Merge pull request #12601 from NixOS/mergify/bp/2.26-maintenance/pr-12600

packaging: Typo in setVersionLayer / preConfigure (backport #12600)
packaging: Typo in setVersionLayer / preConfigure
2025-03-04 17:08:09 +00:00 · 2025-03-04 16:46:15 +00:00 · 2025-03-01 10:41:47 +00:00 · 2025-03-01 10:36:41 +00:00 · 2025-02-24 22:18:03 +00:00 · 2025-02-24 23:00:07 +01:00
530 changed files with 12576 additions and 6935 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,14 +7,28 @@ on:
 permissions: read-all

 jobs:
+  eval:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - uses: cachix/install-nix-action@v30
+    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json

  tests:
-    needs: [check_secrets]
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            os: linux
+          - scenario: on macos
+            runs-on: macos-14
+            os: darwin
+    name: tests ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
    timeout-minutes: 60
    steps:
    - uses: actions/checkout@v4
@@ -26,102 +40,51 @@ jobs:
        extra_nix_config: |
          sandbox = true
          max-jobs = 1
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v15
-      if: needs.check_secrets.outputs.cachix == 'true'
+    - uses: DeterminateSystems/magic-nix-cache-action@main
+    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
+    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+      if: matrix.os == 'linux'
+    - run: scripts/build-checks
+    - run: scripts/prepare-installer-for-github-actions
+    - name: Upload installer tarball
+      uses: actions/upload-artifact@v4
      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - if: matrix.os == 'ubuntu-latest'
-      run: |
-        free -h
-        swapon --show
-        swap=$(swapon --show --noheadings | head -n 1 | awk '{print $1}')
-        echo "Found swap: $swap"
-        sudo swapoff $swap
-        # resize it (fallocate)
-        sudo fallocate -l 10G $swap
-        sudo mkswap $swap
-        sudo swapon $swap
-        free -h
-        (
-          while sleep 60; do
-            free -h
-          done
-        ) &
-    - run: nix --experimental-features 'nix-command flakes' flake check -L
-    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
-
-  # Steps to test CI automation in your own fork.
-  # Cachix:
-  # 1. Sign-up for https://www.cachix.org/
-  # 2. Create a cache for $githubuser-nix-install-tests
-  # 3. Create a cachix auth token and save it in https://github.com/$githubuser/nix/settings/secrets/actions in "Repository secrets" as CACHIX_AUTH_TOKEN
-  # Dockerhub:
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check Cachix and Docker secrets present for installer tests
-    runs-on: ubuntu-latest
-    outputs:
-      cachix: ${{ steps.secret.outputs.cachix }}
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for secrets
-        id: secret
-        env:
-          _CACHIX_SECRETS: ${{ secrets.CACHIX_SIGNING_KEY }}${{ secrets.CACHIX_AUTH_TOKEN }}
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "::set-output name=cachix::${{ env._CACHIX_SECRETS != '' }}"
-          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
-
-  installer:
-    needs: [tests, check_secrets]
-    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
-    runs-on: ubuntu-latest
-    outputs:
-      installerURL: ${{ steps.prepare-installer.outputs.installerURL }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v30
-      with:
-        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - uses: cachix/cachix-action@v15
-      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-        cachixArgs: '-v'
-    - id: prepare-installer
-      run: scripts/prepare-installer-for-github-actions
+        name: installer-${{matrix.os}}
+        path: out/*

  installer_test:
-    needs: [installer, check_secrets]
-    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
+    needs: [tests]
    strategy:
      fail-fast: false
      matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            os: linux
+          - scenario: on macos
+            runs-on: macos-14
+            os: darwin
+    name: installer test ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
    steps:
    - uses: actions/checkout@v4
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
+    - name: Download installer tarball
+      uses: actions/download-artifact@v4
+      with:
+        name: installer-${{matrix.os}}
+        path: out
+    - name: Serving installer
+      id: serving_installer
+      run: ./scripts/serve-installer-for-github-actions
    - uses: cachix/install-nix-action@v30
      with:
-        install_url: '${{needs.installer.outputs.installerURL}}'
-        install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
+        install_url: 'http://localhost:8126/install'
+        install_options: "--tarball-url-prefix http://localhost:8126/"
    - run: sudo apt install fish zsh
-      if: matrix.os == 'ubuntu-latest'
+      if: matrix.os == 'linux'
    - run: brew install fish
-      if: matrix.os == 'macos-latest'
+      if: matrix.os == 'darwin'
    - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval"
    - run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval"
    - run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval"
@@ -129,32 +92,50 @@ jobs:
    - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
    - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"

+  # Steps to test CI automation in your own fork.
+  # 1. Sign-up for https://hub.docker.com/
+  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
+  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
+  check_secrets:
+    permissions:
+      contents: none
+    name: Check Docker secrets present for installer tests
+    runs-on: ubuntu-24.04
+    outputs:
+      docker: ${{ steps.secret.outputs.docker }}
+    steps:
+      - name: Check for secrets
+        id: secret
+        env:
+          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
+
  docker_push_image:
-    needs: [check_secrets, tests, vm_tests]
+    needs: [tests, vm_tests, check_secrets]
    permissions:
      contents: read
      packages: write
    if: >-
+      needs.check_secrets.outputs.docker == 'true' &&
      github.event_name == 'push' &&
-      github.ref_name == 'master' &&
-      needs.check_secrets.outputs.cachix == 'true' &&
-      needs.check_secrets.outputs.docker == 'true'
-    runs-on: ubuntu-latest
+      github.ref_name == 'master'
+    runs-on: ubuntu-24.04
    steps:
+    - name: Check for secrets
+      id: secret
+      env:
+        _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+      run: |
+        echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - uses: cachix/install-nix-action@v30
      with:
        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
+    - uses: DeterminateSystems/magic-nix-cache-action@main
    - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v15
-      if: needs.check_secrets.outputs.cachix == 'true'
-      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
    - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
    - run: docker load -i ./result/image.tar.gz
    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
@@ -191,7 +172,7 @@ jobs:
        docker push $IMAGE_ID:master

  vm_tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
@@ -206,7 +187,7 @@ jobs:

  flake_regressions:
    needs: vm_tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
    steps:
      - name: Checkout nix
        uses: actions/checkout@v4
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -15,7 +15,7 @@ permissions:

 jobs:
  labels:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
    if: github.repository_owner == 'NixOS'
    steps:
    - uses: actions/labeler@v5
--- a/.gitignore
+++ b/.gitignore
@@ -1,110 +1,12 @@
-Makefile.config
-perl/Makefile.config
-
-# /
-/aclocal.m4
-/autom4te.cache
-/precompiled-headers.h.gch
-/config.*
-/configure
-/stamp-h1
-/svn-revision
-/libtool
-/config/config.*
 # Default meson build dir
 /build

-# /doc/manual/
-/doc/manual/*.1
-/doc/manual/*.5
-/doc/manual/*.8
-/doc/manual/generated/*
-/doc/manual/nix.json
-/doc/manual/conf-file.json
-/doc/manual/language.json
-/doc/manual/xp-features.json
-/doc/manual/source/SUMMARY.md
-/doc/manual/source/SUMMARY-rl-next.md
-/doc/manual/source/store/types/*
-!/doc/manual/source/store/types/index.md.in
-/doc/manual/source/command-ref/new-cli
-/doc/manual/source/command-ref/conf-file.md
-/doc/manual/source/command-ref/experimental-features-shortlist.md
-/doc/manual/source/contributing/experimental-feature-descriptions.md
-/doc/manual/source/language/builtins.md
-/doc/manual/source/language/builtin-constants.md
-/doc/manual/source/release-notes/rl-next.md
-
-# /scripts/
-/scripts/nix-profile.sh
-/scripts/nix-profile-daemon.sh
-/scripts/nix-profile.fish
-/scripts/nix-profile-daemon.fish
-
-# /src/libexpr/
-/src/libexpr/lexer-tab.cc
-/src/libexpr/lexer-tab.hh
-/src/libexpr/parser-tab.cc
-/src/libexpr/parser-tab.hh
-/src/libexpr/parser-tab.output
-/src/libexpr/nix.tbl
-/src/libexpr/tests
-/src/libexpr-tests/libnixexpr-tests
-
-# /src/libfetchers
-/src/libfetchers-tests/libnixfetchers-tests
-
-# /src/libflake
-/src/libflake-tests/libnixflake-tests
-
-# /src/libstore/
-*.gen.*
-/src/libstore/tests
-/src/libstore-tests/libnixstore-tests
-
-# /src/libutil/
-/src/libutil/tests
-/src/libutil-tests/libnixutil-tests
-
-/src/nix/nix
-
-/src/nix/generated-doc
-
-# /src/nix-env/
-/src/nix-env/nix-env
-
-# /src/nix-instantiate/
-/src/nix-instantiate/nix-instantiate
-
-# /src/nix-store/
-/src/nix-store/nix-store
-
-/src/nix-prefetch-url/nix-prefetch-url
-
-/src/nix-collect-garbage/nix-collect-garbage
-
-# /src/nix-channel/
-/src/nix-channel/nix-channel
-
-# /src/nix-build/
-/src/nix-build/nix-build
-
-/src/nix-copy-closure/nix-copy-closure
-
-/src/error-demo/error-demo
-
-/src/build-remote/build-remote
-
 # /tests/functional/
-/tests/functional/test-tmp
 /tests/functional/common/subst-vars.sh
-/tests/functional/result*
 /tests/functional/restricted-innocent
-/tests/functional/shell
-/tests/functional/shell.drv
-/tests/functional/repl-result-out
 /tests/functional/debugger-test-out
 /tests/functional/test-libstoreconsumer/test-libstoreconsumer
+/tests/functional/nix-shell

 # /tests/functional/lang/
 /tests/functional/lang/*.out
@@ -112,27 +14,9 @@ perl/Makefile.config
 /tests/functional/lang/*.err
 /tests/functional/lang/*.ast

-/perl/lib/Nix/Config.pm
-/perl/lib/Nix/Store.cc
-
-/misc/systemd/nix-daemon.service
-/misc/systemd/nix-daemon.socket
-/misc/systemd/nix-daemon.conf
-/misc/upstart/nix-daemon.conf
-
 outputs/

-*.a
-*.o
-*.o.tmp
-*.so
-*.dylib
-*.dll
-*.exe
-*.dep
 *~
-*.pc
-*.plist

 # GNU Global
 GPATH
@@ -147,8 +31,6 @@ GTAGS
 compile_commands.json
 *.compile_commands.json

-nix-rust/target
-
 result
 result-*

@@ -163,3 +45,5 @@ result-*

 # Mac OS
 .DS_Store
+
+flake-regressions
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -2,10 +2,11 @@ queue_rules:
  - name: default
    # all required tests need to go here
    merge_conditions:
-      - check-success=tests (macos-latest)
-      - check-success=tests (ubuntu-latest)
+      - check-success=tests on macos
+      - check-success=tests on ubuntu
+      - check-success=installer test on macos
+      - check-success=installer test on ubuntu
      - check-success=vm_tests
-    merge_method: rebase
    batch_size: 5

 pull_request_rules:
@@ -26,6 +27,7 @@ pull_request_rules:
        branches:
          - 2.18-maintenance
        labels:
+          - automatic backport
          - merge-queue

  - name: backport patches to 2.19
@@ -36,6 +38,7 @@ pull_request_rules:
        branches:
          - 2.19-maintenance
        labels:
+          - automatic backport
          - merge-queue

  - name: backport patches to 2.20
@@ -46,6 +49,7 @@ pull_request_rules:
        branches:
          - 2.20-maintenance
        labels:
+          - automatic backport
          - merge-queue

  - name: backport patches to 2.21
@@ -56,6 +60,7 @@ pull_request_rules:
        branches:
          - 2.21-maintenance
        labels:
+          - automatic backport
          - merge-queue

  - name: backport patches to 2.22
@@ -66,6 +71,7 @@ pull_request_rules:
        branches:
          - 2.22-maintenance
        labels:
+          - automatic backport
          - merge-queue

  - name: backport patches to 2.23
@@ -76,6 +82,7 @@ pull_request_rules:
        branches:
          - 2.23-maintenance
        labels:
+          - automatic backport
          - merge-queue

  - name: backport patches to 2.24
@@ -86,6 +93,7 @@ pull_request_rules:
        branches:
          - "2.24-maintenance"
        labels:
+          - automatic backport
          - merge-queue

  - name: backport patches to 2.25
@@ -96,4 +104,5 @@ pull_request_rules:
        branches:
          - "2.25-maintenance"
        labels:
+          - automatic backport
          - merge-queue
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.26.0
+2.26.3
--- a/default.nix
+++ b/default.nix
@@ -1,10 +1,9 @@
-(import
-  (
-    let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
-    fetchTarball {
-      url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
-      sha256 = lock.nodes.flake-compat.locked.narHash;
-    }
-  )
-  { src = ./.; }
-).defaultNix
+(import (
+  let
+    lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  in
+  fetchTarball {
+    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+    sha256 = lock.nodes.flake-compat.locked.narHash;
+  }
+) { src = ./.; }).defaultNix
--- a/doc/manual/generate-builtins.nix
+++ b/doc/manual/generate-builtins.nix
@@ -5,7 +5,15 @@ in

 builtinsInfo:
 let
-  showBuiltin = name: { doc, type ? null, args ? [ ], experimental-feature ? null, impure-only ? false }:
+  showBuiltin =
+    name:
+    {
+      doc,
+      type ? null,
+      args ? [ ],
+      experimental-feature ? null,
+      impure-only ? false,
+    }:
    let
      type' = optionalString (type != null) " (${type})";

--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -32,7 +32,13 @@ let

  commandInfo = fromJSON commandDump;

-  showCommand = { command, details, filename, toplevel }:
+  showCommand =
+    {
+      command,
+      details,
+      filename,
+      toplevel,
+    }:
    let

      result = ''
@@ -56,26 +62,27 @@ let
        ${maybeOptions}
      '';

-      showSynopsis = command: args:
+      showSynopsis =
+        command: args:
        let
-          showArgument = arg: "*${arg.label}*" + optionalString (! arg ? arity) "...";
+          showArgument = arg: "*${arg.label}*" + optionalString (!arg ? arity) "...";
          arguments = concatStringsSep " " (map showArgument args);
-        in ''
+        in
+        ''
          `${command}` [*option*...] ${arguments}
        '';

-      maybeSubcommands = optionalString (details ? commands && details.commands != {})
-        ''
-          where *subcommand* is one of the following:
+      maybeSubcommands = optionalString (details ? commands && details.commands != { }) ''
+        where *subcommand* is one of the following:

-          ${subcommands}
-        '';
+        ${subcommands}
+      '';

-      subcommands = if length categories > 1
-        then listCategories
-        else listSubcommands details.commands;
+      subcommands = if length categories > 1 then listCategories else listSubcommands details.commands;

-      categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues details.commands)));
+      categories = sort (x: y: x.id < y.id) (
+        unique (map (cmd: cmd.category) (attrValues details.commands))
+      );

      listCategories = concatStrings (map showCategory categories);

@@ -99,38 +106,39 @@ let

            ${allStores}
          '';
-          index = replaceStrings
-            [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
-            [ storesOverview "#local-store" "#local-daemon-store" ]
-            details.doc;
+          index =
+            replaceStrings
+              [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
+              [ storesOverview "#local-store" "#local-daemon-store" ]
+              details.doc;
          storesOverview =
            let
-              showEntry = store:
-                "- [${store.name}](#${store.slug})";
+              showEntry = store: "- [${store.name}](#${store.slug})";
            in
            concatStringsSep "\n" (map showEntry storesList) + "\n";
          allStores = concatStringsSep "\n" (attrValues storePages);
-          storePages = listToAttrs
-            (map (s: { name = s.filename; value = s.page; }) storesList);
+          storePages = listToAttrs (
+            map (s: {
+              name = s.filename;
+              value = s.page;
+            }) storesList
+          );
          storesList = showStoreDocs {
            storeInfo = commandInfo.stores;
            inherit inlineHTML;
          };
-          hasInfix = infix: content:
+          hasInfix =
+            infix: content:
            builtins.stringLength content != builtins.stringLength (replaceStrings [ infix ] [ "" ] content);
        in
        optionalString (details ? doc) (
          # An alternate implementation with builtins.match stack overflowed on some systems.
-          if hasInfix "@store-types@" details.doc
-          then help-stores
-          else details.doc
+          if hasInfix "@store-types@" details.doc then help-stores else details.doc
        );

      maybeOptions =
        let
-          allVisibleOptions = filterAttrs
-            (_: o: ! o.hiddenCategory)
-            (details.flags // toplevel.flags);
+          allVisibleOptions = filterAttrs (_: o: !o.hiddenCategory) (details.flags // toplevel.flags);
        in
        optionalString (allVisibleOptions != { }) ''
          # Options
@@ -142,55 +150,73 @@ let
          > See [`man nix.conf`](@docroot@/command-ref/conf-file.md#command-line-flags) for overriding configuration settings with command line flags.
        '';

-      showOptions = inlineHTML: allOptions:
+      showOptions =
+        inlineHTML: allOptions:
        let
          showCategory = cat: opts: ''
            ${optionalString (cat != "") "## ${cat}"}

            ${concatStringsSep "\n" (attrValues (mapAttrs showOption opts))}
          '';
-          showOption = name: option:
+          showOption =
+            name: option:
            let
              result = trim ''
                - ${item}

                  ${option.description}
              '';
-              item = if inlineHTML
-                then ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
-                else "`--${name}` ${shortName} ${labels}";
-              shortName = optionalString
-                (option ? shortName)
-                ("/ `-${option.shortName}`");
-              labels = optionalString
-                (option ? labels)
-                (concatStringsSep " " (map (s: "*${s}*") option.labels));
-            in result;
-          categories = mapAttrs
-            # Convert each group from a list of key-value pairs back to an attrset
-            (_: listToAttrs)
-            (groupBy
-              (cmd: cmd.value.category)
-              (attrsToList allOptions));
-        in concatStrings (attrValues (mapAttrs showCategory categories));
-    in squash result;
+              item =
+                if inlineHTML then
+                  ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
+                else
+                  "`--${name}` ${shortName} ${labels}";
+              shortName = optionalString (option ? shortName) ("/ `-${option.shortName}`");
+              labels = optionalString (option ? labels) (concatStringsSep " " (map (s: "*${s}*") option.labels));
+            in
+            result;
+          categories =
+            mapAttrs
+              # Convert each group from a list of key-value pairs back to an attrset
+              (_: listToAttrs)
+              (groupBy (cmd: cmd.value.category) (attrsToList allOptions));
+        in
+        concatStrings (attrValues (mapAttrs showCategory categories));
+    in
+    squash result;

  appendName = filename: name: (if filename == "nix" then "nix3" else filename) + "-" + name;

-  processCommand = { command, details, filename, toplevel }:
+  processCommand =
+    {
+      command,
+      details,
+      filename,
+      toplevel,
+    }:
    let
      cmd = {
        inherit command;
        name = filename + ".md";
-        value = showCommand { inherit command details filename toplevel; };
+        value = showCommand {
+          inherit
+            command
+            details
+            filename
+            toplevel
+            ;
+        };
      };
-      subcommand = subCmd: processCommand {
-        command = command + " " + subCmd;
-        details = details.commands.${subCmd};
-        filename = appendName filename subCmd;
-        inherit toplevel;
-      };
-    in [ cmd ] ++ concatMap subcommand (attrNames details.commands or {});
+      subcommand =
+        subCmd:
+        processCommand {
+          command = command + " " + subCmd;
+          details = details.commands.${subCmd};
+          filename = appendName filename subCmd;
+          inherit toplevel;
+        };
+    in
+    [ cmd ] ++ concatMap subcommand (attrNames details.commands or { });

  manpages = processCommand {
    command = "nix";
@@ -199,9 +225,11 @@ let
    toplevel = commandInfo.args;
  };

-  tableOfContents = let
-    showEntry = page:
-      "    - [${page.command}](command-ref/new-cli/${page.name})";
-    in concatStringsSep "\n" (map showEntry manpages) + "\n";
+  tableOfContents =
+    let
+      showEntry = page: "    - [${page.command}](command-ref/new-cli/${page.name})";
+    in
+    concatStringsSep "\n" (map showEntry manpages) + "\n";

-in (listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }
+in
+(listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }
--- a/doc/manual/generate-settings.nix
+++ b/doc/manual/generate-settings.nix
@@ -1,67 +1,99 @@
 let
-  inherit (builtins) attrValues concatStringsSep isAttrs isBool mapAttrs;
-  inherit (import <nix/utils.nix>) concatStrings indent optionalString squash;
+  inherit (builtins)
+    attrValues
+    concatStringsSep
+    isAttrs
+    isBool
+    mapAttrs
+    ;
+  inherit (import <nix/utils.nix>)
+    concatStrings
+    indent
+    optionalString
+    squash
+    ;
 in

 # `inlineHTML` is a hack to accommodate inconsistent output from `lowdown`
-{ prefix, inlineHTML ? true }: settingsInfo:
+{
+  prefix,
+  inlineHTML ? true,
+}:
+settingsInfo:

 let

-  showSetting = prefix: setting: { description, documentDefault, defaultValue, aliases, value, experimentalFeature }:
+  showSetting =
+    prefix: setting:
+    {
+      description,
+      documentDefault,
+      defaultValue,
+      aliases,
+      value,
+      experimentalFeature,
+    }:
    let
      result = squash ''
-          - ${item}
+        - ${item}

-          ${indent "  " body}
-        '';
-      item = if inlineHTML
-        then ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
-        else "`${setting}`";
+        ${indent "  " body}
+      '';
+      item =
+        if inlineHTML then
+          ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
+        else
+          "`${setting}`";
      # separate body to cleanly handle indentation
      body = ''
-          ${experimentalFeatureNote}
+        ${experimentalFeatureNote}

-          ${description}
+        ${description}

-          **Default:** ${showDefault documentDefault defaultValue}
+        **Default:** ${showDefault documentDefault defaultValue}

-          ${showAliases aliases}
-        '';
+        ${showAliases aliases}
+      '';

      experimentalFeatureNote = optionalString (experimentalFeature != null) ''
-          > **Warning**
-          >
-          > This setting is part of an
-          > [experimental feature](@docroot@/development/experimental-features.md).
-          >
-          > To change this setting, make sure the
-          > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
-          > is enabled.
-          > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
-          >
-          > ```
-          > extra-experimental-features = ${experimentalFeature}
-          > ${setting} = ...
-          > ```
-        '';
+        > **Warning**
+        >
+        > This setting is part of an
+        > [experimental feature](@docroot@/development/experimental-features.md).
+        >
+        > To change this setting, make sure the
+        > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
+        > is enabled.
+        > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
+        >
+        > ```
+        > extra-experimental-features = ${experimentalFeature}
+        > ${setting} = ...
+        > ```
+      '';

-      showDefault = documentDefault: defaultValue:
+      showDefault =
+        documentDefault: defaultValue:
        if documentDefault then
          # a StringMap value type is specified as a string, but
          # this shows the value type. The empty stringmap is `null` in
          # JSON, but that converts to `{ }` here.
-          if defaultValue == "" || defaultValue == [] || isAttrs defaultValue
-            then "*empty*"
-            else if isBool defaultValue then
-              if defaultValue then "`true`" else "`false`"
-            else "`${toString defaultValue}`"
-        else "*machine-specific*";
+          if defaultValue == "" || defaultValue == [ ] || isAttrs defaultValue then
+            "*empty*"
+          else if isBool defaultValue then
+            if defaultValue then "`true`" else "`false`"
+          else
+            "`${toString defaultValue}`"
+        else
+          "*machine-specific*";

-      showAliases = aliases:
-          optionalString (aliases != [])
-            "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";
+      showAliases =
+        aliases:
+        optionalString (aliases != [ ])
+          "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";

-    in result;
+    in
+    result;

-in concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))
+in
+concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))
--- a/doc/manual/generate-store-info.nix
+++ b/doc/manual/generate-store-info.nix
@@ -1,6 +1,20 @@
 let
-  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
-  inherit (import <nix/utils.nix>) optionalString filterAttrs trim squash toLower unique indent;
+  inherit (builtins)
+    attrNames
+    listToAttrs
+    concatStringsSep
+    readFile
+    replaceStrings
+    ;
+  inherit (import <nix/utils.nix>)
+    optionalString
+    filterAttrs
+    trim
+    squash
+    toLower
+    unique
+    indent
+    ;
  showSettings = import <nix/generate-settings.nix>;
 in

@@ -14,7 +28,13 @@ in

 let

-  showStore = { name, slug }: { settings, doc, experimentalFeature }:
+  showStore =
+    { name, slug }:
+    {
+      settings,
+      doc,
+      experimentalFeature,
+    }:
    let
      result = squash ''
        # ${name}
@@ -25,7 +45,10 @@ let

        ## Settings

-        ${showSettings { prefix = "store-${slug}"; inherit inlineHTML; } settings}
+        ${showSettings {
+          prefix = "store-${slug}";
+          inherit inlineHTML;
+        } settings}
      '';

      experimentalFeatureNote = optionalString (experimentalFeature != null) ''
@@ -43,15 +66,15 @@ let
        > extra-experimental-features = ${experimentalFeature}
        > ```
      '';
-    in result;
+    in
+    result;

-  storesList = map
-    (name: rec {
-      inherit name;
-      slug = replaceStrings [ " " ] [ "-" ] (toLower name);
-      filename = "${slug}.md";
-      page = showStore { inherit name slug; } storeInfo.${name};
-    })
-    (attrNames storeInfo);
+  storesList = map (name: rec {
+    inherit name;
+    slug = replaceStrings [ " " ] [ "-" ] (toLower name);
+    filename = "${slug}.md";
+    page = showStore { inherit name slug; } storeInfo.${name};
+  }) (attrNames storeInfo);

-in storesList
+in
+storesList
--- a/doc/manual/generate-store-types.nix
+++ b/doc/manual/generate-store-types.nix
@@ -1,5 +1,11 @@
 let
-  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
+  inherit (builtins)
+    attrNames
+    listToAttrs
+    concatStringsSep
+    readFile
+    replaceStrings
+    ;
  showSettings = import <nix/generate-settings.nix>;
  showStoreDocs = import <nix/generate-store-info.nix>;
 in
@@ -14,26 +20,28 @@ let

  index =
    let
-      showEntry = store:
-        "- [${store.name}](./${store.filename})";
+      showEntry = store: "- [${store.name}](./${store.filename})";
    in
    concatStringsSep "\n" (map showEntry storesList);

-  "index.md" = replaceStrings
-    [ "@store-types@" ] [ index ]
-    (readFile ./source/store/types/index.md.in);
+  "index.md" =
+    replaceStrings [ "@store-types@" ] [ index ]
+      (readFile ./source/store/types/index.md.in);

  tableOfContents =
    let
-      showEntry = store:
-        "    - [${store.name}](store/types/${store.filename})";
+      showEntry = store: "    - [${store.name}](store/types/${store.filename})";
    in
    concatStringsSep "\n" (map showEntry storesList) + "\n";

  "SUMMARY.md" = tableOfContents;

-  storePages = listToAttrs
-    (map (s: { name = s.filename; value = s.page; }) storesList);
+  storePages = listToAttrs (
+    map (s: {
+      name = s.filename;
+      value = s.page;
+    }) storesList
+  );

 in
 storePages // { inherit "index.md" "SUMMARY.md"; }
--- a/doc/manual/generate-xp-features-shortlist.nix
+++ b/doc/manual/generate-xp-features-shortlist.nix
@@ -2,8 +2,8 @@ with builtins;
 with import <nix/utils.nix>;

 let
-  showExperimentalFeature = name: doc:
-    ''
-      - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
-    '';
-in xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))
+  showExperimentalFeature = name: doc: ''
+    - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
+  '';
+in
+xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))
--- a/doc/manual/generate-xp-features.nix
+++ b/doc/manual/generate-xp-features.nix
@@ -2,7 +2,8 @@ with builtins;
 with import <nix/utils.nix>;

 let
-  showExperimentalFeature = name: doc:
+  showExperimentalFeature =
+    name: doc:
    squash ''
      ## [`${name}`]{#xp-feature-${name}}

--- a/doc/manual/package.nix
+++ b/doc/manual/package.nix
@@ -1,19 +1,20 @@
-{ lib
-, mkMesonDerivation
+{
+  lib,
+  mkMesonDerivation,

-, meson
-, ninja
-, lowdown
-, mdbook
-, mdbook-linkcheck
-, jq
-, python3
-, rsync
-, nix-cli
+  meson,
+  ninja,
+  lowdown-unsandboxed,
+  mdbook,
+  mdbook-linkcheck,
+  jq,
+  python3,
+  rsync,
+  nix-cli,

-# Configuration Options
+  # Configuration Options

-, version
+  version,
 }:

 let
@@ -25,24 +26,28 @@ mkMesonDerivation (finalAttrs: {
  inherit version;

  workDir = ./.;
-  fileset = fileset.difference
-    (fileset.unions [
-      ../../.version
-      # Too many different types of files to filter for now
-      ../../doc/manual
-      ./.
-    ])
-    # Do a blacklist instead
-    ../../doc/manual/package.nix;
+  fileset =
+    fileset.difference
+      (fileset.unions [
+        ../../.version
+        # Too many different types of files to filter for now
+        ../../doc/manual
+        ./.
+      ])
+      # Do a blacklist instead
+      ../../doc/manual/package.nix;

  # TODO the man pages should probably be separate
-  outputs = [ "out" "man" ];
+  outputs = [
+    "out"
+    "man"
+  ];

  # Hack for sake of the dev shell
  passthru.externalNativeBuildInputs = [
    meson
    ninja
-    (lib.getBin lowdown)
+    (lib.getBin lowdown-unsandboxed)
    mdbook
    mdbook-linkcheck
    jq
@@ -54,11 +59,10 @@ mkMesonDerivation (finalAttrs: {
    nix-cli
  ];

-  preConfigure =
-    ''
-      chmod u+w ./.version
-      echo ${finalAttrs.version} > ./.version
-    '';
+  preConfigure = ''
+    chmod u+w ./.version
+    echo ${finalAttrs.version} > ./.version
+  '';

  postInstall = ''
    mkdir -p ''$out/nix-support
--- a/doc/manual/rl-next/curl-cloexec.md
+++ b/doc/manual/rl-next/curl-cloexec.md
@@ -0,0 +1,10 @@
+---
+synopsis: Set FD_CLOEXEC on sockets created by curl
+issues: []
+prs: [12439]
+---
+
+
+Curl creates sockets without setting FD_CLOEXEC/SOCK_CLOEXEC, this can cause connections to remain open forever when using commands like `nix shell`
+
+This change sets the FD_CLOEXEC flag using a CURLOPT_SOCKOPTFUNCTION callback.
--- a/doc/manual/rl-next/nix-copy-flags.md
+++ b/doc/manual/rl-next/nix-copy-flags.md
@@ -1,18 +0,0 @@
---
-synopsis: "`nix copy` supports `--profile` and `--out-link`"
-prs: [11657]
---
-
-The `nix copy` command now has flags `--profile` and `--out-link`, similar to `nix build`. `--profile` makes a profile point to the
-top-level store path, while `--out-link` create symlinks to the top-level store paths.
-
-For example, when updating the local NixOS system profile from a NixOS system closure on a remote machine, instead of
-```
-# nix copy --from ssh://server $path
-# nix build --profile /nix/var/nix/profiles/system $path
-```
-you can now do
-```
-# nix copy --from ssh://server --profile /nix/var/nix/profiles/system $path
-```
-The advantage is that this avoids a time window where *path* is not a garbage collector root, and so could be deleted by a concurrent `nix store gc` process.
--- a/doc/manual/source/SUMMARY.md.in
+++ b/doc/manual/source/SUMMARY.md.in
@@ -130,6 +130,7 @@
  - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
+  - [Release 2.26 (2025-01-22)](release-notes/rl-2.26.md)
  - [Release 2.25 (2024-11-07)](release-notes/rl-2.25.md)
  - [Release 2.24 (2024-07-31)](release-notes/rl-2.24.md)
  - [Release 2.23 (2024-06-03)](release-notes/rl-2.23.md)
--- a/doc/manual/source/command-ref/nix-collect-garbage.md
+++ b/doc/manual/source/command-ref/nix-collect-garbage.md
@@ -62,6 +62,15 @@ These options are for deleting old [profiles] prior to deleting unreachable [sto
  This is the equivalent of invoking [`nix-env --delete-generations <period>`](@docroot@/command-ref/nix-env/delete-generations.md#generations-time) on each found profile.
  See the documentation of that command for additional information about the *period* argument.

