YCpsGYRrWTpaik0DFKnfpPKJM/yunhtGLF2IYAp3l1mvHPK
-nnzo92zjpQuZwazEIK+23V1vRT4IjM2BewbJPAzf2/UuxEjjgNQm0tOtH2JhFNeB
-VM0BVrGxWrrwrsmv6lWghTtBc6zRWyHrj/rpjtVQNmeKYrHWJeXwVz1rqgGPmB2N
-k0MZD1UjHHhEs1Cntn7yLmxTPztRJCtR+euRu81Uo2NAvrMJ4xsDjaM0LeLTnzjV
-9AsPjD188dOFyz7VExZum4+XaaEJ41FIPLEqU3U0GAa6stEy0ylSlIN4x9aiXXVW
-xfzHHchS5jK6QAjuZxN8t01GRactNylINRf7uoTECFZTtXNqfeuk0HQxBH0LuKVE
-0PxJbcNI4mVWw1KgTJ8PUVC1IXP3sEpqPdJOYiRXgnpcS26fWOBu0aQ4mhxiaJhr
-/zBfrkLEqp20TdNDZLkCDQRj7TM1ARAAt73xO24curnHTTgXkkVMMRzcMLx3Mb1a
-2FuddxC5hzTpEpw01L91UBrXVJEg9K2KAwP5CtCLgPCqXr47Tm7krvHxWwBksgY/
-6aHRsoPQfCFUZHc0aiO+C4NCzR+aEeGKn66Oc1Hq9oUTpDgiBWhsuEPiyA1OSGF0
-4L0jeTCqfm68kWp4PIK9yuugkdDsoyj6TonuMsb3V5ctHLqop9KH+eHSkUTPo+Lk
-+bxaeAOJ1UfbohgbRbrYKAfsaghhOMDH3R1w2pvtUJz+sDbuQsiPFTqbxsXDTFws
-H4N/AQCYnnvOhqEek2sOEZ19bJXt5UrAr10mX4PGmAkWqE1JWBxpOKG3BXSGOTu1
-3dFhQfPMK+PmvUrs0kcWQr53K/aRUdKKhIfTcMfkqYTGPK5HclHph24WjXj3QFFA
-SjksQTdm6486ZmLZK4CTbAFOPfTF/aWg8gu9v4ihdq6lqHNNXxv2xBAChcd59H7p
-D5zy9z8SpwWR9V5JDmlF6HWIIau1c6lSsQq1xHvYM8EuPe03vJvor+2u/cn5zYF1
-5ZxAuPI2i5vtavg1s8ZGAAogJ9dVcP36LdJfL9quXWvmovkd//qHIepBB+l/zQio
-ZRDZlIcfV3Xycaqsb5OqHGARHE0097koipMt5y/iXlqG4Ruue6Idb8bW96EKpaWj
-kKy/iNfQfQMAEQEAAYkEcgQYAQoAJgIbAhYhBBWKb1MOogLl9lFhExT66mNEjh35
-BQJpRuz3BQkJHCDCAkDBdCAEGQEKAB0WIQRK3hK0WyJ4BicGpcmpsLVXymMjJQUC
-Y+0zNQAKCRCpsLVXymMjJbdSD/9+f1FOOeGDAJI6Duo5fsWnf4xJJdtQtDbz6d2A
-SeDapxeJ3zWfKBD0wu5sISEa0uiWsYSmLtsa2SqVAKHlEaMGRR+tkBMPQ+rvgI4c
-62YjGTgm+IPd+NFIn+ixFU1hpinTh+KhUEoeOwWCvKs9nZfSG9vkienfiG0bBxo2
-zrvBzXA50x5hbUL+ghKu/AVfN9qZDwh30O4KZTwk4g4cM9SeaQa4YvHYIS3IEhDZ
-hGybwrrqV9cs92ln4IJw9WCy9QReBNrdeFgC4+3ziUp1QsG3RvqrtuMttwBVC1Z3
-bj5QjLLOREhhodfvk98t9yVkragObb4rGrLo1mWuF0c4mJGvXwnrqhCMvzv4M+0T
-Zdrmw6YpGkGOaOPghVuwoTtqSAkl+zFWIJS89jidvkYG3EqKAkgLKog/TQReCq13
-HWrF8cMck+Rf2K8k26q/RNZaA9ZUKjLExzz8lsWmd2C7rvkGLrlxnzxz0gGyNR3Q
-KK74vcPhqeABt2GSkHtEXZFFA9IVVzwlRWK3e0S+mVQnZVjNL+cBPn3/hZHMLesB
-CucyYZv+DxvT+JkYXBkGSw4s3hpABqGym7gdPUIa0q4rbBFG6xP5sLLBG4yru8vV
-2dyCMmFqRuxpT49uNfyQ6Vj+dobN6qHnP/9NwfzOixXYBHXR6LBqb/M+iCiJaaIn
-uiRLHwkQFPrqY0SOHfkQpA//W51vj8meuz7snRO+vZFcjLneFFzqfh1Jdz8IqDpO
-CkI5pBJmi8e0oSe6r68MkahiQLlYPwm7d+sjHvJhPWipNKWq/uwCgBs+Ac1lpPXR
-MwLbrZukcLMYlLmb2MrCKmjcMt0BZsZKBNYL3a3X9nHgwXdeqFYS4WQDMCCc09lz
-9YqfdoEsqRO4qN7D0hFqnwjOzb34ixZ6UO8a8ekY9QKxAgWc9fJWGMg6Pjdg4qsK
-nqymOIAdGVOJdoRM46wKGVBvbsF2gNfQU4XyzgJo5vHGFwJm6EoSnODlL5e2wsQh
-uN1oqBt/8ef/plloMEqVBweUBATqSqjRF6IhhYJvWVuQHQL1p1vnV9FebiVj34ir
-Z8ID+o0AnTJcclbUcDwannGJ0cuDcPhk/v/ahVuoMERCi12qnMBo5B/e6Omyh1yB
-4pbf4GATGGQipDQG75eC/kP2GQEqJP5WYN0Ar8Le/AA/2xyL7upW0yIByyXCwGEb
-JRwEgU3+bPyu58bFt8Pftit6J7rA3oBVVMOPrYH5eZwRaj5m2RptwKGL6BfHnhNv
-ZqmCq9EBGX6L1NI0xHMjEFfXJ8jU01XdfG8nCqkwqsHwslXLhqjJphfHcx89YwbV
-/15GCuURAv1cKe/7277sOhcvP/QpQqSWgvYExHw8PeFJcTYtF2NrRgNwcQsWS1Rj
-gXa5Ag0EY+0zcAEQANC5N6kSfezuucAgi+X3BD+MT37mxQyvICSggEJf1LDSmy0+
-bnvD7setL8CP9etTA2fcVNYKI1oboMyhoCnsRP2jDdv1iXOI/hZg4wSb/D1yUkae
-fUpxv3Wuci2QKavH2MfraDD7BFMbsQeMcHtn4Rk216T6jndZHnzT1Ih7iX0XeQPb
-li5fojOiZssgWAVT4HPXFCJB6lI35Hjp35oRYwrtMmu5INinZ79n9h1igGtt1ItZ
-b7rQKNd772Jxcn4UU71ovORSL/xT5i5sxZ+evQOxkpqUAokMOFaoHcOXLmA1NsFv
-yryXHK4Ioq9ap2jKlLTWkJWjua9JZ4AmKhbvT8X4ELxIKSCAdJKAWP8ZHbXNu5MD
