Merge pull request #11592 from NixOS/mergify/bp/2.24-maintenance/pr-11585

builtin:fetchurl: Enable TLS verification (backport #11585)

.clang-format

@@ -15,7 +15,7 @@ SpaceAfterCStyleCast: true
 SpaceAfterTemplateKeyword: false
 AccessModifierOffset: -4
 AlignAfterOpenBracket: AlwaysBreak
-AlignEscapedNewlines: DontAlign
+AlignEscapedNewlines: Left
 ColumnLimit: 120
 BreakStringLiterals: false
 BitFieldColonSpacing: None
@@ -28,3 +28,6 @@ EmptyLineBeforeAccessModifier: Leave
 #PackConstructorInitializers: BinPack
 BreakBeforeBinaryOperators: NonAssignment
 AlwaysBreakBeforeMultilineStrings: true
+IndentPPDirectives: AfterHash
+PPIndentWidth: 2
+BinPackArguments: false

.editorconfig

@@ -4,20 +4,20 @@
 # Top-most EditorConfig file
 root = true
 
-# Unix-style newlines with a newline ending every file, utf-8 charset
+# Unix-style newlines with a newline ending every file, UTF-8 charset
 [*]
 end_of_line = lf
 insert_final_newline = true
 trim_trailing_whitespace = true
 charset = utf-8
 
-# Match nix files, set indent to spaces with width of two
+# Match Nix files, set indent to spaces with width of two
 [*.nix]
 indent_style = space
 indent_size = 2
 
-# Match c++/shell/perl, set indent to spaces with width of four
-[*.{hpp,cc,hh,sh,pl,xs}]
+# Match C++/C/shell/Perl, set indent to spaces with width of four
+[*.{hpp,cc,hh,c,h,sh,pl,xs}]
 indent_style = space
 indent_size = 4
 

.github/CODEOWNERS

@@ -11,7 +11,16 @@
 .github/CODEOWNERS @edolstra
 
 # Documentation of built-in functions
-src/libexpr/primops.cc @roberth
+src/libexpr/primops.cc @roberth @fricklerhandwerk
+
+# Documentation of settings
+src/libexpr/eval-settings.hh @fricklerhandwerk
+src/libstore/globals.hh @fricklerhandwerk
+
+# Documentation
+doc/manual @fricklerhandwerk
+maintainers/*.md @fricklerhandwerk
+src/**/*.md @fricklerhandwerk
 
 # Libstore layer
-/src/libstore @thufschmitt
+/src/libstore @ericson2314

.github/labeler.yml

@@ -1,6 +1,19 @@
+"c api":
+  - changed-files:
+    - any-glob-to-any-file: "src/lib*-c/**/*"
+    - any-glob-to-any-file: "test/unit/**/nix_api_*"
+    - any-glob-to-any-file: "doc/external-api/**/*"
+
+"contributor-experience":
+  - changed-files:
+    - any-glob-to-any-file: "CONTRIBUTING.md"
+    - any-glob-to-any-file: ".github/ISSUE_TEMPLATE/*"
+    - any-glob-to-any-file: ".github/PULL_REQUEST_TEMPLATE.md"
+    - any-glob-to-any-file: "doc/manual/src/contributing/**"
+
 "documentation":
   - changed-files:
-    - any-glob-to-any-file: "doc/manual/*"
+    - any-glob-to-any-file: "doc/manual/**/*"
     - any-glob-to-any-file: "src/nix/**/*.md"
 
 "store":
@@ -27,4 +40,4 @@
     - any-glob-to-any-file: "src/*/tests/**/*"
     # Functional and integration tests
     - any-glob-to-any-file: "tests/functional/**/*"
-    
+

.github/workflows/backport.yml

@@ -1,32 +0,0 @@
-name: Backport
-on:
-  pull_request_target:
-    types: [closed, labeled]
-permissions:
-  contents: read
-jobs:
-  backport:
-    name: Backport Pull Request
-    permissions:
-      # for zeebe-io/backport-action
-      contents: write
-      pull-requests: write
-    if: github.repository_owner == 'NixOS' && github.event.pull_request.merged == true && (github.event_name != 'labeled' || startsWith('backport', github.event.label.name))
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.sha }}
-          # required to find all branches
-          fetch-depth: 0
-      - name: Create backport PRs
-        # should be kept in sync with `version`
-        uses: zeebe-io/backport-action@v2.4.1
-        with:
-          # Config README: https://github.com/zeebe-io/backport-action#backport-action
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          github_workspace: ${{ github.workspace }}
-          pull_description: |-
-            Automatic backport to `${target_branch}`, triggered by a label in #${pull_number}.
-          # should be kept in sync with `uses`
-          version: v0.0.5

.github/workflows/ci.yml

@@ -20,19 +20,46 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v25
+    - uses: cachix/install-nix-action@V27
       with:
         # The sandbox would otherwise be disabled by default on Darwin
         extra_nix_config: "sandbox = true"
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v14
+    - uses: cachix/cachix-action@v15
       if: needs.check_secrets.outputs.cachix == 'true'
       with:
         name: '${{ env.CACHIX_NAME }}'
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+    - if: matrix.os == 'ubuntu-latest'
+      run: |
+        free -h
+        swapon --show
+        swap=$(swapon --show --noheadings | head -n 1 | awk '{print $1}')
+        echo "Found swap: $swap"
+        sudo swapoff $swap
+        # resize it (fallocate)
+        sudo fallocate -l 10G $swap
+        sudo mkswap $swap
+        sudo swapon $swap
+        free -h
+        (
+          while sleep 60; do
+            free -h
+          done
+        ) &
     - run: nix --experimental-features 'nix-command flakes' flake check -L
+    - run: nix --experimental-features 'nix-command flakes' flake show --all-systems --json
 
+  # Steps to test CI automation in your own fork.
+  # Cachix:
+  # 1. Sign-up for https://www.cachix.org/
+  # 2. Create a cache for $githubuser-nix-install-tests
+  # 3. Create a cachix auth token and save it in https://github.com/$githubuser/nix/settings/secrets/actions in "Repository secrets" as CACHIX_AUTH_TOKEN
+  # Dockerhub:
+  # 1. Sign-up for https://hub.docker.com/
+  # 2. Store your dockerhub username as DOCKERHUB_USERNAME in "Repository secrets" of your fork repository settings (https://github.com/$githubuser/nix/settings/secrets/actions)
+  # 3. Create an access token in https://hub.docker.com/settings/security and store it as DOCKERHUB_TOKEN in "Repository secrets" of your fork
   check_secrets:
     permissions:
       contents: none
@@ -62,14 +89,15 @@ jobs:
       with:
         fetch-depth: 0
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v25
+    - uses: cachix/install-nix-action@V27
       with:
-        install_url: https://releases.nixos.org/nix/nix-2.13.3/install
-    - uses: cachix/cachix-action@v14
+        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
+    - uses: cachix/cachix-action@v15
       with:
         name: '${{ env.CACHIX_NAME }}'
         signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+        cachixArgs: '-v'
     - id: prepare-installer
       run: scripts/prepare-installer-for-github-actions
 
@@ -84,7 +112,7 @@ jobs:
     steps:
     - uses: actions/checkout@v4
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
-    - uses: cachix/install-nix-action@v25
+    - uses: cachix/install-nix-action@V27
       with:
         install_url: '${{needs.installer.outputs.installerURL}}'
         install_options: "--tarball-url-prefix https://${{ env.CACHIX_NAME }}.cachix.org/serve"
@@ -114,12 +142,12 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
-    - uses: cachix/install-nix-action@v25
+    - uses: cachix/install-nix-action@V27
       with:
-        install_url: https://releases.nixos.org/nix/nix-2.13.3/install
+        install_url: https://releases.nixos.org/nix/nix-2.20.3/install
     - run: echo CACHIX_NAME="$(echo $GITHUB_REPOSITORY-install-tests | tr "[A-Z]/" "[a-z]-")" >> $GITHUB_ENV
     - run: echo NIX_VERSION="$(nix --experimental-features 'nix-command flakes' eval .\#default.version | tr -d \")" >> $GITHUB_ENV
-    - uses: cachix/cachix-action@v14
+    - uses: cachix/cachix-action@v15
       if: needs.check_secrets.outputs.cachix == 'true'
       with:
         name: '${{ env.CACHIX_NAME }}'
@@ -127,8 +155,8 @@ jobs:
         authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
     - run: nix --experimental-features 'nix-command flakes' build .#dockerImage -L
     - run: docker load -i ./result/image.tar.gz
-    - run: docker tag nix:$NIX_VERSION nixos/nix:$NIX_VERSION
-    - run: docker tag nix:$NIX_VERSION nixos/nix:master
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker tag nix:$NIX_VERSION ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
     # We'll deploy the newly built image to both Docker Hub and Github Container Registry.
     #
     # Push to Docker Hub first
@@ -137,8 +165,8 @@ jobs:
       with:
         username: ${{ secrets.DOCKERHUB_USERNAME }}
         password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - run: docker push nixos/nix:$NIX_VERSION
-    - run: docker push nixos/nix:master
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:$NIX_VERSION
+    - run: docker push ${{ secrets.DOCKERHUB_USERNAME }}/nix:master
     # Push to GitHub Container Registry as well
     - name: Login to GitHub Container Registry
       uses: docker/login-action@v3
@@ -153,6 +181,51 @@ jobs:
         IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
 
         docker tag nix:$NIX_VERSION $IMAGE_ID:$NIX_VERSION
-        docker tag nix:$NIX_VERSION $IMAGE_ID:master
+        docker tag nix:$NIX_VERSION $IMAGE_ID:latest
         docker push $IMAGE_ID:$NIX_VERSION
+        docker push $IMAGE_ID:latest
+        # deprecated 2024-02-24
+        docker tag nix:$NIX_VERSION $IMAGE_ID:master
         docker push $IMAGE_ID:master
+
+  vm_tests:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: nix build -L .#hydraJobs.tests.githubFlakes .#hydraJobs.tests.tarballFlakes .#hydraJobs.tests.functional_user
+
+  meson_build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      # Only meson packages that don't have a tests.run derivation.
+      # Those that have it are already built and tested as part of nix flake check.
+      - run: nix build -L .#hydraJobs.build.{nix-cmd,nix-main}.$(nix-instantiate --eval --expr builtins.currentSystem | sed -e 's/"//g')
+
+  flake_regressions:
+    needs: vm_tests
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout nix
+        uses: actions/checkout@v4
+      - name: Checkout flake-regressions
+        uses: actions/checkout@v4
+        with:
+          repository: NixOS/flake-regressions
+          path: flake-regressions
+      - name: Checkout flake-regressions-data
+        uses: actions/checkout@v4
+        with:
+          repository: NixOS/flake-regressions-data
+          path: flake-regressions/tests
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: nix build --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH scripts/flake-regressions.sh

.github/workflows/hydra_status.yml

@@ -1,20 +0,0 @@
-name: Hydra status
-
-permissions: read-all
-
-on:
-  schedule:
-    - cron: "12,42 * * * *"
-  workflow_dispatch:
-
-jobs:
-  check_hydra_status:
-    name: Check Hydra status
-    if: github.repository_owner == 'NixOS'
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - run: bash scripts/check-hydra-status.sh
-

.gitignore

@@ -10,6 +10,9 @@ perl/Makefile.config
 /stamp-h1
 /svn-revision
 /libtool
+/config/config.*
+# Default meson build dir
+/build
 
 # /doc/manual/
 /doc/manual/*.1
@@ -45,13 +48,22 @@ perl/Makefile.config
 /src/libexpr/parser-tab.hh
 /src/libexpr/parser-tab.output
 /src/libexpr/nix.tbl
+/src/libexpr/tests
 /tests/unit/libexpr/libnixexpr-tests
 
+# /src/libfetchers
+/tests/unit/libfetchers/libnixfetchers-tests
+
+# /src/libflake
+/tests/unit/libflake/libnixflake-tests
+
 # /src/libstore/
 *.gen.*
+/src/libstore/tests
 /tests/unit/libstore/libnixstore-tests
 
 # /src/libutil/
+/src/libutil/tests
 /tests/unit/libutil/libnixutil-tests
 
 /src/nix/nix
@@ -85,7 +97,7 @@ perl/Makefile.config
 
 # /tests/functional/
 /tests/functional/test-tmp
-/tests/functional/common/vars-and-functions.sh
+/tests/functional/common/subst-vars.sh
 /tests/functional/result*
 /tests/functional/restricted-innocent
 /tests/functional/shell
@@ -111,8 +123,6 @@ perl/Makefile.config
 /misc/systemd/nix-daemon.conf
 /misc/upstart/nix-daemon.conf
 
-/src/resolve-system-dependencies/resolve-system-dependencies
-
 outputs/
 
 *.a
@@ -138,6 +148,7 @@ GTAGS
 
 # auto-generated compilation database
 compile_commands.json
+*.compile_commands.json
 
 nix-rust/target
 
@@ -148,6 +159,8 @@ result-*
 .vscode/
 .idea/
 
+.pre-commit-config.yaml
+
 # clangd and possibly more
 .cache/
 

.mergify.yml

@@ -0,0 +1,92 @@
+queue_rules:
+  - name: default
+    # all required tests need to go here
+    merge_conditions:
+      - check-success=installer
+      - check-success=installer_test (macos-latest)
+      - check-success=installer_test (ubuntu-latest)
+      - check-success=tests (macos-latest)
+      - check-success=tests (ubuntu-latest)
+      - check-success=vm_tests
+    merge_method: rebase
+    batch_size: 5
+
+pull_request_rules:
+  - name: merge using the merge queue
+    conditions:
+      - base=master
+      - label~=merge-queue|dependencies
+    actions:
+      queue: {}
+
+# The rules below will first create backport pull requests and put those in a merge queue.
+
+  - name: backport patches to 2.18
+    conditions:
+      - label=backport 2.18-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.18-maintenance
+        labels:
+          - merge-queue
+
+  - name: backport patches to 2.19
+    conditions:
+      - label=backport 2.19-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.19-maintenance
+        labels:
+          - merge-queue
+
+  - name: backport patches to 2.20
+    conditions:
+      - label=backport 2.20-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.20-maintenance
+        labels:
+          - merge-queue
+
+  - name: backport patches to 2.21
+    conditions:
+      - label=backport 2.21-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.21-maintenance
+        labels:
+          - merge-queue
+
+  - name: backport patches to 2.22
+    conditions:
+      - label=backport 2.22-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.22-maintenance
+        labels:
+          - merge-queue
+
+  - name: backport patches to 2.23
+    conditions:
+      - label=backport 2.23-maintenance
+    actions:
+      backport:
+        branches:
+          - 2.23-maintenance
+        labels:
+          - merge-queue
+
+  - name: backport patches to 2.24
+    conditions:
+      - label=backport 2.24-maintenance
+    actions:
+      backport:
+        branches:
+          - "2.24-maintenance"
+        labels:
+          - merge-queue

.shellcheckrc

@@ -0,0 +1,4 @@
+external-sources=true
+source-path=SCRIPTDIR
+# Hack for scripts in e.g. tests/functional/ca
+source-path=SCRIPTDIR/..

.version

@@ -1 +1 @@
-2.21.0
+2.24.8

CITATION.cff

@@ -0,0 +1,42 @@
+cff-version: 1.2.0
+title: Nix
+message: >-
+  If you use this software, please cite it using the
+  metadata from this file.
+type: software
+authors:
+  - given-names: Eelco
+    family-names: Dolstra
+    email: edolstra@gmail.com
+  - name: The Nix contributors
+    website: 'https://github.com/NixOS/nix'
+references:
+  - title: The Purely Functional Software Deployment Model
+    authors:
+    - family-names: Dolstra
+      given-names: Eelco
+    year: 2006
+    type: thesis
+    thesis-type: PhD thesis
+    isbn: 90-393-4130-3
+    url: https://dspace.library.uu.nl/handle/1874/7540
+    database-provider: Utrecht University Repository
+    institution:
+      name: Utrecht University
+    keywords:
+    - configuration management
+    - software deployment
+    - purely functional
+    - component-based software engineering
+repository-code: 'https://github.com/NixOS/nix'
+url: 'https://nixos.org/'
+abstract: >-
+  Nix, a purely functional package manager, is a powerful
+  package manager for Linux and other Unix systems that
+  makes package management reliable and reproducible.
+keywords:
+  - reproducibility
+  - open-source
+  - c++
+  - functional
+license: LGPL-2.1

CONTRIBUTING.md

@@ -27,6 +27,8 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 1. Search for related issues that cover what you're going to work on.
    It could help to mention there that you will work on the issue.
 
+   We strongly recommend first-time contributors not to propose new features but rather fix tightly-scoped problems in order to build trust and a working relationship with maintainers.
+
    Issues labeled [good first issue](https://github.com/NixOS/nix/labels/good%20first%20issue) should be relatively easy to fix and are likely to get merged quickly.
    Pull requests addressing issues labeled [idea approved](https://github.com/NixOS/nix/labels/idea%20approved) or [RFC](https://github.com/NixOS/nix/labels/RFC) are especially welcomed by maintainers and will receive prioritised review.
 
@@ -39,9 +41,9 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
    There are many open pull requests that might already do what you intend to work on.
    You can use [labels](https://github.com/NixOS/nix/labels) to filter for relevant topics.
 
-3. Check the [Nix reference manual](https://nixos.org/manual/nix/unstable/contributing/hacking.html) for information on building Nix and running its tests.
+3. Check the [Nix reference manual](https://nix.dev/manual/nix/development/development/building.html) for information on building Nix and running its tests.
 
-   For contributions to the command line interface, please check the [CLI guidelines](https://nixos.org/manual/nix/unstable/contributing/cli-guideline.html).
+   For contributions to the command line interface, please check the [CLI guidelines](https://nix.dev/manual/nix/development/development/cli-guideline.html).
 
 4. Make your change!
 
@@ -67,7 +69,7 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
    - [ ] API documentation in header files
    - [ ] Code and comments are self-explanatory
    - [ ] Commit message explains **why** the change was made
-   - [ ] New feature or incompatible change: updated [release notes](./doc/manual/src/release-notes/rl-next.md)
+   - [ ] New feature or incompatible change: [add a release note](https://nix.dev/manual/nix/development/development/contributing.html#add-a-release-note)
 
 7. If you need additional feedback or help to getting pull request into shape, ask other contributors using [@mentions](https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#mentioning-people-and-teams).
 
@@ -76,7 +78,7 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 The Nix reference manual is hosted on https://nixos.org/manual/nix.
 The underlying source files are located in [`doc/manual/src`](./doc/manual/src).
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
-For larger changes see the [Nix reference manual](https://nixos.org/manual/nix/unstable/contributing/hacking.html).
+For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).
 
 ## Getting help
 

Makefile

@@ -7,6 +7,8 @@ clean-files += $(buildprefix)Makefile.config
 
 # List makefiles
 
+include mk/platform.mk
+
 ifeq ($(ENABLE_BUILD), yes)
 makefiles = \
   mk/precompiled-headers.mk \
@@ -16,10 +18,17 @@ makefiles = \
   src/libfetchers/local.mk \
   src/libmain/local.mk \
   src/libexpr/local.mk \
+  src/libflake/local.mk \
   src/libcmd/local.mk \
   src/nix/local.mk \
-  src/resolve-system-dependencies/local.mk \
+  src/libutil-c/local.mk \
+  src/libstore-c/local.mk \
+  src/libexpr-c/local.mk
+
+ifdef HOST_UNIX
+makefiles += \
   scripts/local.mk \
+  maintainers/local.mk \
   misc/bash/local.mk \
   misc/fish/local.mk \
   misc/zsh/local.mk \
@@ -27,6 +36,7 @@ makefiles = \
   misc/launchd/local.mk \
   misc/upstart/local.mk
 endif
+endif
 
 ifeq ($(ENABLE_UNIT_TESTS), yes)
 makefiles += \
@@ -34,18 +44,25 @@ makefiles += \
   tests/unit/libutil-support/local.mk \
   tests/unit/libstore/local.mk \
   tests/unit/libstore-support/local.mk \
+  tests/unit/libfetchers/local.mk \
   tests/unit/libexpr/local.mk \
-  tests/unit/libexpr-support/local.mk
+  tests/unit/libexpr-support/local.mk \
+  tests/unit/libflake/local.mk
 endif
 
 ifeq ($(ENABLE_FUNCTIONAL_TESTS), yes)
+ifdef HOST_UNIX
 makefiles += \
   tests/functional/local.mk \
+  tests/functional/flakes/local.mk \
   tests/functional/ca/local.mk \
+  tests/functional/git-hashing/local.mk \
   tests/functional/dyn-drv/local.mk \
+  tests/functional/local-overlay-store/local.mk \
   tests/functional/test-libstoreconsumer/local.mk \
   tests/functional/plugins/local.mk
 endif
+endif
 
 # Some makefiles require access to built programs and must be included late.
 makefiles-late =
@@ -54,10 +71,6 @@ ifeq ($(ENABLE_DOC_GEN), yes)
 makefiles-late += doc/manual/local.mk
 endif
 
-ifeq ($(ENABLE_INTERNAL_API_DOCS), yes)
-makefiles-late += doc/internal-api/local.mk
-endif
-
 # Miscellaneous global Flags
 
 OPTIMIZE = 1
@@ -67,10 +80,9 @@ ifeq ($(OPTIMIZE), 1)
   GLOBAL_LDFLAGS += $(CXXLTO)
 else
   GLOBAL_CXXFLAGS += -O0 -U_FORTIFY_SOURCE
+  unexport NIX_HARDENING_ENABLE
 endif
 
-include mk/platform.mk
-
 ifdef HOST_WINDOWS
   # Windows DLLs are stricter about symbol visibility than Unix shared
   # objects --- see https://gcc.gnu.org/wiki/Visibility for details.
@@ -81,7 +93,7 @@ ifdef HOST_WINDOWS
   GLOBAL_LDFLAGS += -Wl,--export-all-symbols
 endif
 
-GLOBAL_CXXFLAGS += -g -Wall -include $(buildprefix)config.h -std=c++2a -I src
+GLOBAL_CXXFLAGS += -g -Wall -Wdeprecated-copy -Wignored-qualifiers -Wimplicit-fallthrough -Werror=unused-result -Werror=suggest-override -include $(buildprefix)config.h -std=c++2a -I src
 
 # Include the main lib, causing rules to be defined
 
@@ -114,10 +126,3 @@ manual-html manpages:
 	@echo "Generated docs are disabled. Configure without '--disable-doc-gen', or avoid calling 'make manpages' and 'make manual-html'."
 	@exit 1
 endif
-
-ifneq ($(ENABLE_INTERNAL_API_DOCS), yes)
-.PHONY: internal-api-html
-internal-api-html:
-	@echo "Internal API docs are disabled. Configure with '--enable-internal-api-docs', or avoid calling 'make internal-api-html'."
-	@exit 1
-endif

Makefile.config.in

@@ -11,7 +11,6 @@ EDITLINE_LIBS = @EDITLINE_LIBS@
 ENABLE_BUILD = @ENABLE_BUILD@
 ENABLE_DOC_GEN = @ENABLE_DOC_GEN@
 ENABLE_FUNCTIONAL_TESTS = @ENABLE_FUNCTIONAL_TESTS@
-ENABLE_INTERNAL_API_DOCS = @ENABLE_INTERNAL_API_DOCS@
 ENABLE_S3 = @ENABLE_S3@
 ENABLE_UNIT_TESTS = @ENABLE_UNIT_TESTS@
 GTEST_LIBS = @GTEST_LIBS@

README.md

@@ -4,30 +4,34 @@
 [![Test](https://github.com/NixOS/nix/workflows/Test/badge.svg)](https://github.com/NixOS/nix/actions)
 
 Nix is a powerful package manager for Linux and other Unix systems that makes package
-management reliable and reproducible. Please refer to the [Nix manual](https://nixos.org/nix/manual)
+management reliable and reproducible. Please refer to the [Nix manual](https://nix.dev/reference/nix-manual)
 for more details.
 
 ## Installation and first steps
 
 Visit [nix.dev](https://nix.dev) for [installation instructions](https://nix.dev/tutorials/install-nix) and [beginner tutorials](https://nix.dev/tutorials/first-steps).
 
-Full reference documentation can be found in the [Nix manual](https://nixos.org/nix/manual).
+Full reference documentation can be found in the [Nix manual](https://nix.dev/reference/nix-manual).
 
-## Building And Developing
+## Building and developing
 
-See our [Hacking guide](https://nixos.org/manual/nix/unstable/contributing/hacking.html) in our manual for instruction on how to
- set up a development environment and build Nix from source.
+Follow instructions in the Nix reference manual to [set up a development environment and build Nix from source](https://nix.dev/manual/nix/development/building.html).
 
 ## Contributing
 
 Check the [contributing guide](./CONTRIBUTING.md) if you want to get involved with developing Nix.
 
