maint: Re-add intel mac build, on arm this time

nix flake archive: Recurse into relative path inputs

.github/workflows/ci.yml

@@ -7,14 +7,34 @@ on:
 permissions: read-all
 
 jobs:
+  eval:
+    runs-on: ubuntu-24.04
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - uses: cachix/install-nix-action@v30
+    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
 
   tests:
-    needs: [check_secrets]
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            system: x86_64-linux
+            os: linux
+          - scenario: on macos (aarch64)
+            runs-on: macos-14
+            system: aarch64-darwin
+            os: darwin
+          - scenario: on macos (x86_64)
+            runs-on: macos-14
+            system: x86_64-darwin
+            os: darwin
+    name: tests ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
     timeout-minutes: 60
     steps:
     - uses: actions/checkout@v4
@@ -26,102 +46,53 @@ jobs:
         extra_nix_config: |
           sandbox = true
           max-jobs = 1
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v15
-      if: needs.check_secrets.outputs.cachix == 'true'
+          system = ${{ matrix.system }}
+    - uses: DeterminateSystems/magic-nix-cache-action@main
+    # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
+    # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
+    - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+      if: matrix.os == 'linux'
+    - run: scripts/build-checks
+    - run: scripts/prepare-installer-for-github-actions
+    - name: Upload installer tarball
+      uses: actions/upload-artifact@v4
       with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-    - if: matrix.os == 'ubuntu-latest'
-      run: |
-        free -h
-        swapon --show
-        swap=$(swapon --show --noheadings | head -n 1 | awk '{print $1}')
-        echo "Found swap: $swap"
-        sudo swapoff $swap
-        # resize it (fallocate)
-        sudo fallocate -l 10G $swap
-        sudo mkswap $swap
-        sudo swapon $swap
-        free -h
-        (
-          while sleep 60; do
-            free -h
-          done
-        ) &
-    - run: nix --experimental-features 'nix-command flakes' flake check -L
-    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
-
-  # Steps to test CI automation in your own fork.
-  # Cachix:
-  # 1. Sign-up for https://www.cachix.org/
-  # 2. Create a cache for $githubuser-nix-install-tests
-  # 3. Create a cachix auth token and save it in https://github.com/$githubuser/nix/settings/secrets/actions in "Repository secrets" as CACHIX_AUTH_TOKEN
-  # Dockerhub:
-  # 1. Sign-up for https://hub.docker.com/
-  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
-  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
-  check_secrets:
-    permissions:
-      contents: none
-    name: Check Cachix and Docker secrets present for installer tests
-    runs-on: ubuntu-latest
-    outputs:
-      cachix: ${{ steps.secret.outputs.cachix }}
-      docker: ${{ steps.secret.outputs.docker }}
-    steps:
-      - name: Check for secrets
-        id: secret
-        env:
-          _CACHIX_SECRETS: ${{ secrets.CACHIX_SIGNING_KEY }}${{ secrets.CACHIX_AUTH_TOKEN }}
-          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          echo "::set-output name=cachix::${{ env._CACHIX_SECRETS != '' }}"
-          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
-
-  installer:
-    needs: [tests, check_secrets]
-    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
-    runs-on: ubuntu-latest
-    outputs:
-      installerURL: ${{ steps.prepare-installer.outputs.installerURL }}
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v30
-      with:
-        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - uses: cachix/cachix-action@v15
-      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-        cachixArgs: '-v'
-    - id: prepare-installer
-      run: scripts/prepare-installer-for-github-actions
+        name: installer-${{matrix.os}}
+        path: out/*
 
   installer_test:
-    needs: [installer, check_secrets]
-    if: github.event_name == 'push' && needs.check_secrets.outputs.cachix == 'true'
+    needs: [tests]
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-latest, macos-latest]
-    runs-on: ${{ matrix.os }}
+        # No x86_64-darwin (yet?) because of poor performance and similarity to aarch64-darwin
+        include:
+          - scenario: on ubuntu
+            runs-on: ubuntu-24.04
+            os: linux
+          - scenario: on macos
+            runs-on: macos-14
+            os: darwin
+    name: installer test ${{ matrix.scenario }}
+    runs-on: ${{ matrix.runs-on }}
     steps:
     - uses: actions/checkout@v4
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
+    - name: Download installer tarball
+      uses: actions/download-artifact@v4
+      with:
+        name: installer-${{matrix.os}}
+        path: out
+    - name: Serving installer
+      id: serving_installer
+      run: ./scripts/serve-installer-for-github-actions
     - uses: cachix/install-nix-action@v30
       with:
-        install_url: '${{needs.installer.outputs.installerURL}}'
-        install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
+        install_url: 'http://localhost:8126/install'
+        install_options: "--tarball-url-prefix http://localhost:8126/"
     - run: sudo apt install fish zsh
-      if: matrix.os == 'ubuntu-latest'
+      if: matrix.os == 'linux'
     - run: brew install fish
-      if: matrix.os == 'macos-latest'
+      if: matrix.os == 'darwin'
     - run: exec bash -c "nix-instantiate -E 'builtins.currentTime' --eval"
     - run: exec sh -c "nix-instantiate -E 'builtins.currentTime' --eval"
     - run: exec zsh -c "nix-instantiate -E 'builtins.currentTime' --eval"
@@ -129,32 +100,50 @@ jobs:
     - run: exec bash -c "nix-channel --add https://releases.nixos.org/nixos/unstable/nixos-23.05pre466020.60c1d71f2ba nixpkgs"
     - run: exec bash -c "nix-channel --update && nix-env -iA nixpkgs.hello && hello"
 
+  # Steps to test CI automation in your own fork.
+  # 1. Sign-up for https://hub.docker.com/
+  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
+  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
+  check_secrets:
+    permissions:
+      contents: none
+    name: Check Docker secrets present for installer tests
+    runs-on: ubuntu-24.04
+    outputs:
+      docker: ${{ steps.secret.outputs.docker }}
+    steps:
+      - name: Check for secrets
+        id: secret
+        env:
+          _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+        run: |
+          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
+
   docker_push_image:
-    needs: [check_secrets, tests, vm_tests]
+    needs: [tests, vm_tests, check_secrets]
     permissions:
       contents: read
       packages: write
     if: >-
+      needs.check_secrets.outputs.docker == 'true' &&
       github.event_name == 'push' &&
-      github.ref_name == 'master' &&
-      needs.check_secrets.outputs.cachix == 'true' &&
-      needs.check_secrets.outputs.docker == 'true'
-    runs-on: ubuntu-latest
+      github.ref_name == 'master'
+    runs-on: ubuntu-24.04
     steps:
+    - name: Check for secrets
+      id: secret
+      env:
+        _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
+      run: |
+        echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
     - uses: cachix/install-nix-action@v30
       with:
         install_url: https://releases.nixos.org/nix/nix-2.20.3/install
-    - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
+    - uses: DeterminateSystems/magic-nix-cache-action@main
     - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#nix.version | tr -d \")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v15
-      if: needs.check_secrets.outputs.cachix == 'true'
-      with:
-        name: '${{ env.CACHIX_NAME }}'
-        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
-        authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
     - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
     - run: docker load -i ./result/image.tar.gz
     - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
@@ -191,7 +180,7 @@ jobs:
         docker push $IMAGE_ID:master
 
   vm_tests:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
       - uses: DeterminateSystems/nix-installer-action@main
@@ -206,7 +195,7 @@ jobs:
 
   flake_regressions:
     needs: vm_tests
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Checkout nix
         uses: actions/checkout@v4

.github/workflows/labels.yml

@@ -15,7 +15,7 @@ permissions:
 
 jobs:
   labels:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     if: github.repository_owner == 'NixOS'
     steps:
     - uses: actions/labeler@v5

.gitignore

@@ -1,110 +1,12 @@
-Makefile.config
-perl/Makefile.config
-
-# /
-/aclocal.m4
-/autom4te.cache
-/precompiled-headers.h.gch
-/config.*
-/configure
-/stamp-h1
-/svn-revision
-/libtool
-/config/config.*
 # Default meson build dir
 /build
 
-# /doc/manual/
-/doc/manual/*.1
-/doc/manual/*.5
-/doc/manual/*.8
-/doc/manual/generated/*
-/doc/manual/nix.json
-/doc/manual/conf-file.json
-/doc/manual/language.json
-/doc/manual/xp-features.json
-/doc/manual/source/SUMMARY.md
-/doc/manual/source/SUMMARY-rl-next.md
-/doc/manual/source/store/types/*
-!/doc/manual/source/store/types/index.md.in
-/doc/manual/source/command-ref/new-cli
-/doc/manual/source/command-ref/conf-file.md
-/doc/manual/source/command-ref/experimental-features-shortlist.md
-/doc/manual/source/contributing/experimental-feature-descriptions.md
-/doc/manual/source/language/builtins.md
-/doc/manual/source/language/builtin-constants.md
-/doc/manual/source/release-notes/rl-next.md
-
-# /scripts/
-/scripts/nix-profile.sh
-/scripts/nix-profile-daemon.sh
-/scripts/nix-profile.fish
-/scripts/nix-profile-daemon.fish
-
-# /src/libexpr/
-/src/libexpr/lexer-tab.cc
-/src/libexpr/lexer-tab.hh
-/src/libexpr/parser-tab.cc
-/src/libexpr/parser-tab.hh
-/src/libexpr/parser-tab.output
-/src/libexpr/nix.tbl
-/src/libexpr/tests
-/src/libexpr-tests/libnixexpr-tests
-
-# /src/libfetchers
-/src/libfetchers-tests/libnixfetchers-tests
-
-# /src/libflake
-/src/libflake-tests/libnixflake-tests
-
-# /src/libstore/
-*.gen.*
-/src/libstore/tests
-/src/libstore-tests/libnixstore-tests
-
-# /src/libutil/
-/src/libutil/tests
-/src/libutil-tests/libnixutil-tests
-
-/src/nix/nix
-
-/src/nix/generated-doc
-
-# /src/nix-env/
-/src/nix-env/nix-env
-
-# /src/nix-instantiate/
-/src/nix-instantiate/nix-instantiate
-
-# /src/nix-store/
-/src/nix-store/nix-store
-
-/src/nix-prefetch-url/nix-prefetch-url
-
-/src/nix-collect-garbage/nix-collect-garbage
-
-# /src/nix-channel/
-/src/nix-channel/nix-channel
-
-# /src/nix-build/
-/src/nix-build/nix-build
-
-/src/nix-copy-closure/nix-copy-closure
-
-/src/error-demo/error-demo
-
-/src/build-remote/build-remote
-
 # /tests/functional/
-/tests/functional/test-tmp
 /tests/functional/common/subst-vars.sh
-/tests/functional/result*
 /tests/functional/restricted-innocent
-/tests/functional/shell
-/tests/functional/shell.drv
-/tests/functional/repl-result-out
 /tests/functional/debugger-test-out
 /tests/functional/test-libstoreconsumer/test-libstoreconsumer
+/tests/functional/nix-shell
 
 # /tests/functional/lang/
 /tests/functional/lang/*.out
@@ -112,27 +14,9 @@ perl/Makefile.config
 /tests/functional/lang/*.err
 /tests/functional/lang/*.ast
 
-/perl/lib/Nix/Config.pm
-/perl/lib/Nix/Store.cc
-
-/misc/systemd/nix-daemon.service
-/misc/systemd/nix-daemon.socket
-/misc/systemd/nix-daemon.conf
-/misc/upstart/nix-daemon.conf
-
 outputs/
 
-*.a
-*.o
-*.o.tmp
-*.so
-*.dylib
-*.dll
-*.exe
-*.dep
 *~
-*.pc
-*.plist
 
 # GNU Global
 GPATH
@@ -147,8 +31,6 @@ GTAGS
 compile_commands.json
 *.compile_commands.json
 
-nix-rust/target
-
 result
 result-*
 
@@ -163,3 +45,5 @@ result-*
 
 # Mac OS
 .DS_Store
+
+flake-regressions

.mergify.yml

@@ -2,10 +2,11 @@ queue_rules:
   - name: default
     # all required tests need to go here
     merge_conditions:
-      - check-success=tests (macos-latest)
-      - check-success=tests (ubuntu-latest)
+      - check-success=tests on macos
+      - check-success=tests on ubuntu
+      - check-success=installer test on macos
+      - check-success=installer test on ubuntu
       - check-success=vm_tests
-    merge_method: rebase
     batch_size: 5
 
 pull_request_rules:
@@ -26,6 +27,7 @@ pull_request_rules:
         branches:
           - 2.18-maintenance
         labels:
+          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.19
@@ -36,6 +38,7 @@ pull_request_rules:
         branches:
           - 2.19-maintenance
         labels:
+          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.20
@@ -46,6 +49,7 @@ pull_request_rules:
         branches:
           - 2.20-maintenance
         labels:
+          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.21
@@ -56,6 +60,7 @@ pull_request_rules:
         branches:
           - 2.21-maintenance
         labels:
+          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.22
@@ -66,6 +71,7 @@ pull_request_rules:
         branches:
           - 2.22-maintenance
         labels:
+          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.23
@@ -76,6 +82,7 @@ pull_request_rules:
         branches:
           - 2.23-maintenance
         labels:
+          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.24
@@ -86,6 +93,7 @@ pull_request_rules:
         branches:
           - "2.24-maintenance"
         labels:
+          - automatic backport
           - merge-queue
 
   - name: backport patches to 2.25
@@ -96,4 +104,16 @@ pull_request_rules:
         branches:
           - "2.25-maintenance"
         labels:
+          - automatic backport
+          - merge-queue
+
+  - name: backport patches to 2.26
+    conditions:
+      - label=backport 2.26-maintenance
+    actions:
+      backport:
+        branches:
+          - "2.26-maintenance"
+        labels:
+          - automatic backport
           - merge-queue

.version

@@ -1 +1 @@
-2.26.0
+2.27.0

default.nix

@@ -1,10 +1,9 @@
-(import
-  (
-    let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
-    fetchTarball {
-      url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
-      sha256 = lock.nodes.flake-compat.locked.narHash;
-    }
-  )
-  { src = ./.; }
-).defaultNix
+(import (
+  let
+    lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  in
+  fetchTarball {
+    url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+    sha256 = lock.nodes.flake-compat.locked.narHash;
+  }
+) { src = ./.; }).defaultNix

doc/manual/book.toml.in

@@ -1,5 +1,5 @@
 [book]
-title = "Nix Reference Manual"
+title = "Nix @version@ Reference Manual"
 src = "source"
 
 [output.html]

doc/manual/generate-builtins.nix

@@ -5,7 +5,15 @@ in
 
 builtinsInfo:
 let
-  showBuiltin = name: { doc, type ? null, args ? [ ], experimental-feature ? null, impure-only ? false }:
+  showBuiltin =
+    name:
+    {
+      doc,
+      type ? null,
+      args ? [ ],
+      experimental-feature ? null,
+      impure-only ? false,
+    }:
     let
       type' = optionalString (type != null) " (${type})";
 

doc/manual/generate-manpage.nix

@@ -32,7 +32,13 @@ let
 
   commandInfo = fromJSON commandDump;
 
-  showCommand = { command, details, filename, toplevel }:
+  showCommand =
+    {
+      command,
+      details,
+      filename,
+      toplevel,
+    }:
     let
 
       result = ''
@@ -56,26 +62,27 @@ let
         ${maybeOptions}
       '';
 
-      showSynopsis = command: args:
+      showSynopsis =
+        command: args:
         let
-          showArgument = arg: "*${arg.label}*" + optionalString (! arg ? arity) "...";
+          showArgument = arg: "*${arg.label}*" + optionalString (!arg ? arity) "...";
           arguments = concatStringsSep " " (map showArgument args);
-        in ''
+        in
+        ''
           `${command}` [*option*...] ${arguments}
         '';
 
-      maybeSubcommands = optionalString (details ? commands && details.commands != {})
-        ''
-          where *subcommand* is one of the following:
+      maybeSubcommands = optionalString (details ? commands && details.commands != { }) ''
+        where *subcommand* is one of the following:
 
-          ${subcommands}
-        '';
+        ${subcommands}
+      '';
 
-      subcommands = if length categories > 1
-        then listCategories
-        else listSubcommands details.commands;
+      subcommands = if length categories > 1 then listCategories else listSubcommands details.commands;
 
-      categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues details.commands)));
+      categories = sort (x: y: x.id < y.id) (
+        unique (map (cmd: cmd.category) (attrValues details.commands))
+      );
 
       listCategories = concatStrings (map showCategory categories);
 
@@ -99,38 +106,39 @@ let
 
             ${allStores}
           '';
-          index = replaceStrings
-            [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
-            [ storesOverview "#local-store" "#local-daemon-store" ]
-            details.doc;
+          index =
+            replaceStrings
+              [ "@store-types@" "./local-store.md" "./local-daemon-store.md" ]
+              [ storesOverview "#local-store" "#local-daemon-store" ]
+              details.doc;
           storesOverview =
             let
-              showEntry = store:
-                "- [${store.name}](#${store.slug})";
+              showEntry = store: "- [${store.name}](#${store.slug})";
             in
             concatStringsSep "\n" (map showEntry storesList) + "\n";
           allStores = concatStringsSep "\n" (attrValues storePages);
-          storePages = listToAttrs
-            (map (s: { name = s.filename; value = s.page; }) storesList);
+          storePages = listToAttrs (
+            map (s: {
+              name = s.filename;
+              value = s.page;
+            }) storesList
+          );
           storesList = showStoreDocs {
             storeInfo = commandInfo.stores;
             inherit inlineHTML;
           };
-          hasInfix = infix: content:
+          hasInfix =
+            infix: content:
             builtins.stringLength content != builtins.stringLength (replaceStrings [ infix ] [ "" ] content);
         in
         optionalString (details ? doc) (
           # An alternate implementation with builtins.match stack overflowed on some systems.
-          if hasInfix "@store-types@" details.doc
-          then help-stores
-          else details.doc
+          if hasInfix "@store-types@" details.doc then help-stores else details.doc
         );
 
       maybeOptions =
         let
-          allVisibleOptions = filterAttrs
-            (_: o: ! o.hiddenCategory)
-            (details.flags // toplevel.flags);
+          allVisibleOptions = filterAttrs (_: o: !o.hiddenCategory) (details.flags // toplevel.flags);
         in
         optionalString (allVisibleOptions != { }) ''
           # Options
@@ -142,55 +150,73 @@ let
           > See [`man nix.conf`](@docroot@/command-ref/conf-file.md#command-line-flags) for overriding configuration settings with command line flags.
         '';
 
-      showOptions = inlineHTML: allOptions:
+      showOptions =
+        inlineHTML: allOptions:
         let
           showCategory = cat: opts: ''
             ${optionalString (cat != "") "## ${cat}"}
 
             ${concatStringsSep "\n" (attrValues (mapAttrs showOption opts))}
           '';
-          showOption = name: option:
+          showOption =
+            name: option:
             let
               result = trim ''
                 - ${item}
 
                   ${option.description}
               '';
-              item = if inlineHTML
-                then ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
-                else "`--${name}` ${shortName} ${labels}";
-              shortName = optionalString
-                (option ? shortName)
-                ("/ `-${option.shortName}`");
-              labels = optionalString
-                (option ? labels)
-                (concatStringsSep " " (map (s: "*${s}*") option.labels));
-            in result;
-          categories = mapAttrs
-            # Convert each group from a list of key-value pairs back to an attrset
-            (_: listToAttrs)
-            (groupBy
-              (cmd: cmd.value.category)
-              (attrsToList allOptions));
-        in concatStrings (attrValues (mapAttrs showCategory categories));
-    in squash result;
+              item =
+                if inlineHTML then
+                  ''<span id="opt-${name}">[`--${name}`](#opt-${name})</span> ${shortName} ${labels}''
+                else
+                  "`--${name}` ${shortName} ${labels}";
+              shortName = optionalString (option ? shortName) ("/ `-${option.shortName}`");
+              labels = optionalString (option ? labels) (concatStringsSep " " (map (s: "*${s}*") option.labels));
+            in
+            result;
+          categories =
+            mapAttrs
+              # Convert each group from a list of key-value pairs back to an attrset
+              (_: listToAttrs)
+              (groupBy (cmd: cmd.value.category) (attrsToList allOptions));
+        in
+        concatStrings (attrValues (mapAttrs showCategory categories));
+    in
+    squash result;
 
   appendName = filename: name: (if filename == "nix" then "nix3" else filename) + "-" + name;
 
-  processCommand = { command, details, filename, toplevel }:
+  processCommand =
+    {
+      command,
+      details,
+      filename,
+      toplevel,
+    }:
     let
       cmd = {
         inherit command;
         name = filename + ".md";
-        value = showCommand { inherit command details filename toplevel; };
+        value = showCommand {
+          inherit
+            command
+            details
+            filename
+            toplevel
+            ;
+        };
       };
-      subcommand = subCmd: processCommand {
-        command = command + " " + subCmd;
-        details = details.commands.${subCmd};
-        filename = appendName filename subCmd;
-        inherit toplevel;
-      };
-    in [ cmd ] ++ concatMap subcommand (attrNames details.commands or {});
+      subcommand =
+        subCmd:
+        processCommand {
+          command = command + " " + subCmd;
+          details = details.commands.${subCmd};
+          filename = appendName filename subCmd;
+          inherit toplevel;
+        };
+    in
+    [ cmd ] ++ concatMap subcommand (attrNames details.commands or { });
 
   manpages = processCommand {
     command = "nix";
@@ -199,9 +225,11 @@ let
     toplevel = commandInfo.args;
   };
 
-  tableOfContents = let
-    showEntry = page:
-      "    - [${page.command}](command-ref/new-cli/${page.name})";
-    in concatStringsSep "\n" (map showEntry manpages) + "\n";
+  tableOfContents =
+    let
+      showEntry = page: "    - [${page.command}](command-ref/new-cli/${page.name})";
+    in
+    concatStringsSep "\n" (map showEntry manpages) + "\n";
 
-in (listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }
+in
+(listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }

doc/manual/generate-settings.nix

@@ -1,67 +1,99 @@
 let
-  inherit (builtins) attrValues concatStringsSep isAttrs isBool mapAttrs;
-  inherit (import <nix/utils.nix>) concatStrings indent optionalString squash;
+  inherit (builtins)
+    attrValues
+    concatStringsSep
+    isAttrs
+    isBool
+    mapAttrs
+    ;
+  inherit (import <nix/utils.nix>)
+    concatStrings
+    indent
+    optionalString
+    squash
+    ;
 in
 
 # `inlineHTML` is a hack to accommodate inconsistent output from `lowdown`
-{ prefix, inlineHTML ? true }: settingsInfo:
+{
+  prefix,
+  inlineHTML ? true,
+}:
+settingsInfo:
 
 let
 
-  showSetting = prefix: setting: { description, documentDefault, defaultValue, aliases, value, experimentalFeature }:
+  showSetting =
+    prefix: setting:
+    {
+      description,
+      documentDefault,
+      defaultValue,
+      aliases,
+      value,
+      experimentalFeature,
+    }:
     let
       result = squash ''
-          - ${item}
+        - ${item}
 
-          ${indent "  " body}
-        '';
-      item = if inlineHTML
-        then ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
-        else "`${setting}`";
+        ${indent "  " body}
+      '';
+      item =
+        if inlineHTML then
+          ''<span id="${prefix}-${setting}">[`${setting}`](#${prefix}-${setting})</span>''
+        else
+          "`${setting}`";
       # separate body to cleanly handle indentation
       body = ''
-          ${experimentalFeatureNote}
+        ${experimentalFeatureNote}
 
-          ${description}
+        ${description}
 
-          **Default:** ${showDefault documentDefault defaultValue}
+        **Default:** ${showDefault documentDefault defaultValue}
 
-          ${showAliases aliases}
-        '';
+        ${showAliases aliases}
+      '';
 
       experimentalFeatureNote = optionalString (experimentalFeature != null) ''
-          > **Warning**
-          >
-          > This setting is part of an
-          > [experimental feature](@docroot@/development/experimental-features.md).
-          >
-          > To change this setting, make sure the
-          > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
-          > is enabled.
-          > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
-          >
-          > ```
-          > extra-experimental-features = ${experimentalFeature}
-          > ${setting} = ...
-          > ```
-        '';
+        > **Warning**
+        >
+        > This setting is part of an
+        > [experimental feature](@docroot@/development/experimental-features.md).
+        >
+        > To change this setting, make sure the
+        > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
+        > is enabled.
+        > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
+        >
+        > ```
+        > extra-experimental-features = ${experimentalFeature}
+        > ${setting} = ...
+        > ```
+      '';
 
-      showDefault = documentDefault: defaultValue:
+      showDefault =
+        documentDefault: defaultValue:
         if documentDefault then
           # a StringMap value type is specified as a string, but
           # this shows the value type. The empty stringmap is `null` in
           # JSON, but that converts to `{ }` here.
-          if defaultValue == "" || defaultValue == [] || isAttrs defaultValue
-            then "*empty*"
-            else if isBool defaultValue then
-              if defaultValue then "`true`" else "`false`"
-            else "`${toString defaultValue}`"
-        else "*machine-specific*";
+          if defaultValue == "" || defaultValue == [ ] || isAttrs defaultValue then
+            "*empty*"
+          else if isBool defaultValue then
+            if defaultValue then "`true`" else "`false`"
+          else
+            "`${toString defaultValue}`"
+        else
+          "*machine-specific*";
 
-      showAliases = aliases:
-          optionalString (aliases != [])
-            "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";
+      showAliases =
+        aliases:
+        optionalString (aliases != [ ])
+          "**Deprecated alias:** ${(concatStringsSep ", " (map (s: "`${s}`") aliases))}";
 
-    in result;
+    in
+    result;
 
-in concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))
+in
+concatStrings (attrValues (mapAttrs (showSetting prefix) settingsInfo))

doc/manual/generate-store-info.nix

@@ -1,6 +1,20 @@
 let
-  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
-  inherit (import <nix/utils.nix>) optionalString filterAttrs trim squash toLower unique indent;
+  inherit (builtins)
+    attrNames
+    listToAttrs
+    concatStringsSep
+    readFile
+    replaceStrings
+    ;
+  inherit (import <nix/utils.nix>)
+    optionalString
+    filterAttrs
+    trim
+    squash
+    toLower
+    unique
+    indent
+    ;
   showSettings = import <nix/generate-settings.nix>;
 in
 
@@ -14,7 +28,13 @@ in
 
 let
 
-  showStore = { name, slug }: { settings, doc, experimentalFeature }:
+  showStore =
+    { name, slug }:
+    {
+      settings,
+      doc,
+      experimentalFeature,
+    }:
     let
       result = squash ''
         # ${name}
@@ -25,7 +45,10 @@ let
 
         ## Settings
 
-        ${showSettings { prefix = "store-${slug}"; inherit inlineHTML; } settings}
+        ${showSettings {
+          prefix = "store-${slug}";
+          inherit inlineHTML;
+        } settings}
       '';
 
       experimentalFeatureNote = optionalString (experimentalFeature != null) ''
@@ -43,15 +66,15 @@ let
         > extra-experimental-features = ${experimentalFeature}
         > ```
       '';
-    in result;
+    in
+    result;
 
-  storesList = map
-    (name: rec {
-      inherit name;
-      slug = replaceStrings [ " " ] [ "-" ] (toLower name);
-      filename = "${slug}.md";
-      page = showStore { inherit name slug; } storeInfo.${name};
-    })
-    (attrNames storeInfo);
+  storesList = map (name: rec {
+    inherit name;
+    slug = replaceStrings [ " " ] [ "-" ] (toLower name);
+    filename = "${slug}.md";
+    page = showStore { inherit name slug; } storeInfo.${name};
+  }) (attrNames storeInfo);
 
-in storesList
+in
+storesList

doc/manual/generate-store-types.nix

@@ -1,5 +1,11 @@
 let
-  inherit (builtins) attrNames listToAttrs concatStringsSep readFile replaceStrings;
+  inherit (builtins)
+    attrNames
+    listToAttrs
+    concatStringsSep
+    readFile
+    replaceStrings
+    ;
   showSettings = import <nix/generate-settings.nix>;
   showStoreDocs = import <nix/generate-store-info.nix>;
 in
@@ -14,26 +20,28 @@ let
 
   index =
     let
-      showEntry = store:
-        "- [${store.name}](./${store.filename})";
+      showEntry = store: "- [${store.name}](./${store.filename})";
     in
     concatStringsSep "\n" (map showEntry storesList);
 
-  "index.md" = replaceStrings
-    [ "@store-types@" ] [ index ]
-    (readFile ./source/store/types/index.md.in);
+  "index.md" =
+    replaceStrings [ "@store-types@" ] [ index ]
+      (readFile ./source/store/types/index.md.in);
 
   tableOfContents =
     let
-      showEntry = store:
-        "    - [${store.name}](store/types/${store.filename})";
+      showEntry = store: "    - [${store.name}](store/types/${store.filename})";
     in
     concatStringsSep "\n" (map showEntry storesList) + "\n";
 
   "SUMMARY.md" = tableOfContents;
 
-  storePages = listToAttrs
-    (map (s: { name = s.filename; value = s.page; }) storesList);
+  storePages = listToAttrs (
+    map (s: {
+      name = s.filename;
+      value = s.page;
+    }) storesList
+  );
 
 in
 storePages // { inherit "index.md" "SUMMARY.md"; }

doc/manual/generate-xp-features-shortlist.nix

@@ -2,8 +2,8 @@ with builtins;
 with import <nix/utils.nix>;
 
 let
-  showExperimentalFeature = name: doc:
-    ''
-      - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
-    '';
-in xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))
+  showExperimentalFeature = name: doc: ''
+    - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
+  '';
+in
+xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))

doc/manual/generate-xp-features.nix

@@ -2,7 +2,8 @@ with builtins;
 with import <nix/utils.nix>;
 
 let
-  showExperimentalFeature = name: doc:
+  showExperimentalFeature =
+    name: doc:
     squash ''
       ## [`${name}`]{#xp-feature-${name}}
 

doc/manual/meson.build

@@ -83,6 +83,7 @@ manual = custom_target(
     '''
         @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
         @0@ @INPUT1@ summary @2@ < @CURRENT_SOURCE_DIR@/source/SUMMARY.md.in > @2@/source/SUMMARY.md
+        sed -e 's|@version@|@3@|g' < @INPUT2@ > @2@/book.toml
         rsync -r --include='*.md' @CURRENT_SOURCE_DIR@/ @2@/
         (cd @2@; RUST_LOG=warn @1@ build -d @2@ 3>&2 2>&1 1>&3) | { grep -Fv "because fragment resolution isn't implemented" || :; } 3>&2 2>&1 1>&3
         rm -rf @2@/manual
@@ -92,12 +93,13 @@ manual = custom_target(
       python.full_path(),
       mdbook.full_path(),
       meson.current_build_dir(),
+      meson.project_version(),
     ),
   ],
   input : [
     generate_manual_deps,
     'substitute.py',
-    'book.toml',
+    'book.toml.in',
     'anchors.jq',
     'custom.css',
     nix3_cli_files,

doc/manual/package.nix

@@ -1,19 +1,20 @@
-{ lib
-, mkMesonDerivation
+{
+  lib,
+  mkMesonDerivation,
 
-, meson
-, ninja
-, lowdown
-, mdbook
-, mdbook-linkcheck
-, jq
-, python3
-, rsync
-, nix-cli
+  meson,
+  ninja,
+  lowdown-unsandboxed,
+  mdbook,
+  mdbook-linkcheck,
+  jq,
+  python3,
+  rsync,
+  nix-cli,
 