+  - <span id="opt-max-freed">[`--max-freed`](#opt-max-freed)</span> *bytes*
+
+<!-- duplication from https://github.com/NixOS/nix/blob/442a2623e48357ff72c77bb11cf2cf06d94d2f90/doc/manual/source/command-ref/nix-store/gc.md?plain=1#L39-L44 -->
+
+  Keep deleting paths until at least *bytes* bytes have been deleted,
+  then stop. The argument *bytes* can be followed by the
+  multiplicative suffix `K`, `M`, `G` or `T`, denoting KiB, MiB, GiB
+  or TiB units.
+  
 {{#include ./opt-common.md}}

 {{#include ./env-common.md}}
--- a/doc/manual/source/command-ref/nix-copy-closure.md
+++ b/doc/manual/source/command-ref/nix-copy-closure.md
@@ -84,7 +84,7 @@ When using public key authentication, you can avoid typing the passphrase with `
 > Copy GNU Hello from a remote machine using a known store path, and run it:
 >
 > ```shell-session
-> $ storePath="$(nix-instantiate --eval '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath | tr -d '"')"
+> $ storePath="$(nix-instantiate --eval --raw '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath)"
 > $ nix-copy-closure --from alice@itchy.example.org "$storePath"
 > $ "$storePath"/bin/hello
 > Hello, world!
--- a/doc/manual/source/command-ref/nix-env/install.md
+++ b/doc/manual/source/command-ref/nix-env/install.md
@@ -11,6 +11,7 @@
  [`--from-profile` *path*]
  [`--preserve-installed` | `-P`]
  [`--remove-all` | `-r`]
+  [`--priority` *priority*]

 # Description

@@ -61,6 +62,10 @@ The arguments *args* map to store paths in a number of possible ways:
  The derivations returned by those function calls are installed.
  This allows derivations to be specified in an unambiguous way, which is necessary if there are multiple derivations with the same name.

+- If `--priority` *priority* is given, the priority of the derivations being installed is set to *priority*.
+  This can be used to override the priority of the derivations being installed.
+  This is useful if *args* are [store paths], which don't have any priority information.
+
 - If *args* are [store derivations](@docroot@/glossary.md#gloss-store-derivation), then these are [realised], and the resulting output paths are installed.

 - If *args* are [store paths] that are not store derivations, then these are [realised] and installed.
@@ -235,4 +240,3 @@ channel:
 ```console
 $ nix-env --file https://github.com/NixOS/nixpkgs/archive/nixos-14.12.tar.gz --install --attr firefox
 ```
-
--- a/doc/manual/source/command-ref/nix-instantiate.md
+++ b/doc/manual/source/command-ref/nix-instantiate.md
@@ -5,7 +5,7 @@
 # Synopsis

 `nix-instantiate`
-  [`--parse` | `--eval` [`--strict`] [`--json`] [`--xml`] ]
+  [`--parse` | `--eval` [`--strict`] [`--raw` | `--json` | `--xml`] ]
  [`--read-write-mode`]
  [`--arg` *name* *value*]
  [{`--attr`| `-A`} *attrPath*]
@@ -102,6 +102,11 @@ standard input.
  > This option can cause non-termination, because lazy data
  > structures can be infinitely large.

+- `--raw`
+
+  When used with `--eval`, the evaluation result must be a string,
+  which is printed verbatim, without quoting, escaping or trailing newline.
+
 - `--json`

  When used with `--eval`, print the resulting value as an JSON
--- a/doc/manual/source/command-ref/nix-store/add-fixed.md
+++ b/doc/manual/source/command-ref/nix-store/add-fixed.md
@@ -21,6 +21,9 @@ This operation has the following options:
  Use recursive instead of flat hashing mode, used when adding
  directories to the store.

+  *paths* that refer to symlinks are not dereferenced, but added to the store
+  as symlinks with the same target.
+
 {{#include ./opt-common.md}}

 {{#include ../opt-common.md}}
--- a/doc/manual/source/command-ref/nix-store/add.md
+++ b/doc/manual/source/command-ref/nix-store/add.md
@@ -11,6 +11,9 @@
 The operation `--add` adds the specified paths to the Nix store. It
 prints the resulting paths in the Nix store on standard output.

+*paths* that refer to symlinks are not dereferenced, but added to the store
+as symlinks with the same target.
+
 {{#include ./opt-common.md}}

 {{#include ../opt-common.md}}
--- a/doc/manual/source/development/documentation.md
+++ b/doc/manual/source/development/documentation.md
@@ -19,10 +19,11 @@ nix-build -E '(import ./.).packages.${builtins.currentSystem}.nix.doc'
 or

 ```console
-nix build .#nix^doc
+nix build .#nix-manual
 ```

-and open `./result-doc/share/doc/nix/manual/index.html`.
+and open `./result/share/doc/nix/manual/index.html`.
+

 To build the manual incrementally, [enter the development shell](./building.md) and run:

--- a/doc/manual/source/development/testing.md
+++ b/doc/manual/source/development/testing.md
@@ -297,7 +297,7 @@ Creating a Cachix cache for your installer tests and adding its authorisation to
  - `armv7l-linux`
  - `x86_64-darwin`

- The `installer_test` job (which runs on `ubuntu-latest` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command.
+- The `installer_test` job (which runs on `ubuntu-24.04` and `macos-14`) will try to install Nix with the cached installer and run a trivial Nix command.

 ### One-time setup

--- a/doc/manual/source/installation/uninstall.md
+++ b/doc/manual/source/installation/uninstall.md
@@ -160,6 +160,6 @@ which you may remove.
 To remove a [single-user installation](./installing-binary.md#single-user-installation) of Nix, run:

 ```console
-$ rm -rf /nix ~/.nix-channels ~/.nix-defexpr ~/.nix-profile
+rm -rf /nix ~/.nix-channels ~/.nix-defexpr ~/.nix-profile
 ```
 You might also want to manually remove references to Nix from your `~/.profile`.
--- a/doc/manual/source/release-notes/rl-2.26.md
+++ b/doc/manual/source/release-notes/rl-2.26.md
@@ -0,0 +1,128 @@
+# Release 2.26.0 (2025-01-22)
+
+- Support for relative path inputs [#10089](https://github.com/NixOS/nix/pull/10089)
+
+  Flakes can now refer to other flakes in the same repository using relative paths, e.g.
+  ```nix
+  inputs.foo.url = "path:./foo";
+  ```
+  uses the flake in the `foo` subdirectory of the referring flake. For more information, see the documentation on [the `path` flake input type](@docroot@/command-ref/new-cli/nix3-flake.md#path-fetcher).
+
+  This feature required a change to the lock file format. Previous Nix versions will not be able to use lock files that have locks for relative path inputs in them.
+
+- Flake lock file generation now ignores local registries [#12019](https://github.com/NixOS/nix/pull/12019)
+
+  When resolving indirect flake references like `nixpkgs` in `flake.nix` files, Nix will no longer use the system and user flake registries. It will only use the global flake registry and overrides given on the command line via `--override-flake`.
+
+  This avoids accidents where users have local registry overrides that map `nixpkgs` to a `path:` flake in the local file system, which then end up in committed lock files pushed to other users.
+
+  In the future, we may remove the use of the registry during lock file generation altogether. It's better to explicitly specify the URL of a flake input. For example, instead of
+  ```nix
+  {
+    outputs = { self, nixpkgs }: { ... };
+  }
+  ```
+  write
+  ```nix
+  {
+    inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    outputs = { self, nixpkgs }: { ... };
+  }
+  ```
+
+- `nix copy` supports `--profile` and `--out-link` [#11657](https://github.com/NixOS/nix/pull/11657)
+
+  The `nix copy` command now has flags `--profile` and `--out-link`, similar to `nix build`. `--profile` makes a profile point to the
+  top-level store path, while `--out-link` create symlinks to the top-level store paths.
+
+  For example, when updating the local NixOS system profile from a NixOS system closure on a remote machine, instead of
+  ```
+  # nix copy --from ssh://server $path
+  # nix build --profile /nix/var/nix/profiles/system $path
+  ```
+  you can now do
+  ```
+  # nix copy --from ssh://server --profile /nix/var/nix/profiles/system $path
+  ```
+  The advantage is that this avoids a time window where *path* is not a garbage collector root, and so could be deleted by a concurrent `nix store gc` process.
+
+- `nix-instantiate --eval` now supports `--raw` [#12119](https://github.com/NixOS/nix/pull/12119)
+
+  The `nix-instantiate --eval` command now supports a `--raw` flag, when used
+  the evaluation result must be a string, which is printed verbatim without
+  quotation marks or escaping.
+
+- Improved `NIX_SSHOPTS` parsing for better SSH option handling [#5181](https://github.com/NixOS/nix/issues/5181) [#12020](https://github.com/NixOS/nix/pull/12020)
+
+  The parsing of the `NIX_SSHOPTS` environment variable has been improved to handle spaces and quotes correctly.
+  Previously, incorrectly split SSH options could cause failures in commands like `nix-copy-closure`,
+  especially when using complex SSH invocations such as `-o ProxyCommand="ssh -W %h:%p ..."`.
+
+  This change introduces a `shellSplitString` function to ensure
+  that `NIX_SSHOPTS` is parsed in a manner consistent with shell
+  behavior, addressing common parsing errors.
+
+  For example, the following now works as expected:
+
+  ```bash
+  export NIX_SSHOPTS='-o ProxyCommand="ssh -W %h:%p ..."'
+  ```
+
+  This update improves the reliability of SSH-related operations using `NIX_SSHOPTS` across Nix CLIs.
+
+- Nix is now built using Meson
+
+  As proposed in [RFC 132](https://github.com/NixOS/rfcs/pull/132), Nix's build system now uses Meson/Ninja. The old Make-based build system has been removed.
+
+- Evaluation caching now works for dirty Git workdirs [#11992](https://github.com/NixOS/nix/pull/11992)
+
+# Contributors
+
+This release was made possible by the following 45 contributors:
+
+- Anatoli Babenia [**(@abitrolly)**](https://github.com/abitrolly)
+- Domagoj Mišković [**(@allrealmsoflife)**](https://github.com/allrealmsoflife)
+- Yaroslav Bolyukin [**(@CertainLach)**](https://github.com/CertainLach)
+- bryango [**(@bryango)**](https://github.com/bryango)
+- tomberek [**(@tomberek)**](https://github.com/tomberek)
+- Matej Urbas [**(@mupdt)**](https://github.com/mupdt)
+- elikoga [**(@elikoga)**](https://github.com/elikoga)
+- wh0 [**(@wh0)**](https://github.com/wh0)
+- Félix [**(@picnoir)**](https://github.com/picnoir)
+- Valentin Gagarin [**(@fricklerhandwerk)**](https://github.com/fricklerhandwerk)
+- Gavin John [**(@Pandapip1)**](https://github.com/Pandapip1)
+- Travis A. Everett [**(@abathur)**](https://github.com/abathur)
+- Vladimir Panteleev [**(@CyberShadow)**](https://github.com/CyberShadow)
+- Ilja [**(@suruaku)**](https://github.com/suruaku)
+- Jason Yundt [**(@Jayman2000)**](https://github.com/Jayman2000)
+- Mike Kusold [**(@kusold)**](https://github.com/kusold)
+- Andy Hamon [**(@andrewhamon)**](https://github.com/andrewhamon)
+- Brian McKenna [**(@puffnfresh)**](https://github.com/puffnfresh)
+- Greg Curtis [**(@gcurtis)**](https://github.com/gcurtis)
+- Andrew Poelstra [**(@apoelstra)**](https://github.com/apoelstra)
+- Linus Heckemann [**(@lheckemann)**](https://github.com/lheckemann)
+- Tristan Ross [**(@RossComputerGuy)**](https://github.com/RossComputerGuy)
+- Dominique Martinet [**(@martinetd)**](https://github.com/martinetd)
+- h0nIg [**(@h0nIg)**](https://github.com/h0nIg)
+- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
+- Shahar "Dawn" Or [**(@mightyiam)**](https://github.com/mightyiam)
+- NAHO [**(@trueNAHO)**](https://github.com/trueNAHO)
+- Ryan Hendrickson [**(@rhendric)**](https://github.com/rhendric)
+- the-sun-will-rise-tomorrow [**(@the-sun-will-rise-tomorrow)**](https://github.com/the-sun-will-rise-tomorrow)
+- Connor Baker [**(@ConnorBaker)**](https://github.com/ConnorBaker)
+- Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
+- Jack Wilsdon [**(@jackwilsdon)**](https://github.com/jackwilsdon)
+- ‮rekcäH nitraM‮ [**(@dwt)**](https://github.com/dwt)
+- Martin Fischer [**(@not-my-profile)**](https://github.com/not-my-profile)
+- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
+- Graham Christensen [**(@grahamc)**](https://github.com/grahamc)
+- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
+- Siddarth Kumar [**(@siddarthkay)**](https://github.com/siddarthkay)
+- Sergei Trofimovich [**(@trofi)**](https://github.com/trofi)
+- Robert Hensing [**(@roberth)**](https://github.com/roberth)
+- Mutsuha Asada [**(@momeemt)**](https://github.com/momeemt)
+- Parker Jones [**(@knotapun)**](https://github.com/knotapun)
+- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
+- dbdr [**(@dbdr)**](https://github.com/dbdr)
+- myclevorname [**(@myclevorname)**](https://github.com/myclevorname)
+- Philipp Otterbein
--- a/doc/manual/utils.nix
+++ b/doc/manual/utils.nix
@@ -11,10 +11,15 @@ rec {

  concatStrings = concatStringsSep "";

-  attrsToList = a:
-    map (name: { inherit name; value = a.${name}; }) (builtins.attrNames a);
+  attrsToList =
+    a:
+    map (name: {
+      inherit name;
+      value = a.${name};
+    }) (builtins.attrNames a);

-  replaceStringsRec = from: to: string:
+  replaceStringsRec =
+    from: to: string:
    # recursively replace occurrences of `from` with `to` within `string`
    # example:
    #     replaceStringRec "--" "-" "hello-----world"
@@ -22,16 +27,18 @@ rec {
    let
      replaced = replaceStrings [ from ] [ to ] string;
    in
-      if replaced == string then string else replaceStringsRec from to replaced;
+    if replaced == string then string else replaceStringsRec from to replaced;

  toLower = replaceStrings upperChars lowerChars;

  squash = replaceStringsRec "\n\n\n" "\n\n";

-  trim = string:
+  trim =
+    string:
    # trim trailing spaces and squash non-leading spaces
    let
-      trimLine = line:
+      trimLine =
+        line:
        let
          # separate leading spaces from the rest
          parts = split "(^ *)" line;
@@ -39,19 +46,30 @@ rec {
          rest = elemAt parts 2;
          # drop trailing spaces
          body = head (split " *$" rest);
-        in spaces + replaceStringsRec "  " " " body;
-    in concatStringsSep "\n" (map trimLine (splitLines string));
+        in
+        spaces + replaceStringsRec "  " " " body;
+    in
+    concatStringsSep "\n" (map trimLine (splitLines string));

  # FIXME: O(n^2)
-  unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [];
+  unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [ ];

  nameValuePair = name: value: { inherit name value; };

-  filterAttrs = pred: set:
-    listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
+  filterAttrs =
+    pred: set:
+    listToAttrs (
+      concatMap (
+        name:
+        let
+          v = set.${name};
+        in
+        if pred name v then [ (nameValuePair name v) ] else [ ]
+      ) (attrNames set)
+    );

  optionalString = cond: string: if cond then string else "";

-  indent = prefix: s:
-    concatStringsSep "\n" (map (x: if x == "" then x else "${prefix}${x}") (splitLines s));
+  indent =
+    prefix: s: concatStringsSep "\n" (map (x: if x == "" then x else "${prefix}${x}") (splitLines s));
 }
--- a/docker.nix
+++ b/docker.nix
@@ -1,112 +1,113 @@
-{ pkgs ? import <nixpkgs> { }
-, lib ? pkgs.lib
-, name ? "nix"
-, tag ? "latest"
-, bundleNixpkgs ? true
-, channelName ? "nixpkgs"
-, channelURL ? "https://nixos.org/channels/nixpkgs-unstable"
-, extraPkgs ? []
-, maxLayers ? 100
-, nixConf ? {}
-, flake-registry ? null
-, uid ? 0
-, gid ? 0
-, uname ? "root"
-, gname ? "root"
+{
+  pkgs ? import <nixpkgs> { },
+  lib ? pkgs.lib,
+  name ? "nix",
+  tag ? "latest",
+  bundleNixpkgs ? true,
+  channelName ? "nixpkgs",
+  channelURL ? "https://nixos.org/channels/nixpkgs-unstable",
+  extraPkgs ? [ ],
+  maxLayers ? 100,
+  nixConf ? { },
+  flake-registry ? null,
+  uid ? 0,
+  gid ? 0,
+  uname ? "root",
+  gname ? "root",
 }:
 let
-  defaultPkgs = with pkgs; [
-    nix
-    bashInteractive
-    coreutils-full
-    gnutar
-    gzip
-    gnugrep
-    which
-    curl
-    less
-    wget
-    man
-    cacert.out
-    findutils
-    iana-etc
-    git
-    openssh
-  ] ++ extraPkgs;
+  defaultPkgs =
+    with pkgs;
+    [
+      nix
+      bashInteractive
+      coreutils-full
+      gnutar
+      gzip
+      gnugrep
+      which
+      curl
+      less
+      wget
+      man
+      cacert.out
+      findutils
+      iana-etc
+      git
+      openssh
+    ]
+    ++ extraPkgs;

-  users = {
+  users =
+    {

-    root = {
-      uid = 0;
-      shell = "${pkgs.bashInteractive}/bin/bash";
-      home = "/root";
-      gid = 0;
-      groups = [ "root" ];
-      description = "System administrator";
+      root = {
+        uid = 0;
+        shell = "${pkgs.bashInteractive}/bin/bash";
+        home = "/root";
+        gid = 0;
+        groups = [ "root" ];
+        description = "System administrator";
+      };
+
+      nobody = {
+        uid = 65534;
+        shell = "${pkgs.shadow}/bin/nologin";
+        home = "/var/empty";
+        gid = 65534;
+        groups = [ "nobody" ];
+        description = "Unprivileged account (don't use!)";
+      };
+
+    }
+    // lib.optionalAttrs (uid != 0) {
+      "${uname}" = {
+        uid = uid;
+        shell = "${pkgs.bashInteractive}/bin/bash";
+        home = "/home/${uname}";
+        gid = gid;
+        groups = [ "${gname}" ];
+        description = "Nix user";
+      };
+    }
+    // lib.listToAttrs (
+      map (n: {
+        name = "nixbld${toString n}";
+        value = {
+          uid = 30000 + n;
+          gid = 30000;
+          groups = [ "nixbld" ];
+          description = "Nix build user ${toString n}";
+        };
+      }) (lib.lists.range 1 32)
+    );
+
+  groups =
+    {
+      root.gid = 0;
+      nixbld.gid = 30000;
+      nobody.gid = 65534;
+    }
+    // lib.optionalAttrs (gid != 0) {
+      "${gname}".gid = gid;
    };

-    nobody = {
-      uid = 65534;
-      shell = "${pkgs.shadow}/bin/nologin";
-      home = "/var/empty";
-      gid = 65534;
-      groups = [ "nobody" ];
-      description = "Unprivileged account (don't use!)";
-    };
-
-  } // lib.optionalAttrs (uid != 0) {
-    "${uname}" = {
-      uid = uid;
-      shell = "${pkgs.bashInteractive}/bin/bash";
-      home = "/home/${uname}";
-      gid = gid;
-      groups = [ "${gname}" ];
-      description = "Nix user";
-    };
-  } // lib.listToAttrs (
-    map
-      (
-        n: {
-          name = "nixbld${toString n}";
-          value = {
-            uid = 30000 + n;
-            gid = 30000;
-            groups = [ "nixbld" ];
-            description = "Nix build user ${toString n}";
-          };
-        }
-      )
-      (lib.lists.range 1 32)
-  );
-
-  groups = {
-    root.gid = 0;
-    nixbld.gid = 30000;
-    nobody.gid = 65534;
-  } // lib.optionalAttrs (gid != 0) {
-    "${gname}".gid = gid;
-  };
-
  userToPasswd = (
    k:
-    { uid
-    , gid ? 65534
-    , home ? "/var/empty"
-    , description ? ""
-    , shell ? "/bin/false"
-    , groups ? [ ]
-    }: "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
-  );
-  passwdContents = (
-    lib.concatStringsSep "\n"
-      (lib.attrValues (lib.mapAttrs userToPasswd users))
+    {
+      uid,
+      gid ? 65534,
+      home ? "/var/empty",
+      description ? "",
+      shell ? "/bin/false",
+      groups ? [ ],
+    }:
+    "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
  );
+  passwdContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs userToPasswd users)));

  userToShadow = k: { ... }: "${k}:!:1::::::";
-  shadowContents = (
-    lib.concatStringsSep "\n"
-      (lib.attrValues (lib.mapAttrs userToShadow users))
-  );
+  shadowContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs userToShadow users)));

  # Map groups to members
  # {
@@ -116,42 +117,35 @@ let
    let
      # Create a flat list of user/group mappings
      mappings = (
-        builtins.foldl'
-          (
-            acc: user:
-              let
-                groups = users.${user}.groups or [ ];
-              in
-              acc ++ map
-                (group: {
-                  inherit user group;
-                })
-                groups
-          )
-          [ ]
-          (lib.attrNames users)
+        builtins.foldl' (
+          acc: user:
+          let
+            groups = users.${user}.groups or [ ];
+          in
+          acc
+          ++ map (group: {
+            inherit user group;
+          }) groups
+        ) [ ] (lib.attrNames users)
      );
    in
-    (
-      builtins.foldl'
-        (
-          acc: v: acc // {
-            ${v.group} = acc.${v.group} or [ ] ++ [ v.user ];
-          }
-        )
-        { }
-        mappings)
+    (builtins.foldl' (
+      acc: v:
+      acc
+      // {
+        ${v.group} = acc.${v.group} or [ ] ++ [ v.user ];
+      }
+    ) { } mappings)
  );

-  groupToGroup = k: { gid }:
+  groupToGroup =
+    k:
+    { gid }:
    let
      members = groupMemberMap.${k} or [ ];
    in
    "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
-  groupContents = (
-    lib.concatStringsSep "\n"
-      (lib.attrValues (lib.mapAttrs groupToGroup groups))
-  );
+  groupContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs groupToGroup groups)));

  defaultNixConf = {
    sandbox = "false";
@@ -159,11 +153,17 @@ let
    trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
  };

-  nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v:
-    let
-      vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
-    in
-      "${n} = ${vStr}") (defaultNixConf // nixConf))) + "\n";
+  nixConfContents =
+    (lib.concatStringsSep "\n" (
+      lib.mapAttrsFlatten (
+        n: v:
+        let
+          vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
+        in
+        "${n} = ${vStr}"
+      ) (defaultNixConf // nixConf)
+    ))
+    + "\n";

  userHome = if uid == 0 then "/root" else "/home/${uname}";

@@ -184,21 +184,29 @@ let
      manifest = pkgs.buildPackages.runCommand "manifest.nix" { } ''
        cat > $out <<EOF
        [
-        ${lib.concatStringsSep "\n" (builtins.map (drv: let
-          outputs = drv.outputsToInstall or [ "out" ];
-        in ''
-          {
-            ${lib.concatStringsSep "\n" (builtins.map (output: ''
-              ${output} = { outPath = "${lib.getOutput output drv}"; };
-            '') outputs)}
-            outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
-            name = "${drv.name}";
-            outPath = "${drv}";
-            system = "${drv.system}";
-            type = "derivation";
-            meta = { };
-          }
-        '') defaultPkgs)}
+        ${lib.concatStringsSep "\n" (
+          builtins.map (
+            drv:
+            let
+              outputs = drv.outputsToInstall or [ "out" ];
+            in
+            ''
+              {
+                ${lib.concatStringsSep "\n" (
+                  builtins.map (output: ''
+                    ${output} = { outPath = "${lib.getOutput output drv}"; };
+                  '') outputs
+                )}
+                outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
+                name = "${drv.name}";
+                outPath = "${drv}";
+                system = "${drv.system}";
+                type = "derivation";
+                meta = { };
+              }
+            ''
+          ) defaultPkgs
+        )}
        ]
        EOF
      '';
@@ -207,16 +215,22 @@ let
        cp -a ${rootEnv}/* $out/
        ln -s ${manifest} $out/manifest.nix
      '';
-      flake-registry-path = if (flake-registry == null) then
-        null
-      else if (builtins.readFileType (toString flake-registry)) == "directory" then
-        "${flake-registry}/flake-registry.json"
-      else
-        flake-registry;
+      flake-registry-path =
+        if (flake-registry == null) then
+          null
+        else if (builtins.readFileType (toString flake-registry)) == "directory" then
+          "${flake-registry}/flake-registry.json"
+        else
+          flake-registry;
    in
    pkgs.runCommand "base-system"
      {
-        inherit passwdContents groupContents shadowContents nixConfContents;
+        inherit
+          passwdContents
+          groupContents
+          shadowContents
+          nixConfContents
+          ;
        passAsFile = [
          "passwdContents"
          "groupContents"
@@ -225,67 +239,79 @@ let
        ];
        allowSubstitutes = false;
        preferLocalBuild = true;
-      } (''
-      env
-      set -x
-      mkdir -p $out/etc
+      }
+      (
+        ''
+          env
+          set -x
+          mkdir -p $out/etc

-      mkdir -p $out/etc/ssl/certs
-      ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
+          mkdir -p $out/etc/ssl/certs
+          ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs

-      cat $passwdContentsPath > $out/etc/passwd
-      echo "" >> $out/etc/passwd
+          cat $passwdContentsPath > $out/etc/passwd
+          echo "" >> $out/etc/passwd

-      cat $groupContentsPath > $out/etc/group
-      echo "" >> $out/etc/group
+          cat $groupContentsPath > $out/etc/group
+          echo "" >> $out/etc/group

-      cat $shadowContentsPath > $out/etc/shadow
-      echo "" >> $out/etc/shadow
+          cat $shadowContentsPath > $out/etc/shadow
+          echo "" >> $out/etc/shadow

-      mkdir -p $out/usr
-      ln -s /nix/var/nix/profiles/share $out/usr/
+          mkdir -p $out/usr
+          ln -s /nix/var/nix/profiles/share $out/usr/

-      mkdir -p $out/nix/var/nix/gcroots
+          mkdir -p $out/nix/var/nix/gcroots

-      mkdir $out/tmp
+          mkdir $out/tmp

-      mkdir -p $out/var/tmp
+          mkdir -p $out/var/tmp

-      mkdir -p $out/etc/nix
-      cat $nixConfContentsPath > $out/etc/nix/nix.conf
+          mkdir -p $out/etc/nix
+          cat $nixConfContentsPath > $out/etc/nix/nix.conf

-      mkdir -p $out${userHome}
-      mkdir -p $out/nix/var/nix/profiles/per-user/${uname}
+          mkdir -p $out${userHome}
+          mkdir -p $out/nix/var/nix/profiles/per-user/${uname}

-      ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
-      ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
-      ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile
+          ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
+          ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
+          ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile

-      ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link
-      ln -s /nix/var/nix/profiles/per-user/${uname}/channels-1-link $out/nix/var/nix/profiles/per-user/${uname}/channels
+          ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link
+          ln -s /nix/var/nix/profiles/per-user/${uname}/channels-1-link $out/nix/var/nix/profiles/per-user/${uname}/channels

-      mkdir -p $out${userHome}/.nix-defexpr
-      ln -s /nix/var/nix/profiles/per-user/${uname}/channels $out${userHome}/.nix-defexpr/channels
-      echo "${channelURL} ${channelName}" > $out${userHome}/.nix-channels
+          mkdir -p $out${userHome}/.nix-defexpr
+          ln -s /nix/var/nix/profiles/per-user/${uname}/channels $out${userHome}/.nix-defexpr/channels
+          echo "${channelURL} ${channelName}" > $out${userHome}/.nix-channels

-      mkdir -p $out/bin $out/usr/bin
-      ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
-      ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
+          mkdir -p $out/bin $out/usr/bin
+          ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
+          ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh

-    '' + (lib.optionalString (flake-registry-path != null) ''
-      nixCacheDir="${userHome}/.cache/nix"
-      mkdir -p $out$nixCacheDir
-      globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
-      ln -s ${flake-registry-path} $out$globalFlakeRegistryPath
-      mkdir -p $out/nix/var/nix/gcroots/auto
-      rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath))
-      ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName
-    ''));
+        ''
+        + (lib.optionalString (flake-registry-path != null) ''
+          nixCacheDir="${userHome}/.cache/nix"
+          mkdir -p $out$nixCacheDir
+          globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
+          ln -s ${flake-registry-path} $out$globalFlakeRegistryPath
+          mkdir -p $out/nix/var/nix/gcroots/auto
+          rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath))
+          ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName
+        '')
+      );

 in
 pkgs.dockerTools.buildLayeredImageWithNixDb {

-  inherit name tag maxLayers uid gid uname gname;
+  inherit
+    name
+    tag
+    maxLayers
+    uid
+    gid
+    uname
+    gname
+    ;

  contents = [ baseSystem ];