-## Additional Resources
+## Additional resources
 
-- [Nix manual](https://nixos.org/nix/manual)
-- [Nix jobsets on hydra.nixos.org](https://hydra.nixos.org/project/nix)
-- [NixOS Discourse](https://discourse.nixos.org/)
-- [Matrix - #nix:nixos.org](https://matrix.to/#/#nix:nixos.org)
+Nix was created by Eelco Dolstra and developed as the subject of his PhD thesis [The Purely Functional Software Deployment Model](https://edolstra.github.io/pubs/phd-thesis.pdf), published 2006.
+Today, a world-wide developer community contributes to Nix and the ecosystem that has grown around it.
+
+- [The Nix, Nixpkgs, NixOS Community on nixos.org](https://nixos.org/)
+- [Official documentation on nix.dev](https://nix.dev)
+- [Nixpkgs](https://github.com/NixOS/nixpkgs) is [the largest, most up-to-date free software repository in the world](https://repology.org/repositories/graphs)
+- [NixOS](https://github.com/NixOS/nixpkgs/tree/master/nixos) is a Linux distribution that can be configured fully declaratively
+- [Discourse](https://discourse.nixos.org/)
+- [Matrix](https://matrix.to/#/#nix:nixos.org)
 
 ## License
 

build-utils-meson/deps-lists/meson.build

@@ -0,0 +1,36 @@
+# These are private dependencies with pkg-config files. What private
+# means is that the dependencies are used by the library but they are
+# *not* used (e.g. `#include`-ed) in any installed header file, and only
+# in regular source code (`*.cc`) or private, uninstalled headers. They
+# are thus part of the *implementation* of the library, but not its
+# *interface*.
+#
+# See `man pkg-config` for some details.
+deps_private = [ ]
+
+# These are public dependencies with pkg-config files. Public is the
+# opposite of private: these dependencies are used in installed header
+# files. They are part of the interface (and implementation) of the
+# library.
+#
+# N.B. This concept is mostly unrelated to our own concept of a public
+# (stable) API, for consumption outside of the Nix repository.
+# `libnixutil` is an unstable C++ library, whose public interface is
+# likewise unstable. `libutilc` conversely is a hopefully-soon stable
+# C library, whose public interface --- including public but not private
+# dependencies --- will also likewise soon be stable.
+#
+# N.B. For distributions that care about "ABI" stability and not just
+# "API" stability, the private dependencies also matter as they can
+# potentially affect the public ABI.
+deps_public = [ ]
+
+# These are subproject deps (type == "internal"). They are other
+# packages in `/src` in this repo. The private vs public distinction is
+# the same as above.
+deps_private_subproject = [ ]
+deps_public_subproject = [ ]
+
+# These are dependencencies without pkg-config files. Ideally they are
+# just private, but they may also be public (e.g. boost).
+deps_other = [ ]

build-utils-meson/diagnostics/meson.build

@@ -0,0 +1,11 @@
+add_project_arguments(
+  '-Wdeprecated-copy',
+  '-Werror=suggest-override',
+  '-Werror=switch',
+  '-Werror=switch-enum',
+  '-Werror=unused-result',
+  '-Wignored-qualifiers',
+  '-Wimplicit-fallthrough',
+  '-Wno-deprecated-declarations',
+  language : 'cpp',
+)

build-utils-meson/export-all-symbols/meson.build

@@ -0,0 +1,11 @@
+if host_machine.system() == 'cygwin' or host_machine.system() == 'windows'
+  # Windows DLLs are stricter about symbol visibility than Unix shared
+  # objects --- see https://gcc.gnu.org/wiki/Visibility for details.
+  # This is a temporary sledgehammer to export everything like on Unix,
+  # and not detail with this yet.
+  #
+  # TODO do not do this, and instead do fine-grained export annotations.
+  linker_export_flags = ['-Wl,--export-all-symbols']
+else
+  linker_export_flags = []
+endif

build-utils-meson/export/meson.build

@@ -0,0 +1,30 @@
+requires_private = []
+foreach dep : deps_private_subproject
+  requires_private  += dep.name()
+endforeach
+requires_private += deps_private
+
+requires_public  = []
+foreach dep : deps_public_subproject
+  requires_public  += dep.name()
+endforeach
+requires_public += deps_public
+
+import('pkgconfig').generate(
+  this_library,
+  filebase : meson.project_name(),
+  name : 'Nix',
+  description : 'Nix Package Manager',
+  subdirs : ['nix'],
+  extra_cflags : ['-std=c++2a'],
+  requires : requires_public,
+  requires_private : requires_private,
+  libraries_private : libraries_private,
+)
+
+meson.override_dependency(meson.project_name(), declare_dependency(
+  include_directories : include_dirs,
+  link_with : this_library,
+  compile_args : ['-std=c++2a'],
+  dependencies : deps_public_subproject + deps_public,
+))

build-utils-meson/generate-header/meson.build

@@ -0,0 +1,7 @@
+bash = find_program('bash', native: true)
+
+gen_header = generator(
+  bash,
+  arguments : [ '-c', '{ echo \'R"__NIX_STR(\' && cat @INPUT@ && echo \')__NIX_STR"\'; } > "$1"', '_ignored_argv0', '@OUTPUT@' ],
+  output : '@PLAINNAME@.gen.hh',
+)

build-utils-meson/subprojects/meson.build

@@ -0,0 +1,19 @@
+foreach maybe_subproject_dep : deps_private_maybe_subproject
+  if maybe_subproject_dep.type_name() == 'internal'
+    deps_private_subproject += maybe_subproject_dep
+    # subproject sadly no good for pkg-config module
+    deps_other += maybe_subproject_dep
+  else
+    deps_private += maybe_subproject_dep
+  endif
+endforeach
+
+foreach maybe_subproject_dep : deps_public_maybe_subproject
+  if maybe_subproject_dep.type_name() == 'internal'
+    deps_public_subproject += maybe_subproject_dep
+    # subproject sadly no good for pkg-config module
+    deps_other += maybe_subproject_dep
+  else
+    deps_public += maybe_subproject_dep
+  endif
+endforeach

build-utils-meson/threads/meson.build

@@ -0,0 +1,6 @@
+# This is only conditional to work around
+# https://github.com/mesonbuild/meson/issues/13293. It should be
+# unconditional.
+if not (host_machine.system() == 'windows' and cxx.get_id() == 'gcc')
+  deps_private += dependency('threads')
+endif

configure.ac

@@ -63,7 +63,6 @@ AC_SYS_LARGEFILE
 
 
 # Solaris-specific stuff.
-AC_STRUCT_DIRENT_D_TYPE
 case "$host_os" in
   solaris*)
     # Solaris requires -lsocket -lnsl for network functions
@@ -167,11 +166,6 @@ AS_IF(
   [test "$ENABLE_BUILD" == "no" && test "$ENABLE_DOC_GEN" == "yes"],
   [AC_MSG_ERROR([Cannot enable generated docs when building overall is disabled. Please do not pass '--enable-doc-gen' or do not pass '--disable-build'.])])
 
-# Building without API docs is the default as Nix' C++ interfaces are internal and unstable.
-AC_ARG_ENABLE(internal-api-docs, AS_HELP_STRING([--enable-internal-api-docs],[Build API docs for Nix's internal unstable C++ interfaces]),
-  ENABLE_INTERNAL_API_DOCS=$enableval, ENABLE_INTERNAL_API_DOCS=no)
-AC_SUBST(ENABLE_INTERNAL_API_DOCS)
-
 AS_IF(
   [test "$ENABLE_FUNCTIONAL_TESTS" == "yes" || test "$ENABLE_DOC_GEN" == "yes"],
   [NEED_PROG(jq, jq)])
@@ -305,9 +299,20 @@ case "$host_os" in
                                 ]))
     if test "x$enable_seccomp_sandboxing" != "xno"; then
       PKG_CHECK_MODULES([LIBSECCOMP], [libseccomp],
-                        [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS"])
+                        [CXXFLAGS="$LIBSECCOMP_CFLAGS $CXXFLAGS" CFLAGS="$LIBSECCOMP_CFLAGS $CFLAGS"])
       have_seccomp=1
       AC_DEFINE([HAVE_SECCOMP], [1], [Whether seccomp is available and should be used for sandboxing.])
+      AC_COMPILE_IFELSE([
+        AC_LANG_SOURCE([[
+          #include <seccomp.h>
+          #ifndef __SNR_fchmodat2
+          # error "Missing support for fchmodat2"
+          #endif
+        ]])
+      ], [], [
+        echo "libseccomp is missing __SNR_fchmodat2. Please provide libseccomp 2.5.5 or later"
+        exit 1
+      ])
     else
       have_seccomp=
     fi
@@ -335,13 +340,6 @@ AC_CHECK_HEADERS([aws/s3/S3Client.h],
 AC_SUBST(ENABLE_S3, [$enable_s3])
 AC_LANG_POP(C++)
 
-if test -n "$enable_s3"; then
-  declare -a aws_version_tokens=($(printf '#include <aws/core/VersionConfig.h>\nAWS_SDK_VERSION_STRING' | $CPP $CPPFLAGS - | grep -v '^#.*' | sed 's/"//g' | tr '.' ' '))
-  AC_DEFINE_UNQUOTED([AWS_VERSION_MAJOR], ${aws_version_tokens@<:@0@:>@}, [Major version of aws-sdk-cpp.])
-  AC_DEFINE_UNQUOTED([AWS_VERSION_MINOR], ${aws_version_tokens@<:@1@:>@}, [Minor version of aws-sdk-cpp.])
-  AC_DEFINE_UNQUOTED([AWS_VERSION_PATCH], ${aws_version_tokens@<:@2@:>@}, [Patch version of aws-sdk-cpp.])
-fi
-
 
 # Whether to use the Boehm garbage collector.
 AC_ARG_ENABLE(gc, AS_HELP_STRING([--enable-gc],[enable garbage collection in the Nix expression evaluator (requires Boehm GC) [default=yes]]),
@@ -350,6 +348,14 @@ if test "$gc" = yes; then
   PKG_CHECK_MODULES([BDW_GC], [bdw-gc])
   CXXFLAGS="$BDW_GC_CFLAGS $CXXFLAGS"
   AC_DEFINE(HAVE_BOEHMGC, 1, [Whether to use the Boehm garbage collector.])
+
+  # See `fixupBoehmStackPointer`, for the integration between Boehm GC
+  # and Boost coroutines.
+  old_CFLAGS="$CFLAGS"
+  # Temporary set `-pthread` just for the next check
+  CFLAGS="$CFLAGS -pthread"
+  AC_CHECK_FUNCS([pthread_attr_get_np pthread_getattr_np])
+  CFLAGS="$old_CFLAGS"
 fi
 
 AS_IF([test "$ENABLE_UNIT_TESTS" == "yes"],[
@@ -387,6 +393,11 @@ AS_CASE(["$enable_markdown"],
 PKG_CHECK_MODULES([LIBGIT2], [libgit2])
 
 
+# Look for toml11, a required dependency.
+AC_LANG_PUSH(C++)
+AC_CHECK_HEADER([toml.hpp], [], [AC_MSG_ERROR([toml11 is not found.])])
+AC_LANG_POP(C++)
+
 # Setuid installations.
 AC_CHECK_FUNCS([setresuid setreuid lchown])
 

dep-patches/boehmgc-coroutine-sp-fallback.diff

@@ -1,99 +0,0 @@
-diff --git a/darwin_stop_world.c b/darwin_stop_world.c
-index 0468aaec..b348d869 100644
---- a/darwin_stop_world.c
-+++ b/darwin_stop_world.c
-@@ -356,6 +356,7 @@ GC_INNER void GC_push_all_stacks(void)
-   int nthreads = 0;
-   word total_size = 0;
-   mach_msg_type_number_t listcount = (mach_msg_type_number_t)THREAD_TABLE_SZ;
-+  size_t stack_limit;
-   if (!EXPECT(GC_thr_initialized, TRUE))
-     GC_thr_init();
- 
-@@ -411,6 +412,19 @@ GC_INNER void GC_push_all_stacks(void)
-             GC_push_all_stack_sections(lo, hi, p->traced_stack_sect);
-           }
-           if (altstack_lo) {
-+            // When a thread goes into a coroutine, we lose its original sp until
-+            // control flow returns to the thread.
-+            // While in the coroutine, the sp points outside the thread stack,
-+            // so we can detect this and push the entire thread stack instead,
-+            // as an approximation.
-+            // We assume that the coroutine has similarly added its entire stack.
-+            // This could be made accurate by cooperating with the application
-+            // via new functions and/or callbacks.
-+            stack_limit = pthread_get_stacksize_np(p->id);
-+            if (altstack_lo >= altstack_hi || altstack_lo < altstack_hi - stack_limit) { // sp outside stack
-+              altstack_lo = altstack_hi - stack_limit;
-+            }
-+
-             total_size += altstack_hi - altstack_lo;
-             GC_push_all_stack(altstack_lo, altstack_hi);
-           }
-diff --git a/include/gc.h b/include/gc.h
-index edab6c22..f2c61282 100644
---- a/include/gc.h
-+++ b/include/gc.h
-@@ -2172,6 +2172,11 @@ GC_API void GC_CALL GC_win32_free_heap(void);
-         (*GC_amiga_allocwrapper_do)(a,GC_malloc_atomic_ignore_off_page)
- #endif /* _AMIGA && !GC_AMIGA_MAKINGLIB */
- 
-+#if !__APPLE__
-+/* Patch doesn't work on apple */
-+#define NIX_BOEHM_PATCH_VERSION 1
-+#endif
-+
- #ifdef __cplusplus
-   } /* extern "C" */
- #endif
-diff --git a/pthread_stop_world.c b/pthread_stop_world.c
-index b5d71e62..aed7b0bf 100644
---- a/pthread_stop_world.c
-+++ b/pthread_stop_world.c
-@@ -768,6 +768,8 @@ STATIC void GC_restart_handler(int sig)
- /* world is stopped.  Should not fail if it isn't.                      */
- GC_INNER void GC_push_all_stacks(void)
- {
-+    size_t stack_limit;
-+    pthread_attr_t pattr;
-     GC_bool found_me = FALSE;
-     size_t nthreads = 0;
-     int i;
-@@ -851,6 +853,37 @@ GC_INNER void GC_push_all_stacks(void)
-           hi = p->altstack + p->altstack_size;
-           /* FIXME: Need to scan the normal stack too, but how ? */
-           /* FIXME: Assume stack grows down */
-+        } else {
-+#ifdef HAVE_PTHREAD_ATTR_GET_NP
-+          if (!pthread_attr_init(&pattr)
-+              || !pthread_attr_get_np(p->id, &pattr))
-+#else /* HAVE_PTHREAD_GETATTR_NP */
-+          if (pthread_getattr_np(p->id, &pattr))
-+#endif
-+          {
-+            ABORT("GC_push_all_stacks: pthread_getattr_np failed!");
-+          }
-+          if (pthread_attr_getstacksize(&pattr, &stack_limit)) {
-+            ABORT("GC_push_all_stacks: pthread_attr_getstacksize failed!");
-+          }
-+          if (pthread_attr_destroy(&pattr)) {
-+            ABORT("GC_push_all_stacks: pthread_attr_destroy failed!");
-+          }
-+          // When a thread goes into a coroutine, we lose its original sp until
-+          // control flow returns to the thread.
-+          // While in the coroutine, the sp points outside the thread stack,
-+          // so we can detect this and push the entire thread stack instead,
-+          // as an approximation.
-+          // We assume that the coroutine has similarly added its entire stack.
-+          // This could be made accurate by cooperating with the application
-+          // via new functions and/or callbacks.
-+          #ifndef STACK_GROWS_UP
-+            if (lo >= hi || lo < hi - stack_limit) { // sp outside stack
-+              lo = hi - stack_limit;
-+            }
-+          #else
-+          #error "STACK_GROWS_UP not supported in boost_coroutine2 (as of june 2021), so we don't support it in Nix."
-+          #endif
-         }
-         GC_push_all_stack_sections(lo, hi, traced_stack_sect);
- #       ifdef STACK_GROWS_UP

dep-patches/boehmgc-traceable_allocator-public.diff

@@ -1,12 +0,0 @@
-diff --git a/include/gc_allocator.h b/include/gc_allocator.h
-index 597c7f13..587286be 100644
---- a/include/gc_allocator.h
-+++ b/include/gc_allocator.h
-@@ -312,6 +312,7 @@ public:
- 
- template<>
- class traceable_allocator<void> {
-+public:
-   typedef size_t      size_type;
-   typedef ptrdiff_t   difference_type;
-   typedef void*       pointer;

doc/internal-api/local.mk

@@ -1,7 +0,0 @@
-$(docdir)/internal-api/html/index.html $(docdir)/internal-api/latex: $(d)/doxygen.cfg
-	mkdir -p $(docdir)/internal-api
-	{ cat $< ; echo "OUTPUT_DIRECTORY=$(docdir)/internal-api" ; } | doxygen -
-
-# Generate the HTML API docs for Nix's unstable internal interfaces.
-.PHONY: internal-api-html
-internal-api-html: $(docdir)/internal-api/html/index.html

doc/manual/book.toml

@@ -6,8 +6,6 @@ additional-css = ["custom.css"]
 additional-js = ["redirects.js"]
 edit-url-template = "https://github.com/NixOS/nix/tree/master/doc/manual/{path}"
 git-repository-url = "https://github.com/NixOS/nix"
-fold.enable = true
-fold.level = 1
 
 [preprocessor.anchors]
 renderers = ["html"]

doc/manual/custom.css

@@ -1,3 +1,25 @@
+:root {
+    --sidebar-width: 23em;
+}
+
+h1.menu-title::before {
+  content: "";
+  background-image: url("./favicon.svg");
+  padding: 1.25em;
+  background-position: center center;
+  background-size: 2em;
+  background-repeat: no-repeat;
+}
+
+
+h1.menu-title {
+  padding: 0.5em;
+}
+
+.sidebar .sidebar-scrollbox {
+  padding: 1em;
+}
+
 h1:not(:first-of-type) {
     margin-top: 1.3em;
 }

doc/manual/generate-builtin-constants.nix

@@ -1,31 +0,0 @@
-let
-  inherit (builtins) concatStringsSep attrValues mapAttrs;
-  inherit (import <nix/utils.nix>) optionalString squash;
-in
-
-builtinsInfo:
-let
-  showBuiltin = name: { doc, type, impure-only }:
-    let
-      type' = optionalString (type != null) " (${type})";
-
-      impureNotice = optionalString impure-only ''
-        > **Note**
-        >
-        > Not available in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval).
-      '';
-    in
-    squash ''
-      <dt id="builtins-${name}">
-        <a href="#builtins-${name}"><code>${name}</code></a>${type'}
-      </dt>
-      <dd>
-
-      ${doc}
-
-      ${impureNotice}
-
-      </dd>
-    '';
-in
-concatStringsSep "\n" (attrValues (mapAttrs showBuiltin builtinsInfo))

doc/manual/generate-builtins.nix

@@ -5,12 +5,14 @@ in
 
 builtinsInfo:
 let
-  showBuiltin = name: { doc, args, arity, experimental-feature }:
+  showBuiltin = name: { doc, type ? null, args ? [ ], experimental-feature ? null, impure-only ? false }:
     let
+      type' = optionalString (type != null) " (${type})";
+
       experimentalNotice = optionalString (experimental-feature != null) ''
         > **Note**
         >
-        > This function is only available if the [`${experimental-feature}` experimental feature](@docroot@/contributing/experimental-features.md#xp-feature-${experimental-feature}) is enabled.
+        > This function is only available if the [`${experimental-feature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimental-feature}) is enabled.
         >
         > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
         >
@@ -18,18 +20,26 @@ let
         > extra-experimental-features = ${experimental-feature}
         > ```
       '';
+
+      impureNotice = optionalString impure-only ''
+        > **Note**
+        >
+        > Not available in [pure evaluation mode](@docroot@/command-ref/conf-file.md#conf-pure-eval).
+      '';
     in
     squash ''
       <dt id="builtins-${name}">
-        <a href="#builtins-${name}"><code>${name} ${listArgs args}</code></a>
+        <a href="#builtins-${name}"><code>${name}${listArgs args}</code></a>${type'}
       </dt>
       <dd>
 
       ${experimentalNotice}
 
       ${doc}
+
+      ${impureNotice}
       </dd>
     '';
-  listArgs = args: concatStringsSep " " (map (s: "<var>${s}</var>") args);
+  listArgs = args: concatStringsSep "" (map (s: " <var>${s}</var>") args);
 in
 concatStringsSep "\n" (attrValues (mapAttrs showBuiltin builtinsInfo))

doc/manual/generate-manpage.nix

@@ -38,7 +38,7 @@ let
       result = ''
         > **Warning** \
         > This program is
-        > [**experimental**](@docroot@/contributing/experimental-features.md#xp-feature-nix-command)
+        > [**experimental**](@docroot@/development/experimental-features.md#xp-feature-nix-command)
         > and its interface is subject to change.
 
         # Name
@@ -116,9 +116,12 @@ let
             storeInfo = commandInfo.stores;
             inherit inlineHTML;
           };
+          hasInfix = infix: content:
+            builtins.stringLength content != builtins.stringLength (replaceStrings [ infix ] [ "" ] content);
         in
         optionalString (details ? doc) (
-          if match ".*@store-types@.*" details.doc != null
+          # An alternate implementation with builtins.match stack overflowed on some systems.
+          if hasInfix "@store-types@" details.doc
           then help-stores
           else details.doc
         );

doc/manual/generate-settings.nix

@@ -33,10 +33,10 @@ let
           > **Warning**
           >
           > This setting is part of an
-          > [experimental feature](@docroot@/contributing/experimental-features.md).
+          > [experimental feature](@docroot@/development/experimental-features.md).
           >
           > To change this setting, make sure the
-          > [`${experimentalFeature}` experimental feature](@docroot@/contributing/experimental-features.md#xp-feature-${experimentalFeature})
+          > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
           > is enabled.
           > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
           >

doc/manual/generate-store-info.nix

@@ -32,10 +32,10 @@ let
         > **Warning**
         >
         > This store is part of an
-        > [experimental feature](@docroot@/contributing/experimental-features.md).
+        > [experimental feature](@docroot@/development/experimental-features.md).
         >
         > To use this store, make sure the
-        > [`${experimentalFeature}` experimental feature](@docroot@/contributing/experimental-features.md#xp-feature-${experimentalFeature})
+        > [`${experimentalFeature}` experimental feature](@docroot@/development/experimental-features.md#xp-feature-${experimentalFeature})
         > is enabled.
         > For example, include the following in [`nix.conf`](@docroot@/command-ref/conf-file.md):
         >

doc/manual/generate-xp-features-shortlist.nix

@@ -4,6 +4,6 @@ with import <nix/utils.nix>;
 let
   showExperimentalFeature = name: doc:
     ''
-      - [`${name}`](@docroot@/contributing/experimental-features.md#xp-feature-${name})
+      - [`${name}`](@docroot@/development/experimental-features.md#xp-feature-${name})
     '';
 in xps: indent "  " (concatStrings (attrValues (mapAttrs showExperimentalFeature xps)))

doc/manual/local.mk

@@ -95,7 +95,7 @@ $(d)/nix-profiles.5: $(d)/src/command-ref/files/profiles.md
 	$(trace-gen) lowdown -sT man --nroff-nolinks -M section=5 $^.tmp -o $@
 	@rm $^.tmp
 
-$(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/SUMMARY-rl-next.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md
+$(d)/src/SUMMARY.md: $(d)/src/SUMMARY.md.in $(d)/src/SUMMARY-rl-next.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/development/experimental-feature-descriptions.md
 	@cp $< $@
 	@$(call process-includes,$@,$@)
 
@@ -124,7 +124,7 @@ $(d)/conf-file.json: $(doc_nix)
 	$(trace-gen) $(dummy-env) $(doc_nix) config show --json --experimental-features nix-command > $@.tmp
 	@mv $@.tmp $@
 
-$(d)/src/contributing/experimental-feature-descriptions.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features.nix $(doc_nix)
+$(d)/src/development/experimental-feature-descriptions.md: $(d)/xp-features.json $(d)/utils.nix $(d)/generate-xp-features.nix $(doc_nix)
 	@rm -rf $@ $@.tmp
 	$(trace-gen) $(nix-eval) --write-to $@.tmp --expr 'import doc/manual/generate-xp-features.nix (builtins.fromJSON (builtins.readFile $<))'
 	@mv $@.tmp $@
@@ -140,16 +140,10 @@ $(d)/xp-features.json: $(doc_nix)
 
 $(d)/src/language/builtins.md: $(d)/language.json $(d)/generate-builtins.nix $(d)/src/language/builtins-prefix.md $(doc_nix)
 	@cat doc/manual/src/language/builtins-prefix.md > $@.tmp
-	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<)).builtins' >> $@.tmp;
+	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtins.nix (builtins.fromJSON (builtins.readFile $<))' >> $@.tmp;
 	@cat doc/manual/src/language/builtins-suffix.md >> $@.tmp
 	@mv $@.tmp $@
 
-$(d)/src/language/builtin-constants.md: $(d)/language.json $(d)/generate-builtin-constants.nix $(d)/src/language/builtin-constants-prefix.md $(doc_nix)
-	@cat doc/manual/src/language/builtin-constants-prefix.md > $@.tmp
-	$(trace-gen) $(nix-eval) --expr 'import doc/manual/generate-builtin-constants.nix (builtins.fromJSON (builtins.readFile $<)).constants' >> $@.tmp;
-	@cat doc/manual/src/language/builtin-constants-suffix.md >> $@.tmp
-	@mv $@.tmp $@
-
 $(d)/language.json: $(doc_nix)
 	$(trace-gen) $(dummy-env) $(doc_nix) __dump-language > $@.tmp
 	@mv $@.tmp $@
@@ -175,6 +169,16 @@ $(d)/src/SUMMARY-rl-next.md: $(d)/src/release-notes/rl-next.md
 # Generate the HTML manual.
 .PHONY: manual-html
 manual-html: $(docdir)/manual/index.html
+
+# Open the built HTML manual in the default browser.
+manual-html-open: $(docdir)/manual/index.html
+	@echo "  OPEN  " $<; \
+	  xdg-open $< \
+		  || open $< \
+			|| { \
+		echo "Could not open the manual in a browser. Please open '$<'" >&2; \
+		false; \
+		}
 install: $(docdir)/manual/index.html
 
 # Generate 'nix' manpages.
@@ -203,11 +207,11 @@ doc/manual/generated/man1/nix3-manpages: $(d)/src/command-ref/new-cli
 	done
 	@touch $@
 