-aznyzZQLxSO7uFvu356De75mI5iohZNj5wB5Wju71pBiorTKVj4+iJ4e+xVIzFdG
-hFC0DehNcl2t9w/y8qHwIQ1yUAjXHLXq0/2jsVeH6bU5q/MsgvUP1jcFe0eyOpxy
-CDvyFdzZFbI57TnB/fvcZTRZ5ewXMFpH8gzuoFzAjUAP95UjYKgaGdrNPNIy28Ii
-4zhvdghei2+n9jgiMfcGQg8lyfH5yF0vWWWynX0KcJsRwEZoL2EauVdwq4PcYOoU
-pQFhpcreCjD4LdZ4yRU4InbhcUogXjrQ9Dz01TbPmQD5b5iso21bCEFBXrhzABEB
-AAGJAjwEGAEKACYCGwwWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwg
-hwAKCRAU+upjRI4d+X/XD/sH5xvHPfTJq52v8weFmB52up+DzqG2lyhGdoUQ1Muw
-dRDLTLXLJrFdfpoOo7/j4Scr0rdc7/dpCn0DLcPuCoPxu+SkjEnVehFmZrGSv7Ga
-x9dHr3DBh42fdlX/U/EnDuyosY0JU1gNF2/6FIA+bTTOFE3RxfN906RjslYQDjMZ
-UAlSeLYHOZofdltI0YIr32vrxgdWQGZXPxU4XusDUc0z163OO+TGg7iUNWFZP5Qj
-ubM7e0YbDX0NPIshk8us99YJmrWnhaix1/W5ryO3DXiGaQ7XFi9u7QofRqvRIctg
-QXavdepkzJow9V9qpMECAJePIuICq7rm+xy+njjbuF436W7390bfVBwRr+FPADsl
-jgQP4KvY5rykss30kheom8wNEbveWkhH5oTfH9b7O4KXJfpfJzrlgOWp2BD9JL8t
-/M4HvFXTr2a75H/QbHK5OFrZeGATuv9OTxv7EZvnrPXU+DYTFldpu7TrNNqKCoj3
-ZyXmc3Hhg5kskDhfHJppaeOayuhMOpT3ud1MFzROY5SLVIH8rBR12KUgsCUYQcGs
-Iy0+0QvEGkjb4cAH1NK3VlbqVNsy1RmqRt2B28R2ueewDfTOoqkzt4MmzLqTdnAx
-mTqmHmkEKhEf3K4MRNUPO2yieUg2COk5l6x9HhAnoxxeOZrTmcMsPY/UViG2HEPm
-ybkCDQRj7TRDARAA9DZuKdfKq4Bs2+NwxC0aplljWOl8VIsEVg+Q8agD7/HU6/b6
-Dry0njtWybn2x6Axf/nUdeOC01Fi1lmht/fpj6mRkgAvd/V6P10xnsUoykPSDSTh
-P25MFFGW3JAA82bwdJ4AJpEQvTZG2nTb3237vlBiI1qHQrac8GYkju2O4UfySRN6
-7cyi7bMf2pjWBBOEhaNy4b6CMDsb32P/N5J7sTE/TXgrS+u4ITIgjzSrkUkh5Z+B
-8QVRa7xPIDZJdvZWTEXWu5fgRPZvxbr154GIkWJkFzlDoB1UcO56/uzRUuKhEV6o
-HW3LMUuWdPMjpHpq8hrL0G2rDniJFUtbDFzHdZK1LUU3T2BJM8rjI3D/euph+IDT
-27vl5qo72zCYE/iKzx4FMLZcQvx1kUAxkPX8l+dzZEwKeRIIpFDxQvatRtl+z0bM
-jbkpDb+Yjv66sC4dYRpgTTGX6rok0PWHR3IxDNzyf2j8zQ4LFJ+rVBM1GjGSt6mG
-j9TeL8CVeiSp4SuJ7I/FJVPHsKb50m+BDzeB31qTydNqh2kKr0DVAUa+TUsCr7e0
-OYr8WE2adJcRXIW0qw50xXF+W7/05GqSCVD0dpeOUdBTQTsSkQmM3/0hcj9aVo9e
-UDCM9RF0WRqiDAoHzJFfg+ztamkQI5HO6CklC4Ok22qrHRf6HDNYSuT6QFkAEQEA
-AYkCPQQYAQoAJwMbIAQWIQQVim9TDqIC5fZRYRMU+upjRI4d+QUCaUbs9wUJCRwf
-tAAKCRAU+upjRI4d+Y+cD/9yllG6uo934pcHNsVppZBfREFwSc8ywlbosCuSVpay
-PjSqgrWwDrnqrsk0F2kUdC6rR3BIcXbn+lA9KqylH+cCXAJCkh8EDq6TlQ7Lt5EV
-w1U0MAMXOyxPwDymQ/BO+iDyjXWkRRYgbF5XiFhCfGeuKyhkhACisAgNZ1uA1P5k
-0SJYc14YfEhQkB46Y20SpfVHRsQ46FyNB6GHbmTmfoO8La8VTh++7GBdh85HfvkG
-VNQ3wpi5oXsOLN9+MJOezc0XsW2LQsKQj1/J7QKzGh+lxN5cemsA5aqPzh8dyxeT
-0lYRFp4AHkimqGUomVpRkbegMIPxXqOE+ZAmsddErw0UtmrKxcmMptOJwNgYzEgu
-++2vtqerL/NYp+wsdcWaBjCz2F3NiwHgNli7NSB/FPwucZZ5gN5C4SnmeFzrGdHg
-Oy+tQUN6ayQKljHeBO7CjMlsFNo/dcVrEMa1ShxBMqlj/6ivoEhktLz0Nru4FwNU
-xE5SJYDYfpjD7Ws8y4LoXgWXjFHrMO6N9GzqLN/e8LT7I+w4ps2MrgJ8QSrelmQ3
-rjkxp3uWp5v2lqy4rLfpi9iB6zIAeoN2eU1yOM9joxOYMxKYaYeYyP1Mm90wFol8
-LcTSaN+tVniPddBiL6zvsGBEMbCR9XN3EQ+mErbuw5ovWBOCrr+dvN3FxvD11y4J
-7w==
-=mXYP
------END PGP PUBLIC KEY BLOCK-----

maintainers/keys/B541D55301270E0BCF15CA5D8170B4726D7198DE.asc

@@ -1,51 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBFZu2zwBCADfatenjH3cvhlU6AeInvp4R0JmPBG942aghFj1Qh57smRcO5Bv
-y9mqrX3UDdmVvu58V3k1k9/GzPnAG1t+c7ohdymv/AMuNY4pE2sfxx7bX+mncTHX
-5wthipn8kTNm4WjREjCJM1Bm5sozzEZetED3+0/dWlnHl8b38evnLsD+WbSrDPVp
-o6M6Eg9IfMwTfcXzdmLmSnGolBWDQ9i1a0x0r3o+sDW5UTnr7jVP+zILcnOZ1Ewl
-Rn9OJ4Qg3ULM7WTMDYpKH4BO7RLR3aJgmsFAHp17vgUnzzFBZ10MCS3UOyUNoyph