-# Configuration Options
+  # Configuration Options
 
-, version
+  version,
 }:
 
 let
@@ -25,24 +26,28 @@ mkMesonDerivation (finalAttrs: {
   inherit version;
 
   workDir = ./.;
-  fileset = fileset.difference
-    (fileset.unions [
-      ../../.version
-      # Too many different types of files to filter for now
-      ../../doc/manual
-      ./.
-    ])
-    # Do a blacklist instead
-    ../../doc/manual/package.nix;
+  fileset =
+    fileset.difference
+      (fileset.unions [
+        ../../.version
+        # Too many different types of files to filter for now
+        ../../doc/manual
+        ./.
+      ])
+      # Do a blacklist instead
+      ../../doc/manual/package.nix;
 
   # TODO the man pages should probably be separate
-  outputs = [ "out" "man" ];
+  outputs = [
+    "out"
+    "man"
+  ];
 
   # Hack for sake of the dev shell
   passthru.externalNativeBuildInputs = [
     meson
     ninja
-    (lib.getBin lowdown)
+    (lib.getBin lowdown-unsandboxed)
     mdbook
     mdbook-linkcheck
     jq
@@ -54,11 +59,10 @@ mkMesonDerivation (finalAttrs: {
     nix-cli
   ];
 
-  preConfigure =
-    ''
-      chmod u+w ./.version
-      echo ${finalAttrs.version} > ./.version
-    '';
+  preConfigure = ''
+    chmod u+w ./.version
+    echo ${finalAttrs.version} > ./.version
+  '';
 
   postInstall = ''
     mkdir -p ''$out/nix-support

doc/manual/redirects.js

@@ -346,6 +346,9 @@ const redirects = {
     "scoping-rules": "scoping.html",
     "string-literal": "string-literals.html",
   },
+  "language/derivations.md": {
+    "builder-execution": "store/drv/building.md#builder-execution",
+  },
   "installation/installing-binary.html": {
     "linux": "uninstall.html#linux",
     "macos": "uninstall.html#macos",
@@ -372,6 +375,7 @@ const redirects = {
   "glossary.html": {
     "gloss-local-store": "store/types/local-store.html",
     "gloss-chroot-store": "store/types/local-store.html",
+    "gloss-content-addressed-derivation": "#gloss-content-addressing-derivation",
   },
 };
 

doc/manual/rl-next/curl-cloexec.md

@@ -0,0 +1,10 @@
+---
+synopsis: Set FD_CLOEXEC on sockets created by curl
+issues: []
+prs: [12439]
+---
+
+
+Curl creates sockets without setting FD_CLOEXEC/SOCK_CLOEXEC, this can cause connections to remain open forever when using commands like `nix shell`
+
+This change sets the FD_CLOEXEC flag using a CURLOPT_SOCKOPTFUNCTION callback.

doc/manual/rl-next/git-lfs-support.md

@@ -0,0 +1,18 @@
+---
+synopsis: "Git LFS support"
+prs: [10153, 12468]
+---
+
+The Git fetcher now supports Large File Storage (LFS). This can be enabled by passing the attribute `lfs = true` to the fetcher, e.g.
+```console
+nix flake prefetch 'git+ssh://git@github.com/Apress/repo-with-large-file-storage.git?lfs=1'
+```
+
+A flake can also declare that it requires lfs to be enabled:
+```
+{
+  inputs.self.lfs = true;
+}
+```
+
+Author: [**@b-camacho**](https://github.com/b-camacho), [**@kip93**](https://github.com/kip93)

doc/manual/rl-next/nix-copy-flags.md

@@ -1,18 +0,0 @@
----
-synopsis: "`nix copy` supports `--profile` and `--out-link`"
-prs: [11657]
----
-
-The `nix copy` command now has flags `--profile` and `--out-link`, similar to `nix build`. `--profile` makes a profile point to the
-top-level store path, while `--out-link` create symlinks to the top-level store paths.
-
-For example, when updating the local NixOS system profile from a NixOS system closure on a remote machine, instead of
-```
-# nix copy --from ssh://server $path
-# nix build --profile /nix/var/nix/profiles/system $path
-```
-you can now do
-```
-# nix copy --from ssh://server --profile /nix/var/nix/profiles/system $path
-```
-The advantage is that this avoids a time window where *path* is not a garbage collector root, and so could be deleted by a concurrent `nix store gc` process.

doc/manual/rl-next/self-submodules-attr.md

@@ -0,0 +1,12 @@
+---
+synopsis: "`inputs.self.submodules` flake attribute"
+prs: [12421]
+---
+
+Flakes in Git repositories can now declare that they need Git submodules to be enabled:
+```
+{
+  inputs.self.submodules = true;
+}
+```
+Thus, it's no longer needed for the caller of the flake to pass `submodules = true`.

doc/manual/source/SUMMARY.md.in

@@ -22,6 +22,8 @@
   - [Store Object](store/store-object.md)
     - [Content-Addressing Store Objects](store/store-object/content-address.md)
   - [Store Path](store/store-path.md)
+  - [Store Derivation and Deriving Path](store/drv.md)
+  - [Building](store/building.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
 - [Nix Language](language/index.md)
@@ -130,6 +132,7 @@
   - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
+  - [Release 2.26 (2025-01-22)](release-notes/rl-2.26.md)
   - [Release 2.25 (2024-11-07)](release-notes/rl-2.25.md)
   - [Release 2.24 (2024-07-31)](release-notes/rl-2.24.md)
   - [Release 2.23 (2024-06-03)](release-notes/rl-2.23.md)

doc/manual/source/architecture/architecture.md

@@ -69,7 +69,7 @@ It can also execute build plans to produce new data, which are made available to
 A build plan itself is a series of *build tasks*, together with their build inputs.
 
 > **Important**
-> A build task in Nix is called [derivation](@docroot@/glossary.md#gloss-derivation).
+> A build task in Nix is called [store derivation](@docroot@/glossary.md#gloss-store-derivation).
 
 Each build task has a special build input executed as *build instructions* in order to perform the build.
 The result of a build task can be input to another build task.

doc/manual/source/command-ref/nix-collect-garbage.md

@@ -62,6 +62,15 @@ These options are for deleting old [profiles] prior to deleting unreachable [sto
   This is the equivalent of invoking [`nix-env --delete-generations <period>`](@docroot@/command-ref/nix-env/delete-generations.md#generations-time) on each found profile.
   See the documentation of that command for additional information about the *period* argument.
 
+  - <span id="opt-max-freed">[`--max-freed`](#opt-max-freed)</span> *bytes*
+
+<!-- duplication from https://github.com/NixOS/nix/blob/442a2623e48357ff72c77bb11cf2cf06d94d2f90/doc/manual/source/command-ref/nix-store/gc.md?plain=1#L39-L44 -->
+
+  Keep deleting paths until at least *bytes* bytes have been deleted,
+  then stop. The argument *bytes* can be followed by the
+  multiplicative suffix `K`, `M`, `G` or `T`, denoting KiB, MiB, GiB
+  or TiB units.
+  
 {{#include ./opt-common.md}}
 
 {{#include ./env-common.md}}

doc/manual/source/command-ref/nix-copy-closure.md

@@ -84,7 +84,7 @@ When using public key authentication, you can avoid typing the passphrase with `
 > Copy GNU Hello from a remote machine using a known store path, and run it:
 >
 > ```shell-session
-> $ storePath="$(nix-instantiate --eval '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath | tr -d '"')"
+> $ storePath="$(nix-instantiate --eval --raw '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath)"
 > $ nix-copy-closure --from alice@itchy.example.org "$storePath"
 > $ "$storePath"/bin/hello
 > Hello, world!

doc/manual/source/command-ref/nix-env/install.md

@@ -11,6 +11,7 @@
   [`--from-profile` *path*]
   [`--preserve-installed` | `-P`]
   [`--remove-all` | `-r`]
+  [`--priority` *priority*]
 
 # Description
 
@@ -21,11 +22,11 @@ It is based on the current generation of the active [profile](@docroot@/command-
 
 The arguments *args* map to store paths in a number of possible ways:
 
-- By default, *args* is a set of [derivation] names denoting derivations in the [default Nix expression].
+- By default, *args* is a set of names denoting derivations in the [default Nix expression].
   These are [realised], and the resulting output paths are installed.
   Currently installed derivations with a name equal to the name of a derivation being added are removed unless the option `--preserve-installed` is specified.
 
-  [derivation]: @docroot@/glossary.md#gloss-derivation
+  [derivation expression]: @docroot@/glossary.md#gloss-derivation-expression
   [default Nix expression]: @docroot@/command-ref/files/default-nix-expression.md
   [realised]: @docroot@/glossary.md#gloss-realise
 
@@ -61,11 +62,15 @@ The arguments *args* map to store paths in a number of possible ways:
   The derivations returned by those function calls are installed.
   This allows derivations to be specified in an unambiguous way, which is necessary if there are multiple derivations with the same name.
 
-- If *args* are [store derivations](@docroot@/glossary.md#gloss-store-derivation), then these are [realised], and the resulting output paths are installed.
+- If `--priority` *priority* is given, the priority of the derivations being installed is set to *priority*.
+  This can be used to override the priority of the derivations being installed.
+  This is useful if *args* are [store paths], which don't have any priority information.
 
-- If *args* are [store paths] that are not store derivations, then these are [realised] and installed.
+- If *args* are [store paths] that point to [store derivations][store derivation], then those store derivations are [realised], and the resulting output paths are installed.
 
-- By default all [outputs](@docroot@/language/derivations.md#attr-outputs) are installed for each [derivation].
+- If *args* are [store paths] that do not point to store derivations, then these are [realised] and installed.
+
+- By default all [outputs](@docroot@/language/derivations.md#attr-outputs) are installed for each [store derivation].
   This can be overridden by adding a `meta.outputsToInstall` attribute on the derivation listing a subset of the output names.
 
   Example:
@@ -117,6 +122,8 @@ The arguments *args* map to store paths in a number of possible ways:
   manifest.nix
   ```
 
+[store derivation]: @docroot@/glossary.md#gloss-store-derivation
+
 # Options
 
 - `--prebuilt-only` / `-b`
@@ -235,4 +242,3 @@ channel:
 ```console
 $ nix-env --file https://github.com/NixOS/nixpkgs/archive/nixos-14.12.tar.gz --install --attr firefox
 ```
-

doc/manual/source/command-ref/nix-env/query.md

@@ -125,7 +125,10 @@ derivation is shown unless `--no-name` is specified.
 
   - `--drv-path`
 
-    Print the path of the [store derivation](@docroot@/glossary.md#gloss-store-derivation).
+    Print the [store path] to the [store derivation].
+
+    [store path]: @docroot@/glossary.md#gloss-store-path
+    [store derivation]: @docroot@/glossary.md#gloss-derivation
 
   - `--out-path`
 

doc/manual/source/command-ref/nix-hash.md

@@ -67,7 +67,7 @@ md5sum`.
 - `--type` *hashAlgo*
 
   Use the specified cryptographic hash algorithm, which can be one of
-  `md5`, `sha1`, `sha256`, and `sha512`.
+  `blake3`, `md5`, `sha1`, `sha256`, and `sha512`.
 
 - `--to-base16`
 

doc/manual/source/command-ref/nix-instantiate.md

@@ -5,7 +5,7 @@
 # Synopsis
 
 `nix-instantiate`
-  [`--parse` | `--eval` [`--strict`] [`--json`] [`--xml`] ]
+  [`--parse` | `--eval` [`--strict`] [`--raw` | `--json` | `--xml`] ]
   [`--read-write-mode`]
   [`--arg` *name* *value*]
   [{`--attr`| `-A`} *attrPath*]
@@ -42,8 +42,8 @@ standard input.
 - `--eval`
 
   Just parse and evaluate the input files, and print the resulting
-  values on standard output. No instantiation of store derivations
-  takes place.
+  values on standard output.
+  Store derivations are not serialized and written to the store, but instead just hashed and discarded.
 
   > **Warning**
   >
@@ -102,6 +102,11 @@ standard input.
   > This option can cause non-termination, because lazy data
   > structures can be infinitely large.
 
+- `--raw`
+
+  When used with `--eval`, the evaluation result must be a string,
+  which is printed verbatim, without quoting, escaping or trailing newline.
+
 - `--json`
 
   When used with `--eval`, print the resulting value as an JSON

doc/manual/source/command-ref/nix-prefetch-url.md

@@ -42,7 +42,7 @@ the path of the downloaded file in the Nix store is also printed.
 - `--type` *hashAlgo*
 
   Use the specified cryptographic hash algorithm,
-  which can be one of `md5`, `sha1`, `sha256`, and `sha512`.
+  which can be one of `blake3`, `md5`, `sha1`, `sha256`, and `sha512`.
   The default is `sha256`.
 
 - `--print-path`

doc/manual/source/command-ref/nix-store/add-fixed.md

@@ -21,6 +21,9 @@ This operation has the following options:
   Use recursive instead of flat hashing mode, used when adding
   directories to the store.
 
+  *paths* that refer to symlinks are not dereferenced, but added to the store
+  as symlinks with the same target.
+
 {{#include ./opt-common.md}}
 
 {{#include ../opt-common.md}}

doc/manual/source/command-ref/nix-store/add.md

@@ -11,6 +11,9 @@
 The operation `--add` adds the specified paths to the Nix store. It
 prints the resulting paths in the Nix store on standard output.
 
+*paths* that refer to symlinks are not dereferenced, but added to the store
+as symlinks with the same target.
+
 {{#include ./opt-common.md}}
 
 {{#include ../opt-common.md}}

doc/manual/source/command-ref/nix-store/realise.md

@@ -15,7 +15,7 @@ Each of *paths* is processed as follows:
   1. If it is not [valid], substitute the store derivation file itself.
   2. Realise its [output paths]:
     - Try to fetch from [substituters] the [store objects] associated with the output paths in the store derivation's [closure].
-      - With [content-addressed derivations] (experimental):
+      - With [content-addressing derivations] (experimental):
         Determine the output paths to realise by querying content-addressed realisation entries in the [Nix database].
     - For any store paths that cannot be substituted, produce the required store objects:
       1. Realise all outputs of the derivation's dependencies
@@ -32,7 +32,7 @@ If no substitutes are available and no store derivation is given, realisation fa
 [store objects]: @docroot@/store/store-object.md
 [closure]: @docroot@/glossary.md#gloss-closure
 [substituters]: @docroot@/command-ref/conf-file.md#conf-substituters
-[content-addressed derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
+[content-addressing derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
 [Nix database]: @docroot@/glossary.md#gloss-nix-database
 
 The resulting paths are printed on standard output.

doc/manual/source/development/building.md

@@ -28,7 +28,7 @@ $ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
 
 > **Note**
 >
-> You can use `native-ccacheStdenvPackages` to drastically improve rebuild time.
+> You can use `native-ccacheStdenv` to drastically improve rebuild time.
 > By default, [ccache](https://ccache.dev) keeps artifacts in `~/.cache/ccache/`.
 
 To build Nix itself in this shell:
@@ -79,7 +79,7 @@ This shell also adds `./outputs/bin/nix` to your `$PATH` so you can run `nix` im
 To get a shell with one of the other [supported compilation environments](#compilation-environments):
 
 ```console
-$ nix develop .#native-clangStdenvPackages
+$ nix develop .#native-clangStdenv
 ```
 
 > **Note**
@@ -167,11 +167,13 @@ It is useful to perform multiple cross and native builds on the same source tree
 for example to ensure that better support for one platform doesn't break the build for another.
 Meson thankfully makes this very easy by confining all build products to the build directory --- one simple shares the source directory between multiple build directories, each of which contains the build for Nix to a different platform.
 
-Nixpkgs's `configurePhase` always chooses `build` in the current directory as the name and location of the build.
-This makes having multiple build directories slightly more inconvenient.
-The good news is that Meson/Ninja seem to cope well with relocating the build directory after it is created.
+Here's how to do that:
 
-Here's how to do that
+1. Instruct Nixpkgs's infra where we want Meson to put its build directory
+
+   ```bash
+   mesonBuildDir=build-my-variant-name
+   ```
 
 1. Configure as usual
 
@@ -179,24 +181,12 @@ Here's how to do that
    configurePhase
    ```
 
-2. Rename the build directory
-
-   ```bash
-   cd .. # since `configurePhase` cd'd inside
-   mv build build-linux # or whatever name we want
-   cd build-linux
-   ```
-
 3. Build as usual
 
    ```bash
    buildPhase
    ```
 
-> **N.B.**
-> [`nixpkgs#335818`](https://github.com/NixOS/nixpkgs/issues/335818) tracks giving `mesonConfigurePhase` proper support for custom build directories.
-> When it is fixed, we can simplify these instructions and then remove this notice.
-
 ## System type
 
 Nix uses a string with the following format to identify the *system type* or *platform* it runs on:
@@ -261,7 +251,8 @@ See [supported compilation environments](#compilation-environments) and instruct
 To use the LSP with your editor, you will want a `compile_commands.json` file telling `clangd` how we are compiling the code.
 Meson's configure always produces this inside the build directory.
 
-Configure your editor to use the `clangd` from the `.#native-clangStdenvPackages` shell. You can do that either by running it inside the development shell, or by using [nix-direnv](https://github.com/nix-community/nix-direnv) and [the appropriate editor plugin](https://github.com/direnv/direnv/wiki#editor-integration).
+Configure your editor to use the `clangd` from the `.#native-clangStdenv` shell.
+You can do that either by running it inside the development shell, or by using [nix-direnv](https://github.com/nix-community/nix-direnv) and [the appropriate editor plugin](https://github.com/direnv/direnv/wiki#editor-integration).
 
 > **Note**
 >
@@ -277,6 +268,8 @@ You may run the formatters as a one-off using:
 ./maintainers/format.sh
 ```
 
+### Pre-commit hooks
+
 If you'd like to run the formatters before every commit, install the hooks:
 
 ```
@@ -291,3 +284,30 @@ If it fails, run `git add --patch` to approve the suggestions _and commit again_
 To refresh pre-commit hook's config file, do the following:
 1. Exit the development shell and start it again by running `nix develop`.
 2. If you also use the pre-commit hook, also run `pre-commit-hooks-install` again.
+
+### VSCode
+
+Insert the following json into your `.vscode/settings.json` file to configure `nixfmt`.
+This will be picked up by the _Format Document_ command, `"editor.formatOnSave"`, etc.
+
+```json
+{
+  "nix.formatterPath": "nixfmt",
+  "nix.serverSettings": {
+    "nixd": {
+      "formatting": {
+        "command": [
+          "nixfmt"
+        ],
+      },
+    },
+    "nil": {
+      "formatting": {
+        "command": [
+          "nixfmt"
+        ],
+      },
+    },
+  },
+}
+```

doc/manual/source/development/debugging.md

@@ -2,6 +2,8 @@
 
 This section shows how to build and debug Nix with debug symbols enabled.
 
+Additionally, see [Testing Nix](./testing.md) for further instructions on how to debug Nix in the context of a unit test or functional test.
+
 ## Building Nix with Debug Symbols
 
 In the development shell, set the `mesonBuildType` environment variable to `debug` before configuring the build:
@@ -13,6 +15,15 @@ In the development shell, set the `mesonBuildType` environment variable to `debu
 Then, proceed to build Nix as described in [Building Nix](./building.md).
 This will build Nix with debug symbols, which are essential for effective debugging.
 
+It is also possible to build without debugging for faster build:
+
+```console
+[nix-shell]$ NIX_HARDENING_ENABLE=$(printLines $NIX_HARDENING_ENABLE | grep -v fortify)
+[nix-shell]$ export mesonBuildType=debug
+```
+
+(The first line is needed because `fortify` hardening requires at least some optimization.)
+
 ## Debugging the Nix Binary
 
 Obtain your preferred debugger within the development shell:

doc/manual/source/development/documentation.md

@@ -19,10 +19,11 @@ nix-build -E '(import ./.).packages.${builtins.currentSystem}.nix.doc'
 or
 
 ```console
-nix build .#nix^doc
+nix build .#nix-manual
 ```
 
-and open `./result-doc/share/doc/nix/manual/index.html`.
+and open `./result/share/doc/nix/manual/index.html`.
+
 
 To build the manual incrementally, [enter the development shell](./building.md) and run:
 

doc/manual/source/development/testing.md

@@ -87,7 +87,11 @@ A environment variables that Google Test accepts are also worth knowing:
 
    This is used to avoid logging passing tests.
 
-Putting the two together, one might run
+3. [`GTEST_BREAK_ON_FAILURE`](https://google.github.io/googletest/advanced.html#turning-assertion-failures-into-break-points)
+
+   This is used to create a debugger breakpoint when an assertion failure occurs.
+
+Putting the first two together, one might run
 
 ```bash
 GTEST_BRIEF=1 GTEST_FILTER='ErrorTraceTest.*' meson test nix-expr-tests -v
@@ -95,6 +99,22 @@ GTEST_BRIEF=1 GTEST_FILTER='ErrorTraceTest.*' meson test nix-expr-tests -v
 
 for short but comprensive output.
 
+### Debugging tests
+
+For debugging, it is useful to combine the third option above with Meson's [`--gdb`](https://mesonbuild.com/Unit-tests.html#other-test-options) flag:
+
+```bash
+GTEST_BRIEF=1 GTEST_FILTER='Group.my-failing-test' meson test nix-expr-tests --gdb
+```
+
+This will:
+
+1. Run the unit test with GDB
+
+2. Run just `Group.my-failing-test`
+
+3. Stop the program when the test fails, allowing the user to then issue arbitrary commands to GDB.
+
 ### Characterisation testing { #characaterisation-testing-unit }
 
 See [functional characterisation testing](#characterisation-testing-functional) for a broader discussion of characterisation testing.
@@ -144,7 +164,7 @@ $ checkPhase
 
 Sometimes it is useful to group related tests so they can be easily run together without running the entire test suite.
 Each test group is in a subdirectory of `tests`.
-For example, `tests/functional/ca/meson.build` defines a `ca` test group for content-addressed derivation outputs.
+For example, `tests/functional/ca/meson.build` defines a `ca` test group for content-addressing derivation outputs.
 
 That test group can be run like this:
 
@@ -213,10 +233,10 @@ edit it like so:
  bar
 ```
 
-Then, running the test with `./mk/debug-test.sh` will drop you into GDB once the script reaches that point:
+Then, running the test with [`--interactive`](https://mesonbuild.com/Unit-tests.html#other-test-options) will prevent Meson from hijacking the terminal so you can drop you into GDB once the script reaches that point:
 
 ```shell-session
-$ ./mk/debug-test.sh tests/functional/${testName}.sh
+$ meson test ${testName} --interactive
 ...
 + gdb blash blub
 GNU gdb (GDB) 12.1
@@ -297,7 +317,7 @@ Creating a Cachix cache for your installer tests and adding its authorisation to
   - `armv7l-linux`
   - `x86_64-darwin`
 
-- The `installer_test` job (which runs on `ubuntu-latest` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command.
+- The `installer_test` job (which runs on `ubuntu-24.04` and `macos-14`) will try to install Nix with the cached installer and run a trivial Nix command.
 
 ### One-time setup
 

doc/manual/source/glossary.md

@@ -13,37 +13,41 @@
 
     - [Content-Addressing File System Objects](@docroot@/store/file-system-object/content-address.md)
     - [Content-Addressing Store Objects](@docroot@/store/store-object/content-address.md)
-    - [content-addressed derivation](#gloss-content-addressed-derivation)
+    - [content-addressing derivation](#gloss-content-addressing-derivation)
 
   Software Heritage's writing on [*Intrinsic and Extrinsic identifiers*](https://www.softwareheritage.org/2020/07/09/intrinsic-vs-extrinsic-identifiers) is also a good introduction to the value of content-addressing over other referencing schemes.
 
   Besides content addressing, the Nix store also uses [input addressing](#gloss-input-addressed-store-object).
 
-- [derivation]{#gloss-derivation}
-
-  A description of a build task. The result of a derivation is a
-  store object. Derivations declared in Nix expressions are specified
-  using the [`derivation` primitive](./language/derivations.md). These are
-  translated into low-level *store derivations* (implicitly by
-  `nix-build`, or explicitly by `nix-instantiate`).
-
-  [derivation]: #gloss-derivation
-
 - [store derivation]{#gloss-store-derivation}
 
-  A [derivation] represented as a `.drv` file in the [store].
-  It has a [store path], like any [store object].
-  It is the [instantiated][instantiate] form of a derivation.
-
-  Example: `/nix/store/g946hcz4c8mdvq2g8vxx42z51qb71rvp-git-2.38.1.drv`
-
-  See [`nix derivation show`](./command-ref/new-cli/nix3-derivation-show.md) (experimental) for displaying the contents of store derivations.
+  A single build task.
+  See [Store Derivation](@docroot@/store/drv.md#store-derivation) for details.
 
   [store derivation]: #gloss-store-derivation
 
+- [derivation path]{#gloss-derivation-path}
+
+  A [store path] which uniquely identifies a [store derivation].
+
+  See [Referencing Store Derivations](@docroot@/store/drv.md#derivation-path) for details.
+
+  Not to be confused with [deriving path].
+
+  [derivation path]: #gloss-derivation-path
+
+- [derivation expression]{#gloss-derivation-expression}
+
+  A description of a [store derivation] in the Nix language.
+  The output(s) of a derivation are store objects.
+  Derivations are typically specified in Nix expressions using the [`derivation` primitive](./language/derivations.md).
+  These are translated into store layer *derivations* (implicitly by `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).
+
+  [derivation expression]: #gloss-derivation-expression
+
 - [instantiate]{#gloss-instantiate}, instantiation
 
-  Save an evaluated [derivation] as a [store derivation] in the Nix [store].
+  Translate a [derivation expression] into a [store derivation].
 
   See [`nix-instantiate`](./command-ref/nix-instantiate.md), which produces a store derivation from a Nix expression that evaluates to a derivation.
 
@@ -55,7 +59,7 @@
 
   This can be achieved by:
   - Fetching a pre-built [store object] from a [substituter]
-  - Running the [`builder`](@docroot@/language/derivations.md#attr-builder) executable as specified in the corresponding [derivation]
+  - Running the [`builder`](@docroot@/language/derivations.md#attr-builder) executable as specified in the corresponding [store derivation]
   - Delegating to a [remote machine](@docroot@/command-ref/conf-file.md#conf-builders) and retrieving the outputs
   <!-- TODO: link [running] to build process page, #8888 -->
 
@@ -65,7 +69,7 @@
 
   [realise]: #gloss-realise
 
-- [content-addressed derivation]{#gloss-content-addressed-derivation}
+- [content-addressing derivation]{#gloss-content-addressing-derivation}
 
   A derivation which has the
   [`__contentAddressed`](./language/advanced-attributes.md#adv-attr-__contentAddressed)
@@ -73,7 +77,7 @@
 
 - [fixed-output derivation]{#gloss-fixed-output-derivation} (FOD)
 
-  A [derivation] where a cryptographic hash of the [output] is determined in advance using the [`outputHash`](./language/advanced-attributes.md#adv-attr-outputHash) attribute, and where the [`builder`](@docroot@/language/derivations.md#attr-builder) executable has access to the network.
+  A [store derivation] where a cryptographic hash of the [output] is determined in advance using the [`outputHash`](./language/advanced-attributes.md#adv-attr-outputHash) attribute, and where the [`builder`](@docroot@/language/derivations.md#attr-builder) executable has access to the network.
 
 - [store]{#gloss-store}
 
@@ -130,7 +134,7 @@
 - [input-addressed store object]{#gloss-input-addressed-store-object}
 
   A store object produced by building a
-  non-[content-addressed](#gloss-content-addressed-derivation),
+  non-[content-addressed](#gloss-content-addressing-derivation),
   non-[fixed-output](#gloss-fixed-output-derivation)
   derivation.
 
@@ -138,7 +142,7 @@
 
   A [store object] which is [content-addressed](#gloss-content-address),
   i.e. whose [store path] is determined by its contents.
-  This includes derivations, the outputs of [content-addressed derivations](#gloss-content-addressed-derivation), and the outputs of [fixed-output derivations](#gloss-fixed-output-derivation).
+  This includes derivations, the outputs of [content-addressing derivations](#gloss-content-addressing-derivation), and the outputs of [fixed-output derivations](#gloss-fixed-output-derivation).
 
   See [Content-Addressing Store Objects](@docroot@/store/store-object/content-address.md) for details.
 
@@ -188,7 +192,7 @@
   >
   > The contents of a `.nix` file form a Nix expression.
 
-  Nix expressions specify [derivations][derivation], which are [instantiated][instantiate] into the Nix store as [store derivations][store derivation].
+  Nix expressions specify [derivation expressions][derivation expression], which are [instantiated][instantiate] into the Nix store as [store derivations][store derivation].
   These derivations can then be [realised][realise] to produce [outputs][output].
 
   > **Example**
@@ -230,14 +234,14 @@
 
 - [output]{#gloss-output}
 
-  A [store object] produced by a [derivation].
+  A [store object] produced by a [store derivation].
   See [the `outputs` argument to the `derivation` function](@docroot@/language/derivations.md#attr-outputs) for details.
 
   [output]: #gloss-output
 
 - [output path]{#gloss-output-path}
 
-  The [store path] to the [output] of a [derivation].
+  The [store path] to the [output] of a [store derivation].
 
   [output path]: #gloss-output-path
 
@@ -246,14 +250,11 @@
 
 - [deriving path]{#gloss-deriving-path}
 
-  Deriving paths are a way to refer to [store objects][store object] that ar not yet [realised][realise].
-  This is necessary because, in general and particularly for [content-addressed derivations][content-addressed derivation], the [output path] of an [output] is not known in advance.
-  There are two forms:
+  Deriving paths are a way to refer to [store objects][store object] that might not yet be [realised][realise].
 
-  - *constant*: just a [store path]
-    It can be made [valid][validity] by copying it into the store: from the evaluator, command line interface or another store.
+  See [Deriving Path](./store/drv.md#deriving-path) for details.
 
-  - *output*: a pair of a [store path] to a [derivation] and an [output] name.
+  Not to be confused with [derivation path].
 
 - [deriver]{#gloss-deriver}
 

doc/manual/source/installation/uninstall.md

@@ -160,6 +160,6 @@ which you may remove.
 To remove a [single-user installation](./installing-binary.md#single-user-installation) of Nix, run:
 
 ```console
-$ rm -rf /nix ~/.nix-channels ~/.nix-defexpr ~/.nix-profile
+rm -rf /nix ~/.nix-channels ~/.nix-defexpr ~/.nix-profile
 ```
 You might also want to manually remove references to Nix from your `~/.profile`.

doc/manual/source/language/advanced-attributes.md

@@ -192,7 +192,7 @@ Derivations can declare some infrequently used optional attributes.
     The [`convertHash`](@docroot@/language/builtins.md#builtins-convertHash) function shows how to convert between different encodings, and the [`nix-hash` command](../command-ref/nix-hash.md) has information about obtaining the hash for some contents, as well as converting to and from encodings.
 
     The `outputHashAlgo` attribute specifies the hash algorithm used to compute the hash.
-    It can currently be `"sha1"`, `"sha256"`, `"sha512"`, or `null`.
+    It can currently be `"blake3", "sha1"`, `"sha256"`, `"sha512"`, or `null`.
     `outputHashAlgo` can only be `null` when `outputHash` follows the SRI format.
 
     The `outputHashMode` attribute determines how the hash is computed.

doc/manual/source/language/derivations.md

@@ -1,9 +1,10 @@
 # Derivations
 
-The most important built-in function is `derivation`, which is used to describe a single derivation:
-a specification for running an executable on precisely defined input files to repeatably produce output files at uniquely determined file system paths.
+The most important built-in function is `derivation`, which is used to describe a single store-layer [store derivation].
+Consult the [store chapter](@docroot@/store/drv.md) for what a store derivation is;
+this section just concerns how to create one from the Nix language.
 