@@ -305,15 +331,19 @@ pkgs.dockerTools.buildLayeredImageWithNixDb {
    User = "${toString uid}:${toString gid}";
    Env = [
      "USER=${uname}"
-      "PATH=${lib.concatStringsSep ":" [
-        "${userHome}/.nix-profile/bin"
-        "/nix/var/nix/profiles/default/bin"
-        "/nix/var/nix/profiles/default/sbin"
-      ]}"
-      "MANPATH=${lib.concatStringsSep ":" [
-        "${userHome}/.nix-profile/share/man"
-        "/nix/var/nix/profiles/default/share/man"
-      ]}"
+      "PATH=${
+        lib.concatStringsSep ":" [
+          "${userHome}/.nix-profile/bin"
+          "/nix/var/nix/profiles/default/bin"
+          "/nix/var/nix/profiles/default/sbin"
+        ]
+      }"
+      "MANPATH=${
+        lib.concatStringsSep ":" [
+          "${userHome}/.nix-profile/share/man"
+          "/nix/var/nix/profiles/default/share/man"
+        ]
+      }"
      "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
      "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
      "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
--- a/flake.lock
+++ b/flake.lock
@@ -3,11 +3,11 @@
    "flake-compat": {
      "flake": false,
      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
        "owner": "edolstra",
        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
        "type": "github"
      },
      "original": {
@@ -23,11 +23,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
        "type": "github"
      },
      "original": {
@@ -48,11 +48,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1721042469,
-        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "lastModified": 1734279981,
+        "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
        "owner": "cachix",
        "repo": "git-hooks.nix",
-        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
+        "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
        "type": "github"
      },
      "original": {
@@ -61,35 +61,18 @@
        "type": "github"
      }
    },
-    "libgit2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1715853528,
-        "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
-        "owner": "libgit2",
-        "repo": "libgit2",
-        "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
-        "type": "github"
-      },
-      "original": {
-        "owner": "libgit2",
-        "ref": "v1.8.1",
-        "repo": "libgit2",
-        "type": "github"
-      }
-    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1723688146,
-        "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
+        "lastModified": 1734359947,
+        "narHash": "sha256-1Noao/H+N8nFB4Beoy8fgwrcOQLVm9o4zKW1ODaqK9E=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
+        "rev": "48d12d5e70ee91fe8481378e540433a7303dbf6a",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "release-24.11",
        "repo": "nixpkgs",
        "type": "github"
      }
@@ -131,7 +114,6 @@
        "flake-compat": "flake-compat",
        "flake-parts": "flake-parts",
        "git-hooks-nix": "git-hooks-nix",
-        "libgit2": "libgit2",
        "nixpkgs": "nixpkgs",
        "nixpkgs-23-11": "nixpkgs-23-11",
        "nixpkgs-regression": "nixpkgs-regression"
--- a/flake.nix
+++ b/flake.nix
@@ -1,11 +1,14 @@
 {
  description = "The purely functional package manager";

-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/release-24.11";
+
  inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
  inputs.nixpkgs-23-11.url = "github:NixOS/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446";
-  inputs.flake-compat = { url = "github:edolstra/flake-compat"; flake = false; };
-  inputs.libgit2 = { url = "github:libgit2/libgit2/v1.8.1"; flake = false; };
+  inputs.flake-compat = {
+    url = "github:edolstra/flake-compat";
+    flake = false;
+  };

  # dev tooling
  inputs.flake-parts.url = "github:hercules-ci/flake-parts";
@@ -18,25 +21,37 @@
  inputs.git-hooks-nix.inputs.flake-compat.follows = "";
  inputs.git-hooks-nix.inputs.gitignore.follows = "";

-  outputs = inputs@{ self, nixpkgs, nixpkgs-regression, libgit2, ... }:
-
+  outputs =
+    inputs@{
+      self,
+      nixpkgs,
+      nixpkgs-regression,
+      ...
+    }:

    let
      inherit (nixpkgs) lib;

-      officialRelease = false;
+      officialRelease = true;

      linux32BitSystems = [ "i686-linux" ];
-      linux64BitSystems = [ "x86_64-linux" "aarch64-linux" ];
+      linux64BitSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
      linuxSystems = linux32BitSystems ++ linux64BitSystems;
-      darwinSystems = [ "x86_64-darwin" "aarch64-darwin" ];
+      darwinSystems = [
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
      systems = linuxSystems ++ darwinSystems;

      crossSystems = [
        "armv6l-unknown-linux-gnueabihf"
        "armv7l-unknown-linux-gnueabihf"
        "riscv64-unknown-linux-gnu"
-        "x86_64-unknown-netbsd"
+        # Disabled because of https://github.com/NixOS/nixpkgs/issues/344423
+        # "x86_64-unknown-netbsd"
        "x86_64-unknown-freebsd"
        "x86_64-w64-mingw32"
      ];
@@ -58,62 +73,77 @@
        (Provided that the names are unique.)

        See https://nixos.org/manual/nixpkgs/stable/index.html#function-library-lib.attrsets.concatMapAttrs
-       */
+      */
      flatMapAttrs = attrs: f: lib.concatMapAttrs f attrs;

      forAllSystems = lib.genAttrs systems;

      forAllCrossSystems = lib.genAttrs crossSystems;

-      forAllStdenvs = f:
-        lib.listToAttrs
-          (map
-            (stdenvName: {
-              name = "${stdenvName}Packages";
-              value = f stdenvName;
-            })
-            stdenvs);
-
+      forAllStdenvs =
+        f:
+        lib.listToAttrs (
+          map (stdenvName: {
+            name = "${stdenvName}Packages";
+            value = f stdenvName;
+          }) stdenvs
+        );

      # We don't apply flake-parts to the whole flake so that non-development attributes
      # load without fetching any development inputs.
      devFlake = inputs.flake-parts.lib.mkFlake { inherit inputs; } {
        imports = [ ./maintainers/flake-module.nix ];
        systems = lib.subtractLists crossSystems systems;
-        perSystem = { system, ... }: {
-          _module.args.pkgs = nixpkgsFor.${system}.native;
-        };
+        perSystem =
+          { system, ... }:
+          {
+            _module.args.pkgs = nixpkgsFor.${system}.native;
+          };
      };

      # Memoize nixpkgs for different platforms for efficiency.
-      nixpkgsFor = forAllSystems
-        (system: let
-          make-pkgs = crossSystem: stdenv: import nixpkgs {
-            localSystem = {
-              inherit system;
+      nixpkgsFor = forAllSystems (
+        system:
+        let
+          make-pkgs =
+            crossSystem: stdenv:
+            import nixpkgs {
+              localSystem = {
+                inherit system;
+              };
+              crossSystem =
+                if crossSystem == null then
+                  null
+                else
+                  {
+                    config = crossSystem;
+                  }
+                  // lib.optionalAttrs (crossSystem == "x86_64-unknown-freebsd13") {
+                    useLLVM = true;
+                  };
+              overlays = [
+                (overlayFor (p: p.${stdenv}))
+              ];
            };
-            crossSystem = if crossSystem == null then null else {
-              config = crossSystem;
-            } // lib.optionalAttrs (crossSystem == "x86_64-unknown-freebsd13") {
-              useLLVM = true;
-            };
-            overlays = [
-              (overlayFor (p: p.${stdenv}))
-            ];
-          };
          stdenvs = forAllStdenvs (make-pkgs null);
          native = stdenvs.stdenvPackages;
-        in {
+        in
+        {
          inherit stdenvs native;
          static = native.pkgsStatic;
+          llvm = native.pkgsLLVM;
          cross = forAllCrossSystems (crossSystem: make-pkgs crossSystem "stdenv");
-        });
+        }
+      );

-      binaryTarball = nix: pkgs: pkgs.callPackage ./scripts/binary-tarball.nix {
-        inherit nix;
-      };
+      binaryTarball =
+        nix: pkgs:
+        pkgs.callPackage ./scripts/binary-tarball.nix {
+          inherit nix;
+        };

-      overlayFor = getStdenv: final: prev:
+      overlayFor =
+        getStdenv: final: prev:
        let
          stdenv = getStdenv final;
        in
@@ -135,6 +165,7 @@
                f = import ./packaging/components.nix {
                  inherit (final) lib;
                  inherit officialRelease;
+                  pkgs = final;
                  src = self;
                };
              };
@@ -160,13 +191,19 @@
          # See https://github.com/NixOS/nixpkgs/pull/214409
          # Remove when fixed in this flake's nixpkgs
          pre-commit =
-            if prev.stdenv.hostPlatform.system == "i686-linux"
-            then (prev.pre-commit.override (o: { dotnet-sdk = ""; })).overridePythonAttrs (o: { doCheck = false; })
-            else prev.pre-commit;
-
+            if prev.stdenv.hostPlatform.system == "i686-linux" then
+              (prev.pre-commit.override (o: {
+                dotnet-sdk = "";
+              })).overridePythonAttrs
+                (o: {
+                  doCheck = false;
+                })
+            else
+              prev.pre-commit;
        };

-    in {
+    in
+    {
      # A Nixpkgs overlay that overrides the 'nix' and
      # 'nix-perl-bindings' packages.
      overlays.default = overlayFor (p: p.stdenv);
@@ -185,58 +222,96 @@
          ;
      };

-      checks = forAllSystems (system: {
-        binaryTarball = self.hydraJobs.binaryTarball.${system};
-        installTests = self.hydraJobs.installTests.${system};
-        nixpkgsLibTests = self.hydraJobs.tests.nixpkgsLibTests.${system};
-        rl-next =
-          let pkgs = nixpkgsFor.${system}.native;
-          in pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
-          LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${./doc/manual/rl-next} >$out
-        '';
-        repl-completion = nixpkgsFor.${system}.native.callPackage ./tests/repl-completion.nix { };
-      } // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
-        dockerImage = self.hydraJobs.dockerImage.${system};
-      } // (lib.optionalAttrs (!(builtins.elem system linux32BitSystems))) {
-        # Some perl dependencies are broken on i686-linux.
-        # Since the support is only best-effort there, disable the perl
-        # bindings
+      checks = forAllSystems (
+        system:
+        {
+          installerScriptForGHA = self.hydraJobs.installerScriptForGHA.${system};
+          installTests = self.hydraJobs.installTests.${system};
+          nixpkgsLibTests = self.hydraJobs.tests.nixpkgsLibTests.${system};
+          rl-next =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+            in
+            pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
+              LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${./doc/manual/rl-next} >$out
+            '';
+          repl-completion = nixpkgsFor.${system}.native.callPackage ./tests/repl-completion.nix { };

-        # Temporarily disabled because GitHub Actions OOM issues. Once
-        # the old build system is gone and we are back to one build
-        # system, we should reenable this.
-        #perlBindings = self.hydraJobs.perlBindings.${system};
-      }
-      # Add "passthru" tests
-      // flatMapAttrs ({
-          "" = nixpkgsFor.${system}.native;
-        } // lib.optionalAttrs (! nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
-          # TODO: enable static builds for darwin, blocked on:
-          #       https://github.com/NixOS/nixpkgs/issues/320448
-          # TODO: disabled to speed up GHA CI.
-          #"static-" = nixpkgsFor.${system}.static;
-        })
-        (nixpkgsPrefix: nixpkgs:
-          flatMapAttrs nixpkgs.nixComponents
-            (pkgName: pkg:
-              flatMapAttrs pkg.tests or {}
-              (testName: test: {
-                "${nixpkgsPrefix}${pkgName}-${testName}" = test;
-              })
+          /**
+            Checks for our packaging expressions.
+            This shouldn't build anything significant; just check that things
+            (including derivations) are _set up_ correctly.
+          */
+          packaging-overriding =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+              nix = self.packages.${system}.nix;
+            in
+            assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
+            if pkgs.stdenv.buildPlatform.isDarwin then
+              lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
+            else
+              # If this fails, something might be wrong with how we've wired the scope,
+              # or something could be broken in Nixpkgs.
+              pkgs.testers.testEqualContents {
+                assertion = "trivial patch does not change source contents";
+                expected = "${./.}";
+                actual =
+                  # Same for all components; nix-util is an arbitrary pick
+                  (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
+              };
+        }
+        // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
+          dockerImage = self.hydraJobs.dockerImage.${system};
+        }
+        // (lib.optionalAttrs (!(builtins.elem system linux32BitSystems))) {
+          # Some perl dependencies are broken on i686-linux.
+          # Since the support is only best-effort there, disable the perl
+          # bindings
+          perlBindings = self.hydraJobs.perlBindings.${system};
+        }
+        # Add "passthru" tests
+        //
+          flatMapAttrs
+            (
+              {
+                "" = nixpkgsFor.${system}.native;
+              }
+              // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
+                # TODO: enable static builds for darwin, blocked on:
+                #       https://github.com/NixOS/nixpkgs/issues/320448
+                # TODO: disabled to speed up GHA CI.
+                #"static-" = nixpkgsFor.${system}.static;
+              }
            )
-          // lib.optionalAttrs (nixpkgs.stdenv.hostPlatform == nixpkgs.stdenv.buildPlatform) {
-            "${nixpkgsPrefix}nix-functional-tests" = nixpkgs.nixComponents.nix-functional-tests;
-          }
-        )
-      // devFlake.checks.${system} or {}
+            (
+              nixpkgsPrefix: nixpkgs:
+              flatMapAttrs nixpkgs.nixComponents (
+                pkgName: pkg:
+                flatMapAttrs pkg.tests or { } (
+                  testName: test: {
+                    "${nixpkgsPrefix}${pkgName}-${testName}" = test;
+                  }
+                )
+              )
+              // lib.optionalAttrs (nixpkgs.stdenv.hostPlatform == nixpkgs.stdenv.buildPlatform) {
+                "${nixpkgsPrefix}nix-functional-tests" = nixpkgs.nixComponents.nix-functional-tests;
+              }
+            )
+        // devFlake.checks.${system} or { }
      );

-      packages = forAllSystems (system:
-        { # Here we put attributes that map 1:1 into packages.<system>, ie
+      packages = forAllSystems (
+        system:
+        {
+          # Here we put attributes that map 1:1 into packages.<system>, ie
          # for which we don't apply the full build matrix such as cross or static.
          inherit (nixpkgsFor.${system}.native)
-            changelog-d;
+            changelog-d
+            ;
          default = self.packages.${system}.nix;
+          installerScriptForGHA = self.hydraJobs.installerScriptForGHA.${system};
+          binaryTarball = self.hydraJobs.binaryTarball.${system};
          # TODO probably should be `nix-cli`
          nix = self.packages.${system}.nix-everything;
          nix-manual = nixpkgsFor.${system}.native.nixComponents.nix-manual;
@@ -244,92 +319,143 @@
          nix-external-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-external-api-docs;
        }
        # We need to flatten recursive attribute sets of derivations to pass `flake check`.
-        // flatMapAttrs
-          { # Components we'll iterate over in the upcoming lambda
-            "nix-util" = { };
-            "nix-util-c" = { };
-            "nix-util-test-support" = { };
-            "nix-util-tests" = { };
+        //
+          flatMapAttrs
+            {
+              # Components we'll iterate over in the upcoming lambda
+              "nix-util" = { };
+              "nix-util-c" = { };
+              "nix-util-test-support" = { };
+              "nix-util-tests" = { };

-            "nix-store" = { };
-            "nix-store-c" = { };
-            "nix-store-test-support" = { };
-            "nix-store-tests" = { };
+              "nix-store" = { };
+              "nix-store-c" = { };
+              "nix-store-test-support" = { };
+              "nix-store-tests" = { };

-            "nix-fetchers" = { };
-            "nix-fetchers-tests" = { };
+              "nix-fetchers" = { };
+              "nix-fetchers-tests" = { };

-            "nix-expr" = { };
-            "nix-expr-c" = { };
-            "nix-expr-test-support" = { };
-            "nix-expr-tests" = { };
+              "nix-expr" = { };
+              "nix-expr-c" = { };
+              "nix-expr-test-support" = { };
+              "nix-expr-tests" = { };

-            "nix-flake" = { };
-            "nix-flake-tests" = { };
+              "nix-flake" = { };
+              "nix-flake-tests" = { };

-            "nix-main" = { };
-            "nix-main-c" = { };
+              "nix-main" = { };
+              "nix-main-c" = { };

-            "nix-cmd" = { };
+              "nix-cmd" = { };

-            "nix-cli" = { };
+              "nix-cli" = { };

-            "nix-everything" = { };
+              "nix-everything" = { };

-            "nix-functional-tests" = { supportsCross = false; };
+              "nix-functional-tests" = {
+                supportsCross = false;
+              };

-            "nix-perl-bindings" = { supportsCross = false; };
-          }
-          (pkgName: { supportsCross ? true }: {
-              # These attributes go right into `packages.<system>`.
-              "${pkgName}" = nixpkgsFor.${system}.native.nixComponents.${pkgName};
-              "${pkgName}-static" = nixpkgsFor.${system}.static.nixComponents.${pkgName};
+              "nix-perl-bindings" = {
+                supportsCross = false;
+              };
            }
-            // lib.optionalAttrs supportsCross (flatMapAttrs (lib.genAttrs crossSystems (_: { })) (crossSystem: {}: {
-              # These attributes go right into `packages.<system>`.
-              "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName};
-            }))
-            // flatMapAttrs (lib.genAttrs stdenvs (_: { })) (stdenvName: {}: {
-              # These attributes go right into `packages.<system>`.
-              "${pkgName}-${stdenvName}" = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".nixComponents.${pkgName};
-            })
-          )
+            (
+              pkgName:
+              {
+                supportsCross ? true,
+              }:
+              {
+                # These attributes go right into `packages.<system>`.
+                "${pkgName}" = nixpkgsFor.${system}.native.nixComponents.${pkgName};
+                "${pkgName}-static" = nixpkgsFor.${system}.static.nixComponents.${pkgName};
+                "${pkgName}-llvm" = nixpkgsFor.${system}.llvm.nixComponents.${pkgName};
+              }
+              // lib.optionalAttrs supportsCross (
+                flatMapAttrs (lib.genAttrs crossSystems (_: { })) (
+                  crossSystem:
+                  { }:
+                  {
+                    # These attributes go right into `packages.<system>`.
+                    "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName};
+                  }
+                )
+              )
+              // flatMapAttrs (lib.genAttrs stdenvs (_: { })) (
+                stdenvName:
+                { }:
+                {
+                  # These attributes go right into `packages.<system>`.
+                  "${pkgName}-${stdenvName}" =
+                    nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".nixComponents.${pkgName};
+                }
+              )
+            )
        // lib.optionalAttrs (builtins.elem system linux64BitSystems) {
-        dockerImage =
-          let
-            pkgs = nixpkgsFor.${system}.native;
-            image = import ./docker.nix { inherit pkgs; tag = pkgs.nix.version; };
-          in
-          pkgs.runCommand
-            "docker-image-tarball-${pkgs.nix.version}"
-            { meta.description = "Docker image with Nix for ${system}"; }
-            ''
-              mkdir -p $out/nix-support
-              image=$out/image.tar.gz
-              ln -s ${image} $image
-              echo "file binary-dist $image" >> $out/nix-support/hydra-build-products
-            '';
-      });
+          dockerImage =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+              image = import ./docker.nix {
+                inherit pkgs;
+                tag = pkgs.nix.version;
+              };
+            in
+            pkgs.runCommand "docker-image-tarball-${pkgs.nix.version}"
+              { meta.description = "Docker image with Nix for ${system}"; }
+              ''
+                mkdir -p $out/nix-support
+                image=$out/image.tar.gz
+                ln -s ${image} $image
+                echo "file binary-dist $image" >> $out/nix-support/hydra-build-products
+              '';
+        }
+      );

-      devShells = let
-        makeShell = import ./packaging/dev-shell.nix { inherit lib devFlake; };
-        prefixAttrs = prefix: lib.concatMapAttrs (k: v: { "${prefix}-${k}" = v; });
-      in
-        forAllSystems (system:
-          prefixAttrs "native" (forAllStdenvs (stdenvName: makeShell {
-            pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages";
-          })) //
-          lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.isDarwin) (
-            prefixAttrs "static" (forAllStdenvs (stdenvName: makeShell {
-              pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".pkgsStatic;
-            })) //
-            prefixAttrs "cross" (forAllCrossSystems (crossSystem: makeShell {
-              pkgs = nixpkgsFor.${system}.cross.${crossSystem};
-            }))
-          ) //
-          {
+      devShells =
+        let
+          makeShell = import ./packaging/dev-shell.nix { inherit lib devFlake; };
+          prefixAttrs = prefix: lib.concatMapAttrs (k: v: { "${prefix}-${k}" = v; });
+        in
+        forAllSystems (
+          system:
+          prefixAttrs "native" (
+            forAllStdenvs (
+              stdenvName:
+              makeShell {
+                pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages";
+              }
+            )
+          )
+          // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.isDarwin) (
+            prefixAttrs "static" (
+              forAllStdenvs (
+                stdenvName:
+                makeShell {
+                  pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".pkgsStatic;
+                }
+              )
+            )
+            // prefixAttrs "llvm" (
+              forAllStdenvs (
+                stdenvName:
+                makeShell {
+                  pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".pkgsLLVM;
+                }
+              )
+            )
+            // prefixAttrs "cross" (
+              forAllCrossSystems (
+                crossSystem:
+                makeShell {
+                  pkgs = nixpkgsFor.${system}.cross.${crossSystem};
+                }
+              )
+            )
+          )
+          // {
            default = self.devShells.${system}.native-stdenvPackages;
          }
        );
-  };
+    };
 }
--- a/m4/gcc_bug_80431.m4
+++ b/m4/gcc_bug_80431.m4
@@ -1,66 +0,0 @@
-# Ensure that this bug is not present in the C++ toolchain we are using.
-#
-# URL for bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80431
-#
-# The test program is from that issue, with only a slight modification
-# to set an exit status instead of printing strings.
-AC_DEFUN([ENSURE_NO_GCC_BUG_80431],
-[
-  AC_MSG_CHECKING([that GCC bug 80431 is fixed])
-  AC_LANG_PUSH(C++)
-  AC_RUN_IFELSE(
-    [AC_LANG_PROGRAM(
-      [[
-        #include <cstdio>
-
-        static bool a = true;
-        static bool b = true;
-
-        struct Options { };
-
-        struct Option
-        {
-            Option(Options * options)
-            {
-                a = false;
-            }
-
-            ~Option()
-            {
-                b = false;
-            }
-        };
-
-        struct MyOptions : Options { };
-
-        struct MyOptions2 : virtual MyOptions
-        {
-            Option foo{this};
-        };
-      ]],
-      [[
-        {
-            MyOptions2 opts;
-        }
-        return (a << 1) | b;
-      ]])],
-    [status_80431=0],
-    [status_80431=$?],
-    [status_80431=''])
-  AC_LANG_POP(C++)
-  AS_CASE([$status_80431],
-    [''],[
-      AC_MSG_RESULT(cannot check because cross compiling)
-      AC_MSG_NOTICE(assume we are bug free)
-    ],
-    [0],[
-      AC_MSG_RESULT(yes)
-    ],
-    [2],[
-      AC_MSG_RESULT(no)
-      AC_MSG_ERROR(Cannot build Nix with C++ compiler with this bug)
-    ],
-    [
-      AC_MSG_RESULT(unexpected result $status_80431: not expected failure with bug, ignoring)
-    ])
-])
--- a/maintainers/data/release-credits-email-to-handle.json
+++ b/maintainers/data/release-credits-email-to-handle.json
@@ -98,5 +98,39 @@
    "aks.kenji@protonmail.com": "a-kenji",
    "54070204+0x5a4@users.noreply.github.com": "0x5a4",
    "brian@bmcgee.ie": "brianmcgee",
-    "squalus@squalus.net": "squalus"
+    "squalus@squalus.net": "squalus",
+    "kusold@users.noreply.github.com": "kusold",
+    "37929162+mergify[bot]@users.noreply.github.com": "mergify[bot]",
+    "ilja@mailbox.org": "suruaku",
+    "and.ham95@gmail.com": "andrewhamon",
+    "andy.hamon@discordapp.com": "andrewhamon",
+    "siddarthkay@gmail.com": "siddarthkay",
+    "apoelstra@wpsoftware.net": "apoelstra",
+    "asmadeus@codewreck.org": "martinetd",
+    "tristan.ross@midstall.com": "RossComputerGuy",
+    "bryanlais@gmail.com": "bryango",
+    "157494086+allrealmsoflife@users.noreply.github.com": "allrealmsoflife",
+    "ConnorBaker01@gmail.com": "ConnorBaker",
+    "me@momee.mt": "momeemt",
+    "martin@push-f.com": "not-my-profile",
+    "90870942+trueNAHO@users.noreply.github.com": "trueNAHO",
+    "49885263+knotapun@users.noreply.github.com": "knotapun",
+    "iam@lach.pw": "CertainLach",
+    "elikowa@gmail.com": "elikoga",
+    "greg.curtis@jetpack.io": "gcurtis",
+    "git@sphalerite.org": "lheckemann",
+    "mightyiampresence@gmail.com": "mightyiam",
+    "spamfaenger@gmx.de": "dwt",
+    "graham@grahamc.com": "grahamc",
+    "wh0@users.noreply.github.com": "wh0",
+    "25388474+mupdt@users.noreply.github.com": "mupdt",
+    "anatoli@rainforce.org": "abitrolly",
+    "h0nIg@users.noreply.github.com": "h0nIg",
+    "CyberShadow@users.noreply.github.com": "CyberShadow",
+    "gavinnjohn@gmail.com": "Pandapip1",
+    "picnoir@alternativebit.fr": "picnoir",
+    "140354451+myclevorname@users.noreply.github.com": "myclevorname",
+    "bonniot@gmail.com": "dbdr",
+    "jack@wilsdon.me": "jackwilsdon",
+    "143541718+WxNzEMof@users.noreply.github.com": "the-sun-will-rise-tomorrow"
 }
--- a/maintainers/data/release-credits-handle-to-name.json
+++ b/maintainers/data/release-credits-handle-to-name.json
@@ -86,5 +86,37 @@
    "Aleksanaa": "Aleksana",
    "YorikSar": "Yuriy Taraday",
    "kjeremy": "Jeremy Kolb",
-    "artemist": "Artemis Tosini"
+    "artemist": "Artemis Tosini",
+    "the-sun-will-rise-tomorrow": null,
+    "gcurtis": "Greg Curtis",
+    "ConnorBaker": "Connor Baker",
+    "abitrolly": "Anatoli Babenia",
+    "allrealmsoflife": "Domagoj Mi\u0161kovi\u0107",
+    "andrewhamon": "Andy Hamon",
+    "picnoir": "F\u00e9lix",
+    "dbdr": null,
+    "suruaku": "Ilja",
+    "jackwilsdon": "Jack Wilsdon",
+    "mergify[bot]": null,
+    "kusold": "Mike Kusold",
+    "lheckemann": "Linus Heckemann",
+    "h0nIg": null,
+    "grahamc": "Graham Christensen",
+    "not-my-profile": "Martin Fischer",
+    "CyberShadow": "Vladimir Panteleev",
+    "Pandapip1": "Gavin John",
+    "RossComputerGuy": "Tristan Ross",
+    "elikoga": null,
+    "martinetd": "Dominique Martinet",
+    "knotapun": "Parker Jones",
+    "mightyiam": "Shahar \"Dawn\" Or",
+    "siddarthkay": "Siddarth Kumar",
+    "apoelstra": "Andrew Poelstra",
+    "myclevorname": null,
+    "CertainLach": "Yaroslav Bolyukin",
+    "trueNAHO": "NAHO",
+    "wh0": null,
+    "mupdt": "Matej Urbas",
+    "momeemt": "Mutsuha Asada",
+    "dwt": "\u202erekc\u00e4H nitraM\u202e"
 }
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
--- a/nix-meson-build-support/common/meson.build
+++ b/nix-meson-build-support/common/meson.build
@@ -16,7 +16,3 @@ add_project_arguments(
  '-Wno-deprecated-declarations',
  language : 'cpp',
 )
-
-if get_option('buildtype') not in ['debug']
-  add_project_arguments('-O3', language : 'cpp')
-endif
--- a/packaging/components.nix
+++ b/packaging/components.nix
@@ -1,5 +1,6 @@
 {
  lib,
+  pkgs,
  src,
  officialRelease,
 }:
@@ -7,17 +8,194 @@
 scope:

 let
-  inherit (scope) callPackage;
+  inherit (scope)
+    callPackage
+    ;
+  inherit
+    (scope.callPackage (
+      { stdenv }:
+      {
+        inherit stdenv;
+      }
+    ) { })
+    stdenv
+    ;
+  inherit (pkgs.buildPackages)
+    meson
+    ninja
+    pkg-config
+    ;

  baseVersion = lib.fileContents ../.version;

  versionSuffix = lib.optionalString (!officialRelease) "pre";