-xo3belf7Q9nrHcSNbqSeQuBnW/vafAZUreAlABEBAAG0IkVlbGNvIERvbHN0cmEg
-PGVkb2xzdHJhQGdtYWlsLmNvbT6JATwEEwEIACYCGyMHCwkIBwMCAQYVCAIJCgsE
-FgIDAQIeAQIXgAUCVm7etAIZAQAKCRCBcLRybXGY3q51B/96qt41tmcDSzrj/UTl
-O6rErfW5zFvVsJTZ95Duwu87t/DVhw5lKBQcjALqVddufw1nMzyN/tSOMVDW8xe4
-wMEdcU4+QAMzNX80enuyinsw1glxfLcK0+VbTvqNIfw0sG3MjPqNs6cK2VRfMHK4
-paJjytBVICszNX9TfjLyIpKKoSSo1vqnT47LDZ5GIMy7l9Cs2sO/rqQHSPcR79yz
-8m8tbHpDDEMZmJeklckKP2QoiqnHiIvlisDxLclYnUmNaPdaN/f++qZz5Yqvu1n+
-sNUBA5eLaZH64Uy2SwtABxO3JPJ8nQ2+SFZ7ocFm4Gcdv4aM+Ura9S6fvM91tEJp
-yAQOiQE5BBMBCAAjBQJWbts8AhsjBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AA
-CgkQgXC0cm1xmN6sIAgAielxO8zJREqEkA2xudg/o4e9ZlNZ3X1NvY8OzJH/qlB2
-SmwKqwifhtbC1K0uavXA7eaxdtd2zrI+Yq7IooUyv7juMjHTZhLcFbR5iVkQ4Mfp
-JmeHXJ/ChYKxD5mMj/C3WbCZ91oCSNZ6Iyi5fvQj/691OC4q+y/2NEUcOI8D8cw8
-XKHbKtceFYc+nZmdOv3ZZrNTSN/kszGViNNLKgnpPdDVPtLp+vjXtbmitiFG2HL/
-WfbJ+3Gh2Yr1Vy3O9dWKH++e1AmIv7WWqmUjRFVpqC/wr7/BLaScWT8WKF5vkshU
-gq8Ez1/cuizsgs3wQIZWgXKQK5njvwnbKg+Zmh/uGbQmRWVsY28gRG9sc3RyYSA8
-ZWVsY28uZG9sc3RyYUB0d2VhZy5pbz6JAU4EEwEIADgWIQS1QdVTAScOC88Vyl2B
-cLRybXGY3gUCXELt4gIbIwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCBcLRy
-bXGY3ujFCADfS5D1xHU8KH6TpqgssSggYVq62Wwn/Ga+4XPPetM+ajcXagyH6SwB
-mxlHICcnv9xC93ryiTI10P1ADJl+aBsI66wEdHBU+ty4RTDy4JZNUPtmRCk9LhSc
-mtUO3ry/wtWkRLdJxP49hg7BbQvWoU0M6WODp7SJjPKPWNX64mzHBeOuy+DqGCbM
-lpGNCvW8ahU/ewbm7+xwWmzqLDoWzXjHsdF4QdzMVM/vkAgWEP4y0wEqFASzIYaR
-GNEkBWU4OQVq5Bdm9+wWWAgsbM0FJAQl0GDqnz4QxWzxxCAAXdbh9F5ffafWYsA9
-bise4ZQLkvYo6iUnrcFm4dtZbT8iL3gptCtFZWxjbyBEb2xzdHJhIDxlZWxjby5k
-b2xzdHJhQGxvZ2ljYmxveC5jb20+iQE5BBMBCAAjBQJWbt6nAhsjBwsJCAcDAgEG
-FQgCCQoLBBYCAwECHgECF4AACgkQgXC0cm1xmN4b/wf8DApMV/jSPEpibekrUPQu
-Ye3Z8cxBQuRm/nOPowtPEH/ShAevrCdRiob2nuEZWNoqZ2e5/+6ud07Hs9bslvco
-cDv1jeY1dof1idxfKhH3kfSpuD2XJhuzQBxBqOrIlCS/rdnW+Y9wOGD7+bs9QpcA
-IyAeQGLLkfggAxaGYQ2Aev8pS7i3a/+lOWbFhcTe02I49KemCOJqBorG5FfILLNr
-DjO3EoutNGpuz6rZvc/BlymphWBoAdUmxgoObr7NYWgw9pI8WeE6C7bbSOO7p5aQ
-spWXU7Hm17DkzsVDpaJlyClllqK+DdKza5oWlBMe/P02jD3Y+0P/2rCCyQQwmH3D
-RbkBDQRWbts8AQgA0g556xc08dH5YNEjbCwEt1j+XoRnV4+GfbSJIXOl9joIgzRC
-4IaijvL8+4biWvX7HiybfvBKto0XB1AWLZRC3jWKX5p74I77UAcrD+VQ/roWQqlJ
-BKbiQMlRYEsj/5Xnf72G90IP4DAFKvNl+rLChe+jUySA91BCtrYoP75Sw1BE9Cyz
-xEtm4WUzKAJdXI+ZTBttA2Nbqy+GSuzBs7fSKDwREJaZmVrosvmns+pQVG4WPWf4
-0l4mPguDQmZ9wSWZvBDkpG7AgHYDRYRGkMbAGsVfc6cScN2VsSTa6cbeeAEowKxM
-qx9RbY3WOq6aKAm0qDvow1nl7WwXwe8K0wQxfQARAQABiQEfBBgBCAAJBQJWbts8
-AhsMAAoJEIFwtHJtcZjeuAAH/0YNz2Qe1IAEO5oqEZNFOccL4KxVPrBhWUen83/b
-C6PjOnOqv6q5ztAcms88WIKxBlfzIfq+dzJcbKVS/H7TEXgcaC+7EYW8sJVEsipN
-BtEZ3LQNJ5coDjm7WZygniah1lfXNuiritAXduK5FWNNndqGArEaeZ8Shzdo/Uyi
-b9lOsBIL6xc2ZcnX5f+rTu02LCEtEb0FwCycZLEWYf8hG4k8uttIOZOC+CLk/k8d
-kBmPikMwUVTTV0CdT1cemQKdTaoAaK+kurF6FYXwcnjhRlHrisSt/tVMEwTw4LUM
-3MYf6qfjjvE4HlDwZal8th7ccoQp/flfJIuRv85xCcKK+PI=
-=u5cX
------END PGP PUBLIC KEY BLOCK-----

maintainers/keys/README.md

@@ -1,13 +0,0 @@
-# Maintainer GPG Keys
-
-Release tags are signed by members of the [Nix maintainer team](https://nixos.org/community/teams/nix/) as part of the [release process](../release-process.md). This directory contains the public GPG keys used for signing.