-It takes as input an attribute set, the attributes of which specify the inputs to the process.
+This builtin function takes as input an attribute set, the attributes of which specify the inputs to the process.
 It outputs an attribute set, and produces a [store derivation] as a side effect of evaluation.
 
 [store derivation]: @docroot@/glossary.md#gloss-store-derivation
@@ -15,7 +16,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 - [`name`]{#attr-name} ([String](@docroot@/language/types.md#type-string))
 
   A symbolic name for the derivation.
-  It is added to the [store path] of the corresponding [store derivation] as well as to its [output paths](@docroot@/glossary.md#gloss-output-path).
+  See [derivation outputs](@docroot@/store/drv.md#outputs) for what this is affects.
 
   [store path]: @docroot@/store/store-path.md
 
@@ -28,17 +29,12 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
   > }
   > ```
   >
-  > The store derivation's path will be `/nix/store/<hash>-hello.drv`.
+  > The derivation's path will be `/nix/store/<hash>-hello.drv`.
   > The [output](#attr-outputs) paths will be of the form `/nix/store/<hash>-hello[-<output>]`
 
 - [`system`]{#attr-system} ([String](@docroot@/language/types.md#type-string))
 
-  The system type on which the [`builder`](#attr-builder) executable is meant to be run.
-
-  A necessary condition for Nix to build derivations locally is that the `system` attribute matches the current [`system` configuration option].
-  It can automatically [build on other platforms](@docroot@/language/derivations.md#attr-builder) by forwarding build requests to other machines.
-
-  [`system` configuration option]: @docroot@/command-ref/conf-file.md#conf-system
+  See [system](@docroot@/store/drv.md#system).
 
   > **Example**
   >
@@ -68,7 +64,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 
 - [`builder`]{#attr-builder} ([Path](@docroot@/language/types.md#type-path) | [String](@docroot@/language/types.md#type-string))
 
-  Path to an executable that will perform the build.
+  See [builder](@docroot@/store/drv.md#builder).
 
   > **Example**
   >
@@ -117,7 +113,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 
   Default: `[ ]`
 
-  Command-line arguments to be passed to the [`builder`](#attr-builder) executable.
+  See [args](@docroot@/store/drv.md#args).
 
   > **Example**
   >
@@ -239,77 +235,3 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
       passed as an empty string.
 
 <!-- FIXME: add a section on output attributes -->
-
-## Builder execution
-
-The [`builder`](#attr-builder) is executed as follows:
-
-- A temporary directory is created under the directory specified by
-  `TMPDIR` (default `/tmp`) where the build will take place. The
-  current directory is changed to this directory.
-
-- The environment is cleared and set to the derivation attributes, as
-  specified above.
-
-- In addition, the following variables are set:
-
-  - `NIX_BUILD_TOP` contains the path of the temporary directory for
-    this build.
-
-  - Also, `TMPDIR`, `TEMPDIR`, `TMP`, `TEMP` are set to point to the
-    temporary directory. This is to prevent the builder from
-    accidentally writing temporary files anywhere else. Doing so
-    might cause interference by other processes.
-
-  - `PATH` is set to `/path-not-set` to prevent shells from
-    initialising it to their built-in default value.
-
-  - `HOME` is set to `/homeless-shelter` to prevent programs from
-    using `/etc/passwd` or the like to find the user's home
-    directory, which could cause impurity. Usually, when `HOME` is
-    set, it is used as the location of the home directory, even if
-    it points to a non-existent path.
-
-  - `NIX_STORE` is set to the path of the top-level Nix store
-    directory (typically, `/nix/store`).
-
-  - `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
-    is set to `true` for the derivation. A detailed explanation of this
-    behavior can be found in the
-    [section about structured attrs](./advanced-attributes.md#adv-attr-structuredAttrs).
-
-  - For each output declared in `outputs`, the corresponding
-    environment variable is set to point to the intended path in the
-    Nix store for that output. Each output path is a concatenation
-    of the cryptographic hash of all build inputs, the `name`
-    attribute and the output name. (The output name is omitted if
-    it’s `out`.)
-
-- If an output path already exists, it is removed. Also, locks are
-  acquired to prevent multiple Nix instances from performing the same
-  build at the same time.
-
-- A log of the combined standard output and error is written to
-  `/nix/var/log/nix`.
-
-- The builder is executed with the arguments specified by the
-  attribute `args`. If it exits with exit code 0, it is considered to
-  have succeeded.
-
-- The temporary directory is removed (unless the `-K` option was
-  specified).
-
-- If the build was successful, Nix scans each output path for
-  references to input paths by looking for the hash parts of the input
-  paths. Since these are potential runtime dependencies, Nix registers
-  them as dependencies of the output paths.
-
-- After the build, Nix sets the last-modified timestamp on all files
-  in the build result to 1 (00:00:01 1/1/1970 UTC), sets the group to
-  the default group, and sets the mode of the file to 0444 or 0555
-  (i.e., read-only, with execute permission enabled if the file was
-  originally executable). Note that possible `setuid` and `setgid`
-  bits are cleared. Setuid and setgid programs are not currently
-  supported by Nix. This is because the Nix archives used in
-  deployment have no concept of ownership information, and because it
-  makes the build result dependent on the user performing the build.

doc/manual/source/language/import-from-derivation.md

@@ -71,8 +71,9 @@ Boxes are data structures, arrow labels are transformations.
 |       evaluate       |             |                        |
 |          |           |             |                        |
 |          V           |             |                        |
-|    .------------.    |             |  .------------------.  |
-|    | derivation |----|-instantiate-|->| store derivation |  |
+|    .------------.    |             |                        |
+|    | derivation |    |             |  .------------------.  |
+|    | expression |----|-instantiate-|->| store derivation |  |
 |    '------------'    |             |  '------------------'  |
 |                      |             |           |            |
 |                      |             |        realise         |

doc/manual/source/language/string-interpolation.md

@@ -22,9 +22,9 @@ Rather than writing
 "--with-freetype2-library=" + freetype + "/lib"
 ```
 
-(where `freetype` is a [derivation]), you can instead write
+(where `freetype` is a [derivation expression]), you can instead write
 
-[derivation]: @docroot@/glossary.md#gloss-derivation
+[derivation expression]: @docroot@/glossary.md#gloss-derivation-expression
 
 ```nix
 "--with-freetype2-library=${freetype}/lib"
@@ -148,7 +148,7 @@ An expression that is interpolated must evaluate to one of the following:
   - `__toString` must be a function that takes the attribute set itself and returns a string
   - `outPath` must be a string
 
-  This includes [derivations](./derivations.md) or [flake inputs](@docroot@/command-ref/new-cli/nix3-flake.md#flake-inputs) (experimental).
+  This includes [derivation expressions](./derivations.md) or [flake inputs](@docroot@/command-ref/new-cli/nix3-flake.md#flake-inputs) (experimental).
 
 A string interpolates to itself.
 

doc/manual/source/protocols/derivation-aterm.md

@@ -1,6 +1,8 @@
 # Derivation "ATerm" file format
 
-For historical reasons, [derivations](@docroot@/glossary.md#gloss-store-derivation) are stored on-disk in [ATerm](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html) format.
+For historical reasons, [store derivations][store derivation] are stored on-disk in [ATerm](https://homepages.cwi.nl/~daybuild/daily-books/technology/aterm-guide/aterm-guide.html) format.
+
+## The ATerm format used
 
 Derivations are serialised in one of the following formats:
 
@@ -17,3 +19,20 @@ Derivations are serialised in one of the following formats:
   The only `version-string`s that are in use today are for [experimental features](@docroot@/development/experimental-features.md):
 
   - `"xp-dyn-drv"` for the [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations) experimental feature.
+
+## Use for encoding to store object
+
+When derivation is encoded to a [store object] we make the following choices:
+
+- The store path name is the derivation name with `.drv` suffixed at the end
+
+  Indeed, the ATerm format above does *not* contain the name of the derivation, on the assumption that a store path will also be provided out-of-band.
+
+- The derivation is content-addressed using the ["Text" method] of content-addressing derivations
+
+Currently we always encode derivations to store object using the ATerm format (and the previous two choices),
+but we reserve the option to encode new sorts of derivations differently in the future.
+
+[store derivation]: @docroot@/glossary.md#gloss-store-derivation
+[store object]: @docroot@/glossary.md#gloss-store-object
+["Text" method]: @docroot@/store/store-object/content-address.md#method-text

doc/manual/source/protocols/json/derivation.md

@@ -38,6 +38,7 @@ is a JSON object with the following fields:
     For an output which will be [content addresed], the name of the hash algorithm used.
     Valid algorithm strings are:
 
+    - `blake3`
     - `md5`
     - `sha1`
     - `sha256`

doc/manual/source/protocols/json/store-object-info.md

@@ -41,10 +41,10 @@ In other words, the same store object residing in different store could have dif
 
 * `deriver`:
 
-  If known, the path to the [derivation] from which this store object was produced.
+  If known, the path to the [store derivation] from which this store object was produced.
   Otherwise `null`.
 
-  [derivation]: @docroot@/glossary.md#gloss-store-derivation
+  [store derivation]: @docroot@/glossary.md#gloss-store-derivation
 
 * `registrationTime` (optional):
 

doc/manual/source/release-notes/rl-0.8.md

@@ -39,29 +39,29 @@ Nix 0.8 has the following improvements:
     notion of “closure store expressions” is gone (and so is the notion
     of “successors”); the file system references of a store path are now
     just stored in the database.
-    
+
     For instance, given any store path, you can query its closure:
-    
+
         $ nix-store -qR $(which firefox)
         ... lots of paths ...
-    
+
     Also, Nix now remembers for each store path the derivation that
     built it (the “deriver”):
-    
+
         $ nix-store -qR $(which firefox)
         /nix/store/4b0jx7vq80l9aqcnkszxhymsf1ffa5jd-firefox-1.0.1.drv
-    
+
     So to see the build-time dependencies, you can do
-    
+
         $ nix-store -qR $(nix-store -qd $(which firefox))
-    
+
     or, in a nicer format:
-    
+
         $ nix-store -q --tree $(nix-store -qd $(which firefox))
-    
+
     File system references are also stored in reverse. For instance, you
     can query all paths that directly or indirectly use a certain Glibc:
-    
+
         $ nix-store -q --referrers-closure \
             /nix/store/8lz9yc6zgmc0vlqmn2ipcpkjlmbi51vv-glibc-2.3.4
 
@@ -92,28 +92,28 @@ Nix 0.8 has the following improvements:
   - `nix-channel` has new operations `--list` and `--remove`.
 
   - New ways of installing components into user environments:
-    
+
       - Copy from another user environment:
-        
+
             $ nix-env -i --from-profile .../other-profile firefox
-    
+
       - Install a store derivation directly (bypassing the Nix
         expression language entirely):
-        
+
             $ nix-env -i /nix/store/z58v41v21xd3...-aterm-2.3.1.drv
-        
+
         (This is used to implement `nix-install-package`, which is
         therefore immune to evolution in the Nix expression language.)
-    
+
       - Install an already built store path directly:
-        
+
             $ nix-env -i /nix/store/hsyj5pbn0d9i...-aterm-2.3.1
-    
+
       - Install the result of a Nix expression specified as a
         command-line argument:
-        
+
             $ nix-env -f .../i686-linux.nix -i -E 'x: x.firefoxWrapper'
-        
+
         The difference with the normal installation mode is that `-E`
         does not use the `name` attributes of derivations. Therefore,
         this can be used to disambiguate multiple derivations with the
@@ -127,7 +127,7 @@ Nix 0.8 has the following improvements:
   - Implemented a concurrent garbage collector. It is now always safe to
     run the garbage collector, even if other Nix operations are
     happening simultaneously.
-    
+
     However, there can still be GC races if you use `nix-instantiate`
     and `nix-store
                     --realise` directly to build things. To prevent races, use the
@@ -147,13 +147,13 @@ Nix 0.8 has the following improvements:
 
   - The behaviour of the garbage collector can be changed globally by
     setting options in `/nix/etc/nix/nix.conf`.
-    
+
       - `gc-keep-derivations` specifies whether deriver links should be
         followed when searching for live paths.
-    
+
       - `gc-keep-outputs` specifies whether outputs of derivations
         should be followed when searching for live paths.
-    
+
       - `env-keep-derivations` specifies whether user environments
         should store the paths of derivations when they are added (thus
         keeping the derivations alive).

doc/manual/source/release-notes/rl-2.0.md

@@ -8,13 +8,13 @@ The following incompatible changes have been made:
     It has been superseded by the binary cache substituter mechanism
     since several years. As a result, the following programs have been
     removed:
-    
+
       - `nix-pull`
-    
+
       - `nix-generate-patches`
-    
+
       - `bsdiff`
-    
+
       - `bspatch`
 
   - The “copy from other stores” substituter mechanism
@@ -58,26 +58,26 @@ This release has the following new features:
     `nix-build`, `nix-shell -p`, `nix-env -qa`, `nix-instantiate
     --eval`, `nix-push` and `nix-copy-closure`. It has the following
     major features:
-    
+
       - Unlike the legacy commands, it has a consistent way to refer to
         packages and package-like arguments (like store paths). For
         example, the following commands all copy the GNU Hello package
         to a remote machine:
-        
+
             nix copy --to ssh://machine nixpkgs.hello
-        
+
             nix copy --to ssh://machine /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
-        
+
             nix copy --to ssh://machine '(with import <nixpkgs> {}; hello)'
-        
+
         By contrast, `nix-copy-closure` only accepted store paths as
         arguments.
-    
+
       - It is self-documenting: `--help` shows all available
         command-line arguments. If `--help` is given after a subcommand,
         it shows examples for that subcommand. `nix
                                                                         --help-config` shows all configuration options.
-    
+
       - It is much less verbose. By default, it displays a single-line
         progress indicator that shows how many packages are left to be
         built or downloaded, and (if there are running builds) the most
@@ -85,7 +85,7 @@ This release has the following new features:
         last few lines of builder output. The full build log can be
         retrieved using `nix
                                                                         log`.
-    
+
       - It
         [provides](https://github.com/NixOS/nix/commit/b8283773bd64d7da6859ed520ee19867742a03ba)
         all `nix.conf` configuration options as command line flags. For
@@ -93,122 +93,122 @@ This release has the following new features:
                                                                         http-connections 100` you can write `--http-connections 100`.
         Boolean options can be written as `--foo` or `--no-foo` (e.g.
         `--no-auto-optimise-store`).
-    
+
       - Many subcommands have a `--json` flag to write results to stdout
         in JSON format.
-    
+
     > **Warning**
-    > 
+    >
     > Please note that the `nix` command is a work in progress and the
     > interface is subject to change.
-    
+
     It provides the following high-level (“porcelain”) subcommands:
-    
+
       - `nix build` is a replacement for `nix-build`.
-    
+
       - `nix run` executes a command in an environment in which the
         specified packages are available. It is (roughly) a replacement
         for `nix-shell
                                                                         -p`. Unlike that command, it does not execute the command in a
         shell, and has a flag (`-c`) that specifies the unquoted command
         line to be executed.
-        
+
         It is particularly useful in conjunction with chroot stores,
         allowing Linux users who do not have permission to install Nix
         in `/nix/store` to still use binary substitutes that assume
         `/nix/store`. For example,
-        
+
             nix run --store ~/my-nix nixpkgs.hello -c hello --greeting 'Hi everybody!'
-        
+
         downloads (or if not substitutes are available, builds) the GNU
         Hello package into `~/my-nix/nix/store`, then runs `hello` in a
         mount namespace where `~/my-nix/nix/store` is mounted onto
         `/nix/store`.
-    
+
       - `nix search` replaces `nix-env
                                                                         -qa`. It searches the available packages for occurrences of a
         search string in the attribute name, package name or
         description. Unlike `nix-env -qa`, it has a cache to speed up
         subsequent searches.
-    
+
       - `nix copy` copies paths between arbitrary Nix stores,
         generalising `nix-copy-closure` and `nix-push`.
-    
+
       - `nix repl` replaces the external program `nix-repl`. It provides
         an interactive environment for evaluating and building Nix
         expressions. Note that it uses `linenoise-ng` instead of GNU
         Readline.
-    
+
       - `nix upgrade-nix` upgrades Nix to the latest stable version.
         This requires that Nix is installed in a profile. (Thus it won’t
         work on NixOS, or if it’s installed outside of the Nix store.)
-    
+
       - `nix verify` checks whether store paths are unmodified and/or
         “trusted” (see below). It replaces `nix-store --verify` and
         `nix-store
                                                                         --verify-path`.
-    
+
       - `nix log` shows the build log of a package or path. If the
         build log is not available locally, it will try to obtain it
         from the configured substituters (such as
         [cache.nixos.org](https://cache.nixos.org/), which now
         provides build logs).
-    
+
       - `nix edit` opens the source code of a package in your editor.
-    
+
       - `nix eval` replaces `nix-instantiate --eval`.
-    
+
       - `nix
                                                                         why-depends` shows why one store path has another in its
         closure. This is primarily useful to finding the causes of
         closure bloat. For example,
-        
+
             nix why-depends nixpkgs.vlc nixpkgs.libdrm.dev
-        
+
         shows a chain of files and fragments of file contents that cause
         the VLC package to have the “dev” output of `libdrm` in its
         closure — an undesirable situation.
-    
+
       - `nix path-info` shows information about store paths, replacing
         `nix-store -q`. A useful feature is the option `--closure-size`
         (`-S`). For example, the following command show the closure
         sizes of every path in the current NixOS system closure, sorted
         by size:
-        
+
             nix path-info -rS /run/current-system | sort -nk2
-    
+
       - `nix optimise-store` replaces `nix-store --optimise`. The main
         difference is that it has a progress indicator.
-    
+
     A number of low-level (“plumbing”) commands are also available:
-    
+
       - `nix ls-store` and `nix
                                                                         ls-nar` list the contents of a store path or NAR file. The
         former is primarily useful in conjunction with remote stores,
         e.g.
-        
+
             nix ls-store --store https://cache.nixos.org/ -lR /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
-        
+
         lists the contents of path in a binary cache.
-    
+
       - `nix cat-store` and `nix
                                                                         cat-nar` allow extracting a file from a store path or NAR file.
-    
+
       - `nix dump-path` writes the contents of a store path to stdout in
         NAR format. This replaces `nix-store --dump`.
-    
+
       - `nix
                                                                         show-derivation` displays a store derivation in JSON format.
         This is an alternative to `pp-aterm`.
-    
+
       - `nix
                                                                         add-to-store` replaces `nix-store
                                                                         --add`.
-    
+
       - `nix sign-paths` signs store paths.
-    
+
       - `nix copy-sigs` copies signatures from one store to another.
-    
+
       - `nix show-config` shows all configuration options and their
         current values.
 
@@ -224,11 +224,11 @@ This release has the following new features:
     `nix-copy-closure`, `nix-push` and substitution are all instances
     of the general notion of copying paths between different kinds of
     Nix stores.
-    
+
     Stores are specified using an URI-like syntax, e.g.
     <https://cache.nixos.org/> or <ssh://machine>. The following store
     types are supported:
-    
+
       - `LocalStore` (stori URI `local` or an absolute path) and the
         misnamed `RemoteStore` (`daemon`) provide access to a local Nix
         store, the latter via the Nix daemon. You can use `auto` or the
@@ -236,63 +236,63 @@ This release has the following new features:
         whether you have write permission to the Nix store. It is no
         longer necessary to set the `NIX_REMOTE` environment variable to
         use the Nix daemon.
-        
+
         As noted above, `LocalStore` now supports chroot builds,
         allowing the “physical” location of the Nix store (e.g.
         `/home/alice/nix/store`) to differ from its “logical” location
         (typically `/nix/store`). This allows non-root users to use Nix
         while still getting the benefits from prebuilt binaries from
         [cache.nixos.org](https://cache.nixos.org/).
-    
+
       - `BinaryCacheStore` is the abstract superclass of all binary
         cache stores. It supports writing build logs and NAR content
         listings in JSON format.
-    
+
       - `HttpBinaryCacheStore` (`http://`, `https://`) supports binary
         caches via HTTP or HTTPS. If the server supports `PUT` requests,
         it supports uploading store paths via commands such as `nix
                                                                         copy`.
-    
+
       - `LocalBinaryCacheStore` (`file://`) supports binary caches in
         the local filesystem.
-    
+
       - `S3BinaryCacheStore` (`s3://`) supports binary caches stored in
         Amazon S3, if enabled at compile time.
-    
+
       - `LegacySSHStore` (`ssh://`) is used to implement remote builds
         and `nix-copy-closure`.
-    
+
       - `SSHStore` (`ssh-ng://`) supports arbitrary Nix operations on a
         remote machine via the same protocol used by `nix-daemon`.
 
   - Security has been improved in various ways:
-    
+
       - Nix now stores signatures for local store paths. When paths are
         copied between stores (e.g., copied from a binary cache to a
         local store), signatures are propagated.
-        
+
         Locally-built paths are signed automatically using the secret
         keys specified by the `secret-key-files` store option.
         Secret/public key pairs can be generated using `nix-store
                                                                         --generate-binary-cache-key`.
-        
+
         In addition, locally-built store paths are marked as “ultimately
         trusted”, but this bit is not propagated when paths are copied
         between stores.
-    
+
       - Content-addressable store paths no longer require signatures —
         they can be imported into a store by unprivileged users even if
         they lack signatures.
-    
+
       - The command `nix verify` checks whether the specified paths are
         trusted, i.e., have a certain number of trusted signatures, are
         ultimately trusted, or are content-addressed.
-    
+
       - Substitutions from binary caches
         [now](https://github.com/NixOS/nix/commit/ecbc3fedd3d5bdc5a0e1a0a51b29062f2874ac8b)
         require signatures by default. This was already the case on
         NixOS.
-    
+
       - In Linux sandbox builds, we
         [now](https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b)
         use `/build` instead of `/tmp` as the temporary build directory.
@@ -309,7 +309,7 @@ This release has the following new features:
     hash or commit hash is specified. For example, calls to
     `builtins.fetchGit` are only allowed if a `rev` attribute is
     specified.
-    
+
     The goal of this feature is to enable true reproducibility and
     traceability of builds (including NixOS system configurations) at
     the evaluation level. For example, in the future, `nixos-rebuild`
@@ -367,21 +367,21 @@ This release has the following new features:
     log will be shown if a build fails.
 
   - Networking has been improved:
-    
+
       - HTTP/2 is now supported. This makes binary cache lookups [much
         more
         efficient](https://github.com/NixOS/nix/commit/90ad02bf626b885a5dd8967894e2eafc953bdf92).
-    
+
       - We now retry downloads on many HTTP errors, making binary caches
         substituters more resilient to temporary failures.
-    
+
       - HTTP credentials can now be configured via the standard `netrc`
         mechanism.
-    
+
       - If S3 support is enabled at compile time, <s3://> URIs are
         [supported](https://github.com/NixOS/nix/commit/9ff9c3f2f80ba4108e9c945bbfda2c64735f987b)
         in all places where Nix allows URIs.
-    
+
       - Brotli compression is now supported. In particular,
         [cache.nixos.org](https://cache.nixos.org/) build logs are now compressed
         using Brotli.
@@ -431,9 +431,9 @@ The Nix language has the following new features:
   - Derivation attributes can now reference the outputs of the
     derivation using the `placeholder` builtin function. For example,
     the attribute
-    
+
         configureFlags = "--prefix=${placeholder "out"} --includedir=${placeholder "dev"}";
-    
+
     will cause the `configureFlags` environment variable to contain the
     actual store paths corresponding to the `out` and `dev` outputs.
 
@@ -444,7 +444,7 @@ The following builtin functions are new or extended:
     Nixpkgs, which fetches at build time and cannot be used to fetch Nix
     expressions during evaluation. A typical use case is to import
     external NixOS modules from your configuration, e.g.
-    
+
         imports = [ (builtins.fetchGit https://github.com/edolstra/dwarffs + "/module.nix") ];
 
   - Similarly, `builtins.fetchMercurial` allows you to fetch Mercurial
@@ -485,7 +485,7 @@ The Nix build environment has the following changes:
     builder via the file `.attrs.json` in the builder’s temporary
     directory. This obviates the need for `passAsFile` since JSON files
     have no size restrictions, unlike process environments.
-    
+
     [As a convenience to Bash
     builders](https://github.com/NixOS/nix/commit/2d5b1b24bf70a498e4c0b378704cfdb6471cc699),
     Nix writes a script named `.attrs.sh` to the builder’s directory

doc/manual/source/release-notes/rl-2.26.md

@@ -0,0 +1,128 @@
+# Release 2.26.0 (2025-01-22)
+
+- Support for relative path inputs [#10089](https://github.com/NixOS/nix/pull/10089)
+
+  Flakes can now refer to other flakes in the same repository using relative paths, e.g.
+  ```nix
+  inputs.foo.url = "path:./foo";
+  ```
+  uses the flake in the `foo` subdirectory of the referring flake. For more information, see the documentation on [the `path` flake input type](@docroot@/command-ref/new-cli/nix3-flake.md#path-fetcher).
+
+  This feature required a change to the lock file format. Previous Nix versions will not be able to use lock files that have locks for relative path inputs in them.
+
+- Flake lock file generation now ignores local registries [#12019](https://github.com/NixOS/nix/pull/12019)
+
+  When resolving indirect flake references like `nixpkgs` in `flake.nix` files, Nix will no longer use the system and user flake registries. It will only use the global flake registry and overrides given on the command line via `--override-flake`.
+
+  This avoids accidents where users have local registry overrides that map `nixpkgs` to a `path:` flake in the local file system, which then end up in committed lock files pushed to other users.
+
+  In the future, we may remove the use of the registry during lock file generation altogether. It's better to explicitly specify the URL of a flake input. For example, instead of
+  ```nix
+  {
+    outputs = { self, nixpkgs }: { ... };
+  }
+  ```
+  write
+  ```nix
+  {
+    inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    outputs = { self, nixpkgs }: { ... };
+  }
+  ```
+
+- `nix copy` supports `--profile` and `--out-link` [#11657](https://github.com/NixOS/nix/pull/11657)
+
+  The `nix copy` command now has flags `--profile` and `--out-link`, similar to `nix build`. `--profile` makes a profile point to the
+  top-level store path, while `--out-link` create symlinks to the top-level store paths.
+
+  For example, when updating the local NixOS system profile from a NixOS system closure on a remote machine, instead of
+  ```
+  # nix copy --from ssh://server $path
+  # nix build --profile /nix/var/nix/profiles/system $path
+  ```
+  you can now do
+  ```
+  # nix copy --from ssh://server --profile /nix/var/nix/profiles/system $path
+  ```
+  The advantage is that this avoids a time window where *path* is not a garbage collector root, and so could be deleted by a concurrent `nix store gc` process.
+
+- `nix-instantiate --eval` now supports `--raw` [#12119](https://github.com/NixOS/nix/pull/12119)
+
+  The `nix-instantiate --eval` command now supports a `--raw` flag, when used
+  the evaluation result must be a string, which is printed verbatim without
+  quotation marks or escaping.
+
+- Improved `NIX_SSHOPTS` parsing for better SSH option handling [#5181](https://github.com/NixOS/nix/issues/5181) [#12020](https://github.com/NixOS/nix/pull/12020)
+
+  The parsing of the `NIX_SSHOPTS` environment variable has been improved to handle spaces and quotes correctly.
+  Previously, incorrectly split SSH options could cause failures in commands like `nix-copy-closure`,
+  especially when using complex SSH invocations such as `-o ProxyCommand="ssh -W %h:%p ..."`.
+
+  This change introduces a `shellSplitString` function to ensure
+  that `NIX_SSHOPTS` is parsed in a manner consistent with shell
+  behavior, addressing common parsing errors.
+
+  For example, the following now works as expected:
+
+  ```bash
+  export NIX_SSHOPTS='-o ProxyCommand="ssh -W %h:%p ..."'
+  ```
+
+  This update improves the reliability of SSH-related operations using `NIX_SSHOPTS` across Nix CLIs.
+
+- Nix is now built using Meson
+
+  As proposed in [RFC 132](https://github.com/NixOS/rfcs/pull/132), Nix's build system now uses Meson/Ninja. The old Make-based build system has been removed.
+
+- Evaluation caching now works for dirty Git workdirs [#11992](https://github.com/NixOS/nix/pull/11992)
+
+# Contributors
+
+This release was made possible by the following 45 contributors:
+
+- Anatoli Babenia [**(@abitrolly)**](https://github.com/abitrolly)
+- Domagoj Mišković [**(@allrealmsoflife)**](https://github.com/allrealmsoflife)
+- Yaroslav Bolyukin [**(@CertainLach)**](https://github.com/CertainLach)
+- bryango [**(@bryango)**](https://github.com/bryango)
+- tomberek [**(@tomberek)**](https://github.com/tomberek)
+- Matej Urbas [**(@mupdt)**](https://github.com/mupdt)
+- elikoga [**(@elikoga)**](https://github.com/elikoga)
+- wh0 [**(@wh0)**](https://github.com/wh0)
+- Félix [**(@picnoir)**](https://github.com/picnoir)
+- Valentin Gagarin [**(@fricklerhandwerk)**](https://github.com/fricklerhandwerk)
+- Gavin John [**(@Pandapip1)**](https://github.com/Pandapip1)
+- Travis A. Everett [**(@abathur)**](https://github.com/abathur)
+- Vladimir Panteleev [**(@CyberShadow)**](https://github.com/CyberShadow)
+- Ilja [**(@suruaku)**](https://github.com/suruaku)
+- Jason Yundt [**(@Jayman2000)**](https://github.com/Jayman2000)
+- Mike Kusold [**(@kusold)**](https://github.com/kusold)
+- Andy Hamon [**(@andrewhamon)**](https://github.com/andrewhamon)
+- Brian McKenna [**(@puffnfresh)**](https://github.com/puffnfresh)
+- Greg Curtis [**(@gcurtis)**](https://github.com/gcurtis)
+- Andrew Poelstra [**(@apoelstra)**](https://github.com/apoelstra)
+- Linus Heckemann [**(@lheckemann)**](https://github.com/lheckemann)
+- Tristan Ross [**(@RossComputerGuy)**](https://github.com/RossComputerGuy)
+- Dominique Martinet [**(@martinetd)**](https://github.com/martinetd)
+- h0nIg [**(@h0nIg)**](https://github.com/h0nIg)
+- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
+- Shahar "Dawn" Or [**(@mightyiam)**](https://github.com/mightyiam)
+- NAHO [**(@trueNAHO)**](https://github.com/trueNAHO)
+- Ryan Hendrickson [**(@rhendric)**](https://github.com/rhendric)
+- the-sun-will-rise-tomorrow [**(@the-sun-will-rise-tomorrow)**](https://github.com/the-sun-will-rise-tomorrow)
+- Connor Baker [**(@ConnorBaker)**](https://github.com/ConnorBaker)
+- Cole Helbling [**(@cole-h)**](https://github.com/cole-h)
+- Jack Wilsdon [**(@jackwilsdon)**](https://github.com/jackwilsdon)
+- ‮rekcäH nitraM‮ [**(@dwt)**](https://github.com/dwt)
+- Martin Fischer [**(@not-my-profile)**](https://github.com/not-my-profile)
+- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
+- Graham Christensen [**(@grahamc)**](https://github.com/grahamc)
+- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
+- Siddarth Kumar [**(@siddarthkay)**](https://github.com/siddarthkay)
+- Sergei Trofimovich [**(@trofi)**](https://github.com/trofi)
+- Robert Hensing [**(@roberth)**](https://github.com/roberth)
+- Mutsuha Asada [**(@momeemt)**](https://github.com/momeemt)
+- Parker Jones [**(@knotapun)**](https://github.com/knotapun)
+- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
+- dbdr [**(@dbdr)**](https://github.com/dbdr)
+- myclevorname [**(@myclevorname)**](https://github.com/myclevorname)
+- Philipp Otterbein

doc/manual/source/store/building.md

@@ -0,0 +1,97 @@
+# Building
+
+## Normalizing derivation inputs
+
+- Each input must be [realised] prior to building the derivation in question.
+
+[realised]: @docroot@/glossary.md#gloss-realise
+
+- Once this is done, the derivation is *normalized*, replacing each input deriving path with its store path, which we now know from realising the input.
+
+## Builder Execution
+
+The [`builder`](./drv.md#builder) is executed as follows:
+
+- A temporary directory is created under the directory specified by
+  `TMPDIR` (default `/tmp`) where the build will take place. The
+  current directory is changed to this directory.
+
+- The environment is cleared and set to the derivation attributes, as
+  specified above.
+
+- In addition, the following variables are set:
+
+  - `NIX_BUILD_TOP` contains the path of the temporary directory for
+    this build.
+
+  - Also, `TMPDIR`, `TEMPDIR`, `TMP`, `TEMP` are set to point to the
+    temporary directory. This is to prevent the builder from
+    accidentally writing temporary files anywhere else. Doing so
+    might cause interference by other processes.
+
+  - `PATH` is set to `/path-not-set` to prevent shells from
+    initialising it to their built-in default value.
+
+  - `HOME` is set to `/homeless-shelter` to prevent programs from
+    using `/etc/passwd` or the like to find the user's home
+    directory, which could cause impurity. Usually, when `HOME` is
+    set, it is used as the location of the home directory, even if
+    it points to a non-existent path.
+
+  - `NIX_STORE` is set to the path of the top-level Nix store
+    directory (typically, `/nix/store`).
+
+  - `NIX_ATTRS_JSON_FILE` & `NIX_ATTRS_SH_FILE` if `__structuredAttrs`
+    is set to `true` for the derivation. A detailed explanation of this
+    behavior can be found in the
+    [section about structured attrs](@docroot@/language/advanced-attributes.md#adv-attr-structuredAttrs).
+
+  - For each output declared in `outputs`, the corresponding
+    environment variable is set to point to the intended path in the
+    Nix store for that output. Each output path is a concatenation
+    of the cryptographic hash of all build inputs, the `name`
+    attribute and the output name. (The output name is omitted if
+    it’s `out`.)
+
+- If an output path already exists, it is removed. Also, locks are
+  acquired to prevent multiple Nix instances from performing the same
+  build at the same time.
+
+- A log of the combined standard output and error is written to
+  `/nix/var/log/nix`.
+
+- The builder is executed with the arguments specified by the
+  attribute `args`. If it exits with exit code 0, it is considered to
+  have succeeded.
+
+- The temporary directory is removed (unless the `-K` option was
+  specified).
+
+## Processing outputs
+
+If the builder exited successfully, the following steps happen in order to turn the output directories left behind by the builder into proper store objects:
+
+- **Normalize the file permissions**
+
+  Nix sets the last-modified timestamp on all files
+  in the build result to 1 (00:00:01 1/1/1970 UTC), sets the group to
+  the default group, and sets the mode of the file to 0444 or 0555
+  (i.e., read-only, with execute permission enabled if the file was
+  originally executable). Any possible `setuid` and `setgid`
+  bits are cleared.
+
+  > **Note**
+  >
+  > Setuid and setgid programs are not currently supported by Nix.
+  > This is because the Nix archives used in deployment have no concept of ownership information,
+  > and because it makes the build result dependent on the user performing the build.
+
+- **Calculate the references**
+
+  Nix scans each output path for
+  references to input paths by looking for the hash parts of the input
+  paths. Since these are potential runtime dependencies, Nix registers
+  them as dependencies of the output paths.
+
+  Nix also scans for references to other outputs' paths in the same way, because outputs are allowed to refer to each other.
+  If the outputs' references to each other form a cycle, this is an error, because the references of store objects much be acyclic.

