Merge remote-tracking branch 'cve/fod-cves-2.28' into 2.28-maintenance

Make the repl test more robust (backport #13348)

.gitignore

@@ -14,7 +14,7 @@
 /tests/functional/lang/*.err
 /tests/functional/lang/*.ast
 
-outputs/
+/outputs
 
 *~
 

.mergify.yml

@@ -117,3 +117,14 @@ pull_request_rules:
         labels:
           - automatic backport
           - merge-queue
+
+  - name: backport patches to 2.27
+    conditions:
+      - label=backport 2.27-maintenance
+    actions:
+      backport:
+        branches:
+          - "2.27-maintenance"
+        labels:
+          - automatic backport
+          - merge-queue

.version

@@ -1 +1 @@
-2.27.0
+2.28.4

doc/manual/generate-deps.py

@@ -14,7 +14,7 @@ import sys
 # literally. since the rules for these aren't even the same for
 # all three we will just fail when we encounter any of them (if
 # asserts are off for some reason the depfile will likely point
-# to nonexistant paths, making everything phony and thus fine.)
+# to nonexistent paths, making everything phony and thus fine.)
 for path in glob.glob(sys.argv[1] + '/**', recursive=True):
     assert '\\' not in path
     assert ' ' not in path

doc/manual/meson.build

@@ -67,7 +67,7 @@ subdir('source/release-notes')
 subdir('source')
 
 # Hacky way to figure out if `nix` is an `ExternalProgram` or
-# `Exectuable`. Only the latter can occur in custom target input lists.
+# `Executable`. Only the latter can occur in custom target input lists.
 if nix.full_path().startswith(meson.build_root())
   nix_input = nix
 else

doc/manual/source/SUMMARY.md.in

@@ -22,7 +22,10 @@
   - [Store Object](store/store-object.md)
     - [Content-Addressing Store Objects](store/store-object/content-address.md)
   - [Store Path](store/store-path.md)
-  - [Store Derivation and Deriving Path](store/drv.md)
+  - [Store Derivation and Deriving Path](store/derivation/index.md)
+    - [Derivation Outputs and Types of Derivations](store/derivation/outputs/index.md)
+      - [Content-addressing derivation outputs](store/derivation/outputs/content-address.md)
+      - [Input-addressing derivation outputs](store/derivation/outputs/input-address.md)
   - [Building](store/building.md)
   - [Store Types](store/types/index.md)
 {{#include ./store/types/SUMMARY.md}}
@@ -132,6 +135,7 @@
   - [Contributing](development/contributing.md)
 - [Releases](release-notes/index.md)
 {{#include ./SUMMARY-rl-next.md}}
+  - [Release 2.28 (2025-04-02)](release-notes/rl-2.28.md)
   - [Release 2.27 (2025-03-03)](release-notes/rl-2.27.md)
   - [Release 2.26 (2025-01-22)](release-notes/rl-2.26.md)
   - [Release 2.25 (2024-11-07)](release-notes/rl-2.25.md)

doc/manual/source/advanced-topics/distributed-builds.md

@@ -20,14 +20,14 @@ For a local machine to forward a build to a remote machine, the remote machine m
 
 ## Testing
 
-To test connecting to a remote Nix instance (in this case `mac`), run:
+To test connecting to a remote [Nix instance] (in this case `mac`), run:
 
 ```console
 nix store info --store ssh://username@mac
 ```
 
 To specify an SSH identity file as part of the remote store URI add a
-query paramater, e.g.
+query parameter, e.g.
 
 ```console
 nix store info --store ssh://username@mac?ssh-key=/home/alice/my-key
@@ -106,3 +106,5 @@ file included in `builders` via the syntax `@/path/to/file`. For example,
 
 causes the list of machines in `/etc/nix/machines` to be included.
 (This is the default.)
+
+[Nix instance]: @docroot@/glossary.md#gloss-nix-instance

doc/manual/source/architecture/architecture.md

@@ -22,9 +22,9 @@ The following [concept map] shows its main components (rectangles), the objects
            |                   |
 +----------|-------------------|--------------------------------+
 | Nix      |                   V                                |
-|          |      +-------------------------+                   |
-|          |      | commmand line interface |------.            |
-|          |      +-------------------------+      |            |
+|          |       +------------------------+                   |
+|          |       | command line interface |------.            |
+|          |       +------------------------+      |            |
 |          |                   |                   |            |
 |    evaluated by            calls              manages         |
 |          |                   |                   |            |

doc/manual/source/command-ref/nix-env/delete-generations.md

@@ -27,7 +27,7 @@ This operation deletes the specified generations of the current profile.
   >
   > Older *and newer* generations will be deleted by this operation.
   >
-  > One might expect this to just delete older generations than the curent one, but that is only true if the current generation is also the latest.
+  > One might expect this to just delete older generations than the current one, but that is only true if the current generation is also the latest.
   > Because one can roll back to a previous generation, it is possible to have generations newer than the current one.
   > They will also be deleted.
 

doc/manual/source/development/building.md

@@ -195,19 +195,25 @@ Nix uses a string with the following format to identify the *system type* or *pl
 <cpu>-<os>[-<abi>]
 ```
 
-It is set when Nix is compiled for the given system, and based on the output of [`config.guess`](https://github.com/nixos/nix/blob/master/config/config.guess) ([upstream](https://git.savannah.gnu.org/cgit/config.git/tree/config.guess)):
+It is set when Nix is compiled for the given system, and based on the output of Meson's [`host_machine` information](https://mesonbuild.com/Reference-manual_builtin_host_machine.html)>
 
 ```
 <cpu>-<vendor>-<os>[<version>][-<abi>]
 ```
 
-When Nix is built such that `./configure` is passed any of the `--host`, `--build`, `--target` options, the value is based on the output of [`config.sub`](https://github.com/nixos/nix/blob/master/config/config.sub) ([upstream](https://git.savannah.gnu.org/cgit/config.git/tree/config.sub)):
+When cross-compiling Nix with Meson for local development, you need to specify a [cross-file](https://mesonbuild.com/Cross-compilation.html) using the `--cross-file` option. Cross-files define the target architecture and toolchain. When cross-compiling Nix with Nix, Nixpkgs takes care of this for you.
+
+In the nix flake we also have some cross-compilation targets available:
 
 ```
-<cpu>-<vendor>[-<kernel>]-<os>
+nix build .#nix-everything-riscv64-unknown-linux-gnu
+nix build .#nix-everything-armv7l-unknown-linux-gnueabihf
+nix build .#nix-everything-armv7l-unknown-linux-gnueabihf
+nix build .#nix-everything-x86_64-unknown-freebsd
+nix build .#nix-everything-x86_64-w64-mingw32
 ```
 
-For historic reasons and backward-compatibility, some CPU and OS identifiers are translated from the GNU Autotools naming convention in [`configure.ac`](https://github.com/nixos/nix/blob/master/configure.ac) as follows:
+For historic reasons and backward-compatibility, some CPU and OS identifiers are translated as follows:
 
 | `config.guess`             | Nix                 |
 |----------------------------|---------------------|
@@ -230,18 +236,18 @@ Nix can be compiled using multiple environments:
 To build with one of those environments, you can use
 
 ```console
-$ nix build .#nix-ccacheStdenv
+$ nix build .#nix-cli-ccacheStdenv
 ```
 
 for flake-enabled Nix, or
 
 ```console
-$ nix-build --attr nix-ccacheStdenv
+$ nix-build --attr nix-cli-ccacheStdenv
 ```
 
 for classic Nix.
 
-You can use any of the other supported environments in place of `nix-ccacheStdenv`.
+You can use any of the other supported environments in place of `nix-cli-ccacheStdenv`.
 
 ## Editor integration
 

doc/manual/source/development/cli-guideline.md

@@ -170,9 +170,9 @@ sensitive.
 
 
 ```shell
-$ nix init --template=template#pyton
+$ nix init --template=template#python
 ------------------------------------------------------------------------
-  Error! Template `template#pyton` not found.
+  Error! Template `template#python` not found.
 ------------------------------------------------------------------------
 Initializing Nix project at `/path/to/here`.
       Select a template for you new project:

doc/manual/source/development/testing.md

@@ -30,7 +30,7 @@ The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
 > src
 > ├── libexpr
 > │   ├── meson.build
-> │   ├── value/context.hh
+> │   ├── include/nix/expr/value/context.hh
 > │   ├── value/context.cc
 > │   …
 > │
@@ -46,8 +46,12 @@ The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
 > │   │
 > │   ├── libexpr-test-support
 > │   │   ├── meson.build
+> │   │   ├── include/nix/expr
+> │   │   │   ├── meson.build
+> │   │   │   └── tests
+> │   │   │       ├── value/context.hh
+> │   │   │       …
 > │   │   └── tests
-> │   │       ├── value/context.hh
 > │   │       ├── value/context.cc
 > │   │       …
 > │   │
@@ -59,7 +63,7 @@ The unit tests are defined using the [googletest] and [rapidcheck] frameworks.
 > ```
 
 The tests for each Nix library (`libnixexpr`, `libnixstore`, etc..) live inside a directory `src/${library_name_without-nix}-test`.
-Given an interface (header) and implementation pair in the original library, say, `src/libexpr/value/context.{hh,cc}`, we write tests for it in `src/libexpr-tests/value/context.cc`, and (possibly) declare/define additional interfaces for testing purposes in `src/libexpr-test-support/tests/value/context.{hh,cc}`.
+Given an interface (header) and implementation pair in the original library, say, `src/libexpr/include/nix/expr/value/context.hh` and `src/libexpr/value/context.cc`, we write tests for it in `src/libexpr-tests/value/context.cc`, and (possibly) declare/define additional interfaces for testing purposes in `src/libexpr-test-support/include/nix/expr/tests/value/context.hh` and `src/libexpr-test-support/tests/value/context.cc`.
 
 Data for unit tests is stored in a `data` subdir of the directory for each unit test executable.
 For example, `libnixstore` code is in `src/libstore`, and its test data is in `src/libstore-tests/data`.
@@ -67,7 +71,7 @@ The path to the `src/${library_name_without-nix}-test/data` directory is passed
 Note that each executable only gets the data for its tests.
 
 The unit test libraries are in `src/${library_name_without-nix}-test-support`.
-All headers are in a `tests` subdirectory so they are included with `#include "tests/"`.
+All headers are in a `tests` subdirectory so they are included with `#include "nix/tests/"`.
 
 The use of all these separate directories for the unit tests might seem inconvenient, as for example the tests are not "right next to" the part of the code they are testing.
 But organizing the tests this way has one big benefit:

doc/manual/source/glossary.md

@@ -1,5 +1,13 @@
 # Glossary
 
+- [build system]{#gloss-build-system}
+
+  Generic term for software that facilitates the building of software by automating the invocation of compilers, linkers, and other tools.
+
+  Nix can be used as a generic build system.
+  It has no knowledge of any particular programming language or toolchain.
+  These details are specified in [derivation expressions](#gloss-derivation-expression).
+
 - [content address]{#gloss-content-address}
 
   A
@@ -19,10 +27,14 @@
 
   Besides content addressing, the Nix store also uses [input addressing](#gloss-input-addressed-store-object).
 
+- [content-addressed storage]{#gloss-content-addressed-store}
+
+  The industry term for storage and retrieval systems using [content addressing](#gloss-content-address). A Nix store also has [input addressing](#gloss-input-addressed-store-object), and metadata.
+
 - [store derivation]{#gloss-store-derivation}
 
   A single build task.
-  See [Store Derivation](@docroot@/store/drv.md#store-derivation) for details.
+  See [Store Derivation](@docroot@/store/derivation/index.md#store-derivation) for details.
 
   [store derivation]: #gloss-store-derivation
 
@@ -30,7 +42,7 @@
 
   A [store path] which uniquely identifies a [store derivation].
 
-  See [Referencing Store Derivations](@docroot@/store/drv.md#derivation-path) for details.
+  See [Referencing Store Derivations](@docroot@/store/derivation/index.md#derivation-path) for details.
 
   Not to be confused with [deriving path].
 
@@ -88,6 +100,12 @@
 
   [store]: #gloss-store
 
+- [Nix instance]{#gloss-nix-instance}
+  <!-- ambiguous -->
+  1. An installation of Nix, which includes the presence of a [store], and the Nix package manager which operates on that store.
+     A local Nix installation and a [remote builder](@docroot@/advanced-topics/distributed-builds.md) are two examples of Nix instances.
+  2. A running Nix process, such as the `nix` command.
+
 - [binary cache]{#gloss-binary-cache}
 
   A *binary cache* is a Nix store which uses a different format: its
@@ -220,7 +238,7 @@
   directly or indirectly “reachable” from that store path; that is,
   it’s the closure of the path under the *references* relation. For
   a package, the closure of its derivation is equivalent to the
-  build-time dependencies, while the closure of its output path is
+  build-time dependencies, while the closure of its [output path] is
   equivalent to its runtime dependencies. For correct deployment it
   is necessary to deploy whole closures, since otherwise at runtime
   files could be missing. The command `nix-store --query --requisites ` prints out
@@ -252,7 +270,7 @@
 
   Deriving paths are a way to refer to [store objects][store object] that might not yet be [realised][realise].
 
-  See [Deriving Path](./store/drv.md#deriving-path) for details.
+  See [Deriving Path](./store/derivation/index.md#deriving-path) for details.
 
   Not to be confused with [derivation path].
 
@@ -302,7 +320,7 @@
 
   See [Nix Archive](store/file-system-object/content-address.html#serial-nix-archive) for details.
 
-- [`∅`]{#gloss-emtpy-set}
+- [`∅`]{#gloss-empty-set}
 
   The empty set symbol. In the context of profile history, this denotes a package is not present in a particular version of the profile.
 

doc/manual/source/language/advanced-attributes.md

@@ -2,6 +2,83 @@
 
 Derivations can declare some infrequently used optional attributes.
 
+## Inputs
+
+  - [`exportReferencesGraph`]{#adv-attr-exportReferencesGraph}\
+    This attribute allows builders access to the references graph of
+    their inputs. The attribute is a list of inputs in the Nix store
+    whose references graph the builder needs to know. The value of
+    this attribute should be a list of pairs `[ name1 path1 name2
+    path2 ...  ]`. The references graph of each *pathN* will be stored
+    in a text file *nameN* in the temporary build directory. The text
+    files have the format used by `nix-store --register-validity`
+    (with the deriver fields left empty). For example, when the
+    following derivation is built:
+
+    ```nix
+    derivation {
+      ...
+      exportReferencesGraph = [ "libfoo-graph" libfoo ];
+    };
+    ```
+
+    the references graph of `libfoo` is placed in the file
+    `libfoo-graph` in the temporary build directory.
+
+    `exportReferencesGraph` is useful for builders that want to do
+    something with the closure of a store path. Examples include the
+    builders in NixOS that generate the initial ramdisk for booting
+    Linux (a `cpio` archive containing the closure of the boot script)
+    and the ISO-9660 image for the installation CD (which is populated
+    with a Nix store containing the closure of a bootable NixOS
+    configuration).
+
+  - [`passAsFile`]{#adv-attr-passAsFile}\
+    A list of names of attributes that should be passed via files rather
+    than environment variables. For example, if you have
+
+    ```nix
+    passAsFile = ["big"];
+    big = "a very long string";
+    ```
+
+    then when the builder runs, the environment variable `bigPath`
+    will contain the absolute path to a temporary file containing `a
+    very long string`. That is, for any attribute *x* listed in
+    `passAsFile`, Nix will pass an environment variable `xPath`
+    holding the path of the file containing the value of attribute
+    *x*. This is useful when you need to pass large strings to a
+    builder, since most operating systems impose a limit on the size
+    of the environment (typically, a few hundred kilobyte).
+
+  - [`__structuredAttrs`]{#adv-attr-structuredAttrs}\
+    If the special attribute `__structuredAttrs` is set to `true`, the other derivation
+    attributes are serialised into a file in JSON format. The environment variable
+    `NIX_ATTRS_JSON_FILE` points to the exact location of that file both in a build
+    and a [`nix-shell`](../command-ref/nix-shell.md). This obviates the need for
+    [`passAsFile`](#adv-attr-passAsFile) since JSON files have no size restrictions,
+    unlike process environments.
+
+    It also makes it possible to tweak derivation settings in a structured way; see
+    [`outputChecks`](#adv-attr-outputChecks) for example.
+
+    As a convenience to Bash builders,
+    Nix writes a script that initialises shell variables
+    corresponding to all attributes that are representable in Bash. The
+    environment variable `NIX_ATTRS_SH_FILE` points to the exact
+    location of the script, both in a build and a
+    [`nix-shell`](../command-ref/nix-shell.md). This includes non-nested
+    (associative) arrays. For example, the attribute `hardening.format = true`
+    ends up as the Bash associative array element `${hardening[format]}`.
+
+    > **Warning**
+    >
+    > If set to `true`, other advanced attributes such as [`allowedReferences`](#adv-attr-allowedReferences), [`allowedRequisites`](#adv-attr-allowedRequisites),
+    [`disallowedReferences`](#adv-attr-disallowedReferences) and [`disallowedRequisites`](#adv-attr-disallowedRequisites), maxSize, and maxClosureSize.
+    will have no effect.
+
+## Output checks
+
   - [`allowedReferences`]{#adv-attr-allowedReferences}\
     The optional attribute `allowedReferences` specifies a list of legal
     references (dependencies) of the output of the builder. For example,
@@ -55,259 +132,6 @@ Derivations can declare some infrequently used optional attributes.
     dependency on `foobar` or any other derivation depending recursively
     on `foobar`.
 
-  - [`exportReferencesGraph`]{#adv-attr-exportReferencesGraph}\
-    This attribute allows builders access to the references graph of
-    their inputs. The attribute is a list of inputs in the Nix store
-    whose references graph the builder needs to know. The value of
-    this attribute should be a list of pairs `[ name1 path1 name2
-    path2 ...  ]`. The references graph of each *pathN* will be stored
-    in a text file *nameN* in the temporary build directory. The text
-    files have the format used by `nix-store --register-validity`
-    (with the deriver fields left empty). For example, when the
-    following derivation is built:
-
-    ```nix
-    derivation {
-      ...
-      exportReferencesGraph = [ "libfoo-graph" libfoo ];
-    };
-    ```
-
-    the references graph of `libfoo` is placed in the file
-    `libfoo-graph` in the temporary build directory.
-
-    `exportReferencesGraph` is useful for builders that want to do
-    something with the closure of a store path. Examples include the
-    builders in NixOS that generate the initial ramdisk for booting
-    Linux (a `cpio` archive containing the closure of the boot script)
-    and the ISO-9660 image for the installation CD (which is populated
-    with a Nix store containing the closure of a bootable NixOS
-    configuration).
-
-  - [`impureEnvVars`]{#adv-attr-impureEnvVars}\
-    This attribute allows you to specify a list of environment variables
-    that should be passed from the environment of the calling user to
-    the builder. Usually, the environment is cleared completely when the
-    builder is executed, but with this attribute you can allow specific
-    environment variables to be passed unmodified. For example,
-    `fetchurl` in Nixpkgs has the line
-
-    ```nix
-    impureEnvVars = [ "http_proxy" "https_proxy" ... ];
-    ```
-
-    to make it use the proxy server configuration specified by the user
-    in the environment variables `http_proxy` and friends.
-
-    This attribute is only allowed in *fixed-output derivations* (see
-    below), where impurities such as these are okay since (the hash
-    of) the output is known in advance. It is ignored for all other
-    derivations.
-
-    > **Warning**
-    >
-    > `impureEnvVars` implementation takes environment variables from
-    > the current builder process. When a daemon is building its
-    > environmental variables are used. Without the daemon, the
-    > environmental variables come from the environment of the
-    > `nix-build`.
-
-    If the [`configurable-impure-env` experimental
-    feature](@docroot@/development/experimental-features.md#xp-feature-configurable-impure-env)
-    is enabled, these environment variables can also be controlled
-    through the
-    [`impure-env`](@docroot@/command-ref/conf-file.md#conf-impure-env)
-    configuration setting.
-
-  - [`outputHash`]{#adv-attr-outputHash}; [`outputHashAlgo`]{#adv-attr-outputHashAlgo}; [`outputHashMode`]{#adv-attr-outputHashMode}\
-    These attributes declare that the derivation is a so-called *fixed-output derivation* (FOD), which means that a cryptographic hash of the output is already known in advance.
-
-    As opposed to regular derivations, the [`builder`] executable of a fixed-output derivation has access to the network.
-    Nix computes a cryptographic hash of its output and compares that to the hash declared with these attributes.
-    If there is a mismatch, the derivation fails.
-
-    The rationale for fixed-output derivations is derivations such as
-    those produced by the `fetchurl` function. This function downloads a
-    file from a given URL. To ensure that the downloaded file has not
-    been modified, the caller must also specify a cryptographic hash of
-    the file. For example,
-
-    ```nix
-    fetchurl {
-      url = "http://ftp.gnu.org/pub/gnu/hello/hello-2.1.1.tar.gz";
-      sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
-    }
-    ```
-
-    It sometimes happens that the URL of the file changes, e.g., because
-    servers are reorganised or no longer available. We then must update
-    the call to `fetchurl`, e.g.,
-
-    ```nix
-    fetchurl {
-      url = "ftp://ftp.nluug.nl/pub/gnu/hello/hello-2.1.1.tar.gz";
-      sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
-    }
-    ```
-
-    If a `fetchurl` derivation was treated like a normal derivation, the
-    output paths of the derivation and *all derivations depending on it*
-    would change. For instance, if we were to change the URL of the
-    Glibc source distribution in Nixpkgs (a package on which almost all
-    other packages depend) massive rebuilds would be needed. This is
-    unfortunate for a change which we know cannot have a real effect as
-    it propagates upwards through the dependency graph.
-
-    For fixed-output derivations, on the other hand, the name of the
-    output path only depends on the `outputHash*` and `name` attributes,
-    while all other attributes are ignored for the purpose of computing
-    the output path. (The `name` attribute is included because it is
-    part of the path.)
-
-    As an example, here is the (simplified) Nix expression for
-    `fetchurl`:
-
-    ```nix
-    { stdenv, curl }: # The curl program is used for downloading.
-
-    { url, sha256 }:
-
-    stdenv.mkDerivation {
-      name = baseNameOf (toString url);
-      builder = ./builder.sh;
-      buildInputs = [ curl ];
-
-      # This is a fixed-output derivation; the output must be a regular
-      # file with SHA256 hash sha256.
-      outputHashMode = "flat";
-      outputHashAlgo = "sha256";
-      outputHash = sha256;
-
-      inherit url;
-    }
-    ```
-
-    The `outputHash` attribute must be a string containing the hash in either hexadecimal or "nix32" encoding, or following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
-    The "nix32" encoding is an adaptation of base-32 encoding.
-    The [`convertHash`](@docroot@/language/builtins.md#builtins-convertHash) function shows how to convert between different encodings, and the [`nix-hash` command](../command-ref/nix-hash.md) has information about obtaining the hash for some contents, as well as converting to and from encodings.
-
-    The `outputHashAlgo` attribute specifies the hash algorithm used to compute the hash.
-    It can currently be `"blake3", "sha1"`, `"sha256"`, `"sha512"`, or `null`.
-    `outputHashAlgo` can only be `null` when `outputHash` follows the SRI format.
-
-    The `outputHashMode` attribute determines how the hash is computed.
-    It must be one of the following values:
-
-      - [`"flat"`](@docroot@/store/store-object/content-address.md#method-flat)
-
-        This is the default.
-
-      - [`"recursive"` or `"nar"`](@docroot@/store/store-object/content-address.md#method-nix-archive)
-
-        > **Compatibility**
-        >
-        > `"recursive"` is the traditional way of indicating this,
-        > and is supported since 2005 (virtually the entire history of Nix).
-        > `"nar"` is more clear, and consistent with other parts of Nix (such as the CLI),
-        > however support for it is only added in Nix version 2.21.
-
-      - [`"text"`](@docroot@/store/store-object/content-address.md#method-text)
-
-        > **Warning**
-        >
-        > The use of this method for derivation outputs is part of the [`dynamic-derivations`][xp-feature-dynamic-derivations] experimental feature.
-
-      - [`"git"`](@docroot@/store/store-object/content-address.md#method-git)
-
-        > **Warning**
-        >
-        > This method is part of the [`git-hashing`][xp-feature-git-hashing] experimental feature.
-
-  - [`__contentAddressed`]{#adv-attr-__contentAddressed}
-
-    > **Warning**
-    > This attribute is part of an [experimental feature](@docroot@/development/experimental-features.md).
-    >
-    > To use this attribute, you must enable the
-    > [`ca-derivations`][xp-feature-ca-derivations] experimental feature.
-    > For example, in [nix.conf](../command-ref/conf-file.md) you could add:
-    >
-    > ```
-    > extra-experimental-features = ca-derivations
-    > ```
-
-    If this attribute is set to `true`, then the derivation
-    outputs will be stored in a content-addressed location rather than the
-    traditional input-addressed one.
-
-    Setting this attribute also requires setting
-    [`outputHashMode`](#adv-attr-outputHashMode)
-    and
-    [`outputHashAlgo`](#adv-attr-outputHashAlgo)
-    like for *fixed-output derivations* (see above).
-
-    It also implicitly requires that the machine to build the derivation must have the `ca-derivations` [system feature](@docroot@/command-ref/conf-file.md#conf-system-features).
-
-  - [`passAsFile`]{#adv-attr-passAsFile}\
-    A list of names of attributes that should be passed via files rather
-    than environment variables. For example, if you have
-
-    ```nix
-    passAsFile = ["big"];
-    big = "a very long string";
-    ```
-
-    then when the builder runs, the environment variable `bigPath`
-    will contain the absolute path to a temporary file containing `a
-    very long string`. That is, for any attribute *x* listed in
-    `passAsFile`, Nix will pass an environment variable `xPath`
-    holding the path of the file containing the value of attribute
-    *x*. This is useful when you need to pass large strings to a
-    builder, since most operating systems impose a limit on the size
-    of the environment (typically, a few hundred kilobyte).
-
-  - [`preferLocalBuild`]{#adv-attr-preferLocalBuild}\
-    If this attribute is set to `true` and [distributed building is enabled](@docroot@/command-ref/conf-file.md#conf-builders), then, if possible, the derivation will be built locally instead of being forwarded to a remote machine.
-    This is useful for derivations that are cheapest to build locally.
-
-  - [`allowSubstitutes`]{#adv-attr-allowSubstitutes}\
-    If this attribute is set to `false`, then Nix will always build this derivation (locally or remotely); it will not try to substitute its outputs.
-    This is useful for derivations that are cheaper to build than to substitute.
-
-    This attribute can be ignored by setting [`always-allow-substitutes`](@docroot@/command-ref/conf-file.md#conf-always-allow-substitutes) to `true`.
-
-    > **Note**
-    >
-    > If set to `false`, the [`builder`] should be able to run on the system type specified in the [`system` attribute](./derivations.md#attr-system), since the derivation cannot be substituted.
-
-    [`builder`]: ./derivations.md#attr-builder
-
-  - [`__structuredAttrs`]{#adv-attr-structuredAttrs}\
-    If the special attribute `__structuredAttrs` is set to `true`, the other derivation
-    attributes are serialised into a file in JSON format. The environment variable
-    `NIX_ATTRS_JSON_FILE` points to the exact location of that file both in a build
-    and a [`nix-shell`](../command-ref/nix-shell.md). This obviates the need for
-    [`passAsFile`](#adv-attr-passAsFile) since JSON files have no size restrictions,
-    unlike process environments.
-
-    It also makes it possible to tweak derivation settings in a structured way; see
-    [`outputChecks`](#adv-attr-outputChecks) for example.
-
-    As a convenience to Bash builders,
-    Nix writes a script that initialises shell variables
-    corresponding to all attributes that are representable in Bash. The
-    environment variable `NIX_ATTRS_SH_FILE` points to the exact
-    location of the script, both in a build and a
-    [`nix-shell`](../command-ref/nix-shell.md). This includes non-nested
-    (associative) arrays. For example, the attribute `hardening.format = true`
-    ends up as the Bash associative array element `${hardening[format]}`.
-
-    > **Warning**
-    >
-    > If set to `true`, other advanced attributes such as [`allowedReferences`](#adv-attr-allowedReferences), [`allowedReferences`](#adv-attr-allowedReferences), [`allowedRequisites`](#adv-attr-allowedRequisites),
-    [`disallowedReferences`](#adv-attr-disallowedReferences) and [`disallowedRequisites`](#adv-attr-disallowedRequisites), maxSize, and maxClosureSize.
-    will have no effect.
-
   - [`outputChecks`]{#adv-attr-outputChecks}\
     When using [structured attributes](#adv-attr-structuredAttrs), the `outputChecks`
     attribute allows defining checks per-output.
@@ -341,6 +165,8 @@ Derivations can declare some infrequently used optional attributes.
     };
     ```
 
+## Other output modifications
+
   - [`unsafeDiscardReferences`]{#adv-attr-unsafeDiscardReferences}\
 
     When using [structured attributes](#adv-attr-structuredAttrs), the
@@ -358,6 +184,24 @@ Derivations can declare some infrequently used optional attributes.
     their own embedded Nix store: hashes found inside such an image refer
     to the embedded store and not to the host's Nix store.
 
+## Build scheduling
+
+  - [`preferLocalBuild`]{#adv-attr-preferLocalBuild}\
+    If this attribute is set to `true` and [distributed building is enabled](@docroot@/command-ref/conf-file.md#conf-builders), then, if possible, the derivation will be built locally instead of being forwarded to a remote machine.
+    This is useful for derivations that are cheapest to build locally.
+
+  - [`allowSubstitutes`]{#adv-attr-allowSubstitutes}\
+    If this attribute is set to `false`, then Nix will always build this derivation (locally or remotely); it will not try to substitute its outputs.
+    This is useful for derivations that are cheaper to build than to substitute.
+
+    This attribute can be ignored by setting [`always-allow-substitutes`](@docroot@/command-ref/conf-file.md#conf-always-allow-substitutes) to `true`.
+
+    > **Note**
+    >
+    > If set to `false`, the [`builder`] should be able to run on the system type specified in the [`system` attribute](./derivations.md#attr-system), since the derivation cannot be substituted.
+
+    [`builder`]: ./derivations.md#attr-builder
+
 - [`requiredSystemFeatures`]{#adv-attr-requiredSystemFeatures}\
 
   If a derivation has the `requiredSystemFeatures` attribute, then Nix will only build it on a machine that has the corresponding features set in its [`system-features` configuration](@docroot@/command-ref/conf-file.md#conf-system-features).
@@ -370,6 +214,171 @@ Derivations can declare some infrequently used optional attributes.
 
   ensures that the derivation can only be built on a machine with the `kvm` feature.
 
-[xp-feature-ca-derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
+# Impure builder configuration
+
+  - [`impureEnvVars`]{#adv-attr-impureEnvVars}\
+    This attribute allows you to specify a list of environment variables
+    that should be passed from the environment of the calling user to
+    the builder. Usually, the environment is cleared completely when the
+    builder is executed, but with this attribute you can allow specific
+    environment variables to be passed unmodified. For example,
+    `fetchurl` in Nixpkgs has the line
+
+    ```nix
+    impureEnvVars = [ "http_proxy" "https_proxy" ... ];
+    ```
+
+    to make it use the proxy server configuration specified by the user
+    in the environment variables `http_proxy` and friends.
+
+    This attribute is only allowed in [fixed-output derivations][fixed-output derivation],
+    where impurities such as these are okay since (the hash
+    of) the output is known in advance. It is ignored for all other
+    derivations.
+
+    > **Warning**
+    >
+    > `impureEnvVars` implementation takes environment variables from
+    > the current builder process. When a daemon is building its
+    > environmental variables are used. Without the daemon, the
+    > environmental variables come from the environment of the
+    > `nix-build`.
+
+    If the [`configurable-impure-env` experimental
+    feature](@docroot@/development/experimental-features.md#xp-feature-configurable-impure-env)
+    is enabled, these environment variables can also be controlled
+    through the
+    [`impure-env`](@docroot@/command-ref/conf-file.md#conf-impure-env)
+    configuration setting.
+
+## Setting the derivation type
+
+As discussed in [Derivation Outputs and Types of Derivations](@docroot@/store/derivation/outputs/index.md), there are multiples kinds of derivations / kinds of derivation outputs.
+The choice of the following attributes determines which kind of derivation we are making.
+
+- [`__contentAddressed`]
+
+- [`outputHash`]
+
+- [`outputHashAlgo`]
+
+- [`outputHashMode`]
+
+The three types of derivations are chosen based on the following combinations of these attributes.
+All other combinations are invalid.
+
+- [Input-addressing derivations](@docroot@/store/derivation/outputs/input-address.md)
+
+  This is the default for `builtins.derivation`.
+  Nix only currently supports one kind of input-addressing, so no other information is needed.
+
+  `__contentAddressed = false;` may also be included, but is not needed, and will trigger the experimental feature check.
+
+- [Fixed-output derivations][fixed-output derivation]
+
+  All of [`outputHash`], [`outputHashAlgo`], and [`outputHashMode`].
+
+  <!--
+
+  `__contentAddressed` is ignored, because fixed-output derivations always content-address their outputs, by definition.
+
+  **TODO CHECK**
+
+  -->
+
+- [(Floating) content-addressing derivations](@docroot@/store/derivation/outputs/content-address.md)
+
+  Both [`outputHashAlgo`] and [`outputHashMode`], `__contentAddressed = true;`, and *not* `outputHash`.
+
+  If an output hash was given, then the derivation output would be "fixed" not "floating".
+
+Here is more information on the `output*` attributes, and what values they may be set to:
+
+  - [`outputHashMode`]{#adv-attr-outputHashMode}
+
+    This specifies how the files of a content-addressing derivation output are digested to produce a content address.
+
+    This works in conjunction with [`outputHashAlgo`](#adv-attr-outputHashAlgo).
+    Specifying one without the other is an error (unless [`outputHash` is also specified and includes its own hash algorithm as described below).
+
+    The `outputHashMode` attribute determines how the hash is computed.
+    It must be one of the following values:
+
+      - [`"flat"`](@docroot@/store/store-object/content-address.md#method-flat)
+
+        This is the default.
+
+      - [`"recursive"` or `"nar"`](@docroot@/store/store-object/content-address.md#method-nix-archive)
+
+        > **Compatibility**
+        >
+        > `"recursive"` is the traditional way of indicating this,
+        > and is supported since 2005 (virtually the entire history of Nix).
+        > `"nar"` is more clear, and consistent with other parts of Nix (such as the CLI),
+        > however support for it is only added in Nix version 2.21.
+
+      - [`"text"`](@docroot@/store/store-object/content-address.md#method-text)
+
+        > **Warning**
+        >
+        > The use of this method for derivation outputs is part of the [`dynamic-derivations`][xp-feature-dynamic-derivations] experimental feature.
+
+      - [`"git"`](@docroot@/store/store-object/content-address.md#method-git)
+
+        > **Warning**
+        >
+        > This method is part of the [`git-hashing`][xp-feature-git-hashing] experimental feature.
+
+    See [content-addressing store objects](@docroot@/store/store-object/content-address.md) for more information about the process this flag controls.
+
+  - [`outputHashAlgo`]{#adv-attr-outputHashAlgo}
+
+    This specifies the hash algorithm used to digest the [file system object] data of a content-addressing derivation output.
+
+    This works in conjunction with [`outputHashMode`](#adv-attr-outputHashAlgo).
+    Specifying one without the other is an error (unless `outputHash` is also specified and includes its own hash algorithm as described below).
+
+    The `outputHashAlgo` attribute specifies the hash algorithm used to compute the hash.
+    It can currently be `"blake3"`, `"sha1"`, `"sha256"`, `"sha512"`, or `null`.
+
+    `outputHashAlgo` can only be `null` when `outputHash` follows the SRI format, because in that case the choice of hash algorithm is determined by `outputHash`.
+
+  - [`outputHash`]{#adv-attr-outputHashAlgo}; [`outputHash`]{#adv-attr-outputHashMode}
+
+    This will specify the output hash of the single output of a [fixed-output derivation].
+
+    The `outputHash` attribute must be a string containing the hash in either hexadecimal or "nix32" encoding, or following the format for integrity metadata as defined by [SRI](https://www.w3.org/TR/SRI/).
+    The "nix32" encoding is an adaptation of base-32 encoding.
+
+    > **Note**
+    >
+    > The [`convertHash`](@docroot@/language/builtins.md#builtins-convertHash) function shows how to convert between different encodings.
+    > The [`nix-hash` command](../command-ref/nix-hash.md) has information about obtaining the hash for some contents, as well as converting to and from encodings.
+
+  - [`__contentAddressed`]{#adv-attr-__contentAddressed}
+
+    > **Warning**
+    >
+    > This attribute is part of an [experimental feature](@docroot@/development/experimental-features.md).
+    >
+    > To use this attribute, you must enable the
+    > [`ca-derivations`][xp-feature-ca-derivations] experimental feature.
+    > For example, in [nix.conf](../command-ref/conf-file.md) you could add:
+    >
+    > ```
+    > extra-experimental-features = ca-derivations
+    > ```
+
+    This is a boolean with a default of `false`.
+    It determines whether the derivation is floating content-addressing.
+
+[`__contentAddressed`]: #adv-attr-__contentAddressed
+[`outputHash`]: #adv-attr-outputHash
+[`outputHashAlgo`]: #adv-attr-outputHashAlgo
+[`outputHashMode`]: #adv-attr-outputHashMode
+
+[fixed-output derivation]: @docroot@/glossary.md#gloss-fixed-output-derivation
+[file system object]: @docroot@/store/file-system-object.md
+[store object]: @docroot@/store/store-object.md
 [xp-feature-dynamic-derivations]: @docroot@/development/experimental-features.md#xp-feature-dynamic-derivations
 [xp-feature-git-hashing]: @docroot@/development/experimental-features.md#xp-feature-git-hashing

doc/manual/source/language/derivations.md

@@ -1,7 +1,7 @@
 # Derivations
 
 The most important built-in function is `derivation`, which is used to describe a single store-layer [store derivation].
-Consult the [store chapter](@docroot@/store/drv.md) for what a store derivation is;
+Consult the [store chapter](@docroot@/store/derivation/index.md) for what a store derivation is;
 this section just concerns how to create one from the Nix language.
 
 This builtin function takes as input an attribute set, the attributes of which specify the inputs to the process.
@@ -16,7 +16,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 - [`name`]{#attr-name} ([String](@docroot@/language/types.md#type-string))
 
   A symbolic name for the derivation.
-  See [derivation outputs](@docroot@/store/drv.md#outputs) for what this is affects.
+  See [derivation outputs](@docroot@/store/derivation/index.md#outputs) for what this is affects.
 
   [store path]: @docroot@/store/store-path.md
 
@@ -34,7 +34,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 
 - [`system`]{#attr-system} ([String](@docroot@/language/types.md#type-string))
 
-  See [system](@docroot@/store/drv.md#system).
+  See [system](@docroot@/store/derivation/index.md#system).
 
   > **Example**
   >
@@ -64,7 +64,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 
 - [`builder`]{#attr-builder} ([Path](@docroot@/language/types.md#type-path) | [String](@docroot@/language/types.md#type-string))
 
-  See [builder](@docroot@/store/drv.md#builder).
+  See [builder](@docroot@/store/derivation/index.md#builder).
 
   > **Example**
   >
@@ -113,7 +113,7 @@ It outputs an attribute set, and produces a [store derivation] as a side effect
 
   Default: `[ ]`
 
-  See [args](@docroot@/store/drv.md#args).
+  See [args](@docroot@/store/derivation/index.md#args).
 
   > **Example**
   >

doc/manual/source/language/string-context.md

@@ -115,7 +115,7 @@ It creates an [attribute set] representing the string context, which can be insp
 
 ## Clearing string contexts
 
-[`buitins.unsafeDiscardStringContext`](./builtins.md#builtins-unsafeDiscardStringContext) will make a copy of a string, but with an empty string context.
+[`builtins.unsafeDiscardStringContext`](./builtins.md#builtins-unsafeDiscardStringContext) will make a copy of a string, but with an empty string context.
 The returned string can be used in more ways, e.g. by operators that require the string context to be empty.
 The requirement to explicitly discard the string context in such use cases helps ensure that string context elements are not lost by mistake.
 The "unsafe" marker is only there to remind that Nix normally guarantees that dependencies are tracked, whereas the returned string has lost them.

doc/manual/source/language/syntax.md

@@ -443,7 +443,7 @@ three kinds of patterns:
     This works on any set that contains at least the three named
     attributes.
 
-    It is possible to provide *default values* for attributes, in
+  - It is possible to provide *default values* for attributes, in
     which case they are allowed to be missing. A default value is
     specified by writing `name ?  e`, where *e* is an arbitrary
     expression. For example,
@@ -503,6 +503,45 @@ three kinds of patterns:
     > [ 23 {} ]
     > ```
 
+  - All bindings introduced by the function are in scope in the entire function expression; not just in the body.
+    It can therefore be used in default values.
+
+    > **Example**
+    >
+    > A parameter (`x`), is used in the default value for another parameter (`y`):
+    >
+    > ```nix
+    > let
+    >   f = { x, y ? [x] }: { inherit y; };
+    > in
+    >   f { x = 3; }
+    > ```
+    >
+    > This evaluates to:
+    >
+    > ```nix
+    > {
+    >   y = [ 3 ];
+    > }
+    > ```
+
+    > **Example**
+    >
+    > The binding of an `@` pattern, `args`, is used in the default value for a parameter, `x`:
+    >
+    > ```nix
+    > let
+    >   f = args@{ x ? args.a, ... }: x;
+    > in
+    >   f { a = 1; }
+    > ```
+    >
+    > This evaluates to:
+    >
+    > ```nix
+    > 1
+    > ```
+
 Note that functions do not have names. If you want to give them a name,
 you can bind them to an attribute, e.g.,
 

doc/manual/source/protocols/json/derivation.md

@@ -24,7 +24,7 @@ is a JSON object with the following fields:
 
 
   * `method`:
-    For an output which will be [content addresed], a string representing the [method](@docroot@/store/store-object/content-address.md) of content addressing that is chosen.
+    For an output which will be [content addressed], a string representing the [method](@docroot@/store/store-object/content-address.md) of content addressing that is chosen.
     Valid method strings are:
 
     - [`flat`](@docroot@/store/store-object/content-address.md#method-flat)
@@ -35,7 +35,7 @@ is a JSON object with the following fields:
     Otherwise, `null`.
 
   * `hashAlgo`:
-    For an output which will be [content addresed], the name of the hash algorithm used.
+    For an output which will be [content addressed], the name of the hash algorithm used.
     Valid algorithm strings are:
 
     - `blake3`

doc/manual/source/protocols/store-path.md

@@ -7,7 +7,7 @@ The format of this specification is close to [Extended Backus–Naur form](https
 Regular users do *not* need to know this information --- store paths can be treated as black boxes computed from the properties of the store objects they refer to.
 But for those interested in exactly how Nix works, e.g. if they are reimplementing it, this information can be useful.
 
-[store path](@docroot@/store/store-path.md)
+[store path]: @docroot@/store/store-path.md
 
 ## Store path proper
 
@@ -20,14 +20,17 @@ where
 
 - `store-dir` = the [store directory](@docroot@/store/store-path.md#store-directory)
 
-- `digest` = base-32 representation of the first 160 bits of a [SHA-256] hash of `fingerprint`
+- `digest` = base-32 representation of the compressed to 160 bits [SHA-256] hash of `fingerprint`
 
-  This the hash part of the store name
+For the definition of the hash compression algorithm, please refer to the section 5.1 of
+the [Nix thesis](https://edolstra.github.io/pubs/phd-thesis.pdf), which also defines the
+specifics of base-32 encoding. Note that base-32 encoding processes the hash bytestring from
+the end, while base-16 processes in from the beginning.
 
 ## Fingerprint
 