-
-## Keys
-
-- **Eelco Dolstra**
-  GPG Fingerprint: `B541 D553 0127 0E0B CF15 CA5D 8170 B472 6D71 98DE`
-
-- **Sergei Zimmerman**
-  GPG Fingerprint: [`158A 6F53 0EA2 02E5 F651 6113 14FA EA63 448E 1DF9`](https://keys.openpgp.org/vks/v1/by-fingerprint/158A6F530EA202E5F651611314FAEA63448E1DF9)
-
-<!-- TODO: Add keys for other Nix team members -->

maintainers/release-process.md

@@ -5,11 +5,11 @@
 The release process is intended to create the following for each
 release:
 
-* A signed Git tag (public keys in `maintainers/keys/`)
+* A Git tag
 
 * Binary tarballs in https://releases.nixos.org/?prefix=nix/
 
-* Docker images (arm64 and amd64 variants, uploaded to DockerHub and GHCR)
+* Docker images
 
 * Closures in https://cache.nixos.org
 
@@ -104,17 +104,21 @@ release:
   evaluation ID (e.g. `1780832` in
   `https://hydra.nixos.org/eval/1780832`).
 
-* Tag the release:
+* Tag the release and upload the release artifacts to
+  [`releases.nixos.org`](https://releases.nixos.org/) and [Docker Hub](https://hub.docker.com/):
 
   ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
   ```
 
   Note: `IS_LATEST=1` causes the `latest-release` branch to be
   force-updated. This is used by the `nixos.org` website to get the
   [latest Nix manual](https://nixos.org/manual/nixpkgs/unstable/).
 
-* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
+  TODO: This script requires the right AWS credentials. Document.
+
+  TODO: This script currently requires a
+  `/home/eelco/Dev/nix-pristine`.
 
   TODO: trigger nixos.org netlify: https://docs.netlify.com/configure-builds/build-hooks/
 
@@ -177,18 +181,16 @@ release:
 * Wait for the desired evaluation of the maintenance jobset to finish
   building.
 
-* Tag the release
+* Run
 
   ```console
-  $ IS_LATEST=1 ./maintainers/upload-release.pl --skip-docker --skip-s3 --project-root $PWD <EVAL-ID>
+  $ IS_LATEST=1 ./maintainers/upload-release.pl <EVAL-ID>
   ```
 
   Omit `IS_LATEST=1` when creating a point release that is not on the
   most recent stable branch. This prevents `nixos.org` to going back
   to an older release.
 
-* Trigger the [`upload-release.yml` workflow](https://github.com/NixOS/nix/actions/workflows/upload-release.yml) via `workflow_dispatch` trigger. At the top click `Run workflow` -> select the current release branch from `Use workflow from` -> fill in `Hydra evaluation ID` with `<EVAL-ID>` value from previous steps -> click `Run workflow`. Wait for the run to be approved by `NixOS/nix-team` (or bypass checks if warranted). Wait for the workflow to succeed.
-
 * Bump the version number of the release branch as above (e.g. to
   `2.12.2`).
 

maintainers/upload-release.pl

@@ -1,8 +1,7 @@
 #! /usr/bin/env nix-shell
-#! nix-shell -i perl -p awscli2 perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 perlPackages.GetoptLongDescriptive gnupg1
+#! nix-shell -i perl -p perl perlPackages.LWPUserAgent perlPackages.LWPProtocolHttps perlPackages.FileSlurp perlPackages.NetAmazonS3 gnupg1
 
 use strict;
-use Getopt::Long::Descriptive;
 use Data::Dumper;
 use File::Basename;
 use File::Path;
@@ -14,30 +13,7 @@ use Net::Amazon::S3;
 
 delete $ENV{'shell'}; # shut up a LWP::UserAgent.pm warning
 
-my ($opt, $usage) = describe_options(
-    '%c %o <eval-id>',
-    [ 'skip-docker',      'Skip Docker image upload' ],
-    [ 'skip-git',         'Skip Git tagging' ],
-    [ 'skip-s3',          'Skip S3 upload' ],
-    [ 'docker-owner=s',   'Docker image owner', { default => 'nixos/nix' } ],
-    [ 'project-root=s',   'Pristine git repository path' ],
-    [ 's3-endpoint=s',    'Custom S3 endpoint' ],
-    [ 's3-host=s',        'S3 host', { default => 's3-eu-west-1.amazonaws.com' } ],
-    [],
-    [ 'help|h',           'Show this help message', { shortcircuit => 1 } ],
-    [],
-    [ 'Environment variables:' ],
-    [ 'AWS_ACCESS_KEY_ID' ],
-    [ 'AWS_SECRET_ACCESS_KEY' ],
-    [ 'AWS_SESSION_TOKEN   For OIDC' ],
-    [ 'IS_LATEST           Set to "1" to mark as latest release' ],
-);
-
-print($usage->text), exit if $opt->help;
-
-my $evalId = $ARGV[0] or do { print STDERR $usage->text; exit 1 };
-
-die "--project-root is required unless --skip-git is specified\n" unless $opt->skip_git || $opt->project_root;
+my $evalId = $ARGV[0] or die "Usage: $0 EVAL-ID\n";
 
 my $releasesBucketName = "nix-releases";
 my $channelsBucketName = "nix-channels";
@@ -86,38 +62,25 @@ File::Path::make_path($narCache);
 my $binaryCache = "https://cache.nixos.org/?local-nar-cache=$narCache";
 