-# the `! -name 'contributing.md'` filter excludes the one place where
+# the `! -name 'documentation.md'` filter excludes the one place where
 # `@docroot@` is to be preserved for documenting the mechanism
 # FIXME: maybe contributing guides should live right next to the code
 # instead of in the manual
-$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/contributing/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md $(d)/src/language/builtin-constants.md $(d)/src/release-notes/rl-next.md
+$(docdir)/manual/index.html: $(MANUAL_SRCS) $(d)/book.toml $(d)/anchors.jq $(d)/custom.css $(d)/src/SUMMARY.md $(d)/src/store/types $(d)/src/command-ref/new-cli $(d)/src/development/experimental-feature-descriptions.md $(d)/src/command-ref/conf-file.md $(d)/src/language/builtins.md $(d)/src/release-notes/rl-next.md $(d)/src/figures $(d)/src/favicon.png $(d)/src/favicon.svg
 	$(trace-gen) \
 		tmp="$$(mktemp -d)"; \
 		cp -r doc/manual "$$tmp"; \

doc/manual/redirects.js

@@ -1,7 +1,7 @@
 // redirect rules for URL fragments (client-side) to prevent link rot.
 // this must be done on the client side, as web servers do not see the fragment part of the URL.
 // it will only work with JavaScript enabled in the browser, but this is the best we can do here.
-// see ./_redirects for path redirects (client-side)
+// see src/_redirects for path redirects (server-side)
 
 // redirects are declared as follows:
 // each entry has as its key a path matching the requested URL path, relative to the mdBook document root.
@@ -14,7 +14,7 @@
 
 const redirects = {
  "index.html": {
-    "part-advanced-topics": "advanced-topics/advanced-topics.html",
+    "part-advanced-topics": "advanced-topics/index.html",
     "chap-tuning-cores-and-jobs": "advanced-topics/cores-vs-jobs.html",
     "chap-diff-hook": "advanced-topics/diff-hook.html",
     "check-dirs-are-unregistered": "advanced-topics/diff-hook.html#check-dirs-are-unregistered",
@@ -22,7 +22,7 @@ const redirects = {
     "chap-post-build-hook": "advanced-topics/post-build-hook.html",
     "chap-post-build-hook-caveats": "advanced-topics/post-build-hook.html#implementation-caveats",
     "chap-writing-nix-expressions": "language/index.html",
-    "part-command-ref": "command-ref/command-ref.html",
+    "part-command-ref": "command-ref/index.html",
     "conf-allow-import-from-derivation": "command-ref/conf-file.html#conf-allow-import-from-derivation",
     "conf-allow-new-privileges": "command-ref/conf-file.html#conf-allow-new-privileges",
     "conf-allowed-uris": "command-ref/conf-file.html#conf-allowed-uris",
@@ -143,7 +143,7 @@ const redirects = {
     "opt-timeout": "command-ref/opt-common.html#opt-timeout",
     "sec-common-options": "command-ref/opt-common.html",
     "ch-utilities": "command-ref/utilities.html",
-    "chap-hacking": "contributing/hacking.html",
+    "chap-hacking": "development/building.html",
     "adv-attr-allowSubstitutes": "language/advanced-attributes.html#adv-attr-allowSubstitutes",
     "adv-attr-allowedReferences": "language/advanced-attributes.html#adv-attr-allowedReferences",
     "adv-attr-allowedRequisites": "language/advanced-attributes.html#adv-attr-allowedRequisites",
@@ -238,12 +238,12 @@ const redirects = {
     "attr-system": "language/derivations.html#attr-system",
     "ssec-derivation": "language/derivations.html",
     "ch-expression-language": "language/index.html",
-    "sec-constructs": "language/constructs.html",
-    "sect-let-language": "language/constructs.html#let-language",
-    "ss-functions": "language/constructs.html#functions",
+    "sec-constructs": "language/syntax.html",
+    "sect-let-language": "language/syntax.html#let-expressions",
+    "ss-functions": "language/syntax.html#functions",
     "sec-language-operators": "language/operators.html",
     "table-operators": "language/operators.html",
-    "ssec-values": "language/values.html",
+    "ssec-values": "language/types.html",
     "gloss-closure": "glossary.html#gloss-closure",
     "gloss-derivation": "glossary.html#gloss-derivation",
     "gloss-deriver": "glossary.html#gloss-deriver",
@@ -261,7 +261,7 @@ const redirects = {
     "sec-installer-proxy-settings": "installation/env-variables.html#proxy-environment-variables",
     "sec-nix-ssl-cert-file": "installation/env-variables.html#nix_ssl_cert_file",
     "sec-nix-ssl-cert-file-with-nix-daemon-and-macos": "installation/env-variables.html#nix_ssl_cert_file-with-macos-and-the-nix-daemon",
-    "chap-installation": "installation/installation.html",
+    "chap-installation": "installation/index.html",
     "ch-installing-binary": "installation/installing-binary.html",
     "sect-macos-installation": "installation/installing-binary.html#macos-installation",
     "sect-macos-installation-change-store-prefix": "installation/installing-binary.html#macos-installation",
@@ -285,19 +285,19 @@ const redirects = {
     "ch-basic-package-mgmt": "package-management/basic-package-mgmt.html",
     "ssec-binary-cache-substituter": "package-management/binary-cache-substituter.html",
     "sec-channels": "command-ref/nix-channel.html",
-    "ssec-copy-closure": "package-management/copy-closure.html",
+    "ssec-copy-closure": "command-ref/nix-copy-closure.html",
     "sec-garbage-collection": "package-management/garbage-collection.html",
     "ssec-gc-roots": "package-management/garbage-collector-roots.html",
-    "chap-package-management": "package-management/package-management.html",
+    "chap-package-management": "package-management/index.html",
     "sec-profiles": "package-management/profiles.html",
-    "ssec-s3-substituter": "package-management/s3-substituter.html",
-    "ssec-s3-substituter-anonymous-reads": "package-management/s3-substituter.html#anonymous-reads-to-your-s3-compatible-binary-cache",
-    "ssec-s3-substituter-authenticated-reads": "package-management/s3-substituter.html#authenticated-reads-to-your-s3-binary-cache",
-    "ssec-s3-substituter-authenticated-writes": "package-management/s3-substituter.html#authenticated-writes-to-your-s3-compatible-binary-cache",
+    "ssec-s3-substituter": "store/types/s3-substituter.html",
+    "ssec-s3-substituter-anonymous-reads": "store/types/s3-substituter.html#anonymous-reads-to-your-s3-compatible-binary-cache",
+    "ssec-s3-substituter-authenticated-reads": "store/types/s3-substituter.html#authenticated-reads-to-your-s3-binary-cache",
+    "ssec-s3-substituter-authenticated-writes": "store/types/s3-substituter.html#authenticated-writes-to-your-s3-compatible-binary-cache",
     "sec-sharing-packages": "package-management/sharing-packages.html",
     "ssec-ssh-substituter": "package-management/ssh-substituter.html",
     "chap-quick-start": "quick-start.html",
-    "sec-relnotes": "release-notes/release-notes.html",
+    "sec-relnotes": "release-notes/index.html",
     "ch-relnotes-0.10.1": "release-notes/rl-0.10.1.html",
     "ch-relnotes-0.10": "release-notes/rl-0.10.html",
     "ssec-relnotes-0.11": "release-notes/rl-0.11.html",
@@ -335,18 +335,22 @@ const redirects = {
     "ssec-relnotes-2.2": "release-notes/rl-2.2.html",
     "ssec-relnotes-2.3": "release-notes/rl-2.3.html",
   },
-  "language/values.html": {
+  "language/types.html": {
     "simple-values": "#primitives",
     "lists": "#list",
     "strings": "#string",
     "attribute-sets": "#attribute-set",
+    "type-number": "#type-int",
+  },
+  "language/syntax.html": {
+    "scoping-rules": "scoping.html",
   },
   "installation/installing-binary.html": {
     "linux": "uninstall.html#linux",
     "macos": "uninstall.html#macos",
     "uninstalling": "uninstall.html",
   },
-  "contributing/hacking.html": {
+  "development/building.html": {
     "nix-with-flakes": "#building-nix-with-flakes",
     "classic-nix": "#building-nix",
     "running-tests": "testing.html#running-tests",
@@ -357,7 +361,12 @@ const redirects = {
     "installer-tests": "testing.html#installer-tests",
     "one-time-setup": "testing.html#one-time-setup",
     "using-the-ci-generated-installer-for-manual-testing": "testing.html#using-the-ci-generated-installer-for-manual-testing",
-    "characterization-testing": "#characterisation-testing-unit",
+    "characterization-testing": "testing.html#characterisation-testing-unit",
+    "add-a-release-note": "contributing.html#add-a-release-note",
+    "add-an-entry": "contributing.html#add-an-entry",
+    "build-process": "contributing.html#build-process",
+    "reverting": "contributing.html#reverting",
+    "branches": "contributing.html#branches",
   },
   "glossary.html": {
     "gloss-local-store": "store/types/local-store.html",

doc/manual/rl-next/better-errors-in-nix-repl.md

@@ -1,40 +0,0 @@
----
-synopsis: Concise error printing in `nix repl`
-prs: 9928
----
-
-Previously, if an element of a list or attribute set threw an error while
-evaluating, `nix repl` would print the entire error (including source location
-information) inline. This output was clumsy and difficult to parse:
-
-```
-nix-repl> { err = builtins.throw "uh oh!"; }
-{ err = «error:
-       … while calling the 'throw' builtin
-         at «string»:1:9:
-            1| { err = builtins.throw "uh oh!"; }
-             |         ^
-
-       error: uh oh!»; }
-```
-
-Now, only the error message is displayed, making the output much more readable.
-```
-nix-repl> { err = builtins.throw "uh oh!"; }
-{ err = «error: uh oh!»; }
-```
-
-However, if the whole expression being evaluated throws an error, source
-locations and (if applicable) a stack trace are printed, just like you'd expect:
-
-```
-nix-repl> builtins.throw "uh oh!"
-error:
-       … while calling the 'throw' builtin
-         at «string»:1:1:
-            1| builtins.throw "uh oh!"
-             | ^
-
-       error: uh oh!
-```
-

doc/manual/rl-next/debugger-locals-for-let-expressions.md

@@ -1,9 +0,0 @@
----
-synopsis: "`--debugger` can now access bindings from `let` expressions"
-prs: 9918
-issues: 8827.
----
-
-Breakpoints and errors in the bindings of a `let` expression can now access
-those bindings in the debugger. Previously, only the body of `let` expressions
-could access those bindings.

doc/manual/rl-next/enter-debugger-more-reliably-in-let-and-calls.md

@@ -1,25 +0,0 @@
----
-synopsis: The `--debugger` will start more reliably in `let` expressions and function calls
-prs: 9917
-issues: 6649
----
-
-Previously, if you attempted to evaluate this file with the debugger:
-
-```nix
-let
-  a = builtins.trace "before inner break" (
-    builtins.break "hello"
-  );
-  b = builtins.trace "before outer break" (
-    builtins.break a
-  );
-in
-  b
-```
-
-Nix would correctly enter the debugger at `builtins.break a`, but if you asked
-it to `:continue`, it would skip over the `builtins.break "hello"` expression
-entirely.
-
-Now, Nix will correctly enter the debugger at both breakpoints.

doc/manual/rl-next/filesystem-errors.md

@@ -0,0 +1,14 @@
+---
+synopsis: wrap filesystem exceptions more correctly
+issues: []
+prs: [11378]
+---
+
+
+With the switch to `std::filesystem` in different places, Nix started to throw `std::filesystem::filesystem_error` in many places instead of its own exceptions.
+
+This lead to no longer generating error traces, for example when listing a non-existing directory.
+
+This version catches these types of exception correctly and wrap them into Nix's own exeception type.
+
+Author: [**@Mic92**](https://github.com/Mic92)

doc/manual/rl-next/leading-period.md

@@ -1,10 +0,0 @@
----
-synopsis: Store paths are allowed to start with `.`
-issues: 912
-prs: 9867 9091 9095 9120 9121 9122 9130 9219 9224
----
-
-Leading periods were allowed by accident in Nix 2.4. The Nix team has considered this to be a bug, but this behavior has since been relied on by users, leading to unnecessary difficulties.
-From now on, leading periods are officially, definitively supported. The names `.` and `..` are disallowed, as well as those starting with `.-` or `..-`.
-
-Nix versions that denied leading periods are documented [in the issue](https://github.com/NixOS/nix/issues/912#issuecomment-1919583286).

doc/manual/rl-next/reduce-debugger-clutter.md

@@ -1,37 +0,0 @@
----
-synopsis: "Visual clutter in `--debugger` is reduced"
-prs: 9919
----
-
-Before:
-```
-info: breakpoint reached
-
-
-Starting REPL to allow you to inspect the current state of the evaluator.
-
-Welcome to Nix 2.20.0pre20231222_dirty. Type :? for help.
-
-nix-repl> :continue
-error: uh oh
-
-
-Starting REPL to allow you to inspect the current state of the evaluator.
-
-Welcome to Nix 2.20.0pre20231222_dirty. Type :? for help.
-
-nix-repl>
-```
-
-After:
-
-```
-info: breakpoint reached
-
-Nix 2.20.0pre20231222_dirty debugger
-Type :? for help.
-nix-repl> :continue
-error: uh oh
-
-nix-repl>
-```

doc/manual/rl-next/verify-tls.md

@@ -0,0 +1,8 @@
+---
+synopsis: "`<nix/fetchurl.nix>` uses TLS verification"
+prs: [11585]
+---
+
+Previously `<nix/fetchurl.nix>` did not do TLS verification. This was because the Nix sandbox in the past did not have access to TLS certificates, and Nix checks the hash of the fetched file anyway. However, this can expose authentication data from `netrc` and URLs to man-in-the-middle attackers. In addition, Nix now in some cases (such as when using impure derivations) does *not* check the hash. Therefore we have now enabled TLS verification. This means that downloads by `<nix/fetchurl.nix>` will now fail if you're fetching from a HTTPS server that does not have a valid certificate.
+
+`<nix/fetchurl.nix>` is also known as the builtin derivation builder `builtin:fetchurl`. It's not to be confused with the evaluation-time function `builtins.fetchurl`, which was not affected by this issue.

doc/manual/src/SUMMARY.md.in

@@ -18,21 +18,25 @@
   - [Uninstalling Nix](installation/uninstall.md)
 - [Nix Store](store/index.md)
   - [File System Object](store/file-system-object.md)
+    - [Content-Addressing File System Objects](store/file-system-object/content-address.md)
   - [Store Object](store/store-object.md)
+    - [Content-Addressing Store Objects](store/store-object/content-address.md)
   - [Store Path](store/store-path.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
 - [Nix Language](language/index.md)
-  - [Data Types](language/values.md)
-  - [Language Constructs](language/constructs.md)
+  - [Data Types](language/types.md)
+    - [String context](language/string-context.md)
+  - [Syntax and semantics](language/syntax.md)
+    - [Identifiers](language/identifiers.md)
+    - [Scoping rules](language/scope.md)
     - [String interpolation](language/string-interpolation.md)
     - [Lookup path](language/constructs/lookup-path.md)
   - [Operators](language/operators.md)
-  - [Derivations](language/derivations.md)
-    - [Advanced Attributes](language/advanced-attributes.md)
-    - [Import From Derivation](language/import-from-derivation.md)
-  - [Built-in Constants](language/builtin-constants.md)
-  - [Built-in Functions](language/builtins.md)
+  - [Built-ins](language/builtins.md)
+    - [Derivations](language/derivations.md)
+      - [Advanced Attributes](language/advanced-attributes.md)
+      - [Import From Derivation](language/import-from-derivation.md)
 - [Package Management](package-management/index.md)
   - [Profiles](package-management/profiles.md)
   - [Garbage Collection](package-management/garbage-collection.md)
@@ -40,9 +44,7 @@
 - [Advanced Topics](advanced-topics/index.md)
   - [Sharing Packages Between Machines](package-management/sharing-packages.md)
     - [Serving a Nix store via HTTP](package-management/binary-cache-substituter.md)
-    - [Copying Closures via SSH](package-management/copy-closure.md)
     - [Serving a Nix store via SSH](package-management/ssh-substituter.md)
-    - [Serving a Nix store via S3](package-management/s3-substituter.md)
   - [Remote Builds](advanced-topics/distributed-builds.md)
   - [Tuning Cores and Jobs](advanced-topics/cores-vs-jobs.md)
   - [Verifying Build Reproducibility](advanced-topics/diff-hook.md)
@@ -110,17 +112,25 @@
     - [Derivation](protocols/json/derivation.md)
   - [Serving Tarball Flakes](protocols/tarball-fetcher.md)
   - [Store Path Specification](protocols/store-path.md)
+  - [Nix Archive (NAR) Format](protocols/nix-archive.md)
   - [Derivation "ATerm" file format](protocols/derivation-aterm.md)
+- [C API](c-api.md)
 - [Glossary](glossary.md)
-- [Contributing](contributing/index.md)
-  - [Hacking](contributing/hacking.md)
-  - [Testing](contributing/testing.md)
-  - [Documentation](contributing/documentation.md)
-  - [Experimental Features](contributing/experimental-features.md)
-  - [CLI guideline](contributing/cli-guideline.md)
-  - [C++ style guide](contributing/cxx.md)
-- [Release Notes](release-notes/index.md)
+- [Development](development/index.md)
+  - [Building](development/building.md)
+  - [Testing](development/testing.md)
+  - [Documentation](development/documentation.md)
+  - [CLI guideline](development/cli-guideline.md)
+  - [JSON guideline](development/json-guideline.md)
+  - [C++ style guide](development/cxx.md)
+  - [Experimental Features](development/experimental-features.md)
+  - [Contributing](development/contributing.md)
+- [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
+  - [Release 2.24 (2024-07-31)](release-notes/rl-2.24.md)
+  - [Release 2.23 (2024-06-03)](release-notes/rl-2.23.md)
+  - [Release 2.22 (2024-04-23)](release-notes/rl-2.22.md)
+  - [Release 2.21 (2024-03-11)](release-notes/rl-2.21.md)
   - [Release 2.20 (2024-01-29)](release-notes/rl-2.20.md)
   - [Release 2.19 (2023-11-17)](release-notes/rl-2.19.md)
   - [Release 2.18 (2023-09-20)](release-notes/rl-2.18.md)

doc/manual/src/_redirects

@@ -1,5 +1,5 @@
 # redirect rules for paths (server-side) to prevent link rot.
-# see ./redirects.js for redirects based on URL fragments (client-side)
+# see ../redirects.js for redirects based on URL fragments (client-side)
 #
 # concrete user story this supports:
 # - user finds URL to the manual for Nix x.y
@@ -20,13 +20,24 @@
 
 /command-ref/command-ref /command-ref 301!
 
-/contributing/contributing /contributing 301!
+/contributing/contributing /development 301!
+/contributing /development 301!
+/contributing/hacking /development/building 301!
+/contributing/testing /development/testing 301!
+/contributing/documentation /development/documentation 301!
+/contributing/experimental-features /development/experimental-features 301!
+/contributing/cli-guideline /development/cli-guideline 301!
+/contributing/json-guideline /development/json-guideline 301!
+/contributing/cxx /development/cxx 301!
 
 /expressions/expression-language /language/ 301!
 /expressions/language-constructs /language/constructs 301!
 /expressions/language-operators /language/operators 301!
 /expressions/language-values /language/values 301!
 /expressions/* /language/:splat 301!
+/language/values /language/types 301!
+/language/constructs /language/syntax 301!
+/language/builtin-constants /language/builtins 301!
 
 /installation/installation /installation 301!
 
@@ -39,3 +50,5 @@
 /json/* /protocols/json/:splat 301!
 
 /release-notes/release-notes /release-notes 301!
+
+/package-management/copy-closure /command-ref/nix-copy-closure 301!

doc/manual/src/advanced-topics/distributed-builds.md

@@ -12,14 +12,14 @@ machine is accessible via SSH and that it has Nix installed. You can
 test whether connecting to the remote Nix instance works, e.g.
 
 ```console
-$ nix store info --store ssh://mac
+$ nix store ping --store ssh://mac
 ```
 
 will try to connect to the machine named `mac`. It is possible to
 specify an SSH identity file as part of the remote store URI, e.g.
 
 ```console
-$ nix store info --store ssh://mac?ssh-key=/home/alice/my-key
+$ nix store ping --store ssh://mac?ssh-key=/home/alice/my-key
 ```
 
 Since builds should be non-interactive, the key should not have a

doc/manual/src/architecture/architecture.md

@@ -69,7 +69,7 @@ It can also execute build plans to produce new data, which are made available to
 A build plan itself is a series of *build tasks*, together with their build inputs.
 
 > **Important**
-> A build task in Nix is called [derivation](../glossary.md#gloss-derivation).
+> A build task in Nix is called [derivation](@docroot@/glossary.md#gloss-derivation).
 
 Each build task has a special build input executed as *build instructions* in order to perform the build.
 The result of a build task can be input to another build task.

doc/manual/src/c-api.md

@@ -0,0 +1,16 @@
+# C API
+
+Nix provides a C API with the intent of [_becoming_](https://github.com/NixOS/nix/milestone/52) a stable API, which it is currently not.
+It is in development.
+
+See:
+- C API documentation for a recent build of master
+  - [Getting Started]
+  - [Index]
+- [Matrix Room *Nix Bindings*](https://matrix.to/#/#nix-bindings:nixos.org) for discussion and questions.
+- [Stabilisation Milestone](https://github.com/NixOS/nix/milestone/52)
+- [Other C API PRs and issues](https://github.com/NixOS/nix/labels/c%20api)
+- [Contributing C API Documentation](development/documentation.md#c-api-documentation), including how to build it locally.
+
+[Getting Started]: https://hydra.nixos.org/job/nix/master/external-api-docs/latest/download-by-type/doc/external-api-docs
+[Index]: https://hydra.nixos.org/job/nix/master/external-api-docs/latest/download-by-type/doc/external-api-docs/globals.html

doc/manual/src/command-ref/conf-file-prefix.md

@@ -66,5 +66,12 @@ Configuration options can be set on the command line, overriding the values set
 
 The `extra-` prefix is supported for settings that take a list of items (e.g. `--extra-trusted users alice` or `--option extra-trusted-users alice`).
 
+## Integer settings
+
+Settings that have an integer type support the suffixes `K`, `M`, `G`
+and `T`. These cause the specified value to be multiplied by 2^10,
+2^20, 2^30 and 2^40, respectively. For instance, `--min-free 1M` is
+equivalent to `--min-free 1048576`.
+
 # Available settings
 

doc/manual/src/command-ref/env-common.md

@@ -9,22 +9,26 @@ Most Nix commands interpret the following environment variables:
 
 - <span id="env-NIX_PATH">[`NIX_PATH`](#env-NIX_PATH)</span>
 
-  A colon-separated list of directories used to look up the location of Nix
-  expressions using [paths](@docroot@/language/values.md#type-path)
-  enclosed in angle brackets (i.e., `<path>`),
-  e.g. `/home/eelco/Dev:/etc/nixos`. It can be extended using the
-  [`-I` option](@docroot@/command-ref/opt-common.md#opt-I).
+  A colon-separated list of search path entries used to resolve [lookup paths](@docroot@/language/constructs/lookup-path.md).
 
-  If `NIX_PATH` is not set at all, Nix will fall back to the following list in [impure](@docroot@/command-ref/conf-file.md#conf-pure-eval) and [unrestricted](@docroot@/command-ref/conf-file.md#conf-restrict-eval) evaluation mode:
+  This environment variable overrides the value of the [`nix-path` configuration setting](@docroot@/command-ref/conf-file.md#conf-nix-path).
 
-  1. `$HOME/.nix-defexpr/channels`
-  2. `nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixpkgs`
-  3. `/nix/var/nix/profiles/per-user/root/channels`
+  It can be extended using the [`-I` option](@docroot@/command-ref/opt-common.md#opt-I).
+
+  > **Example**
+  >
+  > ```bash
+  > $ export NIX_PATH=`/home/eelco/Dev:nixos-config=/etc/nixos
+  > ```
 
   If `NIX_PATH` is set to an empty string, resolving search paths will always fail.
-  For example, attempting to use `<nixpkgs>` will produce:
 
-      error: file 'nixpkgs' was not found in the Nix search path
+  > **Example**
+  >
+  > ```bash
+  > $ NIX_PATH= nix-instantiate --eval '<nixpkgs>'
+  > error: file 'nixpkgs' was not found in the Nix search path (add it using $NIX_PATH or -I)
+  > ```
 
 - <span id="env-NIX_IGNORE_SYMLINK_STORE">[`NIX_IGNORE_SYMLINK_STORE`](#env-NIX_IGNORE_SYMLINK_STORE)</span>
 

doc/manual/src/command-ref/experimental-commands.md

@@ -1,6 +1,6 @@
 # Experimental Commands
 
-This section lists [experimental commands](@docroot@/contributing/experimental-features.md#xp-feature-nix-command).
+This section lists [experimental commands](@docroot@/development/experimental-features.md#xp-feature-nix-command).
 
 > **Warning**
 >

doc/manual/src/command-ref/nix-build.md

@@ -41,7 +41,7 @@ expression to a low-level [store derivation]) and [`nix-store
 --realise`](@docroot@/command-ref/nix-store/realise.md) (to build the store
 derivation).
 
-[store derivation]: ../glossary.md#gloss-store-derivation
+[store derivation]: @docroot@/glossary.md#gloss-store-derivation
 
 > **Warning**
 >
@@ -55,20 +55,20 @@ All options not listed here are passed to
 [`nix-store --realise`](nix-store/realise.md),
 except for `--arg` and `--attr` / `-A` which are passed to [`nix-instantiate`](nix-instantiate.md).
 
-  - <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>
+- <span id="opt-no-out-link">[`--no-out-link`](#opt-no-out-link)<span>
 
-    Do not create a symlink to the output path. Note that as a result
-    the output does not become a root of the garbage collector, and so
-    might be deleted by `nix-store --gc`.
+  Do not create a symlink to the output path. Note that as a result
+  the output does not become a root of the garbage collector, and so
+  might be deleted by `nix-store --gc`.
 
-  - <span id="opt-dry-run">[`--dry-run`](#opt-dry-run)</span>
+- <span id="opt-dry-run">[`--dry-run`](#opt-dry-run)</span>
 
-    Show what store paths would be built or downloaded.
+  Show what store paths would be built or downloaded.
 