-  fineVersionSuffix = lib.optionalString
-    (!officialRelease)
-    "pre${builtins.substring 0 8 (src.lastModifiedDate or src.lastModified or "19700101")}_${src.shortRev or "dirty"}";
+  fineVersionSuffix =
+    lib.optionalString (!officialRelease)
+      "pre${
+        builtins.substring 0 8 (src.lastModifiedDate or src.lastModified or "19700101")
+      }_${src.shortRev or "dirty"}";

  fineVersion = baseVersion + fineVersionSuffix;
+
+  root = ../.;
+
+  # Indirection for Nixpkgs to override when package.nix files are vendored
+  filesetToSource = lib.fileset.toSource;
+
+  /**
+    Given a set of layers, create a mkDerivation-like function
+  */
+  mkPackageBuilder =
+    exts: userFn: stdenv.mkDerivation (lib.extends (lib.composeManyExtensions exts) userFn);
+
+  setVersionLayer = finalAttrs: prevAttrs: {
+    preConfigure =
+      prevAttrs.preConfigure or ""
+      +
+        # Update the repo-global .version file.
+        # Symlink ./.version points there, but by default only workDir is writable.
+        ''
+          chmod u+w ./.version
+          echo ${finalAttrs.version} > ./.version
+        '';
+  };
+
+  localSourceLayer =
+    finalAttrs: prevAttrs:
+    let
+      workDirPath =
+        # Ideally we'd pick finalAttrs.workDir, but for now `mkDerivation` has
+        # the requirement that everything except passthru and meta must be
+        # serialized by mkDerivation, which doesn't work for this.
+        prevAttrs.workDir;
+
+      workDirSubpath = lib.path.removePrefix root workDirPath;
+      sources =
+        assert prevAttrs.fileset._type == "fileset";
+        prevAttrs.fileset;
+      src = lib.fileset.toSource {
+        fileset = sources;
+        inherit root;
+      };
+
+    in
+    {
+      sourceRoot = "${src.name}/" + workDirSubpath;
+      inherit src;
+
+      # Clear what `derivation` can't/shouldn't serialize; see prevAttrs.workDir.
+      fileset = null;
+      workDir = null;
+    };
+
+  resolveRelPath = p: lib.path.removePrefix root p;
+
+  makeFetchedSourceLayer =
+    finalScope: finalAttrs: prevAttrs:
+    let
+      workDirPath =
+        # Ideally we'd pick finalAttrs.workDir, but for now `mkDerivation` has
+        # the requirement that everything except passthru and meta must be
+        # serialized by mkDerivation, which doesn't work for this.
+        prevAttrs.workDir;
+
+      workDirSubpath = resolveRelPath workDirPath;
+
+    in
+    {
+      sourceRoot = "${finalScope.patchedSrc.name}/" + workDirSubpath;
+      src = finalScope.patchedSrc;
+      version =
+        let
+          n = lib.length finalScope.patches;
+        in
+        if n == 0 then finalAttrs.version else finalAttrs.version + "+${toString n}";
+
+      # Clear what `derivation` can't/shouldn't serialize; see prevAttrs.workDir.
+      fileset = null;
+      workDir = null;
+    };
+
+  mesonLayer = finalAttrs: prevAttrs: {
+    # NOTE:
+    # As of https://github.com/NixOS/nixpkgs/blob/8baf8241cea0c7b30e0b8ae73474cb3de83c1a30/pkgs/by-name/me/meson/setup-hook.sh#L26,
+    # `mesonBuildType` defaults to `plain` if not specified. We want our Nix-built binaries to be optimized by default.
+    # More on build types here: https://mesonbuild.com/Builtin-options.html#details-for-buildtype.
+    mesonBuildType = "release";
+    # NOTE:
+    # Users who are debugging Nix builds are expected to set the environment variable `mesonBuildType`, per the
+    # guidance in https://github.com/NixOS/nix/blob/8a3fc27f1b63a08ac983ee46435a56cf49ebaf4a/doc/manual/source/development/debugging.md?plain=1#L10.
+    # For this reason, we don't want to refer to `finalAttrs.mesonBuildType` here, but rather use the environment variable.
+    preConfigure =
+      prevAttrs.preConfigure or ""
+      +
+        lib.optionalString
+          (
+            !stdenv.hostPlatform.isWindows
+            # build failure
+            && !stdenv.hostPlatform.isStatic
+            # LTO breaks exception handling on x86-64-darwin.
+            && stdenv.system != "x86_64-darwin"
+          )
+          ''
+            case "$mesonBuildType" in
+            release|minsize) appendToVar mesonFlags "-Db_lto=true"  ;;
+            *)               appendToVar mesonFlags "-Db_lto=false" ;;
+            esac
+          '';
+    nativeBuildInputs = [
+      meson
+      ninja
+    ] ++ prevAttrs.nativeBuildInputs or [ ];
+    mesonCheckFlags = prevAttrs.mesonCheckFlags or [ ] ++ [
+      "--print-errorlogs"
+    ];
+  };
+
+  mesonBuildLayer = finalAttrs: prevAttrs: {
+    nativeBuildInputs = prevAttrs.nativeBuildInputs or [ ] ++ [
+      pkg-config
+    ];
+    separateDebugInfo = !stdenv.hostPlatform.isStatic;
+    hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
+    env =
+      prevAttrs.env or { }
+      // lib.optionalAttrs (
+        stdenv.isLinux
+        && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")
+        && !(stdenv.hostPlatform.useLLVM or false)
+      ) { LDFLAGS = "-fuse-ld=gold"; };
+  };
+
+  mesonLibraryLayer = finalAttrs: prevAttrs: {
+    outputs = prevAttrs.outputs or [ "out" ] ++ [ "dev" ];
+  };
+
+  # Work around weird `--as-needed` linker behavior with BSD, see
+  # https://github.com/mesonbuild/meson/issues/3593
+  bsdNoLinkAsNeeded =
+    finalAttrs: prevAttrs:
+    lib.optionalAttrs stdenv.hostPlatform.isBSD {
+      mesonFlags = [ (lib.mesonBool "b_asneeded" false) ] ++ prevAttrs.mesonFlags or [ ];
+    };
+
+  miscGoodPractice = finalAttrs: prevAttrs: {
+    strictDeps = prevAttrs.strictDeps or true;
+    enableParallelBuilding = true;
+  };
+
+  /**
+    Append patches to the source layer.
+  */
+  appendPatches =
+    scope: patches:
+    scope.overrideScope (
+      finalScope: prevScope: {
+        patches = prevScope.patches ++ patches;
+      }
+    );
+
 in

 # This becomes the pkgs.nixComponents attribute set
@@ -25,6 +203,110 @@ in
  version = baseVersion + versionSuffix;
  inherit versionSuffix;

+  inherit filesetToSource;
+
+  /**
+    A user-provided extension function to apply to each component derivation.
+  */
+  mesonComponentOverrides = finalAttrs: prevAttrs: { };
+
+  /**
+    An overridable derivation layer for handling the sources.
+  */
+  sourceLayer = localSourceLayer;
+
+  /**
+    Resolve a path value to either itself or a path in the `src`, depending
+    whether `overrideSource` was called.
+  */
+  resolvePath = p: p;
+
+  /**
+    Apply an extension function (i.e. overlay-shaped) to all component derivations.
+  */
+  overrideAllMesonComponents =
+    f:
+    scope.overrideScope (
+      finalScope: prevScope: {
+        mesonComponentOverrides = lib.composeExtensions scope.mesonComponentOverrides f;
+      }
+    );
+
+  /**
+    Provide an alternate source. This allows the expressions to be vendored without copying the sources,
+    but it does make the build non-granular; all components will use a complete source.
+
+    Packaging expressions will be ignored.
+  */
+  overrideSource =
+    src:
+    scope.overrideScope (
+      finalScope: prevScope: {
+        sourceLayer = makeFetchedSourceLayer finalScope;
+        /**
+          Unpatched source for the build of Nix. Packaging expressions will be ignored.
+        */
+        src = src;
+        /**
+          Patches for the whole Nix source. Changes to packaging expressions will be ignored.
+        */
+        patches = [ ];
+        /**
+          Fetched and patched source to be used in component derivations.
+        */
+        patchedSrc =
+          if finalScope.patches == [ ] then
+            src
+          else
+            pkgs.buildPackages.srcOnly (
+              pkgs.buildPackages.stdenvNoCC.mkDerivation {
+                name = "${finalScope.src.name or "nix-source"}-patched";
+                inherit (finalScope) src patches;
+              }
+            );
+        resolvePath = p: finalScope.patchedSrc + "/${resolveRelPath p}";
+        appendPatches = appendPatches finalScope;
+      }
+    );
+
+  /**
+    Append patches to be applied to the whole Nix source.
+    This affects all components.
+
+    Changes to the packaging expressions will be ignored.
+  */
+  appendPatches =
+    patches:
+    # switch to "fetched" source first, so that patches apply to the whole tree.
+    (scope.overrideSource "${./..}").appendPatches patches;
+
+  mkMesonDerivation = mkPackageBuilder [
+    miscGoodPractice
+    scope.sourceLayer
+    setVersionLayer
+    mesonLayer
+    scope.mesonComponentOverrides
+  ];
+  mkMesonExecutable = mkPackageBuilder [
+    miscGoodPractice
+    bsdNoLinkAsNeeded
+    scope.sourceLayer
+    setVersionLayer
+    mesonLayer
+    mesonBuildLayer
+    scope.mesonComponentOverrides
+  ];
+  mkMesonLibrary = mkPackageBuilder [
+    miscGoodPractice
+    bsdNoLinkAsNeeded
+    scope.sourceLayer
+    mesonLayer
+    setVersionLayer
+    mesonBuildLayer
+    mesonLibraryLayer
+    scope.mesonComponentOverrides
+  ];
+
  nix-util = callPackage ../src/libutil/package.nix { };
  nix-util-c = callPackage ../src/libutil-c/package.nix { };
  nix-util-test-support = callPackage ../src/libutil-test-support/package.nix { };
@@ -54,7 +336,9 @@ in

  nix-cli = callPackage ../src/nix/package.nix { version = fineVersion; };

-  nix-functional-tests = callPackage ../src/nix-functional-tests/package.nix { version = fineVersion; };
+  nix-functional-tests = callPackage ../tests/functional/package.nix {
+    version = fineVersion;
+  };

  nix-manual = callPackage ../doc/manual/package.nix { version = fineVersion; };
  nix-internal-api-docs = callPackage ../src/internal-api-docs/package.nix { version = fineVersion; };
@@ -62,5 +346,33 @@ in

  nix-perl-bindings = callPackage ../src/perl/package.nix { };

-  nix-everything = callPackage ../packaging/everything.nix { };
+  nix-everything = callPackage ../packaging/everything.nix { } // {
+    # Note: no `passthru.overrideAllMesonComponents`
+    #       This would propagate into `nix.overrideAttrs f`, but then discard
+    #       `f` when `.overrideAllMesonComponents` is used.
+    #       Both "methods" should be views on the same fixpoint overriding mechanism
+    #       for that to work. For now, we intentionally don't support the broken
+    #       two-fixpoint solution.
+    /**
+      Apply an extension function (i.e. overlay-shaped) to all component derivations, and return the nix package.
+    */
+    overrideAllMesonComponents = f: (scope.overrideAllMesonComponents f).nix-everything;
+
+    /**
+      Append patches to be applied to the whole Nix source.
+      This affects all components.
+
+      Changes to the packaging expressions will be ignored.
+    */
+    appendPatches = ps: (scope.appendPatches ps).nix-everything;
+
+    /**
+      Provide an alternate source. This allows the expressions to be vendored without copying the sources,
+      but it does make the build non-granular; all components will use a complete source.
+
+      Packaging expressions will be ignored.
+    */
+    overrideSource = src: (scope.overrideSource src).nix-everything;
+
+  };
 }
--- a/packaging/dependencies.nix
+++ b/packaging/dependencies.nix
@@ -17,11 +17,7 @@ in
 let
  inherit (pkgs) lib;

-  root = ../.;
-
-  stdenv = if prevStdenv.isDarwin && prevStdenv.isx86_64
-    then darwinStdenv
-    else prevStdenv;
+  stdenv = if prevStdenv.isDarwin && prevStdenv.isx86_64 then darwinStdenv else prevStdenv;

  # Fix the following error with the default x86_64-darwin SDK:
  #
@@ -32,196 +28,76 @@ let
  # all the way back to 10.6.
  darwinStdenv = pkgs.overrideSDK prevStdenv { darwinMinVersion = "10.13"; };

-  # Nixpkgs implements this by returning a subpath into the fetched Nix sources.
-  resolvePath = p: p;
-
-  # Indirection for Nixpkgs to override when package.nix files are vendored
-  filesetToSource = lib.fileset.toSource;
-
-  /** Given a set of layers, create a mkDerivation-like function */
-  mkPackageBuilder = exts: userFn:
-    stdenv.mkDerivation (lib.extends (lib.composeManyExtensions exts) userFn);
-
-  localSourceLayer = finalAttrs: prevAttrs:
-    let
-      workDirPath =
-        # Ideally we'd pick finalAttrs.workDir, but for now `mkDerivation` has
-        # the requirement that everything except passthru and meta must be
-        # serialized by mkDerivation, which doesn't work for this.
-        prevAttrs.workDir;
-
-      workDirSubpath = lib.path.removePrefix root workDirPath;
-      sources = assert prevAttrs.fileset._type == "fileset"; prevAttrs.fileset;
-      src = lib.fileset.toSource { fileset = sources; inherit root; };
-
-    in
-    {
-      sourceRoot = "${src.name}/" + workDirSubpath;
-      inherit src;
-
-      # Clear what `derivation` can't/shouldn't serialize; see prevAttrs.workDir.
-      fileset = null;
-      workDir = null;
-    };
-
-  mesonLayer = finalAttrs: prevAttrs:
-    {
-      nativeBuildInputs = [
-        pkgs.buildPackages.meson
-        pkgs.buildPackages.ninja
-      ] ++ prevAttrs.nativeBuildInputs or [];
-      mesonCheckFlags = prevAttrs.mesonCheckFlags or [] ++ [
-        "--print-errorlogs"
-      ];
-    };
-
-  mesonBuildLayer = finalAttrs: prevAttrs:
-    {
-      nativeBuildInputs = prevAttrs.nativeBuildInputs or [] ++ [
-        pkgs.buildPackages.pkg-config
-      ];
-      separateDebugInfo = !stdenv.hostPlatform.isStatic;
-      hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
-    };
-
-  mesonLibraryLayer = finalAttrs: prevAttrs:
-    {
-      outputs = prevAttrs.outputs or [ "out" ] ++ [ "dev" ];
-    };
-
-  # Work around weird `--as-needed` linker behavior with BSD, see
-  # https://github.com/mesonbuild/meson/issues/3593
-  bsdNoLinkAsNeeded = finalAttrs: prevAttrs:
-    lib.optionalAttrs stdenv.hostPlatform.isBSD {
-      mesonFlags = [ (lib.mesonBool "b_asneeded" false) ] ++ prevAttrs.mesonFlags or [];
-    };
-
-  miscGoodPractice = finalAttrs: prevAttrs:
-    {
-      strictDeps = prevAttrs.strictDeps or true;
-      enableParallelBuilding = true;
-    };
 in
 scope: {
  inherit stdenv;

-  aws-sdk-cpp = (pkgs.aws-sdk-cpp.override {
-    apis = [ "s3" "transfer" ];
-    customMemoryManagement = false;
-  }).overrideAttrs {
-    # only a stripped down version is built, which takes a lot less resources
-    # to build, so we don't need a "big-parallel" machine.
-    requiredSystemFeatures = [ ];
-  };
-
-  libseccomp = pkgs.libseccomp.overrideAttrs (_: rec {
-    version = "2.5.5";
-    src = pkgs.fetchurl {
-      url = "https://github.com/seccomp/libseccomp/releases/download/v${version}/libseccomp-${version}.tar.gz";
-      hash = "sha256-JIosik2bmFiqa69ScSw0r+/PnJ6Ut23OAsHJqiX7M3U=";
-    };
-  });
+  aws-sdk-cpp =
+    (pkgs.aws-sdk-cpp.override {
+      apis = [
+        "s3"
+        "transfer"
+      ];
+      customMemoryManagement = false;
+    }).overrideAttrs
+      {
+        # only a stripped down version is built, which takes a lot less resources
+        # to build, so we don't need a "big-parallel" machine.
+        requiredSystemFeatures = [ ];
+      };

  boehmgc = pkgs.boehmgc.override {
    enableLargeConfig = true;
  };

  # TODO Hack until https://github.com/NixOS/nixpkgs/issues/45462 is fixed.
-  boost = (pkgs.boost.override {
-    extraB2Args = [
-      "--with-container"
-      "--with-context"
-      "--with-coroutine"
-    ];
-  }).overrideAttrs (old: {
-    # Need to remove `--with-*` to use `--with-libraries=...`
-    buildPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.buildPhase;
-    installPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.installPhase;
-  });
-
-  libgit2 = pkgs.libgit2.overrideAttrs (attrs: {
-    src = inputs.libgit2;
-    version = inputs.libgit2.lastModifiedDate;
-    cmakeFlags = attrs.cmakeFlags or []
-      ++ [ "-DUSE_SSH=exec" ];
-    nativeBuildInputs = attrs.nativeBuildInputs or []
-      # gitMinimal does not build on Windows. See packbuilder patch.
-      ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
-        # Needed for `git apply`; see `prePatch`
-        pkgs.buildPackages.gitMinimal
+  boost =
+    (pkgs.boost.override {
+      extraB2Args = [
+        "--with-container"
+        "--with-context"
+        "--with-coroutine"
      ];
-    # Only `git apply` can handle git binary patches
-    prePatch = attrs.prePatch or ""
-      + lib.optionalString (!stdenv.hostPlatform.isWindows) ''
-        patch() {
-          git apply
-        }
-      '';
-    patches = attrs.patches or []
-      ++ [
-        ./patches/libgit2-mempack-thin-packfile.patch
-      ]
-      # gitMinimal does not build on Windows, but fortunately this patch only
-      # impacts interruptibility
-      ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
-        # binary patch; see `prePatch`
-        ./patches/libgit2-packbuilder-callback-interruptible.patch
-      ];
-  });
+    }).overrideAttrs
+      (old: {
+        # Need to remove `--with-*` to use `--with-libraries=...`
+        buildPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.buildPhase;
+        installPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.installPhase;
+      });

-  busybox-sandbox-shell = pkgs.busybox-sandbox-shell or (pkgs.busybox.override {
-    useMusl = true;
-    enableStatic = true;
-    enableMinimal = true;
-    extraConfig = ''
-      CONFIG_FEATURE_FANCY_ECHO y
-      CONFIG_FEATURE_SH_MATH y
-      CONFIG_FEATURE_SH_MATH_64 y
-
-      CONFIG_ASH y
-      CONFIG_ASH_OPTIMIZE_FOR_SIZE y
-
-      CONFIG_ASH_ALIAS y
-      CONFIG_ASH_BASH_COMPAT y
-      CONFIG_ASH_CMDCMD y
-      CONFIG_ASH_ECHO y
-      CONFIG_ASH_GETOPTS y
-      CONFIG_ASH_INTERNAL_GLOB y
-      CONFIG_ASH_JOB_CONTROL y
-      CONFIG_ASH_PRINTF y
-      CONFIG_ASH_TEST y
-    '';
-  });
-
-  # TODO change in Nixpkgs, Windows works fine. First commit of
-  # https://github.com/NixOS/nixpkgs/pull/322977 backported will fix.
-  toml11 = pkgs.toml11.overrideAttrs (old: {
-    meta.platforms = lib.platforms.all;
-  });
-
-  inherit resolvePath filesetToSource;
-
-  mkMesonDerivation =
-    mkPackageBuilder [
-      miscGoodPractice
-      localSourceLayer
-      mesonLayer
-    ];
-  mkMesonExecutable =
-    mkPackageBuilder [
-      miscGoodPractice
-      bsdNoLinkAsNeeded
-      localSourceLayer
-      mesonLayer
-      mesonBuildLayer
-    ];
-  mkMesonLibrary =
-    mkPackageBuilder [
-      miscGoodPractice
-      bsdNoLinkAsNeeded
-      localSourceLayer
-      mesonLayer
-      mesonBuildLayer
-      mesonLibraryLayer
-    ];
+  libgit2 = pkgs.libgit2.overrideAttrs (
+    attrs:
+    {
+      cmakeFlags = attrs.cmakeFlags or [ ] ++ [ "-DUSE_SSH=exec" ];
+    }
+    # libgit2: Nixpkgs 24.11 has < 1.9.0, which needs our patches
+    // lib.optionalAttrs (!lib.versionAtLeast pkgs.libgit2.version "1.9.0") {
+      nativeBuildInputs =
+        attrs.nativeBuildInputs or [ ]
+        # gitMinimal does not build on Windows. See packbuilder patch.
+        ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
+          # Needed for `git apply`; see `prePatch`
+          pkgs.buildPackages.gitMinimal
+        ];
+      # Only `git apply` can handle git binary patches
+      prePatch =
+        attrs.prePatch or ""
+        + lib.optionalString (!stdenv.hostPlatform.isWindows) ''
+          patch() {
+            git apply
+          }
+        '';
+      patches =
+        attrs.patches or [ ]
+        ++ [
+          ./patches/libgit2-mempack-thin-packfile.patch
+        ]
+        # gitMinimal does not build on Windows, but fortunately this patch only
+        # impacts interruptibility
+        ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
+          # binary patch; see `prePatch`
+          ./patches/libgit2-packbuilder-callback-interruptible.patch
+        ];
+    }
+  );
 }
--- a/packaging/dev-shell.nix
+++ b/packaging/dev-shell.nix
@@ -2,127 +2,135 @@

 { pkgs }:

-pkgs.nixComponents.nix-util.overrideAttrs (attrs:
+pkgs.nixComponents.nix-util.overrideAttrs (
+  attrs:

-let
-  stdenv = pkgs.nixDependencies.stdenv;
-  buildCanExecuteHost = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
-  modular = devFlake.getSystem stdenv.buildPlatform.system;
-  transformFlag = prefix: flag:
-    assert builtins.isString flag;
-    let
-      rest = builtins.substring 2 (builtins.stringLength flag) flag;
-    in
+  let
+    stdenv = pkgs.nixDependencies.stdenv;
+    buildCanExecuteHost = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
+    modular = devFlake.getSystem stdenv.buildPlatform.system;
+    transformFlag =
+      prefix: flag:
+      assert builtins.isString flag;
+      let
+        rest = builtins.substring 2 (builtins.stringLength flag) flag;
+      in
      "-D${prefix}:${rest}";
-  havePerl = stdenv.buildPlatform == stdenv.hostPlatform && stdenv.hostPlatform.isUnix;
-  ignoreCrossFile = flags: builtins.filter (flag: !(lib.strings.hasInfix "cross-file" flag)) flags;
-in {
-  pname = "shell-for-" + attrs.pname;
+    havePerl = stdenv.buildPlatform == stdenv.hostPlatform && stdenv.hostPlatform.isUnix;
+    ignoreCrossFile = flags: builtins.filter (flag: !(lib.strings.hasInfix "cross-file" flag)) flags;
+  in
+  {
+    pname = "shell-for-" + attrs.pname;

-  # Remove the version suffix to avoid unnecessary attempts to substitute in nix develop
-  version = lib.fileContents ../.version;
-  name = attrs.pname;
+    # Remove the version suffix to avoid unnecessary attempts to substitute in nix develop
+    version = lib.fileContents ../.version;
+    name = attrs.pname;

-  installFlags = "sysconfdir=$(out)/etc";
-  shellHook = ''
-    PATH=$prefix/bin:$PATH
-    unset PYTHONPATH
-    export MANPATH=$out/share/man:$MANPATH
+    installFlags = "sysconfdir=$(out)/etc";
+    shellHook = ''
+      PATH=$prefix/bin:$PATH
+      unset PYTHONPATH
+      export MANPATH=$out/share/man:$MANPATH

-    # Make bash completion work.
-    XDG_DATA_DIRS+=:$out/share
+      # Make bash completion work.
+      XDG_DATA_DIRS+=:$out/share

-    # Make the default phases do the right thing.
-    # FIXME: this wouldn't be needed if the ninja package set buildPhase() instead of $buildPhase.
-    # FIXME: mesonConfigurePhase shouldn't cd to the build directory. It would be better to pass '-C <dir>' to ninja.
+      # Make the default phases do the right thing.
+      # FIXME: this wouldn't be needed if the ninja package set buildPhase() instead of $buildPhase.
+      # FIXME: mesonConfigurePhase shouldn't cd to the build directory. It would be better to pass '-C <dir>' to ninja.

-    cdToBuildDir() {
-        if [[ ! -e build.ninja ]]; then
-            cd build
-        fi
-    }
+      cdToBuildDir() {
+          if [[ ! -e build.ninja ]]; then
+              cd build
+          fi
+      }

-    configurePhase() {
-        mesonConfigurePhase
-    }
+      configurePhase() {
+          mesonConfigurePhase
+      }

-    buildPhase() {
-        cdToBuildDir
-        ninjaBuildPhase
-    }
+      buildPhase() {
+          cdToBuildDir
+          ninjaBuildPhase
+      }

-    checkPhase() {
-        cdToBuildDir
-        mesonCheckPhase
-    }
+      checkPhase() {
+          cdToBuildDir
+          mesonCheckPhase
+      }

-    installPhase() {
-        cdToBuildDir
-        ninjaInstallPhase
-    }
-  '';
+      installPhase() {
+          cdToBuildDir
+          ninjaInstallPhase
+      }
+    '';

-  # We use this shell with the local checkout, not unpackPhase.
-  src = null;
+    # We use this shell with the local checkout, not unpackPhase.
+    src = null;

-  env = {
-    # Needed for Meson to find Boost.
-    # https://github.com/NixOS/nixpkgs/issues/86131.
-    BOOST_INCLUDEDIR = "${lib.getDev pkgs.nixDependencies.boost}/include";
-    BOOST_LIBRARYDIR = "${lib.getLib pkgs.nixDependencies.boost}/lib";
-    # For `make format`, to work without installing pre-commit
-    _NIX_PRE_COMMIT_HOOKS_CONFIG =
-      "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml" modular.pre-commit.settings.rawConfig}";
-  };
+    env = {
+      # Needed for Meson to find Boost.
+      # https://github.com/NixOS/nixpkgs/issues/86131.
+      BOOST_INCLUDEDIR = "${lib.getDev pkgs.nixDependencies.boost}/include";
+      BOOST_LIBRARYDIR = "${lib.getLib pkgs.nixDependencies.boost}/lib";
+      # For `make format`, to work without installing pre-commit
+      _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
+        modular.pre-commit.settings.rawConfig
+      }";
+    };

-  mesonFlags =
-    map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents.nix-util.mesonFlags)
-    ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents.nix-store.mesonFlags)
-    ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents.nix-fetchers.mesonFlags)
-    ++ lib.optionals havePerl (map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents.nix-perl-bindings.mesonFlags))
-    ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents.nix-expr.mesonFlags)
-    ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents.nix-cmd.mesonFlags)
-    ;
+    mesonFlags =
+      map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents.nix-util.mesonFlags)
+      ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents.nix-store.mesonFlags)
+      ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents.nix-fetchers.mesonFlags)
+      ++ lib.optionals havePerl (
+        map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents.nix-perl-bindings.mesonFlags)
+      )
+      ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents.nix-expr.mesonFlags)
+      ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents.nix-cmd.mesonFlags);

-  nativeBuildInputs = attrs.nativeBuildInputs or []
-    ++ pkgs.nixComponents.nix-util.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-store.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-fetchers.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-expr.nativeBuildInputs
-    ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.nativeBuildInputs
-    ++ lib.optionals buildCanExecuteHost pkgs.nixComponents.nix-manual.externalNativeBuildInputs
-    ++ pkgs.nixComponents.nix-internal-api-docs.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-external-api-docs.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-functional-tests.externalNativeBuildInputs
-    ++ lib.optional
-      (!buildCanExecuteHost
-         # Hack around https://github.com/nixos/nixpkgs/commit/bf7ad8cfbfa102a90463433e2c5027573b462479
-         && !(stdenv.hostPlatform.isWindows && stdenv.buildPlatform.isDarwin)
-         && stdenv.hostPlatform.emulatorAvailable pkgs.buildPackages
-         && lib.meta.availableOn stdenv.buildPlatform (stdenv.hostPlatform.emulator pkgs.buildPackages))
-      pkgs.buildPackages.mesonEmulatorHook
-    ++ [
-      pkgs.buildPackages.cmake
-      pkgs.buildPackages.shellcheck
-      pkgs.buildPackages.changelog-d
-      modular.pre-commit.settings.package
-      (pkgs.writeScriptBin "pre-commit-hooks-install"
-        modular.pre-commit.settings.installationScript)
-    ]
-    # TODO: Remove the darwin check once
-    # https://github.com/NixOS/nixpkgs/pull/291814 is available
-    ++ lib.optional (stdenv.cc.isClang && !stdenv.buildPlatform.isDarwin) pkgs.buildPackages.bear
-    ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (lib.hiPrio pkgs.buildPackages.clang-tools);
+    nativeBuildInputs =
+      attrs.nativeBuildInputs or [ ]
+      ++ pkgs.nixComponents.nix-util.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-store.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-fetchers.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-expr.nativeBuildInputs
+      ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.nativeBuildInputs
+      ++ lib.optionals buildCanExecuteHost pkgs.nixComponents.nix-manual.externalNativeBuildInputs
+      ++ pkgs.nixComponents.nix-internal-api-docs.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-external-api-docs.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-functional-tests.externalNativeBuildInputs
+      ++ lib.optional (
+        !buildCanExecuteHost
+        # Hack around https://github.com/nixos/nixpkgs/commit/bf7ad8cfbfa102a90463433e2c5027573b462479
+        && !(stdenv.hostPlatform.isWindows && stdenv.buildPlatform.isDarwin)
+        && stdenv.hostPlatform.emulatorAvailable pkgs.buildPackages
+        && lib.meta.availableOn stdenv.buildPlatform (stdenv.hostPlatform.emulator pkgs.buildPackages)
+      ) pkgs.buildPackages.mesonEmulatorHook
+      ++ [
+        pkgs.buildPackages.cmake
+        pkgs.buildPackages.shellcheck
+        pkgs.buildPackages.changelog-d
+        modular.pre-commit.settings.package
+        (pkgs.writeScriptBin "pre-commit-hooks-install" modular.pre-commit.settings.installationScript)
+      ]
+      # TODO: Remove the darwin check once
+      # https://github.com/NixOS/nixpkgs/pull/291814 is available
+      ++ lib.optional (stdenv.cc.isClang && !stdenv.buildPlatform.isDarwin) pkgs.buildPackages.bear
+      ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (
+        lib.hiPrio pkgs.buildPackages.clang-tools
+      );

-  buildInputs = attrs.buildInputs or []
-    ++ pkgs.nixComponents.nix-util.buildInputs
-    ++ pkgs.nixComponents.nix-store.buildInputs
-    ++ pkgs.nixComponents.nix-store-tests.externalBuildInputs
-    ++ pkgs.nixComponents.nix-fetchers.buildInputs
-    ++ pkgs.nixComponents.nix-expr.buildInputs
-    ++ pkgs.nixComponents.nix-expr.externalPropagatedBuildInputs
-    ++ pkgs.nixComponents.nix-cmd.buildInputs
-    ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.externalBuildInputs
-    ++ lib.optional havePerl pkgs.perl
-    ;
-})
+    buildInputs =
+      attrs.buildInputs or [ ]
+      ++ pkgs.nixComponents.nix-util.buildInputs
+      ++ pkgs.nixComponents.nix-store.buildInputs
+      ++ pkgs.nixComponents.nix-store-tests.externalBuildInputs
+      ++ pkgs.nixComponents.nix-fetchers.buildInputs
+      ++ pkgs.nixComponents.nix-expr.buildInputs
+      ++ pkgs.nixComponents.nix-expr.externalPropagatedBuildInputs
+      ++ pkgs.nixComponents.nix-cmd.buildInputs
+      ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.externalBuildInputs
+      ++ lib.optional havePerl pkgs.perl;
+  }
+)
--- a/packaging/everything.nix
+++ b/packaging/everything.nix
@@ -1,6 +1,7 @@
 {
  lib,
  stdenv,
+  lndir,
  buildEnv,

  nix-util,
@@ -38,41 +39,51 @@
  nix-perl-bindings,

  testers,
-  runCommand,
 }:

 let
+  libs =
+    {
+      inherit
+        nix-util
+        nix-util-c
+        nix-store
+        nix-store-c
+        nix-fetchers
+        nix-expr
+        nix-expr-c
+        nix-flake
+        nix-flake-c
+        nix-main
+        nix-main-c
+        nix-cmd
+        ;
+    }
+    // lib.optionalAttrs
+      (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+      {
+        # Currently fails in static build
+        inherit
+          nix-perl-bindings
+          ;
+      };
+
  dev = stdenv.mkDerivation (finalAttrs: {
    name = "nix-${nix-cli.version}-dev";
    pname = "nix";
    version = nix-cli.version;
    dontUnpack = true;
    dontBuild = true;
-    libs = map lib.getDev [
-      nix-cmd
-      nix-expr
-      nix-expr-c
-      nix-fetchers
-      nix-flake
-      nix-flake-c
-      nix-main
-      nix-main-c
-      nix-store
-      nix-store-c
-      nix-util
-      nix-util-c
-      nix-perl-bindings
-    ];
+    libs = map lib.getDev (lib.attrValues libs);
    installPhase = ''
      mkdir -p $out/nix-support
      echo $libs >> $out/nix-support/propagated-build-inputs
    '';
    passthru = {
      tests = {
-        pkg-config =
-          testers.hasPkgConfigModules {
-            package = finalAttrs.finalPackage;
-          };
+        pkg-config = testers.hasPkgConfigModules {
+          package = finalAttrs.finalPackage;
+        };
      };

      # If we were to fully emulate output selection here, we'd confuse the Nix CLIs,
@@ -82,6 +93,7 @@ let
      libs = throw "`nix.dev.libs` is not meant to be used; use `nix.libs` instead.";
    };
    meta = {
+      mainProgram = "nix";
      pkgConfigModules = [
        "nix-cmd"
        "nix-expr"
@@ -107,42 +119,93 @@ let
  };

 in
-(buildEnv {
-  name = "nix-${nix-cli.version}";
-  paths = [
-    nix-cli
-    nix-manual.man
+stdenv.mkDerivation (finalAttrs: {
+  pname = "nix";
+  version = nix-cli.version;
+
+  /**
+    This package uses a multi-output derivation, even though some outputs could
+    have been provided directly by the constituent component that provides it.
+
+    This is because not all tooling handles packages composed of arbitrary
+    outputs yet. This includes nix itself, https://github.com/NixOS/nix/issues/6507.
+
+    `devdoc` is also available, but not listed here, because this attribute is
+    not an output of the same derivation that provides `out`, `dev`, etc.
+  */
+  outputs = [
+    "out"
+    "dev"
+    "doc"
+    "man"
  ];

-  meta.mainProgram = "nix";
-}).overrideAttrs (finalAttrs: prevAttrs: {
+  /**
+    Unpacking is handled in this package's constituent components
+  */
+  dontUnpack = true;
+  /**
+    Building is handled in this package's constituent components
+  */
+  dontBuild = true;
+
+  /**
+    `doCheck` controles whether tests are added as build gate for the combined package.
+    This includes both the unit tests and the functional tests, but not the
+    integration tests that run in CI (the flake's `hydraJobs` and some of the `checks`).
+  */
  doCheck = true;
-  doInstallCheck = true;

-  checkInputs = [
-    # Make sure the unit tests have passed
-    nix-util-tests.tests.run
-    nix-store-tests.tests.run
-    nix-expr-tests.tests.run
-    nix-fetchers-tests.tests.run
-    nix-flake-tests.tests.run
+  /**
+    `fixupPhase` currently doesn't understand that a symlink output isn't writable.