 # S3 setup.
-my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'};
-my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'};
-my $aws_session_token = $ENV{'AWS_SESSION_TOKEN'};
+my $aws_access_key_id = $ENV{'AWS_ACCESS_KEY_ID'} or die "No AWS_ACCESS_KEY_ID given.";
+my $aws_secret_access_key = $ENV{'AWS_SECRET_ACCESS_KEY'} or die "No AWS_SECRET_ACCESS_KEY given.";
 
-my ($s3, $releasesBucket, $s3_channels, $channelsBucket);
+my $s3 = Net::Amazon::S3->new(
+    { aws_access_key_id     => $aws_access_key_id,
+      aws_secret_access_key => $aws_secret_access_key,
+      retry                 => 1,
+      host                  => "s3-eu-west-1.amazonaws.com",
+    });
 
-unless ($opt->skip_s3) {
-    $aws_access_key_id or die "No AWS_ACCESS_KEY_ID given.";
-    $aws_secret_access_key or die "No AWS_SECRET_ACCESS_KEY given.";
+my $releasesBucket = $s3->bucket($releasesBucketName) or die;
 
-    $s3 = Net::Amazon::S3->new(
-        { aws_access_key_id     => $aws_access_key_id,
-          aws_secret_access_key => $aws_secret_access_key,
-          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
-          retry                 => 1,
-          host                  => $opt->s3_host,
-          secure                => ($opt->s3_endpoint && $opt->s3_endpoint =~ /^http:/) ? 0 : 1,
-        });
+my $s3_us = Net::Amazon::S3->new(
+    { aws_access_key_id     => $aws_access_key_id,
+      aws_secret_access_key => $aws_secret_access_key,
+      retry                 => 1,
+    });
 
-    $releasesBucket = $s3->bucket($releasesBucketName) or die;
-
-    $s3_channels = Net::Amazon::S3->new(
-        { aws_access_key_id     => $aws_access_key_id,
-          aws_secret_access_key => $aws_secret_access_key,
-          $aws_session_token ? (aws_session_token => $aws_session_token) : (),
-          retry                 => 1,
-          $opt->s3_endpoint ? (host => $opt->s3_host) : (),
-          $opt->s3_endpoint ? (secure => ($opt->s3_endpoint =~ /^http:/) ? 0 : 1) : (),
-        });
-
-    $channelsBucket = $s3_channels->bucket($channelsBucketName) or die;
-}
+my $channelsBucket = $s3_us->bucket($channelsBucketName) or die;
 
 sub getStorePath {
     my ($jobName, $output) = @_;
@@ -152,12 +115,11 @@ sub copyManual {
         File::Path::remove_tree("$tmpDir/manual.tmp", {safe => 1});
     }
 
-    my $awsEndpoint = $opt->s3_endpoint ? "--endpoint-url " . $opt->s3_endpoint : "";
-    system("aws $awsEndpoint s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
+    system("aws s3 sync '$tmpDir/manual' s3://$releasesBucketName/$releaseDir/manual") == 0
         or die "syncing manual to S3\n";
 }
 
-copyManual unless $opt->skip_s3;
+copyManual;
 
 sub downloadFile {
     my ($jobName, $productNr, $dstName) = @_;
@@ -196,12 +158,30 @@ sub downloadFile {
     return $sha256_expected;
 }
 
-# Upload docker images.
+downloadFile("binaryTarball.i686-linux", "1");
+downloadFile("binaryTarball.x86_64-linux", "1");
+downloadFile("binaryTarball.aarch64-linux", "1");
+downloadFile("binaryTarball.x86_64-darwin", "1");
+downloadFile("binaryTarball.aarch64-darwin", "1");
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
+};
+warn "$@" if $@;
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
+};
+warn "$@" if $@;
+eval {
+    downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
+};
+warn "$@" if $@;
+downloadFile("installerScript", "1");
+
+# Upload docker images to dockerhub.
 my $dockerManifest = "";
 my $dockerManifestLatest = "";
 my $haveDocker = 0;
 
-unless ($opt->skip_docker) {
 for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
     my $system = $platforms->[0];
     my $dockerPlatform = $platforms->[1];
@@ -215,8 +195,8 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
     print STDERR "loading docker image for $dockerPlatform...\n";
     system("docker load -i $tmpDir/$fn") == 0 or die;
 
-    my $tag = $opt->docker_owner . ":$version-$dockerPlatform";
-    my $latestTag = $opt->docker_owner . ":latest-$dockerPlatform";
+    my $tag = "nixos/nix:$version-$dockerPlatform";
+    my $latestTag = "nixos/nix:latest-$dockerPlatform";
 
     print STDERR "tagging $version docker image for $dockerPlatform...\n";
     system("docker tag nix:$version $tag") == 0 or die;
@@ -239,94 +219,68 @@ for my $platforms (["x86_64-linux", "amd64"], ["aarch64-linux", "arm64"]) {
 }
 
 if ($haveDocker) {
-    my $dockerOwner = $opt->docker_owner;
     print STDERR "creating multi-platform docker manifest...\n";
-    system("docker manifest rm $dockerOwner:$version");
-    system("docker manifest create $dockerOwner:$version $dockerManifest") == 0 or die;
+    system("docker manifest rm nixos/nix:$version");
+    system("docker manifest create nixos/nix:$version $dockerManifest") == 0 or die;
     if ($isLatest) {
         print STDERR "creating latest multi-platform docker manifest...\n";
-        system("docker manifest rm $dockerOwner:latest");
-        system("docker manifest create $dockerOwner:latest $dockerManifestLatest") == 0 or die;
+        system("docker manifest rm nixos/nix:latest");
+        system("docker manifest create nixos/nix:latest $dockerManifestLatest") == 0 or die;
     }
 
     print STDERR "pushing multi-platform docker manifest...\n";
-    system("docker manifest push $dockerOwner:$version") == 0 or die;
+    system("docker manifest push nixos/nix:$version") == 0 or die;
 
     if ($isLatest) {
         print STDERR "pushing latest multi-platform docker manifest...\n";
-        system("docker manifest push $dockerOwner:latest") == 0 or die;
+        system("docker manifest push nixos/nix:latest") == 0 or die;
     }
 }
-}
 
+# Upload nix-fallback-paths.nix.
+write_file("$tmpDir/fallback-paths.nix",
+    "{\n" .
+    "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
+    "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
+    "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
+    "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
+    "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
+    "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
+    "}\n");
 
 # Upload release files to S3.
-unless ($opt->skip_s3) {
-    downloadFile("binaryTarball.i686-linux", "1");
-    downloadFile("binaryTarball.x86_64-linux", "1");
-    downloadFile("binaryTarball.aarch64-linux", "1");
-    downloadFile("binaryTarball.x86_64-darwin", "1");
-    downloadFile("binaryTarball.aarch64-darwin", "1");
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.armv6l-unknown-linux-gnueabihf", "1");
-    };
-    warn "$@" if $@;
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.armv7l-unknown-linux-gnueabihf", "1");
-    };
-    warn "$@" if $@;
-    eval {
-        downloadFile("binaryTarballCross.x86_64-linux.riscv64-unknown-linux-gnu", "1");
-    };
-    warn "$@" if $@;
-    downloadFile("installerScript", "1");
+for my $fn (glob "$tmpDir/*") {
+    my $name = basename($fn);
+    next if $name eq "manual";
+    my $dstKey = "$releaseDir/" . $name;
+    unless (defined $releasesBucket->head_key($dstKey)) {
+        print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";
 
-    # Upload nix-fallback-paths.nix.
-    write_file("$tmpDir/fallback-paths.nix",
-        "{\n" .
-        "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
-        "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
-        "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
-        "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
-        "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
-        "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
-        "}\n");
+        my $configuration = ();
+        $configuration->{content_type} = "application/octet-stream";
 
-    for my $fn (glob "$tmpDir/*") {
-        my $name = basename($fn);
-        next if $name eq "manual";
-        my $dstKey = "$releaseDir/" . $name;
-        unless (defined $releasesBucket->head_key($dstKey)) {
-            print STDERR "uploading $fn to s3://$releasesBucketName/$dstKey...\n";
-
-            my $configuration = ();
-            $configuration->{content_type} = "application/octet-stream";
-
-            if ($fn =~ /.sha256|install|\.nix$/) {
-                $configuration->{content_type} = "text/plain";
-            }
-
-            $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
-                or die $releasesBucket->err . ": " . $releasesBucket->errstr;
+        if ($fn =~ /.sha256|install|\.nix$/) {
+            $configuration->{content_type} = "text/plain";
         }
-    }
 
-    # Update the "latest" symlink.