doc/manual/source/store/drv.md

@@ -0,0 +1,310 @@
+# Store Derivation and Deriving Path
+
+Besides functioning as a [content addressed store] the Nix store layer works as a [build system].
+Other system (like Git or IPFS) also store and transfer immutable data, but they don't concern themselves with *how* that data was created.
+
+This is where Nix distinguishes itself.
+*Derivations* represent individual build steps, and *deriving paths* are needed to refer to the *outputs* of those build steps before they are built.
+<!-- The two concepts need to be introduced together because, as described below, each depends on the other. -->
+
+## Store Derivation {#store-derivation}
+
+A derivation is a specification for running an executable on precisely defined input files to repeatably produce output files at uniquely determined file system paths.
+
+A derivation consists of:
+
+ - A name
+
+ - A set of [*inputs*][inputs], a set of [deriving paths][deriving path]
+
+ - A map of [*outputs*][outputs], from names to other data
+
+ - The ["system" type][system] (e.g. `x86_64-linux`) where the executable is to run.
+
+ - The [process creation fields]: to spawn the arbitrary process which will perform the build step.
+
+[store derivation]: #store-derivation
+[inputs]: #inputs
+[input]: #inputs
+[outputs]: #outputs
+[output]: #outputs
+[process creation fields]: #process-creation-fields
+[builder]: #builder
+[args]: #args
+[env]: #env
+[system]: #system
+
+### Referencing derivations {#derivation-path}
+
+Derivations are always referred to by the [store path] of the store object they are encoded to.
+See the [encoding section](#derivation-encoding) for more details on how this encoding works, and thus what exactly what store path we would end up with for a given derivation.
+
+The store path of the store object which encodes a derivation is often called a *derivation path* for brevity.
+
+## Deriving path {#deriving-path}
+
+Deriving paths are a way to refer to [store objects][store object] that may or may not yet be [realised][realise].
+There are two forms:
+
+- [*constant*]{#deriving-path-constant}: just a [store path].
+  It can be made [valid][validity] by copying it into the store: from the evaluator, command line interface or another store.
+
+- [*output*]{#deriving-path-output}: a pair of a [store path] to a [store derivation] and an [output] name.
+
+In pseudo code:
+
+```typescript
+type OutputName = String;
+
+type ConstantPath = {
+  path: StorePath;
+};
+
+type OutputPath = {
+  drvPath: StorePath;
+  output: OutputName;
+};
+
+type DerivingPath = ConstantPath | OutputPath;
+```
+
+Deriving paths are necessary because, in general and particularly for [content-addressing derivations][content-addressing derivation], the [store path] of an [output] is not known in advance.
+We can use an output deriving path to refer to such an out, instead of the store path which we do not yet know.
+
+[deriving path]: #deriving-path
+[validity]: @docroot@/glossary.md#gloss-validity
+
+## Parts of a derivation
+
+A derivation is constructed from the parts documented in the following subsections.
+
+### Inputs {#inputs}
+
+The inputs are a set of [deriving paths][deriving path], refering to all store objects needed in order to perform this build step.
+
+The [process creation fields] will presumably include many [store paths][store path]:
+
+ - The path to the executable normally starts with a store path
+ - The arguments and environment variables likely contain many other store paths.
+
+But rather than somehow scanning all the other fields for inputs, Nix requires that all inputs be explicitly collected in the inputs field. It is instead the responsibility of the creator of a derivation (e.g. the evaluator) to  ensure that every store object referenced in another field (e.g. referenced by store path) is included in this inputs field.
+
+### Outputs {#outputs}
+
+The outputs are the derivations are the [store objects][store object] it is obligated to produce.
+
+Outputs are assigned names, and also consistent of other information based on the type of derivation.
+
+Output names can be any string which is also a valid [store path] name.
+The store path of the output store object (also called an [output path] for short), has a name based on the derivation name and the output name.
+In the general case, store paths have name `derivationName + "-" + outputName`.
+However, an output named "out" has a store path with name is just the derivation name.
+This is to allow derivations with a single output to avoid a superfluous `"-${outputName}"` in their single output's name when no disambiguation is needed.
+
+> **Example**
+>
+> A derivation is named `hello`, and has two outputs, `out`, and `dev`
+>
+> - The derivation's path will be: `/nix/store/<hash>-hello.drv`.
+>
+> - The store path of `out` will be: `/nix/store/<hash>-hello`.
+>
+> - The store path of `dev` will be: `/nix/store/<hash>-hello-dev`.
+
+### System {#system}
+
+The system type on which the [`builder`](#attr-builder) executable is meant to be run.
+
+A necessary condition for Nix to schedule a given derivation on some Nix instance is for the "system" of that derivation to match that instance's [`system` configuration option].
+
+By putting the `system` in each derivation, Nix allows *heterogenous* build plans, where not all steps can be run on the same machine or same sort of machine.
+Nix can schedule builds such that it automatically builds on other platforms by [forwarding build requests](@docroot@/advanced-topics/distributed-builds.md) to other Nix instances.
+
+[`system` configuration option]: @docroot@/command-ref/conf-file.md#conf-system
+
+[content-addressing derivation]: @docroot@/glossary.md#gloss-content-addressing-derivation
+[realise]: @docroot@/glossary.md#gloss-realise
+[store object]: @docroot@/store/store-object.md
+[store path]: @docroot@/store/store-path.md
+
+### Process creation fields {#process-creation-fields}
+
+These are the three fields which describe how to spawn the process which (along with any of its own child processes) will perform the build.
+You may note that this has everything needed for an `execve` system call.
+
+#### Builder {#builder}
+
+This is the path to an executable that will perform the build and produce the [outputs].
+
+#### Arguments {#args}
+
+Command-line arguments to be passed to the [`builder`](#builder) executable.
+
+Note that these are the arguments after the first argument.
+The first argument passed to the `builder` will be the value of `builder`, as per the usual convention on Unix.
+See [Wikipedia](https://en.wikipedia.org/wiki/Argv) for details.
+
+#### Environment Variables {#env}
+
+Environment variables which will be passed to the [builder](#builder) executable.
+
+### Placeholders
+
+Placeholders are opaque values used within the [process creation fields] to [store objects] for which we don't yet know [store path]s.
+They are strings in the form `/<hash>` that are embedded anywhere within the strings of those fields, and we are [considering](https://github.com/NixOS/nix/issues/12361) to add store-path-like placeholders.
+
+> **Note**
+>
+> Output Deriving Path exist to solve the same problem as placeholders --- that is, referring to store objects for which we don't yet know a store path.
+> They also have a string syntax with `^`, [described in the encoding section](#deriving-path-encoding).
+> We could use that syntax instead of `/<hash>` for placeholders, but its human-legibility would cause problems.
+
+There are two types of placeholder, corresponding to the two cases where this problem arises:
+
+- [Output placeholder]{#output-placeholder}:
+
+  This is a placeholder for a derivation's own output.
+
+- [Input placeholder]{#input-placeholder}:
+
+  This is a placeholder to a derivation's non-constant [input],
+  i.e. an input that is an [output derived path].
+
+> **Explanation**
+>
+> In general, we need to realise [realise] a [store object] in order to be sure to have a store object for it.
+> But for these two cases this is either impossible or impractical:
+>
+> - In the output case this is impossible:
+>
+>   We cannot build the output until we have a correct derivation, and we cannot have a correct derivation (without using placeholders) until we have the output path.
+>
+> - In the input case this is impractical:
+>
+>   If we always build a dependency first, and then refer to its output by store path, we would lose the ability for a derivation graph to describe an entire build plan consisting of multiple build steps.
+
+## Encoding
+
+### Derivation {#derivation-encoding}
+
+There are two formats, documented separately:
+
+- The legacy ["ATerm" format](@docroot@/protocols/derivation-aterm.md)
+
+- The experimental, currently under development and changing [JSON format](@docroot@/protocols/json/derivation.md)
+
+Every derivation has a canonical choice of encoding used to serialize it to a store object.
+This ensures that there is a canonical [store path] used to refer to the derivation, as described in [Referencing derivations](#derivation-path).
+
+> **Note**
+>
+> Currently, the canonical encoding for every derivation is the "ATerm" format,
+> but this is subject to change for types derivations which are not yet stable.
+
+Regardless of the format used, when serializing a derivation to a store object, that store object will be content-addressed.
+
+In the common case, the inputs to store objects are either:
+
+ - [constant deriving paths](#deriving-path-constant) for content-addressed source objects, which are "initial inputs" rather than the outputs of some other derivation
+
+ - the outputs of other derivations
+
+If those other derivations *also* abide by this common case (and likewise for transitive inputs), then the entire closure of the serialized derivation will be content-addressed.
+
+### Deriving Path {#deriving-path-encoding}
+
+- *constant*
+
+  Constant deriving paths are encoded simply as the underlying store path is.
+  Thus, we see that every encoded store path is also a valid encoded (constant) deriving path.
+
+- *output*
+
+  Output deriving paths are encoded by
+
+  - encoding of a store path referring to a derivation
+
+  - a `^` separator (or `!` in some legacy contexts)
+
+  - the name of an output of the previously referred derivation
+
+  > **Example**
+  >
+  > ```
+  > /nix/store/lxrn8v5aamkikg6agxwdqd1jz7746wz4-firefox-98.0.2.drv^out
+  > ```
+  >
+  > This parses like so:
+  >
+  > ```
+  > /nix/store/lxrn8v5aamkikg6agxwdqd1jz7746wz4-firefox-98.0.2.drv^out
+  > |------------------------------------------------------------| |-|
+  > store path (usual encoding)                                    output name
+  >                                                           |--|
+  >                                                           note the ".drv"
+  > ```
+
+## Extending the model to be higher-order
+
+**Experimental feature**: [`dynamic-derivations`](@docroot@/development/experimental-features.md#xp-feature-dynamic-derivations)
+
+So far, we have used store paths to refer to derivations.
+That works because we've implicitly assumed that all derivations are created *statically* --- created by some mechanism out of band, and then manually inserted into the store.
+But what if derivations could also be created dynamically within Nix?
+In other words, what if derivations could be the outputs of other derivations?
+
+:::{.note}
+In the parlance of "Build Systems à la carte", we are generalizing the Nix store layer to be a "Monadic" instead of "Applicative" build system.
+:::
+
+How should we refer to such derivations?
+A deriving path works, the same as how we refer to other derivation outputs.
+But what about a dynamic derivations output?
+(i.e. how do we refer to the output of an output of a derivation?)
+For that we need to generalize the definition of deriving path, replacing the store path used to refer to the derivation with a nested deriving path:
+
+```diff
+ type OutputPath = {
+-  drvPath: StorePath;
++  drvPath: DerivingPath;
+   output: OutputName;
+ };
+```
+
+Now, the `drvPath` field of `OutputPath` is itself a `DerivingPath` instead of a `StorePath`.
+
+With that change, here is updated definition:
+
+```typescript
+type OutputName = String;
+
+type ConstantPath = {
+  path: StorePath;
+};
+
+type OutputPath = {
+  drvPath: DerivingPath;
+  output: OutputName;
+};
+
+type DerivingPath = ConstantPath | OutputPath;
+```
+
+Under this extended model, `DerivingPath`s are thus inductively built up from a root `ConstantPath`, wrapped with zero or more outer `OutputPath`s.
+
+### Encoding {#deriving-path-encoding}
+
+The encoding is adjusted in the natural way, encoding the `drv` field recursively using the same deriving path encoding.
+The result of this is that it is possible to have a chain of `^<output-name>` at the end of the final string, as opposed to just a single one.
+
+> **Example**
+>
+> ```
+> /nix/store/lxrn8v5aamkikg6agxwdqd1jz7746wz4-firefox-98.0.2.drv^foo.drv^bar.drv^out
+> |----------------------------------------------------------------------------| |-|
+> inner deriving path (usual encoding)                                           output name
+> |--------------------------------------------------------------------| |-----|
+> even more inner deriving path (usual encoding)                         output name
+> |------------------------------------------------------------| |-----|
+> innermost constant store path (usual encoding)                 output name
+> ```

doc/manual/utils.nix

@@ -11,10 +11,15 @@ rec {
 
   concatStrings = concatStringsSep "";
 
-  attrsToList = a:
-    map (name: { inherit name; value = a.${name}; }) (builtins.attrNames a);
+  attrsToList =
+    a:
+    map (name: {
+      inherit name;
+      value = a.${name};
+    }) (builtins.attrNames a);
 
-  replaceStringsRec = from: to: string:
+  replaceStringsRec =
+    from: to: string:
     # recursively replace occurrences of `from` with `to` within `string`
     # example:
     #     replaceStringRec "--" "-" "hello-----world"
@@ -22,16 +27,18 @@ rec {
     let
       replaced = replaceStrings [ from ] [ to ] string;
     in
-      if replaced == string then string else replaceStringsRec from to replaced;
+    if replaced == string then string else replaceStringsRec from to replaced;
 
   toLower = replaceStrings upperChars lowerChars;
 
   squash = replaceStringsRec "\n\n\n" "\n\n";
 
-  trim = string:
+  trim =
+    string:
     # trim trailing spaces and squash non-leading spaces
     let
-      trimLine = line:
+      trimLine =
+        line:
         let
           # separate leading spaces from the rest
           parts = split "(^ *)" line;
@@ -39,19 +46,30 @@ rec {
           rest = elemAt parts 2;
           # drop trailing spaces
           body = head (split " *$" rest);
-        in spaces + replaceStringsRec "  " " " body;
-    in concatStringsSep "\n" (map trimLine (splitLines string));
+        in
+        spaces + replaceStringsRec "  " " " body;
+    in
+    concatStringsSep "\n" (map trimLine (splitLines string));
 
   # FIXME: O(n^2)
-  unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [];
+  unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [ ];
 
   nameValuePair = name: value: { inherit name value; };
 
-  filterAttrs = pred: set:
-    listToAttrs (concatMap (name: let v = set.${name}; in if pred name v then [(nameValuePair name v)] else []) (attrNames set));
+  filterAttrs =
+    pred: set:
+    listToAttrs (
+      concatMap (
+        name:
+        let
+          v = set.${name};
+        in
+        if pred name v then [ (nameValuePair name v) ] else [ ]
+      ) (attrNames set)
+    );
 
   optionalString = cond: string: if cond then string else "";
 
-  indent = prefix: s:
-    concatStringsSep "\n" (map (x: if x == "" then x else "${prefix}${x}") (splitLines s));
+  indent =
+    prefix: s: concatStringsSep "\n" (map (x: if x == "" then x else "${prefix}${x}") (splitLines s));
 }

docker.nix

@@ -1,112 +1,113 @@
-{ pkgs ? import <nixpkgs> { }
-, lib ? pkgs.lib
-, name ? "nix"
-, tag ? "latest"
-, bundleNixpkgs ? true
-, channelName ? "nixpkgs"
-, channelURL ? "https://nixos.org/channels/nixpkgs-unstable"
-, extraPkgs ? []
-, maxLayers ? 100
-, nixConf ? {}
-, flake-registry ? null
-, uid ? 0
-, gid ? 0
-, uname ? "root"
-, gname ? "root"
+{
+  pkgs ? import <nixpkgs> { },
+  lib ? pkgs.lib,
+  name ? "nix",
+  tag ? "latest",
+  bundleNixpkgs ? true,
+  channelName ? "nixpkgs",
+  channelURL ? "https://nixos.org/channels/nixpkgs-unstable",
+  extraPkgs ? [ ],
+  maxLayers ? 100,
+  nixConf ? { },
+  flake-registry ? null,
+  uid ? 0,
+  gid ? 0,
+  uname ? "root",
+  gname ? "root",
 }:
 let
-  defaultPkgs = with pkgs; [
-    nix
-    bashInteractive
-    coreutils-full
-    gnutar
-    gzip
-    gnugrep
-    which
-    curl
-    less
-    wget
-    man
-    cacert.out
-    findutils
-    iana-etc
-    git
-    openssh
-  ] ++ extraPkgs;
+  defaultPkgs =
+    with pkgs;
+    [
+      nix
+      bashInteractive
+      coreutils-full
+      gnutar
+      gzip
+      gnugrep
+      which
+      curl
+      less
+      wget
+      man
+      cacert.out
+      findutils
+      iana-etc
+      git
+      openssh
+    ]
+    ++ extraPkgs;
 
-  users = {
+  users =
+    {
 
-    root = {
-      uid = 0;
-      shell = "${pkgs.bashInteractive}/bin/bash";
-      home = "/root";
-      gid = 0;
-      groups = [ "root" ];
-      description = "System administrator";
+      root = {
+        uid = 0;
+        shell = "${pkgs.bashInteractive}/bin/bash";
+        home = "/root";
+        gid = 0;
+        groups = [ "root" ];
+        description = "System administrator";
+      };
+
+      nobody = {
+        uid = 65534;
+        shell = "${pkgs.shadow}/bin/nologin";
+        home = "/var/empty";
+        gid = 65534;
+        groups = [ "nobody" ];
+        description = "Unprivileged account (don't use!)";
+      };
+
+    }
+    // lib.optionalAttrs (uid != 0) {
+      "${uname}" = {
+        uid = uid;
+        shell = "${pkgs.bashInteractive}/bin/bash";
+        home = "/home/${uname}";
+        gid = gid;
+        groups = [ "${gname}" ];
+        description = "Nix user";
+      };
+    }
+    // lib.listToAttrs (
+      map (n: {
+        name = "nixbld${toString n}";
+        value = {
+          uid = 30000 + n;
+          gid = 30000;
+          groups = [ "nixbld" ];
+          description = "Nix build user ${toString n}";
+        };
+      }) (lib.lists.range 1 32)
+    );
+
+  groups =
+    {
+      root.gid = 0;
+      nixbld.gid = 30000;
+      nobody.gid = 65534;
+    }
+    // lib.optionalAttrs (gid != 0) {
+      "${gname}".gid = gid;
     };
 
-    nobody = {
-      uid = 65534;
-      shell = "${pkgs.shadow}/bin/nologin";
-      home = "/var/empty";
-      gid = 65534;
-      groups = [ "nobody" ];
-      description = "Unprivileged account (don't use!)";
-    };
-
-  } // lib.optionalAttrs (uid != 0) {
-    "${uname}" = {
-      uid = uid;
-      shell = "${pkgs.bashInteractive}/bin/bash";
-      home = "/home/${uname}";
-      gid = gid;
-      groups = [ "${gname}" ];
-      description = "Nix user";
-    };
-  } // lib.listToAttrs (
-    map
-      (
-        n: {
-          name = "nixbld${toString n}";
-          value = {
-            uid = 30000 + n;
-            gid = 30000;
-            groups = [ "nixbld" ];
-            description = "Nix build user ${toString n}";
-          };
-        }
-      )
-      (lib.lists.range 1 32)
-  );
-
-  groups = {
-    root.gid = 0;
-    nixbld.gid = 30000;
-    nobody.gid = 65534;
-  } // lib.optionalAttrs (gid != 0) {
-    "${gname}".gid = gid;
-  };
-
   userToPasswd = (
     k:
-    { uid
-    , gid ? 65534
-    , home ? "/var/empty"
-    , description ? ""
-    , shell ? "/bin/false"
-    , groups ? [ ]
-    }: "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
-  );
-  passwdContents = (
-    lib.concatStringsSep "\n"
-      (lib.attrValues (lib.mapAttrs userToPasswd users))
+    {
+      uid,
+      gid ? 65534,
+      home ? "/var/empty",
+      description ? "",
+      shell ? "/bin/false",
+      groups ? [ ],
+    }:
+    "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
   );
+  passwdContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs userToPasswd users)));
 
   userToShadow = k: { ... }: "${k}:!:1::::::";
-  shadowContents = (
-    lib.concatStringsSep "\n"
-      (lib.attrValues (lib.mapAttrs userToShadow users))
-  );
+  shadowContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs userToShadow users)));
 
   # Map groups to members
   # {
@@ -116,42 +117,35 @@ let
     let
       # Create a flat list of user/group mappings
       mappings = (
-        builtins.foldl'
-          (
-            acc: user:
-              let
-                groups = users.${user}.groups or [ ];
-              in
-              acc ++ map
-                (group: {
-                  inherit user group;
-                })
-                groups
-          )
-          [ ]
-          (lib.attrNames users)
+        builtins.foldl' (
+          acc: user:
+          let
+            groups = users.${user}.groups or [ ];
+          in
+          acc
+          ++ map (group: {
+            inherit user group;
+          }) groups
+        ) [ ] (lib.attrNames users)
       );
     in
-    (
-      builtins.foldl'
-        (
-          acc: v: acc // {
-            ${v.group} = acc.${v.group} or [ ] ++ [ v.user ];
-          }
-        )
-        { }
-        mappings)
+    (builtins.foldl' (
+      acc: v:
+      acc
+      // {
+        ${v.group} = acc.${v.group} or [ ] ++ [ v.user ];
+      }
+    ) { } mappings)
   );
 
-  groupToGroup = k: { gid }:
+  groupToGroup =
+    k:
+    { gid }:
     let
       members = groupMemberMap.${k} or [ ];
     in
     "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
-  groupContents = (
-    lib.concatStringsSep "\n"
-      (lib.attrValues (lib.mapAttrs groupToGroup groups))
-  );
+  groupContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs groupToGroup groups)));
 
   defaultNixConf = {
     sandbox = "false";
@@ -159,11 +153,17 @@ let
     trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
   };
 
-  nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v:
-    let
-      vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
-    in
-      "${n} = ${vStr}") (defaultNixConf // nixConf))) + "\n";
+  nixConfContents =
+    (lib.concatStringsSep "\n" (
+      lib.mapAttrsFlatten (
+        n: v:
+        let
+          vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
+        in
+        "${n} = ${vStr}"
+      ) (defaultNixConf // nixConf)
+    ))
+    + "\n";
 
   userHome = if uid == 0 then "/root" else "/home/${uname}";
 
@@ -184,21 +184,29 @@ let
       manifest = pkgs.buildPackages.runCommand "manifest.nix" { } ''
         cat > $out <<EOF
         [
-        ${lib.concatStringsSep "\n" (builtins.map (drv: let
-          outputs = drv.outputsToInstall or [ "out" ];
-        in ''
-          {
-            ${lib.concatStringsSep "\n" (builtins.map (output: ''
-              ${output} = { outPath = "${lib.getOutput output drv}"; };
-            '') outputs)}
-            outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
-            name = "${drv.name}";
-            outPath = "${drv}";
-            system = "${drv.system}";
-            type = "derivation";
-            meta = { };
-          }
-        '') defaultPkgs)}
+        ${lib.concatStringsSep "\n" (
+          builtins.map (
+            drv:
+            let
+              outputs = drv.outputsToInstall or [ "out" ];
+            in
+            ''
+              {
+                ${lib.concatStringsSep "\n" (
+                  builtins.map (output: ''
+                    ${output} = { outPath = "${lib.getOutput output drv}"; };
+                  '') outputs
+                )}
+                outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
+                name = "${drv.name}";
+                outPath = "${drv}";
+                system = "${drv.system}";
+                type = "derivation";
+                meta = { };
+              }
+            ''
+          ) defaultPkgs
+        )}
         ]
         EOF
       '';
@@ -207,16 +215,22 @@ let
         cp -a ${rootEnv}/* $out/
         ln -s ${manifest} $out/manifest.nix
       '';
-      flake-registry-path = if (flake-registry == null) then
-        null
-      else if (builtins.readFileType (toString flake-registry)) == "directory" then
-        "${flake-registry}/flake-registry.json"
-      else
-        flake-registry;
+      flake-registry-path =
+        if (flake-registry == null) then
+          null
+        else if (builtins.readFileType (toString flake-registry)) == "directory" then
+          "${flake-registry}/flake-registry.json"
+        else
+          flake-registry;
     in
     pkgs.runCommand "base-system"
       {
-        inherit passwdContents groupContents shadowContents nixConfContents;
+        inherit
+          passwdContents
+          groupContents
+          shadowContents
+          nixConfContents
+          ;
         passAsFile = [
           "passwdContents"
           "groupContents"
@@ -225,67 +239,79 @@ let
         ];
         allowSubstitutes = false;
         preferLocalBuild = true;
-      } (''
-      env
-      set -x
-      mkdir -p $out/etc
+      }
+      (
+        ''
+          env
+          set -x
+          mkdir -p $out/etc
 
-      mkdir -p $out/etc/ssl/certs
-      ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
+          mkdir -p $out/etc/ssl/certs
+          ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
 
-      cat $passwdContentsPath > $out/etc/passwd
-      echo "" >> $out/etc/passwd
+          cat $passwdContentsPath > $out/etc/passwd
+          echo "" >> $out/etc/passwd
 
-      cat $groupContentsPath > $out/etc/group
-      echo "" >> $out/etc/group
+          cat $groupContentsPath > $out/etc/group
+          echo "" >> $out/etc/group
 
-      cat $shadowContentsPath > $out/etc/shadow
-      echo "" >> $out/etc/shadow
+          cat $shadowContentsPath > $out/etc/shadow
+          echo "" >> $out/etc/shadow
 
-      mkdir -p $out/usr
-      ln -s /nix/var/nix/profiles/share $out/usr/
+          mkdir -p $out/usr
+          ln -s /nix/var/nix/profiles/share $out/usr/
 
-      mkdir -p $out/nix/var/nix/gcroots
+          mkdir -p $out/nix/var/nix/gcroots
 
-      mkdir $out/tmp
+          mkdir $out/tmp
 
-      mkdir -p $out/var/tmp
+          mkdir -p $out/var/tmp
 
-      mkdir -p $out/etc/nix
-      cat $nixConfContentsPath > $out/etc/nix/nix.conf
+          mkdir -p $out/etc/nix
+          cat $nixConfContentsPath > $out/etc/nix/nix.conf
 
-      mkdir -p $out${userHome}
-      mkdir -p $out/nix/var/nix/profiles/per-user/${uname}
+          mkdir -p $out${userHome}
+          mkdir -p $out/nix/var/nix/profiles/per-user/${uname}
 
-      ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
-      ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
-      ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile
+          ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
+          ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
+          ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile
 
-      ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link
-      ln -s /nix/var/nix/profiles/per-user/${uname}/channels-1-link $out/nix/var/nix/profiles/per-user/${uname}/channels
+          ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link
+          ln -s /nix/var/nix/profiles/per-user/${uname}/channels-1-link $out/nix/var/nix/profiles/per-user/${uname}/channels
 
-      mkdir -p $out${userHome}/.nix-defexpr
-      ln -s /nix/var/nix/profiles/per-user/${uname}/channels $out${userHome}/.nix-defexpr/channels
-      echo "${channelURL} ${channelName}" > $out${userHome}/.nix-channels
+          mkdir -p $out${userHome}/.nix-defexpr
+          ln -s /nix/var/nix/profiles/per-user/${uname}/channels $out${userHome}/.nix-defexpr/channels
+          echo "${channelURL} ${channelName}" > $out${userHome}/.nix-channels
 
-      mkdir -p $out/bin $out/usr/bin
-      ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
-      ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
+          mkdir -p $out/bin $out/usr/bin
+          ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
+          ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
 
-    '' + (lib.optionalString (flake-registry-path != null) ''
-      nixCacheDir="${userHome}/.cache/nix"
-      mkdir -p $out$nixCacheDir
-      globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
-      ln -s ${flake-registry-path} $out$globalFlakeRegistryPath
-      mkdir -p $out/nix/var/nix/gcroots/auto
-      rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath))
-      ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName
-    ''));
+        ''
+        + (lib.optionalString (flake-registry-path != null) ''
+          nixCacheDir="${userHome}/.cache/nix"
+          mkdir -p $out$nixCacheDir
+          globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
+          ln -s ${flake-registry-path} $out$globalFlakeRegistryPath
+          mkdir -p $out/nix/var/nix/gcroots/auto
+          rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath))
+          ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName
+        '')
+      );
 
 in
 pkgs.dockerTools.buildLayeredImageWithNixDb {
 
-  inherit name tag maxLayers uid gid uname gname;
+  inherit
+    name
+    tag
+    maxLayers
+    uid
+    gid
+    uname
+    gname
+    ;
 
   contents = [ baseSystem ];
 