 - ```ebnf
-  fingerprint = type ":" sha256 ":" inner-digest ":" store ":" name
+  fingerprint = type ":sha256:" inner-digest ":" store ":" name
   ```
 
   Note that it includes the location of the store as well as the name to make sure that changes to either of those are reflected in the hash
@@ -53,7 +56,7 @@ where
     method of content addressing store objects,
     if the hash algorithm is [SHA-256].
     Just like in the "Text" case, we can have the store objects referenced by their paths.
-    Additionally, we can have an optional `:self` label to denote self reference.
+    Additionally, we can have an optional `:self` label to denote self-reference.
 
   - ```ebnf
     | "output:" id
@@ -70,7 +73,8 @@ where
     `id` is the name of the output (usually, "out").
     For content-addressed store objects, `id`, is always "out".
 
-- `inner-digest` = base-16 representation of a SHA-256 hash of `inner-fingerprint`
+- `inner-digest` = base-16 representation of a SHA-256 hash of `inner-fingerprint`.
+  The base-16 encoding uses lower-cased hex digits.
 
 ## Inner fingerprint
 
@@ -82,7 +86,7 @@ where
 
   - if `type` = `"source:" ...`:
 
-    the hash of the [Nix Archive (NAR)] serialization of the [file system object](@docroot@/store/file-system-object.md) of the store object.
+    the [Nix Archive (NAR)] serialization of the [file system object](@docroot@/store/file-system-object.md) of the store object.
 
   - if `type` = `"output:" id`:
 

doc/manual/source/protocols/tarball-fetcher.md

@@ -46,7 +46,7 @@ defined as the timestamp of the newest file inside the tarball.
 This protocol is supported by Gitea since v1.22.1 and by Forgejo since v7.0.4/v8.0.0 and can be used with the following flake URL schema:
 
 ```
-https://<domain name>/<owner>/<repo>/archive/<reference or revison>.tar.gz
+https://<domain name>/<owner>/<repo>/archive/<reference or revision>.tar.gz
 ```
 
 > **Example**

doc/manual/source/release-notes/rl-2.19.md

@@ -31,7 +31,7 @@
     - To operate on a flake outside the current directory, you must now pass `--flake path/to/flake`.
 
   - The flake-specific flags `--recreate-lock-file` and `--update-input` have been removed from all commands operating on installables.
-    They are superceded by `nix flake update`.
+    They are superseded by `nix flake update`.
 
 - Commit signature verification for the [`builtins.fetchGit`](@docroot@/language/builtins.md#builtins-fetchGit) is added as the new [`verified-fetches` experimental feature](@docroot@/development/experimental-features.md#xp-feature-verified-fetches).
 

doc/manual/source/release-notes/rl-2.23.md

@@ -15,7 +15,7 @@
 - Modify `nix derivation {add,show}` JSON format [#9866](https://github.com/NixOS/nix/issues/9866) [#10722](https://github.com/NixOS/nix/pull/10722)
 
   The JSON format for derivations has been slightly revised to better conform to our [JSON guidelines](@docroot@/development/cli-guideline.md#returning-future-proof-json).
-  In particular, the hash algorithm and content addressing method of content-addresed derivation outputs are now separated into two fields `hashAlgo` and `method`,
+  In particular, the hash algorithm and content addressing method of content-addressed derivation outputs are now separated into two fields `hashAlgo` and `method`,
   rather than one field with an arcane `:`-separated format.
 
   This JSON format is only used by the experimental `nix derivation` family of commands, at this time.

doc/manual/source/release-notes/rl-2.24.md

@@ -173,7 +173,7 @@
   **Deprecation**: Use `nix32` instead of `base32` as `toHashFormat`
 
   For the builtin `convertHash`, the `toHashFormat` parameter now accepts the same hash formats as the `--to`/`--from`
-  parameters of the `nix hash conert` command: `"base16"`, `"nix32"`, `"base64"`, and `"sri"`. The former `"base32"` value
+  parameters of the `nix hash convert` command: `"base16"`, `"nix32"`, `"base64"`, and `"sri"`. The former `"base32"` value
   remains as a deprecated alias for `"nix32"`. Please convert your code from:
 
   ```nix

doc/manual/source/release-notes/rl-2.27.md

@@ -30,14 +30,23 @@
 
   The evaluator now presents a "union" filesystem view of the `/nix/store` in the host and the chroot.
 
-  This change also removes some hacks that broke `builtins.{path,filterSource}` in chroot stores [#11503](https://github.com/NixOS/nix/issue/11503).
+  This change also removes some hacks that broke `builtins.{path,filterSource}` in chroot stores [#11503](https://github.com/NixOS/nix/issues/11503).
 
-- `nix flake prefetch` now has a `--out-link` option [#12443](https://github.com/NixOS/nix/issue/12443)
+- `nix flake prefetch` now has a `--out-link` option [#12443](https://github.com/NixOS/nix/pull/12443)
 
 - Set `FD_CLOEXEC` on sockets created by curl [#12439](https://github.com/NixOS/nix/pull/12439)
 
   Curl created sockets without setting `FD_CLOEXEC`/`SOCK_CLOEXEC`. This could previously cause connections to remain open forever when using commands like `nix shell`. This change sets the `FD_CLOEXEC` flag using a `CURLOPT_SOCKOPTFUNCTION` callback.
 
+- Add BLAKE3 hash algorithm [#12379](https://github.com/NixOS/nix/pull/12379)
+
+  Nix now supports the BLAKE3 hash algorithm as an experimental feature (`blake3-hashes`):
+
+  ```console
+  # nix hash file ./file --type blake3 --extra-experimental-features blake3-hashes
+  blake3-34P4p+iZXcbbyB1i4uoF7eWCGcZHjmaRn6Y7QdynLwU=
+  ```
+
 # Contributors
 
 This release was made possible by the following 21 contributors:

doc/manual/source/release-notes/rl-2.28.md

@@ -0,0 +1,105 @@
+# Release 2.28.0 (2025-04-02)
+
+This is an atypical release, and for almost all intents and purposes, it is just a continuation of 2.27; not a feature release.
+
+We had originally set the goal of making 2.27 the Nixpkgs default for NixOS 25.05, but dependents that link to Nix need certain _interface breaking_ changes in the C++ headers. This is not something we should do in a patch release, so this is why we branched 2.28 right off 2.27 instead of `master`.
+
+This completes the infrastructure overhaul for the [RFC 132](https://github.com/NixOS/rfcs/blob/master/rfcs/0132-meson-builds-nix.md) switchover to meson as our build system.
+
+## Major changes
+
+- Unstable C++ API reworked
+  [#12836](https://github.com/NixOS/nix/pull/12836)
+  [#12798](https://github.com/NixOS/nix/pull/12798)
+  [#12773](https://github.com/NixOS/nix/pull/12773)
+
+  Now the C++ interface confirms to common conventions much better than before:
+
+  - All headers are expected to be included with the initial `nix/`, e.g. as `#include "nix/....hh"` (what Nix's headers now do) or `#include <nix/....hh>` (what downstream projects may choose to do).
+    Likewise, the pkg-config files have `-I${includedir}` not `-I${includedir}/nix` or similar.
+
+    Including without the `nix/` like before sometimes worked because of how for `#include` C pre-process checks the directory containing the current file, not just the lookup path, but this was not reliable.
+
+  - All configuration headers are included explicitly by the (regular) headers that need them.
+    There is no more need to pass `-include` to force additional files to be included.
+
+  - The public, installed configuration headers no longer contain implementation-specific details that are not relevant to the API.
+    The vast majority of definitions that were previously in there are now moved to new headers that are not installed, but used during Nix's own compilation only.
+    The remaining macro definitions are renamed to have `NIX_` as a prefix.
+
+  - The name of the Nix component the header comes from
+    (e.g. `util`, `store`, `expr`, `flake`, etc.)
+    is now part of the path to the header, coming after `nix` and before the header name
+    (or rest of the header path, if it is already in a directory).
+
+  Here is a contrived diff showing a few of these changes at once:
+
+  ```diff
+  @@ @@
+  -#include "derived-path.hh"
+  +#include "nix/store/derived-path.hh"
+  @@ @@
+  +// Would include for the variables used before. But when other headers
+  +// need these variables. those will include these config themselves.
+  +#include "nix/store/config.hh"
+  +#include "nix/expr/config.hh"
+  @@ @@
+  -#include "config.hh"
+  +// Additionally renamed to distinguish from components' config headers.
+  +#include "nix/util/configuration.hh"
+  @@ @@
+  -#if HAVE_ACL_SUPPORT
+  +#if NIX_SUPPORT_ACL
+  @@ @@
+  -#if HAVE_BOEHMGC
+  +#if NIX_USE_BOEHMGC
+  @@ @@
+   #endif
+   #endif
+  @@ @@
+  -const char *s = "hi from " SYSTEM;
+  +const char *s = "hi from " NIX_LOCAL_SYSTEM;
+  ```
+
+- C API `nix_flake_init_global` removed [#5638](https://github.com/NixOS/nix/issues/5638) [#12759](https://github.com/NixOS/nix/pull/12759)
+
+  In order to improve the modularity of the code base, we are removing a use of global state, and therefore the `nix_flake_init_global` function.
+
+  Instead, use `nix_flake_settings_add_to_eval_state_builder`.
+  For example:
+
+  ```diff
+  -    nix_flake_init_global(ctx, settings);
+  -    HANDLE_ERROR(ctx);
+  -
+       nix_eval_state_builder * builder = nix_eval_state_builder_new(ctx, store);
+       HANDLE_ERROR(ctx);
+
+  +    nix_flake_settings_add_to_eval_state_builder(ctx, settings, builder);
+  +    HANDLE_ERROR(ctx);
+  ```
+
+  Although this change is not as critical, we figured it would be good to do this API change at the same time, also.
+  Also note that we try to keep the C API compatible, but we decided to break this function because it was young and likely not in widespread use yet. This frees up time to make important progress on the rest of the C API.
+
+# Contributors
+
+This earlier-than-usual release was made possible by the following 16 contributors:
+
+- Farid Zakaria [**(@fzakaria)**](https://github.com/fzakaria)
+- Jörg Thalheim [**(@Mic92)**](https://github.com/Mic92)
+- Eelco Dolstra [**(@edolstra)**](https://github.com/edolstra)
+- Graham Christensen [**(@grahamc)**](https://github.com/grahamc)
+- Thomas Miedema [**(@thomie)**](https://github.com/thomie)
+- Brian McKenna [**(@puffnfresh)**](https://github.com/puffnfresh)
+- Sergei Trofimovich [**(@trofi)**](https://github.com/trofi)
+- Dmitry Bogatov [**(@KAction)**](https://github.com/KAction)
+- Erik Nygren [**(@Kirens)**](https://github.com/Kirens)
+- John Ericson [**(@Ericson2314)**](https://github.com/Ericson2314)
+- Sergei Zimmerman [**(@xokdvium)**](https://github.com/xokdvium)
+- Ruby Rose [**(@oldshensheep)**](https://github.com/oldshensheep)
+- Robert Hensing [**(@roberth)**](https://github.com/roberth)
+- jade [**(@lf-)**](https://github.com/lf-)
+- Félix [**(@picnoir)**](https://github.com/picnoir)
+- Valentin Gagarin [**(@fricklerhandwerk)**](https://github.com/fricklerhandwerk)
+- Dmitry Bogatov

doc/manual/source/release-notes/rl-2.6.md

@@ -13,7 +13,7 @@
 * New command `nix store copy-log` to copy build logs from one store
   to another.
 * The `commit-lockfile-summary` option can be set to a non-empty
-  string to override the commit summary used when commiting an updated
+  string to override the commit summary used when committing an updated
   lockfile.  This may be used in conjunction with the `nixConfig`
   attribute in `flake.nix` to better conform to repository
   conventions.

doc/manual/source/store/building.md

@@ -10,7 +10,7 @@
 
 ## Builder Execution
 
-The [`builder`](./drv.md#builder) is executed as follows:
+The [`builder`](./derivation/index.md#builder) is executed as follows:
 
 - A temporary directory is created under the directory specified by
   `TMPDIR` (default `/tmp`) where the build will take place. The
@@ -54,7 +54,7 @@ The [`builder`](./drv.md#builder) is executed as follows:
     it’s `out`.)
 
 - If an output path already exists, it is removed. Also, locks are
-  acquired to prevent multiple Nix instances from performing the same
+  acquired to prevent multiple [Nix instances][Nix instance] from performing the same
   build at the same time.
 
 - A log of the combined standard output and error is written to
@@ -95,3 +95,6 @@ If the builder exited successfully, the following steps happen in order to turn
 
   Nix also scans for references to other outputs' paths in the same way, because outputs are allowed to refer to each other.
   If the outputs' references to each other form a cycle, this is an error, because the references of store objects much be acyclic.
+
+
+[Nix instance]: @docroot@/glossary.md#gloss-nix-instance

doc/manual/source/store/derivation/index.md

@@ -1,7 +1,7 @@
 # Store Derivation and Deriving Path
 
-Besides functioning as a [content addressed store] the Nix store layer works as a [build system].
-Other system (like Git or IPFS) also store and transfer immutable data, but they don't concern themselves with *how* that data was created.
+Besides functioning as a [content-addressed store], the Nix store layer works as a [build system].
+Other systems (like Git or IPFS) also store and transfer immutable data, but they don't concern themselves with *how* that data was created.
 
 This is where Nix distinguishes itself.
 *Derivations* represent individual build steps, and *deriving paths* are needed to refer to the *outputs* of those build steps before they are built.
@@ -9,15 +9,24 @@ This is where Nix distinguishes itself.
 
 ## Store Derivation {#store-derivation}
 
-A derivation is a specification for running an executable on precisely defined input files to repeatably produce output files at uniquely determined file system paths.
+A derivation is a specification for running an executable on precisely defined input to produce on more [store objects][store object].
+These store objects are known as the derivation's *outputs*.
+
+Derivations are *built*, in which case the process is spawned according to the spec, and when it exits, required to leave behind files which will (after post-processing) become the outputs of the derivation.
+This process is described in detail in [Building](@docroot@/store/building.md).
+
+<!--
+Some of these things are described directly below, but we envision with more material the exposition will probably want to migrate to separate pages benough this.
+See outputs spec for an example of this one that migrated to its own page.
+-->
 
 A derivation consists of:
 
  - A name
 
- - A set of [*inputs*][inputs], a set of [deriving paths][deriving path]
+ - An [inputs specification][inputs], a set of [deriving paths][deriving path]
 
- - A map of [*outputs*][outputs], from names to other data
+ - An [outputs specification][outputs], specifying which outputs should be produced, and various metadata about them.
 
  - The ["system" type][system] (e.g. `x86_64-linux`) where the executable is to run.
 
@@ -26,13 +35,15 @@ A derivation consists of:
 [store derivation]: #store-derivation
 [inputs]: #inputs
 [input]: #inputs
-[outputs]: #outputs
-[output]: #outputs
+[outputs]: ./outputs/index.md
+[output]: ./outputs/index.md
 [process creation fields]: #process-creation-fields
 [builder]: #builder
 [args]: #args
 [env]: #env
 [system]: #system
+[content-addressed store]: @docroot@/glossary.md#gloss-content-addressed-store
+[build system]: @docroot@/glossary.md#gloss-build-system
 
 ### Referencing derivations {#derivation-path}
 
@@ -69,7 +80,7 @@ type DerivingPath = ConstantPath | OutputPath;
 ```
 