-  - <span id="opt-out-link">[`--out-link`](#opt-out-link)</span> / `-o` *outlink*
+- <span id="opt-out-link">[`--out-link`](#opt-out-link)</span> / `-o` *outlink*
 
-    Change the name of the symlink to the output path created from
-    `result` to *outlink*.
+  Change the name of the symlink to the output path created from
+  `result` to *outlink*.
 
 {{#include ./status-build-failure.md}}
 

doc/manual/src/command-ref/nix-channel.md

@@ -27,40 +27,46 @@ The moving parts of channels are:
 
 This command has the following operations:
 
-  - `--add` *url* \[*name*\]\
-    Add a channel *name* located at *url* to the list of subscribed channels.
-    If *name* is omitted, default to the last component of *url*, with the suffixes `-stable` or `-unstable` removed.
+- `--add` *url* \[*name*\]
 
-    > **Note**
-    >
-    > `--add` does not automatically perform an update.
-    > Use `--update` explicitly.
+  Add a channel *name* located at *url* to the list of subscribed channels.
+  If *name* is omitted, default to the last component of *url*, with the suffixes `-stable` or `-unstable` removed.
 
-    A channel URL must point to a directory containing a file `nixexprs.tar.gz`.
-    At the top level, that tarball must contain a single directory with a `default.nix` file that serves as the channel’s entry point.
+  > **Note**
+  >
+  > `--add` does not automatically perform an update.
+  > Use `--update` explicitly.
 
-  - `--remove` *name*\
-    Remove the channel *name* from the list of subscribed channels.
+  A channel URL must point to a directory containing a file `nixexprs.tar.gz`.
+  At the top level, that tarball must contain a single directory with a `default.nix` file that serves as the channel’s entry point.
 
-  - `--list`\
-    Print the names and URLs of all subscribed channels on standard output.
+- `--remove` *name*
 
-  - `--update` \[*names*…\]\
-    Download the Nix expressions of subscribed channels and create a new generation.
-    Update all channels if none is specified, and only those included in *names* otherwise.
+  Remove the channel *name* from the list of subscribed channels.
 
-  - `--list-generations`\
-    Prints a list of all the current existing generations for the
-    channel profile.
+- `--list`
 
-    Works the same way as
-    ```
-    nix-env --profile /nix/var/nix/profiles/per-user/$USER/channels --list-generations
-    ```
+  Print the names and URLs of all subscribed channels on standard output.
 
-  - `--rollback` \[*generation*\]\
-    Revert channels to the state before the last call to `nix-channel --update`.
-    Optionally, you can specify a specific channel *generation* number to restore.
+- `--update` \[*names*…\]
+
+  Download the Nix expressions of subscribed channels and create a new generation.
+  Update all channels if none is specified, and only those included in *names* otherwise.
+
+- `--list-generations`
+
+  Prints a list of all the current existing generations for the
+  channel profile.
+
+  Works the same way as
+  ```
+  nix-env --profile /nix/var/nix/profiles/per-user/$USER/channels --list-generations
+  ```
+
+- `--rollback` \[*generation*\]
+
+  Revert channels to the state before the last call to `nix-channel --update`.
+  Optionally, you can specify a specific channel *generation* number to restore.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-collect-garbage.md

@@ -48,12 +48,14 @@ Instead, it looks in a few locations, and acts on all profiles it finds there:
 
 These options are for deleting old [profiles] prior to deleting unreachable [store objects].
 
-- <span id="opt-delete-old">[`--delete-old`](#opt-delete-old)</span> / `-d`\
+- <span id="opt-delete-old">[`--delete-old`](#opt-delete-old)</span> / `-d`
+
   Delete all old generations of profiles.
 
   This is the equivalent of invoking [`nix-env --delete-generations old`](@docroot@/command-ref/nix-env/delete-generations.md#generations-old) on each found profile.
 
-- <span id="opt-delete-older-than">[`--delete-older-than`](#opt-delete-older-than)</span> *period*\
+- <span id="opt-delete-older-than">[`--delete-older-than`](#opt-delete-older-than)</span> *period*
+
   Delete all generations of profiles older than the specified amount (except for the generations that were active at that point in time).
   *period* is a value such as `30d`, which would mean 30 days.
 
@@ -74,4 +76,4 @@ $ nix-collect-garbage -d
 ```
 
 [profiles]: @docroot@/command-ref/files/profiles.md
-[store objects]: @docroot@/glossary.md#gloss-store-object
+[store objects]: @docroot@/store/store-object.md

doc/manual/src/command-ref/nix-copy-closure.md

@@ -1,91 +1,91 @@
 # Name
 
-`nix-copy-closure` - copy a closure to or from a remote machine via SSH
+`nix-copy-closure` - copy store objects to or from a remote machine via SSH
 
 # Synopsis
 
 `nix-copy-closure`
-  [`--to` | `--from`]
+  [`--to` | `--from` ]
   [`--gzip`]
   [`--include-outputs`]
   [`--use-substitutes` | `-s`]
   [`-v`]
-  _user@machine_ _paths_
+  [_user_@]_machine_[:_port_] _paths_
 
 # Description
 
-`nix-copy-closure` gives you an easy and efficient way to exchange
-software between machines.  Given one or more Nix store _paths_ on the
-local machine, `nix-copy-closure` computes the closure of those paths
-(i.e. all their dependencies in the Nix store), and copies all paths
-in the closure to the remote machine via the `ssh` (Secure Shell)
-command.  With the `--from` option, the direction is reversed: the
-closure of _paths_ on a remote machine is copied to the Nix store on
-the local machine.
+Given _paths_ from one machine, `nix-copy-closure` computes the [closure](@docroot@/glossary.md#gloss-closure) of those paths (i.e. all their dependencies in the Nix store), and copies [store objects](@docroot@/glossary.md#gloss-store-object) in that closure to another machine via SSH.
+It doesn’t copy store objects that are already present on the other machine.
 
-This command is efficient because it only sends the store paths
-that are missing on the target machine.
+> **Note**
+>
+> While the Nix store to use on the local machine can be specified on the command line with the [`--store`](@docroot@/command-ref/conf-file.md#conf-store) option, the Nix store to be accessed on the remote machine can only be [configured statically](@docroot@/command-ref/conf-file.md#configuration-file) on that remote machine.
 
-Since `nix-copy-closure` calls `ssh`, you may be asked to type in the
-appropriate password or passphrase.  In fact, you may be asked _twice_
-because `nix-copy-closure` currently connects twice to the remote
-machine, first to get the set of paths missing on the target machine,
-and second to send the dump of those paths.  When using public key
-authentication, you can avoid typing the passphrase with `ssh-agent`.
+Since `nix-copy-closure` calls `ssh`, you may need to authenticate with the remote machine.
+In fact, you may be asked for authentication _twice_ because `nix-copy-closure` currently connects twice to the remote machine: first to get the set of paths missing on the target machine, and second to send the dump of those paths.
+When using public key authentication, you can avoid typing the passphrase with `ssh-agent`.
 
 # Options
 
-  - `--to`\
-    Copy the closure of _paths_ from the local Nix store to the Nix
-    store on _machine_. This is the default.
+- `--to`
 
-  - `--from`\
-    Copy the closure of _paths_ from the Nix store on _machine_ to the
-    local Nix store.
+  Copy the closure of _paths_ from a Nix store accessible from the local machine to the Nix store on the remote _machine_.
+  This is the default behavior.
 
-  - `--gzip`\
-    Enable compression of the SSH connection.
+- `--from`
 
-  - `--include-outputs`\
-    Also copy the outputs of [store derivation]s included in the closure.
+  Copy the closure of _paths_ from the Nix store on the remote _machine_ to the local machine's specified Nix store.
 
-    [store derivation]: ../glossary.md#gloss-store-derivation
+- `--gzip`
 
-  - `--use-substitutes` / `-s`\
-    Attempt to download missing paths on the target machine using Nix’s
-    substitute mechanism.  Any paths that cannot be substituted on the
-    target are still copied normally from the source.  This is useful,
-    for instance, if the connection between the source and target
-    machine is slow, but the connection between the target machine and
-    `nixos.org` (the default binary cache server) is
-    fast.
+  Enable compression of the SSH connection.
 
-  - `-v`\
-    Show verbose output.
+- `--include-outputs`
+
+  Also copy the outputs of [store derivation]s included in the closure.
+
+  [store derivation]: @docroot@/glossary.md#gloss-store-derivation
+
+- `--use-substitutes` / `-s`
+
+  Attempt to download missing store objects on the target from [substituters](@docroot@/command-ref/conf-file.md#conf-substituters).
+  Any store objects that cannot be substituted on the target are still copied normally from the source.
+  This is useful, for instance, if the connection between the source and target machine is slow, but the connection between the target machine and `cache.nixos.org` (the default binary cache server) is fast.
 
 {{#include ./opt-common.md}}
 
 # Environment variables
 
-  - `NIX_SSHOPTS`\
-    Additional options to be passed to `ssh` on the command
-    line.
+- `NIX_SSHOPTS`
+
+  Additional options to be passed to `ssh` on the command line.
 
 {{#include ./env-common.md}}
 
 # Examples
 
-Copy Firefox with all its dependencies to a remote machine:
+> **Example**
+>
+> Copy GNU Hello with all its dependencies to a remote machine:
+>
+> ```shell-session
+> $ storePath="$(nix-build '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello --no-out-link)"
+> $ nix-copy-closure --to alice@itchy.example.org "$storePath"
+> copying 5 paths...
+> copying path '/nix/store/nrwkk6ak3rgkrxbqhsscb01jpzmslf2r-xgcc-13.2.0-libgcc' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/gm61h1y42pqyl6178g90x8zm22n6pyy5-libunistring-1.1' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/ddfzjdykw67s20c35i7a6624by3iz5jv-libidn2-2.3.7' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/apab5i73dqa09wx0q27b6fbhd1r18ihl-glibc-2.39-31' to 'ssh://alice@itchy.example.org'...
+> copying path '/nix/store/g1n2vryg06amvcc1avb2mcq36faly0mh-hello-2.12.1' to 'ssh://alice@itchy.example.org'...
+> ```
 
-```console
-$ nix-copy-closure --to alice@itchy.labs $(type -tP firefox)
-```
-
-Copy Subversion from a remote machine and then install it into a user
-environment:
-
-```console
-$ nix-copy-closure --from alice@itchy.labs \
-    /nix/store/0dj0503hjxy5mbwlafv1rsbdiyx1gkdy-subversion-1.4.4
-$ nix-env --install /nix/store/0dj0503hjxy5mbwlafv1rsbdiyx1gkdy-subversion-1.4.4
-```
+> **Example**
+>
+> Copy GNU Hello from a remote machine using a known store path, and run it:
+>
+> ```shell-session
+> $ storePath="$(nix-instantiate --eval '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello.outPath | tr -d '"')"
+> $ nix-copy-closure --from alice@itchy.example.org "$storePath"
+> $ "$storePath"/bin/hello
+> Hello, world!
+> ```

doc/manual/src/command-ref/nix-env.md

@@ -47,39 +47,83 @@ These pages can be viewed offline:
 
   Example: `nix-env --help --install`
 
+# Package sources
+
+`nix-env` can obtain packages from multiple sources:
+
+- An attribute set of derivations from:
+  - The [default Nix expression](@docroot@/command-ref/files/default-nix-expression.md) (by default)
+  - A Nix file, specified via `--file`
+  - A [profile](@docroot@/command-ref/files/profiles.md), specified via `--from-profile`
+  - A Nix expression that is a function which takes default expression as argument, specified via `--from-expression`
+- A [store path](@docroot@/store/store-path.md)
+
 # Selectors
 
-Several commands, such as `nix-env --query ` and `nix-env --install `, take a list of
-arguments that specify the packages on which to operate. These are
-extended regular expressions that must match the entire name of the
-package. (For details on regular expressions, see **regex**(7).) The match is
-case-sensitive. The regular expression can optionally be followed by a
-dash and a version number; if omitted, any version of the package will
-match. Here are some examples:
+Several operations, such as [`nix-env --query`](./nix-env/query.md) and [`nix-env --install`](./nix-env/install.md), take a list of *arguments* that specify the packages on which to operate.
 
-  - `firefox`\
-    Matches the package name `firefox` and any version.
+Packages are identified based on a `name` part and a `version` part of a [symbolic derivation name](@docroot@/language/derivations.md#attr-names):
 
-  - `firefox-32.0`\
-    Matches the package name `firefox` and version `32.0`.
+- `name`: Everything up to but not including the first dash (`-`) that is *not* followed by a letter.
+- `version`: The rest, excluding the separating dash.
 
-  - `gtk\\+`\
-    Matches the package name `gtk+`. The `+` character must be escaped
-    using a backslash to prevent it from being interpreted as a
-    quantifier, and the backslash must be escaped in turn with another
-    backslash to ensure that the shell passes it on.
+> **Example**
+>
+> `nix-env` parses the symbolic derivation name `apache-httpd-2.0.48` as:
+>
+> ```json
+> {
+>   "name": "apache-httpd",
+>   "version": "2.0.48"
+> }
+> ```
 
-  - `.\*`\
-    Matches any package name. This is the default for most commands.
+> **Example**
+>
+> `nix-env` parses the symbolic derivation name `firefox.*` as:
+>
+> ```json
+> {
+>   "name": "firefox.*",
+>   "version": ""
+> }
+> ```
 
-  - `'.*zip.*'`\
-    Matches any package name containing the string `zip`. Note the dots:
-    `'*zip*'` does not work, because in a regular expression, the
-    character `*` is interpreted as a quantifier.
+The `name` parts of the *arguments* to `nix-env` are treated as extended regular expressions and matched against the `name` parts of derivation names in the package source.
+The match is case-sensitive.
+The regular expression can optionally be followed by a dash (`-`) and a version number; if omitted, any version of the package will match.
+For details on regular expressions, see [**regex**(7)](https://linux.die.net/man/7/regex).
 
-  - `'.*(firefox|chromium).*'`\
-    Matches any package name containing the strings `firefox` or
-    `chromium`.
+> **Example**
+>
+> Common patterns for finding package names with `nix-env`:
+>
+> - `firefox`
+>
+>   Matches the package name `firefox` and any version.
+>
+> - `firefox-32.0`
+>
+>   Matches the package name `firefox` and version `32.0`.
+>
+> - `gtk\\+`
+>
+>   Matches the package name `gtk+`.
+>   The `+` character must be escaped using a backslash (`\`) to prevent it from being interpreted as a quantifier, and the backslash must be escaped in turn with another backslash to ensure that the shell passes it on.
+>
+> - `.\*`
+>
+>   Matches any package name.
+>   This is the default for most commands.
+>
+> - `'.*zip.*'`
+>
+>   Matches any package name containing the string `zip`.
+>   Note the dots: `'*zip*'` does not work, because in a regular expression, the character `*` is interpreted as a quantifier.
+>
+> - `'.*(firefox|chromium).*'`
+>
+>   Matches any package name containing the strings `firefox` or `chromium`.
 
 # Files
 

doc/manual/src/command-ref/nix-env/delete-generations.md

@@ -12,7 +12,8 @@ This operation deletes the specified generations of the current profile.
 
 *generations* can be a one of the following:
 
-- <span id="generations-list">[`<number>...`](#generations-list)</span>:\
+- <span id="generations-list">[`<number>...`](#generations-list)</span>
+
   A list of generation numbers, each one a separate command-line argument.
 
   Delete exactly the profile generations given by their generation number.
@@ -30,7 +31,8 @@ This operation deletes the specified generations of the current profile.
   > Because one can roll back to a previous generation, it is possible to have generations newer than the current one.
   > They will also be deleted.
 
-- <span id="generations-time">[`<number>d`](#generations-time)</span>:\
+- <span id="generations-time">[`<number>d`](#generations-time)</span>
+
   The last *number* days
 
   *Example*: `30d`
@@ -38,7 +40,8 @@ This operation deletes the specified generations of the current profile.
   Delete all generations created more than *number* days ago, except the most recent one of them.
   This allows rolling back to generations that were available within the specified period.
 
-- <span id="generations-count">[`+<number>`](#generations-count)</span>:\
+- <span id="generations-count">[`+<number>`](#generations-count)</span>
+
   The last *number* generations up to the present
 
   *Example*: `+5`
@@ -49,7 +52,7 @@ Periodically deleting old generations is important to make garbage collection
 effective.
 The is because profiles are also garbage collection roots — any [store object] reachable from a profile is "alive" and ineligible for deletion.
 
-[store object]: @docroot@/glossary.md#gloss-store-object
+[store object]: @docroot@/store/store-object.md
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-env/env-common.md

@@ -1,6 +1,7 @@
 # Environment variables
 
-- `NIX_PROFILE`\
+- `NIX_PROFILE`
+
   Location of the Nix profile. Defaults to the target of the symlink
   `~/.nix-profile`, if it exists, or `/nix/var/nix/profiles/default`
   otherwise.

doc/manual/src/command-ref/nix-env/install.md

@@ -14,133 +14,132 @@
 
 # Description
 
-The install operation creates a new user environment.
+The `--install` operation creates a new user environment.
 It is based on the current generation of the active [profile](@docroot@/command-ref/files/profiles.md), to which a set of [store paths] described by *args* is added.
 
-[store paths]: @docroot@/glossary.md#gloss-store-path
+[store paths]: @docroot@/store/store-path.md
 
 The arguments *args* map to store paths in a number of possible ways:
 
+- By default, *args* is a set of [derivation] names denoting derivations in the [default Nix expression].
+  These are [realised], and the resulting output paths are installed.
+  Currently installed derivations with a name equal to the name of a derivation being added are removed unless the option `--preserve-installed` is specified.
 
-  - By default, *args* is a set of [derivation] names denoting derivations in the [default Nix expression].
-    These are [realised], and the resulting output paths are installed.
-    Currently installed derivations with a name equal to the name of a derivation being added are removed unless the option `--preserve-installed` is specified.
+  [derivation]: @docroot@/glossary.md#gloss-derivation
+  [default Nix expression]: @docroot@/command-ref/files/default-nix-expression.md
+  [realised]: @docroot@/glossary.md#gloss-realise
 
-    [derivation]: @docroot@/glossary.md#gloss-derivation
-    [default Nix expression]: @docroot@/command-ref/files/default-nix-expression.md
-    [realised]: @docroot@/glossary.md#gloss-realise
+  If there are multiple derivations matching a name in *args* that
+  have the same name (e.g., `gcc-3.3.6` and `gcc-4.1.1`), then the
+  derivation with the highest *priority* is used. A derivation can
+  define a priority by declaring the `meta.priority` attribute. This
+  attribute should be a number, with a higher value denoting a lower
+  priority. The default priority is `5`.
 
-    If there are multiple derivations matching a name in *args* that
-    have the same name (e.g., `gcc-3.3.6` and `gcc-4.1.1`), then the
-    derivation with the highest *priority* is used. A derivation can
-    define a priority by declaring the `meta.priority` attribute. This
-    attribute should be a number, with a higher value denoting a lower
-    priority. The default priority is `5`.
+  If there are multiple matching derivations with the same priority,
+  then the derivation with the highest version will be installed.
 
-    If there are multiple matching derivations with the same priority,
-    then the derivation with the highest version will be installed.
+  You can force the installation of multiple derivations with the same
+  name by being specific about the versions. For instance, `nix-env --install
+  gcc-3.3.6 gcc-4.1.1` will install both version of GCC (and will
+  probably cause a user environment conflict\!).
 
-    You can force the installation of multiple derivations with the same
-    name by being specific about the versions. For instance, `nix-env --install
-    gcc-3.3.6 gcc-4.1.1` will install both version of GCC (and will
-    probably cause a user environment conflict\!).
+- If [`--attr`](#opt-attr) / `-A` is specified, the arguments are *attribute paths* that select attributes from the [default Nix expression].
+  This is faster than using derivation names and unambiguous.
+  Show the attribute paths of available packages with [`nix-env --query`](./query.md):
 
-  - If [`--attr`](#opt-attr) / `-A` is specified, the arguments are *attribute paths* that select attributes from the [default Nix expression].
-    This is faster than using derivation names and unambiguous.
-    Show the attribute paths of available packages with [`nix-env --query`](./query.md):
+  ```console
+  nix-env --query --available --attr-path
+  ```
 
-    ```console
-    nix-env --query --available --attr-path`
-    ```
+- If `--from-profile` *path* is given, *args* is a set of names
+  denoting installed [store paths] in the profile *path*. This is an
+  easy way to copy user environment elements from one profile to
+  another.
 
-  - If `--from-profile` *path* is given, *args* is a set of names
-    denoting installed [store paths] in the profile *path*. This is an
-    easy way to copy user environment elements from one profile to
-    another.
+- If `--from-expression` is given, *args* are [Nix language functions](@docroot@/language/syntax.md#functions) that are called with the [default Nix expression] as their single argument.
+  The derivations returned by those function calls are installed.
+  This allows derivations to be specified in an unambiguous way, which is necessary if there are multiple derivations with the same name.
 
-  - If `--from-expression` is given, *args* are [Nix language functions](@docroot@/language/constructs.md#functions) that are called with the [default Nix expression] as their single argument.
-    The derivations returned by those function calls are installed.
-    This allows derivations to be specified in an unambiguous way, which is necessary if there are multiple derivations with the same name.
+- If *args* are [store derivations](@docroot@/glossary.md#gloss-store-derivation), then these are [realised], and the resulting output paths are installed.
 
-  - If *args* are [store derivations](@docroot@/glossary.md#gloss-store-derivation), then these are [realised], and the resulting output paths are installed.
+- If *args* are [store paths] that are not store derivations, then these are [realised] and installed.
 
-  - If *args* are [store paths] that are not store derivations, then these are [realised] and installed.
+- By default all [outputs](@docroot@/language/derivations.md#attr-outputs) are installed for each [derivation].
+  This can be overridden by adding a `meta.outputsToInstall` attribute on the derivation listing a subset of the output names.
 
-  - By default all [outputs](@docroot@/language/derivations.md#attr-outputs) are installed for each [derivation].
-    This can be overridden by adding a `meta.outputsToInstall` attribute on the derivation listing a subset of the output names.
+  Example:
 
-    Example:
+  The file `example.nix` defines a derivation with two outputs `foo` and `bar`, each containing a file.
 
-    The file `example.nix` defines a derivation with two outputs `foo` and `bar`, each containing a file.
+  ```nix
+  # example.nix
+  let
+    pkgs = import <nixpkgs> {};
+    command = ''
+      ${pkgs.coreutils}/bin/mkdir -p $foo $bar
+      echo foo > $foo/foo-file
+      echo bar > $bar/bar-file
+    '';
+  in
+  derivation {
+    name = "example";
+    builder = "${pkgs.bash}/bin/bash";
+    args = [ "-c" command ];
+    outputs = [ "foo" "bar" ];
+    system = builtins.currentSystem;
+  }
+  ```
 
-    ```nix
-    # example.nix
-    let
-      pkgs = import <nixpkgs> {};
-      command = ''
-        ${pkgs.coreutils}/bin/mkdir -p $foo $bar
-        echo foo > $foo/foo-file
-        echo bar > $bar/bar-file
-      '';
-    in
-    derivation {
-      name = "example";
-      builder = "${pkgs.bash}/bin/bash";
-      args = [ "-c" command ];
-      outputs = [ "foo" "bar" ];
-      system = builtins.currentSystem;
-    }
-    ```
+  Installing from this Nix expression will make files from both outputs appear in the current profile.
 
-    Installing from this Nix expression will make files from both outputs appear in the current profile.
+  ```console
+  $ nix-env --install --file example.nix
+  installing 'example'
+  $ ls ~/.nix-profile
+  foo-file
+  bar-file
+  manifest.nix
+  ```
 
-    ```console
-    $ nix-env --install --file example.nix
-    installing 'example'
-    $ ls ~/.nix-profile
-    foo-file
-    bar-file
-    manifest.nix
-    ```
+  Adding `meta.outputsToInstall` to that derivation will make `nix-env` only install files from the specified outputs.
 
-    Adding `meta.outputsToInstall` to that derivation will make `nix-env` only install files from the specified outputs.
+  ```nix
+  # example-outputs.nix
+  import ./example.nix // { meta.outputsToInstall = [ "bar" ]; }
+  ```
 