-    # dev bundle is ok
-    # (checkInputs must be empty paths??)
-    (runCommand "check-pkg-config" { checked = dev.tests.pkg-config; } "mkdir $out")
-  ] ++
-    (if stdenv.buildPlatform.canExecute stdenv.hostPlatform
-    then [
-      # TODO: add perl.tests
-      nix-perl-bindings
+    We don't compile or link anything in this derivation, so fixups aren't needed.
+  */
+  dontFixup = true;
+
+  checkInputs =
+    [
+      # Make sure the unit tests have passed
+      nix-util-tests.tests.run
+      nix-store-tests.tests.run
+      nix-expr-tests.tests.run
+      nix-fetchers-tests.tests.run
+      nix-flake-tests.tests.run
+
+      # Make sure the functional tests have passed
+      nix-functional-tests
    ]
-    else [
-      nix-perl-bindings
-    ]);
-  installCheckInputs = [
-    nix-functional-tests
+    ++ lib.optionals
+      (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+      [
+        # Perl currently fails in static build
+        # TODO: Split out tests into a separate derivation?
+        nix-perl-bindings
+      ];
+
+  nativeBuildInputs = [
+    lndir
  ];
-  passthru = prevAttrs.passthru // {
+
+  installPhase =
+    let
+      devPaths = lib.mapAttrsToList (_k: lib.getDev) finalAttrs.finalPackage.libs;
+    in
+    ''
+      mkdir -p $out $dev $doc $man
+
+      # Merged outputs
+      lndir ${nix-cli} $out
+      for lib in ${lib.escapeShellArgs devPaths}; do
+        lndir $lib $dev
+      done
+
+      # Forwarded outputs
+      ln -s ${nix-manual} $doc
+      ln -s ${nix-manual.man} $man
+    '';
+
+  passthru = {
    inherit (nix-cli) version;

    /**
@@ -161,42 +224,31 @@ in
        unusedInputsForTests = [ nix ];
        disallowedReferences = nix.all;
      ```
-     */
-    libs = {
-      inherit
-        nix-util
-        nix-util-c
-        nix-store
-        nix-store-c
-        nix-fetchers
-        nix-expr
-        nix-expr-c
-        nix-flake
-        nix-flake-c
-        nix-main
-        nix-main-c
-      ;
-    };
-
-    tests = prevAttrs.passthru.tests or {} // {
-      # TODO: create a proper fixpoint and:
-      # pkg-config =
-      #   testers.hasPkgConfigModules {
-      #     package = finalPackage;
-      #   };
-    };
+    */
+    inherit libs;

    /**
-      A derivation referencing the `dev` outputs of the Nix libraries.
-     */
-    inherit dev;
+      Developer documentation for `nix`, in `share/doc/nix/{internal,external}-api/`.
+
+      This is not a proper output; see `outputs` for context.
+    */
    inherit devdoc;
-    doc = nix-manual;
-    outputs = [ "out" "dev" "devdoc" "doc" ];
-    all = lib.attrValues (lib.genAttrs finalAttrs.passthru.outputs (outName: finalAttrs.finalPackage.${outName}));
+
+    /**
+      Extra tests that test this package, but do not run as part of the build.
+      See <https://nixos.org/manual/nixpkgs/stable/index.html#var-passthru-tests>
+    */
+    tests = {
+      pkg-config = testers.hasPkgConfigModules {
+        package = finalAttrs.finalPackage;
+      };
+    };
  };
-  meta = prevAttrs.meta // {
+
+  meta = {
+    mainProgram = "nix";
    description = "The Nix package manager";
    pkgConfigModules = dev.meta.pkgConfigModules;
  };
+
 })
--- a/packaging/hydra.nix
+++ b/packaging/hydra.nix
@@ -1,22 +1,25 @@
-{ inputs
-, binaryTarball
-, forAllCrossSystems
-, forAllSystems
-, lib
-, linux64BitSystems
-, nixpkgsFor
-, self
-, officialRelease
+{
+  inputs,
+  binaryTarball,
+  forAllCrossSystems,
+  forAllSystems,
+  lib,
+  linux64BitSystems,
+  nixpkgsFor,
+  self,
+  officialRelease,
 }:
 let
  inherit (inputs) nixpkgs nixpkgs-regression;

-  installScriptFor = tarballs:
+  installScriptFor =
+    tarballs:
    nixpkgsFor.x86_64-linux.native.callPackage ../scripts/installer.nix {
      inherit tarballs;
    };

-  testNixVersions = pkgs: daemon:
+  testNixVersions =
+    pkgs: daemon:
    pkgs.nixComponents.nix-functional-tests.override {
      pname = "nix-daemon-compat-tests";
      version = "${pkgs.nix.version}-with-daemon-${daemon.version}";
@@ -54,44 +57,70 @@ let
 in
 {
  # Binary package for various platforms.
-  build = forAllPackages (pkgName:
-    forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.${pkgName}));
+  build = forAllPackages (
+    pkgName: forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.${pkgName})
+  );

-  shellInputs = removeAttrs
-    (forAllSystems (system: self.devShells.${system}.default.inputDerivation))
-    [ "i686-linux" ];
+  shellInputs = removeAttrs (forAllSystems (
+    system: self.devShells.${system}.default.inputDerivation
+  )) [ "i686-linux" ];

-  buildStatic = forAllPackages (pkgName:
-    lib.genAttrs linux64BitSystems (system: nixpkgsFor.${system}.static.nixComponents.${pkgName}));
+  buildStatic = forAllPackages (
+    pkgName:
+    lib.genAttrs linux64BitSystems (system: nixpkgsFor.${system}.static.nixComponents.${pkgName})
+  );

-  buildCross = forAllPackages (pkgName:
+  buildCross = forAllPackages (
+    pkgName:
    # Hack to avoid non-evaling package
-    (if pkgName == "nix-functional-tests" then lib.flip builtins.removeAttrs ["x86_64-w64-mingw32"] else lib.id)
-    (forAllCrossSystems (crossSystem:
-      lib.genAttrs [ "x86_64-linux" ] (system: nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName}))));
+    (
+      if pkgName == "nix-functional-tests" then
+        lib.flip builtins.removeAttrs [ "x86_64-w64-mingw32" ]
+      else
+        lib.id
+    )
+      (
+        forAllCrossSystems (
+          crossSystem:
+          lib.genAttrs [ "x86_64-linux" ] (
+            system: nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName}
+          )
+        )
+      )
+  );

-  buildNoGc = let
-    components = forAllSystems (system:
-      nixpkgsFor.${system}.native.nixComponents.overrideScope (self: super: {
-        nix-expr = super.nix-expr.override { enableGC = false; };
-      })
-    );
-  in forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
+  buildNoGc =
+    let
+      components = forAllSystems (
+        system:
+        nixpkgsFor.${system}.native.nixComponents.overrideScope (
+          self: super: {
+            nix-expr = super.nix-expr.override { enableGC = false; };
+          }
+        )
+      );
+    in
+    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));

  buildNoTests = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.nix-cli);

  # Toggles some settings for better coverage. Windows needs these
  # library combinations, and Debian build Nix with GNU readline too.
-  buildReadlineNoMarkdown = let
-    components = forAllSystems (system:
-      nixpkgsFor.${system}.native.nixComponents.overrideScope (self: super: {
-        nix-cmd = super.nix-cmd.override {
-          enableMarkdown = false;
-          readlineFlavor = "readline";
-        };
-      })
-    );
-  in forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
+  buildReadlineNoMarkdown =
+    let
+      components = forAllSystems (
+        system:
+        nixpkgsFor.${system}.native.nixComponents.overrideScope (
+          self: super: {
+            nix-cmd = super.nix-cmd.override {
+              enableMarkdown = false;
+              readlineFlavor = "readline";
+            };
+          }
+        )
+      );
+    in
+    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));

  # Perl bindings for various platforms.
  perlBindings = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.nix-perl-bindings);
@@ -99,13 +128,18 @@ in
  # Binary tarball for various platforms, containing a Nix store
  # with the closure of 'nix' package, and the second half of
  # the installation script.
-  binaryTarball = forAllSystems (system: binaryTarball nixpkgsFor.${system}.native.nix nixpkgsFor.${system}.native);
+  binaryTarball = forAllSystems (
+    system: binaryTarball nixpkgsFor.${system}.native.nix nixpkgsFor.${system}.native
+  );

-  binaryTarballCross = lib.genAttrs [ "x86_64-linux" ] (system:
-    forAllCrossSystems (crossSystem:
-      binaryTarball
-        nixpkgsFor.${system}.cross.${crossSystem}.nix
-        nixpkgsFor.${system}.cross.${crossSystem}));
+  binaryTarballCross = lib.genAttrs [ "x86_64-linux" ] (
+    system:
+    forAllCrossSystems (
+      crossSystem:
+      binaryTarball nixpkgsFor.${system}.cross.${crossSystem}.nix
+        nixpkgsFor.${system}.cross.${crossSystem}
+    )
+  );

  # The first half of the installation script. This is uploaded
  # to https://nixos.org/nix/install. It downloads the binary
@@ -123,15 +157,13 @@ in
    self.hydraJobs.binaryTarballCross."x86_64-linux"."armv7l-unknown-linux-gnueabihf"
    self.hydraJobs.binaryTarballCross."x86_64-linux"."riscv64-unknown-linux-gnu"
  ];
-  installerScriptForGHA = installScriptFor [
-    # Native
-    self.hydraJobs.binaryTarball."x86_64-linux"
-    self.hydraJobs.binaryTarball."aarch64-darwin"
-    # Cross
-    self.hydraJobs.binaryTarballCross."x86_64-linux"."armv6l-unknown-linux-gnueabihf"
-    self.hydraJobs.binaryTarballCross."x86_64-linux"."armv7l-unknown-linux-gnueabihf"
-    self.hydraJobs.binaryTarballCross."x86_64-linux"."riscv64-unknown-linux-gnu"
-  ];
+
+  installerScriptForGHA = forAllSystems (
+    system:
+    nixpkgsFor.${system}.native.callPackage ../scripts/installer.nix {
+      tarballs = [ self.hydraJobs.binaryTarball.${system} ];
+    }
+  );

  # docker image with Nix inside
  dockerImage = lib.genAttrs linux64BitSystems (system: self.packages.${system}.dockerImage);
@@ -152,16 +184,24 @@ in
  external-api-docs = nixpkgsFor.x86_64-linux.native.nixComponents.nix-external-api-docs;

  # System tests.
-  tests = import ../tests/nixos { inherit lib nixpkgs nixpkgsFor self; } // {
+  tests =
+    import ../tests/nixos {
+      inherit
+        lib
+        nixpkgs
+        nixpkgsFor
+        self
+        ;
+    }
+    // {

-    # Make sure that nix-env still produces the exact same result
-    # on a particular version of Nixpkgs.
-    evalNixpkgs =
-      let
-        inherit (nixpkgsFor.x86_64-linux.native) runCommand nix;
-      in
-      runCommand "eval-nixos" { buildInputs = [ nix ]; }
-        ''
+      # Make sure that nix-env still produces the exact same result
+      # on a particular version of Nixpkgs.
+      evalNixpkgs =
+        let
+          inherit (nixpkgsFor.x86_64-linux.native) runCommand nix;
+        in
+        runCommand "eval-nixos" { buildInputs = [ nix ]; } ''
          type -p nix-env
          # Note: we're filtering out nixos-install-tools because https://github.com/NixOS/nixpkgs/pull/153594#issuecomment-1020530593.
          (
@@ -172,36 +212,36 @@ in
          mkdir $out
        '';

-    nixpkgsLibTests =
-      forAllSystems (system:
-        import (nixpkgs + "/lib/tests/test-with-nix.nix")
-          {
-            lib = nixpkgsFor.${system}.native.lib;
-            nix = self.packages.${system}.nix-cli;
-            pkgs = nixpkgsFor.${system}.native;
-          }
+      nixpkgsLibTests = forAllSystems (
+        system:
+        import (nixpkgs + "/lib/tests/test-with-nix.nix") {
+          lib = nixpkgsFor.${system}.native.lib;
+          nix = self.packages.${system}.nix-cli;
+          pkgs = nixpkgsFor.${system}.native;
+        }
      );
-  };
+    };

  metrics.nixpkgs = import "${nixpkgs-regression}/pkgs/top-level/metrics.nix" {
    pkgs = nixpkgsFor.x86_64-linux.native;
    nixpkgs = nixpkgs-regression;
  };

-  installTests = forAllSystems (system:
-    let pkgs = nixpkgsFor.${system}.native; in
-    pkgs.runCommand "install-tests"
-      {
-        againstSelf = testNixVersions pkgs pkgs.nix;
-        againstCurrentLatest =
-          # FIXME: temporarily disable this on macOS because of #3605.
-          if system == "x86_64-linux"
-          then testNixVersions pkgs pkgs.nixVersions.latest
-          else null;
-        # Disabled because the latest stable version doesn't handle
-        # `NIX_DAEMON_SOCKET_PATH` which is required for the tests to work
-        # againstLatestStable = testNixVersions pkgs pkgs.nixStable;
-      } "touch $out");
+  installTests = forAllSystems (
+    system:
+    let
+      pkgs = nixpkgsFor.${system}.native;
+    in
+    pkgs.runCommand "install-tests" {
+      againstSelf = testNixVersions pkgs pkgs.nix;
+      againstCurrentLatest =
+        # FIXME: temporarily disable this on macOS because of #3605.
+        if system == "x86_64-linux" then testNixVersions pkgs pkgs.nixVersions.latest else null;
+      # Disabled because the latest stable version doesn't handle
+      # `NIX_DAEMON_SOCKET_PATH` which is required for the tests to work
+      # againstLatestStable = testNixVersions pkgs pkgs.nixStable;
+    } "touch $out"
+  );

  installerTests = import ../tests/installer {
    binaryTarballs = self.hydraJobs.binaryTarball;
--- a/scripts/binary-tarball.nix
+++ b/scripts/binary-tarball.nix
@@ -1,14 +1,18 @@
-{ runCommand
-, system
-, buildPackages
-, cacert
-, nix
+{
+  runCommand,
+  system,
+  buildPackages,
+  cacert,
+  nix,
 }:

 let

  installerClosureInfo = buildPackages.closureInfo {
-    rootPaths = [ nix cacert ];
+    rootPaths = [
+      nix
+      cacert
+    ];
  };

  inherit (nix) version;
@@ -65,7 +69,7 @@ runCommand "nix-binary-tarball-${version}" env ''
  fn=$out/$dir.tar.xz
  mkdir -p $out/nix-support
  echo "file binary-dist $fn" >> $out/nix-support/hydra-build-products
-  tar cvfJ $fn \
+  tar cfJ $fn \
    --owner=0 --group=0 --mode=u+rw,uga+r \
    --mtime='1970-01-01' \
    --absolute-names \
--- a/scripts/build-checks
+++ b/scripts/build-checks
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+system=$(nix eval --raw --impure --expr builtins.currentSystem)
+nix eval --json ".#checks.$system" --apply builtins.attrNames | \
+  jq -r '.[]' | \
+  xargs -P0 -I '{}' sh -c "nix build -L .#checks.$system.{} || { echo 'FAILED: \033[0;31mnix build -L .#checks.$system.{}\\033[0m'; kill 0; }"
--- a/scripts/install-darwin-multi-user.sh
+++ b/scripts/install-darwin-multi-user.sh
@@ -145,13 +145,28 @@ poly_user_id_get() {
    dsclattr "/Users/$1" "UniqueID"
 }

+dscl_create() {
+    # workaround a bug in dscl where it sometimes fails with eNotYetImplemented:
+    # https://github.com/NixOS/nix/issues/12140
+    while ! _sudo "$1" /usr/bin/dscl . -create "$2" "$3" "$4" 2> "$SCRATCH/dscl.err"; do
+        local err=$?
+        if [[ $err -eq 140 ]] && grep -q "-14988 (eNotYetImplemented)" "$SCRATCH/dscl.err"; then
+            echo "dscl failed with eNotYetImplemented, retrying..."
+            sleep 1
+            continue
+        fi
+        cat "$SCRATCH/dscl.err"
+        return $err
+    done
+}
+
 poly_user_hidden_get() {
    dsclattr "/Users/$1" "IsHidden"
 }

 poly_user_hidden_set() {
-    _sudo "in order to make $1 a hidden user" \
-          /usr/bin/dscl . -create "/Users/$1" "IsHidden" "1"
+    dscl_create "in order to make $1 a hidden user" \
+          "/Users/$1" "IsHidden" "1"
 }

 poly_user_home_get() {
@@ -161,8 +176,8 @@ poly_user_home_get() {
 poly_user_home_set() {
    # This can trigger a permission prompt now:
    # "Terminal" would like to administer your computer. Administration can include modifying passwords, networking, and system settings.
-    _sudo "in order to give $1 a safe home directory" \
-          /usr/bin/dscl . -create "/Users/$1" "NFSHomeDirectory" "$2"
+    dscl_create "in order to give $1 a safe home directory" \
+          "/Users/$1" "NFSHomeDirectory" "$2"
 }

 poly_user_note_get() {
@@ -170,8 +185,8 @@ poly_user_note_get() {
 }

 poly_user_note_set() {
-    _sudo "in order to give $username a useful note" \
-          /usr/bin/dscl . -create "/Users/$1" "RealName" "$2"
+    dscl_create "in order to give $1 a useful note" \
+          "/Users/$1" "RealName" "$2"
 }

 poly_user_shell_get() {
@@ -179,8 +194,8 @@ poly_user_shell_get() {
 }

 poly_user_shell_set() {
-    _sudo "in order to give $1 a safe shell" \
-          /usr/bin/dscl . -create "/Users/$1" "UserShell" "$2"
+    dscl_create "in order to give $1 a safe shell" \
+          "/Users/$1" "UserShell" "$2"
 }

 poly_user_in_group_check() {
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@@ -56,6 +56,9 @@ readonly NIX_INSTALLED_CACERT="@cacert@"
 #readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2"
 readonly EXTRACTED_NIX_PATH="$(dirname "$0")"

+# allow to override identity change command
+readonly NIX_BECOME=${NIX_BECOME:-sudo}
+
 readonly ROOT_HOME=~root

 if [ -t 0 ] && [ -z "${NIX_INSTALLER_YES:-}" ]; then
@@ -123,7 +126,7 @@ uninstall_directions() {
            cat <<EOF
 $step. Restore $profile_target$PROFILE_BACKUP_SUFFIX back to $profile_target

-  sudo mv $profile_target$PROFILE_BACKUP_SUFFIX $profile_target
+  $NIX_BECOME mv $profile_target$PROFILE_BACKUP_SUFFIX $profile_target

 (after this one, you may need to re-open any terminals that were
 opened while it existed.)
@@ -136,7 +139,7 @@ EOF
    cat <<EOF
 $step. Delete the files Nix added to your system:

-  sudo rm -rf "/etc/nix" "$NIX_ROOT" "$ROOT_HOME/.nix-profile" "$ROOT_HOME/.nix-defexpr" "$ROOT_HOME/.nix-channels" "$ROOT_HOME/.local/state/nix" "$ROOT_HOME/.cache/nix" "$HOME/.nix-profile" "$HOME/.nix-defexpr" "$HOME/.nix-channels" "$HOME/.local/state/nix" "$HOME/.cache/nix"
+  $NIX_BECOME rm -rf "/etc/nix" "$NIX_ROOT" "$ROOT_HOME/.nix-profile" "$ROOT_HOME/.nix-defexpr" "$ROOT_HOME/.nix-channels" "$ROOT_HOME/.local/state/nix" "$ROOT_HOME/.cache/nix" "$HOME/.nix-profile" "$HOME/.nix-defexpr" "$HOME/.nix-channels" "$HOME/.local/state/nix" "$HOME/.cache/nix"

 and that is it.

@@ -343,7 +346,7 @@ __sudo() {

    echo "I am executing:"
    echo ""
-    printf "    $ sudo %s\\n" "$cmd"
+    printf "    $ $NIX_BECOME %s\\n" "$cmd"
    echo ""
    echo "$expl"
    echo ""
@@ -361,7 +364,9 @@ _sudo() {
    if is_root; then
        env "$@"
    else
-        sudo "$@"
+        # env sets environment variables for sudo alternatives
+        # that don't support "VAR=value command" syntax
+        $NIX_BECOME env "$@"
    fi
 }

@@ -557,7 +562,7 @@ create_build_user_for_core() {
        if [ "$actual_uid" != "$uid" ]; then
            failure <<EOF
 It seems the build user $username already exists, but with the UID
-with the UID '$actual_uid'. This script can't really handle that right
+'$actual_uid'. This script can't really handle that right
 now, so I'm going to give up.

 If you already created the users and you know they start from
--- a/scripts/install-nix-from-tarball.sh
+++ b/scripts/install-nix-from-tarball.sh
@@ -9,6 +9,8 @@ self="$(dirname "$0")"
 nix="@nix@"
 cacert="@cacert@"

+# allow to override identity change command
+readonly NIX_BECOME="${NIX_BECOME:-sudo}"

 if ! [ -e "$self/.reginfo" ]; then
    echo "$0: incomplete installer (.reginfo is missing)" >&2
@@ -63,7 +65,6 @@ while [ $# -gt 0 ]; do
                exit 1
            fi
            INSTALL_MODE=no-daemon
-            # intentional tail space
            ACTION=install
            ;;
        --yes)
@@ -135,8 +136,8 @@ echo "performing a single-user installation of Nix..." >&2

 if ! [ -e "$dest" ]; then
    cmd="mkdir -m 0755 $dest && chown $USER $dest"
-    echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
-    if ! sudo sh -c "$cmd"; then
+    echo "directory $dest does not exist; creating it by running '$cmd' using $NIX_BECOME" >&2
+    if ! $NIX_BECOME sh -c "$cmd"; then
        echo "$0: please manually run '$cmd' as root to create $dest" >&2
        exit 1
    fi
--- a/scripts/installer.nix
+++ b/scripts/installer.nix
@@ -1,36 +1,42 @@
-{ lib
-, runCommand
-, nix
-, tarballs
+{
+  lib,
+  runCommand,
+  nix,
+  tarballs,
 }:

-runCommand "installer-script" {
-  buildInputs = [ nix ];
-} ''
-  mkdir -p $out/nix-support
-
-  # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
-  tarballPath() {
-    # Remove the store prefix
-    local path=''${1#${builtins.storeDir}/}
-    # Get the path relative to the derivation root
-    local rest=''${path#*/}
-    # Get the derivation hash
-    local drvHash=''${path%%-*}
-    echo "$drvHash/$rest"
+runCommand "installer-script"
+  {
+    buildInputs = [ nix ];
  }
+  ''
+    mkdir -p $out/nix-support

-  substitute ${./install.in} $out/install \
-    ${lib.concatMapStrings
-      (tarball: let
-          inherit (tarball.stdenv.hostPlatform) system;
-        in '' \
-        --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
-        --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
-        ''
-      )
-      tarballs
-    } --replace '@nixVersion@' ${nix.version}
+    # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
+    tarballPath() {
+      # Remove the store prefix
+      local path=''${1#${builtins.storeDir}/}
+      # Get the path relative to the derivation root
+      local rest=''${path#*/}
+      # Get the derivation hash
+      local drvHash=''${path%%-*}
+      echo "$drvHash/$rest"
+    }

-  echo "file installer $out/install" >> $out/nix-support/hydra-build-products
-''
+    substitute ${./install.in} $out/install \
+      ${
+        lib.concatMapStrings (
+          tarball:
+          let
+            inherit (tarball.stdenv.hostPlatform) system;
+          in
+          ''
+            \
+                   --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
+                   --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
+          ''
+        ) tarballs
+      } --replace '@nixVersion@' ${nix.version}
+
+    echo "file installer $out/install" >> $out/nix-support/hydra-build-products
+  ''
--- a/scripts/nix-profile.fish.in
+++ b/scripts/nix-profile.fish.in
@@ -29,7 +29,7 @@ if test -n "$HOME" && test -n "$USER"
    end

    # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
-    if test -n "$NIX_SSH_CERT_FILE"
+    if test -n "$NIX_SSL_CERT_FILE"
        : # Allow users to override the NIX_SSL_CERT_FILE
    else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch
        set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
--- a/scripts/prepare-installer-for-github-actions
+++ b/scripts/prepare-installer-for-github-actions
@@ -1,10 +1,11 @@
 #!/usr/bin/env bash

-set -e
+set -euo pipefail

-script=$(nix-build -A outputs.hydraJobs.installerScriptForGHA --no-out-link)
-installerHash=$(echo "$script" | cut -b12-43 -)
+nix build -L ".#installerScriptForGHA" ".#binaryTarball"

-installerURL=https://$CACHIX_NAME.cachix.org/serve/$installerHash/install
-
-echo "::set-output name=installerURL::$installerURL"
+mkdir -p out
+cp ./result/install "out/install"
+name="$(basename "$(realpath ./result-1)")"
+# everything before the first dash
+cp -r ./result-1 "out/${name%%-*}"
--- a/scripts/sequoia-nixbld-user-migration.sh
+++ b/scripts/sequoia-nixbld-user-migration.sh
@@ -2,6 +2,9 @@

 set -eo pipefail

+# stock path to avoid unexpected command versions
+PATH="$(/usr/bin/getconf PATH)"
+
 ((NEW_NIX_FIRST_BUILD_UID=351))
 ((TEMP_NIX_FIRST_BUILD_UID=31000))

--- a/scripts/serve-installer-for-github-actions
+++ b/scripts/serve-installer-for-github-actions
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+if [[ ! -d out ]]; then
+  echo "run prepare-installer-for-github-actions first"
+  exit 1
+fi
+cd out
+PORT=${PORT:-8126}
+nohup python -m http.server "$PORT" >/dev/null 2>&1 &
+pid=$!
+
+while ! curl -s "http://localhost:$PORT"; do
+  sleep 1
+  if ! kill -0 $pid; then
+    echo "Failed to start http server"
+    exit 1
+  fi
+done
+
+echo 'To install nix, run the following command:'
+echo "sh <(curl http://localhost:$PORT/install) --tarball-url-prefix http://localhost:$PORT"
--- a/src/external-api-docs/package.nix
+++ b/src/external-api-docs/package.nix
@@ -1,11 +1,12 @@
-{ lib
-, mkMesonDerivation
+{
+  lib,
+  mkMesonDerivation,

-, doxygen
+  doxygen,

-# Configuration Options
+  # Configuration Options

-, version
+  version,
 }:

 let
@@ -39,11 +40,10 @@ mkMesonDerivation (finalAttrs: {
    doxygen
  ];

-  preConfigure =
-    ''
-      chmod u+w ./.version
-      echo ${finalAttrs.version} > ./.version
-    '';
+  preConfigure = ''
+    chmod u+w ./.version
+    echo ${finalAttrs.version} > ./.version
+  '';

  postInstall = ''
    mkdir -p ''${!outputDoc}/nix-support
--- a/src/internal-api-docs/package.nix
+++ b/src/internal-api-docs/package.nix
@@ -1,11 +1,12 @@
-{ lib
-, mkMesonDerivation
+{
+  lib,
+  mkMesonDerivation,