 Deriving paths are necessary because, in general and particularly for [content-addressing derivations][content-addressing derivation], the [store path] of an [output] is not known in advance.
-We can use an output deriving path to refer to such an out, instead of the store path which we do not yet know.
+We can use an output deriving path to refer to such an output, instead of the store path which we do not yet know.
 
 [deriving path]: #deriving-path
 [validity]: @docroot@/glossary.md#gloss-validity
@@ -80,47 +91,26 @@ A derivation is constructed from the parts documented in the following subsectio
 
 ### Inputs {#inputs}
 
-The inputs are a set of [deriving paths][deriving path], refering to all store objects needed in order to perform this build step.
+The inputs are a set of [deriving paths][deriving path], referring to all store objects needed in order to perform this build step.
 
 The [process creation fields] will presumably include many [store paths][store path]:
 
  - The path to the executable normally starts with a store path
  - The arguments and environment variables likely contain many other store paths.
 
-But rather than somehow scanning all the other fields for inputs, Nix requires that all inputs be explicitly collected in the inputs field. It is instead the responsibility of the creator of a derivation (e.g. the evaluator) to  ensure that every store object referenced in another field (e.g. referenced by store path) is included in this inputs field.
-
-### Outputs {#outputs}
-
-The outputs are the derivations are the [store objects][store object] it is obligated to produce.
-
-Outputs are assigned names, and also consistent of other information based on the type of derivation.
-
-Output names can be any string which is also a valid [store path] name.
-The store path of the output store object (also called an [output path] for short), has a name based on the derivation name and the output name.
-In the general case, store paths have name `derivationName + "-" + outputName`.
-However, an output named "out" has a store path with name is just the derivation name.
-This is to allow derivations with a single output to avoid a superfluous `"-${outputName}"` in their single output's name when no disambiguation is needed.
-
-> **Example**
->
-> A derivation is named `hello`, and has two outputs, `out`, and `dev`
->
-> - The derivation's path will be: `/nix/store/<hash>-hello.drv`.
->
-> - The store path of `out` will be: `/nix/store/<hash>-hello`.
->
-> - The store path of `dev` will be: `/nix/store/<hash>-hello-dev`.
+But rather than somehow scanning all the other fields for inputs, Nix requires that all inputs be explicitly collected in the inputs field. It is instead the responsibility of the creator of a derivation (e.g. the evaluator) to ensure that every store object referenced in another field (e.g. referenced by store path) is included in this inputs field.
 
 ### System {#system}
 
 The system type on which the [`builder`](#attr-builder) executable is meant to be run.
 
-A necessary condition for Nix to schedule a given derivation on some Nix instance is for the "system" of that derivation to match that instance's [`system` configuration option].
+A necessary condition for Nix to schedule a given derivation on some [Nix instance] is for the "system" of that derivation to match that instance's [`system` configuration option] or [`extra-platforms` configuration option].
 
 By putting the `system` in each derivation, Nix allows *heterogenous* build plans, where not all steps can be run on the same machine or same sort of machine.
 Nix can schedule builds such that it automatically builds on other platforms by [forwarding build requests](@docroot@/advanced-topics/distributed-builds.md) to other Nix instances.
 
 [`system` configuration option]: @docroot@/command-ref/conf-file.md#conf-system
+[`extra-platforms` configuration option]: @docroot@/command-ref/conf-file.md#conf-extra-platforms
 
 [content-addressing derivation]: @docroot@/glossary.md#gloss-content-addressing-derivation
 [realise]: @docroot@/glossary.md#gloss-realise
@@ -253,14 +243,14 @@ That works because we've implicitly assumed that all derivations are created *st
 But what if derivations could also be created dynamically within Nix?
 In other words, what if derivations could be the outputs of other derivations?
 
-:::{.note}
-In the parlance of "Build Systems à la carte", we are generalizing the Nix store layer to be a "Monadic" instead of "Applicative" build system.
-:::
+> **Note**
+>
+> In the parlance of "Build Systems à la carte", we are generalizing the Nix store layer to be a "Monadic" instead of "Applicative" build system.
 