-    $channelsBucket->add_key(
-        "nix-latest/install", "",
-        { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
-        or die $channelsBucket->err . ": " . $channelsBucket->errstr
-        if $isLatest;
+        $releasesBucket->add_key_filename($dstKey, $fn, $configuration)
+            or die $releasesBucket->err . ": " . $releasesBucket->errstr;
+    }
 }
 
+# Update the "latest" symlink.
+$channelsBucket->add_key(
+    "nix-latest/install", "",
+    { "x-amz-website-redirect-location" => "https://releases.nixos.org/$releaseDir/install" })
+    or die $channelsBucket->err . ": " . $channelsBucket->errstr
+    if $isLatest;
+
 # Tag the release in Git.
-unless ($opt->skip_git) {
-    chdir($opt->project_root) or die "Cannot chdir to " . $opt->project_root . ": $!";
-    system("git remote update origin") == 0 or die;
-    system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
-    system("git push origin refs/tags/$version") == 0 or die;
-    system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;
-}
+chdir("/home/eelco/Dev/nix-pristine") or die;
+system("git remote update origin") == 0 or die;
+system("git tag --force --sign $version $nixRev -m 'Tagging release $version'") == 0 or die;
+system("git push --tags") == 0 or die;
+system("git push --force-with-lease origin $nixRev:refs/heads/latest-release") == 0 or die if $isLatest;
 
 File::Path::remove_tree($narCache, {safe => 1});
 File::Path::remove_tree($tmpDir, {safe => 1});

meson.build

@@ -24,10 +24,6 @@ subproject('libcmd')
 # Executables
 subproject('nix')
 
-if host_machine.system() == 'linux'
-  subproject('nswrapper')
-endif
-
 # Docs
 if get_option('doc-gen')
   subproject('internal-api-docs')
@@ -67,3 +63,6 @@ subproject('nix-functional-tests')
 if get_option('json-schema-checks')
   subproject('json-schema-checks')
 endif
+if get_option('kaitai-struct-checks')
+  subproject('kaitai-struct-checks')
+endif

meson.options

@@ -28,6 +28,13 @@ option(
   description : 'Build benchmarks (requires gbenchmark)',
 )
 
+option(
+  'kaitai-struct-checks',
+  type : 'boolean',
+  value : true,
+  description : 'Check the Kaitai Struct specifications (requires Kaitai Struct)',
+)
+
 option(
   'json-schema-checks',
   type : 'boolean',

misc/systemd/nix-daemon.service.in

@@ -11,7 +11,7 @@ ExecStart=@@bindir@/nix-daemon nix-daemon --daemon
 KillMode=process
 LimitNOFILE=1048576
 TasksMax=1048576
-Delegate=
+Delegate=yes
 
 [Install]
 WantedBy=multi-user.target

nix-meson-build-support/common/asan-options/meson.build

@@ -1,7 +1,7 @@
 # Clang gets grumpy about missing libasan symbols if -shared-libasan is not
 # passed when building shared libs, at least on Linux
 if cxx.get_id() == 'clang' and ('address' in get_option('b_sanitize') or 'undefined' in get_option(
-    'b_sanitize',
+  'b_sanitize',
 ))
   add_project_link_arguments('-shared-libasan', language : 'cpp')
 endif

nix-meson-build-support/common/meson.build

@@ -22,8 +22,6 @@ add_project_arguments(
   '-Werror=undef',
   '-Werror=unused-result',
   '-Werror=sign-compare',
-  '-Werror=return-type',
-  '-Werror=non-virtual-dtor',
   '-Wignored-qualifiers',
   '-Wimplicit-fallthrough',
   '-Wno-deprecated-declarations',
@@ -33,13 +31,6 @@ add_project_arguments(
 # GCC doesn't benefit much from precompiled headers.
 do_pch = cxx.get_id() == 'clang'
 
-if cxx.get_id() == 'gcc'
-  add_project_arguments(
-    '-Wno-interference-size', # Used for C++ ABI only. We don't provide any guarantees about different march tunings.
-    language : 'cpp',
-  )
-endif
-
 # This is a clang-only option for improving build times.
 # It forces the instantiation of templates in the PCH itself and
 # not every translation unit it's included in.
@@ -49,11 +40,6 @@ endif
 # instantiations in libutil and libstore.
 if cxx.get_id() == 'clang'
   add_project_arguments('-fpch-instantiate-templates', language : 'cpp')
-  # Catch brace elision bugs: when WorkerProto::Version changed from `unsigned int`
-  # to `struct { unsigned int major; uint8_t minor; }`, `.version = 16` silently
-  # became `.version = {16, 0}` instead of failing, breaking protocol compatibility
-  # in a subtle way
-  add_project_arguments('-Werror=c99-designator', language : 'cpp')
 endif
 
 # Detect if we're using libstdc++ (GCC's standard library)

packaging/binary-tarball.nix

@@ -1,20 +1,16 @@
 {
   runCommand,
-  stdenv,
+  system,
   buildPackages,
   cacert,
   nix,
-  nixComponents2,
 }:
 
 let
 
-  inherit (stdenv.hostPlatform) system;
-
   installerClosureInfo = buildPackages.closureInfo {
     rootPaths = [
       nix
-      nixComponents2.nix-manual.man
       cacert
     ];
   };
@@ -46,7 +42,6 @@ runCommand "nix-binary-tarball-${version}" env ''
     --subst-var-by cacert ${cacert}
   substitute ${../scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
     --subst-var-by nix ${nix} \
-    --subst-var-by nix-manual ${nixComponents2.nix-manual.man} \
     --subst-var-by cacert ${cacert}
 
   if type -p shellcheck; then

packaging/components.nix

@@ -133,7 +133,7 @@ let
       +
         lib.optionalString
           (
-            !(stdenv.hostPlatform.isWindows || stdenv.hostPlatform.isCygwin)
+            !stdenv.hostPlatform.isWindows
             # build failure
             && !stdenv.hostPlatform.isStatic
             # LTO breaks exception handling on x86-64-darwin.
@@ -155,14 +155,12 @@ let
     ];
   };
 
-  mesonBuildLayer = finalAttrs: prevAttrs: rec {
+  mesonBuildLayer = finalAttrs: prevAttrs: {
     nativeBuildInputs = prevAttrs.nativeBuildInputs or [ ] ++ [
       pkg-config
     ];
     separateDebugInfo = !stdenv.hostPlatform.isStatic;
-    # needed by separateDebugInfo
-    # SEE: https://github.com/NixOS/nixpkgs/pull/394674/commits/a4d355342976e9e9823fb94f133bc43ebec9da5b
-    __structuredAttrs = separateDebugInfo;
+    hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
   };
 
   mesonLibraryLayer = finalAttrs: prevAttrs: {
@@ -418,8 +416,6 @@ in
 
   nix-cmd = callPackage ../src/libcmd/package.nix { };
 
-  nix-nswrapper = callPackage ../src/nswrapper/package.nix { };
-
   /**
     The Nix command line interface. Note that this does not include its tests, whereas `nix-everything` does.