-, doxygen
+  doxygen,

-# Configuration Options
+  # Configuration Options

-, version
+  version,
 }:

 let
@@ -17,27 +18,28 @@ mkMesonDerivation (finalAttrs: {
  inherit version;

  workDir = ./.;
-  fileset = let
-    cpp = fileset.fileFilter (file: file.hasExt "cc" || file.hasExt "hh");
-  in fileset.unions [
-    ./.version
-    ../../.version
-    ./meson.build
-    ./doxygen.cfg.in
-    # Source is not compiled, but still must be available for Doxygen
-    # to gather comments.
-    (cpp ../.)
-  ];
+  fileset =
+    let
+      cpp = fileset.fileFilter (file: file.hasExt "cc" || file.hasExt "hh");
+    in
+    fileset.unions [
+      ./.version
+      ../../.version
+      ./meson.build
+      ./doxygen.cfg.in
+      # Source is not compiled, but still must be available for Doxygen
+      # to gather comments.
+      (cpp ../.)
+    ];

  nativeBuildInputs = [
    doxygen
  ];

-  preConfigure =
-    ''
-      chmod u+w ./.version
-      echo ${finalAttrs.version} > ./.version
-    '';
+  preConfigure = ''
+    chmod u+w ./.version
+    echo ${finalAttrs.version} > ./.version
+  '';

  postInstall = ''
    mkdir -p ''${!outputDoc}/nix-support
--- a/src/libcmd/installables.cc
+++ b/src/libcmd/installables.cc
@@ -450,7 +450,7 @@ ref<eval_cache::EvalCache> openEvalCache(
    std::shared_ptr<flake::LockedFlake> lockedFlake)
 {
    auto fingerprint = evalSettings.useEvalCache && evalSettings.pureEval
-        ? lockedFlake->getFingerprint(state.store)
+        ? lockedFlake->getFingerprint(state.store, state.fetchSettings)
        : std::nullopt;
    auto rootLoader = [&state, lockedFlake]()
        {
--- a/src/libcmd/markdown.cc
+++ b/src/libcmd/markdown.cc
@@ -16,13 +16,25 @@ static std::string doRenderMarkdownToTerminal(std::string_view markdown)
 {
    int windowWidth = getWindowSize().second;

-    struct lowdown_opts opts
-    {
-        .type = LOWDOWN_TERM,
-        .maxdepth = 20,
+#if HAVE_LOWDOWN_1_4
+    struct lowdown_opts_term opts_term {
        .cols = (size_t) std::max(windowWidth - 5, 60),
        .hmargin = 0,
        .vmargin = 0,
+    };
+#endif
+    struct lowdown_opts opts
+    {
+        .type = LOWDOWN_TERM,
+#if HAVE_LOWDOWN_1_4
+        .term = opts_term,
+#endif
+        .maxdepth = 20,
+#if !HAVE_LOWDOWN_1_4
+        .cols = (size_t) std::max(windowWidth - 5, 60),
+        .hmargin = 0,
+        .vmargin = 0,
+#endif
        .feat = LOWDOWN_COMMONMARK | LOWDOWN_FENCED | LOWDOWN_DEFLIST | LOWDOWN_TABLES,
        .oflags = LOWDOWN_TERM_NOLINK,
    };
--- a/src/libcmd/meson.build
+++ b/src/libcmd/meson.build
@@ -4,8 +4,6 @@ project('nix-cmd', 'cpp',
    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
-    'debug=true',
-    'optimization=2',
    'errorlogs=true', # Please print logs for tests that fail
  ],
  meson_version : '>= 1.1',
@@ -36,6 +34,8 @@ deps_public += nlohmann_json
 lowdown = dependency('lowdown', version : '>= 0.9.0', required : get_option('markdown'))
 deps_private += lowdown
 configdata.set('HAVE_LOWDOWN', lowdown.found().to_int())
+# The API changed slightly around terminal initialization.
+configdata.set('HAVE_LOWDOWN_1_4', lowdown.version().version_compare('>= 1.4.0').to_int())

 readline_flavor = get_option('readline-flavor')
 if readline_flavor == 'editline'
--- a/src/libcmd/package.nix
+++ b/src/libcmd/package.nix
@@ -1,32 +1,33 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  stdenv,
+  mkMesonLibrary,

-, nix-util
-, nix-store
-, nix-fetchers
-, nix-expr
-, nix-flake
-, nix-main
-, editline
-, readline
-, lowdown
-, nlohmann_json
+  nix-util,
+  nix-store,
+  nix-fetchers,
+  nix-expr,
+  nix-flake,
+  nix-main,
+  editline,
+  readline,
+  lowdown,
+  nlohmann_json,

-# Configuration Options
+  # Configuration Options

-, version
+  version,

-# Whether to enable Markdown rendering in the Nix binary.
-, enableMarkdown ? !stdenv.hostPlatform.isWindows
+  # Whether to enable Markdown rendering in the Nix binary.
+  enableMarkdown ? !stdenv.hostPlatform.isWindows,

-# Which interactive line editor library to use for Nix's repl.
-#
-# Currently supported choices are:
-#
-# - editline (default)
-# - readline
-, readlineFlavor ? if stdenv.hostPlatform.isWindows then "readline" else "editline"
+  # Which interactive line editor library to use for Nix's repl.
+  #
+  # Currently supported choices are:
+  #
+  # - editline (default)
+  # - readline
+  readlineFlavor ? if stdenv.hostPlatform.isWindows then "readline" else "editline",
 }:

 let
@@ -63,23 +64,11 @@ mkMesonLibrary (finalAttrs: {
    nlohmann_json
  ];

-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
  mesonFlags = [
    (lib.mesonEnable "markdown" enableMarkdown)
    (lib.mesonOption "readline-flavor" readlineFlavor)
  ];

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
  meta = {
    platforms = lib.platforms.unix ++ lib.platforms.windows;
  };
--- a/src/libexpr-c/meson.build
+++ b/src/libexpr-c/meson.build
@@ -4,8 +4,6 @@ project('nix-expr-c', 'cpp',
    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
-    'debug=true',
-    'optimization=2',
    'errorlogs=true', # Please print logs for tests that fail
  ],
  meson_version : '>= 1.1',
--- a/src/libexpr-c/nix_api_value.cc
+++ b/src/libexpr-c/nix_api_value.cc
@@ -613,12 +613,8 @@ nix_realised_string * nix_string_realise(nix_c_context * context, EvalState * st
        context->last_err_code = NIX_OK;
    try {
        auto & v = check_value_in(value);
-        nix::NixStringContext stringContext;
-        auto rawStr = state->state.coerceToString(nix::noPos, v, stringContext, "while realising a string").toOwned();
        nix::StorePathSet storePaths;
-        auto rewrites = state->state.realiseContext(stringContext, &storePaths);
-
-        auto s = nix::rewriteStrings(rawStr, rewrites);
+        auto s = state->state.realiseString(v, &storePaths, isIFD);

        // Convert to the C API StorePath type and convert to vector for index-based access
        std::vector<StorePath> vec;
--- a/src/libexpr-c/package.nix
+++ b/src/libexpr-c/package.nix
@@ -1,13 +1,13 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  mkMesonLibrary,

-, nix-store-c
-, nix-expr
+  nix-store-c,
+  nix-expr,

-# Configuration Options
+  # Configuration Options

-, version
+  version,
 }:

 let
@@ -36,21 +36,9 @@ mkMesonLibrary (finalAttrs: {
    nix-expr
  ];

-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
  mesonFlags = [
  ];

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
  meta = {
    platforms = lib.platforms.unix ++ lib.platforms.windows;
  };
--- a/src/libexpr-test-support/meson.build
+++ b/src/libexpr-test-support/meson.build
@@ -4,8 +4,6 @@ project('nix-expr-test-support', 'cpp',
    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
-    'debug=true',
-    'optimization=2',
    'errorlogs=true', # Please print logs for tests that fail
  ],
  meson_version : '>= 1.1',
--- a/src/libexpr-test-support/package.nix
+++ b/src/libexpr-test-support/package.nix
@@ -1,16 +1,16 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  mkMesonLibrary,

-, nix-store-test-support
-, nix-expr
-, nix-expr-c
+  nix-store-test-support,
+  nix-expr,
+  nix-expr-c,

-, rapidcheck
+  rapidcheck,

-# Configuration Options
+  # Configuration Options

-, version
+  version,
 }:

 let
@@ -40,21 +40,9 @@ mkMesonLibrary (finalAttrs: {
    rapidcheck
  ];

-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
  mesonFlags = [
  ];

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
  meta = {
    platforms = lib.platforms.unix ++ lib.platforms.windows;
  };
--- a/src/libexpr-tests/error_traces.cc
+++ b/src/libexpr-tests/error_traces.cc
@@ -691,15 +691,15 @@ namespace nix {
        ASSERT_TRACE2("elemAt \"foo\" (-1)",
                      TypeError,
                      HintFmt("expected a list but found %s: %s", "a string", Uncolored(ANSI_MAGENTA "\"foo\"" ANSI_NORMAL)),
-                      HintFmt("while evaluating the first argument passed to builtins.elemAt"));
+                      HintFmt("while evaluating the first argument passed to 'builtins.elemAt'"));

        ASSERT_TRACE1("elemAt [] (-1)",
                      Error,
-                      HintFmt("list index %d is out of bounds", -1));
+                      HintFmt("'builtins.elemAt' called with index %d on a list of size %d", -1, 0));

        ASSERT_TRACE1("elemAt [\"foo\"] 3",
                      Error,
-                      HintFmt("list index %d is out of bounds", 3));
+                      HintFmt("'builtins.elemAt' called with index %d on a list of size %d", 3, 1));

    }

@@ -708,11 +708,11 @@ namespace nix {
        ASSERT_TRACE2("head 1",
                      TypeError,
                      HintFmt("expected a list but found %s: %s", "an integer", Uncolored(ANSI_CYAN "1" ANSI_NORMAL)),
-                      HintFmt("while evaluating the first argument passed to builtins.elemAt"));
+                      HintFmt("while evaluating the first argument passed to 'builtins.head'"));

        ASSERT_TRACE1("head []",
                      Error,
-                      HintFmt("list index %d is out of bounds", 0));
+                      HintFmt("'builtins.head' called on an empty list"));

    }

@@ -721,11 +721,11 @@ namespace nix {
        ASSERT_TRACE2("tail 1",
                      TypeError,
                      HintFmt("expected a list but found %s: %s", "an integer", Uncolored(ANSI_CYAN "1" ANSI_NORMAL)),
-                      HintFmt("while evaluating the first argument passed to builtins.tail"));
+                      HintFmt("while evaluating the first argument passed to 'builtins.tail'"));

        ASSERT_TRACE1("tail []",
                      Error,
-                      HintFmt("'tail' called on an empty list"));
+                      HintFmt("'builtins.tail' called on an empty list"));

    }

--- a/src/libexpr-tests/meson.build
+++ b/src/libexpr-tests/meson.build
@@ -4,8 +4,6 @@ project('nix-expr-tests', 'cpp',
    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
-    'debug=true',
-    'optimization=2',
    'errorlogs=true', # Please print logs for tests that fail
  ],
  meson_version : '>= 1.1',
--- a/src/libexpr-tests/package.nix
+++ b/src/libexpr-tests/package.nix
@@ -1,20 +1,21 @@
-{ lib
-, buildPackages
-, stdenv
-, mkMesonExecutable
+{
+  lib,
+  buildPackages,
+  stdenv,
+  mkMesonExecutable,

-, nix-expr
-, nix-expr-c
-, nix-expr-test-support
+  nix-expr,
+  nix-expr-c,
+  nix-expr-test-support,

-, rapidcheck
-, gtest
-, runCommand
+  rapidcheck,
+  gtest,
+  runCommand,

-# Configuration Options
+  # Configuration Options

-, version
-, resolvePath
+  version,
+  resolvePath,
 }:

 let
@@ -45,33 +46,27 @@ mkMesonExecutable (finalAttrs: {
    gtest
  ];

-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
  mesonFlags = [
  ];

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
  passthru = {
    tests = {
-      run = runCommand "${finalAttrs.pname}-run" {
-        meta.broken = !stdenv.hostPlatform.emulatorAvailable buildPackages;
-      } (lib.optionalString stdenv.hostPlatform.isWindows ''
-        export HOME="$PWD/home-dir"
-        mkdir -p "$HOME"
-      '' + ''
-        export _NIX_TEST_UNIT_DATA=${resolvePath ./data}
-        ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
-        touch $out
-      '');
+      run =
+        runCommand "${finalAttrs.pname}-run"
+          {
+            meta.broken = !stdenv.hostPlatform.emulatorAvailable buildPackages;
+          }
+          (
+            lib.optionalString stdenv.hostPlatform.isWindows ''
+              export HOME="$PWD/home-dir"
+              mkdir -p "$HOME"
+            ''
+            + ''
+              export _NIX_TEST_UNIT_DATA=${resolvePath ./data}
+              ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
+              touch $out
+            ''
+          );
    };
  };

--- a/src/libexpr/call-flake.nix
+++ b/src/libexpr/call-flake.nix
@@ -20,70 +20,77 @@ let
  # Resolve a input spec into a node name. An input spec is
  # either a node name, or a 'follows' path from the root
  # node.
-  resolveInput = inputSpec:
-    if builtins.isList inputSpec
-    then getInputByPath lockFile.root inputSpec
-    else inputSpec;
+  resolveInput =
+    inputSpec: if builtins.isList inputSpec then getInputByPath lockFile.root inputSpec else inputSpec;

  # Follow an input path (e.g. ["dwarffs" "nixpkgs"]) from the
  # root node, returning the final node.
-  getInputByPath = nodeName: path:
-    if path == []
-    then nodeName
+  getInputByPath =
+    nodeName: path:
+    if path == [ ] then
+      nodeName
    else
      getInputByPath
        # Since this could be a 'follows' input, call resolveInput.
        (resolveInput lockFile.nodes.${nodeName}.inputs.${builtins.head path})
        (builtins.tail path);

-  allNodes =
-    builtins.mapAttrs
-      (key: node:
-        let
+  allNodes = builtins.mapAttrs (
+    key: node:
+    let

-          sourceInfo =
-            if overrides ? ${key}
-            then
-              overrides.${key}.sourceInfo
-            else
-              # FIXME: remove obsolete node.info.
-              # Note: lock file entries are always final.
-              fetchTreeFinal (node.info or {} // removeAttrs node.locked ["dir"]);
+      parentNode = allNodes.${getInputByPath lockFile.root node.parent};

-          subdir = overrides.${key}.dir or node.locked.dir or "";
+      sourceInfo =
+        if overrides ? ${key} then
+          overrides.${key}.sourceInfo
+        else if node.locked.type == "path" && builtins.substring 0 1 node.locked.path != "/" then
+          parentNode.sourceInfo
+          // {
+            outPath = parentNode.outPath + ("/" + node.locked.path);
+          }
+        else
+          # FIXME: remove obsolete node.info.
+          # Note: lock file entries are always final.
+          fetchTreeFinal (node.info or { } // removeAttrs node.locked [ "dir" ]);

-          outPath = sourceInfo + ((if subdir == "" then "" else "/") + subdir);
+      subdir = overrides.${key}.dir or node.locked.dir or "";

-          flake = import (outPath + "/flake.nix");
+      outPath = sourceInfo + ((if subdir == "" then "" else "/") + subdir);

-          inputs = builtins.mapAttrs
-            (inputName: inputSpec: allNodes.${resolveInput inputSpec})
-            (node.inputs or {});
+      flake = import (outPath + "/flake.nix");

-          outputs = flake.outputs (inputs // { self = result; });
+      inputs = builtins.mapAttrs (inputName: inputSpec: allNodes.${resolveInput inputSpec}) (
+        node.inputs or { }
+      );

-          result =
-            outputs
-            # We add the sourceInfo attribute for its metadata, as they are
-            # relevant metadata for the flake. However, the outPath of the
-            # sourceInfo does not necessarily match the outPath of the flake,
-            # as the flake may be in a subdirectory of a source.
-            # This is shadowed in the next //
-            // sourceInfo
-            // {
-              # This shadows the sourceInfo.outPath
-              inherit outPath;
+      outputs = flake.outputs (inputs // { self = result; });

-              inherit inputs; inherit outputs; inherit sourceInfo; _type = "flake";
-            };
+      result =
+        outputs
+        # We add the sourceInfo attribute for its metadata, as they are
+        # relevant metadata for the flake. However, the outPath of the
+        # sourceInfo does not necessarily match the outPath of the flake,
+        # as the flake may be in a subdirectory of a source.
+        # This is shadowed in the next //
+        // sourceInfo
+        // {
+          # This shadows the sourceInfo.outPath
+          inherit outPath;

-        in
-          if node.flake or true then
-            assert builtins.isFunction flake.outputs;
-            result
-          else
-            sourceInfo
-      )
-      lockFile.nodes;
+          inherit inputs;
+          inherit outputs;
+          inherit sourceInfo;
+          _type = "flake";
+        };

-in allNodes.${lockFile.root}
+    in
+    if node.flake or true then
+      assert builtins.isFunction flake.outputs;
+      result
+    else
+      sourceInfo
+  ) lockFile.nodes;
+
+in
+allNodes.${lockFile.root}
--- a/src/libexpr/eval-settings.cc
+++ b/src/libexpr/eval-settings.cc
@@ -57,7 +57,7 @@ Strings EvalSettings::getDefaultNixPath()
 {
    Strings res;
    auto add = [&](const Path & p, const std::string & s = std::string()) {
-        if (pathAccessible(p)) {
+        if (std::filesystem::exists(p)) {
            if (s.empty()) {
                res.push_back(p);
            } else {
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -347,6 +347,16 @@ void EvalState::allowPath(const StorePath & storePath)
        rootFS2->allowPrefix(CanonPath(store->toRealPath(storePath)));
 }

+void EvalState::allowClosure(const StorePath & storePath)
+{
+    if (!rootFS.dynamic_pointer_cast<AllowListSourceAccessor>()) return;
+
+    StorePathSet closure;
+    store->computeFSClosure(storePath, closure);
+    for (auto & p : closure)
+        allowPath(p);
+}
+
 void EvalState::allowAndSetStorePathString(const StorePath & storePath, Value & v)
 {
    allowPath(storePath);
@@ -396,7 +406,7 @@ void EvalState::checkURI(const std::string & uri)

    /* If the URI is a path, then check it against allowedPaths as
       well. */
-    if (hasPrefix(uri, "/")) {
+    if (isAbsolute(uri)) {
        if (auto rootFS2 = rootFS.dynamic_pointer_cast<AllowListSourceAccessor>())
            rootFS2->checkAccess(CanonPath(uri));
        return;
@@ -2374,7 +2384,7 @@ StorePath EvalState::copyPathToStore(NixStringContext & context, const SourcePat
        : [&]() {
            auto dstPath = fetchToStore(
                *store,
-                path.resolveSymlinks(),
+                path.resolveSymlinks(SymlinkResolution::Ancestors),
                settings.readOnlyMode ? FetchMode::DryRun : FetchMode::Copy,
                path.baseName(),
                ContentAddressMethod::Raw::NixArchive,
@@ -3060,8 +3070,11 @@ std::optional<SourcePath> EvalState::resolveLookupPathPath(const LookupPath::Pat
    auto i = lookupPathResolved.find(value);
    if (i != lookupPathResolved.end()) return i->second;

-    auto finish = [&](SourcePath res) {
-        debug("resolved search path element '%s' to '%s'", value, res);
+    auto finish = [&](std::optional<SourcePath> res) {
+        if (res)
+            debug("resolved search path element '%s' to '%s'", value, *res);
+        else
+            debug("failed to resolve search path element '%s'", value);
        lookupPathResolved.emplace(value, res);
        return res;
    };
@@ -3099,15 +3112,12 @@ std::optional<SourcePath> EvalState::resolveLookupPathPath(const LookupPath::Pat
            allowPath(path.path.abs());
            if (store->isInStore(path.path.abs())) {
                try {
-                    StorePathSet closure;
-                    store->computeFSClosure(store->toStorePath(path.path.abs()).first, closure);
-                    for (auto & p : closure)
-                        allowPath(p);
+                    allowClosure(store->toStorePath(path.path.abs()).first);
                } catch (InvalidPath &) { }
            }
        }

-        if (path.pathExists())
+        if (path.resolveSymlinks().pathExists())
            return finish(std::move(path));
        else {
            logWarning({
@@ -3116,8 +3126,7 @@ std::optional<SourcePath> EvalState::resolveLookupPathPath(const LookupPath::Pat
        }
    }

-    debug("failed to resolve search path element '%s'", value);
-    return std::nullopt;
+    return finish(std::nullopt);
 }


@@ -3178,12 +3187,16 @@ std::ostream & operator << (std::ostream & str, const ExternalValueBase & v) {
    return v.print(str);
 }

-void forceNoNullByte(std::string_view s)
+void forceNoNullByte(std::string_view s, std::function<Pos()> pos)
 {
    if (s.find('\0') != s.npos) {
        using namespace std::string_view_literals;
        auto str = replaceStrings(std::string(s), "\0"sv, "␀"sv);
-        throw Error("input string '%s' cannot be represented as Nix string because it contains null bytes", str);
+        Error error("input string '%s' cannot be represented as Nix string because it contains null bytes", str);
+        if (pos) {
+            error.atPos(pos());
+        }
+        throw error;
    }
 }

--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@@ -400,6 +400,11 @@ public:
     */
    void allowPath(const StorePath & storePath);

+    /**
+     * Allow access to the closure of a store path.
+     */
+    void allowClosure(const StorePath & storePath);
+
    /**
     * Allow access to a store path and return it as a string.
     */
@@ -815,6 +820,15 @@ public:
     */
    [[nodiscard]] StringMap realiseContext(const NixStringContext & context, StorePathSet * maybePaths = nullptr, bool isIFD = true);

+    /**
+     * Realise the given string with context, and return the string with outputs instead of downstream output placeholders.
+     * @param[in] str the string to realise
+     * @param[out] paths all referenced store paths will be added to this set
+     * @return the realised string
+     * @throw EvalError if the value is not a string, path or derivation (see `coerceToString`)
+     */
+    std::string realiseString(Value & str, StorePathSet * storePathsOutMaybe, bool isIFD = true, const PosIdx pos = noPos);
+
    /* Call the binary path filter predicate used builtins.path etc. */
    bool callPathFilter(
        Value * filterFun,
--- a/src/libexpr/fetchurl.nix
+++ b/src/libexpr/fetchurl.nix
@@ -1,40 +1,72 @@
-{ system ? "" # obsolete
-, url
-, hash ? "" # an SRI hash
+{
+  system ? "", # obsolete
+  url,
+  hash ? "", # an SRI hash

-# Legacy hash specification
-, md5 ? "", sha1 ? "", sha256 ? "", sha512 ? ""
-, outputHash ?
-    if hash != "" then hash else if sha512 != "" then sha512 else if sha1 != "" then sha1 else if md5 != "" then md5 else sha256
-, outputHashAlgo ?
-    if hash != "" then "" else if sha512 != "" then "sha512" else if sha1 != "" then "sha1" else if md5 != "" then "md5" else "sha256"
+  # Legacy hash specification
+  md5 ? "",
+  sha1 ? "",
+  sha256 ? "",
+  sha512 ? "",
+  outputHash ?
+    if hash != "" then
+      hash
+    else if sha512 != "" then
+      sha512
+    else if sha1 != "" then
+      sha1
+    else if md5 != "" then
+      md5
+    else
+      sha256,
+  outputHashAlgo ?
+    if hash != "" then
+      ""
+    else if sha512 != "" then
+      "sha512"
+    else if sha1 != "" then
+      "sha1"
+    else if md5 != "" then
+      "md5"
+    else
+      "sha256",

-, executable ? false
-, unpack ? false
-, name ? baseNameOf (toString url)
-, impure ? false
+  executable ? false,
+  unpack ? false,
+  name ? baseNameOf (toString url),
+  impure ? false,
 }:

-derivation ({
-  builder = "builtin:fetchurl";
+derivation (
+  {
+    builder = "builtin:fetchurl";

-  # New-style output content requirements.
-  outputHashMode = if unpack || executable then "recursive" else "flat";
+    # New-style output content requirements.
+    outputHashMode = if unpack || executable then "recursive" else "flat";

-  inherit name url executable unpack;
+    inherit
+      name
+      url
+      executable
+      unpack
+      ;

-  system = "builtin";
+    system = "builtin";

-  # No need to double the amount of network traffic
-  preferLocalBuild = true;
+    # No need to double the amount of network traffic
+    preferLocalBuild = true;

-  # This attribute does nothing; it's here to avoid changing evaluation results.
-  impureEnvVars = [
-    "http_proxy" "https_proxy" "ftp_proxy" "all_proxy" "no_proxy"
-  ];
+    # This attribute does nothing; it's here to avoid changing evaluation results.
+    impureEnvVars = [
+      "http_proxy"
+      "https_proxy"
+      "ftp_proxy"
+      "all_proxy"
+      "no_proxy"
+    ];

-  # To make "nix-prefetch-url" work.
-  urls = [ url ];
-} // (if impure
-      then { __impure = true; }
-      else { inherit outputHashAlgo outputHash; }))
+    # To make "nix-prefetch-url" work.
+    urls = [ url ];
+  }
+  // (if impure then { __impure = true; } else { inherit outputHashAlgo outputHash; })
+)
--- a/src/libexpr/imported-drv-to-derivation.nix
+++ b/src/libexpr/imported-drv-to-derivation.nix
@@ -1,21 +1,27 @@
-attrs @ { drvPath, outputs, name, ... }:
+attrs@{
+  drvPath,
+  outputs,
+  name,
+  ...
+}:

 let

-  commonAttrs = (builtins.listToAttrs outputsList) //
-    { all = map (x: x.value) outputsList;
-      inherit drvPath name;
-      type = "derivation";
-    };
+  commonAttrs = (builtins.listToAttrs outputsList) // {
+    all = map (x: x.value) outputsList;
+    inherit drvPath name;
+    type = "derivation";
+  };

-  outputToAttrListElement = outputName:
-    { name = outputName;
-      value = commonAttrs // {
-        outPath = builtins.getAttr outputName attrs;
-        inherit outputName;
-      };
+  outputToAttrListElement = outputName: {
+    name = outputName;
+    value = commonAttrs // {
+      outPath = builtins.getAttr outputName attrs;
+      inherit outputName;
    };
-    
+  };
+
  outputsList = map outputToAttrListElement outputs;
-    
-in (builtins.head outputsList).value
+
+in
+(builtins.head outputsList).value
--- a/src/libexpr/lexer-helpers.hh
+++ b/src/libexpr/lexer-helpers.hh
@@ -1,5 +1,13 @@
 #pragma once

+#include <cstddef>
+
+// inluding the generated headers twice leads to errors
+#ifndef BISON_HEADER
+#  include "lexer-tab.hh"
+#  include "parser-tab.hh"
+#endif
+
 namespace nix::lexer::internal {

 void initLoc(YYLTYPE * loc);
--- a/src/libexpr/lexer.l
+++ b/src/libexpr/lexer.l
@@ -41,16 +41,18 @@ namespace nix {

 // we make use of the fact that the parser receives a private copy of the input
 // string and can munge around in it.
-static StringToken unescapeStr(SymbolTable & symbols, char * s, size_t length)
+// getting the position is expensive and thus it is implemented lazily.
+static StringToken unescapeStr(char * const s, size_t length, std::function<Pos()> && pos)
 {
-    char * result = s;
+    bool noNullByte = true;
    char * t = s;
-    char c;
    // the input string is terminated with *two* NULs, so we can safely take
    // *one* character after the one being checked against.
-    while ((c = *s++)) {
+    for (size_t i = 0; i < length; t++) {
+        char c = s[i++];
+        noNullByte &= c != '\0';
        if (c == '\\') {
-            c = *s++;
+            c = s[i++];
            if (c == 'n') *t = '\n';
            else if (c == 'r') *t = '\r';
            else if (c == 't') *t = '\t';
@@ -59,12 +61,14 @@ static StringToken unescapeStr(SymbolTable & symbols, char * s, size_t length)
        else if (c == '\r') {
            /* Normalise CR and CR/LF into LF. */
            *t = '\n';
-            if (*s == '\n') s++; /* cr/lf */
+            if (s[i] == '\n') i++; /* cr/lf */
        }
        else *t = c;
-        t++;
    }
-    return {result, size_t(t - result)};
+    if (!noNullByte) {
+        forceNoNullByte({s, size_t(t - s)}, std::move(pos));
+    }
+    return {s, size_t(t - s)};
 }

 static void requireExperimentalFeature(const ExperimentalFeature & feature, const Pos & pos)
@@ -175,7 +179,7 @@ or          { return OR_KW; }
                /* It is impossible to match strings ending with '$' with one
                   regex because trailing contexts are only valid at the end
                   of a rule. (A sane but undocumented limitation.) */
-                yylval->str = unescapeStr(state->symbols, yytext, yyleng);
+                yylval->str = unescapeStr(yytext, yyleng, [&]() { return state->positions[CUR_POS]; });
                return STR;
              }
 <STRING>\$\{  { PUSH_STATE(DEFAULT); return DOLLAR_CURLY; }
@@ -191,6 +195,7 @@ or          { return OR_KW; }
 \'\'(\ *\n)?     { PUSH_STATE(IND_STRING); return IND_STRING_OPEN; }
 <IND_STRING>([^\$\']|\$[^\{\']|\'[^\'\$])+ {
                   yylval->str = {yytext, (size_t) yyleng, true};
+                   forceNoNullByte(yylval->str, [&]() { return state->positions[CUR_POS]; });
                   return IND_STR;
                 }
 <IND_STRING>\'\'\$ |
@@ -203,7 +208,7 @@ or          { return OR_KW; }
                   return IND_STR;
                 }
 <IND_STRING>\'\'\\{ANY} {
-                   yylval->str = unescapeStr(state->symbols, yytext + 2, yyleng - 2);
+                   yylval->str = unescapeStr(yytext + 2, yyleng - 2, [&]() { return state->positions[CUR_POS]; });
                   return IND_STR;
                 }
 <IND_STRING>\$\{ { PUSH_STATE(DEFAULT); return DOLLAR_CURLY; }
--- a/src/libexpr/meson.build
+++ b/src/libexpr/meson.build
@@ -4,8 +4,6 @@ project('nix-expr', 'cpp',
    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
-    'debug=true',
-    'optimization=2',
    'errorlogs=true', # Please print logs for tests that fail
  ],
  meson_version : '>= 1.1',
--- a/src/libexpr/nixexpr.hh
+++ b/src/libexpr/nixexpr.hh
@@ -168,7 +168,7 @@ struct ExprVar : Expr
       the set stored in the environment that is `level` levels up
       from the current one.*/
    Level level;
-    Displacement displ;
+    Displacement displ = 0;