 How should we refer to such derivations?
 A deriving path works, the same as how we refer to other derivation outputs.
 But what about a dynamic derivations output?
-(i.e. how do we refer to the output of an output of a derivation?)
+(i.e. how do we refer to the output of a derivation, which is itself an output of a derivation?)
 For that we need to generalize the definition of deriving path, replacing the store path used to refer to the derivation with a nested deriving path:
 
 ```diff
@@ -308,3 +298,5 @@ The result of this is that it is possible to have a chain of `^<output-name>` at
 > |------------------------------------------------------------| |-----|
 > innermost constant store path (usual encoding)                 output name
 > ```
+
+[Nix instance]: @docroot@/glossary.md#gloss-nix-instance

doc/manual/source/store/derivation/outputs/content-address.md

@@ -0,0 +1,192 @@
+# Content-addressing derivation outputs
+
+The content-addressing of an output only depends on that store object itself, not any other information external (such has how it was made, when it was made, etc.).
+As a consequence, a store object will be content-addressed the same way regardless of whether it was manually inserted into the store, outputted by some derivation, or outputted by a some other derivation.
+
+The output spec for a content-addressed output must contains the following field:
+
+- *method*: how the data of the store object is digested into a content address
+
+The possible choices of *method* are described in the [section on content-addressing store objects](@docroot@/store/store-object/content-address.md).
+Given the method, the output's name (computed from the derivation name and output spec mapping as described above), and the data of the store object, the output's store path will be computed as described in that section.
+
+## Fixed-output content-addressing {#fixed}
+
+In this case the content address of the *fixed* in advanced by the derivation itself.
+In other words, when the derivation has finished [building](@docroot@/store/building.md), and the provisional output' content-address is computed as part of the process to turn it into a *bona fide* store object, the calculated content address must much that given in the derivation, or the build of that derivation will be deemed a failure.
+
+The output spec for an output with a fixed content addresses additionally contains:
+
+- *hash*, the hash expected from digesting the store object's file system objects.
+  This hash may be of a freely-chosen hash algorithm (that Nix supports)
+
+> **Design note**
+>
+> In principle, the output spec could also specify the references the store object should have, since the references and file system objects are equally parts of a content-addressed store object proper that contribute to its content-addressed.
+> However, at this time, the references are not done because all fixed content-addressed outputs are required to have no references (including no self-reference).
+>
+> Also in principle, rather than specifying the references and file system object data with separate hashes, a single hash that constraints both could be used.
+> This could be done with the final store path's digest, or better yet, the hash that will become the store path's digest before it is truncated.
+>
+> These possible future extensions are included to elucidate the core property of fixed-output content addressing --- that all parts of the output must be cryptographically fixed with one or more hashes --- separate from the particulars of the currently-supported store object content-addressing schemes.
+
+### Design rationale
+
+What is the purpose of fixing an output's content address in advanced?
+In abstract terms, the answer is carefully controlled impurity.
+Unlike a regular derivation, the [builder] executable of a derivation that produced fixed outputs has access to the network.
+The outputs' guaranteed content-addresses are supposed to mitigate the risk of the builder being given these capabilities;
+regardless of what the builder does *during* the build, it cannot influence downstream builds in unanticipated ways because all information it passed downstream flows through the outputs whose content-addresses are fixed.
+
+[builder]: @docroot@/store/derivation/index.md#builder
+
+In concrete terms, the purpose of this feature is fetching fixed input data like source code from the network.
+For example, consider a family of "fetch URL" derivations.
+These derivations download files from given URL.
+To ensure that the downloaded file has not been modified, each derivation must also specify a cryptographic hash of the file.
+For example,
+
+```jsonc
+{
+  "outputs: {
+    "out": {
+      "method": "nar",
+      "hashAlgo": "sha256",
+      "hash: "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465",
+    },
+  },
+  "env": {
+    "url": "http://ftp.gnu.org/pub/gnu/hello/hello-2.1.1.tar.gz"
+    // ...
+  },
+  // ...
+}
+```
+
+It sometimes happens that the URL of the file changes,
+e.g., because servers are reorganised or no longer available.
+In these cases, we then must update the call to `fetchurl`, e.g.,
+
+```diff
+   "env": {
+-    "url": "http://ftp.gnu.org/pub/gnu/hello/hello-2.1.1.tar.gz"
++    "url": "ftp://ftp.nluug.nl/pub/gnu/hello/hello-2.1.1.tar.gz"
+     // ...
+   },
+```
+
+If a `fetchurl` derivation's outputs were [input-addressed][input addressing], the output paths of the derivation and of *all derivations depending on it* would change.
+For instance, if we were to change the URL of the Glibc source distribution in Nixpkgs (a package on which almost all other packages depend on Linux) massive rebuilds would be needed.
+This is unfortunate for a change which we know cannot have a real effect as it propagates upwards through the dependency graph.
+
+For content-addressed outputs (fixed or floating), on the other hand, the outputs' store path only depends on the derivation's name, data, and the `method` of the outputs' specs.
+The rest of the derivation is ignored for the purpose of computing the output path.
+
+> **History Note**
+>
+> Fixed content-addressing is especially important both today and historically as the *only* form of content-addressing that is stabilized.
+> This is why the rationale above contrasts it with [input addressing].
+
+## (Floating) Content-Addressing {#floating}
+
+> **Warning**
+> This is part of an [experimental feature](@docroot@/development/experimental-features.md).
+>
+> To use this type of output addressing, you must enable the
+> [`ca-derivations`][xp-feature-ca-derivations] experimental feature.
+> For example, in [nix.conf](@docroot@/command-ref/conf-file.md) you could add:
+>
+> ```
+> extra-experimental-features = ca-derivations
+> ```
+
+With this experimemental feature enabled, derivation outputs can also be content-addressed *without* fixing in the output spec what the outputs' content address must be.
+
+### Purity
+
+Because the derivation output is not fixed (just like with [input addressing]), the [builder] is not given any impure capabilities [^purity].
+
+> **Configuration note**
+>
+> Strictly speaking, the extent to which sandboxing and deprivilaging is possible varies with the environment Nix is running in.
+> Nix's configuration settings indicate what level of sandboxing is required or enabled.
+> Builds of derivations will fail if they request an absence of sandboxing which is not allowed.
+> Builds of derivations will also fail if the level of sandboxing specified in the configure exceeds what is possible in the given environment.
+>
+> (The "environment", in this case, consists of attributes such as the Operating System Nix runs atop, along with the operating-system-specific privileges that Nix has been granted.
+> Because of how conventional operating systems like macos, Linux, etc. work, granting builders *fewer* privileges may ironically require that Nix be run with *more* privileges.)
+
+That said, derivations producing floating content-addressed outputs may declare their builders as impure (like the builders of derivations producing fixed outputs).
+This is provisionally supported as part of the [`impure-derivations`][xp-feature-impure-derivations] experimental feature.
+
+### Compatibility negotiation
+
+Any derivation producing a floating content-addressed output implicitly requires the `ca-derivations` [system feature](@docroot@/command-ref/conf-file.md#conf-system-features).
+This prevents scheduling the building of the derivation on a machine without the experimental feature enabled.
+Even once the experimental feature is stabilized, this is still useful in order to be allow using remote builder running odler versions of Nix, or alternative implementations that do not support floating content addressing.
+
+### Determinism
+
+In the earlier [discussion of how self-references are handled when content-addressing store objects](@docroot@/store/store-object/content-address.html#self-references), it was pointed out that methods of producing store objects ought to be deterministic regardless of the choice of provisional store path.
+For store objects produced by manually inserting into the store to create a store object, the "method of production" is an informally concept --- formally, Nix has no idea where the store object came from, and content-addressing is crucial in order to ensure that the derivation is *intrinsically* tamper-proof.
+But for store objects produced by derivation, the "method is quite formal" --- the whole point of derivations is to be a formal notion of building, after all.
+In this case, we can elevate this informal property to a formal one.
+
+A *deterministic* content-addressing derivation should produce outputs with the same content addresses:
+
+1. Every time the builder is run
+
+  This is because either the builder is completely sandboxed, or because all any remaining impurities that leak inside the build sandbox are ignored by the builder and do not influence its behavior.
+
+2. Regardless of the choice of any provisional outputs paths
+
+  Provisional store paths must be chosen for any output that has a self-reference.
+  The choice of provisional store path can be thought of as an impurity, since it is an arbitrary choice.
+
+  If provisional outputs paths are deterministically chosen, we are in the first branch of part (1).
+  The builder the data it produces based on it in arbitrary ways, but this gets us closer to [input addressing].
+  Deterministically choosing the provisional path may be considered "complete sandboxing" by removing an impurity, but this is unsatisfactory
+
+  <!--
+
+  TODO
+  (Both these points will be expanded-upon below.)
+
+  -->
+
+  If provisional outputs paths are randomly chosen, we are in the second branch of part (1).
+  The builder *must* not let the random input affect the final outputs it produces, and multiple builds may be performed and the compared in order to ensure that this is in fact the case.
+
+### Floating versus Fixed
+
+While the distinction between content- and input-addressing is one of *mechanism*, the distinction between fixed and floating content addressing is more one of *policy*.
+A fixed output that passes its content address check is just like a floating output.
+It is only in the potential for that check to fail that they are different.
+
+> **Design Note**
+>
+> In a future world where floating content-addressing is also stable, we in principle no longer need separate [fixed](#fixed) content-addressing.
+> Instead, we could always use floating content-addressing, and separately assert the precise value content address of a given store object to be used as an input (of another derivation).
+> A stand-alone assertion object of this sort is not yet implemented, but its possible creation is tracked in [Issue #11955](https://github.com/NixOS/nix/issues/11955).
+>
+> In the current version of Nix, fixed outputs which fail their hash check are still registered as valid store objects, just not registered as outputs of the derivation which produced them.
+> This is an optimization that means if the wrong output hash is specified in a derivation, and then the derivation is recreated with the right output hash, derivation does not need to be rebuilt --- avoiding downloading potentially large amounts of data twice.
+> This optimisation prefigures the design above:
+> If the output hash assertion was removed outside the derivation itself, Nix could additionally not only register that outputted store object like today, but could also make note that derivation did in fact successfully download some data.
+For example, for the "fetch URL" example above, making such a note is tantamount to recording what data is available at the time of download at the given URL.
+> It would only be when Nix subsequently tries to build something with that (refining our example) downloaded source code that Nix would be forced to check the output hash assertion, preventing it from e.g. building compromised malware.
+>
+> Recapping, Nix would
+>
+> 1. successfully download data
+> 2. insert that data into the store
+> 3. associate (presumably with some sort of expiration policy) the downloaded data with the derivation that downloaded it
+>
+> But only use the downloaded store object in subsequent derivations that depended upon the assertion if the assertion passed.
+>
+> This possible future extension is included to illustrate this distinction:
+
+[input addressing]: ./input-address.md
+[xp-feature-ca-derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
+[xp-feature-git-hashing]: @docroot@/development/experimental-features.md#xp-feature-git-hashing
+[xp-feature-impure-derivations]: @docroot@/development/experimental-features.md#xp-feature-impure-derivations

doc/manual/source/store/derivation/outputs/index.md

@@ -0,0 +1,97 @@
+# Derivation Outputs and Types of Derivations
+
+As stated on the [main pages on derivations](../index.md#store-derivation),
+a derivation produces [store objects](@docroot@/store/store-object.md), which are known as the *outputs* of the derivation.
+Indeed, the entire point of derivations is to produce these outputs, and to reliably and reproducibly produce these derivations each time the derivation is run.
+
+One of the parts of a derivation is its *outputs specification*, which specifies certain information about the outputs the derivation produces when run.
+The outputs specification is a map, from names to specifications for individual outputs.
+
+## Output Names {#outputs}
+
+Output names can be any string which is also a valid [store path](@docroot@/store/store-path.md) name.
+The name mapped to each output specification is not actually the name of the output.
+In the general case, the output store object has name `derivationName + "-" + outputSpecName`, not any other metadata about it.
+However, an output spec named "out" describes and output store object whose name is just the derivation name.
+
+> **Example**
+>
+> A derivation is named `hello`, and has two outputs, `out`, and `dev`
+>
+> - The derivation's path will be: `/nix/store/<hash>-hello.drv`.
+>
+> - The store path of `out` will be: `/nix/store/<hash>-hello`.
+>
+> - The store path of `dev` will be: `/nix/store/<hash>-hello-dev`.
+
+The outputs are the derivations are the [store objects](@docroot@/store/store-object.md) it is obligated to produce.
+
+> **Note**
+>
+> The formal terminology here is somewhat at odds with everyday communication in the Nix community today.
+> "output" in casual usage tends to refer to either to the actual output store object, or the notional output spec, depending on context.
+>
+> For example "hello's `dev` output" means the store object referred to by the store path `/nix/store/<hash>-hello-dev`.
+> It is unusual to call this the "`hello-dev` output", even though `hello-dev` is the actual name of that store object.
+
+## Types of output addressing
+
+The main information contained in an output specification is how the derivation output is addressed.
+In particular, the specification decides:
+
+- whether the output is [content-addressed](./content-address.md) or [input-addressed](./input-address.md)
+
+- if the content is content-addressed, how is it content addressed
+
+- if the content is content-addressed, [what is its content address](./content-address.md#fixed-content-addressing) (and thus what is its [store path])
+
+## Types of derivations
+
+The sections on each type of derivation output addressing ended up discussing other attributes of the derivation besides its outputs, such as purity, scheduling, determinism, etc.
+This is no concidence; for the type of a derivation is in fact one-for-one with the type of its outputs:
+
+- A derivation that produces *xyz-addressed* outputs is an *xyz-addressing* derivations.
+
+The rules for this are fairly concise:
+
+- All the outputs must be of the same type / use the same addressing
+
+  - The derivation must have at least one output
+
+  - Additionally, if the outputs are fixed content-addressed, there must be exactly one output, whose specification is mapped from the name `out`.
+    (The name `out` is special, according to the rules described above.
+    Having only one output and calling its specification `out` means the single output is effectively anonymous; the store path just has the derivation name.)
+
+    (This is an arbitrary restriction that could be lifted.)
+
+- The output is either *fixed* or *floating*, indicating whether the store path is known prior to building it.
+
+  - With fixed content-addressing it is fixed.
+
+    > A *fixed content-addressing* derivation is also called a *fixed-output derivation*, since that is the only currently-implemented form of fixed-output addressing
+
+  - With floating content-addressing or input-addressing it is floating.
+
+  > Thus, historically with Nix, with no experimental features enabled, *all* outputs are fixed.
+
+- The derivation may be *pure* or *impure*, indicating what read access to the outside world the [builder](../index.md#builder) has.
+
+  - An input-addressing derivation *must* be pure.
+
+    > If it is impure, we would have a large problem, because an input-addressed derivation always produces outputs with the same paths.
+
+
+  - A content-addressing derivation may be pure or impure
+
+   - If it is impure, it may be fixed (typical), or it may be floating if the additional [`impure-derivations`][xp-feature-impure-derivations] experimental feature is enabled.
+
+   - If it is pure, it must be floating.
+
+   - Pure, fixed content-addressing derivations are not supported
+
+     > There is no use for this forth combination.
+     > The sole purpose of an output's store path being fixed is to support the derivation being impure.
+
+[xp-feature-ca-derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
+[xp-feature-git-hashing]: @docroot@/development/experimental-features.md#xp-feature-git-hashing
+[xp-feature-impure-derivations]: @docroot@/development/experimental-features.md#xp-feature-impure-derivations

doc/manual/source/store/derivation/outputs/input-address.md

@@ -0,0 +1,31 @@
+# Input-addressing derivation outputs
+
+[input addressing]: #input-addressing
+
+"Input addressing" means the address the store object by the *way it was made* rather than *what it is*.
+That is to say, an input-addressed output's store path is a function not of the output itself, but of the derivation that produced it.
+Even if two store paths have the same contents, if they are produced in different ways, and one is input-addressed, then they will have different store paths, and thus guaranteed to not be the same store object.
+
+<!---
+
+### Modulo fixed-output derivations
+
+**TODO hash derivation modulo.**
+
+So how do we compute the hash part of the output path of a derivation?
+This is done by the function `hashDrv`, shown in Figure 5.10.
+It distinguishes between two cases.
+If the derivation is a fixed-output derivation, then it computes a hash over just the `outputHash` attributes.
+
+If the derivation is not a fixed-output derivation, we replace each element in the derivation’s inputDrvs with the result of a call to `hashDrv` for that element.
+(The derivation at each store path in `inputDrvs` is converted from its on-disk ATerm representation back to a `StoreDrv` by the function `parseDrv`.) In essence, `hashDrv` partitions store derivations into equivalence classes, and for hashing purpose it replaces each store path in a derivation graph with its equivalence class.
+
+The recursion in Figure 5.10 is inefficient:
+it will call itself once for each path by which a subderivation can be reached, i.e., `O(V k)` times for a derivation graph with `V` derivations and with out-degree of at most `k`.
+In the actual implementation, memoisation is used to reduce this to `O(V + E)` complexity for a graph with E edges.
+
+-->
+
+[xp-feature-ca-derivations]: @docroot@/development/experimental-features.md#xp-feature-ca-derivations
+[xp-feature-git-hashing]: @docroot@/development/experimental-features.md#xp-feature-git-hashing
+[xp-feature-impure-derivations]: @docroot@/development/experimental-features.md#xp-feature-impure-derivations

doc/manual/source/store/file-system-object/content-address.md

@@ -46,7 +46,7 @@ be many different serialisations.
 For these reasons, Nix has its very own archive format—the Nix Archive (NAR) format,
 which is carefully designed to avoid the problems described above.
 
-The exact specification of the Nix Archive format is in `protocols/nix-archive.md`
+The exact specification of the Nix Archive format is in [specified here](../../protocols/nix-archive.md).
 
 ## Content addressing File System Objects beyond a single serialisation pass
 
@@ -80,6 +80,7 @@ Thus, Git can encode some, but not all of Nix's "File System Objects", and this
 
 In the future, we may support a Git-like hash for such file system objects, or we may adopt another Merkle DAG format which is capable of representing all Nix file system objects.
 
+
 [file system object]: ../file-system-object.md
 [store object]: ../store-object.md
 [xp-feature-git-hashing]: @docroot@/development/experimental-features.md#xp-feature-git-hashing

doc/manual/source/store/store-object/content-address.md

@@ -24,13 +24,17 @@ For the full specification of the algorithms involved, see the [specification of
 
 ### File System Objects
 
-With all currently supported store object content addressing methods, the file system object is always [content-addressed][fso-ca] first, and then that hash is incorporated into content address computation for the store object.
+With all currently-supported store object content-addressing methods, the file system object is always [content-addressed][fso-ca] first, and then that hash is incorporated into content address computation for the store object.
 
 ### References
 
+#### References to other store objects
+
 With all currently supported store object content addressing methods,
 other objects are referred to by their regular (string-encoded-) [store paths][Store Path].
 
+#### Self-references
+
 Self-references however cannot be referred to by their path, because we are in the midst of describing how to compute that path!
 
 > The alternative would require finding as hash function fixed point, i.e. the solution to an equation in the form
@@ -40,7 +44,28 @@ Self-references however cannot be referred to by their path, because we are in t
 > which is computationally infeasible.
 > As far as we know, this is equivalent to finding a hash collision.
 
-Instead we just have a "has self reference" boolean, which will end up affecting the digest.
+Instead we have a "has self-reference" boolean, which ends up affecting the digest:
+In all currently-supported store object content-addressing methods, when hashing the file system object data, any occurrence of store object's own store path in the digested data is replaced with a [sentinel value](https://en.wikipedia.org/wiki/Sentinel_value).
+The hashes of these modified input streams are used instead.
+
+When validating the content address of a store object after the fact, the above process works as written.
+However, when first creating the store object we don't know the store object's store path, as explained just above.
+We therefore, strictly speaking, do not know what value we will be replacing with the sentinel value in the inputs to hash functions.
+What instead happens is that the provisional store object --- the data from which we wish to create a store object --- is paired with a provisional "scratch" store path (that presumably was chosen when the data was created).
+That provisional store path is instead what is replaced with the sentinel value, rather than the final store object which we do not yet know.
+
+> **Design note**
+>
+> It is an informal property of content-addressed store objects that the choice of provisional store path should not matter.
+> In other words, if a provisional store object is prepared in the same way except for the choice of provision store path, the provisional data need not be identical.
+> But, after the sentinel value is substituted in place of each provisional store object's provision store path, the final so-normalized data *should* be identical.
+>
+> If, conversely, the data after this normalization process is still different, we'll compute a different content-address.
+> The method of preparing the provisional self-referenced data has *failed* to be deterministic in the sense of not *leaking* the choice of provisional store path --- a choice which is supposed to be arbitrary --- into the final store object.
+>
+> This property is informal because at this stage, we are just described store objects, which have no formal notion of their origin.
+> Without such a formal notion, there is nothing to formally accuse of being insufficiently deterministic.
+> Where we cover [derivations](@docroot@/store/derivation/index.md), we will have a chance to make this a formal property, not of content-addressed store objects themselves, but of derivations that *produce* content-addressed store objects.
 
 ### Name and Store Directory
 
@@ -63,7 +88,7 @@ References are not supported: store objects with flat hashing *and* references c
 
 This also uses the corresponding [Flat](../file-system-object/content-address.md#serial-flat) method of file system object content addressing.
 
-References to other store objects are supported, but self references are not.
+References to other store objects are supported, but self-references are not.
 
 This is the only store-object content-addressing method that is not named identically with a corresponding file system object method.
 It is somewhat obscure, mainly used for "drv files"
@@ -74,7 +99,7 @@ Prefer another method if possible.
 
 This uses the corresponding [Nix Archive](../file-system-object/content-address.md#serial-nix-archive) method of file system object content addressing.
 
-References (to other store objects and self references alike) are supported so long as the hash algorithm is SHA-256, but not (neither kind) otherwise.
+References (to other store objects and self-references alike) are supported so long as the hash algorithm is SHA-256, but not (neither kind) otherwise.
 
 ### Git { #method-git }
 

flake.nix

@@ -32,7 +32,7 @@
     let
       inherit (nixpkgs) lib;
 
-      officialRelease = false;
+      officialRelease = true;
 
       linux32BitSystems = [ "i686-linux" ];
       linux64BitSystems = [
@@ -143,39 +143,42 @@
           # without "polluting" the top level "`pkgs`" attrset.
           # This also has the benefit of providing us with a distinct set of packages
           # we can iterate over.
-          nixComponents =
+          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
+          nixComponents2 =
             lib.makeScopeWithSplicing'
               {
                 inherit (final) splicePackages;
-                inherit (final.nixDependencies) newScope;
+                inherit (final.nixDependencies2) newScope;
               }
               {
-                otherSplices = final.generateSplicesForMkScope "nixComponents";
+                otherSplices = final.generateSplicesForMkScope "nixComponents2";
                 f = import ./packaging/components.nix {
                   inherit (final) lib;
                   inherit officialRelease;
                   pkgs = final;
                   src = self;
+                  maintainers = [ ];
                 };
               };
 
           # The dependencies are in their own scope, so that they don't have to be
-          # in Nixpkgs top level `pkgs` or `nixComponents`.
-          nixDependencies =
+          # in Nixpkgs top level `pkgs` or `nixComponents2`.
+          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
+          nixDependencies2 =
             lib.makeScopeWithSplicing'
               {
                 inherit (final) splicePackages;
-                inherit (final) newScope; # layered directly on pkgs, unlike nixComponents above
+                inherit (final) newScope; # layered directly on pkgs, unlike nixComponents2 above
               }
               {
-                otherSplices = final.generateSplicesForMkScope "nixDependencies";
+                otherSplices = final.generateSplicesForMkScope "nixDependencies2";
                 f = import ./packaging/dependencies.nix {
                   inherit inputs stdenv;
                   pkgs = final;
                 };
               };
 
-          nix = final.nixComponents.nix-cli;
+          nix = final.nixComponents2.nix-cli;
 
           # See https://github.com/NixOS/nixpkgs/pull/214409
           # Remove when fixed in this flake's nixpkgs
@@ -230,24 +233,28 @@
             This shouldn't build anything significant; just check that things
             (including derivations) are _set up_ correctly.
           */
-          packaging-overriding =
-            let
-              pkgs = nixpkgsFor.${system}.native;
-              nix = self.packages.${system}.nix;
-            in
-            assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
-            if pkgs.stdenv.buildPlatform.isDarwin then
-              lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
-            else
-              # If this fails, something might be wrong with how we've wired the scope,
-              # or something could be broken in Nixpkgs.
-              pkgs.testers.testEqualContents {
-                assertion = "trivial patch does not change source contents";
-                expected = "${./.}";
-                actual =
-                  # Same for all components; nix-util is an arbitrary pick
-                  (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
-              };
+          # Disabled due to a bug in `testEqualContents` (see
+          # https://github.com/NixOS/nix/issues/12690).
+          /*