   */
@@ -456,6 +452,11 @@ in
   */
   nix-json-schema-checks = callPackage ../src/json-schema-checks/package.nix { };
 
+  /**
+    Kaitai struct schema validation checks
+  */
+  nix-kaitai-struct-checks = callPackage ../src/kaitai-struct-checks/package.nix { };
+
   nix-perl-bindings = callPackage ../src/perl/package.nix { };
 
   /**

packaging/dependencies.nix

@@ -30,23 +30,32 @@ scope: {
         NIX_CFLAGS_COMPILE = "-DINITIAL_MARK_STACK_SIZE=1048576";
       });
 
-  curl =
-    (pkgs.curl.override {
-      http3Support = !pkgs.stdenv.hostPlatform.isWindows;
-      # Make sure we enable all the dependencies for Content-Encoding/Transfer-Encoding decompression.
-      zstdSupport = true;
-      brotliSupport = true;
-      zlibSupport = true;
-    }).overrideAttrs
-      {
-        # TODO: Fix in nixpkgs. Static build with brotli is marked as broken, but it's not the case.
-        # Remove once https://github.com/NixOS/nixpkgs/pull/494111 lands in the 25.11 channel.
-        meta.broken = false;
-      };
+  lowdown = pkgs.lowdown.overrideAttrs (prevAttrs: rec {
+    version = "2.0.2";
+    src = pkgs.fetchurl {
+      url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz";
+      hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA==";
+    };
+    nativeBuildInputs = prevAttrs.nativeBuildInputs ++ [ pkgs.buildPackages.bmake ];
+    postInstall =
+      lib.replaceStrings [ "lowdown.so.1" "lowdown.1.dylib" ] [ "lowdown.so.2" "lowdown.2.dylib" ]
+        (prevAttrs.postInstall or "");
+  });
 
-  libblake3 = pkgs.libblake3.override {
-    useTBB = !(stdenv.hostPlatform.isWindows || stdenv.hostPlatform.isStatic);
-  };
+  # TODO: Remove this when https://github.com/NixOS/nixpkgs/pull/442682 is included in a stable release
+  toml11 =
+    if lib.versionAtLeast pkgs.toml11.version "4.4.0" then
+      pkgs.toml11
+    else
+      pkgs.toml11.overrideAttrs rec {
+        version = "4.4.0";
+        src = pkgs.fetchFromGitHub {
+          owner = "ToruNiina";
+          repo = "toml11";
+          tag = "v${version}";
+          hash = "sha256-sgWKYxNT22nw376ttGsTdg0AMzOwp8QH3E8mx0BZJTQ=";
+        };
+      };
 
   # TODO Hack until https://github.com/NixOS/nixpkgs/issues/45462 is fixed.
   boost =

packaging/dev-shell.nix

@@ -131,7 +131,7 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
     ignoreCrossFile = flags: builtins.filter (flag: !(lib.strings.hasInfix "cross-file" flag)) flags;
 
     availableComponents = lib.filterAttrs (
-      k: v: lib.meta.availableOn pkgs.stdenv.hostPlatform v
+      k: v: lib.meta.availableOn pkgs.hostPlatform v
     ) allComponents;
 
     activeComponents = buildInputsClosureCond isInternal (
@@ -142,23 +142,12 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
     internalDrvs = byDrvPath (
       # Drop the attr names (not present in buildInputs anyway)
       lib.attrValues availableComponents
-      ++ lib.concatMap (c: lib.filter (v: !v.meta.broken) (lib.attrValues (c.tests or { }))) (
-        lib.attrValues availableComponents
-      )
+      ++ lib.concatMap (c: lib.attrValues c.tests or { }) (lib.attrValues availableComponents)
     );
 
     isInternal =
       dep: internalDrvs ? ${builtins.unsafeDiscardStringContext dep.drvPath or "_non-existent_"};
 
-    activeComponentNames = lib.listToAttrs (
-      map (c: {
-        name = c.pname or c.name;
-        value = null;
-      }) activeComponents
-    );
-
-    isActiveComponent = name: activeComponentNames ? ${name};
-
   in
   {
     pname = "shell-for-nix";
@@ -201,19 +190,27 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
           }
         );
 
-      small = finalAttrs.finalPackage.withActiveComponents (
-        c:
-        lib.intersectAttrs (lib.genAttrs [
-          "nix-cli"
-          "nix-util-tests"
-          "nix-store-tests"
-          "nix-expr-tests"
-          "nix-fetchers-tests"
-          "nix-flake-tests"
-          "nix-functional-tests"
-          "nix-perl-bindings"
-        ] (_: null)) c
-      );
+      small =
+        (finalAttrs.finalPackage.withActiveComponents (
+          c:
+          lib.intersectAttrs (lib.genAttrs [
+            "nix-cli"
+            "nix-util-tests"
+            "nix-store-tests"
+            "nix-expr-tests"
+            "nix-fetchers-tests"
+            "nix-flake-tests"
+            "nix-functional-tests"
+            "nix-perl-bindings"
+          ] (_: null)) c
+        )).overrideAttrs
+          (o: {
+            mesonFlags = o.mesonFlags ++ [
+              # TODO: infer from activeComponents or vice versa
+              "-Dkaitai-struct-checks=false"
+              "-Djson-schema-checks=false"
+            ];
+          });
     };
 
     # Remove the version suffix to avoid unnecessary attempts to substitute in nix develop
@@ -261,13 +258,10 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
 
     # We use this shell with the local checkout, not unpackPhase.
     src = null;
-
     # Workaround https://sourceware.org/pipermail/gdb-patches/2025-October/221398.html
     # Remove when gdb fix is rolled out everywhere.
     separateDebugInfo = false;
 
-    mesonBuildType = "debugoptimized";
-
     env = {
       # For `make format`, to work without installing pre-commit
       _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
@@ -281,32 +275,21 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
 
     dontUseCmakeConfigure = true;
 
-    mesonFlags = [
-      (lib.mesonBool "json-schema-checks" (isActiveComponent "nix-json-schema-checks"))
-    ]
-    ++ map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents2.nix-util.mesonFlags)
-    ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents2.nix-store.mesonFlags)
-    ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents2.nix-fetchers.mesonFlags)
-    ++ lib.optionals havePerl (
-      map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents2.nix-perl-bindings.mesonFlags)
-    )
-    ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents2.nix-expr.mesonFlags)
-    ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents2.nix-cmd.mesonFlags);
+    mesonFlags =
+      map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents2.nix-util.mesonFlags)
+      ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents2.nix-store.mesonFlags)
+      ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents2.nix-fetchers.mesonFlags)
+      ++ lib.optionals havePerl (
+        map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents2.nix-perl-bindings.mesonFlags)
+      )
+      ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents2.nix-expr.mesonFlags)
+      ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents2.nix-cmd.mesonFlags);
 
     nativeBuildInputs =
       let
         inputs =
           dedupByString (v: "${v}") (
-            lib.filter (x: !isInternal x) (
-              lib.lists.concatMap (
-                # Nix manual has a build-time dependency on nix, but we
-                # don't want to do a native build just to enter the cross
-                # dev shell.