    ExprVar(Symbol name) : name(name) { };
    ExprVar(const PosIdx & pos, Symbol name) : pos(pos), name(name) { };
@@ -242,7 +242,7 @@ struct ExprAttrs : Expr
        Kind kind;
        Expr * e;
        PosIdx pos;
-        Displacement displ; // displacement
+        Displacement displ = 0; // displacement
        AttrDef(Expr * e, const PosIdx & pos, Kind kind = Kind::Plain)
            : kind(kind), e(e), pos(pos) { };
        AttrDef() { };
--- a/src/libexpr/package.nix
+++ b/src/libexpr/package.nix
@@ -1,33 +1,34 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  stdenv,
+  mkMesonLibrary,

-, bison
-, flex
-, cmake # for resolving toml11 dep
+  bison,
+  flex,
+  cmake, # for resolving toml11 dep

-, nix-util
-, nix-store
-, nix-fetchers
-, boost
-, boehmgc
-, nlohmann_json
-, toml11
+  nix-util,
+  nix-store,
+  nix-fetchers,
+  boost,
+  boehmgc,
+  nlohmann_json,
+  toml11,

-# Configuration Options
+  # Configuration Options

-, version
+  version,

-# Whether to use garbage collection for the Nix language evaluator.
-#
-# If it is disabled, we just leak memory, but this is not as bad as it
-# sounds so long as evaluation just takes places within short-lived
-# processes. (When the process exits, the memory is reclaimed; it is
-# only leaked *within* the process.)
-#
-# Temporarily disabled on Windows because the `GC_throw_bad_alloc`
-# symbol is missing during linking.
-, enableGC ? !stdenv.hostPlatform.isWindows
+  # Whether to use garbage collection for the Nix language evaluator.
+  #
+  # If it is disabled, we just leak memory, but this is not as bad as it
+  # sounds so long as evaluation just takes places within short-lived
+  # processes. (When the process exits, the memory is reclaimed; it is
+  # only leaked *within* the process.)
+  #
+  # Temporarily disabled on Windows because the `GC_throw_bad_alloc`
+  # symbol is missing during linking.
+  enableGC ? !stdenv.hostPlatform.isWindows,
 }:

 let
@@ -51,10 +52,7 @@ mkMesonLibrary (finalAttrs: {
    (fileset.fileFilter (file: file.hasExt "hh") ./.)
    ./lexer.l
    ./parser.y
-    (fileset.difference
-      (fileset.fileFilter (file: file.hasExt "nix") ./.)
-      ./package.nix
-    )
+    (fileset.difference (fileset.fileFilter (file: file.hasExt "nix") ./.) ./package.nix)
  ];

  nativeBuildInputs = [
@@ -79,14 +77,6 @@ mkMesonLibrary (finalAttrs: {
    nlohmann_json
  ] ++ lib.optional enableGC boehmgc;

-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
  mesonFlags = [
    (lib.mesonEnable "gc" enableGC)
  ];
@@ -96,8 +86,6 @@ mkMesonLibrary (finalAttrs: {
    # https://github.com/NixOS/nixpkgs/issues/86131.
    BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
    BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
-  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
  };

  meta = {
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -47,6 +47,15 @@ static inline Value * mkString(EvalState & state, const std::csub_match & match)
    return v;
 }

+std::string EvalState::realiseString(Value & s, StorePathSet * storePathsOutMaybe, bool isIFD, const PosIdx pos)
+{
+    nix::NixStringContext stringContext;
+    auto rawStr = coerceToString(pos, s, stringContext, "while realising a string").toOwned();
+    auto rewrites = realiseContext(stringContext, storePathsOutMaybe, isIFD);
+
+    return nix::rewriteStrings(rawStr, rewrites);
+}
+
 StringMap EvalState::realiseContext(const NixStringContext & context, StorePathSet * maybePathsOut, bool isIFD)
 {
    std::vector<DerivedPath::Built> drvs;
@@ -119,11 +128,9 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
    if (store != buildStore) copyClosure(*buildStore, *store, outputsToCopyAndAllow);

    if (isIFD) {
-        for (auto & outputPath : outputsToCopyAndAllow) {
-            /* Add the output of this derivations to the allowed
-            paths. */
-            allowPath(outputPath);
-        }
+        /* Allow access to the output closures of this derivation. */
+        for (auto & outputPath : outputsToCopyAndAllow)
+            allowClosure(outputPath);
    }

    return res;
@@ -2047,7 +2054,7 @@ static RegisterPrimOp primop_readFileType({
    .args = {"p"},
    .doc = R"(
      Determine the directory entry type of a filesystem node, being
-      one of "directory", "regular", "symlink", or "unknown".
+      one of `"directory"`, `"regular"`, `"symlink"`, or `"unknown"`.
    )",
    .fun = prim_readFileType,
 });
@@ -3259,23 +3266,19 @@ static RegisterPrimOp primop_isList({
    .fun = prim_isList,
 });

-static void elemAt(EvalState & state, const PosIdx pos, Value & list, int n, Value & v)
-{
-    state.forceList(list, pos, "while evaluating the first argument passed to builtins.elemAt");
-    if (n < 0 || (unsigned int) n >= list.listSize())
-        state.error<EvalError>(
-            "list index %1% is out of bounds",
-            n
-        ).atPos(pos).debugThrow();
-    state.forceValue(*list.listElems()[n], pos);
-    v = *list.listElems()[n];
-}
-
 /* Return the n-1'th element of a list. */
 static void prim_elemAt(EvalState & state, const PosIdx pos, Value * * args, Value & v)
 {
-    NixInt::Inner elem = state.forceInt(*args[1], pos, "while evaluating the second argument passed to builtins.elemAt").value;
-    elemAt(state, pos, *args[0], elem, v);
+    NixInt::Inner n = state.forceInt(*args[1], pos, "while evaluating the second argument passed to 'builtins.elemAt'").value;
+    state.forceList(*args[0], pos, "while evaluating the first argument passed to 'builtins.elemAt'");
+    if (n < 0 || (unsigned int) n >= args[0]->listSize())
+        state.error<EvalError>(
+            "'builtins.elemAt' called with index %d on a list of size %d",
+            n,
+            args[0]->listSize()
+        ).atPos(pos).debugThrow();
+    state.forceValue(*args[0]->listElems()[n], pos);
+    v = *args[0]->listElems()[n];
 }

 static RegisterPrimOp primop_elemAt({
@@ -3291,7 +3294,13 @@ static RegisterPrimOp primop_elemAt({
 /* Return the first element of a list. */
 static void prim_head(EvalState & state, const PosIdx pos, Value * * args, Value & v)
 {
-    elemAt(state, pos, *args[0], 0, v);
+    state.forceList(*args[0], pos, "while evaluating the first argument passed to 'builtins.head'");
+    if (args[0]->listSize() == 0)
+        state.error<EvalError>(
+            "'builtins.head' called on an empty list"
+        ).atPos(pos).debugThrow();
+    state.forceValue(*args[0]->listElems()[0], pos);
+    v = *args[0]->listElems()[0];
 }

 static RegisterPrimOp primop_head({
@@ -3310,9 +3319,9 @@ static RegisterPrimOp primop_head({
   don't want to use it!  */
 static void prim_tail(EvalState & state, const PosIdx pos, Value * * args, Value & v)
 {
-    state.forceList(*args[0], pos, "while evaluating the first argument passed to builtins.tail");
+    state.forceList(*args[0], pos, "while evaluating the first argument passed to 'builtins.tail'");
    if (args[0]->listSize() == 0)
-        state.error<EvalError>("'tail' called on an empty list").atPos(pos).debugThrow();
+        state.error<EvalError>("'builtins.tail' called on an empty list").atPos(pos).debugThrow();

    auto list = state.buildList(args[0]->listSize() - 1);
    for (const auto & [n, v] : enumerate(list))
@@ -4059,7 +4068,7 @@ static RegisterPrimOp primop_toString({
 });

 /* `substring start len str' returns the substring of `str' starting
-   at character position `min(start, stringLength str)' inclusive and
+   at byte position `min(start, stringLength str)' inclusive and
   ending at `min(start + len, stringLength str)'.  `start' must be
   non-negative. */
 static void prim_substring(EvalState & state, const PosIdx pos, Value * * args, Value & v)
@@ -4098,7 +4107,7 @@ static RegisterPrimOp primop_substring({
    .name = "__substring",
    .args = {"start", "len", "s"},
    .doc = R"(
-      Return the substring of *s* from character position *start*
+      Return the substring of *s* from byte position *start*
      (zero-based) up to but not including *start + len*. If *start* is
      greater than the length of the string, an empty string is returned.
      If *start + len* lies beyond the end of the string or *len* is `-1`,
--- a/src/libexpr/primops/derivation.nix
+++ b/src/libexpr/primops/derivation.nix
@@ -26,27 +26,34 @@
  Note that `derivation` is very bare-bones, and provides almost no commands during the build.
  Most likely, you'll want to use functions like `stdenv.mkDerivation` in Nixpkgs to set up a basic environment.
 */
-drvAttrs @ { outputs ? [ "out" ], ... }:
+drvAttrs@{
+  outputs ? [ "out" ],
+  ...
+}:

 let

  strict = derivationStrict drvAttrs;

-  commonAttrs = drvAttrs // (builtins.listToAttrs outputsList) //
-    { all = map (x: x.value) outputsList;
+  commonAttrs =
+    drvAttrs
+    // (builtins.listToAttrs outputsList)
+    // {
+      all = map (x: x.value) outputsList;
      inherit drvAttrs;
    };

-  outputToAttrListElement = outputName:
-    { name = outputName;
-      value = commonAttrs // {
-        outPath = builtins.getAttr outputName strict;
-        drvPath = strict.drvPath;
-        type = "derivation";
-        inherit outputName;
-      };
+  outputToAttrListElement = outputName: {
+    name = outputName;
+    value = commonAttrs // {
+      outPath = builtins.getAttr outputName strict;
+      drvPath = strict.drvPath;
+      type = "derivation";
+      inherit outputName;
    };
+  };

  outputsList = map outputToAttrListElement outputs;

-in (builtins.head outputsList).value
+in
+(builtins.head outputsList).value
--- a/src/libexpr/primops/fetchTree.cc
+++ b/src/libexpr/primops/fetchTree.cc
@@ -182,7 +182,7 @@ static void fetchTree(
    if (!state.settings.pureEval && !input.isDirect() && experimentalFeatureSettings.isEnabled(Xp::Flakes))
        input = lookupInRegistries(state.store, input).first;

-    if (state.settings.pureEval && !input.isLocked()) {
+    if (state.settings.pureEval && !input.isConsideredLocked(state.fetchSettings)) {
        auto fetcher = "fetchTree";
        if (params.isFetchGit)
            fetcher = "fetchGit";
--- a/src/libexpr/print-options.hh
+++ b/src/libexpr/print-options.hh
@@ -5,6 +5,7 @@
 */

 #include <limits>
+#include <stddef.h>

 namespace nix {

--- a/src/libexpr/value-to-json.cc
+++ b/src/libexpr/value-to-json.cc
@@ -108,7 +108,11 @@ json printValueAsJSON(EvalState & state, bool strict,
 void printValueAsJSON(EvalState & state, bool strict,
    Value & v, const PosIdx pos, std::ostream & str, NixStringContext & context, bool copyToStore)
 {
-    str << printValueAsJSON(state, strict, v, pos, context, copyToStore);
+    try {
+        str << printValueAsJSON(state, strict, v, pos, context, copyToStore);
+    } catch (nlohmann::json::exception & e) {
+        throw JSONSerializationError("JSON serialization error: %s", e.what());
+    }
 }

 json ExternalValueBase::printValueAsJSON(EvalState & state, bool strict,
--- a/src/libexpr/value-to-json.hh
+++ b/src/libexpr/value-to-json.hh
@@ -16,4 +16,7 @@ nlohmann::json printValueAsJSON(EvalState & state, bool strict,
 void printValueAsJSON(EvalState & state, bool strict,
    Value & v, const PosIdx pos, std::ostream & str, NixStringContext & context, bool copyToStore = true);

+
+MakeError(JSONSerializationError, Error);
+
 }
--- a/src/libexpr/value.hh
+++ b/src/libexpr/value.hh
@@ -510,6 +510,6 @@ typedef std::shared_ptr<Value *> RootValue;

 RootValue allocRootValue(Value * v);

-void forceNoNullByte(std::string_view s);
+void forceNoNullByte(std::string_view s, std::function<Pos()> = nullptr);

 }
--- a/src/libfetchers-tests/meson.build
+++ b/src/libfetchers-tests/meson.build
@@ -4,8 +4,6 @@ project('nix-fetchers-tests', 'cpp',
    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
-    'debug=true',
-    'optimization=2',
    'errorlogs=true', # Please print logs for tests that fail
  ],
  meson_version : '>= 1.1',
--- a/src/libfetchers-tests/package.nix
+++ b/src/libfetchers-tests/package.nix
@@ -1,19 +1,20 @@
-{ lib
-, buildPackages
-, stdenv
-, mkMesonExecutable
+{
+  lib,
+  buildPackages,
+  stdenv,
+  mkMesonExecutable,

-, nix-fetchers
-, nix-store-test-support
+  nix-fetchers,
+  nix-store-test-support,

-, rapidcheck
-, gtest
-, runCommand
+  rapidcheck,
+  gtest,
+  runCommand,

-# Configuration Options
+  # Configuration Options

-, version
-, resolvePath
+  version,
+  resolvePath,
 }:

 let
@@ -43,33 +44,27 @@ mkMesonExecutable (finalAttrs: {
    gtest
  ];

-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
  mesonFlags = [
  ];

-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
  passthru = {
    tests = {
-      run = runCommand "${finalAttrs.pname}-run" {
-        meta.broken = !stdenv.hostPlatform.emulatorAvailable buildPackages;
-      } (lib.optionalString stdenv.hostPlatform.isWindows ''
-        export HOME="$PWD/home-dir"
-        mkdir -p "$HOME"
-      '' + ''
-        export _NIX_TEST_UNIT_DATA=${resolvePath ./data}
-        ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
-        touch $out
-      '');
+      run =
+        runCommand "${finalAttrs.pname}-run"
+          {
+            meta.broken = !stdenv.hostPlatform.emulatorAvailable buildPackages;
+          }
+          (
+            lib.optionalString stdenv.hostPlatform.isWindows ''
+              export HOME="$PWD/home-dir"
+              mkdir -p "$HOME"
+            ''
+            + ''
+              export _NIX_TEST_UNIT_DATA=${resolvePath ./data}
+              ${stdenv.hostPlatform.emulator buildPackages} ${lib.getExe finalAttrs.finalPackage}
+              touch $out
+            ''
+          );
    };
  };

--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@@ -70,6 +70,22 @@ struct Settings : public Config
    Setting<bool> warnDirty{this, true, "warn-dirty",
        "Whether to warn about dirty Git/Mercurial trees."};

+    Setting<bool> allowDirtyLocks{
+        this,
+        false,
+        "allow-dirty-locks",
+        R"(
+          Whether to allow dirty inputs (such as dirty Git workdirs)
+          to be locked via their NAR hash. This is generally bad
+          practice since Nix has no way to obtain such inputs if they
+          are subsequently modified. Therefore lock files with dirty
+          locks should generally only be used for local testing, and
+          should not be pushed to other users.
+        )",
+        {},
+        true,
+        Xp::Flakes};
+
    Setting<bool> trustTarballsFromGitForges{
        this, true, "trust-tarballs-from-git-forges",
        R"(
--- a/src/libfetchers/fetchers.cc
+++ b/src/libfetchers/fetchers.cc
@@ -4,6 +4,7 @@
 #include "fetch-to-store.hh"
 #include "json-utils.hh"
 #include "store-path-accessor.hh"
+#include "fetch-settings.hh"

 #include <nlohmann/json.hpp>

@@ -66,7 +67,7 @@ Input Input::fromURL(
        }
    }

-    throw Error("input '%s' is unsupported", url.url);
+    throw Error("input '%s' is unsupported", url);
 }

 Input Input::fromAttrs(const Settings & settings, Attrs && attrs)
@@ -113,7 +114,15 @@ Input Input::fromAttrs(const Settings & settings, Attrs && attrs)

 std::optional<std::string> Input::getFingerprint(ref<Store> store) const
 {
-    return scheme ? scheme->getFingerprint(store, *this) : std::nullopt;
+    if (!scheme) return std::nullopt;
+
+    if (cachedFingerprint) return *cachedFingerprint;
+
+    auto fingerprint = scheme->getFingerprint(store, *this);
+
+    cachedFingerprint = fingerprint;
+
+    return fingerprint;
 }

 ParsedURL Input::toURL() const
@@ -146,11 +155,23 @@ bool Input::isLocked() const
    return scheme && scheme->isLocked(*this);
 }

+bool Input::isConsideredLocked(
+    const Settings & settings) const
+{
+    return isLocked() || (settings.allowDirtyLocks && getNarHash());
+}
+
 bool Input::isFinal() const
 {
    return maybeGetBoolAttr(attrs, "__final").value_or(false);
 }

+std::optional<std::string> Input::isRelative() const
+{
+    assert(scheme);
+    return scheme->isRelative(*this);
+}
+
 Attrs Input::toAttrs() const
 {
    return attrs;
@@ -307,7 +328,7 @@ std::pair<ref<SourceAccessor>, Input> Input::getAccessorUnchecked(ref<Store> sto

            auto accessor = makeStorePathAccessor(store, storePath);

-            accessor->fingerprint = scheme->getFingerprint(store, *this);
+            accessor->fingerprint = getFingerprint(store);

            return {accessor, *this};
        } catch (Error & e) {
@@ -318,7 +339,7 @@ std::pair<ref<SourceAccessor>, Input> Input::getAccessorUnchecked(ref<Store> sto
    auto [accessor, result] = scheme->getAccessor(store, *this);

    assert(!accessor->fingerprint);
-    accessor->fingerprint = scheme->getFingerprint(store, result);
+    accessor->fingerprint = result.getFingerprint(store);

    return {accessor, std::move(result)};
 }
@@ -337,7 +358,7 @@ void Input::clone(const Path & destDir) const
    scheme->clone(*this, destDir);
 }

-std::optional<Path> Input::getSourcePath() const
+std::optional<std::filesystem::path> Input::getSourcePath() const
 {
    assert(scheme);
    return scheme->getSourcePath(*this);
@@ -440,7 +461,7 @@ Input InputScheme::applyOverrides(
    return input;
 }

-std::optional<Path> InputScheme::getSourcePath(const Input & input) const
+std::optional<std::filesystem::path> InputScheme::getSourcePath(const Input & input) const
 {
    return {};
 }
--- a/src/libfetchers/fetchers.hh
+++ b/src/libfetchers/fetchers.hh
@@ -42,9 +42,9 @@ struct Input
    Attrs attrs;

    /**
-     * path of the parent of this input, used for relative path resolution
+     * Cached result of getFingerprint().
     */
-    std::optional<Path> parent;
+    mutable std::optional<std::optional<std::string>> cachedFingerprint;

 public:
    /**
@@ -90,6 +90,21 @@ public:
     */
    bool isLocked() const;

+    /**
+     * Return whether the input is either locked, or, if
+     * `allow-dirty-locks` is enabled, it has a NAR hash. In the
+     * latter case, we can verify the input but we may not be able to
+     * fetch it from anywhere.
+     */
+    bool isConsideredLocked(
+        const Settings & settings) const;
+
+    /**
+     * Only for relative path flakes, i.e. 'path:./foo', returns the
+     * relative path, i.e. './foo'.
+     */
+    std::optional<std::string> isRelative() const;
+
    /**
     * Return whether this is a "final" input, meaning that fetching
     * it will not add, remove or change any attributes. (See
@@ -104,6 +119,11 @@ public:

    bool operator ==(const Input & other) const noexcept;

+    bool operator <(const Input & other) const
+    {
+        return attrs < other.attrs;
+    }
+
    bool contains(const Input & other) const;

    /**
@@ -144,7 +164,7 @@ public:

    void clone(const Path & destDir) const;

-    std::optional<Path> getSourcePath() const;
+    std::optional<std::filesystem::path> getSourcePath() const;

    /**
     * Write a file to this input, for input types that support
@@ -227,7 +247,7 @@ struct InputScheme

    virtual void clone(const Input & input, const Path & destDir) const;

-    virtual std::optional<Path> getSourcePath(const Input & input) const;
+    virtual std::optional<std::filesystem::path> getSourcePath(const Input & input) const;

    virtual void putFile(
        const Input & input,
@@ -250,6 +270,9 @@ struct InputScheme

    virtual bool isLocked(const Input & input) const
    { return false; }
+
+    virtual std::optional<std::string> isRelative(const Input & input) const
+    { return std::nullopt; }
 };

 void registerInputScheme(std::shared_ptr<InputScheme> && fetcher);
--- a/src/libfetchers/git-utils.cc
+++ b/src/libfetchers/git-utils.cc
@@ -5,6 +5,7 @@
 #include "signals.hh"
 #include "users.hh"
 #include "fs-sink.hh"
+#include "sync.hh"

 #include <git2/attr.h>
 #include <git2/blob.h>
@@ -205,7 +206,8 @@ static git_packbuilder_progress PACKBUILDER_PROGRESS_CHECK_INTERRUPT = &packBuil

 } // extern "C"

-static void initRepoAtomically(std::filesystem::path &path, bool bare) {
+static void initRepoAtomically(std::filesystem::path &path, bool bare)
+{
    if (pathExists(path.string())) return;

    Path tmpDir = createTempDir(os_string_to_string(PathViewNG { std::filesystem::path(path).parent_path() }));
@@ -437,7 +439,12 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
        {
            if (!(statusFlags & GIT_STATUS_INDEX_DELETED) &&
                !(statusFlags & GIT_STATUS_WT_DELETED))
+            {
                info.files.insert(CanonPath(path));
+                if (statusFlags != GIT_STATUS_CURRENT)
+                    info.dirtyFiles.insert(CanonPath(path));
+            } else
+                info.deletedFiles.insert(CanonPath(path));
            if (statusFlags != GIT_STATUS_CURRENT)
                info.isDirty = true;
            return 0;
@@ -501,7 +508,10 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
     */
    ref<GitSourceAccessor> getRawAccessor(const Hash & rev);

-    ref<SourceAccessor> getAccessor(const Hash & rev, bool exportIgnore) override;
+    ref<SourceAccessor> getAccessor(
+        const Hash & rev,
+        bool exportIgnore,
+        std::string displayPrefix) override;

    ref<SourceAccessor> getAccessor(const WorkdirInfo & wd, bool exportIgnore, MakeNotAllowedError e) override;

@@ -538,13 +548,10 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>
        //       then use code that was removed in this commit (see blame)

        auto dir = this->path;
-        Strings gitArgs;
-        if (shallow) {
-            gitArgs = { "-C", dir.string(), "fetch", "--quiet", "--force", "--depth", "1", "--", url, refspec };
-        }
-        else {
-            gitArgs = { "-C", dir.string(), "fetch", "--quiet", "--force", "--", url, refspec };
-        }
+        Strings gitArgs{"-C", dir.string(), "--git-dir", ".", "fetch", "--quiet", "--force"};
+        if (shallow)
+            append(gitArgs, {"--depth", "1"});
+        append(gitArgs, {std::string("--"), url, refspec});

        runProgram(RunOptions {
            .program = "git",
@@ -623,7 +630,7 @@ struct GitRepoImpl : GitRepo, std::enable_shared_from_this<GitRepoImpl>

    Hash treeHashToNarHash(const Hash & treeHash) override
    {
-        auto accessor = getAccessor(treeHash, false);
+        auto accessor = getAccessor(treeHash, false, "");

        fetchers::Cache::Key cacheKey{"treeHashToNarHash", {{"treeHash", treeHash.gitRev()}}};

@@ -1190,16 +1197,18 @@ ref<GitSourceAccessor> GitRepoImpl::getRawAccessor(const Hash & rev)
    return make_ref<GitSourceAccessor>(self, rev);
 }

-ref<SourceAccessor> GitRepoImpl::getAccessor(const Hash & rev, bool exportIgnore)
+ref<SourceAccessor> GitRepoImpl::getAccessor(
+    const Hash & rev,
+    bool exportIgnore,
+    std::string displayPrefix)
 {
    auto self = ref<GitRepoImpl>(shared_from_this());
    ref<GitSourceAccessor> rawGitAccessor = getRawAccessor(rev);
-    if (exportIgnore) {
+    rawGitAccessor->setPathDisplay(std::move(displayPrefix));
+    if (exportIgnore)
        return make_ref<GitExportIgnoreSourceAccessor>(self, rawGitAccessor, rev);
-    }
-    else {
+    else
        return rawGitAccessor;
-    }
 }

 ref<SourceAccessor> GitRepoImpl::getAccessor(const WorkdirInfo & wd, bool exportIgnore, MakeNotAllowedError makeNotAllowedError)
@@ -1232,7 +1241,7 @@ std::vector<std::tuple<GitRepoImpl::Submodule, Hash>> GitRepoImpl::getSubmodules
    /* Read the .gitmodules files from this revision. */
    CanonPath modulesFile(".gitmodules");

-    auto accessor = getAccessor(rev, exportIgnore);
+    auto accessor = getAccessor(rev, exportIgnore, "");
    if (!accessor->pathExists(modulesFile)) return {};

    /* Parse it and get the revision of each submodule. */
@@ -1262,4 +1271,17 @@ ref<GitRepo> getTarballCache()
    return GitRepo::openRepo(repoDir, true, true);
 }

+GitRepo::WorkdirInfo GitRepo::getCachedWorkdirInfo(const std::filesystem::path & path)
+{
+    static Sync<std::map<std::filesystem::path, WorkdirInfo>> _cache;
+    {
+        auto cache(_cache.lock());
+        auto i = cache->find(path);
+        if (i != cache->end()) return i->second;
+    }
+    auto workdirInfo = GitRepo::openRepo(path)->getWorkdirInfo();
+    _cache.lock()->emplace(path, workdirInfo);
+    return workdirInfo;
+}
+
 }
--- a/src/libfetchers/git-utils.hh
+++ b/src/libfetchers/git-utils.hh
@@ -59,12 +59,20 @@ struct GitRepo
           modified or added, but excluding deleted files. */
        std::set<CanonPath> files;

+        /* All modified or added files. */
+        std::set<CanonPath> dirtyFiles;
+
+        /* The deleted files. */
+        std::set<CanonPath> deletedFiles;
+
        /* The submodules listed in .gitmodules of this workdir. */
        std::vector<Submodule> submodules;
    };

    virtual WorkdirInfo getWorkdirInfo() = 0;

+    static WorkdirInfo getCachedWorkdirInfo(const std::filesystem::path & path);
+
    /* Get the ref that HEAD points to. */
    virtual std::optional<std::string> getWorkdirRef() = 0;

@@ -78,7 +86,10 @@ struct GitRepo

    virtual bool hasObject(const Hash & oid) = 0;

-    virtual ref<SourceAccessor> getAccessor(const Hash & rev, bool exportIgnore) = 0;
+    virtual ref<SourceAccessor> getAccessor(
+        const Hash & rev,
+        bool exportIgnore,
+        std::string displayPrefix) = 0;

    virtual ref<SourceAccessor> getAccessor(const WorkdirInfo & wd, bool exportIgnore, MakeNotAllowedError makeNotAllowedError) = 0;

--- a/src/libfetchers/git.cc
+++ b/src/libfetchers/git.cc
@@ -15,6 +15,7 @@
 #include "finally.hh"
 #include "fetch-settings.hh"
 #include "json-utils.hh"
+#include "archive.hh"

 #include <regex>
 #include <string.h>
@@ -68,7 +69,7 @@ std::optional<std::string> readHead(const Path & path)

    std::string_view line = output;
    line = line.substr(0, line.find("\n"));
-    if (const auto parseResult = git::parseLsRemoteLine(line)) {
+    if (const auto parseResult = git::parseLsRemoteLine(line); parseResult && parseResult->reference == "HEAD") {
        switch (parseResult->kind) {
            case git::LsRemoteRefLine::Kind::Symbolic:
                debug("resolved HEAD ref '%s' for repo '%s'", parseResult->target, path);
@@ -296,7 +297,7 @@ struct GitInputScheme : InputScheme

        Strings args = {"clone"};

-        args.push_back(repoInfo.url);
+        args.push_back(repoInfo.locationToArg());

        if (auto ref = input.getRef()) {
            args.push_back("--branch");
@@ -310,11 +311,9 @@ struct GitInputScheme : InputScheme
        runProgram("git", true, args, {}, true);
    }

-    std::optional<Path> getSourcePath(const Input & input) const override
+    std::optional<std::filesystem::path> getSourcePath(const Input & input) const override
    {
-        auto repoInfo = getRepoInfo(input);
-        if (repoInfo.isLocal) return repoInfo.url;
-        return std::nullopt;
+        return getRepoInfo(input).getPath();
    }

    void putFile(
@@ -324,14 +323,15 @@ struct GitInputScheme : InputScheme
        std::optional<std::string> commitMsg) const override
    {
        auto repoInfo = getRepoInfo(input);
-        if (!repoInfo.isLocal)
+        auto repoPath = repoInfo.getPath();
+        if (!repoPath)
            throw Error("cannot commit '%s' to Git repository '%s' because it's not a working tree", path, input.to_string());

-        writeFile((CanonPath(repoInfo.url) / path).abs(), contents);
+        writeFile(*repoPath / path.rel(), contents);

        auto result = runProgram(RunOptions {
            .program = "git",
-            .args = {"-C", repoInfo.url, "--git-dir", repoInfo.gitDir, "check-ignore", "--quiet", std::string(path.rel())},
+            .args = {"-C", repoPath->string(), "--git-dir", repoInfo.gitDir, "check-ignore", "--quiet", std::string(path.rel())},
        });
        auto exitCode =
 #ifndef WIN32 // TODO abstract over exit status handling on Windows
@@ -344,7 +344,7 @@ struct GitInputScheme : InputScheme
        if (exitCode != 0) {
            // The path is not `.gitignore`d, we can add the file.
            runProgram("git", true,
-                { "-C", repoInfo.url, "--git-dir", repoInfo.gitDir, "add", "--intent-to-add", "--", std::string(path.rel()) });
+                { "-C", repoPath->string(), "--git-dir", repoInfo.gitDir, "add", "--intent-to-add", "--", std::string(path.rel()) });


            if (commitMsg) {
@@ -352,7 +352,7 @@ struct GitInputScheme : InputScheme
                logger->pause();
                Finally restoreLogger([]() { logger->resume(); });
                runProgram("git", true,
-                    { "-C", repoInfo.url, "--git-dir", repoInfo.gitDir, "commit", std::string(path.rel()), "-F", "-" },
+                    { "-C", repoPath->string(), "--git-dir", repoInfo.gitDir, "commit", std::string(path.rel()), "-F", "-" },
                    *commitMsg);
            }
        }
@@ -360,24 +360,41 @@ struct GitInputScheme : InputScheme

    struct RepoInfo
    {
-        /* Whether this is a local, non-bare repository. */
-        bool isLocal = false;
+        /* Either the path of the repo (for local, non-bare repos), or
+           the URL (which is never a `file` URL). */
+        std::variant<std::filesystem::path, ParsedURL> location;