+            packaging-overriding =
+              let
+                pkgs = nixpkgsFor.${system}.native;
+                nix = self.packages.${system}.nix;
+              in
+              assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
+              if pkgs.stdenv.buildPlatform.isDarwin then
+                lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
+              else
+                # If this fails, something might be wrong with how we've wired the scope,
+                # or something could be broken in Nixpkgs.
+                pkgs.testers.testEqualContents {
+                  assertion = "trivial patch does not change source contents";
+                  expected = "${./.}";
+                  actual =
+                    # Same for all components; nix-util is an arbitrary pick
+                    (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
+                };
+          */
         }
         // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
           dockerImage = self.hydraJobs.dockerImage.${system};
@@ -263,18 +270,46 @@
           flatMapAttrs
             (
               {
-                "" = nixpkgsFor.${system}.native;
+                # Run all tests with UBSAN enabled. Running both with ubsan and
+                # without doesn't seem to have much immediate benefit for doubling
+                # the GHA CI workaround.
+                #
+                # TODO: Work toward enabling "address,undefined" if it seems feasible.
+                # This would maybe require dropping Boost coroutines and ignoring intentional
+                # memory leaks with detect_leaks=0.
+                "" = rec {
+                  nixpkgs = nixpkgsFor.${system}.native;
+                  nixComponents = nixpkgs.nixComponents2.overrideScope (
+                    nixCompFinal: nixCompPrev: {
+                      mesonComponentOverrides = _finalAttrs: prevAttrs: {
+                        mesonFlags =
+                          (prevAttrs.mesonFlags or [ ])
+                          # TODO: Macos builds instrumented with ubsan take very long
+                          # to run functional tests.
+                          ++ lib.optionals (!nixpkgs.stdenv.hostPlatform.isDarwin) [
+                            (lib.mesonOption "b_sanitize" "undefined")
+                          ];
+                      };
+                    }
+                  );
+                };
               }
               // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
                 # TODO: enable static builds for darwin, blocked on:
                 #       https://github.com/NixOS/nixpkgs/issues/320448
                 # TODO: disabled to speed up GHA CI.
-                #"static-" = nixpkgsFor.${system}.native.pkgsStatic;
+                # "static-" = {
+                #   nixpkgs = nixpkgsFor.${system}.native.pkgsStatic;
+                # };
               }
             )
             (
-              nixpkgsPrefix: nixpkgs:
-              flatMapAttrs nixpkgs.nixComponents (
+              nixpkgsPrefix:
+              {
+                nixpkgs,
+                nixComponents ? nixpkgs.nixComponents2,
+              }:
+              flatMapAttrs nixComponents (
                 pkgName: pkg:
                 flatMapAttrs pkg.tests or { } (
                   testName: test: {
@@ -283,7 +318,7 @@
                 )
               )
               // lib.optionalAttrs (nixpkgs.stdenv.hostPlatform == nixpkgs.stdenv.buildPlatform) {
-                "${nixpkgsPrefix}nix-functional-tests" = nixpkgs.nixComponents.nix-functional-tests;
+                "${nixpkgsPrefix}nix-functional-tests" = nixComponents.nix-functional-tests;
               }
             )
         // devFlake.checks.${system} or { }
@@ -302,9 +337,9 @@
           binaryTarball = self.hydraJobs.binaryTarball.${system};
           # TODO probably should be `nix-cli`
           nix = self.packages.${system}.nix-everything;
-          nix-manual = nixpkgsFor.${system}.native.nixComponents.nix-manual;
-          nix-internal-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-internal-api-docs;
-          nix-external-api-docs = nixpkgsFor.${system}.native.nixComponents.nix-external-api-docs;
+          nix-manual = nixpkgsFor.${system}.native.nixComponents2.nix-manual;
+          nix-internal-api-docs = nixpkgsFor.${system}.native.nixComponents2.nix-internal-api-docs;
+          nix-external-api-docs = nixpkgsFor.${system}.native.nixComponents2.nix-external-api-docs;
         }
         # We need to flatten recursive attribute sets of derivations to pass `flake check`.
         //
@@ -356,9 +391,9 @@
               }:
               {
                 # These attributes go right into `packages.<system>`.
-                "${pkgName}" = nixpkgsFor.${system}.native.nixComponents.${pkgName};
-                "${pkgName}-static" = nixpkgsFor.${system}.native.pkgsStatic.nixComponents.${pkgName};
-                "${pkgName}-llvm" = nixpkgsFor.${system}.native.pkgsLLVM.nixComponents.${pkgName};
+                "${pkgName}" = nixpkgsFor.${system}.native.nixComponents2.${pkgName};
+                "${pkgName}-static" = nixpkgsFor.${system}.native.pkgsStatic.nixComponents2.${pkgName};
+                "${pkgName}-llvm" = nixpkgsFor.${system}.native.pkgsLLVM.nixComponents2.${pkgName};
               }
               // lib.optionalAttrs supportsCross (
                 flatMapAttrs (lib.genAttrs crossSystems (_: { })) (
@@ -366,7 +401,7 @@
                   { }:
                   {
                     # These attributes go right into `packages.<system>`.
-                    "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName};
+                    "${pkgName}-${crossSystem}" = nixpkgsFor.${system}.cross.${crossSystem}.nixComponents2.${pkgName};
                   }
                 )
               )
@@ -376,7 +411,7 @@
                 {
                   # These attributes go right into `packages.<system>`.
                   "${pkgName}-${stdenvName}" =
-                    nixpkgsFor.${system}.nativeForStdenv.${stdenvName}.nixComponents.${pkgName};
+                    nixpkgsFor.${system}.nativeForStdenv.${stdenvName}.nixComponents2.${pkgName};
                 }
               )
             )

maintainers/data/release-credits-email-to-handle.json

@@ -145,5 +145,12 @@
     "thebenmachine+git@gmail.com": "bmillwood",
     "leandro@kip93.net": "kip93",
     "hello@briancamacho.me": "b-camacho",
-    "bcamacho@anduril.com": "bcamacho2"
+    "bcamacho@anduril.com": "bcamacho2",
+    "oldshensheep@gmail.com": "oldshensheep",
+    "thomasmiedema@gmail.com": "thomie",
+    "xokdvium@proton.me": "xokdvium",
+    "kaction@disroot.org": "KAction",
+    "serenity@kaction.cc": null,
+    "dev@erik.work": "Kirens",
+    "felix@alternativebit.fr": "picnoir"
 }

maintainers/data/release-credits-handle-to-name.json

@@ -129,5 +129,9 @@
     "SomeoneSerge": "Someone",
     "b-camacho": "Brian Camacho",
     "MaxHearnden": null,
-    "kip93": "Leandro Emmanuel Reina Kiperman"
+    "kip93": "Leandro Emmanuel Reina Kiperman",
+    "oldshensheep": "Ruby Rose",
+    "KAction": "Dmitry Bogatov",
+    "thomie": "Thomas Miedema",
+    "Kirens": "Erik Nygren"
 }

maintainers/flake-module.nix

@@ -84,342 +84,340 @@
               ''^precompiled-headers\.h$''
               ''^src/build-remote/build-remote\.cc$''
               ''^src/libcmd/built-path\.cc$''
-              ''^src/libcmd/built-path\.hh$''
+              ''^src/libcmd/include/nix/cmd/built-path\.hh$''
               ''^src/libcmd/common-eval-args\.cc$''
-              ''^src/libcmd/common-eval-args\.hh$''
+              ''^src/libcmd/include/nix/cmd/common-eval-args\.hh$''
               ''^src/libcmd/editor-for\.cc$''
               ''^src/libcmd/installable-attr-path\.cc$''
-              ''^src/libcmd/installable-attr-path\.hh$''
+              ''^src/libcmd/include/nix/cmd/installable-attr-path\.hh$''
               ''^src/libcmd/installable-derived-path\.cc$''
-              ''^src/libcmd/installable-derived-path\.hh$''
+              ''^src/libcmd/include/nix/cmd/installable-derived-path\.hh$''
               ''^src/libcmd/installable-flake\.cc$''
-              ''^src/libcmd/installable-flake\.hh$''
+              ''^src/libcmd/include/nix/cmd/installable-flake\.hh$''
               ''^src/libcmd/installable-value\.cc$''
-              ''^src/libcmd/installable-value\.hh$''
+              ''^src/libcmd/include/nix/cmd/installable-value\.hh$''
               ''^src/libcmd/installables\.cc$''
-              ''^src/libcmd/installables\.hh$''
-              ''^src/libcmd/legacy\.hh$''
+              ''^src/libcmd/include/nix/cmd/installables\.hh$''
+              ''^src/libcmd/include/nix/cmd/legacy\.hh$''
               ''^src/libcmd/markdown\.cc$''
               ''^src/libcmd/misc-store-flags\.cc$''
               ''^src/libcmd/repl-interacter\.cc$''
-              ''^src/libcmd/repl-interacter\.hh$''
+              ''^src/libcmd/include/nix/cmd/repl-interacter\.hh$''
               ''^src/libcmd/repl\.cc$''
-              ''^src/libcmd/repl\.hh$''
+              ''^src/libcmd/include/nix/cmd/repl\.hh$''
               ''^src/libexpr-c/nix_api_expr\.cc$''
               ''^src/libexpr-c/nix_api_external\.cc$''
               ''^src/libexpr/attr-path\.cc$''
-              ''^src/libexpr/attr-path\.hh$''
+              ''^src/libexpr/include/nix/expr/attr-path\.hh$''
               ''^src/libexpr/attr-set\.cc$''
-              ''^src/libexpr/attr-set\.hh$''
+              ''^src/libexpr/include/nix/expr/attr-set\.hh$''
               ''^src/libexpr/eval-cache\.cc$''
-              ''^src/libexpr/eval-cache\.hh$''
+              ''^src/libexpr/include/nix/expr/eval-cache\.hh$''
               ''^src/libexpr/eval-error\.cc$''
-              ''^src/libexpr/eval-inline\.hh$''
+              ''^src/libexpr/include/nix/expr/eval-inline\.hh$''
               ''^src/libexpr/eval-settings\.cc$''
-              ''^src/libexpr/eval-settings\.hh$''
+              ''^src/libexpr/include/nix/expr/eval-settings\.hh$''
               ''^src/libexpr/eval\.cc$''
-              ''^src/libexpr/eval\.hh$''
+              ''^src/libexpr/include/nix/expr/eval\.hh$''
               ''^src/libexpr/function-trace\.cc$''
-              ''^src/libexpr/gc-small-vector\.hh$''
+              ''^src/libexpr/include/nix/expr/gc-small-vector\.hh$''
               ''^src/libexpr/get-drvs\.cc$''
-              ''^src/libexpr/get-drvs\.hh$''
+              ''^src/libexpr/include/nix/expr/get-drvs\.hh$''
               ''^src/libexpr/json-to-value\.cc$''
               ''^src/libexpr/nixexpr\.cc$''
-              ''^src/libexpr/nixexpr\.hh$''
-              ''^src/libexpr/parser-state\.hh$''
-              ''^src/libexpr/pos-table\.hh$''
+              ''^src/libexpr/include/nix/expr/nixexpr\.hh$''
+              ''^src/libexpr/include/nix/expr/parser-state\.hh$''
               ''^src/libexpr/primops\.cc$''
-              ''^src/libexpr/primops\.hh$''
+              ''^src/libexpr/include/nix/expr/primops\.hh$''
               ''^src/libexpr/primops/context\.cc$''
               ''^src/libexpr/primops/fetchClosure\.cc$''
               ''^src/libexpr/primops/fetchMercurial\.cc$''
               ''^src/libexpr/primops/fetchTree\.cc$''
               ''^src/libexpr/primops/fromTOML\.cc$''
               ''^src/libexpr/print-ambiguous\.cc$''
-              ''^src/libexpr/print-ambiguous\.hh$''
-              ''^src/libexpr/print-options\.hh$''
+              ''^src/libexpr/include/nix/expr/print-ambiguous\.hh$''
+              ''^src/libexpr/include/nix/expr/print-options\.hh$''
               ''^src/libexpr/print\.cc$''
-              ''^src/libexpr/print\.hh$''
+              ''^src/libexpr/include/nix/expr/print\.hh$''
               ''^src/libexpr/search-path\.cc$''
-              ''^src/libexpr/symbol-table\.hh$''
+              ''^src/libexpr/include/nix/expr/symbol-table\.hh$''
               ''^src/libexpr/value-to-json\.cc$''
-              ''^src/libexpr/value-to-json\.hh$''
+              ''^src/libexpr/include/nix/expr/value-to-json\.hh$''
               ''^src/libexpr/value-to-xml\.cc$''
-              ''^src/libexpr/value-to-xml\.hh$''
-              ''^src/libexpr/value\.hh$''
+              ''^src/libexpr/include/nix/expr/value-to-xml\.hh$''
+              ''^src/libexpr/include/nix/expr/value\.hh$''
               ''^src/libexpr/value/context\.cc$''
-              ''^src/libexpr/value/context\.hh$''
+              ''^src/libexpr/include/nix/expr/value/context\.hh$''
               ''^src/libfetchers/attrs\.cc$''
               ''^src/libfetchers/cache\.cc$''
-              ''^src/libfetchers/cache\.hh$''
+              ''^src/libfetchers/include/nix/fetchers/cache\.hh$''
               ''^src/libfetchers/fetch-settings\.cc$''
-              ''^src/libfetchers/fetch-settings\.hh$''
+              ''^src/libfetchers/include/nix/fetchers/fetch-settings\.hh$''
               ''^src/libfetchers/fetch-to-store\.cc$''
               ''^src/libfetchers/fetchers\.cc$''
-              ''^src/libfetchers/fetchers\.hh$''
+              ''^src/libfetchers/include/nix/fetchers/fetchers\.hh$''
               ''^src/libfetchers/filtering-source-accessor\.cc$''
-              ''^src/libfetchers/filtering-source-accessor\.hh$''
+              ''^src/libfetchers/include/nix/fetchers/filtering-source-accessor\.hh$''
               ''^src/libfetchers/fs-source-accessor\.cc$''
-              ''^src/libfetchers/fs-source-accessor\.hh$''
+              ''^src/libfetchers/include/nix/fs-source-accessor\.hh$''
               ''^src/libfetchers/git-utils\.cc$''
-              ''^src/libfetchers/git-utils\.hh$''
+              ''^src/libfetchers/include/nix/fetchers/git-utils\.hh$''
               ''^src/libfetchers/github\.cc$''
               ''^src/libfetchers/indirect\.cc$''
               ''^src/libfetchers/memory-source-accessor\.cc$''
               ''^src/libfetchers/path\.cc$''
               ''^src/libfetchers/registry\.cc$''
-              ''^src/libfetchers/registry\.hh$''
+              ''^src/libfetchers/include/nix/fetchers/registry\.hh$''
               ''^src/libfetchers/tarball\.cc$''
-              ''^src/libfetchers/tarball\.hh$''
+              ''^src/libfetchers/include/nix/fetchers/tarball\.hh$''
               ''^src/libfetchers/git\.cc$''
               ''^src/libfetchers/mercurial\.cc$''
-              ''^src/libflake/flake/config\.cc$''
-              ''^src/libflake/flake/flake\.cc$''
-              ''^src/libflake/flake/flake\.hh$''
-              ''^src/libflake/flake/flakeref\.cc$''
-              ''^src/libflake/flake/flakeref\.hh$''
-              ''^src/libflake/flake/lockfile\.cc$''
-              ''^src/libflake/flake/lockfile\.hh$''
-              ''^src/libflake/flake/url-name\.cc$''
+              ''^src/libflake/config\.cc$''
+              ''^src/libflake/flake\.cc$''
+              ''^src/libflake/include/nix/flake/flake\.hh$''
+              ''^src/libflake/flakeref\.cc$''
+              ''^src/libflake/include/nix/flake/flakeref\.hh$''
+              ''^src/libflake/lockfile\.cc$''
+              ''^src/libflake/include/nix/flake/lockfile\.hh$''
+              ''^src/libflake/url-name\.cc$''
               ''^src/libmain/common-args\.cc$''
-              ''^src/libmain/common-args\.hh$''
+              ''^src/libmain/include/nix/main/common-args\.hh$''
               ''^src/libmain/loggers\.cc$''
-              ''^src/libmain/loggers\.hh$''
+              ''^src/libmain/include/nix/main/loggers\.hh$''
               ''^src/libmain/progress-bar\.cc$''
               ''^src/libmain/shared\.cc$''
-              ''^src/libmain/shared\.hh$''
+              ''^src/libmain/include/nix/main/shared\.hh$''
               ''^src/libmain/unix/stack\.cc$''
               ''^src/libstore/binary-cache-store\.cc$''
-              ''^src/libstore/binary-cache-store\.hh$''
-              ''^src/libstore/build-result\.hh$''
-              ''^src/libstore/builtins\.hh$''
+              ''^src/libstore/include/nix/store/binary-cache-store\.hh$''
+              ''^src/libstore/include/nix/store/build-result\.hh$''
+              ''^src/libstore/include/nix/store/builtins\.hh$''
               ''^src/libstore/builtins/buildenv\.cc$''
-              ''^src/libstore/builtins/buildenv\.hh$''
-              ''^src/libstore/common-protocol-impl\.hh$''
+              ''^src/libstore/include/nix/store/builtins/buildenv\.hh$''
+              ''^src/libstore/include/nix/store/common-protocol-impl\.hh$''
               ''^src/libstore/common-protocol\.cc$''
-              ''^src/libstore/common-protocol\.hh$''
-              ''^src/libstore/common-ssh-store-config\.hh$''
+              ''^src/libstore/include/nix/store/common-protocol\.hh$''
+              ''^src/libstore/include/nix/store/common-ssh-store-config\.hh$''
               ''^src/libstore/content-address\.cc$''
-              ''^src/libstore/content-address\.hh$''
+              ''^src/libstore/include/nix/store/content-address\.hh$''
               ''^src/libstore/daemon\.cc$''
-              ''^src/libstore/daemon\.hh$''
+              ''^src/libstore/include/nix/store/daemon\.hh$''
               ''^src/libstore/derivations\.cc$''
-              ''^src/libstore/derivations\.hh$''
+              ''^src/libstore/include/nix/store/derivations\.hh$''
               ''^src/libstore/derived-path-map\.cc$''
-              ''^src/libstore/derived-path-map\.hh$''
+              ''^src/libstore/include/nix/store/derived-path-map\.hh$''
               ''^src/libstore/derived-path\.cc$''
-              ''^src/libstore/derived-path\.hh$''
+              ''^src/libstore/include/nix/store/derived-path\.hh$''
               ''^src/libstore/downstream-placeholder\.cc$''
-              ''^src/libstore/downstream-placeholder\.hh$''
+              ''^src/libstore/include/nix/store/downstream-placeholder\.hh$''
               ''^src/libstore/dummy-store\.cc$''
               ''^src/libstore/export-import\.cc$''
               ''^src/libstore/filetransfer\.cc$''
-              ''^src/libstore/filetransfer\.hh$''
-              ''^src/libstore/gc-store\.hh$''
+              ''^src/libstore/include/nix/store/filetransfer\.hh$''
+              ''^src/libstore/include/nix/store/gc-store\.hh$''
               ''^src/libstore/globals\.cc$''
-              ''^src/libstore/globals\.hh$''
+              ''^src/libstore/include/nix/store/globals\.hh$''
               ''^src/libstore/http-binary-cache-store\.cc$''
               ''^src/libstore/legacy-ssh-store\.cc$''
-              ''^src/libstore/legacy-ssh-store\.hh$''
-              ''^src/libstore/length-prefixed-protocol-helper\.hh$''
+              ''^src/libstore/include/nix/store/legacy-ssh-store\.hh$''
+              ''^src/libstore/include/nix/store/length-prefixed-protocol-helper\.hh$''
               ''^src/libstore/linux/personality\.cc$''
-              ''^src/libstore/linux/personality\.hh$''
+              ''^src/libstore/linux/include/nix/store/personality\.hh$''
               ''^src/libstore/local-binary-cache-store\.cc$''
               ''^src/libstore/local-fs-store\.cc$''
-              ''^src/libstore/local-fs-store\.hh$''
+              ''^src/libstore/include/nix/store/local-fs-store\.hh$''
               ''^src/libstore/log-store\.cc$''
-              ''^src/libstore/log-store\.hh$''
+              ''^src/libstore/include/nix/store/log-store\.hh$''
               ''^src/libstore/machines\.cc$''
-              ''^src/libstore/machines\.hh$''
+              ''^src/libstore/include/nix/store/machines\.hh$''
               ''^src/libstore/make-content-addressed\.cc$''
-              ''^src/libstore/make-content-addressed\.hh$''
+              ''^src/libstore/include/nix/store/make-content-addressed\.hh$''
               ''^src/libstore/misc\.cc$''
               ''^src/libstore/names\.cc$''
-              ''^src/libstore/names\.hh$''
+              ''^src/libstore/include/nix/store/names\.hh$''
               ''^src/libstore/nar-accessor\.cc$''
-              ''^src/libstore/nar-accessor\.hh$''
+              ''^src/libstore/include/nix/store/nar-accessor\.hh$''
               ''^src/libstore/nar-info-disk-cache\.cc$''
-              ''^src/libstore/nar-info-disk-cache\.hh$''
+              ''^src/libstore/include/nix/store/nar-info-disk-cache\.hh$''
               ''^src/libstore/nar-info\.cc$''
-              ''^src/libstore/nar-info\.hh$''
+              ''^src/libstore/include/nix/store/nar-info\.hh$''
               ''^src/libstore/outputs-spec\.cc$''
-              ''^src/libstore/outputs-spec\.hh$''
+              ''^src/libstore/include/nix/store/outputs-spec\.hh$''
               ''^src/libstore/parsed-derivations\.cc$''
               ''^src/libstore/path-info\.cc$''
-              ''^src/libstore/path-info\.hh$''
+              ''^src/libstore/include/nix/store/path-info\.hh$''
               ''^src/libstore/path-references\.cc$''
-              ''^src/libstore/path-regex\.hh$''
+              ''^src/libstore/include/nix/store/path-regex\.hh$''
               ''^src/libstore/path-with-outputs\.cc$''
               ''^src/libstore/path\.cc$''
-              ''^src/libstore/path\.hh$''
+              ''^src/libstore/include/nix/store/path\.hh$''
               ''^src/libstore/pathlocks\.cc$''
-              ''^src/libstore/pathlocks\.hh$''
+              ''^src/libstore/include/nix/store/pathlocks\.hh$''
               ''^src/libstore/profiles\.cc$''
-              ''^src/libstore/profiles\.hh$''
+              ''^src/libstore/include/nix/store/profiles\.hh$''
               ''^src/libstore/realisation\.cc$''
-              ''^src/libstore/realisation\.hh$''
+              ''^src/libstore/include/nix/store/realisation\.hh$''
               ''^src/libstore/remote-fs-accessor\.cc$''
-              ''^src/libstore/remote-fs-accessor\.hh$''
-              ''^src/libstore/remote-store-connection\.hh$''
+              ''^src/libstore/include/nix/store/remote-fs-accessor\.hh$''
+              ''^src/libstore/include/nix/store/remote-store-connection\.hh$''
               ''^src/libstore/remote-store\.cc$''
-              ''^src/libstore/remote-store\.hh$''
+              ''^src/libstore/include/nix/store/remote-store\.hh$''
               ''^src/libstore/s3-binary-cache-store\.cc$''
-              ''^src/libstore/s3\.hh$''
+              ''^src/libstore/include/nix/store/s3\.hh$''
               ''^src/libstore/serve-protocol-impl\.cc$''
-              ''^src/libstore/serve-protocol-impl\.hh$''
+              ''^src/libstore/include/nix/store/serve-protocol-impl\.hh$''
               ''^src/libstore/serve-protocol\.cc$''
-              ''^src/libstore/serve-protocol\.hh$''
+              ''^src/libstore/include/nix/store/serve-protocol\.hh$''
               ''^src/libstore/sqlite\.cc$''
-              ''^src/libstore/sqlite\.hh$''
+              ''^src/libstore/include/nix/store/sqlite\.hh$''
               ''^src/libstore/ssh-store\.cc$''
               ''^src/libstore/ssh\.cc$''
-              ''^src/libstore/ssh\.hh$''
+              ''^src/libstore/include/nix/store/ssh\.hh$''
               ''^src/libstore/store-api\.cc$''
-              ''^src/libstore/store-api\.hh$''
-              ''^src/libstore/store-dir-config\.hh$''
+              ''^src/libstore/include/nix/store/store-api\.hh$''
+              ''^src/libstore/include/nix/store/store-dir-config\.hh$''
               ''^src/libstore/build/derivation-goal\.cc$''
-              ''^src/libstore/build/derivation-goal\.hh$''
+              ''^src/libstore/include/nix/store/build/derivation-goal\.hh$''
               ''^src/libstore/build/drv-output-substitution-goal\.cc$''
-              ''^src/libstore/build/drv-output-substitution-goal\.hh$''
+              ''^src/libstore/include/nix/store/build/drv-output-substitution-goal\.hh$''
               ''^src/libstore/build/entry-points\.cc$''
               ''^src/libstore/build/goal\.cc$''
-              ''^src/libstore/build/goal\.hh$''
+              ''^src/libstore/include/nix/store/build/goal\.hh$''
               ''^src/libstore/unix/build/hook-instance\.cc$''
               ''^src/libstore/unix/build/local-derivation-goal\.cc$''
-              ''^src/libstore/unix/build/local-derivation-goal\.hh$''
+              ''^src/libstore/unix/include/nix/store/build/local-derivation-goal\.hh$''
               ''^src/libstore/build/substitution-goal\.cc$''
-              ''^src/libstore/build/substitution-goal\.hh$''
+              ''^src/libstore/include/nix/store/build/substitution-goal\.hh$''
               ''^src/libstore/build/worker\.cc$''
-              ''^src/libstore/build/worker\.hh$''
+              ''^src/libstore/include/nix/store/build/worker\.hh$''
               ''^src/libstore/builtins/fetchurl\.cc$''
               ''^src/libstore/builtins/unpack-channel\.cc$''
               ''^src/libstore/gc\.cc$''
               ''^src/libstore/local-overlay-store\.cc$''
-              ''^src/libstore/local-overlay-store\.hh$''
+              ''^src/libstore/include/nix/store/local-overlay-store\.hh$''
               ''^src/libstore/local-store\.cc$''
-              ''^src/libstore/local-store\.hh$''
+              ''^src/libstore/include/nix/store/local-store\.hh$''
               ''^src/libstore/unix/user-lock\.cc$''
-              ''^src/libstore/unix/user-lock\.hh$''
+              ''^src/libstore/unix/include/nix/store/user-lock\.hh$''
               ''^src/libstore/optimise-store\.cc$''
               ''^src/libstore/unix/pathlocks\.cc$''
               ''^src/libstore/posix-fs-canonicalise\.cc$''
-              ''^src/libstore/posix-fs-canonicalise\.hh$''
+              ''^src/libstore/include/nix/store/posix-fs-canonicalise\.hh$''
               ''^src/libstore/uds-remote-store\.cc$''
-              ''^src/libstore/uds-remote-store\.hh$''
+              ''^src/libstore/include/nix/store/uds-remote-store\.hh$''
               ''^src/libstore/windows/build\.cc$''
-              ''^src/libstore/worker-protocol-impl\.hh$''
+              ''^src/libstore/include/nix/store/worker-protocol-impl\.hh$''
               ''^src/libstore/worker-protocol\.cc$''
-              ''^src/libstore/worker-protocol\.hh$''
+              ''^src/libstore/include/nix/store/worker-protocol\.hh$''
               ''^src/libutil-c/nix_api_util_internal\.h$''
               ''^src/libutil/archive\.cc$''
-              ''^src/libutil/archive\.hh$''
+              ''^src/libutil/include/nix/util/archive\.hh$''
               ''^src/libutil/args\.cc$''
-              ''^src/libutil/args\.hh$''
-              ''^src/libutil/args/root\.hh$''
-              ''^src/libutil/callback\.hh$''
+              ''^src/libutil/include/nix/util/args\.hh$''
+              ''^src/libutil/include/nix/util/args/root\.hh$''
+              ''^src/libutil/include/nix/util/callback\.hh$''
               ''^src/libutil/canon-path\.cc$''
-              ''^src/libutil/canon-path\.hh$''
-              ''^src/libutil/chunked-vector\.hh$''
-              ''^src/libutil/closure\.hh$''
-              ''^src/libutil/comparator\.hh$''
+              ''^src/libutil/include/nix/util/canon-path\.hh$''
+              ''^src/libutil/include/nix/util/chunked-vector\.hh$''
+              ''^src/libutil/include/nix/util/closure\.hh$''
+              ''^src/libutil/include/nix/util/comparator\.hh$''
               ''^src/libutil/compute-levels\.cc$''
-              ''^src/libutil/config-impl\.hh$''
-              ''^src/libutil/config\.cc$''
-              ''^src/libutil/config\.hh$''
+              ''^src/libutil/include/nix/util/config-impl\.hh$''
+              ''^src/libutil/configuration\.cc$''
+              ''^src/libutil/include/nix/util/configuration\.hh$''
               ''^src/libutil/current-process\.cc$''
-              ''^src/libutil/current-process\.hh$''
+              ''^src/libutil/include/nix/util/current-process\.hh$''
               ''^src/libutil/english\.cc$''
-              ''^src/libutil/english\.hh$''
+              ''^src/libutil/include/nix/util/english\.hh$''
               ''^src/libutil/error\.cc$''
-              ''^src/libutil/error\.hh$''
-              ''^src/libutil/exit\.hh$''
+              ''^src/libutil/include/nix/util/error\.hh$''
+              ''^src/libutil/include/nix/util/exit\.hh$''
               ''^src/libutil/experimental-features\.cc$''
-              ''^src/libutil/experimental-features\.hh$''
+              ''^src/libutil/include/nix/util/experimental-features\.hh$''
               ''^src/libutil/file-content-address\.cc$''
-              ''^src/libutil/file-content-address\.hh$''
+              ''^src/libutil/include/nix/util/file-content-address\.hh$''
               ''^src/libutil/file-descriptor\.cc$''
-              ''^src/libutil/file-descriptor\.hh$''
-              ''^src/libutil/file-path-impl\.hh$''
-              ''^src/libutil/file-path\.hh$''
+              ''^src/libutil/include/nix/util/file-descriptor\.hh$''
+              ''^src/libutil/include/nix/util/file-path-impl\.hh$''
+              ''^src/libutil/include/nix/util/file-path\.hh$''
               ''^src/libutil/file-system\.cc$''
-              ''^src/libutil/file-system\.hh$''
-              ''^src/libutil/finally\.hh$''
-              ''^src/libutil/fmt\.hh$''
+              ''^src/libutil/include/nix/util/file-system\.hh$''
+              ''^src/libutil/include/nix/util/finally\.hh$''
+              ''^src/libutil/include/nix/util/fmt\.hh$''
               ''^src/libutil/fs-sink\.cc$''
-              ''^src/libutil/fs-sink\.hh$''
+              ''^src/libutil/include/nix/util/fs-sink\.hh$''
               ''^src/libutil/git\.cc$''
-              ''^src/libutil/git\.hh$''
+              ''^src/libutil/include/nix/util/git\.hh$''
               ''^src/libutil/hash\.cc$''
-              ''^src/libutil/hash\.hh$''
+              ''^src/libutil/include/nix/util/hash\.hh$''
               ''^src/libutil/hilite\.cc$''
-              ''^src/libutil/hilite\.hh$''
+              ''^src/libutil/include/nix/util/hilite\.hh$''
               ''^src/libutil/source-accessor\.hh$''
-              ''^src/libutil/json-impls\.hh$''
+              ''^src/libutil/include/nix/util/json-impls\.hh$''
               ''^src/libutil/json-utils\.cc$''
-              ''^src/libutil/json-utils\.hh$''
+              ''^src/libutil/include/nix/util/json-utils\.hh$''
               ''^src/libutil/linux/cgroup\.cc$''
               ''^src/libutil/linux/namespaces\.cc$''
               ''^src/libutil/logging\.cc$''
-              ''^src/libutil/logging\.hh$''
-              ''^src/libutil/lru-cache\.hh$''
+              ''^src/libutil/include/nix/util/logging\.hh$''
+              ''^src/libutil/include/nix/util/lru-cache\.hh$''
               ''^src/libutil/memory-source-accessor\.cc$''
-              ''^src/libutil/memory-source-accessor\.hh$''
-              ''^src/libutil/pool\.hh$''