-    ```nix
-    # example-outputs.nix
-    import ./example.nix // { meta.outputsToInstall = [ "bar" ]; }
-    ```
-
-    ```console
-    $ nix-env --install --file example-outputs.nix
-    installing 'example'
-    $ ls ~/.nix-profile
-    bar-file
-    manifest.nix
-    ```
+  ```console
+  $ nix-env --install --file example-outputs.nix
+  installing 'example'
+  $ ls ~/.nix-profile
+  bar-file
+  manifest.nix
+  ```
 
 # Options
 
-  - `--prebuilt-only` / `-b`
+- `--prebuilt-only` / `-b`
 
-    Use only derivations for which a substitute is registered, i.e.,
-    there is a pre-built binary available that can be downloaded in lieu
-    of building the derivation. Thus, no packages will be built from
-    source.
+  Use only derivations for which a substitute is registered, i.e.,
+  there is a pre-built binary available that can be downloaded in lieu
+  of building the derivation. Thus, no packages will be built from
+  source.
 
-  - `--preserve-installed` / `-P`
+- `--preserve-installed` / `-P`
 
-    Do not remove derivations with a name matching one of the
-    derivations being installed. Usually, trying to have two versions of
-    the same package installed in the same generation of a profile will
-    lead to an error in building the generation, due to file name
-    clashes between the two versions. However, this is not the case for
-    all packages.
+  Do not remove derivations with a name matching one of the
+  derivations being installed. Usually, trying to have two versions of
+  the same package installed in the same generation of a profile will
+  lead to an error in building the generation, due to file name
+  clashes between the two versions. However, this is not the case for
+  all packages.
 
-  - `--remove-all` / `-r`
+- `--remove-all` / `-r`
 
-    Remove all previously installed packages first. This is equivalent
-    to running `nix-env --uninstall '.*'` first, except that everything happens
-    in a single transaction.
+  Remove all previously installed packages first. This is equivalent
+  to running `nix-env --uninstall '.*'` first, except that everything happens
+  in a single transaction.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-env/opt-common.md

@@ -2,34 +2,37 @@
 
 The following options are allowed for all `nix-env` operations, but may not always have an effect.
 
-  - `--file` / `-f` *path*\
-    Specifies the Nix expression (designated below as the *active Nix
-    expression*) used by the `--install`, `--upgrade`, and `--query
-    --available` operations to obtain derivations. The default is
-    `~/.nix-defexpr`.
+- `--file` / `-f` *path*
 
-    If the argument starts with `http://` or `https://`, it is
-    interpreted as the URL of a tarball that will be downloaded and
-    unpacked to a temporary location. The tarball must include a single
-    top-level directory containing at least a file named `default.nix`.
+  Specifies the Nix expression (designated below as the *active Nix
+  expression*) used by the `--install`, `--upgrade`, and `--query
+  --available` operations to obtain derivations. The default is
+  `~/.nix-defexpr`.
 
-  - `--profile` / `-p` *path*\
-    Specifies the profile to be used by those operations that operate on
-    a profile (designated below as the *active profile*). A profile is a
-    sequence of user environments called *generations*, one of which is
-    the *current generation*.
+  If the argument starts with `http://` or `https://`, it is
+  interpreted as the URL of a tarball that will be downloaded and
+  unpacked to a temporary location. The tarball must include a single
+  top-level directory containing at least a file named `default.nix`.
 
-  - `--dry-run`\
-    For the `--install`, `--upgrade`, `--uninstall`,
-    `--switch-generation`, `--delete-generations` and `--rollback`
-    operations, this flag will cause `nix-env` to print what *would* be
-    done if this flag had not been specified, without actually doing it.
+- `--profile` / `-p` *path*
 
-    `--dry-run` also prints out which paths will be
-    [substituted](@docroot@/glossary.md) (i.e., downloaded) and which paths
-    will be built from source (because no substitute is available).
+  Specifies the profile to be used by those operations that operate on
+  a profile (designated below as the *active profile*). A profile is a
+  sequence of user environments called *generations*, one of which is
+  the *current generation*.
 
-  - `--system-filter` *system*\
-    By default, operations such as `--query
-                    --available` show derivations matching any platform. This option
-    allows you to use derivations for the specified platform *system*.
+- `--dry-run`
+
+  For the `--install`, `--upgrade`, `--uninstall`,
+  `--switch-generation`, `--delete-generations` and `--rollback`
+  operations, this flag will cause `nix-env` to print what *would* be
+  done if this flag had not been specified, without actually doing it.
+
+  `--dry-run` also prints out which paths will be
+  [substituted](@docroot@/glossary.md) (i.e., downloaded) and which paths
+  will be built from source (because no substitute is available).
+
+- `--system-filter` *system*
+
+  By default, operations such as `--query --available` show derivations matching any platform. This option
+  allows you to use derivations for the specified platform *system*.

doc/manual/src/command-ref/nix-env/query.md

@@ -35,11 +35,13 @@ The derivations are sorted by their `name` attributes.
 The following flags specify the set of things on which the query
 operates.
 
-  - `--installed`\
+  - `--installed`
+
     The query operates on the store paths that are installed in the
     current generation of the active profile. This is the default.
 
-  - `--available`; `-a`\
+  - `--available` / `-a`
+
     The query operates on the derivations that are available in the
     active Nix expression.
 
@@ -50,24 +52,28 @@ selected derivations. Multiple flags may be specified, in which case the
 information is shown in the order given here. Note that the name of the
 derivation is shown unless `--no-name` is specified.
 
-  - `--xml`\
+  - `--xml`
+
     Print the result in an XML representation suitable for automatic
     processing by other tools. The root element is called `items`, which
     contains a `item` element for each available or installed
     derivation. The fields discussed below are all stored in attributes
     of the `item` elements.
 
-  - `--json`\
+  - `--json`
+
     Print the result in a JSON representation suitable for automatic
     processing by other tools.
 
-  - `--prebuilt-only` / `-b`\
+  - `--prebuilt-only` / `-b`
+
     Show only derivations for which a substitute is registered, i.e.,
     there is a pre-built binary available that can be downloaded in lieu
     of building the derivation. Thus, this shows all packages that
     probably can be installed quickly.
 
-  - `--status`; `-s`\
+  - `--status` / `-s`
+
     Print the *status* of the derivation. The status consists of three
     characters. The first is `I` or `-`, indicating whether the
     derivation is currently installed in the current generation of the
@@ -78,49 +84,61 @@ derivation is shown unless `--no-name` is specified.
     derivation to be built. The third is `S` or `-`, indicating whether
     a substitute is available for the derivation.
 
-  - `--attr-path`; `-P`\
+  - `--attr-path` / `-P`
+
     Print the *attribute path* of the derivation, which can be used to
     unambiguously select it using the `--attr` option available in
     commands that install derivations like `nix-env --install`. This
     option only works together with `--available`
 
-  - `--no-name`\
+  - `--no-name`
+
     Suppress printing of the `name` attribute of each derivation.
 
-  - `--compare-versions` / `-c`\
+  - `--compare-versions` / `-c`
+
     Compare installed versions to available versions, or vice versa (if
     `--available` is given). This is useful for quickly seeing whether
     upgrades for installed packages are available in a Nix expression. A
     column is added with the following meaning:
 
-      - `<` *version*\
+      - `<` *version*
+
         A newer version of the package is available or installed.
 
-      - `=` *version*\
+      - `=` *version*
+
         At most the same version of the package is available or
         installed.
 
-      - `>` *version*\
+      - `>` *version*
+
         Only older versions of the package are available or installed.
 
-      - `- ?`\
+      - `- ?`
+
         No version of the package is available or installed.
 
-  - `--system`\
+  - `--system`
+
     Print the `system` attribute of the derivation.
 
-  - `--drv-path`\
+  - `--drv-path`
+
     Print the path of the [store derivation](@docroot@/glossary.md#gloss-store-derivation).
 
-  - `--out-path`\
+  - `--out-path`
+
     Print the output path of the derivation.
 
-  - `--description`\
+  - `--description`
+
     Print a short (one-line) description of the derivation, if
     available. The description is taken from the `meta.description`
     attribute of the derivation.
 
-  - `--meta`\
+  - `--meta`
+
     Print all of the meta-attributes of the derivation. This option is
     only available with `--xml` or `--json`.
 

doc/manual/src/command-ref/nix-env/set-flag.md

@@ -13,24 +13,24 @@ to be modified. There are several attributes that can be usefully
 modified, because they affect the behaviour of `nix-env` or the user
 environment build script:
 
-  - `priority` can be changed to resolve filename clashes. The user
-    environment build script uses the `meta.priority` attribute of
-    derivations to resolve filename collisions between packages. Lower
-    priority values denote a higher priority. For instance, the GCC
-    wrapper package and the Binutils package in Nixpkgs both have a file
-    `bin/ld`, so previously if you tried to install both you would get a
-    collision. Now, on the other hand, the GCC wrapper declares a higher
-    priority than Binutils, so the former’s `bin/ld` is symlinked in the
-    user environment.
+- `priority` can be changed to resolve filename clashes. The user
+  environment build script uses the `meta.priority` attribute of
+  derivations to resolve filename collisions between packages. Lower
+  priority values denote a higher priority. For instance, the GCC
+  wrapper package and the Binutils package in Nixpkgs both have a file
+  `bin/ld`, so previously if you tried to install both you would get a
+  collision. Now, on the other hand, the GCC wrapper declares a higher
+  priority than Binutils, so the former’s `bin/ld` is symlinked in the
+  user environment.
 
-  - `keep` can be set to `true` to prevent the package from being
-    upgraded or replaced. This is useful if you want to hang on to an
-    older version of a package.
+- `keep` can be set to `true` to prevent the package from being
+  upgraded or replaced. This is useful if you want to hang on to an
+  older version of a package.
 
-  - `active` can be set to `false` to “disable” the package. That is, no
-    symlinks will be generated to the files of the package, but it
-    remains part of the profile (so it won’t be garbage-collected). It
-    can be set back to `true` to re-enable the package.
+- `active` can be set to `false` to “disable” the package. That is, no
+  symlinks will be generated to the files of the package, but it
+  remains part of the profile (so it won’t be garbage-collected). It
+  can be set back to `true` to re-enable the package.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-env/upgrade.md

@@ -28,42 +28,48 @@ version is installed.
 
 # Flags
 
-  - `--lt`\
-    Only upgrade a derivation to newer versions. This is the default.
+- `--lt`
 
-  - `--leq`\
-    In addition to upgrading to newer versions, also “upgrade” to
-    derivations that have the same version. Version are not a unique
-    identification of a derivation, so there may be many derivations
-    that have the same version. This flag may be useful to force
-    “synchronisation” between the installed and available derivations.
+  Only upgrade a derivation to newer versions. This is the default.
 
-  - `--eq`\
-    *Only* “upgrade” to derivations that have the same version. This may
-    not seem very useful, but it actually is, e.g., when there is a new
-    release of Nixpkgs and you want to replace installed applications
-    with the same versions built against newer dependencies (to reduce
-    the number of dependencies floating around on your system).
+- `--leq`
 
-  - `--always`\
-    In addition to upgrading to newer versions, also “upgrade” to
-    derivations that have the same or a lower version. I.e., derivations
-    may actually be downgraded depending on what is available in the
-    active Nix expression.
+  In addition to upgrading to newer versions, also “upgrade” to
+  derivations that have the same version. Version are not a unique
+  identification of a derivation, so there may be many derivations
+  that have the same version. This flag may be useful to force
+  “synchronisation” between the installed and available derivations.
 
-  - `--prebuilt-only` / `-b`\
-    Use only derivations for which a substitute is registered, i.e.,
-    there is a pre-built binary available that can be downloaded in lieu
-    of building the derivation. Thus, no packages will be built from
-    source.
+- `--eq`
 
-  - `--preserve-installed` / `-P`\
-    Do not remove derivations with a name matching one of the
-    derivations being installed. Usually, trying to have two versions of
-    the same package installed in the same generation of a profile will
-    lead to an error in building the generation, due to file name
-    clashes between the two versions. However, this is not the case for
-    all packages.
+  *Only* “upgrade” to derivations that have the same version. This may
+  not seem very useful, but it actually is, e.g., when there is a new
+  release of Nixpkgs and you want to replace installed applications
+  with the same versions built against newer dependencies (to reduce
+  the number of dependencies floating around on your system).
+
+- `--always`
+
+  In addition to upgrading to newer versions, also “upgrade” to
+  derivations that have the same or a lower version. I.e., derivations
+  may actually be downgraded depending on what is available in the
+  active Nix expression.
+
+- `--prebuilt-only` / `-b`
+
+  Use only derivations for which a substitute is registered, i.e.,
+  there is a pre-built binary available that can be downloaded in lieu
+  of building the derivation. Thus, no packages will be built from
+  source.
+
+- `--preserve-installed` / `-P`
+
+  Do not remove derivations with a name matching one of the
+  derivations being installed. Usually, trying to have two versions of
+  the same package installed in the same generation of a profile will
+  lead to an error in building the generation, due to file name
+  clashes between the two versions. However, this is not the case for
+  all packages.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-hash.md

@@ -20,58 +20,74 @@ an example.
 The hash is computed over a *serialisation* of each path: a dump of
 the file system tree rooted at the path. This allows directories and
 symlinks to be hashed as well as regular files. The dump is in the
-*NAR format* produced by [`nix-store
+*[Nix Archive (NAR)][Nix Archive] format* produced by [`nix-store
 --dump`](@docroot@/command-ref/nix-store/dump.md).  Thus, `nix-hash path`
 yields the same cryptographic hash as `nix-store --dump path |
 md5sum`.
 
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive
+
 # Options
 
-  - `--flat`\
-    Print the cryptographic hash of the contents of each regular file
-    *path*. That is, do not compute the hash over the dump of *path*.
-    The result is identical to that produced by the GNU commands
-    `md5sum` and `sha1sum`.
+- `--flat`
 
-  - `--base16`\
-    Print the hash in a hexadecimal representation (default).
+  Print the cryptographic hash of the contents of each regular file *path*.
+  That is, instead of computing
+  the hash of the [Nix Archive (NAR)](@docroot@/store/file-system-object/content-address.md#serial-nix-archive) of *path*,
+  just [directly hash]((@docroot@/store/file-system-object/content-address.md#serial-flat) *path* as is.
+  This requires *path* to resolve to a regular file rather than directory.
+  The result is identical to that produced by the GNU commands
+  `md5sum` and `sha1sum`.
 
-  - `--base32`\
-    Print the hash in a base-32 representation rather than hexadecimal.
-    This base-32 representation is more compact and can be used in Nix
-    expressions (such as in calls to `fetchurl`).
+- `--base16`
 
-  - `--base64`\
-    Similar to --base32, but print the hash in a base-64 representation,
-    which is more compact than the base-32 one.
+  Print the hash in a hexadecimal representation (default).
 
-  - `--sri`\
-    Print the hash in SRI format with base-64 encoding.
-    The type of hash algorithm will be prepended to the hash string,
-    followed by a hyphen (-) and the base-64 hash body.
+- `--base32`
 
-  - `--truncate`\
-    Truncate hashes longer than 160 bits (such as SHA-256) to 160 bits.
+  Print the hash in a base-32 representation rather than hexadecimal.
+  This base-32 representation is more compact and can be used in Nix
+  expressions (such as in calls to `fetchurl`).
 
-  - `--type` *hashAlgo*\
-    Use the specified cryptographic hash algorithm, which can be one of
-    `md5`, `sha1`, `sha256`, and `sha512`.
+- `--base64`
 
-  - `--to-base16`\
-    Don’t hash anything, but convert the base-32 hash representation
-    *hash* to hexadecimal.
+  Similar to --base32, but print the hash in a base-64 representation,
+  which is more compact than the base-32 one.
 
-  - `--to-base32`\
-    Don’t hash anything, but convert the hexadecimal hash representation
-    *hash* to base-32.
+- `--sri`
 
-  - `--to-base64`\
-    Don’t hash anything, but convert the hexadecimal hash representation
-    *hash* to base-64.
+  Print the hash in SRI format with base-64 encoding.
+  The type of hash algorithm will be prepended to the hash string,
+  followed by a hyphen (-) and the base-64 hash body.
 
-  - `--to-sri`\
-    Don’t hash anything, but convert the hexadecimal hash representation
-    *hash* to SRI.
+- `--truncate`
+
+  Truncate hashes longer than 160 bits (such as SHA-256) to 160 bits.
+
+- `--type` *hashAlgo*
+
+  Use the specified cryptographic hash algorithm, which can be one of
+  `md5`, `sha1`, `sha256`, and `sha512`.
+
+- `--to-base16`
+
+  Don’t hash anything, but convert the base-32 hash representation
+  *hash* to hexadecimal.
+
+- `--to-base32`
+
+  Don’t hash anything, but convert the hexadecimal hash representation
+  *hash* to base-32.
+
+- `--to-base64`
+
+  Don’t hash anything, but convert the hexadecimal hash representation
+  *hash* to base-64.
+
+- `--to-sri`
+
+  Don’t hash anything, but convert the hexadecimal hash representation
+  *hash* to SRI.
 
 # Examples
 

doc/manual/src/command-ref/nix-instantiate.md

@@ -23,96 +23,104 @@ It evaluates the Nix expressions in each of *files* (which defaults to
 derivation, a list of derivations, or a set of derivations. The paths
 of the resulting store derivations are printed on standard output.
 
-[store derivation]: ../glossary.md#gloss-store-derivation
+[store derivation]: @docroot@/glossary.md#gloss-store-derivation
 
 If *files* is the character `-`, then a Nix expression will be read from
 standard input.
 
 # Options
 
-  - `--add-root` *path*\
-    See the [corresponding option](nix-store.md) in `nix-store`.
+- `--add-root` *path*
 
-  - `--parse`\
-    Just parse the input files, and print their abstract syntax trees on
-    standard output as a Nix expression.
+  See the [corresponding option](nix-store.md) in `nix-store`.
 
-  - `--eval`\
-    Just parse and evaluate the input files, and print the resulting
-    values on standard output. No instantiation of store derivations
-    takes place.
+- `--parse`
 
-    > **Warning**
-    >
-    > This option produces output which can be parsed as a Nix expression which
-    > will produce a different result than the input expression when evaluated.
-    > For example, these two Nix expressions print the same result despite
-    > having different meaning:
-    >
-    > ```console
-    > $ nix-instantiate --eval --expr '{ a = {}; }'
-    > { a = <CODE>; }
-    > $ nix-instantiate --eval --expr '{ a = <CODE>; }'
-    > { a = <CODE>; }
-    > ```
-    >
-    > For human-readable output, `nix eval` (experimental) is more informative:
-    >
-    > ```console
-    > $ nix-instantiate --eval --expr 'a: a'
-    > <LAMBDA>
-    > $ nix eval --expr 'a: a'
-    > «lambda @ «string»:1:1»
-    > ```
-    >
-    > For machine-readable output, the `--xml` option produces unambiguous
-    > output:
-    >
-    > ```console
-    > $ nix-instantiate --eval --xml --expr '{ foo = <CODE>; }'
-    > <?xml version='1.0' encoding='utf-8'?>
-    > <expr>
-    >   <attrs>
-    >     <attr column="3" line="1" name="foo">
-    >       <unevaluated />
-    >     </attr>
-    >   </attrs>
-    > </expr>
-    > ```
+  Just parse the input files, and print their abstract syntax trees on
+  standard output as a Nix expression.
 
-  - `--find-file`\
-    Look up the given files in Nix’s search path (as specified by the
-    `NIX_PATH` environment variable). If found, print the corresponding
-    absolute paths on standard output. For instance, if `NIX_PATH` is
-    `nixpkgs=/home/alice/nixpkgs`, then `nix-instantiate --find-file
-    nixpkgs/default.nix` will print `/home/alice/nixpkgs/default.nix`.
+- `--eval`
 
-  - `--strict`\
-    When used with `--eval`, recursively evaluate list elements and
-    attributes. Normally, such sub-expressions are left unevaluated
-    (since the Nix language is lazy).
+  Just parse and evaluate the input files, and print the resulting
+  values on standard output. No instantiation of store derivations
+  takes place.
 
-    > **Warning**
-    >
-    > This option can cause non-termination, because lazy data
-    > structures can be infinitely large.
+  > **Warning**
+  >
+  > This option produces output which can be parsed as a Nix expression which
+  > will produce a different result than the input expression when evaluated.
+  > For example, these two Nix expressions print the same result despite
+  > having different meaning:
+  >
+  > ```console
+  > $ nix-instantiate --eval --expr '{ a = {}; }'
+  > { a = <CODE>; }
+  > $ nix-instantiate --eval --expr '{ a = <CODE>; }'
+  > { a = <CODE>; }
+  > ```
+  >
+  > For human-readable output, `nix eval` (experimental) is more informative:
+  >
+  > ```console
+  > $ nix-instantiate --eval --expr 'a: a'
+  > <LAMBDA>
+  > $ nix eval --expr 'a: a'
+  > «lambda @ «string»:1:1»
+  > ```
+  >
+  > For machine-readable output, the `--xml` option produces unambiguous
+  > output:
+  >
+  > ```console
+  > $ nix-instantiate --eval --xml --expr '{ foo = <CODE>; }'
+  > <?xml version='1.0' encoding='utf-8'?>
+  > <expr>
+  >   <attrs>
+  >     <attr column="3" line="1" name="foo">
+  >       <unevaluated />
+  >     </attr>
+  >   </attrs>
+  > </expr>
+  > ```
 
-  - `--json`\
-    When used with `--eval`, print the resulting value as an JSON
-    representation of the abstract syntax tree rather than as a Nix expression.
+- `--find-file`
 
-  - `--xml`\
-    When used with `--eval`, print the resulting value as an XML
-    representation of the abstract syntax tree rather than as a Nix expression.
-    The schema is the same as that used by the [`toXML`
-    built-in](../language/builtins.md).
+  Look up the given files in Nix’s search path (as specified by the
+  `NIX_PATH` environment variable). If found, print the corresponding
+  absolute paths on standard output. For instance, if `NIX_PATH` is
+  `nixpkgs=/home/alice/nixpkgs`, then `nix-instantiate --find-file
+  nixpkgs/default.nix` will print `/home/alice/nixpkgs/default.nix`.
 
-  - `--read-write-mode`\
-    When used with `--eval`, perform evaluation in read/write mode so
-    nix language features that require it will still work (at the cost
-    of needing to do instantiation of every evaluated derivation). If
-    this option is not enabled, there may be uninstantiated store paths
-    in the final output.
+- `--strict`
+
+  When used with `--eval`, recursively evaluate list elements and
+  attributes. Normally, such sub-expressions are left unevaluated
+  (since the Nix language is lazy).
+
+  > **Warning**
+  >
+  > This option can cause non-termination, because lazy data
+  > structures can be infinitely large.
+
+- `--json`
+
+  When used with `--eval`, print the resulting value as an JSON
+  representation of the abstract syntax tree rather than as a Nix expression.
+
+- `--xml`
+
+  When used with `--eval`, print the resulting value as an XML
+  representation of the abstract syntax tree rather than as a Nix expression.
+  The schema is the same as that used by the [`toXML`
+  built-in](../language/builtins.md).
+
+- `--read-write-mode`
+
+  When used with `--eval`, perform evaluation in read/write mode so
+  nix language features that require it will still work (at the cost
+  of needing to do instantiation of every evaluated derivation). If
+  this option is not enabled, there may be uninstantiated store paths
+  in the final output.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-prefetch-url.md

@@ -39,27 +39,32 @@ the path of the downloaded file in the Nix store is also printed.
 
 # Options
 
-  - `--type` *hashAlgo*\
-    Use the specified cryptographic hash algorithm,
-    which can be one of `md5`, `sha1`, `sha256`, and `sha512`.
-    The default is `sha256`.
+- `--type` *hashAlgo*
 
-  - `--print-path`\
-    Print the store path of the downloaded file on standard output.
+  Use the specified cryptographic hash algorithm,
+  which can be one of `md5`, `sha1`, `sha256`, and `sha512`.
+  The default is `sha256`.
 
-  - `--unpack`\
-    Unpack the archive (which must be a tarball or zip file) and add the
-    result to the Nix store. The resulting hash can be used with
-    functions such as Nixpkgs’s `fetchzip` or `fetchFromGitHub`.
+- `--print-path`
 
-  - `--executable`\
-    Set the executable bit on the downloaded file.
+  Print the store path of the downloaded file on standard output.
 
-  - `--name` *name*\
-    Override the name of the file in the Nix store. By default, this is
-    `hash-basename`, where *basename* is the last component of *url*.
-    Overriding the name is necessary when *basename* contains characters
-    that are not allowed in Nix store paths.
+- `--unpack`
+
+  Unpack the archive (which must be a tarball or zip file) and add the
+  result to the Nix store. The resulting hash can be used with
+  functions such as Nixpkgs’s `fetchzip` or `fetchFromGitHub`.
+
+- `--executable`
+
+  Set the executable bit on the downloaded file.
+
+- `--name` *name*
+
+  Override the name of the file in the Nix store. By default, this is
+  `hash-basename`, where *basename* is the last component of *url*.
+  Overriding the name is necessary when *basename* contains characters
+  that are not allowed in Nix store paths.
 
 # Examples
 

doc/manual/src/command-ref/nix-shell.md

@@ -60,55 +60,63 @@ All options not listed here are passed to `nix-store
 --realise`, except for `--arg` and `--attr` / `-A` which are passed to
 `nix-instantiate`.
 
-  - `--command` *cmd*\
-    In the environment of the derivation, run the shell command *cmd*.
-    This command is executed in an interactive shell. (Use `--run` to
-    use a non-interactive shell instead.) However, a call to `exit` is
-    implicitly added to the command, so the shell will exit after
-    running the command. To prevent this, add `return` at the end;
-    e.g.  `--command "echo Hello; return"` will print `Hello` and then
-    drop you into the interactive shell. This can be useful for doing
-    any additional initialisation.
+- `--command` *cmd*
 
-  - `--run` *cmd*\
-    Like `--command`, but executes the command in a non-interactive
-    shell. This means (among other things) that if you hit Ctrl-C while
-    the command is running, the shell exits.
+  In the environment of the derivation, run the shell command *cmd*.
+  This command is executed in an interactive shell. (Use `--run` to
+  use a non-interactive shell instead.) However, a call to `exit` is
+  implicitly added to the command, so the shell will exit after
+  running the command. To prevent this, add `return` at the end;
+  e.g.  `--command "echo Hello; return"` will print `Hello` and then
+  drop you into the interactive shell. This can be useful for doing
+  any additional initialisation.
 
-  - `--exclude` *regexp*\
-    Do not build any dependencies whose store path matches the regular
-    expression *regexp*. This option may be specified multiple times.
+- `--run` *cmd*
 
-  - `--pure`\
-    If this flag is specified, the environment is almost entirely
-    cleared before the interactive shell is started, so you get an
-    environment that more closely corresponds to the “real” Nix build. A
-    few variables, in particular `HOME`, `USER` and `DISPLAY`, are
-    retained.
+  Like `--command`, but executes the command in a non-interactive
+  shell. This means (among other things) that if you hit Ctrl-C while
+  the command is running, the shell exits.
 
-  - `--packages` / `-p` *packages*…\
-    Set up an environment in which the specified packages are present.
-    The command line arguments are interpreted as attribute names inside
-    the Nix Packages collection. Thus, `nix-shell --packages libjpeg openjdk`
-    will start a shell in which the packages denoted by the attribute
-    names `libjpeg` and `openjdk` are present.
+- `--exclude` *regexp*
 
-  - `-i` *interpreter*\
-    The chained script interpreter to be invoked by `nix-shell`. Only
-    applicable in `#!`-scripts (described below).
+  Do not build any dependencies whose store path matches the regular
+  expression *regexp*. This option may be specified multiple times.
 
-  - `--keep` *name*\
-    When a `--pure` shell is started, keep the listed environment
-    variables.
+- `--pure`
+
+  If this flag is specified, the environment is almost entirely
+  cleared before the interactive shell is started, so you get an
+  environment that more closely corresponds to the “real” Nix build. A
+  few variables, in particular `HOME`, `USER` and `DISPLAY`, are
+  retained.
+
+- `--packages` / `-p` *packages*…
+
+  Set up an environment in which the specified packages are present.
+  The command line arguments are interpreted as attribute names inside
+  the Nix Packages collection. Thus, `nix-shell --packages libjpeg openjdk`
+  will start a shell in which the packages denoted by the attribute
+  names `libjpeg` and `openjdk` are present.
+
+- `-i` *interpreter*
+
+  The chained script interpreter to be invoked by `nix-shell`. Only
+  applicable in `#!`-scripts (described below).
+
+- `--keep` *name*
+
+  When a `--pure` shell is started, keep the listed environment
+  variables.
 
 {{#include ./opt-common.md}}
 
 # Environment variables
 
-  - `NIX_BUILD_SHELL`\
-    Shell used to start the interactive environment. Defaults to the
-    `bash` found in `<nixpkgs>`, falling back to the `bash` found in
-    `PATH` if not found.
+- `NIX_BUILD_SHELL`
+
+  Shell used to start the interactive environment. Defaults to the
+  `bash` found in `<nixpkgs>`, falling back to the `bash` found in
+  `PATH` if not found.
 
 {{#include ./env-common.md}}
 
@@ -202,14 +210,14 @@ For example, here is a Python script that depends on Python and the
 
 ```python
 #! /usr/bin/env nix-shell
-#! nix-shell -i python --packages python pythonPackages.prettytable
+#! nix-shell -i python3 --packages python3 python3Packages.prettytable
 
 import prettytable
 
 # Print a simple table.
 t = prettytable.PrettyTable(["N", "N^2"])
 for n in range(1, 10): t.add_row([n, n * n])
-print t
+print(t)
 ```
 
 Similarly, the following is a Perl script that specifies that it
@@ -289,3 +297,8 @@ with import <nixpkgs> {};
 
 runCommand "dummy" { buildInputs = [ python pythonPackages.prettytable ]; } ""
 ```
+
+The script's file name is passed as the first argument to the interpreter specified by the `-i` flag.
+
+Aside from the very first line, which is a directive to the operating system, the additional `#! nix-shell` lines do not need to be at the beginning of the file.
+This allows wrapping them in block comments for languages where `#` does not start a comment, such as ECMAScript, Erlang, PHP, or Ruby.

doc/manual/src/command-ref/nix-store/add-fixed.md

@@ -16,9 +16,10 @@ public url or broke since the download expression was written.
 