@@ -305,15 +331,19 @@ pkgs.dockerTools.buildLayeredImageWithNixDb {
     User = "${toString uid}:${toString gid}";
     Env = [
       "USER=${uname}"
-      "PATH=${lib.concatStringsSep ":" [
-        "${userHome}/.nix-profile/bin"
-        "/nix/var/nix/profiles/default/bin"
-        "/nix/var/nix/profiles/default/sbin"
-      ]}"
-      "MANPATH=${lib.concatStringsSep ":" [
-        "${userHome}/.nix-profile/share/man"
-        "/nix/var/nix/profiles/default/share/man"
-      ]}"
+      "PATH=${
+        lib.concatStringsSep ":" [
+          "${userHome}/.nix-profile/bin"
+          "/nix/var/nix/profiles/default/bin"
+          "/nix/var/nix/profiles/default/sbin"
+        ]
+      }"
+      "MANPATH=${
+        lib.concatStringsSep ":" [
+          "${userHome}/.nix-profile/share/man"
+          "/nix/var/nix/profiles/default/share/man"
+        ]
+      }"
       "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
       "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
       "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"

flake.lock

@@ -3,11 +3,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
         "type": "github"
       },
       "original": {
@@ -23,11 +23,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1719994518,
-        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
+        "lastModified": 1733312601,
+        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
+        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
         "type": "github"
       },
       "original": {
@@ -48,11 +48,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1721042469,
-        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
+        "lastModified": 1734279981,
+        "narHash": "sha256-NdaCraHPp8iYMWzdXAt5Nv6sA3MUzlCiGiR586TCwo0=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
+        "rev": "aa9f40c906904ebd83da78e7f328cd8aeaeae785",
         "type": "github"
       },
       "original": {
@@ -61,35 +61,18 @@
         "type": "github"
       }
     },
-    "libgit2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1715853528,
-        "narHash": "sha256-J2rCxTecyLbbDdsyBWn9w7r3pbKRMkI9E7RvRgAqBdY=",
-        "owner": "libgit2",
-        "repo": "libgit2",
-        "rev": "36f7e21ad757a3dacc58cf7944329da6bc1d6e96",
-        "type": "github"
-      },
-      "original": {
-        "owner": "libgit2",
-        "ref": "v1.8.1",
-        "repo": "libgit2",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1723688146,
-        "narHash": "sha256-sqLwJcHYeWLOeP/XoLwAtYjr01TISlkOfz+NG82pbdg=",
+        "lastModified": 1734359947,
+        "narHash": "sha256-1Noao/H+N8nFB4Beoy8fgwrcOQLVm9o4zKW1ODaqK9E=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c3d4ac725177c030b1e289015989da2ad9d56af0",
+        "rev": "48d12d5e70ee91fe8481378e540433a7303dbf6a",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.05",
+        "ref": "release-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -131,7 +114,6 @@
         "flake-compat": "flake-compat",
         "flake-parts": "flake-parts",
         "git-hooks-nix": "git-hooks-nix",
-        "libgit2": "libgit2",
         "nixpkgs": "nixpkgs",
         "nixpkgs-23-11": "nixpkgs-23-11",
         "nixpkgs-regression": "nixpkgs-regression"

flake.nix

@@ -1,11 +1,14 @@
 {
   description = "The purely functional package manager";
 
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/release-24.11";
+
   inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
   inputs.nixpkgs-23-11.url = "github:NixOS/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446";
-  inputs.flake-compat = { url = "github:edolstra/flake-compat"; flake = false; };
-  inputs.libgit2 = { url = "github:libgit2/libgit2/v1.8.1"; flake = false; };
+  inputs.flake-compat = {
+    url = "github:edolstra/flake-compat";
+    flake = false;
+  };
 
   # dev tooling
   inputs.flake-parts.url = "github:hercules-ci/flake-parts";
@@ -18,8 +21,13 @@
   inputs.git-hooks-nix.inputs.flake-compat.follows = "";
   inputs.git-hooks-nix.inputs.gitignore.follows = "";
 
-  outputs = inputs@{ self, nixpkgs, nixpkgs-regression, libgit2, ... }:
-
+  outputs =
+    inputs@{
+      self,
+      nixpkgs,
+      nixpkgs-regression,
+      ...
+    }:
 
     let
       inherit (nixpkgs) lib;
@@ -27,16 +35,23 @@
       officialRelease = false;
 
       linux32BitSystems = [ "i686-linux" ];
-      linux64BitSystems = [ "x86_64-linux" "aarch64-linux" ];
+      linux64BitSystems = [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
       linuxSystems = linux32BitSystems ++ linux64BitSystems;
-      darwinSystems = [ "x86_64-darwin" "aarch64-darwin" ];
+      darwinSystems = [
+        "x86_64-darwin"
+        "aarch64-darwin"
+      ];
       systems = linuxSystems ++ darwinSystems;
 
       crossSystems = [
         "armv6l-unknown-linux-gnueabihf"
         "armv7l-unknown-linux-gnueabihf"
         "riscv64-unknown-linux-gnu"
-        "x86_64-unknown-netbsd"
+        # Disabled because of https://github.com/NixOS/nixpkgs/issues/344423
+        # "x86_64-unknown-netbsd"
         "x86_64-unknown-freebsd"
         "x86_64-w64-mingw32"
       ];
@@ -58,62 +73,66 @@
         (Provided that the names are unique.)
 
         See https://nixos.org/manual/nixpkgs/stable/index.html#function-library-lib.attrsets.concatMapAttrs
-       */
+      */
       flatMapAttrs = attrs: f: lib.concatMapAttrs f attrs;
 
       forAllSystems = lib.genAttrs systems;
 
       forAllCrossSystems = lib.genAttrs crossSystems;
 
-      forAllStdenvs = f:
-        lib.listToAttrs
-          (map
-            (stdenvName: {
-              name = "${stdenvName}Packages";
-              value = f stdenvName;
-            })
-            stdenvs);
-
+      forAllStdenvs = lib.genAttrs stdenvs;
 
       # We don't apply flake-parts to the whole flake so that non-development attributes
       # load without fetching any development inputs.
       devFlake = inputs.flake-parts.lib.mkFlake { inherit inputs; } {
         imports = [ ./maintainers/flake-module.nix ];
         systems = lib.subtractLists crossSystems systems;
-        perSystem = { system, ... }: {
-          _module.args.pkgs = nixpkgsFor.${system}.native;
-        };
+        perSystem =
+          { system, ... }:
+          {
+            _module.args.pkgs = nixpkgsFor.${system}.native;
+          };
       };
 
       # Memoize nixpkgs for different platforms for efficiency.
-      nixpkgsFor = forAllSystems
-        (system: let
-          make-pkgs = crossSystem: stdenv: import nixpkgs {
-            localSystem = {
-              inherit system;
-            };
-            crossSystem = if crossSystem == null then null else {
-              config = crossSystem;
-            } // lib.optionalAttrs (crossSystem == "x86_64-unknown-freebsd13") {
-              useLLVM = true;
-            };
-            overlays = [
-              (overlayFor (p: p.${stdenv}))
-            ];
-          };
-          stdenvs = forAllStdenvs (make-pkgs null);
-          native = stdenvs.stdenvPackages;
-        in {
-          inherit stdenvs native;
-          static = native.pkgsStatic;
-          cross = forAllCrossSystems (crossSystem: make-pkgs crossSystem "stdenv");
-        });
+      nixpkgsFor = forAllSystems (
+        system:
+        let
+          make-pkgs =
+            crossSystem:
+            forAllStdenvs (
+              stdenv:
+              import nixpkgs {
+                localSystem = {
+                  inherit system;
+                };
+                crossSystem =
+                  if crossSystem == null then
+                    null
+                  else
+                    {
+                      config = crossSystem;
+                    }
+                    // lib.optionalAttrs (crossSystem == "x86_64-unknown-freebsd13") {
+                      useLLVM = true;
+                    };
+                overlays = [
+                  (overlayFor (pkgs: pkgs.${stdenv}))
+                ];
+              }
+            );
+        in
+        rec {
+          nativeForStdenv = make-pkgs null;
+          crossForStdenv = forAllCrossSystems make-pkgs;
+          # Alias for convenience
+          native = nativeForStdenv.stdenv;
+          cross = forAllCrossSystems (crossSystem: crossForStdenv.${crossSystem}.stdenv);
+        }
+      );
 
-      binaryTarball = nix: pkgs: pkgs.callPackage ./scripts/binary-tarball.nix {
-        inherit nix;
-      };
-
-      overlayFor = getStdenv: final: prev:
+      overlayFor =
+        getStdenv: final: prev:
         let
           stdenv = getStdenv final;
         in
@@ -135,6 +154,7 @@
                 f = import ./packaging/components.nix {
                   inherit (final) lib;
                   inherit officialRelease;
+                  pkgs = final;
                   src = self;
                 };
               };
@@ -160,13 +180,19 @@
           # See https://github.com/NixOS/nixpkgs/pull/214409
           # Remove when fixed in this flake's nixpkgs
           pre-commit =
-            if prev.stdenv.hostPlatform.system == "i686-linux"
-            then (prev.pre-commit.override (o: { dotnet-sdk = ""; })).overridePythonAttrs (o: { doCheck = false; })
-            else prev.pre-commit;
-
+            if prev.stdenv.hostPlatform.system == "i686-linux" then
+              (prev.pre-commit.override (o: {
+                dotnet-sdk = "";
+              })).overridePythonAttrs
+                (o: {
+                  doCheck = false;
+                })
+            else
+              prev.pre-commit;
         };
 
-    in {
+    in
+    {
       # A Nixpkgs overlay that overrides the 'nix' and
       # 'nix-perl-bindings' packages.
       overlays.default = overlayFor (p: p.stdenv);
@@ -174,7 +200,6 @@
       hydraJobs = import ./packaging/hydra.nix {
         inherit
           inputs
-          binaryTarball
           forAllCrossSystems
           forAllSystems
           lib
@@ -185,58 +210,96 @@
           ;
       };
 
-      checks = forAllSystems (system: {
-        binaryTarball = self.hydraJobs.binaryTarball.${system};
-        installTests = self.hydraJobs.installTests.${system};
-        nixpkgsLibTests = self.hydraJobs.tests.nixpkgsLibTests.${system};
-        rl-next =
-          let pkgs = nixpkgsFor.${system}.native;
-          in pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
-          LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${./doc/manual/rl-next} >$out
-        '';
-        repl-completion = nixpkgsFor.${system}.native.callPackage ./tests/repl-completion.nix { };
-      } // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
-        dockerImage = self.hydraJobs.dockerImage.${system};
-      } // (lib.optionalAttrs (!(builtins.elem system linux32BitSystems))) {
-        # Some perl dependencies are broken on i686-linux.
-        # Since the support is only best-effort there, disable the perl
-        # bindings
+      checks = forAllSystems (
+        system:
+        {
+          installerScriptForGHA = self.hydraJobs.installerScriptForGHA.${system};
+          installTests = self.hydraJobs.installTests.${system};
+          nixpkgsLibTests = self.hydraJobs.tests.nixpkgsLibTests.${system};
+          rl-next =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+            in
+            pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
+              LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${./doc/manual/rl-next} >$out
+            '';
+          repl-completion = nixpkgsFor.${system}.native.callPackage ./tests/repl-completion.nix { };
 
-        # Temporarily disabled because GitHub Actions OOM issues. Once
-        # the old build system is gone and we are back to one build
-        # system, we should reenable this.
-        #perlBindings = self.hydraJobs.perlBindings.${system};
-      }
-      # Add "passthru" tests
-      // flatMapAttrs ({
-          "" = nixpkgsFor.${system}.native;
-        } // lib.optionalAttrs (! nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
-          # TODO: enable static builds for darwin, blocked on:
-          #       https://github.com/NixOS/nixpkgs/issues/320448
-          # TODO: disabled to speed up GHA CI.
-          #"static-" = nixpkgsFor.${system}.static;
-        })
-        (nixpkgsPrefix: nixpkgs:
-          flatMapAttrs nixpkgs.nixComponents
-            (pkgName: pkg:
-              flatMapAttrs pkg.tests or {}
-              (testName: test: {
-                "${nixpkgsPrefix}${pkgName}-${testName}" = test;
-              })
+          /**
+            Checks for our packaging expressions.
+            This shouldn't build anything significant; just check that things
+            (including derivations) are _set up_ correctly.
+          */
+          packaging-overriding =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+              nix = self.packages.${system}.nix;
+            in
+            assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
+            if pkgs.stdenv.buildPlatform.isDarwin then
+              lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
+            else
+              # If this fails, something might be wrong with how we've wired the scope,
+              # or something could be broken in Nixpkgs.
+              pkgs.testers.testEqualContents {
+                assertion = "trivial patch does not change source contents";
+                expected = "${./.}";
+                actual =
+                  # Same for all components; nix-util is an arbitrary pick
+                  (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
+              };
+        }
+        // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
+          dockerImage = self.hydraJobs.dockerImage.${system};
+        }
+        // (lib.optionalAttrs (!(builtins.elem system linux32BitSystems))) {
+          # Some perl dependencies are broken on i686-linux.
+          # Since the support is only best-effort there, disable the perl
+          # bindings
+          perlBindings = self.hydraJobs.perlBindings.${system};
+        }
+        # Add "passthru" tests
+        //
+          flatMapAttrs
+            (
+              {
+                "" = nixpkgsFor.${system}.native;
+              }
+              // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
+                # TODO: enable static builds for darwin, blocked on:
+                #       https://github.com/NixOS/nixpkgs/issues/320448
+                # TODO: disabled to speed up GHA CI.
+                #"static-" = nixpkgsFor.${system}.native.pkgsStatic;
+              }
             )
-          // lib.optionalAttrs (nixpkgs.stdenv.hostPlatform == nixpkgs.stdenv.buildPlatform) {
-            "${nixpkgsPrefix}nix-functional-tests" = nixpkgs.nixComponents.nix-functional-tests;
-          }
-        )
-      // devFlake.checks.${system} or {}
+            (
+              nixpkgsPrefix: nixpkgs:
+              flatMapAttrs nixpkgs.nixComponents (
+                pkgName: pkg:
+                flatMapAttrs pkg.tests or { } (
+                  testName: test: {
+                    "${nixpkgsPrefix}${pkgName}-${testName}" = test;
+                  }
+                )
+              )
+              // lib.optionalAttrs (nixpkgs.stdenv.hostPlatform == nixpkgs.stdenv.buildPlatform) {
+                "${nixpkgsPrefix}nix-functional-tests" = nixpkgs.nixComponents.nix-functional-tests;
+              }
+            )
+        // devFlake.checks.${system} or { }
       );
 
-      packages = forAllSystems (system:
-        { # Here we put attributes that map 1:1 into packages.<system>, ie
+      packages = forAllSystems (
+        system:
+        {
+          # Here we put attributes that map 1:1 into packages.<system>, ie
           # for which we don't apply the full build matrix such as cross or static.
           inherit (nixpkgsFor.${system}.native)
-            changelog-d;
+            changelog-d
+            ;
           default = self.packages.${system}.nix;
+          installerScriptForGHA = self.hydraJobs.installerScriptForGHA.${system};
+          binaryTarball = self.hydraJobs.binaryTarball.${system};
           # TODO probably should be `nix-cli`
           nix = self.packages.${system}.nix-everything;
           nix-manual = nixpkgsFor.${system}.native.nixComponents.nix-manual;
@@ -244,92 +307,144 @@
           nix-external-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-external-api-docs;
         }
         # We need to flatten recursive attribute sets of derivations to pass `flake check`.
-        // flatMapAttrs
-          { # Components we'll iterate over in the upcoming lambda
-            "nix-util" = { };
-            "nix-util-c" = { };
-            "nix-util-test-support" = { };
-            "nix-util-tests" = { };
+        //
+          flatMapAttrs
+            {
+              # Components we'll iterate over in the upcoming lambda
+              "nix-util" = { };
+              "nix-util-c" = { };
+              "nix-util-test-support" = { };
+              "nix-util-tests" = { };
 
-            "nix-store" = { };
-            "nix-store-c" = { };
-            "nix-store-test-support" = { };
-            "nix-store-tests" = { };
+              "nix-store" = { };
+              "nix-store-c" = { };
+              "nix-store-test-support" = { };
+              "nix-store-tests" = { };
 
-            "nix-fetchers" = { };
-            "nix-fetchers-tests" = { };
+              "nix-fetchers" = { };
+              "nix-fetchers-tests" = { };
 
-            "nix-expr" = { };
-            "nix-expr-c" = { };
-            "nix-expr-test-support" = { };
-            "nix-expr-tests" = { };
+              "nix-expr" = { };
+              "nix-expr-c" = { };
+              "nix-expr-test-support" = { };
+              "nix-expr-tests" = { };
 
-            "nix-flake" = { };
-            "nix-flake-tests" = { };
+              "nix-flake" = { };
+              "nix-flake-tests" = { };
 
-            "nix-main" = { };
-            "nix-main-c" = { };
+              "nix-main" = { };
+              "nix-main-c" = { };
 
-            "nix-cmd" = { };
+              "nix-cmd" = { };
 
-            "nix-cli" = { };
+              "nix-cli" = { };
 
-            "nix-everything" = { };
+              "nix-everything" = { };
 
-            "nix-functional-tests" = { supportsCross = false; };
+              "nix-functional-tests" = {
+                supportsCross = false;
+              };
 
-            "nix-perl-bindings" = { supportsCross = false; };
-          }
-          (pkgName: { supportsCross ? true }: {
-              # These attributes go right into `packages.<system>`.
-              "${pkgName}" = nixpkgsFor.${system}.native.nixComponents.${pkgName};
-              "${pkgName}-static" = nixpkgsFor.${system}.static.nixComponents.${pkgName};
+              "nix-perl-bindings" = {
+                supportsCross = false;
+              };
             }
-            // lib.optionalAttrs supportsCross (flatMapAttrs (lib.genAttrs crossSystems (_: { })) (crossSystem: {}: {
-              # These attributes go right into `packages.<system>`.
-              "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName};
-            }))
-            // flatMapAttrs (lib.genAttrs stdenvs (_: { })) (stdenvName: {}: {
-              # These attributes go right into `packages.<system>`.
-              "${pkgName}-${stdenvName}" = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".nixComponents.${pkgName};
-            })
-          )
+            (
+              pkgName:
+              {
+                supportsCross ? true,
+              }:
+              {
+                # These attributes go right into `packages.<system>`.
+                "${pkgName}" = nixpkgsFor.${system}.native.nixComponents.${pkgName};
+                "${pkgName}-static" = nixpkgsFor.${system}.native.pkgsStatic.nixComponents.${pkgName};
+                "${pkgName}-llvm" = nixpkgsFor.${system}.native.pkgsLLVM.nixComponents.${pkgName};
+              }
+              // lib.optionalAttrs supportsCross (
+                flatMapAttrs (lib.genAttrs crossSystems (_: { })) (
+                  crossSystem:
+                  { }:
+                  {
+                    # These attributes go right into `packages.<system>`.
+                    "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName};
+                  }
+                )
+              )
+              // flatMapAttrs (lib.genAttrs stdenvs (_: { })) (
+                stdenvName:
+                { }:
+                {
+                  # These attributes go right into `packages.<system>`.
+                  "${pkgName}-${stdenvName}" =
+                    nixpkgsFor.${system}.nativeForStdenv.${stdenvName}.nixComponents.${pkgName};
+                }
+              )
+            )
         // lib.optionalAttrs (builtins.elem system linux64BitSystems) {
-        dockerImage =
-          let
-            pkgs = nixpkgsFor.${system}.native;
-            image = import ./docker.nix { inherit pkgs; tag = pkgs.nix.version; };
-          in
-          pkgs.runCommand
-            "docker-image-tarball-${pkgs.nix.version}"
-            { meta.description = "Docker image with Nix for ${system}"; }
-            ''
-              mkdir -p $out/nix-support
-              image=$out/image.tar.gz
-              ln -s ${image} $image
-              echo "file binary-dist $image" >> $out/nix-support/hydra-build-products
-            '';
-      });
+          dockerImage =
+            let
+              pkgs = nixpkgsFor.${system}.native;
+              image = import ./docker.nix {
+                inherit pkgs;
+                tag = pkgs.nix.version;
+              };
+            in
+            pkgs.runCommand "docker-image-tarball-${pkgs.nix.version}"
+              { meta.description = "Docker image with Nix for ${system}"; }
+              ''
+                mkdir -p $out/nix-support
+                image=$out/image.tar.gz
+                ln -s ${image} $image
+                echo "file binary-dist $image" >> $out/nix-support/hydra-build-products
+              '';
+        }
+      );
 
-      devShells = let
-        makeShell = import ./packaging/dev-shell.nix { inherit lib devFlake; };
-        prefixAttrs = prefix: lib.concatMapAttrs (k: v: { "${prefix}-${k}" = v; });
-      in
-        forAllSystems (system:
-          prefixAttrs "native" (forAllStdenvs (stdenvName: makeShell {
-            pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages";
-          })) //
-          lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.isDarwin) (
-            prefixAttrs "static" (forAllStdenvs (stdenvName: makeShell {
-              pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".pkgsStatic;
-            })) //
-            prefixAttrs "cross" (forAllCrossSystems (crossSystem: makeShell {
-              pkgs = nixpkgsFor.${system}.cross.${crossSystem};
-            }))
-          ) //
-          {
-            default = self.devShells.${system}.native-stdenvPackages;
+      devShells =
+        let
+          makeShell = import ./packaging/dev-shell.nix { inherit lib devFlake; };
+          prefixAttrs = prefix: lib.concatMapAttrs (k: v: { "${prefix}-${k}" = v; });
+        in
+        forAllSystems (
+          system:
+          prefixAttrs "native" (
+            forAllStdenvs (
+              stdenvName:
+              makeShell {
+                pkgs = nixpkgsFor.${system}.nativeForStdenv.${stdenvName};
+              }
+            )
+          )
+          // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.isDarwin) (
+            prefixAttrs "static" (
+              forAllStdenvs (
+                stdenvName:
+                makeShell {
+                  pkgs = nixpkgsFor.${system}.nativeForStdenv.${stdenvName}.pkgsStatic;
+                }
+              )
+            )
+            // prefixAttrs "llvm" (
+              forAllStdenvs (
+                stdenvName:
+                makeShell {
+                  pkgs = nixpkgsFor.${system}.nativeForStdenv.${stdenvName}.pkgsLLVM;
+                }
+              )
+            )
+            // prefixAttrs "cross" (
+              forAllCrossSystems (
+                crossSystem:
+                makeShell {
+                  pkgs = nixpkgsFor.${system}.cross.${crossSystem};
+                }
+              )
+            )
+          )
+          // {
+            native = self.devShells.${system}.native-stdenv;
+            default = self.devShells.${system}.native;
           }
         );
-  };
+    };
 }

m4/gcc_bug_80431.m4

@@ -1,66 +0,0 @@
-# Ensure that this bug is not present in the C++ toolchain we are using.
-#
-# URL for bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80431
-#
-# The test program is from that issue, with only a slight modification
-# to set an exit status instead of printing strings.
-AC_DEFUN([ENSURE_NO_GCC_BUG_80431],
-[
-  AC_MSG_CHECKING([that GCC bug 80431 is fixed])
-  AC_LANG_PUSH(C++)
-  AC_RUN_IFELSE(
-    [AC_LANG_PROGRAM(
-      [[
-        #include <cstdio>
-
-        static bool a = true;
-        static bool b = true;
-
-        struct Options { };
-
-        struct Option
-        {
-            Option(Options * options)
-            {
-                a = false;
-            }
-
-            ~Option()
-            {
-                b = false;
-            }
-        };
-
-        struct MyOptions : Options { };
-
-        struct MyOptions2 : virtual MyOptions
-        {
-            Option foo{this};
-        };
-      ]],
-      [[
-        {
-            MyOptions2 opts;
-        }
-        return (a << 1) | b;
-      ]])],
-    [status_80431=0],
-    [status_80431=$?],
-    [status_80431=''])
-  AC_LANG_POP(C++)
-  AS_CASE([$status_80431],
-    [''],[
-      AC_MSG_RESULT(cannot check because cross compiling)
-      AC_MSG_NOTICE(assume we are bug free)
-    ],
-    [0],[
-      AC_MSG_RESULT(yes)
-    ],
-    [2],[
-      AC_MSG_RESULT(no)
-      AC_MSG_ERROR(Cannot build Nix with C++ compiler with this bug)
-    ],
-    [
-      AC_MSG_RESULT(unexpected result $status_80431: not expected failure with bug, ignoring)
-    ])
-])

maintainers/data/release-credits-email-to-handle.json

@@ -98,5 +98,39 @@
     "aks.kenji@protonmail.com": "a-kenji",
     "54070204+0x5a4@users.noreply.github.com": "0x5a4",
     "brian@bmcgee.ie": "brianmcgee",
-    "squalus@squalus.net": "squalus"
+    "squalus@squalus.net": "squalus",
+    "kusold@users.noreply.github.com": "kusold",
+    "37929162+mergify[bot]@users.noreply.github.com": "mergify[bot]",
+    "ilja@mailbox.org": "suruaku",
+    "and.ham95@gmail.com": "andrewhamon",
+    "andy.hamon@discordapp.com": "andrewhamon",
+    "siddarthkay@gmail.com": "siddarthkay",
+    "apoelstra@wpsoftware.net": "apoelstra",
+    "asmadeus@codewreck.org": "martinetd",
+    "tristan.ross@midstall.com": "RossComputerGuy",
+    "bryanlais@gmail.com": "bryango",
+    "157494086+allrealmsoflife@users.noreply.github.com": "allrealmsoflife",
+    "ConnorBaker01@gmail.com": "ConnorBaker",
+    "me@momee.mt": "momeemt",
+    "martin@push-f.com": "not-my-profile",
+    "90870942+trueNAHO@users.noreply.github.com": "trueNAHO",
+    "49885263+knotapun@users.noreply.github.com": "knotapun",
+    "iam@lach.pw": "CertainLach",
+    "elikowa@gmail.com": "elikoga",
+    "greg.curtis@jetpack.io": "gcurtis",
+    "git@sphalerite.org": "lheckemann",
+    "mightyiampresence@gmail.com": "mightyiam",
+    "spamfaenger@gmx.de": "dwt",
+    "graham@grahamc.com": "grahamc",
+    "wh0@users.noreply.github.com": "wh0",
+    "25388474+mupdt@users.noreply.github.com": "mupdt",
+    "anatoli@rainforce.org": "abitrolly",
+    "h0nIg@users.noreply.github.com": "h0nIg",
+    "CyberShadow@users.noreply.github.com": "CyberShadow",
+    "gavinnjohn@gmail.com": "Pandapip1",
+    "picnoir@alternativebit.fr": "picnoir",
+    "140354451+myclevorname@users.noreply.github.com": "myclevorname",
+    "bonniot@gmail.com": "dbdr",
+    "jack@wilsdon.me": "jackwilsdon",
+    "143541718+WxNzEMof@users.noreply.github.com": "the-sun-will-rise-tomorrow"
 }

maintainers/data/release-credits-handle-to-name.json

@@ -86,5 +86,37 @@
     "Aleksanaa": "Aleksana",
     "YorikSar": "Yuriy Taraday",
     "kjeremy": "Jeremy Kolb",
-    "artemist": "Artemis Tosini"
+    "artemist": "Artemis Tosini",
+    "the-sun-will-rise-tomorrow": null,
+    "gcurtis": "Greg Curtis",
+    "ConnorBaker": "Connor Baker",
+    "abitrolly": "Anatoli Babenia",
+    "allrealmsoflife": "Domagoj Mi\u0161kovi\u0107",
+    "andrewhamon": "Andy Hamon",
+    "picnoir": "F\u00e9lix",
+    "dbdr": null,
+    "suruaku": "Ilja",
+    "jackwilsdon": "Jack Wilsdon",
+    "mergify[bot]": null,
+    "kusold": "Mike Kusold",
+    "lheckemann": "Linus Heckemann",
+    "h0nIg": null,
+    "grahamc": "Graham Christensen",
+    "not-my-profile": "Martin Fischer",
+    "CyberShadow": "Vladimir Panteleev",
+    "Pandapip1": "Gavin John",
+    "RossComputerGuy": "Tristan Ross",
+    "elikoga": null,
+    "martinetd": "Dominique Martinet",
+    "knotapun": "Parker Jones",
+    "mightyiam": "Shahar \"Dawn\" Or",
+    "siddarthkay": "Siddarth Kumar",
+    "apoelstra": "Andrew Poelstra",
+    "myclevorname": null,
+    "CertainLach": "Yaroslav Bolyukin",
+    "trueNAHO": "NAHO",
+    "wh0": null,
+    "mupdt": "Matej Urbas",
+    "momeemt": "Mutsuha Asada",
+    "dwt": "\u202erekc\u00e4H nitraM\u202e"
 }

maintainers/release-process.md

@@ -144,12 +144,10 @@ release:
 
   Make a pull request and auto-merge it.
 
-* Create a milestone for the next release, move all unresolved issues
-  from the previous milestone, and close the previous milestone. Set
-  the date for the next milestone 6 weeks from now.
-
 * Create a backport label.
 