+              ''^src/libutil/include/nix/util/memory-source-accessor\.hh$''
+              ''^src/libutil/include/nix/util/pool\.hh$''
               ''^src/libutil/position\.cc$''
-              ''^src/libutil/position\.hh$''
+              ''^src/libutil/include/nix/util/position\.hh$''
               ''^src/libutil/posix-source-accessor\.cc$''
-              ''^src/libutil/posix-source-accessor\.hh$''
-              ''^src/libutil/processes\.hh$''
-              ''^src/libutil/ref\.hh$''
+              ''^src/libutil/include/nix/util/posix-source-accessor\.hh$''
+              ''^src/libutil/include/nix/util/processes\.hh$''
+              ''^src/libutil/include/nix/util/ref\.hh$''
               ''^src/libutil/references\.cc$''
-              ''^src/libutil/references\.hh$''
+              ''^src/libutil/include/nix/util/references\.hh$''
               ''^src/libutil/regex-combinators\.hh$''
               ''^src/libutil/serialise\.cc$''
-              ''^src/libutil/serialise\.hh$''
-              ''^src/libutil/signals\.hh$''
+              ''^src/libutil/include/nix/util/serialise\.hh$''
+              ''^src/libutil/include/nix/util/signals\.hh$''
               ''^src/libutil/signature/local-keys\.cc$''
-              ''^src/libutil/signature/local-keys\.hh$''
+              ''^src/libutil/include/nix/util/signature/local-keys\.hh$''
               ''^src/libutil/signature/signer\.cc$''
-              ''^src/libutil/signature/signer\.hh$''
+              ''^src/libutil/include/nix/util/signature/signer\.hh$''
               ''^src/libutil/source-accessor\.cc$''
-              ''^src/libutil/source-accessor\.hh$''
+              ''^src/libutil/include/nix/util/source-accessor\.hh$''
               ''^src/libutil/source-path\.cc$''
-              ''^src/libutil/source-path\.hh$''
-              ''^src/libutil/split\.hh$''
+              ''^src/libutil/include/nix/util/source-path\.hh$''
+              ''^src/libutil/include/nix/util/split\.hh$''
               ''^src/libutil/suggestions\.cc$''
-              ''^src/libutil/suggestions\.hh$''
-              ''^src/libutil/sync\.hh$''
+              ''^src/libutil/include/nix/util/suggestions\.hh$''
+              ''^src/libutil/include/nix/util/sync\.hh$''
               ''^src/libutil/terminal\.cc$''
-              ''^src/libutil/terminal\.hh$''
+              ''^src/libutil/include/nix/util/terminal\.hh$''
               ''^src/libutil/thread-pool\.cc$''
-              ''^src/libutil/thread-pool\.hh$''
-              ''^src/libutil/topo-sort\.hh$''
-              ''^src/libutil/types\.hh$''
+              ''^src/libutil/include/nix/util/thread-pool\.hh$''
+              ''^src/libutil/include/nix/util/topo-sort\.hh$''
+              ''^src/libutil/include/nix/util/types\.hh$''
               ''^src/libutil/unix/file-descriptor\.cc$''
               ''^src/libutil/unix/file-path\.cc$''
-              ''^src/libutil/unix/monitor-fd\.hh$''
               ''^src/libutil/unix/processes\.cc$''
-              ''^src/libutil/unix/signals-impl\.hh$''
+              ''^src/libutil/unix/include/nix/util/signals-impl\.hh$''
               ''^src/libutil/unix/signals\.cc$''
               ''^src/libutil/unix-domain-socket\.cc$''
               ''^src/libutil/unix/users\.cc$''
-              ''^src/libutil/url-parts\.hh$''
+              ''^src/libutil/include/nix/util/url-parts\.hh$''
               ''^src/libutil/url\.cc$''
-              ''^src/libutil/url\.hh$''
+              ''^src/libutil/include/nix/util/url\.hh$''
               ''^src/libutil/users\.cc$''
-              ''^src/libutil/users\.hh$''
+              ''^src/libutil/include/nix/util/users\.hh$''
               ''^src/libutil/util\.cc$''
-              ''^src/libutil/util\.hh$''
-              ''^src/libutil/variant-wrapper\.hh$''
+              ''^src/libutil/include/nix/util/util\.hh$''
+              ''^src/libutil/include/nix/util/variant-wrapper\.hh$''
               ''^src/libutil/widecharwidth/widechar_width\.h$'' # vendored source
               ''^src/libutil/windows/file-descriptor\.cc$''
               ''^src/libutil/windows/file-path\.cc$''
               ''^src/libutil/windows/processes\.cc$''
               ''^src/libutil/windows/users\.cc$''
               ''^src/libutil/windows/windows-error\.cc$''
-              ''^src/libutil/windows/windows-error\.hh$''
+              ''^src/libutil/windows/include/nix/util/windows-error\.hh$''
               ''^src/libutil/xml-writer\.cc$''
-              ''^src/libutil/xml-writer\.hh$''
+              ''^src/libutil/include/nix/util/xml-writer\.hh$''
               ''^src/nix-build/nix-build\.cc$''
               ''^src/nix-channel/nix-channel\.cc$''
               ''^src/nix-collect-garbage/nix-collect-garbage\.cc$''
@@ -483,9 +481,9 @@
               ''^tests/nixos/ca-fd-leak/sender\.c''
               ''^tests/nixos/ca-fd-leak/smuggler\.c''
               ''^tests/nixos/user-sandboxing/attacker\.c''
-              ''^src/libexpr-test-support/tests/libexpr\.hh''
+              ''^src/libexpr-test-support/include/nix/expr/tests/libexpr\.hh''
               ''^src/libexpr-test-support/tests/value/context\.cc''
-              ''^src/libexpr-test-support/tests/value/context\.hh''
+              ''^src/libexpr-test-support/include/nix/expr/tests/value/context\.hh''
               ''^src/libexpr-tests/derived-path\.cc''
               ''^src/libexpr-tests/error_traces\.cc''
               ''^src/libexpr-tests/eval\.cc''
@@ -500,13 +498,13 @@
               ''^src/libflake-tests/flakeref\.cc''
               ''^src/libflake-tests/url-name\.cc''
               ''^src/libstore-test-support/tests/derived-path\.cc''
-              ''^src/libstore-test-support/tests/derived-path\.hh''
-              ''^src/libstore-test-support/tests/nix_api_store\.hh''
+              ''^src/libstore-test-support/include/nix/store/tests/derived-path\.hh''
+              ''^src/libstore-test-support/include/nix/store/tests/nix_api_store\.hh''
               ''^src/libstore-test-support/tests/outputs-spec\.cc''
-              ''^src/libstore-test-support/tests/outputs-spec\.hh''
-              ''^src/libstore-test-support/tests/path\.cc''
-              ''^src/libstore-test-support/tests/path\.hh''
-              ''^src/libstore-test-support/tests/protocol\.hh''
+              ''^src/libstore-test-support/include/nix/store/tests/outputs-spec\.hh''
+              ''^src/libstore-test-support/path\.cc''
+              ''^src/libstore-test-support/include/nix/store/tests/path\.hh''
+              ''^src/libstore-test-support/include/nix/store/tests/protocol\.hh''
               ''^src/libstore-tests/common-protocol\.cc''
               ''^src/libstore-tests/content-address\.cc''
               ''^src/libstore-tests/derivation\.cc''
@@ -520,9 +518,9 @@
               ''^src/libstore-tests/path\.cc''
               ''^src/libstore-tests/serve-protocol\.cc''
               ''^src/libstore-tests/worker-protocol\.cc''
-              ''^src/libutil-test-support/tests/characterization\.hh''
-              ''^src/libutil-test-support/tests/hash\.cc''
-              ''^src/libutil-test-support/tests/hash\.hh''
+              ''^src/libutil-test-support/include/nix/util/tests/characterization\.hh''
+              ''^src/libutil-test-support/hash\.cc''
+              ''^src/libutil-test-support/include/nix/util/tests/hash\.hh''
               ''^src/libutil-tests/args\.cc''
               ''^src/libutil-tests/canon-path\.cc''
               ''^src/libutil-tests/chunked-vector\.cc''

maintainers/link-headers

@@ -0,0 +1,83 @@
+#!/usr/bin/env python3
+
+# This script must be run from the root of the Nix repository.
+#
+# For include path hygiene, we need to put headers in a separate
+# directory than sources. But during development, it is nice to paths
+# that are similar for headers and source files, e.g.
+# `foo/bar/baz.{cc,hh}`, e.g. for less typing when opening one file, and
+# then opening the other file.
+#
+# This script symlinks the headers next to the source files to
+# facilitate such a development workflows. It also updates
+# `.git/info/exclude` so that the symlinks are not accidentally committed
+# by mistake.
+
+from pathlib import Path
+import subprocess
+import os
+
+
+def main() -> None:
+    # Path to the source directory
+    GIT_TOPLEVEL = Path(
+        subprocess.run(
+            ["git", "rev-parse", "--show-toplevel"],
+            text=True,
+            stdout=subprocess.PIPE,
+            check=True,
+        ).stdout.strip()
+    )
+
+    # Get header files from git
+    result = subprocess.run(
+        ["git", "-C", str(GIT_TOPLEVEL), "ls-files", "*/include/nix/**.hh"],
+        text=True,
+        stdout=subprocess.PIPE,
+        check=True,
+    )
+    header_files = result.stdout.strip().split("\n")
+    header_files.sort()
+
+    links = []
+    for file_str in header_files:
+        project_str, header_str = file_str.split("/include/nix/", 1)
+        project = Path(project_str)
+        header = Path(header_str)
+
+        # Reconstruct the full path (relative to SRC_DIR) to the header file.
+        file = project / "include" / "nix" / header
+
+        # The symlink should be created at "project/header", i.e. next to the project's sources.
+        link = project / header
+
+        # Compute a relative path from the symlink's parent directory to the actual header file.
+        relative_source = os.path.relpath(
+            GIT_TOPLEVEL / file, GIT_TOPLEVEL / link.parent
+        )
+
+        # Create the symbolic link.
+        full_link_path = GIT_TOPLEVEL / link
+        full_link_path.parent.mkdir(parents=True, exist_ok=True)
+        if full_link_path.is_symlink():
+            full_link_path.unlink()
+        full_link_path.symlink_to(relative_source)
+        links.append(link)
+
+    # Generate .gitignore file
+    gitignore_path = GIT_TOPLEVEL / ".git" / "info" / "exclude"
+    gitignore_path.parent.mkdir(parents=True, exist_ok=True)
+    with gitignore_path.open("w") as gitignore:
+        gitignore.write("# DO NOT EDIT! Autogenerated\n")
+        gitignore.write(
+            "# Symlinks for headers to be next to sources for development\n"
+        )
+        gitignore.write('# Run "maintainers/link-headers" to regenerate\n\n')
+        gitignore.write('# Run "maintainers/link-headers" to regenerate\n\n')
+
+        for link in links:
+            gitignore.write(f"/{link}\n")
+
+
+if __name__ == "__main__":
+    main()

maintainers/release-credits

@@ -109,15 +109,15 @@ for sample in samples:
     s = samples[sample]
     email = s["email"]
     if not email in email_to_handle_cache.values:
-        print(f"Querying GitHub API for {s['hash']}, to get handle for {s['email']}")
+        print(f"Querying GitHub API for {s['hash']}, to get handle for {s['email']}", file=sys.stderr)
         ghc = get_github_commit(samples[sample])
         gha = ghc["author"]
         if gha and gha["login"]:
             handle = gha["login"]
-            print(f"Handle: {handle}")
+            print(f"Handle: {handle}", file=sys.stderr)
             email_to_handle_cache.values[email] = handle
         else:
-            print(f"Found no handle for {s['email']}")
+            print(f"Found no handle for {s['email']}", file=sys.stderr)
             email_to_handle_cache.values[email] = None
     handle = email_to_handle_cache.values[email]
     if handle is not None:

maintainers/release-notes

@@ -2,6 +2,8 @@
 # vim: set filetype=bash:
 #!nix shell .#changelog-d --command bash
 
+set -euo pipefail
+
 # --- CONFIGURATION ---
 
 # This does double duty for

nix-meson-build-support/common/meson.build

@@ -10,6 +10,7 @@ add_project_arguments(
   '-Werror=suggest-override',
   '-Werror=switch',
   '-Werror=switch-enum',
+  '-Werror=undef',
   '-Werror=unused-result',
   '-Wignored-qualifiers',
   '-Wimplicit-fallthrough',

nix-meson-build-support/export/meson.build

@@ -16,7 +16,6 @@ import('pkgconfig').generate(
   filebase : meson.project_name(),
   name : 'Nix',
   description : 'Nix Package Manager',
-  subdirs : ['nix'],
   extra_cflags : ['-std=c++2a'],
   requires : requires_public,
   requires_private : requires_private,

packaging/components.nix

@@ -3,6 +3,7 @@
   pkgs,
   src,
   officialRelease,
+  maintainers,
 }:
 
 scope:
@@ -51,7 +52,7 @@ let
 
   setVersionLayer = finalAttrs: prevAttrs: {
     preConfigure =
-      prevAttrs.prevAttrs or ""
+      prevAttrs.preConfigure or ""
       +
         # Update the repo-global .version file.
         # Symlink ./.version points there, but by default only workDir is writable.
@@ -110,7 +111,7 @@ let
         let
           n = lib.length finalScope.patches;
         in
-        if n == 0 then finalAttrs.version else finalAttrs.version + "+${toString n}";
+        if n == 0 then prevAttrs.version else prevAttrs.version + "+${toString n}";
 
       # Clear what `derivation` can't/shouldn't serialize; see prevAttrs.workDir.
       fileset = null;
@@ -180,9 +181,24 @@ let
       mesonFlags = [ (lib.mesonBool "b_asneeded" false) ] ++ prevAttrs.mesonFlags or [ ];
     };
 
-  miscGoodPractice = finalAttrs: prevAttrs: {
+  nixDefaultsLayer = finalAttrs: prevAttrs: {
     strictDeps = prevAttrs.strictDeps or true;
     enableParallelBuilding = true;
+    pos = builtins.unsafeGetAttrPos "pname" prevAttrs;
+    meta = prevAttrs.meta or { } // {
+      homepage = prevAttrs.meta.homepage or "https://nixos.org/nix";
+      longDescription =
+        prevAttrs.longDescription or ''
+          Nix is a powerful package manager for mainly Linux and other Unix systems that
+          makes package management reliable and reproducible. It provides atomic
+          upgrades and rollbacks, side-by-side installation of multiple versions of
+          a package, multi-user package management and easy setup of build
+          environments.
+        '';
+      license = prevAttrs.meta.license or lib.licenses.lgpl21Plus;
+      maintainers = prevAttrs.meta.maintainers or [ ] ++ scope.maintainers;
+      platforms = prevAttrs.meta.platforms or (lib.platforms.unix ++ lib.platforms.windows);
+    };
   };
 
   /**
@@ -202,6 +218,7 @@ in
 {
   version = baseVersion + versionSuffix;
   inherit versionSuffix;
+  inherit maintainers;
 
   inherit filesetToSource;
 
@@ -237,6 +254,10 @@ in
     but it does make the build non-granular; all components will use a complete source.
 
     Packaging expressions will be ignored.
+
+    Single argument: the source to use.
+
+    See also `appendPatches`
   */
   overrideSource =
     src:
@@ -265,6 +286,7 @@ in
               }
             );
         resolvePath = p: finalScope.patchedSrc + "/${resolveRelPath p}";
+        filesetToSource = { root, fileset }: finalScope.resolvePath root;
         appendPatches = appendPatches finalScope;
       }
     );
@@ -281,14 +303,14 @@ in
     (scope.overrideSource "${./..}").appendPatches patches;
 
   mkMesonDerivation = mkPackageBuilder [
-    miscGoodPractice
+    nixDefaultsLayer
     scope.sourceLayer
     setVersionLayer
     mesonLayer
     scope.mesonComponentOverrides
   ];
   mkMesonExecutable = mkPackageBuilder [
-    miscGoodPractice
+    nixDefaultsLayer
     bsdNoLinkAsNeeded
     scope.sourceLayer
     setVersionLayer
@@ -297,7 +319,7 @@ in
     scope.mesonComponentOverrides
   ];
   mkMesonLibrary = mkPackageBuilder [
-    miscGoodPractice
+    nixDefaultsLayer
     bsdNoLinkAsNeeded
     scope.sourceLayer
     mesonLayer
@@ -347,7 +369,7 @@ in
   nix-perl-bindings = callPackage ../src/perl/package.nix { };
 
   nix-everything = callPackage ../packaging/everything.nix { } // {
-    # Note: no `passthru.overrideAllMesonComponents`
+    # Note: no `passthru.overrideAllMesonComponents` etc
     #       This would propagate into `nix.overrideAttrs f`, but then discard
     #       `f` when `.overrideAllMesonComponents` is used.
     #       Both "methods" should be views on the same fixpoint overriding mechanism
@@ -355,6 +377,8 @@ in
     #       two-fixpoint solution.
     /**
       Apply an extension function (i.e. overlay-shaped) to all component derivations, and return the nix package.
+
+      Single argument: the extension function to apply (finalAttrs: prevAttrs: { ... })
     */
     overrideAllMesonComponents = f: (scope.overrideAllMesonComponents f).nix-everything;
 
@@ -363,6 +387,10 @@ in
       This affects all components.
 
       Changes to the packaging expressions will be ignored.
+
+      Single argument: list of patches to apply
+
+      See also `overrideSource`
     */
     appendPatches = ps: (scope.appendPatches ps).nix-everything;
 
@@ -371,8 +399,26 @@ in
       but it does make the build non-granular; all components will use a complete source.
 
       Packaging expressions will be ignored.
+
+      Filesets in the packaging expressions will be ignored.
+
+      Single argument: the source to use.
+
+      See also `appendPatches`
     */
     overrideSource = src: (scope.overrideSource src).nix-everything;
 
+    /**
+      Override any internals of the Nix package set.
+
+      Single argument: the extension function to apply to the package set (finalScope: prevScope: { ... })
+
+      Example:
+      ```
+      overrideScope (finalScope: prevScope: { aws-sdk-cpp = null; })
+      ```
+    */
+    overrideScope = f: (scope.overrideScope f).nix-everything;
+
   };
 }

packaging/dependencies.nix

@@ -26,6 +26,9 @@ let
   # Despite the use of the 10.13 deployment target here, the aligned
   # allocation function Clang uses with this setting actually works
   # all the way back to 10.6.
+  # NOTE: this is not just a version constraint, but a request to make Darwin
+  #       provide this version level of support. Removing this minimum version
+  #       request will regress the above error.
   darwinStdenv = pkgs.overrideSDK prevStdenv { darwinMinVersion = "10.13"; };
 
 in
@@ -65,39 +68,37 @@ scope: {
         installPhase = lib.replaceStrings [ "--without-python" ] [ "" ] old.installPhase;
       });
 
-  libgit2 = pkgs.libgit2.overrideAttrs (
-    attrs:
-    {
-      cmakeFlags = attrs.cmakeFlags or [ ] ++ [ "-DUSE_SSH=exec" ];
-    }
-    # libgit2: Nixpkgs 24.11 has < 1.9.0, which needs our patches
-    // lib.optionalAttrs (!lib.versionAtLeast pkgs.libgit2.version "1.9.0") {
-      nativeBuildInputs =
-        attrs.nativeBuildInputs or [ ]
-        # gitMinimal does not build on Windows. See packbuilder patch.
-        ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
-          # Needed for `git apply`; see `prePatch`
-          pkgs.buildPackages.gitMinimal
-        ];
-      # Only `git apply` can handle git binary patches
-      prePatch =
-        attrs.prePatch or ""
-        + lib.optionalString (!stdenv.hostPlatform.isWindows) ''
-          patch() {
-            git apply
-          }
-        '';
-      patches =
-        attrs.patches or [ ]
-        ++ [
-          ./patches/libgit2-mempack-thin-packfile.patch
-        ]
-        # gitMinimal does not build on Windows, but fortunately this patch only
-        # impacts interruptibility
-        ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
-          # binary patch; see `prePatch`
-          ./patches/libgit2-packbuilder-callback-interruptible.patch
-        ];
-    }
-  );
+  libgit2 =
+    if lib.versionAtLeast pkgs.libgit2.version "1.9.0" then
+      pkgs.libgit2
+    else
+      pkgs.libgit2.overrideAttrs (attrs: {
+        # libgit2: Nixpkgs 24.11 has < 1.9.0, which needs our patches
+        nativeBuildInputs =
+          attrs.nativeBuildInputs or [ ]
+          # gitMinimal does not build on Windows. See packbuilder patch.
+          ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
+            # Needed for `git apply`; see `prePatch`
+            pkgs.buildPackages.gitMinimal
+          ];
+        # Only `git apply` can handle git binary patches
+        prePatch =
+          attrs.prePatch or ""
+          + lib.optionalString (!stdenv.hostPlatform.isWindows) ''
+            patch() {
+              git apply
+            }
+          '';
+        patches =
+          attrs.patches or [ ]
+          ++ [
+            ./patches/libgit2-mempack-thin-packfile.patch
+          ]
+          # gitMinimal does not build on Windows, but fortunately this patch only
+          # impacts interruptibility
+          ++ lib.optionals (!stdenv.hostPlatform.isWindows) [
+            # binary patch; see `prePatch`
+            ./patches/libgit2-packbuilder-callback-interruptible.patch
+          ];
+      });
 }

packaging/dev-shell.nix

@@ -5,11 +5,11 @@
 
 { pkgs }:
 
-pkgs.nixComponents.nix-util.overrideAttrs (
+pkgs.nixComponents2.nix-util.overrideAttrs (
   attrs:
 
   let
-    stdenv = pkgs.nixDependencies.stdenv;
+    stdenv = pkgs.nixDependencies2.stdenv;
     buildCanExecuteHost = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
     modular = devFlake.getSystem stdenv.buildPlatform.system;
     transformFlag =
@@ -72,10 +72,6 @@ pkgs.nixComponents.nix-util.overrideAttrs (
     src = null;
 
     env = {
-      # Needed for Meson to find Boost.
-      # https://github.com/NixOS/nixpkgs/issues/86131.
-      BOOST_INCLUDEDIR = "${lib.getDev pkgs.nixDependencies.boost}/include";
-      BOOST_LIBRARYDIR = "${lib.getLib pkgs.nixDependencies.boost}/lib";
       # For `make format`, to work without installing pre-commit
       _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
         modular.pre-commit.settings.rawConfig
@@ -83,26 +79,26 @@ pkgs.nixComponents.nix-util.overrideAttrs (
     };
 
     mesonFlags =
-      map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents.nix-util.mesonFlags)
-      ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents.nix-store.mesonFlags)
-      ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents.nix-fetchers.mesonFlags)
+      map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents2.nix-util.mesonFlags)
+      ++ map (transformFlag "libstore") (ignoreCrossFile pkgs.nixComponents2.nix-store.mesonFlags)
+      ++ map (transformFlag "libfetchers") (ignoreCrossFile pkgs.nixComponents2.nix-fetchers.mesonFlags)
       ++ lib.optionals havePerl (
-        map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents.nix-perl-bindings.mesonFlags)
+        map (transformFlag "perl") (ignoreCrossFile pkgs.nixComponents2.nix-perl-bindings.mesonFlags)
       )
-      ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents.nix-expr.mesonFlags)
-      ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents.nix-cmd.mesonFlags);
+      ++ map (transformFlag "libexpr") (ignoreCrossFile pkgs.nixComponents2.nix-expr.mesonFlags)
+      ++ map (transformFlag "libcmd") (ignoreCrossFile pkgs.nixComponents2.nix-cmd.mesonFlags);
 
     nativeBuildInputs =
       attrs.nativeBuildInputs or [ ]
-      ++ pkgs.nixComponents.nix-util.nativeBuildInputs
-      ++ pkgs.nixComponents.nix-store.nativeBuildInputs
-      ++ pkgs.nixComponents.nix-fetchers.nativeBuildInputs
-      ++ pkgs.nixComponents.nix-expr.nativeBuildInputs
-      ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.nativeBuildInputs
-      ++ lib.optionals buildCanExecuteHost pkgs.nixComponents.nix-manual.externalNativeBuildInputs
-      ++ pkgs.nixComponents.nix-internal-api-docs.nativeBuildInputs
-      ++ pkgs.nixComponents.nix-external-api-docs.nativeBuildInputs
-      ++ pkgs.nixComponents.nix-functional-tests.externalNativeBuildInputs
+      ++ pkgs.nixComponents2.nix-util.nativeBuildInputs
+      ++ pkgs.nixComponents2.nix-store.nativeBuildInputs
+      ++ pkgs.nixComponents2.nix-fetchers.nativeBuildInputs
+      ++ pkgs.nixComponents2.nix-expr.nativeBuildInputs
+      ++ lib.optionals havePerl pkgs.nixComponents2.nix-perl-bindings.nativeBuildInputs
+      ++ lib.optionals buildCanExecuteHost pkgs.nixComponents2.nix-manual.externalNativeBuildInputs
+      ++ pkgs.nixComponents2.nix-internal-api-docs.nativeBuildInputs
+      ++ pkgs.nixComponents2.nix-external-api-docs.nativeBuildInputs
+      ++ pkgs.nixComponents2.nix-functional-tests.externalNativeBuildInputs
       ++ lib.optional (
         !buildCanExecuteHost
         # Hack around https://github.com/nixos/nixpkgs/commit/bf7ad8cfbfa102a90463433e2c5027573b462479
@@ -118,23 +114,20 @@ pkgs.nixComponents.nix-util.overrideAttrs (
         (pkgs.writeScriptBin "pre-commit-hooks-install" modular.pre-commit.settings.installationScript)
         pkgs.buildPackages.nixfmt-rfc-style
       ]
-      # TODO: Remove the darwin check once
-      # https://github.com/NixOS/nixpkgs/pull/291814 is available
-      ++ lib.optional (stdenv.cc.isClang && !stdenv.buildPlatform.isDarwin) pkgs.buildPackages.bear
       ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (
         lib.hiPrio pkgs.buildPackages.clang-tools
       );
 
     buildInputs =
       attrs.buildInputs or [ ]
-      ++ pkgs.nixComponents.nix-util.buildInputs
-      ++ pkgs.nixComponents.nix-store.buildInputs
-      ++ pkgs.nixComponents.nix-store-tests.externalBuildInputs
-      ++ pkgs.nixComponents.nix-fetchers.buildInputs
-      ++ pkgs.nixComponents.nix-expr.buildInputs
-      ++ pkgs.nixComponents.nix-expr.externalPropagatedBuildInputs
-      ++ pkgs.nixComponents.nix-cmd.buildInputs
-      ++ lib.optionals havePerl pkgs.nixComponents.nix-perl-bindings.externalBuildInputs
+      ++ pkgs.nixComponents2.nix-util.buildInputs
+      ++ pkgs.nixComponents2.nix-store.buildInputs
+      ++ pkgs.nixComponents2.nix-store-tests.externalBuildInputs
+      ++ pkgs.nixComponents2.nix-fetchers.buildInputs
+      ++ pkgs.nixComponents2.nix-expr.buildInputs
+      ++ pkgs.nixComponents2.nix-expr.externalPropagatedBuildInputs
+      ++ pkgs.nixComponents2.nix-cmd.buildInputs
+      ++ lib.optionals havePerl pkgs.nixComponents2.nix-perl-bindings.externalBuildInputs
       ++ lib.optional havePerl pkgs.perl;
   }
 )

packaging/everything.nix

@@ -1,8 +1,11 @@
 {
   lib,
   stdenv,
+  lndir,
   buildEnv,
 
+  maintainers,
+
   nix-util,
   nix-util-c,
   nix-util-tests,
@@ -38,7 +41,8 @@
   nix-perl-bindings,
 
   testers,
-  runCommand,
+
+  patchedSrc ? null,
 }:
 
 let
@@ -68,48 +72,6 @@ let
           ;
       };
 
-  dev = stdenv.mkDerivation (finalAttrs: {
-    name = "nix-${nix-cli.version}-dev";
-    pname = "nix";
-    version = nix-cli.version;
-    dontUnpack = true;
-    dontBuild = true;
-    libs = map lib.getDev (lib.attrValues libs);
-    installPhase = ''
-      mkdir -p $out/nix-support
-      echo $libs >> $out/nix-support/propagated-build-inputs
-    '';
-    passthru = {
-      tests = {
-        pkg-config = testers.hasPkgConfigModules {
-          package = finalAttrs.finalPackage;
-        };
-      };
-
-      # If we were to fully emulate output selection here, we'd confuse the Nix CLIs,
-      # because they rely on `drvPath`.
-      dev = finalAttrs.finalPackage.out;
-
-      libs = throw "`nix.dev.libs` is not meant to be used; use `nix.libs` instead.";
-    };
-    meta = {
-      mainProgram = "nix";
-      pkgConfigModules = [
-        "nix-cmd"
-        "nix-expr"
-        "nix-expr-c"
-        "nix-fetchers"
-        "nix-flake"
-        "nix-flake-c"
-        "nix-main"
-        "nix-main-c"
-        "nix-store"
-        "nix-store-c"
-        "nix-util"
-        "nix-util-c"
-      ];
-    };
-  });
   devdoc = buildEnv {
     name = "nix-${nix-cli.version}-devdoc";
     paths = [
@@ -119,92 +81,164 @@ let
   };
 
 in
-(buildEnv {
-  name = "nix-${nix-cli.version}";
-  paths = [
-    nix-cli
-    nix-manual.man
+stdenv.mkDerivation (finalAttrs: {
+  pname = "nix";
+  version = nix-cli.version;
+
+  /**
+    This package uses a multi-output derivation, even though some outputs could
+    have been provided directly by the constituent component that provides it.
+
+    This is because not all tooling handles packages composed of arbitrary
+    outputs yet. This includes nix itself, https://github.com/NixOS/nix/issues/6507.
+
+    `devdoc` is also available, but not listed here, because this attribute is
+    not an output of the same derivation that provides `out`, `dev`, etc.
+  */
+  outputs = [
+    "out"
+    "dev"
+    "doc"
+    "man"
   ];
 
-  meta.mainProgram = "nix";
-}).overrideAttrs
-  (
-    finalAttrs: prevAttrs: {
-      doCheck = true;
-      doInstallCheck = true;
+  /**
+    Unpacking is handled in this package's constituent components
+  */
+  dontUnpack = true;
+  /**
+    Building is handled in this package's constituent components
+  */
+  dontBuild = true;
 
-      checkInputs =
-        [
-          # Make sure the unit tests have passed
-          nix-util-tests.tests.run
-          nix-store-tests.tests.run
-          nix-expr-tests.tests.run
-          nix-fetchers-tests.tests.run
-          nix-flake-tests.tests.run
+  /**
+    `doCheck` controles whether tests are added as build gate for the combined package.
+    This includes both the unit tests and the functional tests, but not the
+    integration tests that run in CI (the flake's `hydraJobs` and some of the `checks`).
+  */
+  doCheck = true;
 
-          # Make sure the functional tests have passed
-          nix-functional-tests
+  /**
+    `fixupPhase` currently doesn't understand that a symlink output isn't writable.
 
-          # dev bundle is ok
-          # (checkInputs must be empty paths??)
-          (runCommand "check-pkg-config" { checked = dev.tests.pkg-config; } "mkdir $out")
-        ]
-        ++ lib.optionals
-          (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
-          [
-            # Perl currently fails in static build
-            # TODO: Split out tests into a separate derivation?
-            nix-perl-bindings
-          ];
-      passthru = prevAttrs.passthru // {
-        inherit (nix-cli) version;
+    We don't compile or link anything in this derivation, so fixups aren't needed.
+  */
+  dontFixup = true;
 
-        /**
-          These are the libraries that are part of the Nix project. They are used
-          by the Nix CLI and other tools.
+  checkInputs =
+    [
+      # Make sure the unit tests have passed
+      nix-util-tests.tests.run
+      nix-store-tests.tests.run
+      nix-expr-tests.tests.run
+      nix-fetchers-tests.tests.run
+      nix-flake-tests.tests.run
 
-          If you need to use these libraries in your project, we recommend to use
-          the `-c` C API libraries exclusively, if possible.
+      # Make sure the functional tests have passed
+      nix-functional-tests
+    ]
+    ++ lib.optionals
+      (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+      [
+        # Perl currently fails in static build
+        # TODO: Split out tests into a separate derivation?
+        nix-perl-bindings
+      ];
 
-          We also recommend that you build the complete package to ensure that the unit tests pass.
-          You could do this in CI, or by passing it in an unused environment variable. e.g in a `mkDerivation` call:
+  nativeBuildInputs = [
+    lndir
+  ];
 