        /* Working directory info: the complete list of files, and
           whether the working directory is dirty compared to HEAD. */
        GitRepo::WorkdirInfo workdirInfo;

-        /* URL of the repo, or its path if isLocal. Never a `file` URL. */
-        std::string url;
+        std::string locationToArg() const
+        {
+            return std::visit(
+                overloaded {
+                    [&](const std::filesystem::path & path)
+                    { return path.string(); },
+                    [&](const ParsedURL & url)
+                    { return url.to_string(); }
+                }, location);
+        }
+
+        std::optional<std::filesystem::path> getPath() const
+        {
+            if (auto path = std::get_if<std::filesystem::path>(&location))
+                return *path;
+            else
+                return std::nullopt;
+        }

        void warnDirty(const Settings & settings) const
        {
            if (workdirInfo.isDirty) {
                if (!settings.allowDirty)
-                    throw Error("Git tree '%s' is dirty", url);
+                    throw Error("Git tree '%s' is dirty", locationToArg());

                if (settings.warnDirty)
-                    warn("Git tree '%s' is dirty", url);
+                    warn("Git tree '%s' is dirty", locationToArg());
            }
        }

@@ -424,18 +441,42 @@ struct GitInputScheme : InputScheme
        static bool forceHttp = getEnv("_NIX_FORCE_HTTP") == "1"; // for testing
        auto url = parseURL(getStrAttr(input.attrs, "url"));
        bool isBareRepository = url.scheme == "file" && !pathExists(url.path + "/.git");
-        repoInfo.isLocal = url.scheme == "file" && !forceHttp && !isBareRepository;
-        repoInfo.url = repoInfo.isLocal ? url.path : url.base;
+        //
+        // FIXME: here we turn a possibly relative path into an absolute path.
+        // This allows relative git flake inputs to be resolved against the
+        // **current working directory** (as in POSIX), which tends to work out
+        // ok in the context of flakes, but is the wrong behavior,
+        // as it should resolve against the flake.nix base directory instead.
+        //
+        // See: https://discourse.nixos.org/t/57783 and #9708
+        //
+        if (url.scheme == "file" && !forceHttp && !isBareRepository) {
+            if (!isAbsolute(url.path)) {
+                warn(
+                    "Fetching Git repository '%s', which uses a path relative to the current directory. "
+                    "This is not supported and will stop working in a future release. "
+                    "See https://github.com/NixOS/nix/issues/12281 for details.",
+                    url);
+            }
+            repoInfo.location = std::filesystem::absolute(url.path);
+        } else {
+            if (url.scheme == "file")
+                /* Query parameters are meaningless for file://, but
+                   Git interprets them as part of the file name. So get
+                   rid of them. */
+                url.query.clear();
+            repoInfo.location = url;
+        }

        // If this is a local directory and no ref or revision is
        // given, then allow the use of an unclean working tree.
-        if (!input.getRef() && !input.getRev() && repoInfo.isLocal)
-            repoInfo.workdirInfo = GitRepo::openRepo(repoInfo.url)->getWorkdirInfo();
+        if (auto repoPath = repoInfo.getPath(); !input.getRef() && !input.getRev() && repoPath)
+            repoInfo.workdirInfo = GitRepo::getCachedWorkdirInfo(*repoPath);

        return repoInfo;
    }

-    uint64_t getLastModified(const RepoInfo & repoInfo, const std::string & repoDir, const Hash & rev) const
+    uint64_t getLastModified(const RepoInfo & repoInfo, const std::filesystem::path & repoDir, const Hash & rev) const
    {
        Cache::Key key{"gitLastModified", {{"rev", rev.gitRev()}}};

@@ -451,7 +492,7 @@ struct GitInputScheme : InputScheme
        return lastModified;
    }

-    uint64_t getRevCount(const RepoInfo & repoInfo, const std::string & repoDir, const Hash & rev) const
+    uint64_t getRevCount(const RepoInfo & repoInfo, const std::filesystem::path & repoDir, const Hash & rev) const
    {
        Cache::Key key{"gitRevCount", {{"rev", rev.gitRev()}}};

@@ -460,7 +501,7 @@ struct GitInputScheme : InputScheme
        if (auto revCountAttrs = cache->lookup(key))
            return getIntAttr(*revCountAttrs, "revCount");

-        Activity act(*logger, lvlChatty, actUnknown, fmt("getting Git revision count of '%s'", repoInfo.url));
+        Activity act(*logger, lvlChatty, actUnknown, fmt("getting Git revision count of '%s'", repoInfo.locationToArg()));

        auto revCount = GitRepo::openRepo(repoDir)->getRevCount(rev);

@@ -471,11 +512,15 @@ struct GitInputScheme : InputScheme

    std::string getDefaultRef(const RepoInfo & repoInfo) const
    {
-        auto head = repoInfo.isLocal
-            ? GitRepo::openRepo(repoInfo.url)->getWorkdirRef()
-            : readHeadCached(repoInfo.url);
+        auto head = std::visit(
+            overloaded {
+                [&](const std::filesystem::path & path)
+                { return GitRepo::openRepo(path)->getWorkdirRef(); },
+                [&](const ParsedURL & url)
+                { return readHeadCached(url.to_string()); }
+            }, repoInfo.location);
        if (!head) {
-            warn("could not read HEAD ref from repo at '%s', using 'master'", repoInfo.url);
+            warn("could not read HEAD ref from repo at '%s', using 'master'", repoInfo.locationToArg());
            return "master";
        }
        return *head;
@@ -518,29 +563,30 @@ struct GitInputScheme : InputScheme
        auto ref = originalRef ? *originalRef : getDefaultRef(repoInfo);
        input.attrs.insert_or_assign("ref", ref);

-        Path repoDir;
+        std::filesystem::path repoDir;

-        if (repoInfo.isLocal) {
-            repoDir = repoInfo.url;
+        if (auto repoPath = repoInfo.getPath()) {
+            repoDir = *repoPath;
            if (!input.getRev())
                input.attrs.insert_or_assign("rev", GitRepo::openRepo(repoDir)->resolveRef(ref).gitRev());
        } else {
-            Path cacheDir = getCachePath(repoInfo.url, getShallowAttr(input));
+            auto repoUrl = std::get<ParsedURL>(repoInfo.location);
+            std::filesystem::path cacheDir = getCachePath(repoUrl.to_string(), getShallowAttr(input));
            repoDir = cacheDir;
            repoInfo.gitDir = ".";

-            createDirs(dirOf(cacheDir));
-            PathLocks cacheDirLock({cacheDir});
+            std::filesystem::create_directories(cacheDir.parent_path());
+            PathLocks cacheDirLock({cacheDir.string()});

            auto repo = GitRepo::openRepo(cacheDir, true, true);

            // We need to set the origin so resolving submodule URLs works
-            repo->setRemote("origin", repoInfo.url);
+            repo->setRemote("origin", repoUrl.to_string());

-            Path localRefFile =
+            auto localRefFile =
                ref.compare(0, 5, "refs/") == 0
-                ? cacheDir + "/" + ref
-                : cacheDir + "/refs/heads/" + ref;
+                ? cacheDir / ref
+                : cacheDir / "refs/heads" / ref;

            bool doFetch;
            time_t now = time(0);
@@ -556,7 +602,7 @@ struct GitInputScheme : InputScheme
                    /* If the local ref is older than ‘tarball-ttl’ seconds, do a
                       git fetch to update the local ref to the remote ref. */
                    struct stat st;
-                    doFetch = stat(localRefFile.c_str(), &st) != 0 ||
+                    doFetch = stat(localRefFile.string().c_str(), &st) != 0 ||
                        !isCacheFileWithinTtl(now, st);
                }
            }
@@ -565,20 +611,20 @@ struct GitInputScheme : InputScheme
                try {
                    auto fetchRef =
                        getAllRefsAttr(input)
-                        ? "refs/*"
+                        ? "refs/*:refs/*"
                        : input.getRev()
                        ? input.getRev()->gitRev()
                        : ref.compare(0, 5, "refs/") == 0
-                        ? ref
+                        ? fmt("%1%:%1%", ref)
                        : ref == "HEAD"
                        ? ref
-                        : "refs/heads/" + ref;
+                        : fmt("%1%:%1%", "refs/heads/" + ref);

-                    repo->fetch(repoInfo.url, fmt("%s:%s", fetchRef, fetchRef), getShallowAttr(input));
+                    repo->fetch(repoUrl.to_string(), fetchRef, getShallowAttr(input));
                } catch (Error & e) {
-                    if (!pathExists(localRefFile)) throw;
+                    if (!std::filesystem::exists(localRefFile)) throw;
                    logError(e.info());
-                    warn("could not update local clone of Git repository '%s'; continuing with the most recent version", repoInfo.url);
+                    warn("could not update local clone of Git repository '%s'; continuing with the most recent version", repoInfo.locationToArg());
                }

                try {
@@ -587,8 +633,8 @@ struct GitInputScheme : InputScheme
                } catch (Error & e) {
                    warn("could not update mtime for file '%s': %s", localRefFile, e.info().msg);
                }
-                if (!originalRef && !storeCachedHead(repoInfo.url, ref))
-                    warn("could not update cached head '%s' for '%s'", ref, repoInfo.url);
+                if (!originalRef && !storeCachedHead(repoUrl.to_string(), ref))
+                    warn("could not update cached head '%s' for '%s'", ref, repoInfo.locationToArg());
            }

            if (auto rev = input.getRev()) {
@@ -600,8 +646,7 @@ struct GitInputScheme : InputScheme
                        "allRefs = true;" ANSI_NORMAL " to " ANSI_BOLD "fetchGit" ANSI_NORMAL ".",
                        rev->gitRev(),
                        ref,
-                        repoInfo.url
-                        );
+                        repoInfo.locationToArg());
            } else
                input.attrs.insert_or_assign("rev", repo->resolveRef(ref).gitRev());

@@ -613,7 +658,7 @@ struct GitInputScheme : InputScheme
        auto isShallow = repo->isShallow();

        if (isShallow && !getShallowAttr(input))
-            throw Error("'%s' is a shallow Git repository, but shallow repositories are only allowed when `shallow = true;` is specified", repoInfo.url);
+            throw Error("'%s' is a shallow Git repository, but shallow repositories are only allowed when `shallow = true;` is specified", repoInfo.locationToArg());

        // FIXME: check whether rev is an ancestor of ref?

@@ -628,14 +673,12 @@ struct GitInputScheme : InputScheme
            infoAttrs.insert_or_assign("revCount",
                getRevCount(repoInfo, repoDir, rev));

-        printTalkative("using revision %s of repo '%s'", rev.gitRev(), repoInfo.url);
+        printTalkative("using revision %s of repo '%s'", rev.gitRev(), repoInfo.locationToArg());

        verifyCommit(input, repo);

        bool exportIgnore = getExportIgnoreAttr(input);
-        auto accessor = repo->getAccessor(rev, exportIgnore);
-
-        accessor->setPathDisplay("«" + input.to_string() + "»");
+        auto accessor = repo->getAccessor(rev, exportIgnore, "«" + input.to_string() + "»");

        /* If the repo has submodules, fetch them and return a mounted
           input accessor consisting of the accessor for the top-level
@@ -682,21 +725,21 @@ struct GitInputScheme : InputScheme
        RepoInfo & repoInfo,
        Input && input) const
    {
+        auto repoPath = repoInfo.getPath().value();
+
        if (getSubmodulesAttr(input))
            /* Create mountpoints for the submodules. */
            for (auto & submodule : repoInfo.workdirInfo.submodules)
                repoInfo.workdirInfo.files.insert(submodule.path);

-        auto repo = GitRepo::openRepo(repoInfo.url, false, false);
+        auto repo = GitRepo::openRepo(repoPath, false, false);

        auto exportIgnore = getExportIgnoreAttr(input);

        ref<SourceAccessor> accessor =
            repo->getAccessor(repoInfo.workdirInfo,
                exportIgnore,
-                makeNotAllowedError(repoInfo.url));
-
-        accessor->setPathDisplay(repoInfo.url);
+                makeNotAllowedError(repoInfo.locationToArg()));

        /* If the repo has submodules, return a mounted input accessor
           consisting of the accessor for the top-level repo and the
@@ -705,10 +748,10 @@ struct GitInputScheme : InputScheme
            std::map<CanonPath, nix::ref<SourceAccessor>> mounts;

            for (auto & submodule : repoInfo.workdirInfo.submodules) {
-                auto submodulePath = CanonPath(repoInfo.url) / submodule.path;
+                auto submodulePath = repoPath / submodule.path.rel();
                fetchers::Attrs attrs;
                attrs.insert_or_assign("type", "git");
-                attrs.insert_or_assign("url", submodulePath.abs());
+                attrs.insert_or_assign("url", submodulePath.string());
                attrs.insert_or_assign("exportIgnore", Explicit<bool>{ exportIgnore });
                attrs.insert_or_assign("submodules", Explicit<bool>{ true });
                // TODO: fall back to getAccessorFromCommit-like fetch when submodules aren't checked out
@@ -732,7 +775,7 @@ struct GitInputScheme : InputScheme
        }

        if (!repoInfo.workdirInfo.isDirty) {
-            auto repo = GitRepo::openRepo(repoInfo.url);
+            auto repo = GitRepo::openRepo(repoPath);

            if (auto ref = repo->getWorkdirRef())
                input.attrs.insert_or_assign("ref", *ref);
@@ -742,7 +785,7 @@ struct GitInputScheme : InputScheme

            input.attrs.insert_or_assign("rev", rev.gitRev());
            input.attrs.insert_or_assign("revCount",
-                rev == nullRev ? 0 : getRevCount(repoInfo, repoInfo.url, rev));
+                rev == nullRev ? 0 : getRevCount(repoInfo, repoPath, rev));

            verifyCommit(input, repo);
        } else {
@@ -761,7 +804,7 @@ struct GitInputScheme : InputScheme
        input.attrs.insert_or_assign(
            "lastModified",
            repoInfo.workdirInfo.headRev
-            ? getLastModified(repoInfo, repoInfo.url, *repoInfo.workdirInfo.headRev)
+            ? getLastModified(repoInfo, repoPath, *repoInfo.workdirInfo.headRev)
            : 0);

        return {accessor, std::move(input)};
@@ -784,7 +827,7 @@ struct GitInputScheme : InputScheme
        }

        auto [accessor, final] =
-            input.getRef() || input.getRev() || !repoInfo.isLocal
+            input.getRef() || input.getRev() || !repoInfo.getPath()
            ? getAccessorFromCommit(store, repoInfo, std::move(input))
            : getAccessorFromWorkdir(store, repoInfo, std::move(input));

@@ -793,10 +836,33 @@ struct GitInputScheme : InputScheme

    std::optional<std::string> getFingerprint(ref<Store> store, const Input & input) const override
    {
+        auto makeFingerprint = [&](const Hash & rev)
+        {
+            return rev.gitRev() + (getSubmodulesAttr(input) ? ";s" : "") + (getExportIgnoreAttr(input) ? ";e" : "");
+        };
+
        if (auto rev = input.getRev())
-            return rev->gitRev() + (getSubmodulesAttr(input) ? ";s" : "") + (getExportIgnoreAttr(input) ? ";e" : "");
-        else
+            return makeFingerprint(*rev);
+        else {
+            auto repoInfo = getRepoInfo(input);
+            if (auto repoPath = repoInfo.getPath(); repoPath && repoInfo.workdirInfo.headRev && repoInfo.workdirInfo.submodules.empty()) {
+                /* Calculate a fingerprint that takes into account the
+                   deleted and modified/added files. */
+                HashSink hashSink{HashAlgorithm::SHA512};
+                for (auto & file : repoInfo.workdirInfo.dirtyFiles) {
+                    writeString("modified:", hashSink);
+                    writeString(file.abs(), hashSink);
+                    dumpPath((*repoPath / file.rel()).string(), hashSink);
+                }
+                for (auto & file : repoInfo.workdirInfo.deletedFiles) {
+                    writeString("deleted:", hashSink);
+                    writeString(file.abs(), hashSink);
+                }
+                return makeFingerprint(*repoInfo.workdirInfo.headRev)
+                    + ";d=" + hashSink.finish().first.to_string(HashFormat::Base16, false);
+            }
            return std::nullopt;
+        }
    }

    bool isLocked(const Input & input) const override
--- a/src/libfetchers/github.cc
+++ b/src/libfetchers/github.cc
@@ -50,7 +50,7 @@ struct GitArchiveInputScheme : InputScheme
            else if (std::regex_match(path[2], refRegex))
                ref = path[2];
            else
-                throw BadURL("in URL '%s', '%s' is not a commit hash or branch/tag name", url.url, path[2]);
+                throw BadURL("in URL '%s', '%s' is not a commit hash or branch/tag name", url, path[2]);
        } else if (size > 3) {
            std::string rs;
            for (auto i = std::next(path.begin(), 2); i != path.end(); i++) {
@@ -63,34 +63,34 @@ struct GitArchiveInputScheme : InputScheme
            if (std::regex_match(rs, refRegex)) {
                ref = rs;
            } else {
-                throw BadURL("in URL '%s', '%s' is not a branch/tag name", url.url, rs);
+                throw BadURL("in URL '%s', '%s' is not a branch/tag name", url, rs);
            }
        } else if (size < 2)
-            throw BadURL("URL '%s' is invalid", url.url);
+            throw BadURL("URL '%s' is invalid", url);

        for (auto &[name, value] : url.query) {
            if (name == "rev") {
                if (rev)
-                    throw BadURL("URL '%s' contains multiple commit hashes", url.url);
+                    throw BadURL("URL '%s' contains multiple commit hashes", url);
                rev = Hash::parseAny(value, HashAlgorithm::SHA1);
            }
            else if (name == "ref") {
                if (!std::regex_match(value, refRegex))
-                    throw BadURL("URL '%s' contains an invalid branch/tag name", url.url);
+                    throw BadURL("URL '%s' contains an invalid branch/tag name", url);
                if (ref)
-                    throw BadURL("URL '%s' contains multiple branch/tag names", url.url);
+                    throw BadURL("URL '%s' contains multiple branch/tag names", url);
                ref = value;
            }
            else if (name == "host") {
                if (!std::regex_match(value, hostRegex))
-                    throw BadURL("URL '%s' contains an invalid instance host", url.url);
+                    throw BadURL("URL '%s' contains an invalid instance host", url);
                host_url = value;
            }
            // FIXME: barf on unsupported attributes
        }

        if (ref && rev)
-            throw BadURL("URL '%s' contains both a commit hash and a branch/tag name %s %s", url.url, *ref, rev->gitRev());
+            throw BadURL("URL '%s' contains both a commit hash and a branch/tag name %s %s", url, *ref, rev->gitRev());

        Input input{settings};
        input.attrs.insert_or_assign("type", std::string { schemeName() });
@@ -294,9 +294,10 @@ struct GitArchiveInputScheme : InputScheme
        #endif
        input.attrs.insert_or_assign("lastModified", uint64_t(tarballInfo.lastModified));

-        auto accessor = getTarballCache()->getAccessor(tarballInfo.treeHash, false);
-
-        accessor->setPathDisplay("«" + input.to_string() + "»");
+        auto accessor = getTarballCache()->getAccessor(
+            tarballInfo.treeHash,
+            false,
+            "«" + input.to_string() + "»");

        return {accessor, input};
    }
--- a/src/libfetchers/indirect.cc
+++ b/src/libfetchers/indirect.cc
@@ -26,16 +26,16 @@ struct IndirectInputScheme : InputScheme
            else if (std::regex_match(path[1], refRegex))
                ref = path[1];
            else
-                throw BadURL("in flake URL '%s', '%s' is not a commit hash or branch/tag name", url.url, path[1]);
+                throw BadURL("in flake URL '%s', '%s' is not a commit hash or branch/tag name", url, path[1]);
        } else if (path.size() == 3) {
            if (!std::regex_match(path[1], refRegex))
-                throw BadURL("in flake URL '%s', '%s' is not a branch/tag name", url.url, path[1]);
+                throw BadURL("in flake URL '%s', '%s' is not a branch/tag name", url, path[1]);
            ref = path[1];
            if (!std::regex_match(path[2], revRegex))
-                throw BadURL("in flake URL '%s', '%s' is not a commit hash", url.url, path[2]);
+                throw BadURL("in flake URL '%s', '%s' is not a commit hash", url, path[2]);
            rev = Hash::parseAny(path[2], HashAlgorithm::SHA1);
        } else
-            throw BadURL("GitHub URL '%s' is invalid", url.url);
+            throw BadURL("GitHub URL '%s' is invalid", url);

        std::string id = path[0];
        if (!std::regex_match(id, flakeRegex))
--- a/src/libfetchers/mercurial.cc
+++ b/src/libfetchers/mercurial.cc
@@ -126,7 +126,7 @@ struct MercurialInputScheme : InputScheme
        return res;
    }

-    std::optional<Path> getSourcePath(const Input & input) const override
+    std::optional<std::filesystem::path> getSourcePath(const Input & input) const override
    {
        auto url = parseURL(getStrAttr(input.attrs, "url"));
        if (url.scheme == "file" && !input.getRef() && !input.getRev())
@@ -161,7 +161,7 @@ struct MercurialInputScheme : InputScheme
    {
        auto url = parseURL(getStrAttr(input.attrs, "url"));
        bool isLocal = url.scheme == "file";
-        return {isLocal, isLocal ? url.path : url.base};
+        return {isLocal, isLocal ? url.path : url.to_string()};
    }

    StorePath fetchToStore(ref<Store> store, Input & input) const
--- a/src/libfetchers/meson.build
+++ b/src/libfetchers/meson.build
@@ -4,8 +4,6 @@ project('nix-fetchers', 'cpp',
    'cpp_std=c++2a',
    # TODO(Qyriad): increase the warning level
    'warning_level=1',
-    'debug=true',
-    'optimization=2',
    'errorlogs=true', # Please print logs for tests that fail
  ],
  meson_version : '>= 1.1',
--- a/src/libfetchers/package.nix
+++ b/src/libfetchers/package.nix
@@ -1,15 +1,15 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  mkMesonLibrary,

-, nix-util
-, nix-store
-, nlohmann_json
-, libgit2
+  nix-util,
+  nix-store,
+  nlohmann_json,
+  libgit2,

-# Configuration Options
+  # Configuration Options

-, version
+  version,
 }:

 let
@@ -41,18 +41,6 @@ mkMesonLibrary (finalAttrs: {
    nlohmann_json
  ];

-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
  meta = {
    platforms = lib.platforms.unix ++ lib.platforms.windows;
  };
--- a/src/libfetchers/path.cc
+++ b/src/libfetchers/path.cc
@@ -14,7 +14,7 @@ struct PathInputScheme : InputScheme
        if (url.scheme != "path") return {};

        if (url.authority && *url.authority != "")
-            throw Error("path URL '%s' should not have an authority ('%s')", url.url, *url.authority);
+            throw Error("path URL '%s' should not have an authority ('%s')", url, *url.authority);

        Input input{settings};
        input.attrs.insert_or_assign("type", "path");
@@ -27,10 +27,10 @@ struct PathInputScheme : InputScheme
                if (auto n = string2Int<uint64_t>(value))
                    input.attrs.insert_or_assign(name, *n);
                else
-                    throw Error("path URL '%s' has invalid parameter '%s'", url.to_string(), name);
+                    throw Error("path URL '%s' has invalid parameter '%s'", url, name);
            }
            else
-                throw Error("path URL '%s' has unsupported parameter '%s'", url.to_string(), name);
+                throw Error("path URL '%s' has unsupported parameter '%s'", url, name);

        return input;
    }
@@ -80,9 +80,9 @@ struct PathInputScheme : InputScheme
        };
    }

-    std::optional<Path> getSourcePath(const Input & input) const override
+    std::optional<std::filesystem::path> getSourcePath(const Input & input) const override
    {
-        return getStrAttr(input.attrs, "path");
+        return getAbsPath(input);
    }

    void putFile(
@@ -91,13 +91,13 @@ struct PathInputScheme : InputScheme
        std::string_view contents,
        std::optional<std::string> commitMsg) const override
    {
-        writeFile((CanonPath(getAbsPath(input)) / path).abs(), contents);
+        writeFile(getAbsPath(input) / path.rel(), contents);
    }

-    std::optional<std::string> isRelative(const Input & input) const
+    std::optional<std::string> isRelative(const Input & input) const override
    {
        auto path = getStrAttr(input.attrs, "path");
-        if (hasPrefix(path, "/"))
+        if (isAbsolute(path))
            return std::nullopt;
        else
            return path;
@@ -108,12 +108,12 @@ struct PathInputScheme : InputScheme
        return (bool) input.getNarHash();
    }

-    CanonPath getAbsPath(const Input & input) const
+    std::filesystem::path getAbsPath(const Input & input) const
    {
        auto path = getStrAttr(input.attrs, "path");

-        if (path[0] == '/')
-            return CanonPath(path);
+        if (isAbsolute(path))
+            return canonPath(path);

        throw Error("cannot fetch input '%s' because it uses a relative path", input.to_string());
    }
@@ -121,31 +121,14 @@ struct PathInputScheme : InputScheme
    std::pair<ref<SourceAccessor>, Input> getAccessor(ref<Store> store, const Input & _input) const override
    {
        Input input(_input);
-        std::string absPath;
        auto path = getStrAttr(input.attrs, "path");

-        if (path[0] != '/') {
-            if (!input.parent)
-                throw Error("cannot fetch input '%s' because it uses a relative path", input.to_string());
+        auto absPath = getAbsPath(input);

-            auto parent = canonPath(*input.parent);
-
-            // the path isn't relative, prefix it
-            absPath = nix::absPath(path, parent);
-
-            // for security, ensure that if the parent is a store path, it's inside it
-            if (store->isInStore(parent)) {
-                auto storePath = store->printStorePath(store->toStorePath(parent).first);
-                if (!isDirOrInDir(absPath, storePath))
-                    throw BadStorePath("relative path '%s' points outside of its parent's store path '%s'", path, storePath);
-            }
-        } else
-            absPath = path;
-
-        Activity act(*logger, lvlTalkative, actUnknown, fmt("copying '%s'", absPath));
+        Activity act(*logger, lvlTalkative, actUnknown, fmt("copying '%s' to the store", absPath));

        // FIXME: check whether access to 'path' is allowed.
-        auto storePath = store->maybeParseStorePath(absPath);
+        auto storePath = store->maybeParseStorePath(absPath.string());

        if (storePath)
            store->addTempRoot(*storePath);
@@ -154,7 +137,7 @@ struct PathInputScheme : InputScheme
        if (!storePath || storePath->name() != "source" || !store->isValidPath(*storePath)) {
            // FIXME: try to substitute storePath.
            auto src = sinkToSource([&](Sink & sink) {
-                mtime = dumpPathAndGetMtime(absPath, sink, defaultPathFilter);
+                mtime = dumpPathAndGetMtime(absPath.string(), sink, defaultPathFilter);
            });
            storePath = store->addToStoreFromDump(*src, "source");
        }
@@ -176,7 +159,7 @@ struct PathInputScheme : InputScheme
           store object and the subpath. */
        auto path = getAbsPath(input);
        try {
-            auto [storePath, subPath] = store->toStorePath(path.abs());
+            auto [storePath, subPath] = store->toStorePath(path.string());
            auto info = store->queryPathInfo(storePath);
            return fmt("path:%s:%s", info->narHash.to_string(HashFormat::Base16, false), subPath);
        } catch (Error &) {
--- a/src/libfetchers/registry.cc
+++ b/src/libfetchers/registry.cc
@@ -153,7 +153,7 @@ static std::shared_ptr<Registry> getGlobalRegistry(const Settings & settings, re
            return std::make_shared<Registry>(settings, Registry::Global); // empty registry
        }

-        if (!hasPrefix(path, "/")) {
+        if (!isAbsolute(path)) {
            auto storePath = downloadFile(store, path, "flake-registry.json").storePath;
            if (auto store2 = store.dynamic_pointer_cast<LocalFSStore>())
                store2->addPermRoot(storePath, getCacheDir() + "/flake-registry.json");
@@ -178,7 +178,8 @@ Registries getRegistries(const Settings & settings, ref<Store> store)

 std::pair<Input, Attrs> lookupInRegistries(
    ref<Store> store,
-    const Input & _input)
+    const Input & _input,
+    const RegistryFilter & filter)
 {
    Attrs extraAttrs;
    int n = 0;
@@ -190,6 +191,7 @@ std::pair<Input, Attrs> lookupInRegistries(
    if (n > 100) throw Error("cycle detected in flake registry for '%s'", input.to_string());

    for (auto & registry : getRegistries(*input.settings, store)) {
+        if (filter && !filter(registry->type)) continue;
        // FIXME: O(n)
        for (auto & entry : registry->entries) {
            if (entry.exact) {
--- a/src/libfetchers/registry.hh
+++ b/src/libfetchers/registry.hh
@@ -65,8 +65,15 @@ void overrideRegistry(
    const Input & to,
    const Attrs & extraAttrs);

+using RegistryFilter = std::function<bool(Registry::RegistryType)>;
+
+/**
+ * Rewrite a flakeref using the registries. If `filter` is set, only
+ * use the registries for which the filter function returns true.
+ */
 std::pair<Input, Attrs> lookupInRegistries(
    ref<Store> store,
-    const Input & input);
+    const Input & input,
+    const RegistryFilter & filter = {});

 }
--- a/src/libfetchers/tarball.cc
+++ b/src/libfetchers/tarball.cc
@@ -105,7 +105,8 @@ DownloadFileResult downloadFile(

 static DownloadTarballResult downloadTarball_(
    const std::string & url,
-    const Headers & headers)
+    const Headers & headers,
+    const std::string & displayPrefix)
 {
    Cache::Key cacheKey{"tarball", {{"url", url}}};

@@ -118,7 +119,7 @@ static DownloadTarballResult downloadTarball_(
            .treeHash = treeHash,
            .lastModified = (time_t) getIntAttr(infoAttrs, "lastModified"),
            .immutableUrl = maybeGetStrAttr(infoAttrs, "immutableUrl"),
-            .accessor = getTarballCache()->getAccessor(treeHash, false),
+            .accessor = getTarballCache()->getAccessor(treeHash, false, displayPrefix),
        };
    };

@@ -371,9 +372,10 @@ struct TarballInputScheme : CurlInputScheme
    {
        auto input(_input);

-        auto result = downloadTarball_(getStrAttr(input.attrs, "url"), {});
-
-        result.accessor->setPathDisplay("«" + input.to_string() + "»");
+        auto result = downloadTarball_(
+            getStrAttr(input.attrs, "url"),
+            {},
+            "«" + input.to_string() + "»");

        if (result.immutableUrl) {
            auto immutableInput = Input::fromURL(*input.settings, *result.immutableUrl);
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .26.0
 .26.3