+* Add the new backport label to `.mergify.yml`.
+
 * Post an [announcement on Discourse](https://discourse.nixos.org/c/announcements/8), including the contents of
   `rl-$VERSION.md`.
 

maintainers/upload-release.pl

@@ -42,7 +42,7 @@ my $flakeUrl = $evalInfo->{flake};
 my $flakeInfo = decode_json(`nix flake metadata --json "$flakeUrl"` or die) if $flakeUrl;
 my $nixRev = ($flakeInfo ? $flakeInfo->{revision} : $evalInfo->{jobsetevalinputs}->{nix}->{revision}) or die;
 
-my $buildInfo = decode_json(fetch("$evalUrl/job/build.nix.x86_64-linux", 'application/json'));
+my $buildInfo = decode_json(fetch("$evalUrl/job/build.nix-everything.x86_64-linux", 'application/json'));
 #print Dumper($buildInfo);
 
 my $releaseName = $buildInfo->{nixname};
@@ -91,7 +91,7 @@ sub getStorePath {
 sub copyManual {
     my $manual;
     eval {
-        $manual = getStorePath("build.nix.x86_64-linux", "doc");
+        $manual = getStorePath("manual");
     };
     if ($@) {
         warn "$@";
@@ -240,12 +240,12 @@ if ($haveDocker) {
 # Upload nix-fallback-paths.nix.
 write_file("$tmpDir/fallback-paths.nix",
     "{\n" .
-    "  x86_64-linux = \"" . getStorePath("build.nix.x86_64-linux") . "\";\n" .
-    "  i686-linux = \"" . getStorePath("build.nix.i686-linux") . "\";\n" .
-    "  aarch64-linux = \"" . getStorePath("build.nix.aarch64-linux") . "\";\n" .
-    "  riscv64-linux = \"" . getStorePath("buildCross.nix.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
-    "  x86_64-darwin = \"" . getStorePath("build.nix.x86_64-darwin") . "\";\n" .
-    "  aarch64-darwin = \"" . getStorePath("build.nix.aarch64-darwin") . "\";\n" .
+    "  x86_64-linux = \"" . getStorePath("build.nix-everything.x86_64-linux") . "\";\n" .
+    "  i686-linux = \"" . getStorePath("build.nix-everything.i686-linux") . "\";\n" .
+    "  aarch64-linux = \"" . getStorePath("build.nix-everything.aarch64-linux") . "\";\n" .
+    "  riscv64-linux = \"" . getStorePath("buildCross.nix-everything.riscv64-unknown-linux-gnu.x86_64-linux") . "\";\n" .
+    "  x86_64-darwin = \"" . getStorePath("build.nix-everything.x86_64-darwin") . "\";\n" .
+    "  aarch64-darwin = \"" . getStorePath("build.nix-everything.aarch64-darwin") . "\";\n" .
     "}\n");
 
 # Upload release files to S3.

nix-meson-build-support/big-objs/meson.build

@@ -0,0 +1,6 @@
+if host_machine.system() == 'windows'
+  # libexpr's primops creates a large object
+  # Without the following flag, we'll get errors when cross-compiling to mingw32:
+  # Fatal error: can't write 66 bytes to section .text of src/libexpr/libnixexpr.dll.p/primops.cc.obj: 'file too big'
+  add_project_arguments([ '-Wa,-mbig-obj' ], language: 'cpp')
+endif

nix-meson-build-support/common/meson.build

@@ -16,7 +16,3 @@ add_project_arguments(
   '-Wno-deprecated-declarations',
   language : 'cpp',
 )
-
-if get_option('buildtype') not in ['debug']
-  add_project_arguments('-O3', language : 'cpp')
-endif

packaging/binary-tarball.nix

@@ -1,14 +1,18 @@
-{ runCommand
-, system
-, buildPackages
-, cacert
-, nix
+{
+  runCommand,
+  system,
+  buildPackages,
+  cacert,
+  nix,
 }:
 
 let
 
   installerClosureInfo = buildPackages.closureInfo {
-    rootPaths = [ nix cacert ];
+    rootPaths = [
+      nix
+      cacert
+    ];
   };
 
   inherit (nix) version;
@@ -22,18 +26,18 @@ in
 
 runCommand "nix-binary-tarball-${version}" env ''
   cp ${installerClosureInfo}/registration $TMPDIR/reginfo
-  cp ${./create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
-  substitute ${./install-nix-from-tarball.sh} $TMPDIR/install \
+  cp ${../scripts/create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
+  substitute ${../scripts/install-nix-from-tarball.sh} $TMPDIR/install \
     --subst-var-by nix ${nix} \
     --subst-var-by cacert ${cacert}
 
-  substitute ${./install-darwin-multi-user.sh} $TMPDIR/install-darwin-multi-user.sh \
+  substitute ${../scripts/install-darwin-multi-user.sh} $TMPDIR/install-darwin-multi-user.sh \
     --subst-var-by nix ${nix} \
     --subst-var-by cacert ${cacert}
-  substitute ${./install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
+  substitute ${../scripts/install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
     --subst-var-by nix ${nix} \
     --subst-var-by cacert ${cacert}
-  substitute ${./install-multi-user.sh} $TMPDIR/install-multi-user \
+  substitute ${../scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
     --subst-var-by nix ${nix} \
     --subst-var-by cacert ${cacert}
 
@@ -65,7 +69,7 @@ runCommand "nix-binary-tarball-${version}" env ''
   fn=$out/$dir.tar.xz
   mkdir -p $out/nix-support
   echo "file binary-dist $fn" >> $out/nix-support/hydra-build-products
-  tar cvfJ $fn \
+  tar cfJ $fn \
     --owner=0 --group=0 --mode=u+rw,uga+r \
     --mtime='1970-01-01' \
     --absolute-names \

packaging/components.nix

@@ -1,5 +1,6 @@
 {
   lib,
+  pkgs,
   src,
   officialRelease,
 }:
@@ -7,17 +8,194 @@
 scope:
 
 let
-  inherit (scope) callPackage;
+  inherit (scope)
+    callPackage
+    ;
+  inherit
+    (scope.callPackage (
+      { stdenv }:
+      {
+        inherit stdenv;
+      }
+    ) { })
+    stdenv
+    ;
+  inherit (pkgs.buildPackages)
+    meson
+    ninja
+    pkg-config
+    ;
 
   baseVersion = lib.fileContents ../.version;
 
   versionSuffix = lib.optionalString (!officialRelease) "pre";
 
-  fineVersionSuffix = lib.optionalString
-    (!officialRelease)
-    "pre${builtins.substring 0 8 (src.lastModifiedDate or src.lastModified or "19700101")}_${src.shortRev or "dirty"}";
+  fineVersionSuffix =
+    lib.optionalString (!officialRelease)
+      "pre${
+        builtins.substring 0 8 (src.lastModifiedDate or src.lastModified or "19700101")
+      }_${src.shortRev or "dirty"}";
 
   fineVersion = baseVersion + fineVersionSuffix;
+
+  root = ../.;
+
+  # Indirection for Nixpkgs to override when package.nix files are vendored
+  filesetToSource = lib.fileset.toSource;
+
+  /**
+    Given a set of layers, create a mkDerivation-like function
+  */
+  mkPackageBuilder =
+    exts: userFn: stdenv.mkDerivation (lib.extends (lib.composeManyExtensions exts) userFn);
+
+  setVersionLayer = finalAttrs: prevAttrs: {
+    preConfigure =
+      prevAttrs.prevAttrs or ""
+      +
+        # Update the repo-global .version file.
+        # Symlink ./.version points there, but by default only workDir is writable.
+        ''
+          chmod u+w ./.version
+          echo ${finalAttrs.version} > ./.version
+        '';
+  };
+
+  localSourceLayer =
+    finalAttrs: prevAttrs:
+    let
+      workDirPath =
+        # Ideally we'd pick finalAttrs.workDir, but for now `mkDerivation` has
+        # the requirement that everything except passthru and meta must be
+        # serialized by mkDerivation, which doesn't work for this.
+        prevAttrs.workDir;
+
+      workDirSubpath = lib.path.removePrefix root workDirPath;
+      sources =
+        assert prevAttrs.fileset._type == "fileset";
+        prevAttrs.fileset;
+      src = lib.fileset.toSource {
+        fileset = sources;
+        inherit root;
+      };
+
+    in
+    {
+      sourceRoot = "${src.name}/" + workDirSubpath;
+      inherit src;
+
+      # Clear what `derivation` can't/shouldn't serialize; see prevAttrs.workDir.
+      fileset = null;
+      workDir = null;
+    };
+
+  resolveRelPath = p: lib.path.removePrefix root p;
+
+  makeFetchedSourceLayer =
+    finalScope: finalAttrs: prevAttrs:
+    let
+      workDirPath =
+        # Ideally we'd pick finalAttrs.workDir, but for now `mkDerivation` has
+        # the requirement that everything except passthru and meta must be
+        # serialized by mkDerivation, which doesn't work for this.
+        prevAttrs.workDir;
+
+      workDirSubpath = resolveRelPath workDirPath;
+
+    in
+    {
+      sourceRoot = "${finalScope.patchedSrc.name}/" + workDirSubpath;
+      src = finalScope.patchedSrc;
+      version =
+        let
+          n = lib.length finalScope.patches;
+        in
+        if n == 0 then finalAttrs.version else finalAttrs.version + "+${toString n}";
+
+      # Clear what `derivation` can't/shouldn't serialize; see prevAttrs.workDir.
+      fileset = null;
+      workDir = null;
+    };
+
+  mesonLayer = finalAttrs: prevAttrs: {
+    # NOTE:
+    # As of https://github.com/NixOS/nixpkgs/blob/8baf8241cea0c7b30e0b8ae73474cb3de83c1a30/pkgs/by-name/me/meson/setup-hook.sh#L26,
+    # `mesonBuildType` defaults to `plain` if not specified. We want our Nix-built binaries to be optimized by default.
+    # More on build types here: https://mesonbuild.com/Builtin-options.html#details-for-buildtype.
+    mesonBuildType = "release";
+    # NOTE:
+    # Users who are debugging Nix builds are expected to set the environment variable `mesonBuildType`, per the
+    # guidance in https://github.com/NixOS/nix/blob/8a3fc27f1b63a08ac983ee46435a56cf49ebaf4a/doc/manual/source/development/debugging.md?plain=1#L10.
+    # For this reason, we don't want to refer to `finalAttrs.mesonBuildType` here, but rather use the environment variable.
+    preConfigure =
+      prevAttrs.preConfigure or ""
+      +
+        lib.optionalString
+          (
+            !stdenv.hostPlatform.isWindows
+            # build failure
+            && !stdenv.hostPlatform.isStatic
+            # LTO breaks exception handling on x86-64-darwin.
+            && stdenv.system != "x86_64-darwin"
+          )
+          ''
+            case "$mesonBuildType" in
+            release|minsize) appendToVar mesonFlags "-Db_lto=true"  ;;
+            *)               appendToVar mesonFlags "-Db_lto=false" ;;
+            esac
+          '';
+    nativeBuildInputs = [
+      meson
+      ninja
+    ] ++ prevAttrs.nativeBuildInputs or [ ];
+    mesonCheckFlags = prevAttrs.mesonCheckFlags or [ ] ++ [
+      "--print-errorlogs"
+    ];
+  };
+
+  mesonBuildLayer = finalAttrs: prevAttrs: {
+    nativeBuildInputs = prevAttrs.nativeBuildInputs or [ ] ++ [
+      pkg-config
+    ];
+    separateDebugInfo = !stdenv.hostPlatform.isStatic;
+    hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
+    env =
+      prevAttrs.env or { }
+      // lib.optionalAttrs (
+        stdenv.isLinux
+        && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")
+        && !(stdenv.hostPlatform.useLLVM or false)
+      ) { LDFLAGS = "-fuse-ld=gold"; };
+  };
+
+  mesonLibraryLayer = finalAttrs: prevAttrs: {
+    outputs = prevAttrs.outputs or [ "out" ] ++ [ "dev" ];
+  };
+
+  # Work around weird `--as-needed` linker behavior with BSD, see
+  # https://github.com/mesonbuild/meson/issues/3593
+  bsdNoLinkAsNeeded =
+    finalAttrs: prevAttrs:
+    lib.optionalAttrs stdenv.hostPlatform.isBSD {
+      mesonFlags = [ (lib.mesonBool "b_asneeded" false) ] ++ prevAttrs.mesonFlags or [ ];
+    };
+
+  miscGoodPractice = finalAttrs: prevAttrs: {
+    strictDeps = prevAttrs.strictDeps or true;
+    enableParallelBuilding = true;
+  };
+
+  /**
+    Append patches to the source layer.
+  */
+  appendPatches =
+    scope: patches:
+    scope.overrideScope (
+      finalScope: prevScope: {
+        patches = prevScope.patches ++ patches;
+      }
+    );
+
 in
 
 # This becomes the pkgs.nixComponents attribute set
@@ -25,6 +203,110 @@ in
   version = baseVersion + versionSuffix;
   inherit versionSuffix;
 
+  inherit filesetToSource;
+
+  /**
+    A user-provided extension function to apply to each component derivation.
+  */
+  mesonComponentOverrides = finalAttrs: prevAttrs: { };
+
+  /**
+    An overridable derivation layer for handling the sources.
+  */
+  sourceLayer = localSourceLayer;
+
+  /**
+    Resolve a path value to either itself or a path in the `src`, depending
+    whether `overrideSource` was called.
+  */
+  resolvePath = p: p;
+
+  /**
+    Apply an extension function (i.e. overlay-shaped) to all component derivations.
+  */
+  overrideAllMesonComponents =
+    f:
+    scope.overrideScope (
+      finalScope: prevScope: {
+        mesonComponentOverrides = lib.composeExtensions scope.mesonComponentOverrides f;
+      }
+    );
+
+  /**
+    Provide an alternate source. This allows the expressions to be vendored without copying the sources,
+    but it does make the build non-granular; all components will use a complete source.
+
+    Packaging expressions will be ignored.
+  */
+  overrideSource =
+    src:
+    scope.overrideScope (
+      finalScope: prevScope: {
+        sourceLayer = makeFetchedSourceLayer finalScope;
+        /**
+          Unpatched source for the build of Nix. Packaging expressions will be ignored.
+        */
+        src = src;
+        /**
+          Patches for the whole Nix source. Changes to packaging expressions will be ignored.
+        */
+        patches = [ ];
+        /**
+          Fetched and patched source to be used in component derivations.
+        */
+        patchedSrc =
+          if finalScope.patches == [ ] then
+            src
+          else
+            pkgs.buildPackages.srcOnly (
+              pkgs.buildPackages.stdenvNoCC.mkDerivation {
+                name = "${finalScope.src.name or "nix-source"}-patched";
+                inherit (finalScope) src patches;
+              }
+            );
+        resolvePath = p: finalScope.patchedSrc + "/${resolveRelPath p}";
+        appendPatches = appendPatches finalScope;
+      }
+    );
+
+  /**
+    Append patches to be applied to the whole Nix source.
+    This affects all components.
+
+    Changes to the packaging expressions will be ignored.
+  */
+  appendPatches =
+    patches:
+    # switch to "fetched" source first, so that patches apply to the whole tree.
+    (scope.overrideSource "${./..}").appendPatches patches;
+
+  mkMesonDerivation = mkPackageBuilder [
+    miscGoodPractice
+    scope.sourceLayer
+    setVersionLayer
+    mesonLayer
+    scope.mesonComponentOverrides
+  ];
+  mkMesonExecutable = mkPackageBuilder [
+    miscGoodPractice
+    bsdNoLinkAsNeeded
+    scope.sourceLayer
+    setVersionLayer
+    mesonLayer
+    mesonBuildLayer
+    scope.mesonComponentOverrides
+  ];
+  mkMesonLibrary = mkPackageBuilder [
+    miscGoodPractice
+    bsdNoLinkAsNeeded
+    scope.sourceLayer
+    mesonLayer
+    setVersionLayer
+    mesonBuildLayer
+    mesonLibraryLayer
+    scope.mesonComponentOverrides
+  ];
+
   nix-util = callPackage ../src/libutil/package.nix { };
   nix-util-c = callPackage ../src/libutil-c/package.nix { };
   nix-util-test-support = callPackage ../src/libutil-test-support/package.nix { };
@@ -54,7 +336,9 @@ in
 
   nix-cli = callPackage ../src/nix/package.nix { version = fineVersion; };
 
-  nix-functional-tests = callPackage ../src/nix-functional-tests/package.nix { version = fineVersion; };
+  nix-functional-tests = callPackage ../tests/functional/package.nix {
+    version = fineVersion;
+  };
 
   nix-manual = callPackage ../doc/manual/package.nix { version = fineVersion; };
   nix-internal-api-docs = callPackage ../src/internal-api-docs/package.nix { version = fineVersion; };
@@ -62,5 +346,33 @@ in
 
   nix-perl-bindings = callPackage ../src/perl/package.nix { };
 
-  nix-everything = callPackage ../packaging/everything.nix { };
+  nix-everything = callPackage ../packaging/everything.nix { } // {
+    # Note: no `passthru.overrideAllMesonComponents`
+    #       This would propagate into `nix.overrideAttrs f`, but then discard
+    #       `f` when `.overrideAllMesonComponents` is used.
+    #       Both "methods" should be views on the same fixpoint overriding mechanism
+    #       for that to work. For now, we intentionally don't support the broken
+    #       two-fixpoint solution.
+    /**
+      Apply an extension function (i.e. overlay-shaped) to all component derivations, and return the nix package.
+    */
+    overrideAllMesonComponents = f: (scope.overrideAllMesonComponents f).nix-everything;
+
+    /**
+      Append patches to be applied to the whole Nix source.
+      This affects all components.
+
+      Changes to the packaging expressions will be ignored.
+    */
+    appendPatches = ps: (scope.appendPatches ps).nix-everything;
+
+    /**
+      Provide an alternate source. This allows the expressions to be vendored without copying the sources,
+      but it does make the build non-granular; all components will use a complete source.
+
+      Packaging expressions will be ignored.
+    */
+    overrideSource = src: (scope.overrideSource src).nix-everything;
+
+  };
 }

packaging/dependencies.nix

@@ -17,11 +17,7 @@ in
 let
   inherit (pkgs) lib;
 
-  root = ../.;
-
-  stdenv = if prevStdenv.isDarwin && prevStdenv.isx86_64
-    then darwinStdenv
-    else prevStdenv;
+  stdenv = if prevStdenv.isDarwin && prevStdenv.isx86_64 then darwinStdenv else prevStdenv;
 
   # Fix the following error with the default x86_64-darwin SDK:
   #
@@ -32,196 +28,76 @@ let
   # all the way back to 10.6.
   darwinStdenv = pkgs.overrideSDK prevStdenv { darwinMinVersion = "10.13"; };
 
-  # Nixpkgs implements this by returning a subpath into the fetched Nix sources.
-  resolvePath = p: p;
-
-  # Indirection for Nixpkgs to override when package.nix files are vendored
-  filesetToSource = lib.fileset.toSource;
-
-  /** Given a set of layers, create a mkDerivation-like function */
-  mkPackageBuilder = exts: userFn:
-    stdenv.mkDerivation (lib.extends (lib.composeManyExtensions exts) userFn);
-
-  localSourceLayer = finalAttrs: prevAttrs:
-    let
-      workDirPath =
-        # Ideally we'd pick finalAttrs.workDir, but for now `mkDerivation` has
-        # the requirement that everything except passthru and meta must be
-        # serialized by mkDerivation, which doesn't work for this.
-        prevAttrs.workDir;
-
-      workDirSubpath = lib.path.removePrefix root workDirPath;
-      sources = assert prevAttrs.fileset._type == "fileset"; prevAttrs.fileset;
-      src = lib.fileset.toSource { fileset = sources; inherit root; };
-
-    in
-    {
-      sourceRoot = "${src.name}/" + workDirSubpath;
-      inherit src;
-
-      # Clear what `derivation` can't/shouldn't serialize; see prevAttrs.workDir.
-      fileset = null;
-      workDir = null;
-    };
-
-  mesonLayer = finalAttrs: prevAttrs:
-    {
-      nativeBuildInputs = [
-        pkgs.buildPackages.meson
-        pkgs.buildPackages.ninja
-      ] ++ prevAttrs.nativeBuildInputs or [];
-      mesonCheckFlags = prevAttrs.mesonCheckFlags or [] ++ [
-        "--print-errorlogs"
-      ];
-    };
-
-  mesonBuildLayer = finalAttrs: prevAttrs:
-    {
-      nativeBuildInputs = prevAttrs.nativeBuildInputs or [] ++ [
-        pkgs.buildPackages.pkg-config
-      ];
-      separateDebugInfo = !stdenv.hostPlatform.isStatic;
-      hardeningDisable = lib.optional stdenv.hostPlatform.isStatic "pie";
-    };
-
-  mesonLibraryLayer = finalAttrs: prevAttrs:
-    {
-      outputs = prevAttrs.outputs or [ "out" ] ++ [ "dev" ];
-    };
-
-  # Work around weird `--as-needed` linker behavior with BSD, see
-  # https://github.com/mesonbuild/meson/issues/3593
-  bsdNoLinkAsNeeded = finalAttrs: prevAttrs:
-    lib.optionalAttrs stdenv.hostPlatform.isBSD {
-      mesonFlags = [ (lib.mesonBool "b_asneeded" false) ] ++ prevAttrs.mesonFlags or [];
-    };
-
-  miscGoodPractice = finalAttrs: prevAttrs:
-    {
-      strictDeps = prevAttrs.strictDeps or true;
-      enableParallelBuilding = true;
-    };
 in
 scope: {
   inherit stdenv;
 
-  aws-sdk-cpp = (pkgs.aws-sdk-cpp.override {
-    apis = [ "s3" "transfer" ];
-    customMemoryManagement = false;
-  }).overrideAttrs {
-    # only a stripped down version is built, which takes a lot less resources
-    # to build, so we don't need a "big-parallel" machine.
-    requiredSystemFeatures = [ ];
-  };
-
-  libseccomp = pkgs.libseccomp.overrideAttrs (_: rec {
-    version = "2.5.5";
-    src = pkgs.fetchurl {
-      url = "https://github.com/seccomp/libseccomp/releases/download/v${version}/libseccomp-${version}.tar.gz";
-      hash = "sha256-JIosik2bmFiqa69ScSw0r+/PnJ6Ut23OAsHJqiX7M3U=";
-    };
-  });
+  aws-sdk-cpp =
+    (pkgs.aws-sdk-cpp.override {
+      apis = [
+        "s3"
+        "transfer"
+      ];
+      customMemoryManagement = false;
+    }).overrideAttrs
+      {
+        # only a stripped down version is built, which takes a lot less resources
+        # to build, so we don't need a "big-parallel" machine.
+        requiredSystemFeatures = [ ];
+      };
 
   boehmgc = pkgs.boehmgc.override {
     enableLargeConfig = true;
   };
 
   # TODO Hack until https://github.com/NixOS/nixpkgs/issues/45462 is fixed.
-  boost = (pkgs.boost.override {
-    extraB2Args = [
-      "--with-container"
-      "--with-context"
-      "--with-coroutine"
-    ];
-  }).overrideAttrs (old: {
-    # Need to remove `--with-*` to use `--with-libraries=...`
-    buildPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.buildPhase;
-    installPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.installPhase;
-  });
-
-  libgit2 = pkgs.libgit2.overrideAttrs (attrs: {
-    src = inputs.libgit2;
-    version = inputs.libgit2.lastModifiedDate;
-    cmakeFlags = attrs.cmakeFlags or []
-      ++ [ "-DUSE_SSH=exec" ];
-    nativeBuildInputs = attrs.nativeBuildInputs or []
-      # gitMinimal does not build on Windows. See packbuilder patch.
-      ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
-        # Needed for `git apply`; see `prePatch`
-        pkgs.buildPackages.gitMinimal
+  boost =
+    (pkgs.boost.override {
+      extraB2Args = [
+        "--with-container"
+        "--with-context"
+        "--with-coroutine"
       ];
-    # Only `git apply` can handle git binary patches
-    prePatch = attrs.prePatch or ""
-      + lib.optionalString (!stdenv.hostPlatform.isWindows) ''
-        patch() {
-          git apply
-        }
-      '';
-    patches = attrs.patches or []
-      ++ [
-        ./patches/libgit2-mempack-thin-packfile.patch
-      ]
-      # gitMinimal does not build on Windows, but fortunately this patch only
-      # impacts interruptibility
-      ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
-        # binary patch; see `prePatch`
-        ./patches/libgit2-packbuilder-callback-interruptible.patch
-      ];
-  });
+    }).overrideAttrs
+      (old: {
+        # Need to remove `--with-*` to use `--with-libraries=...`
+        buildPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.buildPhase;
+        installPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.installPhase;
+      });
 
-  busybox-sandbox-shell = pkgs.busybox-sandbox-shell or (pkgs.busybox.override {
-    useMusl = true;
-    enableStatic = true;
-    enableMinimal = true;
-    extraConfig = ''
-      CONFIG_FEATURE_FANCY_ECHO y
-      CONFIG_FEATURE_SH_MATH y
-      CONFIG_FEATURE_SH_MATH_64 y
-
-      CONFIG_ASH y
-      CONFIG_ASH_OPTIMIZE_FOR_SIZE y
-
-      CONFIG_ASH_ALIAS y
-      CONFIG_ASH_BASH_COMPAT y
-      CONFIG_ASH_CMDCMD y
-      CONFIG_ASH_ECHO y
-      CONFIG_ASH_GETOPTS y
-      CONFIG_ASH_INTERNAL_GLOB y
-      CONFIG_ASH_JOB_CONTROL y
-      CONFIG_ASH_PRINTF y
-      CONFIG_ASH_TEST y
-    '';
-  });
-
-  # TODO change in Nixpkgs, Windows works fine. First commit of
-  # https://github.com/NixOS/nixpkgs/pull/322977 backported will fix.
-  toml11 = pkgs.toml11.overrideAttrs (old: {
-    meta.platforms = lib.platforms.all;
-  });
-
-  inherit resolvePath filesetToSource;
-
-  mkMesonDerivation =
-    mkPackageBuilder [
-      miscGoodPractice
-      localSourceLayer
-      mesonLayer
-    ];
-  mkMesonExecutable =
-    mkPackageBuilder [
-      miscGoodPractice
-      bsdNoLinkAsNeeded
-      localSourceLayer
-      mesonLayer
-      mesonBuildLayer
-    ];
-  mkMesonLibrary =
-    mkPackageBuilder [
-      miscGoodPractice
-      bsdNoLinkAsNeeded
-      localSourceLayer
-      mesonLayer
-      mesonBuildLayer
-      mesonLibraryLayer
-    ];
+  libgit2 = pkgs.libgit2.overrideAttrs (
+    attrs:
+    {
+      cmakeFlags = attrs.cmakeFlags or [ ] ++ [ "-DUSE_SSH=exec" ];
+    }
+    # libgit2: Nixpkgs 24.11 has < 1.9.0, which needs our patches
+    // lib.optionalAttrs (!lib.versionAtLeast pkgs.libgit2.version "1.9.0") {
+      nativeBuildInputs =
+        attrs.nativeBuildInputs or [ ]
+        # gitMinimal does not build on Windows. See packbuilder patch.
+        ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
+          # Needed for `git apply`; see `prePatch`
+          pkgs.buildPackages.gitMinimal
+        ];
+      # Only `git apply` can handle git binary patches
+      prePatch =
+        attrs.prePatch or ""
+        + lib.optionalString (!stdenv.hostPlatform.isWindows) ''
+          patch() {
+            git apply
+          }
+        '';
+      patches =
+        attrs.patches or [ ]
+        ++ [
+          ./patches/libgit2-mempack-thin-packfile.patch
+        ]
+        # gitMinimal does not build on Windows, but fortunately this patch only
+        # impacts interruptibility
+        ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
+          # binary patch; see `prePatch`
+          ./patches/libgit2-packbuilder-callback-interruptible.patch
+        ];
+    }
+  );
 }

packaging/dev-shell.nix

@@ -1,128 +1,140 @@
-{ lib, devFlake }:
+{
+  lib,
+  devFlake,
+}:
 
 { pkgs }:
 
-pkgs.nixComponents.nix-util.overrideAttrs (attrs:
+pkgs.nixComponents.nix-util.overrideAttrs (
+  attrs:
 
-let
-  stdenv = pkgs.nixDependencies.stdenv;
-  buildCanExecuteHost = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
-  modular = devFlake.getSystem stdenv.buildPlatform.system;
-  transformFlag = prefix: flag:
-    assert builtins.isString flag;
-    let
-      rest = builtins.substring 2 (builtins.stringLength flag) flag;
-    in
+  let
+    stdenv = pkgs.nixDependencies.stdenv;
+    buildCanExecuteHost = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
+    modular = devFlake.getSystem stdenv.buildPlatform.system;
+    transformFlag =
+      prefix: flag:
+      assert builtins.isString flag;
+      let
+        rest = builtins.substring 2 (builtins.stringLength flag) flag;
+      in
       "-D${prefix}:${rest}";
-  havePerl = stdenv.buildPlatform == stdenv.hostPlatform && stdenv.hostPlatform.isUnix;
-  ignoreCrossFile = flags: builtins.filter (flag: !(lib.strings.hasInfix "cross-file" flag)) flags;
-in {
-  pname = "shell-for-" + attrs.pname;
+    havePerl = stdenv.buildPlatform == stdenv.hostPlatform && stdenv.hostPlatform.isUnix;
+    ignoreCrossFile = flags: builtins.filter (flag: !(lib.strings.hasInfix "cross-file" flag)) flags;
+  in
+  {
+    pname = "shell-for-" + attrs.pname;
 
-  # Remove the version suffix to avoid unnecessary attempts to substitute in nix develop
-  version = lib.fileContents ../.version;
-  name = attrs.pname;
+    # Remove the version suffix to avoid unnecessary attempts to substitute in nix develop
+    version = lib.fileContents ../.version;
+    name = attrs.pname;
 
-  installFlags = "sysconfdir=$(out)/etc";
-  shellHook = ''
-    PATH=$prefix/bin:$PATH
-    unset PYTHONPATH
-    export MANPATH=$out/share/man:$MANPATH
+    installFlags = "sysconfdir=$(out)/etc";
+    shellHook = ''
+      PATH=$prefix/bin:$PATH
+      unset PYTHONPATH
+      export MANPATH=$out/share/man:$MANPATH
 
-    # Make bash completion work.
-    XDG_DATA_DIRS+=:$out/share
+      # Make bash completion work.
+      XDG_DATA_DIRS+=:$out/share
 
-    # Make the default phases do the right thing.
-    # FIXME: this wouldn't be needed if the ninja package set buildPhase() instead of $buildPhase.
-    # FIXME: mesonConfigurePhase shouldn't cd to the build directory. It would be better to pass '-C <dir>' to ninja.
+      # Make the default phases do the right thing.
+      # FIXME: this wouldn't be needed if the ninja package set buildPhase() instead of $buildPhase.
+      # FIXME: mesonConfigurePhase shouldn't cd to the build directory. It would be better to pass '-C <dir>' to ninja.
 