-          ```nix
-            buildInputs = [ nix.libs.nix-util-c nix.libs.nix-store-c ];
-            # Make sure the nix libs we use are ok
-            unusedInputsForTests = [ nix ];
-            disallowedReferences = nix.all;
-          ```
-        */
-        inherit libs;
+  installPhase =
+    let
+      devPaths = lib.mapAttrsToList (_k: lib.getDev) finalAttrs.finalPackage.libs;
+    in
+    ''
+      mkdir -p $out $dev/nix-support
 
-        tests = prevAttrs.passthru.tests or { } // {
-          # TODO: create a proper fixpoint and:
-          # pkg-config =
-          #   testers.hasPkgConfigModules {
-          #     package = finalPackage;
-          #   };
-        };
+      # Custom files
+      echo $libs >> $dev/nix-support/propagated-build-inputs
+      echo ${nix-cli} ${lib.escapeShellArgs devPaths} >> $dev/nix-support/propagated-build-inputs
 
-        /**
-          A derivation referencing the `dev` outputs of the Nix libraries.
-        */
-        inherit dev;
-        inherit devdoc;
-        doc = nix-manual;
-        outputs = [
-          "out"
-          "dev"
-          "devdoc"
-          "doc"
-        ];
-        all = lib.attrValues (
-          lib.genAttrs finalAttrs.passthru.outputs (outName: finalAttrs.finalPackage.${outName})
-        );
+      # Merged outputs
+      lndir ${nix-cli} $out
+
+      for lib in ${lib.escapeShellArgs devPaths}; do
+        lndir $lib $dev
+      done
+
+      # Forwarded outputs
+      ln -sT ${nix-manual} $doc
+      ln -sT ${nix-manual.man} $man
+    '';
+
+  passthru = {
+    inherit (nix-cli) version;
+    src = patchedSrc;
+
+    /**
+      These are the libraries that are part of the Nix project. They are used
+      by the Nix CLI and other tools.
+
+      If you need to use these libraries in your project, we recommend to use
+      the `-c` C API libraries exclusively, if possible.
+
+      We also recommend that you build the complete package to ensure that the unit tests pass.
+      You could do this in CI, or by passing it in an unused environment variable. e.g in a `mkDerivation` call:
+
+      ```nix
+        buildInputs = [ nix.libs.nix-util-c nix.libs.nix-store-c ];
+        # Make sure the nix libs we use are ok
+        unusedInputsForTests = [ nix ];
+        disallowedReferences = nix.all;
+      ```
+    */
+    inherit libs;
+
+    /**
+      Developer documentation for `nix`, in `share/doc/nix/{internal,external}-api/`.
+
+      This is not a proper output; see `outputs` for context.
+    */
+    inherit devdoc;
+
+    /**
+      Extra tests that test this package, but do not run as part of the build.
+      See <https://nixos.org/manual/nixpkgs/stable/index.html#var-passthru-tests>
+    */
+    tests = {
+      pkg-config = testers.hasPkgConfigModules {
+        package = finalAttrs.finalPackage;
       };
-      meta = prevAttrs.meta // {
-        description = "The Nix package manager";
-        pkgConfigModules = dev.meta.pkgConfigModules;
-      };
-    }
-  )
+    };
+  };
+
+  meta = {
+    mainProgram = "nix";
+    description = "The Nix package manager";
+    longDescription = nix-cli.meta.longDescription;
+    homepage = nix-cli.meta.homepage;
+    license = nix-cli.meta.license;
+    maintainers = maintainers;
+    platforms = nix-cli.meta.platforms;
+    outputsToInstall = [
+      "out"
+      "man"
+    ];
+    pkgConfigModules = [
+      "nix-cmd"
+      "nix-expr"
+      "nix-expr-c"
+      "nix-fetchers"
+      "nix-flake"
+      "nix-flake-c"
+      "nix-main"
+      "nix-main-c"
+      "nix-store"
+      "nix-store-c"
+      "nix-util"
+      "nix-util-c"
+    ];
+  };
+
+})

packaging/hydra.nix

@@ -19,45 +19,99 @@ let
 
   testNixVersions =
     pkgs: daemon:
-    pkgs.nixComponents.nix-functional-tests.override {
+    pkgs.nixComponents2.nix-functional-tests.override {
       pname = "nix-daemon-compat-tests";
       version = "${pkgs.nix.version}-with-daemon-${daemon.version}";
 
       test-daemon = daemon;
     };
 
-  # Technically we could just return `pkgs.nixComponents`, but for Hydra it's
+  # Technically we could just return `pkgs.nixComponents2`, but for Hydra it's
   # convention to transpose it, and to transpose it efficiently, we need to
   # enumerate them manually, so that we don't evaluate unnecessary package sets.
-  forAllPackages = lib.genAttrs [
-    "nix-everything"
-    "nix-util"
-    "nix-util-c"
-    "nix-util-test-support"
-    "nix-util-tests"
-    "nix-store"
-    "nix-store-c"
-    "nix-store-test-support"
-    "nix-store-tests"
-    "nix-fetchers"
-    "nix-fetchers-tests"
-    "nix-expr"
-    "nix-expr-c"
-    "nix-expr-test-support"
-    "nix-expr-tests"
-    "nix-flake"
-    "nix-flake-tests"
-    "nix-main"
-    "nix-main-c"
-    "nix-cmd"
-    "nix-cli"
-    "nix-functional-tests"
-  ];
+  # See listingIsComplete below.
+  forAllPackages = forAllPackages' { };
+  forAllPackages' =
+    {
+      enableBindings ? false,
+      enableDocs ? false, # already have separate attrs for these
+    }:
+    lib.genAttrs (
+      [
+        "nix-everything"
+        "nix-util"
+        "nix-util-c"
+        "nix-util-test-support"
+        "nix-util-tests"
+        "nix-store"
+        "nix-store-c"
+        "nix-store-test-support"
+        "nix-store-tests"
+        "nix-fetchers"
+        "nix-fetchers-tests"
+        "nix-expr"
+        "nix-expr-c"
+        "nix-expr-test-support"
+        "nix-expr-tests"
+        "nix-flake"
+        "nix-flake-c"
+        "nix-flake-tests"
+        "nix-main"
+        "nix-main-c"
+        "nix-cmd"
+        "nix-cli"
+        "nix-functional-tests"
+      ]
+      ++ lib.optionals enableBindings [
+        "nix-perl-bindings"
+      ]
+      ++ lib.optionals enableDocs [
+        "nix-manual"
+        "nix-internal-api-docs"
+        "nix-external-api-docs"
+      ]
+    );
 in
 {
+  /**
+    An internal check to make sure our package listing is complete.
+  */
+  listingIsComplete =
+    let
+      arbitrarySystem = "x86_64-linux";
+      listedPkgs = forAllPackages' {
+        enableBindings = true;
+        enableDocs = true;
+      } (_: null);
+      actualPkgs = lib.concatMapAttrs (
+        k: v: if lib.strings.hasPrefix "nix-" k then { ${k} = null; } else { }
+      ) nixpkgsFor.${arbitrarySystem}.native.nixComponents2;
+      diff = lib.concatStringsSep "\n" (
+        lib.concatLists (
+          lib.mapAttrsToList (
+            k: _:
+            if (listedPkgs ? ${k}) && !(actualPkgs ? ${k}) then
+              [ "- ${k}: redundant?" ]
+            else if !(listedPkgs ? ${k}) && (actualPkgs ? ${k}) then
+              [ "- ${k}: missing?" ]
+            else
+              [ ]
+          ) (listedPkgs // actualPkgs)
+        )
+      );
+    in
+    if listedPkgs == actualPkgs then
+      { }
+    else
+      throw ''
+        Please update the components list in hydra.nix (or fix this check)
+        Differences:
+        ${diff}
+      '';
+
   # Binary package for various platforms.
   build = forAllPackages (
-    pkgName: forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.${pkgName})
+    pkgName: forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.${pkgName})
   );
 
   shellInputs = removeAttrs (forAllSystems (
@@ -67,7 +121,7 @@ in
   buildStatic = forAllPackages (
     pkgName:
     lib.genAttrs linux64BitSystems (
-      system: nixpkgsFor.${system}.native.pkgsStatic.nixComponents.${pkgName}
+      system: nixpkgsFor.${system}.native.pkgsStatic.nixComponents2.${pkgName}
     )
   );
 
@@ -84,7 +138,7 @@ in
         forAllCrossSystems (
           crossSystem:
           lib.genAttrs [ "x86_64-linux" ] (
-            system: nixpkgsFor.${system}.cross.${crossSystem}.nixComponents.${pkgName}
+            system: nixpkgsFor.${system}.cross.${crossSystem}.nixComponents2.${pkgName}
           )
         )
       )
@@ -94,7 +148,7 @@ in
     let
       components = forAllSystems (
         system:
-        nixpkgsFor.${system}.native.nixComponents.overrideScope (
+        nixpkgsFor.${system}.native.nixComponents2.overrideScope (
           self: super: {
             nix-expr = super.nix-expr.override { enableGC = false; };
           }
@@ -103,7 +157,7 @@ in
     in
     forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
 
-  buildNoTests = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.nix-cli);
+  buildNoTests = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.nix-cli);
 
   # Toggles some settings for better coverage. Windows needs these
   # library combinations, and Debian build Nix with GNU readline too.
@@ -111,7 +165,7 @@ in
     let
       components = forAllSystems (
         system:
-        nixpkgsFor.${system}.native.nixComponents.overrideScope (
+        nixpkgsFor.${system}.native.nixComponents2.overrideScope (
           self: super: {
             nix-cmd = super.nix-cmd.override {
               enableMarkdown = false;
@@ -124,7 +178,7 @@ in
     forAllPackages (pkgName: forAllSystems (system: components.${system}.${pkgName}));
 
   # Perl bindings for various platforms.
-  perlBindings = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents.nix-perl-bindings);
+  perlBindings = forAllSystems (system: nixpkgsFor.${system}.native.nixComponents2.nix-perl-bindings);
 
   # Binary tarball for various platforms, containing a Nix store
   # with the closure of 'nix' package, and the second half of
@@ -174,13 +228,13 @@ in
   # };
 
   # Nix's manual
-  manual = nixpkgsFor.x86_64-linux.native.nixComponents.nix-manual;
+  manual = nixpkgsFor.x86_64-linux.native.nixComponents2.nix-manual;
 
   # API docs for Nix's unstable internal C++ interfaces.
-  internal-api-docs = nixpkgsFor.x86_64-linux.native.nixComponents.nix-internal-api-docs;
+  internal-api-docs = nixpkgsFor.x86_64-linux.native.nixComponents2.nix-internal-api-docs;
 
   # API docs for Nix's C bindings.
-  external-api-docs = nixpkgsFor.x86_64-linux.native.nixComponents.nix-external-api-docs;
+  external-api-docs = nixpkgsFor.x86_64-linux.native.nixComponents2.nix-external-api-docs;
 
   # System tests.
   tests =

scripts/nix-profile-daemon.sh.in

@@ -1,7 +1,7 @@
 # Only execute this file once per shell.
 # This file is tested by tests/installer/default.nix.
 if [ -n "${__ETC_PROFILE_NIX_SOURCED:-}" ]; then return; fi
-__ETC_PROFILE_NIX_SOURCED=1
+export __ETC_PROFILE_NIX_SOURCED=1
 
 NIX_LINK=$HOME/.nix-profile
 if [ -n "${XDG_STATE_HOME-}" ]; then

src/build-remote/build-remote.cc

@@ -5,23 +5,23 @@
 #include <memory>
 #include <tuple>
 #include <iomanip>
-#if __APPLE__
+#ifdef __APPLE__
 #include <sys/time.h>
 #endif
 
-#include "machines.hh"
-#include "shared.hh"
-#include "plugin.hh"
-#include "pathlocks.hh"
-#include "globals.hh"
-#include "serialise.hh"
-#include "build-result.hh"
-#include "store-api.hh"
-#include "strings.hh"
-#include "derivations.hh"
-#include "local-store.hh"
-#include "legacy.hh"
-#include "experimental-features.hh"
+#include "nix/store/machines.hh"
+#include "nix/main/shared.hh"
+#include "nix/main/plugin.hh"
+#include "nix/store/pathlocks.hh"
+#include "nix/store/globals.hh"
+#include "nix/util/serialise.hh"
+#include "nix/store/build-result.hh"
+#include "nix/store/store-api.hh"
+#include "nix/util/strings.hh"
+#include "nix/store/derivations.hh"
+#include "nix/store/local-store.hh"
+#include "nix/cmd/legacy.hh"
+#include "nix/util/experimental-features.hh"
 
 using namespace nix;
 using std::cin;
@@ -225,7 +225,7 @@ static int main_build_remote(int argc, char * * argv)
                     break;
                 }
 
-#if __APPLE__
+#ifdef __APPLE__
                 futimes(bestSlotLock.get(), NULL);
 #else
                 futimens(bestSlotLock.get(), NULL);

src/libcmd/built-path.cc

@@ -1,7 +1,7 @@
-#include "built-path.hh"
-#include "derivations.hh"
-#include "store-api.hh"
-#include "comparator.hh"
+#include "nix/cmd/built-path.hh"
+#include "nix/store/derivations.hh"
+#include "nix/store/store-api.hh"
+#include "nix/util/comparator.hh"
 
 #include <nlohmann/json.hpp>
 

src/libcmd/command-installable-value.cc

@@ -1,4 +1,4 @@
-#include "command-installable-value.hh"
+#include "nix/cmd/command-installable-value.hh"
 
 namespace nix {
 

src/libcmd/command.cc

@@ -1,16 +1,16 @@
 #include <algorithm>
 #include <nlohmann/json.hpp>
 
-#include "command.hh"
-#include "markdown.hh"
-#include "store-api.hh"
-#include "local-fs-store.hh"
-#include "derivations.hh"
-#include "nixexpr.hh"
-#include "profiles.hh"
-#include "repl.hh"
-#include "strings.hh"
-#include "environment-variables.hh"
+#include "nix/cmd/command.hh"
+#include "nix/cmd/markdown.hh"
+#include "nix/store/store-api.hh"
+#include "nix/store/local-fs-store.hh"
+#include "nix/store/derivations.hh"
+#include "nix/expr/nixexpr.hh"
+#include "nix/store/profiles.hh"
+#include "nix/cmd/repl.hh"
+#include "nix/util/strings.hh"
+#include "nix/util/environment-variables.hh"
 
 namespace nix {
 
@@ -237,12 +237,13 @@ void StorePathCommand::run(ref<Store> store, StorePaths && storePaths)
 
 MixProfile::MixProfile()
 {
-    addFlag(
-        {.longName = "profile",
-         .description = "The profile to operate on.",
-         .labels = {"path"},
-         .handler = {&profile},
-         .completer = completePath});
+    addFlag({
+        .longName = "profile",
+        .description = "The profile to operate on.",
+        .labels = {"path"},
+        .handler = {&profile},
+        .completer = completePath,
+    });
 }
 
 void MixProfile::updateProfile(const StorePath & storePath)

src/libcmd/common-eval-args.cc

@@ -1,20 +1,20 @@
-#include "fetch-settings.hh"
-#include "eval-settings.hh"
-#include "common-eval-args.hh"
-#include "shared.hh"
-#include "config-global.hh"
-#include "filetransfer.hh"
-#include "eval.hh"
-#include "fetchers.hh"
-#include "registry.hh"
-#include "flake/flakeref.hh"
-#include "flake/settings.hh"
-#include "store-api.hh"
-#include "command.hh"
-#include "tarball.hh"
-#include "fetch-to-store.hh"
-#include "compatibility-settings.hh"
-#include "eval-settings.hh"
+#include "nix/fetchers/fetch-settings.hh"
+#include "nix/expr/eval-settings.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/main/shared.hh"
+#include "nix/util/config-global.hh"
+#include "nix/store/filetransfer.hh"
+#include "nix/expr/eval.hh"
+#include "nix/fetchers/fetchers.hh"
+#include "nix/fetchers/registry.hh"
+#include "nix/flake/flakeref.hh"
+#include "nix/flake/settings.hh"
+#include "nix/store/store-api.hh"
+#include "nix/cmd/command.hh"
+#include "nix/fetchers/tarball.hh"
+#include "nix/fetchers/fetch-to-store.hh"
+#include "nix/cmd/compatibility-settings.hh"
+#include "nix/expr/eval-settings.hh"
 
 namespace nix {
 
@@ -63,7 +63,7 @@ MixEvalArgs::MixEvalArgs()
         .description = "Pass the value *expr* as the argument *name* to Nix functions.",
         .category = category,
         .labels = {"name", "expr"},
-        .handler = {[&](std::string name, std::string expr) { autoArgs.insert_or_assign(name, AutoArg{AutoArgExpr{expr}}); }}
+        .handler = {[&](std::string name, std::string expr) { autoArgs.insert_or_assign(name, AutoArg{AutoArgExpr{expr}}); }},
     });
 
     addFlag({
@@ -80,7 +80,7 @@ MixEvalArgs::MixEvalArgs()
         .category = category,
         .labels = {"name", "path"},
         .handler = {[&](std::string name, std::string path) { autoArgs.insert_or_assign(name, AutoArg{AutoArgFile{path}}); }},
-        .completer = completePath
+        .completer = completePath,
     });
 
     addFlag({
@@ -105,7 +105,7 @@ MixEvalArgs::MixEvalArgs()
         .labels = {"path"},
         .handler = {[&](std::string s) {
             lookupPath.elements.emplace_back(LookupPath::Elem::parse(s));
-        }}
+        }},
     });
 
     addFlag({
@@ -131,7 +131,7 @@ MixEvalArgs::MixEvalArgs()
         }},
         .completer = {[&](AddCompletions & completions, size_t, std::string_view prefix) {
             completeFlakeRef(completions, openStore(), prefix);
-        }}
+        }},
     });
 
     addFlag({

src/libcmd/editor-for.cc

@@ -1,6 +1,6 @@
-#include "editor-for.hh"
-#include "environment-variables.hh"
-#include "source-path.hh"
+#include "nix/cmd/editor-for.hh"
+#include "nix/util/environment-variables.hh"
+#include "nix/util/source-path.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/built-path.hh

@@ -1,8 +1,8 @@
 #pragma once
 ///@file
 
-#include "derived-path.hh"
-#include "realisation.hh"
+#include "nix/store/derived-path.hh"
+#include "nix/store/realisation.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/command-installable-value.hh

@@ -1,8 +1,8 @@
 #pragma once
 ///@file
 
-#include "installable-value.hh"
-#include "command.hh"
+#include "nix/cmd/installable-value.hh"
+#include "nix/cmd/command.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/command.hh

@@ -1,11 +1,11 @@
 #pragma once
 ///@file
 
-#include "installable-value.hh"
-#include "args.hh"
-#include "common-eval-args.hh"
-#include "path.hh"
-#include "flake/lockfile.hh"
+#include "nix/cmd/installable-value.hh"
+#include "nix/util/args.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/store/path.hh"
+#include "nix/flake/lockfile.hh"
 
 #include <optional>
 

src/libcmd/include/nix/cmd/common-eval-args.hh

@@ -1,10 +1,10 @@
 #pragma once
 ///@file
 
-#include "args.hh"
-#include "canon-path.hh"
-#include "common-args.hh"
-#include "search-path.hh"
+#include "nix/util/args.hh"
+#include "nix/util/canon-path.hh"
+#include "nix/main/common-args.hh"
+#include "nix/expr/search-path.hh"
 
 #include <filesystem>
 

src/libcmd/include/nix/cmd/compatibility-settings.hh

@@ -1,5 +1,5 @@
 #pragma once
-#include "config.hh"
+#include "nix/util/configuration.hh"
 
 namespace nix {
 struct CompatibilitySettings : public Config

src/libcmd/include/nix/cmd/editor-for.hh

@@ -1,8 +1,8 @@
 #pragma once
 ///@file
 
-#include "types.hh"
-#include "source-path.hh"
+#include "nix/util/types.hh"
+#include "nix/util/source-path.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/installable-attr-path.hh

@@ -1,22 +1,22 @@
 #pragma once
 ///@file
 
-#include "globals.hh"
-#include "installable-value.hh"
-#include "outputs-spec.hh"
-#include "command.hh"
-#include "attr-path.hh"
-#include "common-eval-args.hh"
-#include "derivations.hh"
-#include "eval-inline.hh"
-#include "eval.hh"
-#include "get-drvs.hh"
-#include "store-api.hh"
-#include "shared.hh"
-#include "eval-cache.hh"
-#include "url.hh"
-#include "registry.hh"
-#include "build-result.hh"
+#include "nix/store/globals.hh"
+#include "nix/cmd/installable-value.hh"
+#include "nix/store/outputs-spec.hh"
+#include "nix/cmd/command.hh"
+#include "nix/expr/attr-path.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/store/derivations.hh"
+#include "nix/expr/eval-inline.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/get-drvs.hh"
+#include "nix/store/store-api.hh"
+#include "nix/main/shared.hh"
+#include "nix/expr/eval-cache.hh"
+#include "nix/util/url.hh"
+#include "nix/fetchers/registry.hh"
+#include "nix/store/build-result.hh"
 
 #include <regex>
 #include <queue>

src/libcmd/include/nix/cmd/installable-derived-path.hh

@@ -1,7 +1,7 @@
 #pragma once
 ///@file
 
-#include "installables.hh"
+#include "nix/cmd/installables.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/installable-flake.hh

@@ -1,8 +1,8 @@
 #pragma once
 ///@file
 
-#include "common-eval-args.hh"
-#include "installable-value.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/cmd/installable-value.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/installable-value.hh

@@ -1,8 +1,8 @@
 #pragma once
 ///@file
 
-#include "installables.hh"
-#include "flake/flake.hh"
+#include "nix/cmd/installables.hh"
+#include "nix/flake/flake.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/installables.hh

@@ -1,12 +1,12 @@
 #pragma once
 ///@file
 
-#include "path.hh"
-#include "outputs-spec.hh"
-#include "derived-path.hh"
-#include "built-path.hh"
-#include "store-api.hh"
-#include "build-result.hh"
+#include "nix/store/path.hh"
+#include "nix/store/outputs-spec.hh"
+#include "nix/store/derived-path.hh"
+#include "nix/cmd/built-path.hh"
+#include "nix/store/store-api.hh"
+#include "nix/store/build-result.hh"
 
 #include <optional>
 

src/libcmd/include/nix/cmd/meson.build

@@ -0,0 +1,23 @@
+# Public headers directory
+
+include_dirs = [include_directories('../..')]
+
+headers = files(
+  'built-path.hh',
+  'command-installable-value.hh',
+  'command.hh',
+  'common-eval-args.hh',
+  'compatibility-settings.hh',
+  'editor-for.hh',
+  'installable-attr-path.hh',
+  'installable-derived-path.hh',
+  'installable-flake.hh',
+  'installable-value.hh',
+  'installables.hh',
+  'legacy.hh',
+  'markdown.hh',
+  'misc-store-flags.hh',
+  'network-proxy.hh',
+  'repl-interacter.hh',
+  'repl.hh',
+)

src/libcmd/include/nix/cmd/misc-store-flags.hh

@@ -1,5 +1,5 @@
-#include "args.hh"
-#include "content-address.hh"
+#include "nix/util/args.hh"
+#include "nix/store/content-address.hh"
 
 namespace nix::flag {
 

src/libcmd/include/nix/cmd/network-proxy.hh

@@ -1,7 +1,7 @@
 #pragma once
 ///@file
 
-#include "types.hh"
+#include "nix/util/types.hh"
 
 namespace nix {
 

src/libcmd/include/nix/cmd/repl-interacter.hh

@@ -1,8 +1,8 @@
 #pragma once
 /// @file
 
-#include "finally.hh"
-#include "types.hh"
+#include "nix/util/finally.hh"
+#include "nix/util/types.hh"
 #include <functional>
 #include <string>
 

src/libcmd/include/nix/cmd/repl.hh

@@ -1,7 +1,7 @@
 #pragma once
 ///@file
 
-#include "eval.hh"
+#include "nix/expr/eval.hh"
 
 namespace nix {
 

src/libcmd/installable-attr-path.cc

@@ -1,21 +1,21 @@
-#include "globals.hh"
-#include "installable-attr-path.hh"
-#include "outputs-spec.hh"
-#include "util.hh"
-#include "command.hh"
-#include "attr-path.hh"
-#include "common-eval-args.hh"
-#include "derivations.hh"
-#include "eval-inline.hh"
-#include "eval.hh"
-#include "get-drvs.hh"
-#include "store-api.hh"
-#include "shared.hh"
-#include "flake/flake.hh"
-#include "eval-cache.hh"
-#include "url.hh"
-#include "registry.hh"
-#include "build-result.hh"
+#include "nix/store/globals.hh"
+#include "nix/cmd/installable-attr-path.hh"
+#include "nix/store/outputs-spec.hh"
+#include "nix/util/util.hh"
+#include "nix/cmd/command.hh"
+#include "nix/expr/attr-path.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/store/derivations.hh"
+#include "nix/expr/eval-inline.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/get-drvs.hh"
+#include "nix/store/store-api.hh"
+#include "nix/main/shared.hh"
+#include "nix/flake/flake.hh"
+#include "nix/expr/eval-cache.hh"
+#include "nix/util/url.hh"
+#include "nix/fetchers/registry.hh"
+#include "nix/store/build-result.hh"
 
 #include <regex>
 #include <queue>

src/libcmd/installable-derived-path.cc

@@ -1,5 +1,5 @@
-#include "installable-derived-path.hh"
-#include "derivations.hh"
+#include "nix/cmd/installable-derived-path.hh"
+#include "nix/store/derivations.hh"
 
 namespace nix {
 

src/libcmd/installable-flake.cc

@@ -1,22 +1,22 @@
-#include "globals.hh"
-#include "installable-flake.hh"
-#include "installable-derived-path.hh"
-#include "outputs-spec.hh"
-#include "util.hh"
-#include "command.hh"
-#include "attr-path.hh"
-#include "common-eval-args.hh"
-#include "derivations.hh"
-#include "eval-inline.hh"
-#include "eval.hh"
-#include "get-drvs.hh"
-#include "store-api.hh"
-#include "shared.hh"
-#include "flake/flake.hh"
-#include "eval-cache.hh"
-#include "url.hh"
-#include "registry.hh"
-#include "build-result.hh"
+#include "nix/store/globals.hh"
+#include "nix/cmd/installable-flake.hh"
+#include "nix/cmd/installable-derived-path.hh"
+#include "nix/store/outputs-spec.hh"
+#include "nix/util/util.hh"
+#include "nix/cmd/command.hh"
+#include "nix/expr/attr-path.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/store/derivations.hh"
+#include "nix/expr/eval-inline.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/get-drvs.hh"
+#include "nix/store/store-api.hh"
+#include "nix/main/shared.hh"
+#include "nix/flake/flake.hh"
+#include "nix/expr/eval-cache.hh"
+#include "nix/util/url.hh"
+#include "nix/fetchers/registry.hh"
+#include "nix/store/build-result.hh"
 
 #include <regex>
 #include <queue>

src/libcmd/installable-value.cc

@@ -1,6 +1,6 @@
-#include "installable-value.hh"
-#include "eval-cache.hh"
-#include "fetch-to-store.hh"
+#include "nix/cmd/installable-value.hh"
+#include "nix/expr/eval-cache.hh"
+#include "nix/fetchers/fetch-to-store.hh"
 
 namespace nix {
 

src/libcmd/installables.cc

@@ -1,33 +1,33 @@
-#include "globals.hh"
-#include "installables.hh"
-#include "installable-derived-path.hh"
-#include "installable-attr-path.hh"
-#include "installable-flake.hh"
-#include "outputs-spec.hh"
-#include "users.hh"
-#include "util.hh"
-#include "command.hh"
-#include "attr-path.hh"
-#include "common-eval-args.hh"
-#include "derivations.hh"
-#include "eval-inline.hh"
-#include "eval.hh"
-#include "eval-settings.hh"
-#include "get-drvs.hh"
-#include "store-api.hh"
-#include "shared.hh"
-#include "flake/flake.hh"
-#include "eval-cache.hh"
-#include "url.hh"
-#include "registry.hh"
-#include "build-result.hh"
+#include "nix/store/globals.hh"
+#include "nix/cmd/installables.hh"
+#include "nix/cmd/installable-derived-path.hh"
+#include "nix/cmd/installable-attr-path.hh"
+#include "nix/cmd/installable-flake.hh"
+#include "nix/store/outputs-spec.hh"
+#include "nix/util/users.hh"
+#include "nix/util/util.hh"
+#include "nix/cmd/command.hh"
+#include "nix/expr/attr-path.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/store/derivations.hh"
+#include "nix/expr/eval-inline.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/eval-settings.hh"
+#include "nix/expr/get-drvs.hh"
+#include "nix/store/store-api.hh"
+#include "nix/main/shared.hh"
+#include "nix/flake/flake.hh"
+#include "nix/expr/eval-cache.hh"
+#include "nix/util/url.hh"
+#include "nix/fetchers/registry.hh"
+#include "nix/store/build-result.hh"
 
 #include <regex>
 #include <queue>
 
 #include <nlohmann/json.hpp>
 
-#include "strings-inline.hh"
+#include "nix/util/strings-inline.hh"
 
 namespace nix {
 
@@ -40,7 +40,7 @@ void completeFlakeInputAttrPath(
     std::string_view prefix)
 {
     for (auto & flakeRef : flakeRefs) {
-        auto flake = flake::getFlake(*evalState, flakeRef, true);
+        auto flake = flake::getFlake(*evalState, flakeRef, fetchers::UseRegistries::All);
         for (auto & input : flake.inputs)
             if (hasPrefix(input.first, prefix))
                 completions.add(input.first);
@@ -64,21 +64,21 @@ MixFlakeOptions::MixFlakeOptions()
         .handler = {[&]() {
             lockFlags.recreateLockFile = true;
             warn("'--recreate-lock-file' is deprecated and will be removed in a future version; use 'nix flake update' instead.");
-        }}
+        }},
     });
 
     addFlag({
         .longName = "no-update-lock-file",
         .description = "Do not allow any updates to the flake's lock file.",
         .category = category,
-        .handler = {&lockFlags.updateLockFile, false}
+        .handler = {&lockFlags.updateLockFile, false},
     });
 
     addFlag({
         .longName = "no-write-lock-file",
         .description = "Do not write the flake's newly generated lock file.",
         .category = category,
-        .handler = {&lockFlags.writeLockFile, false}
+        .handler = {&lockFlags.writeLockFile, false},
     });
 
     addFlag({
@@ -94,14 +94,14 @@ MixFlakeOptions::MixFlakeOptions()
         .handler = {[&]() {
             lockFlags.useRegistries = false;
             warn("'--no-registries' is deprecated; use '--no-use-registries'");
-        }}
+        }},
     });
 
     addFlag({
         .longName = "commit-lock-file",
         .description = "Commit changes to the flake's lock file.",
         .category = category,
-        .handler = {&lockFlags.commitLockFile, true}
+        .handler = {&lockFlags.commitLockFile, true},
     });
 
     addFlag({
@@ -121,7 +121,7 @@ MixFlakeOptions::MixFlakeOptions()
         }},
         .completer = {[&](AddCompletions & completions, size_t, std::string_view prefix) {
             completeFlakeInputAttrPath(completions, getEvalState(), getFlakeRefsForCompletion(), prefix);
-        }}
+        }},
     });
 
     addFlag({
@@ -141,7 +141,7 @@ MixFlakeOptions::MixFlakeOptions()
             } else if (n == 1) {
                 completeFlakeRef(completions, getEvalState()->store, prefix);
             }
-        }}
+        }},
     });
 
     addFlag({
@@ -152,7 +152,7 @@ MixFlakeOptions::MixFlakeOptions()
         .handler = {[&](std::string lockFilePath) {
             lockFlags.referenceLockFilePath = {getFSSourceAccessor(), CanonPath(absPath(lockFilePath))};
         }},
-        .completer = completePath
+        .completer = completePath,
     });
 
     addFlag({
@@ -163,7 +163,7 @@ MixFlakeOptions::MixFlakeOptions()
         .handler = {[&](std::string lockFilePath) {
             lockFlags.outputLockFilePath = lockFilePath;
         }},
-        .completer = completePath