 This operation has the following options:
 
-  - `--recursive`\
-    Use recursive instead of flat hashing mode, used when adding
-    directories to the store.
+- `--recursive`
+
+  Use recursive instead of flat hashing mode, used when adding
+  directories to the store.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-store/dump.md

@@ -1,6 +1,6 @@
 # Name
 
-`nix-store --dump` - write a single path to a Nix Archive
+`nix-store --dump` - write a single path to a [Nix Archive]
 
 ## Synopsis
 
@@ -8,7 +8,7 @@
 
 ## Description
 
-The operation `--dump` produces a NAR (Nix ARchive) file containing the
+The operation `--dump` produces a [Nix archive](@docroot@/glossary.md#gloss-nar) (NAR) file containing the
 contents of the file system tree rooted at *path*. The archive is
 written to standard output.
 
@@ -30,8 +30,9 @@ NAR archives support filenames of unlimited length and 64-bit file
 sizes. They can contain regular files, directories, and symbolic links,
 but not other types of files (such as device nodes).
 
-A Nix archive can be unpacked using `nix-store
---restore`.
+A Nix archive can be unpacked using [`nix-store --restore`](@docroot@/command-ref/nix-store/restore.md).
+
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-store/export.md

@@ -1,6 +1,6 @@
 # Name
 
-`nix-store --export` - export store paths to a Nix Archive
+`nix-store --export` - export store paths to a [Nix Archive]
 
 ## Synopsis
 
@@ -8,16 +8,22 @@
 
 ## Description
 
-The operation `--export` writes a serialisation of the specified store
-paths to standard output in a format that can be imported into another
-Nix store with `nix-store --import`. This is like `nix-store
---dump`, except that the NAR archive produced by that command doesn’t
-contain the necessary meta-information to allow it to be imported into
-another Nix store (namely, the set of references of the path).
+The operation `--export` writes a serialisation of the given [store objects](@docroot@/glossary.md#gloss-store-object) to standard output in a format that can be imported into another [Nix store](@docroot@/store/index.md) with [`nix-store --import`](./import.md).
 
-This command does not produce a *closure* of the specified paths, so if
-a store path references other store paths that are missing in the target
-Nix store, the import will fail.
+> **Warning**
+>
+> This command *does not* produce a [closure](@docroot@/glossary.md#gloss-closure) of the specified store paths.
+> Trying to import a store object that refers to store paths not available in the target Nix store will fail.
+>
+> Use [`nix-store --query`](@docroot@/command-ref/nix-store/query.md) to obtain the closure of a store path.
+
+This command is different from [`nix-store --dump`](./dump.md), which produces a [Nix archive](@docroot@/glossary.md#gloss-nar) that *does not* contain the set of [references](@docroot@/glossary.md#gloss-reference) of a given store path.
+
+> **Note**
+>
+> For efficient transfer of closures to remote machines over SSH, use [`nix-copy-closure`](@docroot@/command-ref/nix-copy-closure.md).
+
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive
 
 {{#include ./opt-common.md}}
 
@@ -27,15 +33,21 @@ Nix store, the import will fail.
 
 # Examples
 
-To copy a whole closure, do something
-like:
-
-```console
-$ nix-store --export $(nix-store --query --requisites paths) > out
-```
-
-To import the whole closure again, run:
-
-```console
-$ nix-store --import < out
-```
+> **Example**
+>
+> Deploy GNU Hello to an airgapped machine via USB stick.
+>
+> Write the closure to the block device on a machine with internet connection:
+>
+> ```shell-session
+> [alice@itchy]$ storePath=$(nix-build '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello --no-out-link)
+> [alice@itchy]$ nix-store --export $(nix-store --query --requisites $storePath) | sudo dd of=/dev/usb
+> ```
+>
+> Read the closure from the block device on the machine without internet connection:
+>
+> ```shell-session
+> [bob@scratchy]$ hello=$(sudo dd if=/dev/usb | nix-store --import | tail -1)
+> [bob@scratchy]$ $hello/bin/hello
+> Hello, world!
+> ```

doc/manual/src/command-ref/nix-store/gc.md

@@ -14,30 +14,34 @@ reachable via file system references from a set of “roots”, are deleted.
 
 The following suboperations may be specified:
 
-  - `--print-roots`\
-    This operation prints on standard output the set of roots used by
-    the garbage collector.
+- `--print-roots`
 
-  - `--print-live`\
-    This operation prints on standard output the set of “live” store
-    paths, which are all the store paths reachable from the roots. Live
-    paths should never be deleted, since that would break consistency —
-    it would become possible that applications are installed that
-    reference things that are no longer present in the store.
+  This operation prints on standard output the set of roots used by
+  the garbage collector.
 
-  - `--print-dead`\
-    This operation prints out on standard output the set of “dead” store
-    paths, which is just the opposite of the set of live paths: any path
-    in the store that is not live (with respect to the roots) is dead.
+- `--print-live`
+
+  This operation prints on standard output the set of “live” store
+  paths, which are all the store paths reachable from the roots. Live
+  paths should never be deleted, since that would break consistency —
+  it would become possible that applications are installed that
+  reference things that are no longer present in the store.
+
+- `--print-dead`
+
+  This operation prints out on standard output the set of “dead” store
+  paths, which is just the opposite of the set of live paths: any path
+  in the store that is not live (with respect to the roots) is dead.
 
 By default, all unreachable paths are deleted. The following options
 control what gets deleted and in what order:
 
-  - `--max-freed` *bytes*\
-    Keep deleting paths until at least *bytes* bytes have been deleted,
-    then stop. The argument *bytes* can be followed by the
-    multiplicative suffix `K`, `M`, `G` or `T`, denoting KiB, MiB, GiB
-    or TiB units.
+- `--max-freed` *bytes*
+
+  Keep deleting paths until at least *bytes* bytes have been deleted,
+  then stop. The argument *bytes* can be followed by the
+  multiplicative suffix `K`, `M`, `G` or `T`, denoting KiB, MiB, GiB
+  or TiB units.
 
 The behaviour of the collector is also influenced by the
 `keep-outputs` and `keep-derivations` settings in the Nix

doc/manual/src/command-ref/nix-store/import.md

@@ -1,6 +1,8 @@
 # Name
 
-`nix-store --import` - import Nix Archive into the store
+`nix-store --import` - import [Nix Archive] into the store
+
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive
 
 # Synopsis
 
@@ -8,14 +10,34 @@
 
 # Description
 
-The operation `--import` reads a serialisation of a set of store paths
-produced by `nix-store --export` from standard input and adds those
-store paths to the Nix store. Paths that already exist in the Nix store
-are ignored. If a path refers to another path that doesn’t exist in the
-Nix store, the import fails.
+The operation `--import` reads a serialisation of a set of [store objects](@docroot@/glossary.md#gloss-store-object) produced by [`nix-store --export`](./export.md) from standard input, and adds those store objects to the specified [Nix store](@docroot@/store/index.md).
+Paths that already exist in the target Nix store are ignored.
+If a path [refers](@docroot@/glossary.md#gloss-reference) to another path that doesn’t exist in the target Nix store, the import fails.
+
+> **Note**
+>
+> For efficient transfer of closures to remote machines over SSH, use [`nix-copy-closure`](@docroot@/command-ref/nix-copy-closure.md).
 
 {{#include ./opt-common.md}}
 
 {{#include ../opt-common.md}}
 
 {{#include ../env-common.md}}
+
+# Examples
+
+> **Example**
+>
+> Given a closure of GNU Hello as a file:
+>
+> ```shell-session
+> $ storePath="$(nix-build '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable -A hello --no-out-link)"
+> $ nix-store --export $(nix-store --query --requisites $storePath) > hello.closure
+> ```
+>
+> Import the closure into a [remote SSH store](@docroot@/store/types/ssh-store.md) using the [`--store`](@docroot@/command-ref/conf-file.md#conf-store) option:
+>
+> ```console
+> $ nix-store --import --store ssh://alice@itchy.example.org < hello.closure
+> ```
+

doc/manual/src/command-ref/nix-store/optimise.md

@@ -12,7 +12,7 @@ The operation `--optimise` reduces Nix store disk space usage by finding
 identical files in the store and hard-linking them to each other. It
 typically reduces the size of the store by something like 25-35%. Only
 regular files and symlinks are hard-linked in this manner. Files are
-considered identical when they have the same NAR archive serialisation:
+considered identical when they have the same [Nix Archive (NAR)][Nix Archive] serialisation:
 that is, regular files must have the same contents and permission
 (executable or non-executable), and symlinks must have the same
 contents.
@@ -38,3 +38,4 @@ hashing files in `/nix/store/qhqx7l2f1kmwihc9bnxs7rc159hsxnf3-gcc-4.1.1'
 there are 114486 files with equal contents out of 215894 files in total
 ```
 
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive

doc/manual/src/command-ref/nix-store/query.md

@@ -24,122 +24,138 @@ symlink.
 
 # Common query options
 
-  - `--use-output`; `-u`\
-    For each argument to the query that is a [store derivation], apply the
-    query to the output path of the derivation instead.
+- `--use-output` / `-u`
 
-  - `--force-realise`; `-f`\
-    Realise each argument to the query first (see [`nix-store --realise`](./realise.md)).
+  For each argument to the query that is a [store derivation], apply the
+  query to the output path of the derivation instead.
+
+- `--force-realise` / `-f`
+
+  Realise each argument to the query first (see [`nix-store --realise`](./realise.md)).
 
 [store derivation]: @docroot@/glossary.md#gloss-store-derivation
 
 # Queries
 
-  - `--outputs`\
-    Prints out the [output paths] of the store
-    derivations *paths*. These are the paths that will be produced when
-    the derivation is built.
+- `--outputs`
 
-    [output paths]: ../../glossary.md#gloss-output-path
+  Prints out the [output paths] of the store
+  derivations *paths*. These are the paths that will be produced when
+  the derivation is built.
 
-  - `--requisites`; `-R`\
-    Prints out the [closure] of the store path *paths*.
+  [output paths]: @docroot@/glossary.md#gloss-output-path
 
-    [closure]: ../../glossary.md#gloss-closure
+- `--requisites` / `-R`
 
-    This query has one option:
+  Prints out the [closure] of the store path *paths*.
 
-      - `--include-outputs`
-        Also include the existing output paths of [store derivation]s,
-        and their closures.
+  [closure]: @docroot@/glossary.md#gloss-closure
 
-    This query can be used to implement various kinds of deployment. A
-    *source deployment* is obtained by distributing the closure of a
-    store derivation. A *binary deployment* is obtained by distributing
-    the closure of an output path. A *cache deployment* (combined
-    source/binary deployment, including binaries of build-time-only
-    dependencies) is obtained by distributing the closure of a store
-    derivation and specifying the option `--include-outputs`.
+  This query has one option:
 
-  - `--references`\
-    Prints the set of [references] of the store paths
-    *paths*, that is, their immediate dependencies. (For *all*
-    dependencies, use `--requisites`.)
+    - `--include-outputs`
+      Also include the existing output paths of [store derivation]s,
+      and their closures.
 
-    [references]: ../../glossary.md#gloss-reference
+  This query can be used to implement various kinds of deployment. A
+  *source deployment* is obtained by distributing the closure of a
+  store derivation. A *binary deployment* is obtained by distributing
+  the closure of an output path. A *cache deployment* (combined
+  source/binary deployment, including binaries of build-time-only
+  dependencies) is obtained by distributing the closure of a store
+  derivation and specifying the option `--include-outputs`.
 
-  - `--referrers`\
-    Prints the set of *referrers* of the store paths *paths*, that is,
-    the store paths currently existing in the Nix store that refer to
-    one of *paths*. Note that contrary to the references, the set of
-    referrers is not constant; it can change as store paths are added or
-    removed.
+- `--references`
 
-  - `--referrers-closure`\
-    Prints the closure of the set of store paths *paths* under the
-    referrers relation; that is, all store paths that directly or
-    indirectly refer to one of *paths*. These are all the path currently
-    in the Nix store that are dependent on *paths*.
+  Prints the set of [references] of the store paths
+  *paths*, that is, their immediate dependencies. (For *all*
+  dependencies, use `--requisites`.)
 
-  - `--deriver`; `-d`\
-    Prints the [deriver] that was used to build the store paths *paths*. If
-    the path has no deriver (e.g., if it is a source file), or if the
-    deriver is not known (e.g., in the case of a binary-only
-    deployment), the string `unknown-deriver` is printed.
-    The returned deriver is not guaranteed to exist in the local store, for
-    example when *paths* were substituted from a binary cache.
-    Use `--valid-derivers` instead to obtain valid paths only.
+  [references]: @docroot@/glossary.md#gloss-reference
 
-    [deriver]: ../../glossary.md#gloss-deriver
+- `--referrers`
 
-  - `--valid-derivers`\
-    Prints a set of derivation files (`.drv`) which are supposed produce
-    said paths when realized. Might print nothing, for example for source paths
-    or paths subsituted from a binary cache.
+  Prints the set of *referrers* of the store paths *paths*, that is,
+  the store paths currently existing in the Nix store that refer to
+  one of *paths*. Note that contrary to the references, the set of
+  referrers is not constant; it can change as store paths are added or
+  removed.
 
-  - `--graph`\
-    Prints the references graph of the store paths *paths* in the format
-    of the `dot` tool of AT\&T's [Graphviz
-    package](http://www.graphviz.org/). This can be used to visualise
-    dependency graphs. To obtain a build-time dependency graph, apply
-    this to a store derivation. To obtain a runtime dependency graph,
-    apply it to an output path.
+- `--referrers-closure`
 
-  - `--tree`\
-    Prints the references graph of the store paths *paths* as a nested
-    ASCII tree. References are ordered by descending closure size; this
-    tends to flatten the tree, making it more readable. The query only
-    recurses into a store path when it is first encountered; this
-    prevents a blowup of the tree representation of the graph.
+  Prints the closure of the set of store paths *paths* under the
+  referrers relation; that is, all store paths that directly or
+  indirectly refer to one of *paths*. These are all the path currently
+  in the Nix store that are dependent on *paths*.
 
-  - `--graphml`\
-    Prints the references graph of the store paths *paths* in the
-    [GraphML](http://graphml.graphdrawing.org/) file format. This can be
-    used to visualise dependency graphs. To obtain a build-time
-    dependency graph, apply this to a [store derivation]. To obtain a
-    runtime dependency graph, apply it to an output path.
+- `--deriver` / `-d`
 
-  - `--binding` *name*; `-b` *name*\
-    Prints the value of the attribute *name* (i.e., environment
-    variable) of the [store derivation]s *paths*. It is an error for a
-    derivation to not have the specified attribute.
+  Prints the [deriver] that was used to build the store paths *paths*. If
+  the path has no deriver (e.g., if it is a source file), or if the
+  deriver is not known (e.g., in the case of a binary-only
+  deployment), the string `unknown-deriver` is printed.
+  The returned deriver is not guaranteed to exist in the local store, for
+  example when *paths* were substituted from a binary cache.
+  Use `--valid-derivers` instead to obtain valid paths only.
 
-  - `--hash`\
-    Prints the SHA-256 hash of the contents of the store paths *paths*
-    (that is, the hash of the output of `nix-store --dump` on the given
-    paths). Since the hash is stored in the Nix database, this is a fast
-    operation.
+  [deriver]: @docroot@/glossary.md#gloss-deriver
 
-  - `--size`\
-    Prints the size in bytes of the contents of the store paths *paths*
-    — to be precise, the size of the output of `nix-store --dump` on
-    the given paths. Note that the actual disk space required by the
-    store paths may be higher, especially on filesystems with large
-    cluster sizes.
+- `--valid-derivers`
 
-  - `--roots`\
-    Prints the garbage collector roots that point, directly or
-    indirectly, at the store paths *paths*.
+  Prints a set of derivation files (`.drv`) which are supposed produce
+  said paths when realized. Might print nothing, for example for source paths
+  or paths subsituted from a binary cache.
+
+- `--graph`
+
+  Prints the references graph of the store paths *paths* in the format
+  of the `dot` tool of AT\&T's [Graphviz
+  package](http://www.graphviz.org/). This can be used to visualise
+  dependency graphs. To obtain a build-time dependency graph, apply
+  this to a store derivation. To obtain a runtime dependency graph,
+  apply it to an output path.
+
+- `--tree`
+
+  Prints the references graph of the store paths *paths* as a nested
+  ASCII tree. References are ordered by descending closure size; this
+  tends to flatten the tree, making it more readable. The query only
+  recurses into a store path when it is first encountered; this
+  prevents a blowup of the tree representation of the graph.
+
+- `--graphml`
+
+  Prints the references graph of the store paths *paths* in the
+  [GraphML](http://graphml.graphdrawing.org/) file format. This can be
+  used to visualise dependency graphs. To obtain a build-time
+  dependency graph, apply this to a [store derivation]. To obtain a
+  runtime dependency graph, apply it to an output path.
+
+- `--binding` *name* / `-b` *name*
+
+  Prints the value of the attribute *name* (i.e., environment
+  variable) of the [store derivation]s *paths*. It is an error for a
+  derivation to not have the specified attribute.
+
+- `--hash`
+
+  Prints the SHA-256 hash of the contents of the store paths *paths*
+  (that is, the hash of the output of `nix-store --dump` on the given
+  paths). Since the hash is stored in the Nix database, this is a fast
+  operation.
+
+- `--size`
+
+  Prints the size in bytes of the contents of the store paths *paths*
+  — to be precise, the size of the output of `nix-store --dump` on
+  the given paths. Note that the actual disk space required by the
+  store paths may be higher, especially on filesystems with large
+  cluster sizes.
+
+- `--roots`
+
+  Prints the garbage collector roots that point, directly or
+  indirectly, at the store paths *paths*.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-store/realise.md

@@ -25,14 +25,14 @@ Each of *paths* is processed as follows:
 
 If no substitutes are available and no store derivation is given, realisation fails.
 
-[store paths]: @docroot@/glossary.md#gloss-store-path
+[store paths]: @docroot@/store/store-path.md
 [valid]: @docroot@/glossary.md#gloss-validity
 [store derivation]: @docroot@/glossary.md#gloss-store-derivation
 [output paths]: @docroot@/glossary.md#gloss-output-path
-[store objects]: @docroot@/glossary.md#gloss-store-object
+[store objects]: @docroot@/store/store-object.md
 [closure]: @docroot@/glossary.md#gloss-closure
 [substituters]: @docroot@/command-ref/conf-file.md#conf-substituters
-[content-addressed derivations]: @docroot@/contributing/experimental-features.md#xp-feature-ca-derivations
+[content-addressed derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
 [Nix database]: @docroot@/glossary.md#gloss-nix-database
 
 The resulting paths are printed on standard output.
@@ -42,23 +42,26 @@ For non-derivation arguments, the argument itself is printed.
 
 # Options
 
-  - `--dry-run`\
-    Print on standard error a description of what packages would be
-    built or downloaded, without actually performing the operation.
+- `--dry-run`
 
-  - `--ignore-unknown`\
-    If a non-derivation path does not have a substitute, then silently
-    ignore it.
+  Print on standard error a description of what packages would be
+  built or downloaded, without actually performing the operation.
 
-  - `--check`\
-    This option allows you to check whether a derivation is
-    deterministic. It rebuilds the specified derivation and checks
-    whether the result is bitwise-identical with the existing outputs,
-    printing an error if that’s not the case. The outputs of the
-    specified derivation must already exist. When used with `-K`, if an
-    output path is not identical to the corresponding output from the
-    previous build, the new output path is left in
-    `/nix/store/name.check.`
+- `--ignore-unknown`
+
+  If a non-derivation path does not have a substitute, then silently
+  ignore it.
+
+- `--check`
+
+  This option allows you to check whether a derivation is
+  deterministic. It rebuilds the specified derivation and checks
+  whether the result is bitwise-identical with the existing outputs,
+  printing an error if that’s not the case. The outputs of the
+  specified derivation must already exist. When used with `-K`, if an
+  output path is not identical to the corresponding output from the
+  previous build, the new output path is left in
+  `/nix/store/name.check.`
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-store/restore.md

@@ -8,9 +8,11 @@
 
 ## Description
 
-The operation `--restore` unpacks a NAR archive to *path*, which must
+The operation `--restore` unpacks a [Nix Archive (NAR)][Nix Archive] to *path*, which must
 not already exist. The archive is read from standard input.
 
+[Nix Archive]: @docroot@/store/file-system-object/content-address.md#serial-nix-archive
+
 {{#include ./opt-common.md}}
 
 {{#include ../opt-common.md}}

doc/manual/src/command-ref/nix-store/serve.md

@@ -14,10 +14,11 @@ access to a restricted ssh user.
 
 The following flags are available:
 
-  - `--write`\
-    Allow the connected client to request the realization of
-    derivations. In effect, this can be used to make the host act as a
-    remote builder.
+- `--write`
+
+  Allow the connected client to request the realization of
+  derivations. In effect, this can be used to make the host act as a
+  remote builder.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/nix-store/verify.md

@@ -16,18 +16,20 @@ being modified by non-Nix tools, or of bugs in Nix itself.
 
 This operation has the following options:
 
-  - `--check-contents`\
-    Checks that the contents of every valid store path has not been
-    altered by computing a SHA-256 hash of the contents and comparing it
-    with the hash stored in the Nix database at build time. Paths that
-    have been modified are printed out. For large stores,
-    `--check-contents` is obviously quite slow.
+- `--check-contents`
 
-  - `--repair`\
-    If any valid path is missing from the store, or (if
-    `--check-contents` is given) the contents of a valid path has been
-    modified, then try to repair the path by redownloading it. See
-    `nix-store --repair-path` for details.
+  Checks that the contents of every valid store path has not been
+  altered by computing a SHA-256 hash of the contents and comparing it
+  with the hash stored in the Nix database at build time. Paths that
+  have been modified are printed out. For large stores,
+  `--check-contents` is obviously quite slow.
+
+- `--repair`
+
+  If any valid path is missing from the store, or (if
+  `--check-contents` is given) the contents of a valid path has been
+  modified, then try to repair the path by redownloading it. See
+  `nix-store --repair-path` for details.
 
 {{#include ./opt-common.md}}
 

doc/manual/src/command-ref/opt-common.md

@@ -37,7 +37,7 @@ Most Nix commands accept the following command-line options:
     Print even more informational messages.
 
   - `4` “Debug”
-   
+
     Print debug information.
 
   - `5` “Vomit”
@@ -143,7 +143,7 @@ Most Nix commands accept the following command-line options:
 
   This option is accepted by `nix-env`, `nix-instantiate`, `nix-shell` and `nix-build`.
   When evaluating Nix expressions, the expression evaluator will automatically try to call functions that it encounters.
-  It can automatically call functions for which every argument has a [default value](@docroot@/language/constructs.md#functions) (e.g., `{ argName ?  defaultValue }: ...`).
+  It can automatically call functions for which every argument has a [default value](@docroot@/language/syntax.md#functions) (e.g., `{ argName ?  defaultValue }: ...`).
 
   With `--arg`, you can also call functions that have arguments without a default value (or override a default value).
   That is, if the evaluator encounters a function with an argument named *name*, it will call it with value *value*.
@@ -187,11 +187,12 @@ Most Nix commands accept the following command-line options:
   For `nix-shell`, this option is commonly used to give you a shell in which you can build the packages returned by the expression.
   If you want to get a shell which contain the *built* packages ready for use, give your expression to the `nix-shell --packages ` convenience flag instead.
 
-- <span id="opt-I">[`-I`](#opt-I)</span> *path*
+- <span id="opt-I">[`-I` / `--include`](#opt-I)</span> *path*
 
-  Add an entry to the [Nix expression search path](@docroot@/command-ref/conf-file.md#conf-nix-path).
+  Add an entry to the list of search paths used to resolve [lookup paths](@docroot@/language/constructs/lookup-path.md).
   This option may be given multiple times.
-  Paths added through `-I` take precedence over [`NIX_PATH`](@docroot@/command-ref/env-common.md#env-NIX_PATH).
+
+  Paths added through `-I` take precedence over the [`nix-path` configuration setting](@docroot@/command-ref/conf-file.md#conf-nix-path) and the [`NIX_PATH` environment variable](@docroot@/command-ref/env-common.md#env-NIX_PATH).
 
 - <span id="opt-option">[`--option`](#opt-option)</span> *name* *value*
 

doc/manual/src/development/building.md

@@ -1,24 +1,67 @@
-# Hacking
+# Building Nix
 
-This section provides some notes on how to hack on Nix. To get the
-latest version of Nix from GitHub:
+This section provides some notes on how to start hacking on Nix.
+To get the latest version of Nix from GitHub:
 