-                #
-                # TODO: think of a more principled fix for this.
-                c: lib.filter (f: f.pname or null != "nix") c.nativeBuildInputs
-              ) activeComponents
-            )
+            lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.nativeBuildInputs) activeComponents)
           )
           ++ lib.optional (
             !buildCanExecuteHost
@@ -322,8 +305,8 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
             pkgs.buildPackages.nixfmt-rfc-style
             pkgs.buildPackages.shellcheck
             pkgs.buildPackages.include-what-you-use
+            pkgs.buildPackages.gdb
           ]
-          ++ lib.optional stdenv.hostPlatform.isUnix pkgs.buildPackages.gdb
           ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (
             lib.hiPrio pkgs.buildPackages.clang-tools
           )
@@ -339,13 +322,13 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
       )
     );
 
-    buildInputs =
-      # TODO change Nixpkgs to mark gbenchmark as building on Windows
-      lib.optional stdenv.hostPlatform.isUnix pkgs.gbenchmark
-      ++ dedupByString (v: "${v}") (
-        lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.buildInputs) activeComponents)
-      )
-      ++ lib.optional havePerl pkgs.perl;
+    buildInputs = [
+      pkgs.gbenchmark
+    ]
+    ++ dedupByString (v: "${v}") (
+      lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.buildInputs) activeComponents)
+    )
+    ++ lib.optional havePerl pkgs.perl;
 
     propagatedBuildInputs = dedupByString (v: "${v}") (
       lib.filter (x: !isInternal x) (lib.lists.concatMap (c: c.propagatedBuildInputs) activeComponents)

packaging/everything.nix

@@ -31,8 +31,6 @@
 
   nix-cmd,
 
-  nix-nswrapper,
-
   nix-cli,
 
   nix-functional-tests,
@@ -173,9 +171,6 @@ stdenv.mkDerivation (finalAttrs: {
       # Forwarded outputs
       ln -sT ${nix-manual} $doc
       ln -sT ${nix-manual.man} $man
-    ''
-    + lib.optionalString stdenv.isLinux ''
-      lndir ${nix-nswrapper} $out
     '';
 
   passthru = {

packaging/hydra.nix

@@ -57,7 +57,6 @@ let
         "nix-flake"
         "nix-flake-c"
         "nix-flake-tests"
-        "nix-nswrapper"
         "nix-main"
         "nix-main-c"
         "nix-cmd"
@@ -73,6 +72,7 @@ let
         "nix-manual-manpages-only"
         "nix-internal-api-docs"
         "nix-external-api-docs"
+        "nix-kaitai-struct-checks"
       ]
     );
 in
@@ -115,11 +115,7 @@ rec {
 
   # Binary package for various platforms.
   build = forAllPackages (
-    pkgName:
-    lib.filterAttrs (
-      system: _do_not_touch:
-      pkgName == "nix-nswrapper" -> nixpkgsFor.${system}.native.stdenv.hostPlatform.isLinux
-    ) (forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.${pkgName}))
+    pkgName: forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.${pkgName})
   );
 
   shellInputs = removeAttrs (forAllSystems (
@@ -139,10 +135,6 @@ rec {
     (
       if pkgName == "nix-functional-tests" then
         lib.flip builtins.removeAttrs [ "x86_64-w64-mingw32" ]
-      else if pkgName == "nix-nswrapper" then
-        lib.filterAttrs (
-          crossSystem: _do_not_touch: nixpkgsFor.x86_64-linux.cross.${crossSystem}.stdenv.hostPlatform.isLinux
-        )
       else
         lib.id
     )
@@ -179,13 +171,7 @@ rec {
         )
       );
     in
-    forAllPackages (
-      pkgName:
-      lib.filterAttrs (
-        system: _do_not_touch:
-        pkgName == "nix-nswrapper" -> nixpkgsFor.${system}.native.stdenv.hostPlatform.isLinux
-      ) (forAllSystems (system: components.${system}.${pkgName}))
-    );
+    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
 
   buildNoTests = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.nix-cli);
 
@@ -205,13 +191,7 @@ rec {
         )
       );
     in
-    forAllPackages (
-      pkgName:
-      lib.filterAttrs (
-        system: _do_not_touch:
-        pkgName == "nix-nswrapper" -> nixpkgsFor.${system}.native.stdenv.hostPlatform.isLinux
-      ) (forAllSystems (system: components.${system}.${pkgName}))
-    );
+    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
 
   # Perl bindings for various platforms.
   perlBindings = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.nix-perl-bindings);

scripts/install-multi-user.sh

@@ -52,10 +52,9 @@ readonly PROFILE_FISH_PREFIXES=(
 readonly PROFILE_NIX_FILE_FISH="$NIX_ROOT/var/nix/profiles/default/etc/profile.d/nix-daemon.fish"
 
 readonly NIX_INSTALLED_NIX="@nix@"
-readonly NIX_INSTALLED_NIX_MAN="@nix-manual@"
 readonly NIX_INSTALLED_CACERT="@cacert@"
-#readonly NIX_INSTALLED_NIX="/nix/store/byi37zv50wnfrpp4d81z3spswd5zva37-nix-2.3.6"
-#readonly NIX_INSTALLED_CACERT="/nix/store/7pi45g541xa8ahwgpbpy7ggsl0xj1jj6-nss-cacert-3.49.2"
+#readonly NIX_INSTALLED_NIX="/nix/store/j8dbv5w6jl34caywh2ygdy88knx1mdf7-nix-2.3.6"
+#readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2"
 EXTRACTED_NIX_PATH="$(dirname "$0")"
 readonly EXTRACTED_NIX_PATH
 
@@ -970,8 +969,6 @@ setup_default_profile() {
     task "Setting up the default profile"
     _sudo "to install a bootstrapping Nix in to the default profile" \
           HOME="$ROOT_HOME" "$NIX_INSTALLED_NIX/bin/nix-env" -i "$NIX_INSTALLED_NIX"
-    _sudo "to install Nix man pages in to the default profile" \
-          HOME="$ROOT_HOME" "$NIX_INSTALLED_NIX/bin/nix-env" -i "$NIX_INSTALLED_NIX_MAN"
 
     if [ -z "${NIX_SSL_CERT_FILE:-}" ] || ! [ -f "${NIX_SSL_CERT_FILE:-}" ] || cert_in_store; then
         _sudo "to install a bootstrapping SSL certificate just for Nix in to the default profile" \