+        .completer = completePath,
     });
 
     addFlag({
@@ -190,7 +190,7 @@ MixFlakeOptions::MixFlakeOptions()
         }},
         .completer = {[&](AddCompletions & completions, size_t, std::string_view prefix) {
             completeFlakeRef(completions, getEvalState()->store, prefix);
-        }}
+        }},
     });
 }
 
@@ -206,7 +206,7 @@ SourceExprCommand::SourceExprCommand()
         .category = installablesCategory,
         .labels = {"file"},
         .handler = {&file},
-        .completer = completePath
+        .completer = completePath,
     });
 
     addFlag({
@@ -214,7 +214,7 @@ SourceExprCommand::SourceExprCommand()
         .description = "Interpret [*installables*](@docroot@/command-ref/new-cli/nix.md#installables) as attribute paths relative to the Nix expression *expr*.",
         .category = installablesCategory,
         .labels = {"expr"},
-        .handler = {&expr}
+        .handler = {&expr},
     });
 }
 
@@ -834,7 +834,7 @@ RawInstallablesCommand::RawInstallablesCommand()
     addFlag({
         .longName = "stdin",
         .description = "Read installables from the standard input. No default installable applied.",
-        .handler = {&readFromStdIn, true}
+        .handler = {&readFromStdIn, true},
     });
 
     expectArgs({

src/libcmd/legacy.cc

@@ -1,4 +1,4 @@
-#include "legacy.hh"
+#include "nix/cmd/legacy.hh"
 
 namespace nix {
 

src/libcmd/markdown.cc

@@ -1,8 +1,10 @@
-#include "markdown.hh"
-#include "environment-variables.hh"
-#include "error.hh"
-#include "finally.hh"
-#include "terminal.hh"
+#include "nix/cmd/markdown.hh"
+#include "nix/util/environment-variables.hh"
+#include "nix/util/error.hh"
+#include "nix/util/finally.hh"
+#include "nix/util/terminal.hh"
+
+#include "cmd-config-private.hh"
 
 #if HAVE_LOWDOWN
 #  include <sys/queue.h>

src/libcmd/meson.build

@@ -44,30 +44,18 @@ if readline_flavor == 'editline'
 elif readline_flavor == 'readline'
   readline = dependency('readline')
   deps_private += readline
-  configdata.set(
-    'USE_READLINE',
-    1,
-    description: 'Use readline instead of editline',
-  )
 else
   error('illegal editline flavor', readline_flavor)
 endif
-
-config_h = configure_file(
-  configuration : configdata,
-  output : 'config-cmd.hh',
+configdata.set(
+  'USE_READLINE',
+  (readline_flavor == 'readline').to_int(),
+  description: 'Use readline instead of editline',
 )
 
-add_project_arguments(
-  # TODO(Qyriad): Yes this is how the autoconf+Make system did it.
-  # It would be nice for our headers to be idempotent instead.
-  '-include', 'config-util.hh',
-  '-include', 'config-store.hh',
-  # '-include', 'config-fetchers.h',
-  '-include', 'config-expr.hh',
-  '-include', 'config-main.hh',
-  '-include', 'config-cmd.hh',
-  language : 'cpp',
+config_priv_h = configure_file(
+  configuration : configdata,
+  output : 'cmd-config-private.hh',
 )
 
 subdir('nix-meson-build-support/common')
@@ -91,37 +79,23 @@ sources = files(
   'repl.cc',
 )
 
-include_dirs = [include_directories('.')]
+subdir('include/nix/cmd')
 
-headers = [config_h] + files(
-  'built-path.hh',
-  'command-installable-value.hh',
-  'command.hh',
-  'common-eval-args.hh',
-  'compatibility-settings.hh',
-  'editor-for.hh',
-  'installable-attr-path.hh',
-  'installable-derived-path.hh',
-  'installable-flake.hh',
-  'installable-value.hh',
-  'installables.hh',
-  'legacy.hh',
-  'markdown.hh',
-  'misc-store-flags.hh',
-  'network-proxy.hh',
-  'repl-interacter.hh',
-  'repl.hh',
-)
+subdir('nix-meson-build-support/export-all-symbols')
+subdir('nix-meson-build-support/windows-version')
 
 this_library = library(
   'nixcmd',
   sources,
+  config_priv_h,
   dependencies : deps_public + deps_private + deps_other,
+  include_directories : include_dirs,
+  link_args: linker_export_flags,
   prelink : true, # For C++ static initializers
   install : true,
 )
 
-install_headers(headers, subdir : 'nix', preserve_path : true)
+install_headers(headers, subdir : 'nix/cmd', preserve_path : true)
 
 libraries_private = []
 

src/libcmd/misc-store-flags.cc

@@ -1,4 +1,4 @@
-#include "misc-store-flags.hh"
+#include "nix/cmd/misc-store-flags.hh"
 
 namespace nix::flag
 {

src/libcmd/network-proxy.cc

@@ -1,8 +1,8 @@
-#include "network-proxy.hh"
+#include "nix/cmd/network-proxy.hh"
 
 #include <algorithm>
 
-#include "environment-variables.hh"
+#include "nix/util/environment-variables.hh"
 
 namespace nix {
 

src/libcmd/package.nix

@@ -46,6 +46,7 @@ mkMesonLibrary (finalAttrs: {
     ./.version
     ./meson.build
     ./meson.options
+    ./include/nix/cmd/meson.build
     (fileset.fileFilter (file: file.hasExt "cc") ./.)
     (fileset.fileFilter (file: file.hasExt "hh") ./.)
   ];

src/libcmd/repl-interacter.cc

@@ -1,6 +1,8 @@
+#include "cmd-config-private.hh"
+
 #include <cstdio>
 
-#ifdef USE_READLINE
+#if USE_READLINE
 #include <readline/history.h>
 #include <readline/readline.h>
 #else
@@ -14,12 +16,12 @@ extern "C" {
 }
 #endif
 
-#include "signals.hh"
-#include "finally.hh"
-#include "repl-interacter.hh"
-#include "file-system.hh"
-#include "repl.hh"
-#include "environment-variables.hh"
+#include "nix/util/signals.hh"
+#include "nix/util/finally.hh"
+#include "nix/cmd/repl-interacter.hh"
+#include "nix/util/file-system.hh"
+#include "nix/cmd/repl.hh"
+#include "nix/util/environment-variables.hh"
 
 namespace nix {
 
@@ -35,7 +37,7 @@ void sigintHandler(int signo)
 
 static detail::ReplCompleterMixin * curRepl; // ugly
 
-#ifndef USE_READLINE
+#if !USE_READLINE
 static char * completionCallback(char * s, int * match)
 {
     auto possible = curRepl->completePrefix(s);
@@ -113,14 +115,14 @@ ReadlineLikeInteracter::Guard ReadlineLikeInteracter::init(detail::ReplCompleter
     } catch (SystemError & e) {
         logWarning(e.info());
     }
-#ifndef USE_READLINE
+#if !USE_READLINE
     el_hist_size = 1000;
 #endif
     read_history(historyFile.c_str());
     auto oldRepl = curRepl;
     curRepl = repl;
     Guard restoreRepl([oldRepl] { curRepl = oldRepl; });
-#ifndef USE_READLINE
+#if !USE_READLINE
     rl_set_complete_func(completionCallback);
     rl_set_list_possib_func(listPossibleCallback);
 #endif
@@ -183,7 +185,7 @@ bool ReadlineLikeInteracter::getLine(std::string & input, ReplPromptType promptT
     // quite useful for reading the test output, so we add it here.
     if (auto e = getEnv("_NIX_TEST_REPL_ECHO"); s && e && *e == "1")
     {
-#ifndef USE_READLINE
+#if !USE_READLINE
         // This is probably not right for multi-line input, but we don't use that
         // in the characterisation tests, so it's fine.
         std::cout << promptForType(promptType) << s << std::endl;

src/libcmd/repl.cc

@@ -2,34 +2,34 @@
 #include <cstdlib>
 #include <cstring>
 
-#include "error.hh"
-#include "repl-interacter.hh"
-#include "repl.hh"
+#include "nix/util/error.hh"
+#include "nix/cmd/repl-interacter.hh"
+#include "nix/cmd/repl.hh"
 
-#include "ansicolor.hh"
-#include "shared.hh"
-#include "eval.hh"
-#include "eval-settings.hh"
-#include "attr-path.hh"
-#include "signals.hh"
-#include "store-api.hh"
-#include "log-store.hh"
-#include "common-eval-args.hh"
-#include "get-drvs.hh"
-#include "derivations.hh"
-#include "globals.hh"
-#include "flake/flake.hh"
-#include "flake/lockfile.hh"
-#include "users.hh"
-#include "editor-for.hh"
-#include "finally.hh"
-#include "markdown.hh"
-#include "local-fs-store.hh"
-#include "print.hh"
-#include "ref.hh"
-#include "value.hh"
+#include "nix/util/ansicolor.hh"
+#include "nix/main/shared.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/eval-settings.hh"
+#include "nix/expr/attr-path.hh"
+#include "nix/util/signals.hh"
+#include "nix/store/store-api.hh"
+#include "nix/store/log-store.hh"
+#include "nix/cmd/common-eval-args.hh"
+#include "nix/expr/get-drvs.hh"
+#include "nix/store/derivations.hh"
+#include "nix/store/globals.hh"
+#include "nix/flake/flake.hh"
+#include "nix/flake/lockfile.hh"
+#include "nix/util/users.hh"
+#include "nix/cmd/editor-for.hh"
+#include "nix/util/finally.hh"
+#include "nix/cmd/markdown.hh"
+#include "nix/store/local-fs-store.hh"
+#include "nix/expr/print.hh"
+#include "nix/util/ref.hh"
+#include "nix/expr/value.hh"
 
-#include "strings.hh"
+#include "nix/util/strings.hh"
 
 namespace nix {
 
@@ -61,7 +61,10 @@ struct NixRepl
 {
     size_t debugTraceIndex;
 
+    // Arguments passed to :load, saved so they can be reloaded with :reload
     Strings loadedFiles;
+    // Arguments passed to :load-flake, saved so they can be reloaded with :reload
+    Strings loadedFlakes;
     std::function<AnnotatedValues()> getValues;
 
     const static int envSize = 32768;
@@ -90,7 +93,8 @@ struct NixRepl
     void loadFile(const Path & path);
     void loadFlake(const std::string & flakeRef);
     void loadFiles();
-    void reloadFiles();
+    void loadFlakes();
+    void reloadFilesAndFlakes();
     void addAttrsToScope(Value & attrs);
     void addVarToScope(const Symbol name, Value & v);
     Expr * parseString(std::string s);
@@ -102,8 +106,7 @@ struct NixRepl
                               unsigned int maxDepth = std::numeric_limits<unsigned int>::max())
     {
         // Hide the progress bar during printing because it might interfere
-        logger->pause();
-        Finally resumeLoggerDefer([]() { logger->resume(); });
+        auto suspension = logger->suspend();
         ::nix::printValue(*state, str, v, PrintOptions {
             .ansiColors = true,
             .force = true,
@@ -125,7 +128,7 @@ std::string removeWhitespace(std::string s)
 
 
 NixRepl::NixRepl(const LookupPath & lookupPath, nix::ref<Store> store, ref<EvalState> state,
-            std::function<NixRepl::AnnotatedValues()> getValues, RunNix * runNix = nullptr)
+            std::function<NixRepl::AnnotatedValues()> getValues, RunNix * runNix)
     : AbstractNixRepl(state)
     , debugTraceIndex(0)
     , getValues(getValues)
@@ -141,16 +144,13 @@ static std::ostream & showDebugTrace(std::ostream & out, const PosTable & positi
         out << ANSI_RED "error: " << ANSI_NORMAL;
     out << dt.hint.str() << "\n";
 
-    // prefer direct pos, but if noPos then try the expr.
-    auto pos = dt.pos
-        ? dt.pos
-        : positions[dt.expr.getPos() ? dt.expr.getPos() : noPos];
+    auto pos = dt.getPos(positions);
 
     if (pos) {
-        out << *pos;
-        if (auto loc = pos->getCodeLines()) {
+        out << pos;
+        if (auto loc = pos.getCodeLines()) {
             out << "\n";
-            printCodeLines(out, "", *pos, *loc);
+            printCodeLines(out, "", pos, *loc);
             out << "\n";
         }
     }
@@ -180,18 +180,20 @@ ReplExitStatus NixRepl::mainLoop()
 
     while (true) {
         // Hide the progress bar while waiting for user input, so that it won't interfere.
-        logger->pause();
-        // When continuing input from previous lines, don't print a prompt, just align to the same
-        // number of chars as the prompt.
-        if (!interacter->getLine(input, input.empty() ? ReplPromptType::ReplPrompt : ReplPromptType::ContinuationPrompt)) {
-            // Ctrl-D should exit the debugger.
-            state->debugStop = false;
-            logger->cout("");
-            // TODO: Should Ctrl-D exit just the current debugger session or
-            // the entire program?
-            return ReplExitStatus::QuitAll;
+        {
+            auto suspension = logger->suspend();
+            // When continuing input from previous lines, don't print a prompt, just align to the same
+            // number of chars as the prompt.
+            if (!interacter->getLine(input, input.empty() ? ReplPromptType::ReplPrompt : ReplPromptType::ContinuationPrompt)) {
+                // Ctrl-D should exit the debugger.
+                state->debugStop = false;
+                logger->cout("");
+                // TODO: Should Ctrl-D exit just the current debugger session or
+                // the entire program?
+                return ReplExitStatus::QuitAll;
+            }
+            // `suspension` resumes the logger
         }
-        logger->resume();
         try {
             switch (processLine(input)) {
                 case ProcessLineResult::Quit:
@@ -246,14 +248,13 @@ StringSet NixRepl::completePrefix(const std::string & prefix)
         try {
             auto dir = std::string(cur, 0, slash);
             auto prefix2 = std::string(cur, slash + 1);
-            for (auto & entry : std::filesystem::directory_iterator{dir == "" ? "/" : dir}) {
+            for (auto & entry : DirectoryIterator{dir == "" ? "/" : dir}) {
                 checkInterrupt();
                 auto name = entry.path().filename().string();
                 if (name[0] != '.' && hasPrefix(name, prefix2))
                     completions.insert(prev + entry.path().string());
             }
         } catch (Error &) {
-        } catch (std::filesystem::filesystem_error &) {
         }
     } else if ((dot = cur.rfind('.')) == std::string::npos) {
         /* This is a variable name; look it up in the current scope. */
@@ -469,7 +470,7 @@ ProcessLineResult NixRepl::processLine(std::string line)
 
     else if (command == ":r" || command == ":reload") {
         state->resetFileCache();
-        reloadFiles();
+        reloadFilesAndFlakes();
     }
 
     else if (command == ":e" || command == ":edit") {
@@ -504,7 +505,7 @@ ProcessLineResult NixRepl::processLine(std::string line)
 
         // Reload right after exiting the editor
         state->resetFileCache();
-        reloadFiles();
+        reloadFilesAndFlakes();
     }
 
     else if (command == ":t") {
@@ -586,6 +587,7 @@ ProcessLineResult NixRepl::processLine(std::string line)
     else if (command == ":p" || command == ":print") {
         Value v;
         evalString(arg, v);
+        auto suspension = logger->suspend();
         if (v.type() == nString) {
             std::cout << v.string_view();
         } else {
@@ -694,6 +696,7 @@ ProcessLineResult NixRepl::processLine(std::string line)
         } else {
             Value v;
             evalString(line, v);
+            auto suspension = logger->suspend();
             printValue(std::cout, v, 1);
             std::cout << std::endl;
         }
@@ -717,6 +720,9 @@ void NixRepl::loadFlake(const std::string & flakeRefS)
     if (flakeRefS.empty())
         throw Error("cannot use ':load-flake' without a path specified. (Use '.' for the current working directory.)");
 
+    loadedFlakes.remove(flakeRefS);
+    loadedFlakes.push_back(flakeRefS);
+
     std::filesystem::path cwd;
     try {
         cwd = std::filesystem::current_path();
@@ -755,11 +761,12 @@ void NixRepl::initEnv()
 }
 
 
-void NixRepl::reloadFiles()
+void NixRepl::reloadFilesAndFlakes()
 {
     initEnv();
 
     loadFiles();
+    loadFlakes();
 }
 
 
@@ -780,6 +787,18 @@ void NixRepl::loadFiles()
 }
 
 
+void NixRepl::loadFlakes()
+{
+    Strings old = loadedFlakes;
+    loadedFlakes.clear();
+
+    for (auto & i : old) {
+        notice("Loading flake '%1%'...", i);
+        loadFlake(i);
+    }
+}
+
+
 void NixRepl::addAttrsToScope(Value & attrs)
 {
     state->forceAttrs(attrs, [&]() { return attrs.determinePos(noPos); }, "while evaluating an attribute set to be merged in the global scope");
@@ -839,9 +858,10 @@ std::unique_ptr<AbstractNixRepl> AbstractNixRepl::create(
 {
     return std::make_unique<NixRepl>(
         lookupPath,
-        openStore(),
+        std::move(store),
         state,
-        getValues
+        getValues,
+        runNix
     );
 }
 
@@ -859,7 +879,8 @@ ReplExitStatus AbstractNixRepl::runSimple(
             lookupPath,
             openStore(),
             evalState,
-            getValues
+            getValues,
+            /*runNix=*/nullptr
         );
 
     repl->initEnv();

src/libexpr-c/meson.build

@@ -14,8 +14,6 @@ cxx = meson.get_compiler('cpp')
 
 subdir('nix-meson-build-support/deps-lists')
 
-configdata = configuration_data()
-
 deps_private_maybe_subproject = [
   dependency('nix-util'),
   dependency('nix-store'),
@@ -27,30 +25,6 @@ deps_public_maybe_subproject = [
 ]
 subdir('nix-meson-build-support/subprojects')
 
-# TODO rename, because it will conflict with downstream projects
-configdata.set_quoted('PACKAGE_VERSION', meson.project_version())
-
-config_h = configure_file(
-  configuration : configdata,
-  output : 'config-expr.h',
-)
-
-add_project_arguments(
-  # TODO(Qyriad): Yes this is how the autoconf+Make system did it.
-  # It would be nice for our headers to be idempotent instead.
-
-  # From C++ libraries, only for internals
-  '-include', 'config-util.hh',
-  '-include', 'config-store.hh',
-  '-include', 'config-expr.hh',
-
-  # From C libraries, for our public, installed headers too
-  '-include', 'config-util.h',
-  '-include', 'config-store.h',
-  '-include', 'config-expr.h',
-  language : 'cpp',
-)
-
 subdir('nix-meson-build-support/common')
 
 sources = files(
@@ -61,7 +35,7 @@ sources = files(
 
 include_dirs = [include_directories('.')]
 
-headers = [config_h] + files(
+headers = files(
   'nix_api_expr.h',
   'nix_api_external.h',
   'nix_api_value.h',
@@ -83,7 +57,7 @@ this_library = library(
   install : true,
 )
 
-install_headers(headers, subdir : 'nix', preserve_path : true)
+install_headers(headers, preserve_path : true)
 
 libraries_private = []
 

src/libexpr-c/nix_api_expr.cc

@@ -2,11 +2,11 @@
 #include <stdexcept>
 #include <string>
 
-#include "eval.hh"
-#include "eval-gc.hh"
-#include "globals.hh"
-#include "eval-settings.hh"
-#include "ref.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/eval-gc.hh"
+#include "nix/store/globals.hh"
+#include "nix/expr/eval-settings.hh"
+#include "nix/util/ref.hh"
 
 #include "nix_api_expr.h"
 #include "nix_api_expr_internal.h"
@@ -15,7 +15,7 @@
 #include "nix_api_util.h"
 #include "nix_api_util_internal.h"
 
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
 #  include <mutex>
 #endif
 
@@ -207,7 +207,7 @@ void nix_state_free(EvalState * state)
     delete state;
 }
 
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
 std::unordered_map<
     const void *,
     unsigned int,
@@ -283,7 +283,7 @@ nix_err nix_value_decref(nix_c_context * context, nix_value *x)
 
 void nix_gc_register_finalizer(void * obj, void * cd, void (*finalizer)(void * obj, void * cd))
 {
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
     GC_REGISTER_FINALIZER(obj, finalizer, cd, 0, 0);
 #endif
 }

src/libexpr-c/nix_api_expr_internal.h

@@ -1,12 +1,12 @@
 #ifndef NIX_API_EXPR_INTERNAL_H
 #define NIX_API_EXPR_INTERNAL_H
 
-#include "fetch-settings.hh"
-#include "eval.hh"
-#include "eval-settings.hh"
-#include "attr-set.hh"
+#include "nix/fetchers/fetch-settings.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/eval-settings.hh"
+#include "nix/expr/attr-set.hh"
 #include "nix_api_value.h"
-#include "search-path.hh"
+#include "nix/expr/search-path.hh"
 
 struct nix_eval_state_builder
 {

src/libexpr-c/nix_api_external.cc

@@ -1,8 +1,8 @@
-#include "attr-set.hh"
-#include "config.hh"
-#include "eval.hh"
-#include "globals.hh"
-#include "value.hh"
+#include "nix/expr/attr-set.hh"
+#include "nix/util/configuration.hh"
+#include "nix/expr/eval.hh"
+#include "nix/store/globals.hh"
+#include "nix/expr/value.hh"
 
 #include "nix_api_expr.h"
 #include "nix_api_expr_internal.h"
@@ -10,7 +10,7 @@
 #include "nix_api_util.h"
 #include "nix_api_util_internal.h"
 #include "nix_api_value.h"
-#include "value/context.hh"
+#include "nix/expr/value/context.hh"
 
 #include <nlohmann/json.hpp>
 
@@ -168,7 +168,7 @@ ExternalValue * nix_create_external_value(nix_c_context * context, NixCExternalV
         context->last_err_code = NIX_OK;
     try {
         auto ret = new
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
             (GC)
 #endif
                 NixCExternalValue(*desc, v);

src/libexpr-c/nix_api_external.h

@@ -12,9 +12,10 @@
 #include "nix_api_expr.h"
 #include "nix_api_util.h"
 #include "nix_api_value.h"
-#include "stdbool.h"
-#include "stddef.h"
-#include "stdint.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
 
 #ifdef __cplusplus
 extern "C" {

src/libexpr-c/nix_api_value.cc

@@ -1,10 +1,10 @@
-#include "attr-set.hh"
-#include "config.hh"
-#include "eval.hh"
-#include "globals.hh"
-#include "path.hh"
-#include "primops.hh"
-#include "value.hh"
+#include "nix/expr/attr-set.hh"
+#include "nix/util/configuration.hh"
+#include "nix/expr/eval.hh"
+#include "nix/store/globals.hh"
+#include "nix/store/path.hh"
+#include "nix/expr/primops.hh"
+#include "nix/expr/value.hh"
 
 #include "nix_api_expr.h"
 #include "nix_api_expr_internal.h"
@@ -12,7 +12,7 @@
 #include "nix_api_util_internal.h"
 #include "nix_api_store_internal.h"
 #include "nix_api_value.h"
-#include "value/context.hh"
+#include "nix/expr/value/context.hh"
 
 // Internal helper functions to check [in] and [out] `Value *` parameters
 static const nix::Value & check_value_not_null(const nix_value * value)
@@ -125,7 +125,7 @@ PrimOp * nix_alloc_primop(
     try {
         using namespace std::placeholders;
         auto p = new
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
             (GC)
 #endif
                 nix::PrimOp{
@@ -497,7 +497,7 @@ ListBuilder * nix_make_list_builder(nix_c_context * context, EvalState * state,
     try {
         auto builder = state->state.buildList(capacity);
         return new
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
             (NoGC)
 #endif
                 ListBuilder{std::move(builder)};
@@ -519,7 +519,7 @@ nix_list_builder_insert(nix_c_context * context, ListBuilder * list_builder, uns
 
 void nix_list_builder_free(ListBuilder * list_builder)
 {
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
     GC_FREE(list_builder);
 #else
     delete list_builder;
@@ -578,7 +578,7 @@ BindingsBuilder * nix_make_bindings_builder(nix_c_context * context, EvalState *
     try {
         auto bb = state->state.buildBindings(capacity);
         return new
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
             (NoGC)
 #endif
                 BindingsBuilder{std::move(bb)};
@@ -600,7 +600,7 @@ nix_err nix_bindings_builder_insert(nix_c_context * context, BindingsBuilder * b
 
 void nix_bindings_builder_free(BindingsBuilder * bb)
 {
-#if HAVE_BOEHMGC
+#if NIX_USE_BOEHMGC
     GC_FREE((nix::BindingsBuilder *) bb);
 #else
     delete (nix::BindingsBuilder *) bb;

src/libexpr-c/nix_api_value.h

@@ -10,9 +10,10 @@
 
 #include "nix_api_util.h"
 #include "nix_api_store.h"
-#include "stdbool.h"
-#include "stddef.h"
-#include "stdint.h"
+
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
 
 #ifdef __cplusplus
 extern "C" {

src/libexpr-test-support/include/nix/expr/tests/libexpr.hh

@@ -4,16 +4,16 @@
 #include <gtest/gtest.h>
 #include <gmock/gmock.h>
 
-#include "fetch-settings.hh"
-#include "value.hh"
-#include "nixexpr.hh"
-#include "nixexpr.hh"
-#include "eval.hh"
-#include "eval-gc.hh"
-#include "eval-inline.hh"
-#include "eval-settings.hh"
+#include "nix/fetchers/fetch-settings.hh"
+#include "nix/expr/value.hh"
+#include "nix/expr/nixexpr.hh"
+#include "nix/expr/nixexpr.hh"
+#include "nix/expr/eval.hh"
+#include "nix/expr/eval-gc.hh"
+#include "nix/expr/eval-inline.hh"
+#include "nix/expr/eval-settings.hh"
 
-#include "tests/libstore.hh"
+#include "nix/store/tests/libstore.hh"
 
 namespace nix {
     class LibExprTest : public LibStoreTest {

src/libexpr-test-support/include/nix/expr/tests/meson.build

@@ -0,0 +1,9 @@
+# Public headers directory
+
+include_dirs = [include_directories('../../..')]
+
+headers = files(
+  'libexpr.hh',
+  'nix_api_expr.hh',
+  'value/context.hh',
+)

src/libexpr-test-support/include/nix/expr/tests/nix_api_expr.hh

@@ -2,7 +2,7 @@
 ///@file
 #include "nix_api_expr.h"
 #include "nix_api_value.h"
-#include "tests/nix_api_store.hh"
+#include "nix/store/tests/nix_api_store.hh"
 
 #include <gtest/gtest.h>
 

src/libexpr-test-support/include/nix/expr/tests/value/context.hh

@@ -3,7 +3,7 @@
 
 #include <rapidcheck/gen/Arbitrary.h>
 
-#include "value/context.hh"
+#include "nix/expr/value/context.hh"
 
 namespace rc {
 using namespace nix;

src/libexpr-test-support/meson.build

@@ -29,28 +29,13 @@ subdir('nix-meson-build-support/subprojects')
 rapidcheck = dependency('rapidcheck')
 deps_public += rapidcheck
 
-add_project_arguments(
-  # TODO(Qyriad): Yes this is how the autoconf+Make system did it.
-  # It would be nice for our headers to be idempotent instead.
-  '-include', 'config-util.hh',
-  '-include', 'config-store.hh',
-  '-include', 'config-expr.hh',
-  language : 'cpp',
-)
-
 subdir('nix-meson-build-support/common')
 
 sources = files(
   'tests/value/context.cc',
 )
 
-include_dirs = [include_directories('.')]
-
-headers = files(
-  'tests/libexpr.hh',
-  'tests/nix_api_expr.hh',
-  'tests/value/context.hh',
-)
+subdir('include/nix/expr/tests')
 
 subdir('nix-meson-build-support/export-all-symbols')
 subdir('nix-meson-build-support/windows-version')
@@ -67,7 +52,7 @@ this_library = library(
   install : true,
 )
 
-install_headers(headers, subdir : 'nix', preserve_path : true)
+install_headers(headers, subdir : 'nix/expr/tests', preserve_path : true)
 
 libraries_private = []
 

src/libexpr-test-support/package.nix

@@ -29,6 +29,7 @@ mkMesonLibrary (finalAttrs: {
     ./.version
     ./meson.build
     # ./meson.options
+    ./include/nix/expr/tests/meson.build
     (fileset.fileFilter (file: file.hasExt "cc") ./.)
     (fileset.fileFilter (file: file.hasExt "hh") ./.)
   ];

src/libexpr-test-support/tests/value/context.cc

@@ -1,30 +1,39 @@
 #include <rapidcheck.h>
 
-#include "tests/path.hh"
-#include "tests/value/context.hh"
+#include "nix/store/tests/path.hh"
+#include "nix/expr/tests/value/context.hh"
 
 namespace rc {
 using namespace nix;
 
 Gen<NixStringContextElem::DrvDeep> Arbitrary<NixStringContextElem::DrvDeep>::arbitrary()
 {
-    return gen::just(NixStringContextElem::DrvDeep {
-        .drvPath = *gen::arbitrary<StorePath>(),
+    return gen::map(gen::arbitrary<StorePath>(), [](StorePath drvPath) {
+        return NixStringContextElem::DrvDeep{
+            .drvPath = drvPath,
+        };
     });
 }
 
 Gen<NixStringContextElem> Arbitrary<NixStringContextElem>::arbitrary()
 {
-    switch (*gen::inRange<uint8_t>(0, std::variant_size_v<NixStringContextElem::Raw>)) {
-    case 0:
-        return gen::just<NixStringContextElem>(*gen::arbitrary<NixStringContextElem::Opaque>());
-    case 1:
-        return gen::just<NixStringContextElem>(*gen::arbitrary<NixStringContextElem::DrvDeep>());
-    case 2:
-        return gen::just<NixStringContextElem>(*gen::arbitrary<NixStringContextElem::Built>());
-    default:
-        assert(false);
-    }
+    return gen::mapcat(
+        gen::inRange<uint8_t>(0, std::variant_size_v<NixStringContextElem::Raw>),
+        [](uint8_t n) -> Gen<NixStringContextElem> {
+            switch (n) {
+            case 0:
+                return gen::map(
+                    gen::arbitrary<NixStringContextElem::Opaque>(), [](NixStringContextElem a) { return a; });
+            case 1:
+                return gen::map(
+                    gen::arbitrary<NixStringContextElem::DrvDeep>(), [](NixStringContextElem a) { return a; });
+            case 2:
+                return gen::map(
+                    gen::arbitrary<NixStringContextElem::Built>(), [](NixStringContextElem a) { return a; });
+            default:
+                assert(false);
+            }
+        });
 }
 
 }

src/libexpr-tests/derived-path.cc

@@ -2,8 +2,8 @@
 #include <gtest/gtest.h>
 #include <rapidcheck/gtest.h>
 
-#include "tests/derived-path.hh"
-#include "tests/libexpr.hh"
+#include "nix/store/tests/derived-path.hh"
+#include "nix/expr/tests/libexpr.hh"
 
 namespace nix {
 
@@ -44,11 +44,11 @@ RC_GTEST_FIXTURE_PROP(
      * to worry about race conditions if the tests run concurrently.
      */
     ExperimentalFeatureSettings mockXpSettings;
-    mockXpSettings.set("experimental-features", "ca-derivations");
+    mockXpSettings.set("experimental-features", "ca-derivations dynamic-derivations");
 
     auto * v = state.allocValue();
     state.mkOutputString(*v, b, std::nullopt, mockXpSettings);
-    auto [d, _] = state.coerceToSingleDerivedPathUnchecked(noPos, *v, "");
+    auto [d, _] = state.coerceToSingleDerivedPathUnchecked(noPos, *v, "", mockXpSettings);
     RC_ASSERT(SingleDerivedPath { b } == d);
 }
 
@@ -57,9 +57,12 @@ RC_GTEST_FIXTURE_PROP(
     prop_derived_path_built_out_path_round_trip,
     (const SingleDerivedPath::Built & b, const StorePath & outPath))
 {
+    ExperimentalFeatureSettings mockXpSettings;
+    mockXpSettings.set("experimental-features", "dynamic-derivations");
+
     auto * v = state.allocValue();
-    state.mkOutputString(*v, b, outPath);
-    auto [d, _] = state.coerceToSingleDerivedPathUnchecked(noPos, *v, "");
+    state.mkOutputString(*v, b, outPath, mockXpSettings);
+    auto [d, _] = state.coerceToSingleDerivedPathUnchecked(noPos, *v, "", mockXpSettings);
     RC_ASSERT(SingleDerivedPath { b } == d);
 }