 ```console
 $ git clone https://github.com/NixOS/nix.git
 $ cd nix
 ```
 
-The following instructions assume you already have some version of Nix installed locally, so that you can use it to set up the development environment. If you don't have it installed, follow the [installation instructions].
+> **Note**
+>
+> The following instructions assume you already have some version of Nix installed locally, so that you can use it to set up the development environment.
+> If you don't have it installed, follow the [installation instructions](../installation/index.md).
 
-[installation instructions]: ../installation/index.md
+
+To build all dependencies and start a shell in which all environment variables are set up so that those dependencies can be found:
+
+```console
+$ nix-shell
+```
+
+To get a shell with one of the other [supported compilation environments](#compilation-environments):
+
+```console
+$ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
+```
+
+> **Note**
+>
+> You can use `native-ccacheStdenvPackages` to drastically improve rebuild time.
+> By default, [ccache](https://ccache.dev) keeps artifacts in `~/.cache/ccache/`.
+
+To build Nix itself in this shell:
+
+```console
+[nix-shell]$ autoreconfPhase
+[nix-shell]$ ./configure $configureFlags --prefix=$(pwd)/outputs/out
+[nix-shell]$ make -j $NIX_BUILD_CORES
+```
+
+To install it in `$(pwd)/outputs` and test it:
+
+```console
+[nix-shell]$ make install
+[nix-shell]$ make installcheck -j $NIX_BUILD_CORES
+[nix-shell]$ ./outputs/out/bin/nix --version
+nix (Nix) 2.12
+```
+
+To build a release version of Nix for the current operating system and CPU architecture:
+
+```console
+$ nix-build
+```
+
+You can also build Nix for one of the [supported platforms](#platforms).
 
 ## Building Nix with flakes
 
 This section assumes you are using Nix with the [`flakes`] and [`nix-command`] experimental features enabled.
-See the [Building Nix](#building-nix) section for equivalent instructions using stable Nix interfaces.
 
-[`flakes`]: @docroot@/contributing/experimental-features.md#xp-feature-flakes
-[`nix-command`]: @docroot@/contributing/experimental-features.md#xp-nix-command
+[`flakes`]: @docroot@/development/experimental-features.md#xp-feature-flakes
+[`nix-command`]: @docroot@/development/experimental-features.md#xp-nix-command
 
 To build all dependencies and start a shell in which all environment variables are set up so that those dependencies can be found:
 
@@ -67,50 +110,6 @@ $ nix build
 
 You can also build Nix for one of the [supported platforms](#platforms).
 
-## Building Nix
-
-To build all dependencies and start a shell in which all environment variables are set up so that those dependencies can be found:
-
-```console
-$ nix-shell
-```
-
-To get a shell with one of the other [supported compilation environments](#compilation-environments):
-
-```console
-$ nix-shell --attr devShells.x86_64-linux.native-clangStdenvPackages
-```
-
-> **Note**
->
-> You can use `native-ccacheStdenvPackages` to drastically improve rebuild time.
-> By default, [ccache](https://ccache.dev) keeps artifacts in `~/.cache/ccache/`.
-
-To build Nix itself in this shell:
-
-```console
-[nix-shell]$ autoreconfPhase
-[nix-shell]$ ./configure $configureFlags --prefix=$(pwd)/outputs/out
-[nix-shell]$ make -j $NIX_BUILD_CORES
-```
-
-To install it in `$(pwd)/outputs` and test it:
-
-```console
-[nix-shell]$ make install
-[nix-shell]$ make installcheck -j $NIX_BUILD_CORES
-[nix-shell]$ ./outputs/out/bin/nix --version
-nix (Nix) 2.12
-```
-
-To build a release version of Nix for the current operating system and CPU architecture:
-
-```console
-$ nix-build
-```
-
-You can also build Nix for one of the [supported platforms](#platforms).
-
 ## Makefile variables
 
 You may need `profiledir=$out/etc/profile.d` and `sysconfdir=$out/etc` to run `make install`.
@@ -122,7 +121,6 @@ Run `make` with [`-e` / `--environment-overrides`](https://www.gnu.org/software/
 
   The docs can take a while to build, so you may want to disable this for local development.
 - `ENABLE_FUNCTIONAL_TESTS=yes` to enable building the functional tests.
-- `ENABLE_UNIT_TESTS=yes` to enable building the unit tests.
 - `OPTIMIZE=1` to enable optimizations.
 - `libraries=libutil programs=` to only build a specific library.
 
@@ -144,6 +142,7 @@ Nix can be built for various platforms, as specified in [`flake.nix`]:
 - `aarch64-darwin`
 - `armv6l-linux`
 - `armv7l-linux`
+- `riscv64-linux`
 
 In order to build Nix for a different platform than the one you're currently
 on, you need a way for your current Nix installation to build code for that
@@ -166,7 +165,10 @@ or for Nix with the [`flakes`] and [`nix-command`] experimental features enabled
 $ nix build .#packages.aarch64-linux.default
 ```
 
-Cross-compiled builds are available for ARMv6 (`armv6l-linux`) and ARMv7 (`armv7l-linux`).
+Cross-compiled builds are available for:
+- `armv6l-linux`
+- `armv7l-linux`
+- `riscv64-linux`
 Add more [system types](#system-type) to `crossSystems` in `flake.nix` to bootstrap Nix on unsupported platforms.
 
 ### Building for multiple platforms at once
@@ -196,7 +198,7 @@ In order to facilitate this, Nix has some support for being built out of tree
 
 ## System type
 
-Nix uses a string with he following format to identify the *system type* or *platform* it runs on:
+Nix uses a string with the following format to identify the *system type* or *platform* it runs on:
 
 ```
 <cpu>-<os>[-<abi>]
@@ -258,10 +260,10 @@ See [supported compilation environments](#compilation-environments) and instruct
 To use the LSP with your editor, you first need to [set up `clangd`](https://clangd.llvm.org/installation#project-setup) by running:
 
 ```console
-make clean && bear -- make -j$NIX_BUILD_CORES default check install
+make compile_commands.json
 ```
 
-Configure your editor to use the `clangd` from the shell, either by running it inside the development shell, or by using [nix-direnv](https://github.com/nix-community/nix-direnv) and [the appropriate editor plugin](https://github.com/direnv/direnv/wiki#editor-integration).
+Configure your editor to use the `clangd` from the `.#native-clangStdenvPackages` shell. You can do that either by running it inside the development shell, or by using [nix-direnv](https://github.com/nix-community/nix-direnv) and [the appropriate editor plugin](https://github.com/direnv/direnv/wiki#editor-integration).
 
 > **Note**
 >
@@ -269,80 +271,25 @@ Configure your editor to use the `clangd` from the shell, either by running it i
 > Some other editors (e.g. Emacs, Vim) need a plugin to support LSP servers in general (e.g. [lsp-mode](https://github.com/emacs-lsp/lsp-mode) for Emacs and [vim-lsp](https://github.com/prabirshrestha/vim-lsp) for vim).
 > Editor-specific setup is typically opinionated, so we will not cover it here in more detail.
 
-## Add a release note
+## Formatting and pre-commit hooks
 
-`doc/manual/rl-next` contains release notes entries for all unreleased changes.
+You may run the formatters as a one-off using:
 
-User-visible changes should come with a release note.
-
-### Add an entry
-
-Here's what a complete entry looks like. The file name is not incorporated in the document.
-
-```
----
-synopsis: Basically a title
-issues: 1234
-prs: 1238
----
-
-Here's one or more paragraphs that describe the change.
-
-- It's markdown
-- Add references to the manual using @docroot@
+```console
+make format
 ```
 
-Significant changes should add the following header, which moves them to the top.
+If you'd like to run the formatters before every commit, install the hooks:
 
 ```
-significance: significant
+pre-commit-hooks-install
 ```
 
-<!-- Keep an eye on https://codeberg.org/fgaz/changelog-d/issues/1 -->
-See also the [format documentation](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#changelog).
+This installs [pre-commit](https://pre-commit.com) using [cachix/git-hooks.nix](https://github.com/cachix/git-hooks.nix).
 
-### Build process
+When making a commit, pay attention to the console output.
+If it fails, run `git add --patch` to approve the suggestions _and commit again_.
 
-Releases have a precomputed `rl-MAJOR.MINOR.md`, and no `rl-next.md`.
-
-## Branches
-
-- [`master`](https://github.com/NixOS/nix/commits/master)
-
-  The main development branch. All changes are approved and merged here.
-  When developing a change, create a branch based on the latest `master`.
-
-  Maintainers try to [keep it in a release-worthy state](#reverting).
-
-- [`maintenance-*.*`](https://github.com/NixOS/nix/branches/all?query=maintenance)
-
-  These branches are the subject of backports only, and are
-  also [kept](#reverting) in a release-worthy state.
-
-  See [`maintainers/backporting.md`](https://github.com/NixOS/nix/blob/master/maintainers/backporting.md)
-
-- [`latest-release`](https://github.com/NixOS/nix/tree/latest-release)
-
-  The latest patch release of the latest minor version.
-
-  See [`maintainers/release-process.md`](https://github.com/NixOS/nix/blob/master/maintainers/release-process.md)
-
-- [`backport-*-to-*`](https://github.com/NixOS/nix/branches/all?query=backport)
-
-  Generally branches created by the backport action.
-
-  See [`maintainers/backporting.md`](https://github.com/NixOS/nix/blob/master/maintainers/backporting.md)
-
-- [_other_](https://github.com/NixOS/nix/branches/all)
-
-  Branches that do not conform to the above patterns should be feature branches.
-
-## Reverting
-
-If a change turns out to be merged by mistake, or contain a regression, it may be reverted.
-A revert is not a rejection of the contribution, but merely part of an effective development process.
-It makes sure that development keeps running smoothly, with minimal uncertainty, and less overhead.
-If maintainers have to worry too much about avoiding reverts, they would not be able to merge as much.
-By embracing reverts as a good part of the development process, everyone wins.
-
-However, taking a step back may be frustrating, so maintainers will be extra supportive on the next try.
+To refresh pre-commit hook's config file, do the following:
+1. Exit the development shell and start it again by running `nix develop`.
+2. If you also use the pre-commit hook, also run `pre-commit-hooks-install` again.

doc/manual/src/development/cli-guideline.md

@@ -389,88 +389,6 @@ colors, no emojis and using ASCII instead of Unicode symbols). The same should
 happen when TTY is not detected on STDERR. We should not display progress /
 status section, but only print warnings and errors.
 
-## Returning future proof JSON
-
-The schema of JSON output should allow for backwards compatible extension. This section explains how to achieve this.
-
-Two definitions are helpful here, because while JSON only defines one "key-value"
-object type, we use it to cover two use cases:
-
- - **dictionary**: a map from names to value that all have the same type. In
-   C++ this would be a `std::map` with string keys.
- - **record**: a fixed set of attributes each with their own type. In C++, this
-   would be represented by a `struct`.
-
-It is best not to mix these use cases, as that may lead to incompatibilities when the schema changes. For example, adding a record field to a dictionary breaks consumers that assume all JSON object fields to have the same meaning and type.
-
-This leads to the following guidelines:
-
- - The top-level (root) value must be a record.
-
-   Otherwise, one can not change the structure of a command's output.
-
- - The value of a dictionary item must be a record.
-
-   Otherwise, the item type can not be extended.
-
- - List items should be records.
-
-   Otherwise, one can not change the structure of the list items.
-
-   If the order of the items does not matter, and each item has a unique key that is a string, consider representing the list as a dictionary instead. If the order of the items needs to be preserved, return a list of records.
-
- - Streaming JSON should return records.
-
-   An example of a streaming JSON format is [JSON lines](https://jsonlines.org/), where each line represents a JSON value. These JSON values can be considered top-level values or list items, and they must be records.
-
-### Examples
-
-
-This is bad, because all keys must be assumed to be store types:
-
-```json
-{
-  "local": { ... },
-  "remote": { ... },
-  "http": { ... }
-}
-```
-
-This is good, because the it is extensible at the root, and is somewhat self-documenting:
-
-```json
-{
-  "storeTypes": { "local": { ... }, ... },
-  "pluginSupport": true
-}
-```
-
-While the dictionary of store types seems like a very complete response at first, a use case may arise that warrants returning additional information.
-For example, the presence of plugin support may be crucial information for a client to proceed when their desired store type is missing.
-
-
-
-The following representation is bad because it is not extensible:
-
-```json
-{ "outputs": [ "out" "bin" ] }
-```
-
-However, simply converting everything to records is not enough, because the order of outputs must be preserved:
-
-```json
-{ "outputs": { "bin": {}, "out": {} } }
-```
-
-The first item is the default output. Deriving this information from the outputs ordering is not great, but this is how Nix currently happens to work.
-While it is possible for a JSON parser to preserve the order of fields, we can not rely on this capability to be present in all JSON libraries.
-
-This representation is extensible and preserves the ordering:
-
-```json
-{ "outputs": [ { "outputName": "out" }, { "outputName": "bin" } ] }
-```
-
 ## Dialog with the user
 
 CLIs don't always make it clear when an action has taken place. For every

doc/manual/src/development/contributing.md

@@ -0,0 +1,79 @@
+# Contributing
+
+## Add a release note
+
+`doc/manual/rl-next` contains release notes entries for all unreleased changes.
+
+User-visible changes should come with a release note.
+
+### Add an entry
+
+Here's what a complete entry looks like. The file name is not incorporated in the document.
+
+```
+---
+synopsis: Basically a title
+issues: 1234
+prs: 1238
+---
+
+Here's one or more paragraphs that describe the change.
+
+- It's markdown
+- Add references to the manual using @docroot@
+```
+
+Significant changes should add the following header, which moves them to the top.
+
+```
+significance: significant
+```
+
+<!-- Keep an eye on https://codeberg.org/fgaz/changelog-d/issues/1 -->
+See also the [format documentation](https://github.com/haskell/cabal/blob/master/CONTRIBUTING.md#changelog).
+
+### Build process
+
+Releases have a precomputed `rl-MAJOR.MINOR.md`, and no `rl-next.md`.
+
+## Branches
+
+- [`master`](https://github.com/NixOS/nix/commits/master)
+
+  The main development branch. All changes are approved and merged here.
+  When developing a change, create a branch based on the latest `master`.
+
+  Maintainers try to [keep it in a release-worthy state](#reverting).
+
+- [`maintenance-*.*`](https://github.com/NixOS/nix/branches/all?query=maintenance)
+
+  These branches are the subject of backports only, and are
+  also [kept](#reverting) in a release-worthy state.
+
+  See [`maintainers/backporting.md`](https://github.com/NixOS/nix/blob/master/maintainers/backporting.md)
+
+- [`latest-release`](https://github.com/NixOS/nix/tree/latest-release)
+
+  The latest patch release of the latest minor version.
+
+  See [`maintainers/release-process.md`](https://github.com/NixOS/nix/blob/master/maintainers/release-process.md)
+
+- [`backport-*-to-*`](https://github.com/NixOS/nix/branches/all?query=backport)
+
+  Generally branches created by the backport action.
+
+  See [`maintainers/backporting.md`](https://github.com/NixOS/nix/blob/master/maintainers/backporting.md)
+
+- [_other_](https://github.com/NixOS/nix/branches/all)
+
+  Branches that do not conform to the above patterns should be feature branches.
+
+## Reverting
+
+If a change turns out to be merged by mistake, or contain a regression, it may be reverted.
+A revert is not a rejection of the contribution, but merely part of an effective development process.
+It makes sure that development keeps running smoothly, with minimal uncertainty, and less overhead.
+If maintainers have to worry too much about avoiding reverts, they would not be able to merge as much.
+By embracing reverts as a good part of the development process, everyone wins.
+
+However, taking a step back may be frustrating, so maintainers will be extra supportive on the next try.

doc/manual/src/development/documentation.md

@@ -24,14 +24,12 @@ nix build .#^doc
 
 and open `./result-doc/share/doc/nix/manual/index.html`.
 
-To build the manual incrementally, [enter the development shell](./hacking.md) and run:
+To build the manual incrementally, [enter the development shell](./building.md) and run:
 
 ```console
-make manual-html -j $NIX_BUILD_CORES
+make manual-html-open -j $NIX_BUILD_CORES
 ```
 
-and open `./outputs/out/share/doc/nix/manual/language/index.html`.
-
 In order to reflect changes to the [Makefile for the manual], clear all generated files before re-building:
 
 [Makefile for the manual]: https://github.com/NixOS/nix/blob/master/doc/manual/local.mk
@@ -149,7 +147,7 @@ Please observe these guidelines to ease reviews:
   ```
   A [store object] contains a [file system object] and [references] to other store objects.
 
-  [store object]: @docroot@/glossary.md#gloss-store-object
+  [store object]: @docroot@/store/store-object.md
   [file system object]: @docroot@/architecture/file-system-object.md
   [references]: @docroot@/glossary.md#gloss-reference
   ```
@@ -198,13 +196,35 @@ You can also build and view it yourself:
 [Doxygen API documentation]: https://hydra.nixos.org/job/nix/master/internal-api-docs/latest/download-by-type/doc/internal-api-docs
 
 ```console
-# nix build .#hydraJobs.internal-api-docs
-# xdg-open ./result/share/doc/nix/internal-api/html/index.html
+$ nix build .#hydraJobs.internal-api-docs
+$ xdg-open ./result/share/doc/nix/internal-api/html/index.html
+```
+
+or inside `nix-shell` or `nix develop`:
+
+```console
+$ mesonConfigurePhase
+$ ninja src/internal-api-docs/html
+$ xdg-open src/internal-api-docs/html/index.html
+```
+
+## C API documentation
+
+Note that the C API is not yet stable.
+[C API documentation] is available online.
+You can also build and view it yourself:
+
+[C API documentation]: https://hydra.nixos.org/job/nix/master/external-api-docs/latest/download-by-type/doc/external-api-docs
+
+```console
+$ nix build .#hydraJobs.external-api-docs
+$ xdg-open ./result/share/doc/nix/external-api/html/index.html
 ```
 
 or inside `nix-shell` or `nix develop`:
 
 ```
-# make internal-api-html
-# xdg-open ./outputs/doc/share/doc/nix/internal-api/html/index.html
+$ mesonConfigurePhase
+$ ninja src/external-api-docs/html
+$ xdg-open src/external-api-docs/html/index.html
 ```

doc/manual/src/development/index.md

@@ -5,4 +5,4 @@ Check the [contributing guide](https://github.com/NixOS/nix/blob/master/CONTRIBU
 
 This chapter is a collection of guides for making changes to the code and documentation.
 
-If you're not sure where to start, try to [compile Nix from source](./hacking.md) and consider [making improvements to documentation](./documentation.md).
+If you're not sure where to start, try to [compile Nix from source](./building.md) and consider [making improvements to documentation](./documentation.md).

doc/manual/src/development/json-guideline.md

@@ -0,0 +1,128 @@
+# JSON guideline
+
+Nix consumes and produces JSON in a variety of contexts.
+These guidelines ensure consistent practices for all our JSON interfaces, for ease of use, and so that experience in one part carries over to another.
+
+## Extensibility
+
+The schema of JSON input and output should allow for backwards compatible extension.
+This section explains how to achieve this.
+
+Two definitions are helpful here, because while JSON only defines one "key-value" object type, we use it to cover two use cases:
+
+ - **dictionary**: a map from names to value that all have the same type.
+   In C++ this would be a `std::map` with string keys.
+
+ - **record**: a fixed set of attributes each with their own type.
+   In C++, this would be represented by a `struct`.
+
+It is best not to mix these use cases, as that may lead to incompatibilities when the schema changes.
+For example, adding a record field to a dictionary breaks consumers that assume all JSON object fields to have the same meaning and type, and dictionary items with a colliding name can not be represented anymore.
+
+This leads to the following guidelines:
+
+ - The top-level (root) value must be a record.
+
+   Otherwise, one can not change the structure of a command's output.
+
+ - The value of a dictionary item must be a record.
+
+   Otherwise, the item type can not be extended.
+
+ - List items should be records.
+
+   Otherwise, one can not change the structure of the list items.
+
+   If the order of the items does not matter, and each item has a unique key that is a string, consider representing the list as a dictionary instead.
+   If the order of the items needs to be preserved, return a list of records.
+
+ - Streaming JSON should return records.
+
+   An example of a streaming JSON format is [JSON lines](https://jsonlines.org/), where each line represents a JSON value.
+   These JSON values can be considered top-level values or list items, and they must be records.
+
+### Examples
+
+This is bad, because all keys must be assumed to be store types:
+
+```json
+{
+  "local": { ... },
+  "remote": { ... },
+  "http": { ... }
+}
+```
+
+This is good, because the it is extensible at the root, and is somewhat self-documenting:
+
+```json
+{
+  "storeTypes": { "local": { ... }, ... },
+  "pluginSupport": true
+}
+```
+
+While the dictionary of store types seems like a very complete response at first, a use case may arise that warrants returning additional information.
+For example, the presence of plugin support may be crucial information for a client to proceed when their desired store type is missing.
+
+
+
+The following representation is bad because it is not extensible:
+
+```json
+{ "outputs": [ "out" "bin" ] }
+```
+
+However, simply converting everything to records is not enough, because the order of outputs must be preserved:
+
+```json
+{ "outputs": { "bin": {}, "out": {} } }
+```
+
+The first item is the default output. Deriving this information from the outputs ordering is not great, but this is how Nix currently happens to work.
+While it is possible for a JSON parser to preserve the order of fields, we can not rely on this capability to be present in all JSON libraries.
+
+This representation is extensible and preserves the ordering:
+
+```json
+{ "outputs": [ { "outputName": "out" }, { "outputName": "bin" } ] }
+```
+
+## Self-describing values
+
+As described in the previous section, it's crucial that schemas can be extended with with new fields without breaking compatibility.
+However, that should *not* mean we use the presence/absence of fields to indicate optional information *within* a version of the schema.
+Instead, always include the field, and use `null` to indicate the "nothing" case.
+
+### Examples
+
+Here are two JSON objects:
+
+```json
+{
+  "foo": {}
+}
+```
+```json
+{
+  "foo": {},
+  "bar": {}
+}
+```
+
+Since they differ in which fields they contain, they should *not* both be valid values of the same schema.
+At most, they can match two different schemas where the second (with `foo` and `bar`) is considered a newer version of the first (with just `foo`).
+Within each version, all fields are mandatory (always `foo`, and always `foo` and `bar`).
+Only *between* each version, `bar` gets added as a new mandatory field.
+
+Here are another two JSON objects:
+
+```json
+{ "foo": null }
+```
+```json
+{ "foo": { "bar": 1 } }
+```
+
+Since they both contain a `foo` field, they could be valid values of the same schema.
+The schema would have `foo` has an optional field, which is either `null` or an object where `bar` is an integer.

doc/manual/src/development/testing.md

@@ -59,15 +59,15 @@ The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
 > …
 > ```
 
-The tests for each Nix library (`libnixexpr`, `libnixstore`, etc..) live inside a directory `tests/unit/${library_name_without-nix}`.
-Given a interface (header) and implementation pair in the original library, say, `src/libexpr/value/context.{hh,cc}`, we write tests for it in `tests/unit/libexpr/tests/value/context.cc`, and (possibly) declare/define additional interfaces for testing purposes in `tests/unit/libexpr-support/tests/value/context.{hh,cc}`.
+The tests for each Nix library (`libnixexpr`, `libnixstore`, etc..) live inside a directory `src/${library_name_without-nix}-test`.
+Given an interface (header) and implementation pair in the original library, say, `src/libexpr/value/context.{hh,cc}`, we write tests for it in `src/nix-expr-tests/value/context.cc`, and (possibly) declare/define additional interfaces for testing purposes in `src/nix-expr-test-support/tests/value/context.{hh,cc}`.
 
 Data for unit tests is stored in a `data` subdir of the directory for each unit test executable.
-For example, `libnixstore` code is in `src/libstore`, and its test data is in `tests/unit/libstore/data`.
-The path to the `tests/unit/data` directory is passed to the unit test executable with the environment variable `_NIX_TEST_UNIT_DATA`.
+For example, `libnixstore` code is in `src/libstore`, and its test data is in `src/nix-store-tests/data`.
+The path to the `src/${library_name_without-nix}-test/data` directory is passed to the unit test executable with the environment variable `_NIX_TEST_UNIT_DATA`.
 Note that each executable only gets the data for its tests.
 
-The unit test libraries are in `tests/unit/${library_name_without-nix}-lib`.
+The unit test libraries are in `src/${library_name_without-nix}-test-support`.
 All headers are in a `tests` subdirectory so they are included with `#include "tests/"`.
 