-    cdToBuildDir() {
-        if [[ ! -e build.ninja ]]; then
-            cd build
-        fi
-    }
+      cdToBuildDir() {
+          if [[ ! -e build.ninja ]]; then
+              cd build
+          fi
+      }
 
-    configurePhase() {
-        mesonConfigurePhase
-    }
+      configurePhase() {
+          mesonConfigurePhase
+      }
 
-    buildPhase() {
-        cdToBuildDir
-        ninjaBuildPhase
-    }
+      buildPhase() {
+          cdToBuildDir
+          ninjaBuildPhase
+      }
 
-    checkPhase() {
-        cdToBuildDir
-        mesonCheckPhase
-    }
+      checkPhase() {
+          cdToBuildDir
+          mesonCheckPhase
+      }
 
-    installPhase() {
-        cdToBuildDir
-        ninjaInstallPhase
-    }
-  '';
+      installPhase() {
+          cdToBuildDir
+          ninjaInstallPhase
+      }
+    '';
 
-  # We use this shell with the local checkout, not unpackPhase.
-  src = null;
+    # We use this shell with the local checkout, not unpackPhase.
+    src = null;
 
-  env = {
-    # Needed for Meson to find Boost.
-    # https://github.com/NixOS/nixpkgs/issues/86131.
-    BOOST_INCLUDEDIR = "${lib.getDev pkgs.nixDependencies.boost}/include";
-    BOOST_LIBRARYDIR = "${lib.getLib pkgs.nixDependencies.boost}/lib";
-    # For `make format`, to work without installing pre-commit
-    _NIX_PRE_COMMIT_HOOKS_CONFIG =
-      "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml" modular.pre-commit.settings.rawConfig}";
-  };
+    env = {
+      # Needed for Meson to find Boost.
+      # https://github.com/NixOS/nixpkgs/issues/86131.
+      BOOST_INCLUDEDIR = "${lib.getDev pkgs.nixDependencies.boost}/include";
+      BOOST_LIBRARYDIR = "${lib.getLib pkgs.nixDependencies.boost}/lib";
+      # For `make format`, to work without installing pre-commit
+      _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
+        modular.pre-commit.settings.rawConfig
+      }";
+    };
 
-  mesonFlags =
-    map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents.nix-util.mesonFlags)
-    ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents.nix-store.mesonFlags)
-    ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents.nix-fetchers.mesonFlags)
-    ++ lib.optionals havePerl (map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents.nix-perl-bindings.mesonFlags))
-    ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents.nix-expr.mesonFlags)
-    ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents.nix-cmd.mesonFlags)
-    ;
+    mesonFlags =
+      map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents.nix-util.mesonFlags)
+      ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents.nix-store.mesonFlags)
+      ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents.nix-fetchers.mesonFlags)
+      ++ lib.optionals havePerl (
+        map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents.nix-perl-bindings.mesonFlags)
+      )
+      ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents.nix-expr.mesonFlags)
+      ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents.nix-cmd.mesonFlags);
 
-  nativeBuildInputs = attrs.nativeBuildInputs or []
-    ++ pkgs.nixComponents.nix-util.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-store.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-fetchers.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-expr.nativeBuildInputs
-    ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.nativeBuildInputs
-    ++ lib.optionals buildCanExecuteHost pkgs.nixComponents.nix-manual.externalNativeBuildInputs
-    ++ pkgs.nixComponents.nix-internal-api-docs.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-external-api-docs.nativeBuildInputs
-    ++ pkgs.nixComponents.nix-functional-tests.externalNativeBuildInputs
-    ++ lib.optional
-      (!buildCanExecuteHost
-         # Hack around https://github.com/nixos/nixpkgs/commit/bf7ad8cfbfa102a90463433e2c5027573b462479
-         && !(stdenv.hostPlatform.isWindows && stdenv.buildPlatform.isDarwin)
-         && stdenv.hostPlatform.emulatorAvailable pkgs.buildPackages
-         && lib.meta.availableOn stdenv.buildPlatform (stdenv.hostPlatform.emulator pkgs.buildPackages))
-      pkgs.buildPackages.mesonEmulatorHook
-    ++ [
-      pkgs.buildPackages.cmake
-      pkgs.buildPackages.shellcheck
-      pkgs.buildPackages.changelog-d
-      modular.pre-commit.settings.package
-      (pkgs.writeScriptBin "pre-commit-hooks-install"
-        modular.pre-commit.settings.installationScript)
-    ]
-    # TODO: Remove the darwin check once
-    # https://github.com/NixOS/nixpkgs/pull/291814 is available
-    ++ lib.optional (stdenv.cc.isClang && !stdenv.buildPlatform.isDarwin) pkgs.buildPackages.bear
-    ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (lib.hiPrio pkgs.buildPackages.clang-tools);
+    nativeBuildInputs =
+      attrs.nativeBuildInputs or [ ]
+      ++ pkgs.nixComponents.nix-util.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-store.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-fetchers.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-expr.nativeBuildInputs
+      ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.nativeBuildInputs
+      ++ lib.optionals buildCanExecuteHost pkgs.nixComponents.nix-manual.externalNativeBuildInputs
+      ++ pkgs.nixComponents.nix-internal-api-docs.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-external-api-docs.nativeBuildInputs
+      ++ pkgs.nixComponents.nix-functional-tests.externalNativeBuildInputs
+      ++ lib.optional (
+        !buildCanExecuteHost
+        # Hack around https://github.com/nixos/nixpkgs/commit/bf7ad8cfbfa102a90463433e2c5027573b462479
+        && !(stdenv.hostPlatform.isWindows && stdenv.buildPlatform.isDarwin)
+        && stdenv.hostPlatform.emulatorAvailable pkgs.buildPackages
+        && lib.meta.availableOn stdenv.buildPlatform (stdenv.hostPlatform.emulator pkgs.buildPackages)
+      ) pkgs.buildPackages.mesonEmulatorHook
+      ++ [
+        pkgs.buildPackages.cmake
+        pkgs.buildPackages.shellcheck
+        pkgs.buildPackages.changelog-d
+        modular.pre-commit.settings.package
+        (pkgs.writeScriptBin "pre-commit-hooks-install" modular.pre-commit.settings.installationScript)
+        pkgs.buildPackages.nixfmt-rfc-style
+      ]
+      # TODO: Remove the darwin check once
+      # https://github.com/NixOS/nixpkgs/pull/291814 is available
+      ++ lib.optional (stdenv.cc.isClang && !stdenv.buildPlatform.isDarwin) pkgs.buildPackages.bear
+      ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (
+        lib.hiPrio pkgs.buildPackages.clang-tools
+      );
 
-  buildInputs = attrs.buildInputs or []
-    ++ pkgs.nixComponents.nix-util.buildInputs
-    ++ pkgs.nixComponents.nix-store.buildInputs
-    ++ pkgs.nixComponents.nix-store-tests.externalBuildInputs
-    ++ pkgs.nixComponents.nix-fetchers.buildInputs
-    ++ pkgs.nixComponents.nix-expr.buildInputs
-    ++ pkgs.nixComponents.nix-expr.externalPropagatedBuildInputs
-    ++ pkgs.nixComponents.nix-cmd.buildInputs
-    ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.externalBuildInputs
-    ++ lib.optional havePerl pkgs.perl
-    ;
-})
+    buildInputs =
+      attrs.buildInputs or [ ]
+      ++ pkgs.nixComponents.nix-util.buildInputs
+      ++ pkgs.nixComponents.nix-store.buildInputs
+      ++ pkgs.nixComponents.nix-store-tests.externalBuildInputs
+      ++ pkgs.nixComponents.nix-fetchers.buildInputs
+      ++ pkgs.nixComponents.nix-expr.buildInputs
+      ++ pkgs.nixComponents.nix-expr.externalPropagatedBuildInputs
+      ++ pkgs.nixComponents.nix-cmd.buildInputs
+      ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.externalBuildInputs
+      ++ lib.optional havePerl pkgs.perl;
+  }
+)

packaging/everything.nix

@@ -42,37 +42,48 @@
 }:
 
 let
+  libs =
+    {
+      inherit
+        nix-util
+        nix-util-c
+        nix-store
+        nix-store-c
+        nix-fetchers
+        nix-expr
+        nix-expr-c
+        nix-flake
+        nix-flake-c
+        nix-main
+        nix-main-c
+        nix-cmd
+        ;
+    }
+    // lib.optionalAttrs
+      (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+      {
+        # Currently fails in static build
+        inherit
+          nix-perl-bindings
+          ;
+      };
+
   dev = stdenv.mkDerivation (finalAttrs: {
     name = "nix-${nix-cli.version}-dev";
     pname = "nix";
     version = nix-cli.version;
     dontUnpack = true;
     dontBuild = true;
-    libs = map lib.getDev [
-      nix-cmd
-      nix-expr
-      nix-expr-c
-      nix-fetchers
-      nix-flake
-      nix-flake-c
-      nix-main
-      nix-main-c
-      nix-store
-      nix-store-c
-      nix-util
-      nix-util-c
-      nix-perl-bindings
-    ];
+    libs = map lib.getDev (lib.attrValues libs);
     installPhase = ''
       mkdir -p $out/nix-support
       echo $libs >> $out/nix-support/propagated-build-inputs
     '';
     passthru = {
       tests = {
-        pkg-config =
-          testers.hasPkgConfigModules {
-            package = finalAttrs.finalPackage;
-          };
+        pkg-config = testers.hasPkgConfigModules {
+          package = finalAttrs.finalPackage;
+        };
       };
 
       # If we were to fully emulate output selection here, we'd confuse the Nix CLIs,
@@ -82,6 +93,7 @@ let
       libs = throw "`nix.dev.libs` is not meant to be used; use `nix.libs` instead.";
     };
     meta = {
+      mainProgram = "nix";
       pkgConfigModules = [
         "nix-cmd"
         "nix-expr"
@@ -115,88 +127,84 @@ in
   ];
 
   meta.mainProgram = "nix";
-}).overrideAttrs (finalAttrs: prevAttrs: {
-  doCheck = true;
-  doInstallCheck = true;
+}).overrideAttrs
+  (
+    finalAttrs: prevAttrs: {
+      doCheck = true;
+      doInstallCheck = true;
 
-  checkInputs = [
-    # Make sure the unit tests have passed
-    nix-util-tests.tests.run
-    nix-store-tests.tests.run
-    nix-expr-tests.tests.run
-    nix-fetchers-tests.tests.run
-    nix-flake-tests.tests.run
+      checkInputs =
+        [
+          # Make sure the unit tests have passed
+          nix-util-tests.tests.run
+          nix-store-tests.tests.run
+          nix-expr-tests.tests.run
+          nix-fetchers-tests.tests.run
+          nix-flake-tests.tests.run
 
-    # dev bundle is ok
-    # (checkInputs must be empty paths??)
-    (runCommand "check-pkg-config" { checked = dev.tests.pkg-config; } "mkdir $out")
-  ] ++
-    (if stdenv.buildPlatform.canExecute stdenv.hostPlatform
-    then [
-      # TODO: add perl.tests
-      nix-perl-bindings
-    ]
-    else [
-      nix-perl-bindings
-    ]);
-  installCheckInputs = [
-    nix-functional-tests
-  ];
-  passthru = prevAttrs.passthru // {
-    inherit (nix-cli) version;
+          # Make sure the functional tests have passed
+          nix-functional-tests
 
-    /**
-      These are the libraries that are part of the Nix project. They are used
-      by the Nix CLI and other tools.
+          # dev bundle is ok
+          # (checkInputs must be empty paths??)
+          (runCommand "check-pkg-config" { checked = dev.tests.pkg-config; } "mkdir $out")
+        ]
+        ++ lib.optionals
+          (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+          [
+            # Perl currently fails in static build
+            # TODO: Split out tests into a separate derivation?
+            nix-perl-bindings
+          ];
+      passthru = prevAttrs.passthru // {
+        inherit (nix-cli) version;
 
-      If you need to use these libraries in your project, we recommend to use
-      the `-c` C API libraries exclusively, if possible.
+        /**
+          These are the libraries that are part of the Nix project. They are used
+          by the Nix CLI and other tools.
 
-      We also recommend that you build the complete package to ensure that the unit tests pass.
-      You could do this in CI, or by passing it in an unused environment variable. e.g in a `mkDerivation` call:
+          If you need to use these libraries in your project, we recommend to use
+          the `-c` C API libraries exclusively, if possible.
 
-      ```nix
-        buildInputs = [ nix.libs.nix-util-c nix.libs.nix-store-c ];
-        # Make sure the nix libs we use are ok
-        unusedInputsForTests = [ nix ];
-        disallowedReferences = nix.all;
-      ```
-     */
-    libs = {
-      inherit
-        nix-util
-        nix-util-c
-        nix-store
-        nix-store-c
-        nix-fetchers
-        nix-expr
-        nix-expr-c
-        nix-flake
-        nix-flake-c
-        nix-main
-        nix-main-c
-      ;
-    };
+          We also recommend that you build the complete package to ensure that the unit tests pass.
+          You could do this in CI, or by passing it in an unused environment variable. e.g in a `mkDerivation` call:
 
-    tests = prevAttrs.passthru.tests or {} // {
-      # TODO: create a proper fixpoint and:
-      # pkg-config =
-      #   testers.hasPkgConfigModules {
-      #     package = finalPackage;
-      #   };
-    };
+          ```nix
+            buildInputs = [ nix.libs.nix-util-c nix.libs.nix-store-c ];
+            # Make sure the nix libs we use are ok
+            unusedInputsForTests = [ nix ];
+            disallowedReferences = nix.all;
+          ```
+        */
+        inherit libs;
 
-    /**
-      A derivation referencing the `dev` outputs of the Nix libraries.
-     */
-    inherit dev;
-    inherit devdoc;
-    doc = nix-manual;
-    outputs = [ "out" "dev" "devdoc" "doc" ];
-    all = lib.attrValues (lib.genAttrs finalAttrs.passthru.outputs (outName: finalAttrs.finalPackage.${outName}));
-  };
-  meta = prevAttrs.meta // {
-    description = "The Nix package manager";
-    pkgConfigModules = dev.meta.pkgConfigModules;
-  };
-})
+        tests = prevAttrs.passthru.tests or { } // {
+          # TODO: create a proper fixpoint and:
+          # pkg-config =
+          #   testers.hasPkgConfigModules {
+          #     package = finalPackage;
+          #   };
+        };
+
+        /**
+          A derivation referencing the `dev` outputs of the Nix libraries.
+        */
+        inherit dev;
+        inherit devdoc;
+        doc = nix-manual;
+        outputs = [
+          "out"
+          "dev"
+          "devdoc"
+          "doc"
+        ];
+        all = lib.attrValues (
+          lib.genAttrs finalAttrs.passthru.outputs (outName: finalAttrs.finalPackage.${outName})
+        );
+      };
+      meta = prevAttrs.meta // {
+        description = "The Nix package manager";
+        pkgConfigModules = dev.meta.pkgConfigModules;
+      };
+    }
+  )

packaging/hydra.nix

@@ -1,22 +1,24 @@
-{ inputs
-, binaryTarball
-, forAllCrossSystems
-, forAllSystems
-, lib
-, linux64BitSystems
-, nixpkgsFor
-, self
-, officialRelease
+{
+  inputs,
+  forAllCrossSystems,
+  forAllSystems,
+  lib,
+  linux64BitSystems,
+  nixpkgsFor,
+  self,
+  officialRelease,
 }:
 let
   inherit (inputs) nixpkgs nixpkgs-regression;
 
-  installScriptFor = tarballs:
-    nixpkgsFor.x86_64-linux.native.callPackage ../scripts/installer.nix {
+  installScriptFor =
+    tarballs:
+    nixpkgsFor.x86_64-linux.native.callPackage ./installer {
       inherit tarballs;
     };
 
-  testNixVersions = pkgs: daemon:
+  testNixVersions =
+    pkgs: daemon:
     pkgs.nixComponents.nix-functional-tests.override {
       pname = "nix-daemon-compat-tests";
       version = "${pkgs.nix.version}-with-daemon-${daemon.version}";
@@ -54,44 +56,72 @@ let
 in
 {
   # Binary package for various platforms.
-  build = forAllPackages (pkgName:
-    forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.${pkgName}));
+  build = forAllPackages (
+    pkgName: forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.${pkgName})
+  );
 
-  shellInputs = removeAttrs
-    (forAllSystems (system: self.devShells.${system}.default.inputDerivation))
-    [ "i686-linux" ];
+  shellInputs = removeAttrs (forAllSystems (
+    system: self.devShells.${system}.default.inputDerivation
+  )) [ "i686-linux" ];
 
-  buildStatic = forAllPackages (pkgName:
-    lib.genAttrs linux64BitSystems (system: nixpkgsFor.${system}.static.nixComponents.${pkgName}));
+  buildStatic = forAllPackages (
+    pkgName:
+    lib.genAttrs linux64BitSystems (
+      system: nixpkgsFor.${system}.native.pkgsStatic.nixComponents.${pkgName}
+    )
+  );
 
-  buildCross = forAllPackages (pkgName:
+  buildCross = forAllPackages (
+    pkgName:
     # Hack to avoid non-evaling package
-    (if pkgName == "nix-functional-tests" then lib.flip builtins.removeAttrs ["x86_64-w64-mingw32"] else lib.id)
-    (forAllCrossSystems (crossSystem:
-      lib.genAttrs [ "x86_64-linux" ] (system: nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName}))));
+    (
+      if pkgName == "nix-functional-tests" then
+        lib.flip builtins.removeAttrs [ "x86_64-w64-mingw32" ]
+      else
+        lib.id
+    )
+      (
+        forAllCrossSystems (
+          crossSystem:
+          lib.genAttrs [ "x86_64-linux" ] (
+            system: nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName}
+          )
+        )
+      )
+  );
 
-  buildNoGc = let
-    components = forAllSystems (system:
-      nixpkgsFor.${system}.native.nixComponents.overrideScope (self: super: {
-        nix-expr = super.nix-expr.override { enableGC = false; };
-      })
-    );
-  in forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
+  buildNoGc =
+    let
+      components = forAllSystems (
+        system:
+        nixpkgsFor.${system}.native.nixComponents.overrideScope (
+          self: super: {
+            nix-expr = super.nix-expr.override { enableGC = false; };
+          }
+        )
+      );
+    in
+    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
 
   buildNoTests = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.nix-cli);
 
   # Toggles some settings for better coverage. Windows needs these
   # library combinations, and Debian build Nix with GNU readline too.
-  buildReadlineNoMarkdown = let
-    components = forAllSystems (system:
-      nixpkgsFor.${system}.native.nixComponents.overrideScope (self: super: {
-        nix-cmd = super.nix-cmd.override {
-          enableMarkdown = false;
-          readlineFlavor = "readline";
-        };
-      })
-    );
-  in forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
+  buildReadlineNoMarkdown =
+    let
+      components = forAllSystems (
+        system:
+        nixpkgsFor.${system}.native.nixComponents.overrideScope (
+          self: super: {
+            nix-cmd = super.nix-cmd.override {
+              enableMarkdown = false;
+              readlineFlavor = "readline";
+            };
+          }
+        )
+      );
+    in
+    forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
 
   # Perl bindings for various platforms.
   perlBindings = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.nix-perl-bindings);
@@ -99,13 +129,16 @@ in
   # Binary tarball for various platforms, containing a Nix store
   # with the closure of 'nix' package, and the second half of
   # the installation script.
-  binaryTarball = forAllSystems (system: binaryTarball nixpkgsFor.${system}.native.nix nixpkgsFor.${system}.native);
+  binaryTarball = forAllSystems (
+    system: nixpkgsFor.${system}.native.callPackage ./binary-tarball.nix { }
+  );
 
-  binaryTarballCross = lib.genAttrs [ "x86_64-linux" ] (system:
-    forAllCrossSystems (crossSystem:
-      binaryTarball
-        nixpkgsFor.${system}.cross.${crossSystem}.nix
-        nixpkgsFor.${system}.cross.${crossSystem}));
+  binaryTarballCross = lib.genAttrs [ "x86_64-linux" ] (
+    system:
+    forAllCrossSystems (
+      crossSystem: nixpkgsFor.${system}.cross.${crossSystem}.callPackage ./binary-tarball.nix { }
+    )
+  );
 
   # The first half of the installation script. This is uploaded
   # to https://nixos.org/nix/install. It downloads the binary
@@ -123,15 +156,13 @@ in
     self.hydraJobs.binaryTarballCross."x86_64-linux"."armv7l-unknown-linux-gnueabihf"
     self.hydraJobs.binaryTarballCross."x86_64-linux"."riscv64-unknown-linux-gnu"
   ];
-  installerScriptForGHA = installScriptFor [
-    # Native
-    self.hydraJobs.binaryTarball."x86_64-linux"
-    self.hydraJobs.binaryTarball."aarch64-darwin"
-    # Cross
-    self.hydraJobs.binaryTarballCross."x86_64-linux"."armv6l-unknown-linux-gnueabihf"
-    self.hydraJobs.binaryTarballCross."x86_64-linux"."armv7l-unknown-linux-gnueabihf"
-    self.hydraJobs.binaryTarballCross."x86_64-linux"."riscv64-unknown-linux-gnu"
-  ];
+
+  installerScriptForGHA = forAllSystems (
+    system:
+    nixpkgsFor.${system}.native.callPackage ./installer {
+      tarballs = [ self.hydraJobs.binaryTarball.${system} ];
+    }
+  );
 
   # docker image with Nix inside
   dockerImage = lib.genAttrs linux64BitSystems (system: self.packages.${system}.dockerImage);
@@ -152,16 +183,20 @@ in
   external-api-docs = nixpkgsFor.x86_64-linux.native.nixComponents.nix-external-api-docs;
 
   # System tests.
-  tests = import ../tests/nixos { inherit lib nixpkgs nixpkgsFor self; } // {
+  tests =
+    import ../tests/nixos {
+      inherit lib nixpkgs nixpkgsFor;
+      inherit (self.inputs) nixpkgs-23-11;
+    }
+    // {
 
-    # Make sure that nix-env still produces the exact same result
-    # on a particular version of Nixpkgs.
-    evalNixpkgs =
-      let
-        inherit (nixpkgsFor.x86_64-linux.native) runCommand nix;
-      in
-      runCommand "eval-nixos" { buildInputs = [ nix ]; }
-        ''
+      # Make sure that nix-env still produces the exact same result
+      # on a particular version of Nixpkgs.
+      evalNixpkgs =
+        let
+          inherit (nixpkgsFor.x86_64-linux.native) runCommand nix;
+        in
+        runCommand "eval-nixos" { buildInputs = [ nix ]; } ''
           type -p nix-env
           # Note: we're filtering out nixos-install-tools because https://github.com/NixOS/nixpkgs/pull/153594#issuecomment-1020530593.
           (
@@ -172,36 +207,36 @@ in
           mkdir $out
         '';
 
-    nixpkgsLibTests =
-      forAllSystems (system:
-        import (nixpkgs + "/lib/tests/test-with-nix.nix")
-          {
-            lib = nixpkgsFor.${system}.native.lib;
-            nix = self.packages.${system}.nix-cli;
-            pkgs = nixpkgsFor.${system}.native;
-          }
+      nixpkgsLibTests = forAllSystems (
+        system:
+        import (nixpkgs + "/lib/tests/test-with-nix.nix") {
+          lib = nixpkgsFor.${system}.native.lib;
+          nix = self.packages.${system}.nix-cli;
+          pkgs = nixpkgsFor.${system}.native;
+        }
       );
-  };
+    };
 
   metrics.nixpkgs = import "${nixpkgs-regression}/pkgs/top-level/metrics.nix" {
     pkgs = nixpkgsFor.x86_64-linux.native;
     nixpkgs = nixpkgs-regression;
   };
 
-  installTests = forAllSystems (system:
-    let pkgs = nixpkgsFor.${system}.native; in
-    pkgs.runCommand "install-tests"
-      {
-        againstSelf = testNixVersions pkgs pkgs.nix;
-        againstCurrentLatest =
-          # FIXME: temporarily disable this on macOS because of #3605.
-          if system == "x86_64-linux"
-          then testNixVersions pkgs pkgs.nixVersions.latest
-          else null;
-        # Disabled because the latest stable version doesn't handle
-        # `NIX_DAEMON_SOCKET_PATH` which is required for the tests to work
-        # againstLatestStable = testNixVersions pkgs pkgs.nixStable;
-      } "touch $out");
+  installTests = forAllSystems (
+    system:
+    let
+      pkgs = nixpkgsFor.${system}.native;
+    in
+    pkgs.runCommand "install-tests" {
+      againstSelf = testNixVersions pkgs pkgs.nix;
+      againstCurrentLatest =
+        # FIXME: temporarily disable this on macOS because of #3605.
+        if system == "x86_64-linux" then testNixVersions pkgs pkgs.nixVersions.latest else null;
+      # Disabled because the latest stable version doesn't handle
+      # `NIX_DAEMON_SOCKET_PATH` which is required for the tests to work
+      # againstLatestStable = testNixVersions pkgs pkgs.nixStable;
+    } "touch $out"
+  );
 
   installerTests = import ../tests/installer {
     binaryTarballs = self.hydraJobs.binaryTarball;

packaging/installer/default.nix

@@ -0,0 +1,42 @@
+{
+  lib,
+  runCommand,
+  nix,
+  tarballs,
+}:
+
+runCommand "installer-script"
+  {
+    buildInputs = [ nix ];
+  }
+  ''
+    mkdir -p $out/nix-support
+
+    # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
+    tarballPath() {
+      # Remove the store prefix
+      local path=''${1#${builtins.storeDir}/}
+      # Get the path relative to the derivation root
+      local rest=''${path#*/}
+      # Get the derivation hash
+      local drvHash=''${path%%-*}
+      echo "$drvHash/$rest"
+    }
+
+    substitute ${./install.in} $out/install \
+      ${
+        lib.concatMapStrings (
+          tarball:
+          let
+            inherit (tarball.stdenv.hostPlatform) system;
+          in
+          ''
+            \
+                   --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
+                   --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
+          ''
+        ) tarballs
+      } --replace '@nixVersion@' ${nix.version}
+
+    echo "file installer $out/install" >> $out/nix-support/hydra-build-products
+  ''

scripts/build-checks

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+system=$(nix eval --raw --impure --expr builtins.currentSystem)
+nix eval --json ".#checks.$system" --apply builtins.attrNames | \
+  jq -r '.[]' | \
+  xargs -P0 -I '{}' sh -c "nix build -L .#checks.$system.{} || { echo 'FAILED: \033[0;31mnix build -L .#checks.$system.{}\\033[0m'; kill 0; }"

scripts/install-darwin-multi-user.sh

@@ -145,13 +145,28 @@ poly_user_id_get() {
     dsclattr "/Users/$1" "UniqueID"
 }
 
+dscl_create() {
+    # workaround a bug in dscl where it sometimes fails with eNotYetImplemented:
+    # https://github.com/NixOS/nix/issues/12140
+    while ! _sudo "$1" /usr/bin/dscl . -create "$2" "$3" "$4" 2> "$SCRATCH/dscl.err"; do
+        local err=$?
+        if [[ $err -eq 140 ]] && grep -q "-14988 (eNotYetImplemented)" "$SCRATCH/dscl.err"; then
+            echo "dscl failed with eNotYetImplemented, retrying..."
+            sleep 1
+            continue
+        fi
+        cat "$SCRATCH/dscl.err"
+        return $err
+    done
+}
+
 poly_user_hidden_get() {
     dsclattr "/Users/$1" "IsHidden"
 }
 
 poly_user_hidden_set() {
-    _sudo "in order to make $1 a hidden user" \
-          /usr/bin/dscl . -create "/Users/$1" "IsHidden" "1"
+    dscl_create "in order to make $1 a hidden user" \
+          "/Users/$1" "IsHidden" "1"
 }
 
 poly_user_home_get() {
@@ -161,8 +176,8 @@ poly_user_home_get() {
 poly_user_home_set() {
     # This can trigger a permission prompt now:
     # "Terminal" would like to administer your computer. Administration can include modifying passwords, networking, and system settings.
-    _sudo "in order to give $1 a safe home directory" \
-          /usr/bin/dscl . -create "/Users/$1" "NFSHomeDirectory" "$2"
+    dscl_create "in order to give $1 a safe home directory" \
+          "/Users/$1" "NFSHomeDirectory" "$2"
 }
 
 poly_user_note_get() {
@@ -170,8 +185,8 @@ poly_user_note_get() {
 }
 
 poly_user_note_set() {
-    _sudo "in order to give $username a useful note" \
-          /usr/bin/dscl . -create "/Users/$1" "RealName" "$2"
+    dscl_create "in order to give $1 a useful note" \
+          "/Users/$1" "RealName" "$2"
 }
 
 poly_user_shell_get() {
@@ -179,8 +194,8 @@ poly_user_shell_get() {
 }
 
 poly_user_shell_set() {
-    _sudo "in order to give $1 a safe shell" \
-          /usr/bin/dscl . -create "/Users/$1" "UserShell" "$2"
+    dscl_create "in order to give $1 a safe shell" \
+          "/Users/$1" "UserShell" "$2"
 }
 
 poly_user_in_group_check() {

scripts/install-multi-user.sh

@@ -56,6 +56,9 @@ readonly NIX_INSTALLED_CACERT="@cacert@"
 #readonly NIX_INSTALLED_CACERT="/nix/store/7dxhzymvy330i28ii676fl1pqwcahv2f-nss-cacert-3.49.2"
 readonly EXTRACTED_NIX_PATH="$(dirname "$0")"
 
+# allow to override identity change command
+readonly NIX_BECOME=${NIX_BECOME:-sudo}
+
 readonly ROOT_HOME=~root
 
 if [ -t 0 ] && [ -z "${NIX_INSTALLER_YES:-}" ]; then
@@ -123,7 +126,7 @@ uninstall_directions() {
             cat <<EOF
 $step. Restore $profile_target$PROFILE_BACKUP_SUFFIX back to $profile_target
 
-  sudo mv $profile_target$PROFILE_BACKUP_SUFFIX $profile_target
+  $NIX_BECOME mv $profile_target$PROFILE_BACKUP_SUFFIX $profile_target
 
 (after this one, you may need to re-open any terminals that were
 opened while it existed.)
@@ -136,7 +139,7 @@ EOF
     cat <<EOF
 $step. Delete the files Nix added to your system:
 
-  sudo rm -rf "/etc/nix" "$NIX_ROOT" "$ROOT_HOME/.nix-profile" "$ROOT_HOME/.nix-defexpr" "$ROOT_HOME/.nix-channels" "$ROOT_HOME/.local/state/nix" "$ROOT_HOME/.cache/nix" "$HOME/.nix-profile" "$HOME/.nix-defexpr" "$HOME/.nix-channels" "$HOME/.local/state/nix" "$HOME/.cache/nix"
+  $NIX_BECOME rm -rf "/etc/nix" "$NIX_ROOT" "$ROOT_HOME/.nix-profile" "$ROOT_HOME/.nix-defexpr" "$ROOT_HOME/.nix-channels" "$ROOT_HOME/.local/state/nix" "$ROOT_HOME/.cache/nix" "$HOME/.nix-profile" "$HOME/.nix-defexpr" "$HOME/.nix-channels" "$HOME/.local/state/nix" "$HOME/.cache/nix"
 
 and that is it.
 
@@ -343,7 +346,7 @@ __sudo() {
 
     echo "I am executing:"
     echo ""
-    printf "    $ sudo %s\\n" "$cmd"
+    printf "    $ $NIX_BECOME %s\\n" "$cmd"
     echo ""
     echo "$expl"
     echo ""
@@ -361,7 +364,9 @@ _sudo() {
     if is_root; then
         env "$@"
     else
-        sudo "$@"
+        # env sets environment variables for sudo alternatives
+        # that don't support "VAR=value command" syntax
+        $NIX_BECOME env "$@"
     fi
 }
 
@@ -557,7 +562,7 @@ create_build_user_for_core() {
         if [ "$actual_uid" != "$uid" ]; then
             failure <<EOF
 It seems the build user $username already exists, but with the UID
-with the UID '$actual_uid'. This script can't really handle that right
+'$actual_uid'. This script can't really handle that right
 now, so I'm going to give up.
 
 If you already created the users and you know they start from

scripts/install-nix-from-tarball.sh

@@ -9,6 +9,8 @@ self="$(dirname "$0")"
 nix="@nix@"
 cacert="@cacert@"
 
+# allow to override identity change command
+readonly NIX_BECOME="${NIX_BECOME:-sudo}"
 
 if ! [ -e "$self/.reginfo" ]; then
     echo "$0: incomplete installer (.reginfo is missing)" >&2
@@ -63,7 +65,6 @@ while [ $# -gt 0 ]; do
                 exit 1
             fi
             INSTALL_MODE=no-daemon
-            # intentional tail space
             ACTION=install
             ;;
         --yes)
@@ -135,8 +136,8 @@ echo "performing a single-user installation of Nix..." >&2
 
 if ! [ -e "$dest" ]; then
     cmd="mkdir -m 0755 $dest && chown $USER $dest"
-    echo "directory $dest does not exist; creating it by running '$cmd' using sudo" >&2
-    if ! sudo sh -c "$cmd"; then
+    echo "directory $dest does not exist; creating it by running '$cmd' using $NIX_BECOME" >&2
+    if ! $NIX_BECOME sh -c "$cmd"; then
         echo "$0: please manually run '$cmd' as root to create $dest" >&2
         exit 1
     fi

scripts/installer.nix

@@ -1,36 +0,0 @@
-{ lib
-, runCommand
-, nix
-, tarballs
-}:
-
-runCommand "installer-script" {
-  buildInputs = [ nix ];
-} ''
-  mkdir -p $out/nix-support
-
-  # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
-  tarballPath() {
-    # Remove the store prefix
-    local path=''${1#${builtins.storeDir}/}
-    # Get the path relative to the derivation root
-    local rest=''${path#*/}
-    # Get the derivation hash
-    local drvHash=''${path%%-*}
-    echo "$drvHash/$rest"
-  }
-
-  substitute ${./install.in} $out/install \
-    ${lib.concatMapStrings
-      (tarball: let
-          inherit (tarball.stdenv.hostPlatform) system;
-        in '' \
-        --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
-        --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
-        ''
-      )
-      tarballs
-    } --replace '@nixVersion@' ${nix.version}
-
-  echo "file installer $out/install" >> $out/nix-support/hydra-build-products
-''

scripts/nix-profile-daemon.fish.in

@@ -1,3 +1,13 @@
+# Only execute this file once per shell.
+if test -z "$HOME" || \
+    test -n "$__ETC_PROFILE_NIX_SOURCED"
+    exit
+end
+
+set --global __ETC_PROFILE_NIX_SOURCED 1
+
+# Local helpers
+
 function add_path --argument-names new_path
     if type -q fish_add_path
         # fish 3.2.0 or newer
@@ -10,48 +20,51 @@ function add_path --argument-names new_path
     end
 end
 
-# Only execute this file once per shell.
-if test -n "$__ETC_PROFILE_NIX_SOURCED"
-  exit
-end
+# Main configuration
 
-set __ETC_PROFILE_NIX_SOURCED 1
+# Set up the per-user profile.
 