 The use of all these separate directories for the unit tests might seem inconvenient, as for example the tests are not "right next to" the part of the code they are testing.
@@ -76,8 +76,25 @@ there is no risk of any build-system wildcards for the library accidentally pick
 
 ### Running tests
 
-You can run the whole testsuite with `make check`, or the tests for a specific component with `make libfoo-tests_RUN`.
-Finer-grained filtering is also possible using the [--gtest_filter](https://google.github.io/googletest/advanced.html#running-a-subset-of-the-tests) command-line option, or the `GTEST_FILTER` environment variable, e.g. `GTEST_FILTER='ErrorTraceTest.*' make check`.
+You can run the whole testsuite with `meson test` from the Meson build directory, or the tests for a specific component with `meson test nix-store-tests`.
+A environment variables that Google Test accepts are also worth knowing:
+
+1. [`GTEST_FILTER`](https://google.github.io/googletest/advanced.html#running-a-subset-of-the-tests)
+
+   This is used for finer-grained filtering of which tests to run.
+
+
+2. [`GTEST_BRIEF`](https://google.github.io/googletest/advanced.html#suppressing-test-passes)
+
+   This is used to avoid logging passing tests.
+
+Putting the two together, one might run
+
+```bash
+GTEST_BRIEF=1 GTEST_FILTER='ErrorTraceTest.*' meson test nix-expr-tests -v
+```
+
+for short but comprensive output.
 
 ### Characterisation testing { #characaterisation-testing-unit }
 
@@ -86,7 +103,7 @@ See [functional characterisation testing](#characterisation-testing-functional)
 Like with the functional characterisation, `_NIX_TEST_ACCEPT=1` is also used.
 For example:
 ```shell-session
-$ _NIX_TEST_ACCEPT=1 make libstore-tests_RUN
+$ _NIX_TEST_ACCEPT=1 meson test nix-store-tests -v
 ...
 [  SKIPPED ] WorkerProtoTest.string_read
 [  SKIPPED ] WorkerProtoTest.string_write
@@ -114,6 +131,8 @@ On other platforms they wouldn't be run at all.
 The functional tests reside under the `tests/functional` directory and are listed in `tests/functional/local.mk`.
 Each test is a bash script.
 
+Functional tests are run during `installCheck` in the `nix` package build, as well as separately from the build, in VM tests.
+
 ### Running the whole test suite
 
 The whole test suite can be run with:
@@ -162,14 +181,14 @@ ran test tests/functional/${testName}.sh... [PASS]
 or without `make`:
 
 ```shell-session
-$ ./mk/run-test.sh tests/functional/${testName}.sh tests/functional/init.sh
+$ ./mk/run-test.sh tests/functional/${testName}.sh
 ran test tests/functional/${testName}.sh... [PASS]
 ```
 
 To see the complete output, one can also run:
 
 ```shell-session
-$ ./mk/debug-test.sh tests/functional/${testName}.sh tests/functional/init.sh
+$ ./mk/debug-test.sh tests/functional/${testName}.sh
 +(${testName}.sh:1) foo
 output from foo
 +(${testName}.sh:2) bar
@@ -204,7 +223,7 @@ edit it like so:
 Then, running the test with `./mk/debug-test.sh` will drop you into GDB once the script reaches that point:
 
 ```shell-session
-$ ./mk/debug-test.sh tests/functional/${testName}.sh tests/functional/init.sh
+$ ./mk/debug-test.sh tests/functional/${testName}.sh
 ...
 + gdb blash blub
 GNU gdb (GDB) 12.1
@@ -252,13 +271,30 @@ Regressions are caught, and improvements always show up in code review.
 
 To ensure that characterisation testing doesn't make it harder to intentionally change these interfaces, there always must be an easy way to regenerate the expected output, as we do with `_NIX_TEST_ACCEPT=1`.
 
+### Running functional tests on NixOS
+
+We run the functional tests not just in the build, but also in VM tests.
+This helps us ensure that Nix works correctly on NixOS, and environments that have similar characteristics that are hard to reproduce in a build environment.
+
+The recommended way to run these tests during development is:
+
+```shell
+nix build .#hydraJobs.tests.functional_user.quickBuild
+```
+
+The `quickBuild` attribute configures the test to use a `nix` package that's built without integration tests, so that you can iterate on the tests without performing recompilations due to the changed sources for `installCheck`.
+
+Generally, this build is sufficient, but in nightly or CI we also test the attributes `functional_root` and `functional_trusted`, in which the test suite is run with different levels of authorization.
+
 ## Integration tests
 
 The integration tests are defined in the Nix flake under the `hydraJobs.tests` attribute.
 These tests include everything that needs to interact with external services or run Nix in a non-trivial distributed setup.
 Because these tests are expensive and require more than what the standard github-actions setup provides, they only run on the master branch (on <https://hydra.nixos.org/jobset/nix/master>).
 
-You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`
+You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`.
+
+If you are testing a build of `nix` that you haven't compiled yet, you may iterate faster by appending the `quickBuild` attribute: `nix build .#hydraJobs.tests.{testName}.quickBuild`.
 
 ## Installer tests
 

doc/manual/src/favicon.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="587.11" height="516.604" viewBox="0 0 550.416 484.317"><defs><linearGradient id="a"><stop offset="0" style="stop-color:#699ad7;stop-opacity:1"/><stop offset=".243" style="stop-color:#7eb1dd;stop-opacity:1"/><stop offset="1" style="stop-color:#7ebae4;stop-opacity:1"/></linearGradient><linearGradient id="b"><stop offset="0" style="stop-color:#415e9a;stop-opacity:1"/><stop offset=".232" style="stop-color:#4a6baf;stop-opacity:1"/><stop offset="1" style="stop-color:#5277c3;stop-opacity:1"/></linearGradient><linearGradient xlink:href="#a" id="c" x1="200.597" x2="290.087" y1="351.411" y2="506.188" gradientTransform="translate(70.65 -1055.151)" gradientUnits="userSpaceOnUse"/><linearGradient xlink:href="#b" id="e" x1="-584.199" x2="-496.297" y1="782.336" y2="937.714" gradientTransform="translate(864.696 -1491.34)" gradientUnits="userSpaceOnUse"/></defs><g style="display:inline;opacity:1" transform="translate(-132.651 958.04)"><path id="d" d="m309.549-710.388 122.197 211.675-56.157.527-32.624-56.87-32.856 56.566-27.903-.011-14.29-24.69 46.81-80.49-33.23-57.826z" style="opacity:1;fill:url(#c);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:3;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"/><use xlink:href="#d" width="100%" height="100%" transform="rotate(60 407.112 -715.787)"/><use xlink:href="#d" width="100%" height="100%" transform="rotate(-60 407.312 -715.7)"/><use xlink:href="#d" width="100%" height="100%" transform="rotate(180 407.419 -715.756)"/><path id="f" d="m309.549-710.388 122.197 211.675-56.157.527-32.624-56.87-32.856 56.566-27.903-.011-14.29-24.69 46.81-80.49-33.23-57.826z" style="color:#000;clip-rule:nonzero;display:inline;overflow:visible;visibility:visible;opacity:1;isolation:auto;mix-blend-mode:normal;color-interpolation:sRGB;color-interpolation-filters:linearRGB;solid-color:#000;solid-opacity:1;fill:url(#e);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:3;stroke-linecap:butt;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1;color-rendering:auto;image-rendering:auto;shape-rendering:auto;text-rendering:auto;enable-background:accumulate"/><use xlink:href="#f" width="100%" height="100%" style="display:inline" transform="rotate(120 407.34 -716.084)"/><use xlink:href="#f" width="100%" height="100%" style="display:inline" transform="rotate(-120 407.288 -715.87)"/></g></svg>

doc/manual/src/glossary.md

@@ -1,5 +1,24 @@
 # Glossary
 
+- [content address]{#gloss-content-address}
+
+  A
+  [*content address*](https://en.wikipedia.org/wiki/Content-addressable_storage)
+  is a secure way to reference immutable data.
+  The reference is calculated directly from the content of the data being referenced, which means the reference is
+  [*tamper proof*](https://en.wikipedia.org/wiki/Tamperproofing)
+  --- variations of the data should always calculate to distinct content addresses.
+
+  For how Nix uses content addresses, see:
+
+    - [Content-Addressing File System Objects](@docroot@/store/file-system-object/content-address.md)
+    - [Content-Addressing Store Objects](@docroot@/store/store-object/content-address.md)
+    - [content-addressed derivation](#gloss-content-addressed-derivation)
+
+  Software Heritage's writing on [*Intrinsic and Extrinsic identifiers*](https://www.softwareheritage.org/2020/07/09/intrinsic-vs-extrinsic-identifiers) is also a good introduction to the value of content-addressing over other referencing schemes.
+
+  Besides content addressing, the Nix store also uses [input addressing](#gloss-input-addressed-store-object).
+
 - [derivation]{#gloss-derivation}
 
   A description of a build task. The result of a derivation is a
@@ -52,10 +71,9 @@
   [`__contentAddressed`](./language/advanced-attributes.md#adv-attr-__contentAddressed)
   attribute set to `true`.
 
-- [fixed-output derivation]{#gloss-fixed-output-derivation}
+- [fixed-output derivation]{#gloss-fixed-output-derivation} (FOD)
 
-  A derivation which includes the
-  [`outputHash`](./language/advanced-attributes.md#adv-attr-outputHash) attribute.
+  A [derivation] where a cryptographic hash of the [output] is determined in advance using the [`outputHash`](./language/advanced-attributes.md#adv-attr-outputHash) attribute, and where the [`builder`](@docroot@/language/derivations.md#attr-builder) executable has access to the network.
 
 - [store]{#gloss-store}
 
@@ -86,7 +104,7 @@
 
   [store path]: #gloss-store-path
 
-- [file system object]{#gloss-store-object}
+- [file system object]{#gloss-file-system-object}
 
   The Nix data model for representing simplified file system data.
 
@@ -118,9 +136,12 @@
 
 - [content-addressed store object]{#gloss-content-addressed-store-object}
 
-  A [store object] whose [store path] is determined by its contents.
+  A [store object] which is [content-addressed](#gloss-content-address),
+  i.e. whose [store path] is determined by its contents.
   This includes derivations, the outputs of [content-addressed derivations](#gloss-content-addressed-derivation), and the outputs of [fixed-output derivations](#gloss-fixed-output-derivation).
 
+  See [Content-Addressing Store Objects](@docroot@/store/store-object/content-address.md) for details.
+
 - [substitute]{#gloss-substitute}
 
   A substitute is a command invocation stored in the [Nix database] that
@@ -147,7 +168,7 @@
 
 - [impure derivation]{#gloss-impure-derivation}
 
-  [An experimental feature](#@docroot@/contributing/experimental-features.md#xp-feature-impure-derivations) that allows derivations to be explicitly marked as impure,
+  [An experimental feature](#@docroot@/development/experimental-features.md#xp-feature-impure-derivations) that allows derivations to be explicitly marked as impure,
   so that they are always rebuilt, and their outputs not reused by subsequent calls to realise them.
 
 - [Nix database]{#gloss-nix-database}
@@ -215,6 +236,20 @@
 
   [output path]: #gloss-output-path
 
+- [output closure]{#gloss-output-closure}\
+  The [closure] of an [output path]. It only contains what is [reachable] from the output.
+
+- [deriving path]{#gloss-deriving-path}
+
+  Deriving paths are a way to refer to [store objects][store object] that ar not yet [realised][realise].
+  This is necessary because, in general and particularly for [content-addressed derivations][content-addressed derivation], the [output path] of an [output] is not known in advance.
+  There are two forms:
+
+  - *constant*: just a [store path]
+    It can be made [valid][validity] by copying it into the store: from the evaluator, command line interface or another store.
+
+  - *output*: a pair of a [store path] to a [derivation] and an [output] name.
+
 - [deriver]{#gloss-deriver}
 
   The [store derivation] that produced an [output path].
@@ -252,13 +287,15 @@
 
   See [installables](./command-ref/new-cli/nix.md#installables) for [`nix` commands](./command-ref/new-cli/nix.md) (experimental) for details.
 
-- [NAR]{#gloss-nar}
+- [Nix Archive (NAR)]{#gloss-nar}
 
   A *N*ix *AR*chive. This is a serialisation of a path in the Nix
   store. It can contain regular files, directories and symbolic
   links.  NARs are generated and unpacked using `nix-store --dump`
   and `nix-store --restore`.
 
+  See [Nix Archive](store/file-system-object/content-address.html#serial-nix-archive) for details.
+
 - [`∅`]{#gloss-emtpy-set}
 
   The empty set symbol. In the context of profile history, this denotes a package is not present in a particular version of the profile.
@@ -275,7 +312,7 @@
 
 - [package attribute set]{#package-attribute-set}
 
-  An [attribute set](@docroot@/language/values.md#attribute-set) containing the attribute `type = "derivation";` (derivation for historical reasons), as well as other attributes, such as
+  An [attribute set](@docroot@/language/types.md#attribute-set) containing the attribute `type = "derivation";` (derivation for historical reasons), as well as other attributes, such as
   - attributes that refer to the files of a [package], typically in the form of [derivation outputs](#output),
   - attributes that declare something about how the package is supposed to be installed or used,
   - other metadata or arbitrary attributes.
@@ -288,16 +325,35 @@
 
   See [String interpolation](./language/string-interpolation.md) for details.
 
-  [string]: ./language/values.md#type-string
-  [path]: ./language/values.md#type-path
-  [attribute name]: ./language/values.md#attribute-set
+  [string]: ./language/types.md#type-string
+  [path]: ./language/types.md#type-path
+  [attribute name]: ./language/types.md#attribute-set
+
+- [base directory]{#gloss-base-directory}
+
+  The location from which relative paths are resolved.
+
+  - For expressions in a file, the base directory is the directory containing that file.
+    This is analogous to the directory of a [base URL](https://datatracker.ietf.org/doc/html/rfc1808#section-3.3).
+    <!-- which is sufficient for resolving non-empty URLs -->
+
+  <!--
+    The wording here may look awkward, but it's for these reasons:
+      * "with --expr": it's a flag, and not an option with an accompanying value
+      * "written in": the expression itself must be written as an argument,
+        whereas the more natural "passed as an argument" allows an interpretation
+        where the expression could be passed by file name.
+    -->
+  - For expressions written in command line arguments with [`--expr`](@docroot@/command-ref/opt-common.html#opt-expr), the base directory is the current working directory.
+
+  [base directory]: #gloss-base-directory
 
 - [experimental feature]{#gloss-experimental-feature}
 
   Not yet stabilized functionality guarded by named experimental feature flags.
   These flags are enabled or disabled with the [`experimental-features`](./command-ref/conf-file.html#conf-experimental-features) setting.
 
-  See the contribution guide on the [purpose and lifecycle of experimental feaures](@docroot@/contributing/experimental-features.md).
+  See the contribution guide on the [purpose and lifecycle of experimental feaures](@docroot@/development/experimental-features.md).
 
 
 [Nix language]: ./language/index.md

doc/manual/src/installation/env-variables.md

@@ -53,7 +53,8 @@ ssl-cert-file = /etc/ssl/my-certificate-bundle.crt
 
 The Nix installer has special handling for these proxy-related
 environment variables: `http_proxy`, `https_proxy`, `ftp_proxy`,
-`no_proxy`, `HTTP_PROXY`, `HTTPS_PROXY`, `FTP_PROXY`, `NO_PROXY`.
+`all_proxy`, `no_proxy`, `HTTP_PROXY`, `HTTPS_PROXY`, `FTP_PROXY`,
+`ALL_PROXY`, `NO_PROXY`.
 
 If any of these variables are set when running the Nix installer, then
 the installer will create an override file at

doc/manual/src/installation/index.md

@@ -14,6 +14,14 @@ This option requires either:
 * Linux running systemd, with SELinux disabled
 * MacOS
 
+> **Updating to macOS 15 Sequoia**
+>
+> If you recently updated to macOS 15 Sequoia and are getting
+> ```console
+> error: the user '_nixbld1' in the group 'nixbld' does not exist
+> ```
+> when running Nix commands, refer to GitHub issue [NixOS/nix#10892](https://github.com/NixOS/nix/issues/10892) for instructions to fix your installation without reinstalling.
+
 ```console
 $ bash <(curl -L https://nixos.org/nix/install) --daemon
 ```

doc/manual/src/installation/installing-binary.md

@@ -1,5 +1,13 @@
 # Installing a Binary Distribution
 
+> **Updating to macOS 15 Sequoia**
+>
+> If you recently updated to macOS 15 Sequoia and are getting
+> ```console
+> error: the user '_nixbld1' in the group 'nixbld' does not exist
+> ```
+> when running Nix commands, refer to GitHub issue [NixOS/nix#10892](https://github.com/NixOS/nix/issues/10892) for instructions to fix your installation without reinstalling.
+
 To install the latest version Nix, run the following command:
 
 ```console
@@ -50,7 +58,7 @@ Supported systems:
 To explicitly instruct the installer to perform a multi-user installation on your system:
 
 ```console
-$ curl -L https://nixos.org/nix/install | sh -s -- --daemon
+$ bash <(curl -L https://nixos.org/nix/install) --daemon
 ```
 
 You can run this under your usual user account or `root`.
@@ -61,7 +69,7 @@ The script will invoke `sudo` as needed.
 To explicitly select a single-user installation on your system:
 
 ```console
-$ curl -L https://nixos.org/nix/install | sh -s -- --no-daemon
+$ bash <(curl -L https://nixos.org/nix/install) --no-daemon
 ```
 
 In a single-user installation, `/nix` is owned by the invoking user.
@@ -77,7 +85,7 @@ $ su root
 # Installing from a binary tarball
 
 You can also download a binary tarball that contains Nix and all its dependencies:
-- Choose a [version](https://releases.nixos.org/?prefix=nix/) and [system type](../contributing/hacking.md#platforms)
+- Choose a [version](https://releases.nixos.org/?prefix=nix/) and [system type](../development/building.md#platforms)
 - Download and unpack the tarball
 - Run the installer
 

doc/manual/src/installation/prerequisites-source.md

@@ -39,8 +39,6 @@
     `pkgconfig` and the Boehm garbage collector, and pass the flag
     `--enable-gc` to `configure`.
 
-    For `bdw-gc` <= 8.2.4 Nix needs a [small patch](https://github.com/NixOS/nix/blob/ac4d2e7b857acdfeac35ac8a592bdecee2d29838/boehmgc-traceable_allocator-public.diff) to be applied.
-
   - The `boost` library of version 1.66.0 or higher. It can be obtained
     from the official web site <https://www.boost.org/>.
 

doc/manual/src/installation/uninstall.md

@@ -1,16 +1,8 @@
 # Uninstalling Nix
 
-## Single User
-
-If you have a [single-user installation](./installing-binary.md#single-user-installation) of Nix, uninstall it by running:
-
-```console
-$ rm -rf /nix
-```
-
 ## Multi User
 
-Removing a [multi-user installation](./installing-binary.md#multi-user-installation) of Nix is more involved, and depends on the operating system.
+Removing a [multi-user installation](./installing-binary.md#multi-user-installation) depends on the operating system.
 
 ### Linux
 
@@ -51,7 +43,23 @@ which you may remove.
 
 ### macOS
 
-1. Edit `/etc/zshrc`, `/etc/bashrc`, and `/etc/bash.bashrc` to remove the lines sourcing `nix-daemon.sh`, which should look like this:
+> **Updating to macOS 15 Sequoia**
+>
+> If you recently updated to macOS 15 Sequoia and are getting
+> ```console
+> error: the user '_nixbld1' in the group 'nixbld' does not exist
+> ```
+> when running Nix commands, refer to GitHub issue [NixOS/nix#10892](https://github.com/NixOS/nix/issues/10892) for instructions to fix your installation without reinstalling.
+
+1. If system-wide shell initialisation files haven't been altered since installing Nix, use the backups made by the installer:
+
+   ```console
+   sudo mv /etc/zshrc.backup-before-nix /etc/zshrc
+   sudo mv /etc/bashrc.backup-before-nix /etc/bashrc
+   sudo mv /etc/bash.bashrc.backup-before-nix /etc/bash.bashrc
+   ```
+
+   Otherwise, edit `/etc/zshrc`, `/etc/bashrc`, and `/etc/bash.bashrc` to remove the lines sourcing `nix-daemon.sh`, which should look like this:
 
    ```bash
    # Nix
@@ -61,18 +69,6 @@ which you may remove.
    # End Nix
    ```
 
-   If these files haven't been altered since installing Nix you can simply put
-   the backups back in place:
-
-   ```console
-   sudo mv /etc/zshrc.backup-before-nix /etc/zshrc
-   sudo mv /etc/bashrc.backup-before-nix /etc/bashrc
-   sudo mv /etc/bash.bashrc.backup-before-nix /etc/bash.bashrc
-   ```
-
-   This will stop shells from sourcing the file and bringing everything you
-   installed using Nix in scope.
-
 2. Stop and remove the Nix daemon services:
 
    ```console
@@ -82,8 +78,7 @@ which you may remove.
    sudo rm /Library/LaunchDaemons/org.nixos.darwin-store.plist
    ```
 
-   This stops the Nix daemon and prevents it from being started next time you
-   boot the system.
+   This stops the Nix daemon and prevents it from being started next time you boot the system.
 
 3. Remove the `nixbld` group and the `_nixbuildN` users:
 
@@ -94,25 +89,42 @@ which you may remove.
 
    This will remove all the build users that no longer serve a purpose.
 
-4. Edit fstab using `sudo vifs` to remove the line mounting the Nix Store
-   volume on `/nix`, which looks like
-   `UUID=<uuid> /nix apfs rw,noauto,nobrowse,suid,owners` or
-   `LABEL=Nix\040Store /nix apfs rw,nobrowse`. This will prevent automatic
-   mounting of the Nix Store volume.
+4. Edit fstab using `sudo vifs` to remove the line mounting the Nix Store volume on `/nix`, which looks like
 
-5. Edit `/etc/synthetic.conf` to remove the `nix` line. If this is the only
-   line in the file you can remove it entirely, `sudo rm /etc/synthetic.conf`.
-   This will prevent the creation of the empty `/nix` directory to provide a
-   mountpoint for the Nix Store volume.
+   ```
+   UUID=<uuid> /nix apfs rw,noauto,nobrowse,suid,owners
+   ```
+   or
 
-6. Remove the files Nix added to your system:
+   ```
+   LABEL=Nix\040Store /nix apfs rw,nobrowse
+   ```
+
+   by setting the cursor on the respective line using the error keys, and pressing `dd`, and then `:wq` to save the file.
+
+   This will prevent automatic mounting of the Nix Store volume.
+
+5. Edit `/etc/synthetic.conf` to remove the `nix` line.
+   If this is the only line in the file you can remove it entirely:
+
+   ```bash
+   if [ -f /etc/synthetic.conf ]; then
+     if [ "$(cat /etc/synthetic.conf)" = "nix" ]; then
+       sudo rm /etc/synthetic.conf
+     else
+       sudo vi /etc/synthetic.conf
+     fi
+   fi
+   ```
+
+   This will prevent the creation of the empty `/nix` directory.
+
+6. Remove the files Nix added to your system, except for the store:
 
    ```console
    sudo rm -rf /etc/nix /var/root/.nix-profile /var/root/.nix-defexpr /var/root/.nix-channels ~/.nix-profile ~/.nix-defexpr ~/.nix-channels
    ```
 
-   This gets rid of any data Nix may have created except for the store which is
-   removed next.
 
 7. Remove the Nix Store volume:
 
@@ -120,29 +132,32 @@ which you may remove.
    sudo diskutil apfs deleteVolume /nix
    ```
 
-   This will remove the Nix Store volume and everything that was added to the
-   store.
+   This will remove the Nix Store volume and everything that was added to the store.
 
-   If the output indicates that the command couldn't remove the volume, you should
-   make sure you don't have an _unmounted_ Nix Store volume. Look for a
-   "Nix Store" volume in the output of the following command:
+   If the output indicates that the command couldn't remove the volume, you should make sure you don't have an _unmounted_ Nix Store volume.
+   Look for a "Nix Store" volume in the output of the following command:
 
    ```console
    diskutil list
    ```
 
-   If you _do_ see a "Nix Store" volume, delete it by re-running the diskutil
-   deleteVolume command, but replace `/nix` with the store volume's `diskXsY`
-   identifier.
+   If you _do_ find a "Nix Store" volume, delete it by running `diskutil deleteVolume` with the store volume's `diskXsY` identifier.
 
 > **Note**
 >
-> After you complete the steps here, you will still have an empty `/nix`
-> directory. This is an expected sign of a successful uninstall. The empty
-> `/nix` directory will disappear the next time you reboot.
+> After you complete the steps here, you will still have an empty `/nix` directory.
+> This is an expected sign of a successful uninstall.
+> The empty `/nix` directory will disappear the next time you reboot.
 >
-> You do not have to reboot to finish uninstalling Nix. The uninstall is
-> complete. macOS (Catalina+) directly controls root directories and its
-> read-only root will prevent you from manually deleting the empty `/nix`
-> mountpoint.
+> You do not have to reboot to finish uninstalling Nix.
+> The uninstall is complete.
+> macOS (Catalina+) directly controls root directories, and its read-only root will prevent you from manually deleting the empty `/nix` mountpoint.
 
+## Single User
+
+To remove a [single-user installation](./installing-binary.md#single-user-installation) of Nix, run:
+
+```console
+$ rm -rf /nix ~/.nix-channels ~/.nix-defexpr ~/.nix-profile
+```
+You might also want to manually remove references to Nix from your `~/.profile`.

doc/manual/src/installation/upgrading.md

@@ -28,7 +28,7 @@ $ sudo su
 ## macOS multi-user
 
 ```console
-$ sudo nix-env --install --file '<nixpkgs>' --attr nix -I nixpkgs=channel:nixpkgs-unstable
+$ sudo nix-env --install --file '<nixpkgs>' --attr nix cacert -I nixpkgs=channel:nixpkgs-unstable
 $ sudo launchctl remove org.nixos.nix-daemon
 $ sudo launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist
 ```