+set --local NIX_LINK $HOME/.nix-profile
+
+# Set up environment.
+# This part should be kept in sync with nixpkgs:nixos/modules/programs/environment.nix
 set --export NIX_PROFILES "@localstatedir@/nix/profiles/default $HOME/.nix-profile"
 
 # Populate bash completions, .desktop files, etc
 if test -z "$XDG_DATA_DIRS"
     # According to XDG spec the default is /usr/local/share:/usr/share, don't set something that prevents that default
-    set --export XDG_DATA_DIRS "/usr/local/share:/usr/share:/nix/var/nix/profiles/default/share"
+    set --export XDG_DATA_DIRS "/usr/local/share:/usr/share:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
 else
-    set --export XDG_DATA_DIRS "$XDG_DATA_DIRS:/nix/var/nix/profiles/default/share"
+    set --export XDG_DATA_DIRS "$XDG_DATA_DIRS:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
 end
 
 # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
 if test -n "$NIX_SSL_CERT_FILE"
-  : # Allow users to override the NIX_SSL_CERT_FILE
+    : # Allow users to override the NIX_SSL_CERT_FILE
 else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch
-  set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
+    set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
 else if test -e /etc/ssl/ca-bundle.pem # openSUSE Tumbleweed
-  set --export NIX_SSL_CERT_FILE /etc/ssl/ca-bundle.pem
+    set --export NIX_SSL_CERT_FILE /etc/ssl/ca-bundle.pem
 else if test -e /etc/ssl/certs/ca-bundle.crt # Old NixOS
-  set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-bundle.crt
+    set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-bundle.crt
 else if test -e /etc/pki/tls/certs/ca-bundle.crt # Fedora, CentOS
-  set --export NIX_SSL_CERT_FILE /etc/pki/tls/certs/ca-bundle.crt
+    set --export NIX_SSL_CERT_FILE /etc/pki/tls/certs/ca-bundle.crt
 else if test -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" # fall back to cacert in Nix profile
-  set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
+    set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
 else if test -e "$NIX_LINK/etc/ca-bundle.crt" # old cacert in Nix profile
-  set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ca-bundle.crt"
+    set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ca-bundle.crt"
 else
-  # Fall back to what is in the nix profiles, favouring whatever is defined last.
-  for i in (string split ' ' $NIX_PROFILES)
-    if test -e "$i/etc/ssl/certs/ca-bundle.crt"
-      set --export NIX_SSL_CERT_FILE "$i/etc/ssl/certs/ca-bundle.crt"
+    # Fall back to what is in the nix profiles, favouring whatever is defined last.
+    for i in (string split ' ' $NIX_PROFILES)
+        if test -e "$i/etc/ssl/certs/ca-bundle.crt"
+            set --export NIX_SSL_CERT_FILE "$i/etc/ssl/certs/ca-bundle.crt"
+        end
     end
-  end
 end
 
 add_path "@localstatedir@/nix/profiles/default/bin"
-add_path "$HOME/.nix-profile/bin"
+add_path "$NIX_LINK/bin"
+
+# Cleanup
 
 functions -e add_path

scripts/nix-profile.fish.in

@@ -1,3 +1,13 @@
+# Only execute this file once per shell.
+if test -z "$HOME" || test -z "$USER" || \
+    test -n "$__ETC_PROFILE_NIX_SOURCED"
+    exit
+end
+
+set --global __ETC_PROFILE_NIX_SOURCED 1
+
+# Local helpers
+
 function add_path --argument-names new_path
     if type -q fish_add_path
         # fish 3.2.0 or newer
@@ -10,50 +20,50 @@ function add_path --argument-names new_path
     end
 end
 
-if test -n "$HOME" && test -n "$USER"
+# Main configuration
 
-    # Set up the per-user profile.
+# Set up the per-user profile.
 
-    set NIX_LINK $HOME/.nix-profile
+set --local NIX_LINK $HOME/.nix-profile
 
-    # Set up environment.
-    # This part should be kept in sync with nixpkgs:nixos/modules/programs/environment.nix
-    set --export NIX_PROFILES "@localstatedir@/nix/profiles/default $HOME/.nix-profile"
+# Set up environment.
+# This part should be kept in sync with nixpkgs:nixos/modules/programs/environment.nix
+set --export NIX_PROFILES "@localstatedir@/nix/profiles/default $HOME/.nix-profile"
 
-    # Populate bash completions, .desktop files, etc
-    if test -z "$XDG_DATA_DIRS"
-        # According to XDG spec the default is /usr/local/share:/usr/share, don't set something that prevents that default
-        set --export XDG_DATA_DIRS "/usr/local/share:/usr/share:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
-    else
-        set --export XDG_DATA_DIRS "$XDG_DATA_DIRS:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
-    end
-
-    # Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
-    if test -n "$NIX_SSH_CERT_FILE"
-        : # Allow users to override the NIX_SSL_CERT_FILE
-    else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch
-        set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
-    else if test -e /etc/ssl/ca-bundle.pem # openSUSE Tumbleweed
-        set --export NIX_SSL_CERT_FILE /etc/ssl/ca-bundle.pem
-    else if test -e /etc/ssl/certs/ca-bundle.crt # Old NixOS
-        set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-bundle.crt
-    else if test -e /etc/pki/tls/certs/ca-bundle.crt # Fedora, CentOS
-        set --export NIX_SSL_CERT_FILE /etc/pki/tls/certs/ca-bundle.crt
-    else if test -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" # fall back to cacert in Nix profile
-        set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
-    else if test -e "$NIX_LINK/etc/ca-bundle.crt" # old cacert in Nix profile
-        set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ca-bundle.crt"
-    end
-
-    # Only use MANPATH if it is already set. In general `man` will just simply
-    # pick up `.nix-profile/share/man` because is it close to `.nix-profile/bin`
-    # which is in the $PATH. For more info, run `manpath -d`.
-    if set --query MANPATH
-      set --export --prepend --path MANPATH "$NIX_LINK/share/man"
-    end
-
-    add_path "$NIX_LINK/bin"
-    set --erase NIX_LINK
+# Populate bash completions, .desktop files, etc
+if test -z "$XDG_DATA_DIRS"
+    # According to XDG spec the default is /usr/local/share:/usr/share, don't set something that prevents that default
+    set --export XDG_DATA_DIRS "/usr/local/share:/usr/share:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
+else
+    set --export XDG_DATA_DIRS "$XDG_DATA_DIRS:$NIX_LINK/share:/nix/var/nix/profiles/default/share"
 end
 
+# Set $NIX_SSL_CERT_FILE so that Nixpkgs applications like curl work.
+if test -n "$NIX_SSL_CERT_FILE"
+    : # Allow users to override the NIX_SSL_CERT_FILE
+else if test -e /etc/ssl/certs/ca-certificates.crt # NixOS, Ubuntu, Debian, Gentoo, Arch
+    set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
+else if test -e /etc/ssl/ca-bundle.pem # openSUSE Tumbleweed
+    set --export NIX_SSL_CERT_FILE /etc/ssl/ca-bundle.pem
+else if test -e /etc/ssl/certs/ca-bundle.crt # Old NixOS
+    set --export NIX_SSL_CERT_FILE /etc/ssl/certs/ca-bundle.crt
+else if test -e /etc/pki/tls/certs/ca-bundle.crt # Fedora, CentOS
+    set --export NIX_SSL_CERT_FILE /etc/pki/tls/certs/ca-bundle.crt
+else if test -e "$NIX_LINK/etc/ssl/certs/ca-bundle.crt" # fall back to cacert in Nix profile
+    set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ssl/certs/ca-bundle.crt"
+else if test -e "$NIX_LINK/etc/ca-bundle.crt" # old cacert in Nix profile
+    set --export NIX_SSL_CERT_FILE "$NIX_LINK/etc/ca-bundle.crt"
+end
+
+# Only use MANPATH if it is already set. In general `man` will just simply
+# pick up `.nix-profile/share/man` because is it close to `.nix-profile/bin`
+# which is in the $PATH. For more info, run `manpath -d`.
+if set --query MANPATH
+    set --export --prepend --path MANPATH "$NIX_LINK/share/man"
+end
+
+add_path "$NIX_LINK/bin"
+
+# Cleanup
+
 functions -e add_path

scripts/prepare-installer-for-github-actions

@@ -1,10 +1,11 @@
 #!/usr/bin/env bash
 
-set -e
+set -euo pipefail
 
-script=$(nix-build -A outputs.hydraJobs.installerScriptForGHA --no-out-link)
-installerHash=$(echo "$script" | cut -b12-43 -)
+nix build -L ".#installerScriptForGHA" ".#binaryTarball"
 
-installerURL=https://$CACHIX_NAME.cachix.org/serve/$installerHash/install
-
-echo "::set-output name=installerURL::$installerURL"
+mkdir -p out
+cp ./result/install "out/install"
+name="$(basename "$(realpath ./result-1)")"
+# everything before the first dash
+cp -r ./result-1 "out/${name%%-*}"

scripts/sequoia-nixbld-user-migration.sh

@@ -2,6 +2,9 @@
 
 set -eo pipefail
 
+# stock path to avoid unexpected command versions
+PATH="$(/usr/bin/getconf PATH)"
+
 ((NEW_NIX_FIRST_BUILD_UID=351))
 ((TEMP_NIX_FIRST_BUILD_UID=31000))
 

scripts/serve-installer-for-github-actions

@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+if [[ ! -d out ]]; then
+  echo "run prepare-installer-for-github-actions first"
+  exit 1
+fi
+cd out
+PORT=${PORT:-8126}
+nohup python -m http.server "$PORT" >/dev/null 2>&1 &
+pid=$!
+
+while ! curl -s "http://localhost:$PORT"; do
+  sleep 1
+  if ! kill -0 $pid; then
+    echo "Failed to start http server"
+    exit 1
+  fi
+done
+
+echo 'To install nix, run the following command:'
+echo "sh <(curl http://localhost:$PORT/install) --tarball-url-prefix http://localhost:$PORT"

src/build-remote/build-remote.cc

@@ -51,7 +51,7 @@ static bool allSupportedLocally(Store & store, const std::set<std::string>& requ
 static int main_build_remote(int argc, char * * argv)
 {
     {
-        logger = makeJSONLogger(*logger);
+        logger = makeJSONLogger(getStandardError());
 
         /* Ensure we don't get any SSH passphrase or host key popups. */
         unsetenv("DISPLAY");

src/external-api-docs/package.nix

@@ -1,11 +1,12 @@
-{ lib
-, mkMesonDerivation
+{
+  lib,
+  mkMesonDerivation,
 
-, doxygen
+  doxygen,
 
-# Configuration Options
+  # Configuration Options
 
-, version
+  version,
 }:
 
 let
@@ -39,11 +40,10 @@ mkMesonDerivation (finalAttrs: {
     doxygen
   ];
 
-  preConfigure =
-    ''
-      chmod u+w ./.version
-      echo ${finalAttrs.version} > ./.version
-    '';
+  preConfigure = ''
+    chmod u+w ./.version
+    echo ${finalAttrs.version} > ./.version
+  '';
 
   postInstall = ''
     mkdir -p ''${!outputDoc}/nix-support

src/internal-api-docs/package.nix

@@ -1,11 +1,12 @@
-{ lib
-, mkMesonDerivation
+{
+  lib,
+  mkMesonDerivation,
 
-, doxygen
+  doxygen,
 
-# Configuration Options
+  # Configuration Options
 
-, version
+  version,
 }:
 
 let
@@ -17,27 +18,28 @@ mkMesonDerivation (finalAttrs: {
   inherit version;
 
   workDir = ./.;
-  fileset = let
-    cpp = fileset.fileFilter (file: file.hasExt "cc" || file.hasExt "hh");
-  in fileset.unions [
-    ./.version
-    ../../.version
-    ./meson.build
-    ./doxygen.cfg.in
-    # Source is not compiled, but still must be available for Doxygen
-    # to gather comments.
-    (cpp ../.)
-  ];
+  fileset =
+    let
+      cpp = fileset.fileFilter (file: file.hasExt "cc" || file.hasExt "hh");
+    in
+    fileset.unions [
+      ./.version
+      ../../.version
+      ./meson.build
+      ./doxygen.cfg.in
+      # Source is not compiled, but still must be available for Doxygen
+      # to gather comments.
+      (cpp ../.)
+    ];
 
   nativeBuildInputs = [
     doxygen
   ];
 
-  preConfigure =
-    ''
-      chmod u+w ./.version
-      echo ${finalAttrs.version} > ./.version
-    '';
+  preConfigure = ''
+    chmod u+w ./.version
+    echo ${finalAttrs.version} > ./.version
+  '';
 
   postInstall = ''
     mkdir -p ''${!outputDoc}/nix-support

src/libcmd/command.cc

@@ -369,11 +369,7 @@ void MixEnvironment::setEnviron()
     return;
 }
 
-void createOutLinks(
-    const std::filesystem::path & outLink,
-    const BuiltPaths & buildables,
-    LocalFSStore & store,
-    PathSet & symlinks)
+void createOutLinks(const std::filesystem::path & outLink, const BuiltPaths & buildables, LocalFSStore & store)
 {
     for (const auto & [_i, buildable] : enumerate(buildables)) {
         auto i = _i;
@@ -384,7 +380,6 @@ void createOutLinks(
                     if (i)
                         symlink += fmt("-%d", i);
                     store.addPermRoot(bo.path, absPath(symlink.string()));
-                    symlinks.insert(symlink);
                 },
                 [&](const BuiltPath::Built & bfd) {
                     for (auto & output : bfd.outputs) {
@@ -394,7 +389,6 @@ void createOutLinks(
                         if (output.first != "out")
                             symlink += fmt("-%s", output.first);
                         store.addPermRoot(output.second, absPath(symlink.string()));
-                        symlinks.insert(symlink);
                     }
                 },
             },

src/libcmd/command.hh

@@ -347,7 +347,7 @@ struct MixEnvironment : virtual Args
     void setEnviron();
 };
 
-void completeFlakeInputPath(
+void completeFlakeInputAttrPath(
     AddCompletions & completions,
     ref<EvalState> evalState,
     const std::vector<FlakeRef> & flakeRefs,
@@ -372,10 +372,6 @@ void printClosureDiff(
  * Create symlinks prefixed by `outLink` to the store paths in
  * `buildables`.
  */
-void createOutLinks(
-    const std::filesystem::path & outLink,
-    const BuiltPaths & buildables,
-    LocalFSStore & store,
-    PathSet & symlinks);
+void createOutLinks(const std::filesystem::path & outLink, const BuiltPaths & buildables, LocalFSStore & store);
 
 }

src/libcmd/common-eval-args.cc

@@ -34,8 +34,10 @@ EvalSettings evalSettings {
                 // FIXME `parseFlakeRef` should take a `std::string_view`.
                 auto flakeRef = parseFlakeRef(fetchSettings, std::string { rest }, {}, true, false);
                 debug("fetching flake search path element '%s''", rest);
-                auto storePath = flakeRef.resolve(state.store).fetchTree(state.store).first;
-                return state.rootPath(state.store->toRealPath(storePath));
+                auto [accessor, lockedRef] = flakeRef.resolve(state.store).lazyFetch(state.store);
+                auto storePath = nix::fetchToStore(*state.store, SourcePath(accessor), FetchMode::Copy, lockedRef.input.getName());
+                state.allowPath(storePath);
+                return state.storePath(storePath);
             },
         },
     },
@@ -177,14 +179,16 @@ SourcePath lookupFileArg(EvalState & state, std::string_view s, const Path * bas
             state.fetchSettings,
             EvalSettings::resolvePseudoUrl(s));
         auto storePath = fetchToStore(*state.store, SourcePath(accessor), FetchMode::Copy);
-        return state.rootPath(CanonPath(state.store->toRealPath(storePath)));
+        return state.storePath(storePath);
     }
 
     else if (hasPrefix(s, "flake:")) {
         experimentalFeatureSettings.require(Xp::Flakes);
         auto flakeRef = parseFlakeRef(fetchSettings, std::string(s.substr(6)), {}, true, false);
-        auto storePath = flakeRef.resolve(state.store).fetchTree(state.store).first;
-        return state.rootPath(CanonPath(state.store->toRealPath(storePath)));
+        auto [accessor, lockedRef] = flakeRef.resolve(state.store).lazyFetch(state.store);
+        auto storePath = nix::fetchToStore(*state.store, SourcePath(accessor), FetchMode::Copy, lockedRef.input.getName());
+        state.allowPath(storePath);
+        return state.storePath(storePath);
     }
 
     else if (s.size() > 2 && s.at(0) == '<' && s.at(s.size() - 1) == '>') {

src/libcmd/installable-flake.cc

@@ -75,7 +75,7 @@ InstallableFlake::InstallableFlake(
 
 DerivedPathsWithInfo InstallableFlake::toDerivedPaths()
 {
-    Activity act(*logger, lvlTalkative, actEvaluate, fmt("evaluating derivation '%s'", what()));
+    Activity act(*logger, lvlTalkative, actUnknown, fmt("evaluating derivation '%s'", what()));
 
     auto attr = getCursor(*state);
 

src/libcmd/installables.cc

@@ -33,7 +33,7 @@ namespace nix {
 
 namespace fs { using namespace std::filesystem; }
 
-void completeFlakeInputPath(
+void completeFlakeInputAttrPath(
     AddCompletions & completions,
     ref<EvalState> evalState,
     const std::vector<FlakeRef> & flakeRefs,
@@ -117,10 +117,10 @@ MixFlakeOptions::MixFlakeOptions()
         .labels = {"input-path"},
         .handler = {[&](std::string s) {
             warn("'--update-input' is a deprecated alias for 'flake update' and will be removed in a future version.");
-            lockFlags.inputUpdates.insert(flake::parseInputPath(s));
+            lockFlags.inputUpdates.insert(flake::parseInputAttrPath(s));
         }},
         .completer = {[&](AddCompletions & completions, size_t, std::string_view prefix) {
-            completeFlakeInputPath(completions, getEvalState(), getFlakeRefsForCompletion(), prefix);
+            completeFlakeInputAttrPath(completions, getEvalState(), getFlakeRefsForCompletion(), prefix);
         }}
     });
 
@@ -129,15 +129,15 @@ MixFlakeOptions::MixFlakeOptions()
         .description = "Override a specific flake input (e.g. `dwarffs/nixpkgs`). This implies `--no-write-lock-file`.",
         .category = category,
         .labels = {"input-path", "flake-url"},
-        .handler = {[&](std::string inputPath, std::string flakeRef) {
+        .handler = {[&](std::string inputAttrPath, std::string flakeRef) {
             lockFlags.writeLockFile = false;
             lockFlags.inputOverrides.insert_or_assign(
-                flake::parseInputPath(inputPath),
+                flake::parseInputAttrPath(inputAttrPath),
                 parseFlakeRef(fetchSettings, flakeRef, absPath(getCommandBaseDir()), true));
         }},
         .completer = {[&](AddCompletions & completions, size_t n, std::string_view prefix) {
             if (n == 0) {
-                completeFlakeInputPath(completions, getEvalState(), getFlakeRefsForCompletion(), prefix);
+                completeFlakeInputAttrPath(completions, getEvalState(), getFlakeRefsForCompletion(), prefix);
             } else if (n == 1) {
                 completeFlakeRef(completions, getEvalState()->store, prefix);
             }
@@ -450,7 +450,7 @@ ref<eval_cache::EvalCache> openEvalCache(
     std::shared_ptr<flake::LockedFlake> lockedFlake)
 {
     auto fingerprint = evalSettings.useEvalCache && evalSettings.pureEval
-        ? lockedFlake->getFingerprint(state.store)
+        ? lockedFlake->getFingerprint(state.store, state.fetchSettings)
         : std::nullopt;
     auto rootLoader = [&state, lockedFlake]()
         {

src/libcmd/markdown.cc

@@ -16,13 +16,25 @@ static std::string doRenderMarkdownToTerminal(std::string_view markdown)
 {
     int windowWidth = getWindowSize().second;
 
-    struct lowdown_opts opts
-    {
-        .type = LOWDOWN_TERM,
-        .maxdepth = 20,
+#if HAVE_LOWDOWN_1_4
+    struct lowdown_opts_term opts_term {
         .cols = (size_t) std::max(windowWidth - 5, 60),
         .hmargin = 0,
         .vmargin = 0,
+    };
+#endif
+    struct lowdown_opts opts
+    {
+        .type = LOWDOWN_TERM,
+#if HAVE_LOWDOWN_1_4
+        .term = opts_term,
+#endif
+        .maxdepth = 20,
+#if !HAVE_LOWDOWN_1_4
+        .cols = (size_t) std::max(windowWidth - 5, 60),
+        .hmargin = 0,
+        .vmargin = 0,
+#endif
         .feat = LOWDOWN_COMMONMARK | LOWDOWN_FENCED | LOWDOWN_DEFLIST | LOWDOWN_TABLES,
         .oflags = LOWDOWN_TERM_NOLINK,
     };

src/libcmd/meson.build

@@ -4,8 +4,6 @@ project('nix-cmd', 'cpp',
     'cpp_std=c++2a',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
-    'debug=true',
-    'optimization=2',
     'errorlogs=true', # Please print logs for tests that fail
   ],
   meson_version : '>= 1.1',
@@ -36,6 +34,8 @@ deps_public += nlohmann_json
 lowdown = dependency('lowdown', version : '>= 0.9.0', required : get_option('markdown'))
 deps_private += lowdown
 configdata.set('HAVE_LOWDOWN', lowdown.found().to_int())
+# The API changed slightly around terminal initialization.
+configdata.set('HAVE_LOWDOWN_1_4', lowdown.version().version_compare('>= 1.4.0').to_int())
 
 readline_flavor = get_option('readline-flavor')
 if readline_flavor == 'editline'

src/libcmd/misc-store-flags.cc

@@ -50,7 +50,7 @@ Args::Flag hashAlgo(std::string && longName, HashAlgorithm * ha)
 {
     return Args::Flag {
             .longName = std::move(longName),
-            .description = "Hash algorithm (`md5`, `sha1`, `sha256`, or `sha512`).",
+            .description = "Hash algorithm (`blake3`, `md5`, `sha1`, `sha256`, or `sha512`).",
             .labels = {"hash-algo"},
             .handler = {[ha](std::string s) {
                 *ha = parseHashAlgo(s);
@@ -63,7 +63,7 @@ Args::Flag hashAlgoOpt(std::string && longName, std::optional<HashAlgorithm> * o
 {
     return Args::Flag {
             .longName = std::move(longName),
-            .description = "Hash algorithm (`md5`, `sha1`, `sha256`, or `sha512`). Can be omitted for SRI hashes.",
+            .description = "Hash algorithm (`blake3`, `md5`, `sha1`, `sha256`, or `sha512`). Can be omitted for SRI hashes.",
             .labels = {"hash-algo"},
             .handler = {[oha](std::string s) {
                 *oha = std::optional<HashAlgorithm>{parseHashAlgo(s)};
@@ -120,7 +120,7 @@ Args::Flag contentAddressMethod(ContentAddressMethod * method)
 
     - [`text`](@docroot@/store/store-object/content-address.md#method-text):
       Like `flat`, but used for
-      [derivations](@docroot@/glossary.md#store-derivation) serialized in store object and
+      [derivations](@docroot@/glossary.md#gloss-store-derivation) serialized in store object and
       [`builtins.toFile`](@docroot@/language/builtins.html#builtins-toFile).
       For advanced use-cases only;
       for regular usage prefer `nar` and `flat`.

src/libcmd/package.nix

@@ -1,32 +1,33 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  stdenv,
+  mkMesonLibrary,
 
-, nix-util
-, nix-store
-, nix-fetchers
-, nix-expr
-, nix-flake
-, nix-main
-, editline
-, readline
-, lowdown
-, nlohmann_json
+  nix-util,
+  nix-store,
+  nix-fetchers,
+  nix-expr,
+  nix-flake,
+  nix-main,
+  editline,
+  readline,
+  lowdown,
+  nlohmann_json,
 
-# Configuration Options
+  # Configuration Options
 
-, version
+  version,
 
-# Whether to enable Markdown rendering in the Nix binary.
-, enableMarkdown ? !stdenv.hostPlatform.isWindows
+  # Whether to enable Markdown rendering in the Nix binary.
+  enableMarkdown ? !stdenv.hostPlatform.isWindows,
 
-# Which interactive line editor library to use for Nix's repl.
-#
-# Currently supported choices are:
-#
-# - editline (default)
-# - readline
-, readlineFlavor ? if stdenv.hostPlatform.isWindows then "readline" else "editline"
+  # Which interactive line editor library to use for Nix's repl.
+  #
+  # Currently supported choices are:
+  #
+  # - editline (default)
+  # - readline
+  readlineFlavor ? if stdenv.hostPlatform.isWindows then "readline" else "editline",
 }:
 
 let
@@ -63,23 +64,11 @@ mkMesonLibrary (finalAttrs: {
     nlohmann_json
   ];
 
-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
   mesonFlags = [
     (lib.mesonEnable "markdown" enableMarkdown)
     (lib.mesonOption "readline-flavor" readlineFlavor)
   ];
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
   meta = {
     platforms = lib.platforms.unix ++ lib.platforms.windows;
   };

src/libcmd/repl.cc

@@ -101,6 +101,9 @@ struct NixRepl
                               Value & v,
                               unsigned int maxDepth = std::numeric_limits<unsigned int>::max())
     {
+        // Hide the progress bar during printing because it might interfere
+        logger->pause();
+        Finally resumeLoggerDefer([]() { logger->resume(); });
         ::nix::printValue(*state, str, v, PrintOptions {
             .ansiColors = true,
             .force = true,

src/libexpr-c/meson.build

@@ -4,8 +4,6 @@ project('nix-expr-c', 'cpp',
     'cpp_std=c++2a',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
-    'debug=true',
-    'optimization=2',
     'errorlogs=true', # Please print logs for tests that fail
   ],
   meson_version : '>= 1.1',

src/libexpr-c/nix_api_value.cc

@@ -613,12 +613,8 @@ nix_realised_string * nix_string_realise(nix_c_context * context, EvalState * st
         context->last_err_code = NIX_OK;
     try {
         auto & v = check_value_in(value);
-        nix::NixStringContext stringContext;
-        auto rawStr = state->state.coerceToString(nix::noPos, v, stringContext, "while realising a string").toOwned();
         nix::StorePathSet storePaths;
-        auto rewrites = state->state.realiseContext(stringContext, &storePaths);
-
-        auto s = nix::rewriteStrings(rawStr, rewrites);
+        auto s = state->state.realiseString(v, &storePaths, isIFD);
 
         // Convert to the C API StorePath type and convert to vector for index-based access
         std::vector<StorePath> vec;

src/libexpr-c/package.nix

@@ -1,13 +1,13 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  mkMesonLibrary,
 
-, nix-store-c
-, nix-expr
+  nix-store-c,
+  nix-expr,
 
-# Configuration Options
+  # Configuration Options
 
-, version
+  version,
 }:
 
 let
@@ -36,21 +36,9 @@ mkMesonLibrary (finalAttrs: {
     nix-expr
   ];
 
-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
   mesonFlags = [
   ];
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
   meta = {
     platforms = lib.platforms.unix ++ lib.platforms.windows;
   };

src/libexpr-test-support/meson.build

@@ -4,8 +4,6 @@ project('nix-expr-test-support', 'cpp',
     'cpp_std=c++2a',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
-    'debug=true',
-    'optimization=2',
     'errorlogs=true', # Please print logs for tests that fail
   ],
   meson_version : '>= 1.1',

src/libexpr-test-support/package.nix

@@ -1,16 +1,16 @@
-{ lib
-, stdenv
-, mkMesonLibrary
+{
+  lib,
+  mkMesonLibrary,
 
-, nix-store-test-support
-, nix-expr
-, nix-expr-c
+  nix-store-test-support,
+  nix-expr,
+  nix-expr-c,
 
-, rapidcheck
+  rapidcheck,
 
-# Configuration Options
+  # Configuration Options
 
-, version
+  version,
 }:
 
 let
@@ -40,21 +40,9 @@ mkMesonLibrary (finalAttrs: {
     rapidcheck
   ];
 
-  preConfigure =
-    # "Inline" .version so it's not a symlink, and includes the suffix.
-    # Do the meson utils, without modification.
-    ''
-      chmod u+w ./.version
-      echo ${version} > ../../.version
-    '';
-
   mesonFlags = [
   ];
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
-    LDFLAGS = "-fuse-ld=gold";
-  };
-
   meta = {
     platforms = lib.platforms.unix ++ lib.platforms.windows;
   };

src/libexpr-tests/error_traces.cc

@@ -691,15 +691,15 @@ namespace nix {
         ASSERT_TRACE2("elemAt \"foo\" (-1)",
                       TypeError,
                       HintFmt("expected a list but found %s: %s", "a string", Uncolored(ANSI_MAGENTA "\"foo\"" ANSI_NORMAL)),
-                      HintFmt("while evaluating the first argument passed to builtins.elemAt"));
+                      HintFmt("while evaluating the first argument passed to 'builtins.elemAt'"));
 
         ASSERT_TRACE1("elemAt [] (-1)",
                       Error,
-                      HintFmt("list index %d is out of bounds", -1));
+                      HintFmt("'builtins.elemAt' called with index %d on a list of size %d", -1, 0));
 
         ASSERT_TRACE1("elemAt [\"foo\"] 3",
                       Error,
-                      HintFmt("list index %d is out of bounds", 3));
+                      HintFmt("'builtins.elemAt' called with index %d on a list of size %d", 3, 1));
 
     }
 
@@ -708,11 +708,11 @@ namespace nix {
         ASSERT_TRACE2("head 1",
                       TypeError,
                       HintFmt("expected a list but found %s: %s", "an integer", Uncolored(ANSI_CYAN "1" ANSI_NORMAL)),
-                      HintFmt("while evaluating the first argument passed to builtins.elemAt"));
+                      HintFmt("while evaluating the first argument passed to 'builtins.head'"));
 
         ASSERT_TRACE1("head []",
                       Error,
-                      HintFmt("list index %d is out of bounds", 0));
+                      HintFmt("'builtins.head' called on an empty list"));
 
     }
 
@@ -721,11 +721,11 @@ namespace nix {
         ASSERT_TRACE2("tail 1",
                       TypeError,
                       HintFmt("expected a list but found %s: %s", "an integer", Uncolored(ANSI_CYAN "1" ANSI_NORMAL)),
-                      HintFmt("while evaluating the first argument passed to builtins.tail"));
+                      HintFmt("while evaluating the first argument passed to 'builtins.tail'"));
 
         ASSERT_TRACE1("tail []",
                       Error,
-                      HintFmt("'tail' called on an empty list"));
+                      HintFmt("'builtins.tail' called on an empty list"));
 
     }
 
@@ -1152,7 +1152,7 @@ namespace nix {
 
         ASSERT_TRACE1("hashString \"foo\" \"content\"",
                       UsageError,
-                      HintFmt("unknown hash algorithm '%s', expect 'md5', 'sha1', 'sha256', or 'sha512'", "foo"));
+                      HintFmt("unknown hash algorithm '%s', expect 'blake3', 'md5', 'sha1', 'sha256', or 'sha512'", "foo"));
 
         ASSERT_TRACE2("hashString \"sha256\" {}",
                       TypeError,