Add paths to the store asynchronously

Adding paths to the store can be slow due to I/O overhead, but
especially when going through the daemon because of the round-trip
latency of every wopAddToStore call.

So we now do the addToStore() calls asynchronously from a separate
thread from the evaluator. This slightly speeds up the local store,
and makes going through the daemon almost as fast as a local store.

.git-blame-ignore-revs

@@ -1,2 +1,6 @@
 # bulk initial re-formatting with clang-format
 e4f62e46088919428a68bd8014201dc8e379fed7 # !autorebase ./maintainers/format.sh --until-stable
+# meson re-formatting
+385e2c3542c707d95e3784f7f6d623f67e77ab61 # !autorebase ./maintainers/format.sh --until-stable
+# nixfmt 1.0.0
+1d943f581908f35075a84a3d89c2eba3ff35067f # !autorebase ./maintainers/format.sh --until-stable

.github/ISSUE_TEMPLATE/bug_report.md

@@ -45,7 +45,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open bug issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open bug issues and pull requests]: https://github.com/NixOS/nix/labels/bug
 

.github/ISSUE_TEMPLATE/feature_request.md

@@ -30,7 +30,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open feature issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open feature issues and pull requests]: https://github.com/NixOS/nix/labels/feature
 

.github/ISSUE_TEMPLATE/installer.md

@@ -38,7 +38,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open installer issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open installer issues and pull requests]: https://github.com/NixOS/nix/labels/installer
 

.github/ISSUE_TEMPLATE/missing_documentation.md

@@ -22,7 +22,7 @@ assignees: ''
 - [ ] checked [latest Nix manual] \([source])
 - [ ] checked [open documentation issues and pull requests] for possible duplicates
 
-[latest Nix manual]: https://nixos.org/manual/nix/unstable/
+[latest Nix manual]: https://nix.dev/manual/nix/development/
 [source]: https://github.com/NixOS/nix/tree/master/doc/manual/source
 [open documentation issues and pull requests]: https://github.com/NixOS/nix/labels/documentation
 

.github/actions/install-nix-action/action.yaml

@@ -9,7 +9,7 @@ inputs:
   install_url:
     description: "URL of the Nix installer"
     required: false
-    default: "https://releases.nixos.org/nix/nix-2.30.1/install"
+    default: "https://releases.nixos.org/nix/nix-2.30.2/install"
   github_token:
     description: "Github token"
     required: true
@@ -19,7 +19,7 @@ runs:
     - name: "Download nix install artifact from master"
       shell: bash
       id: download-nix-installer
-      if: ${{ inputs.dogfood }}
+      if: inputs.dogfood == 'true'
       run: |
         RUN_ID=$(gh run list --repo "$DOGFOOD_REPO" --workflow ci.yml --branch master --status success --json databaseId --jq ".[0].databaseId")
 
@@ -45,6 +45,6 @@ runs:
     - uses: cachix/install-nix-action@c134e4c9e34bac6cab09cf239815f9339aaaf84e # v31.5.1
       with:
         # Ternary operator in GHA: https://www.github.com/actions/runner/issues/409#issuecomment-752775072
-        install_url: ${{ inputs.dogfood && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
-        install_options: ${{ inputs.dogfood && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
+        install_url: ${{ inputs.dogfood == 'true' && format('{0}/install', steps.download-nix-installer.outputs.installer-path) || inputs.install_url }}
+        install_options: ${{ inputs.dogfood == 'true' && format('--tarball-url-prefix {0}', steps.download-nix-installer.outputs.installer-path) || '' }}
         extra_nix_config: ${{ inputs.extra_nix_config }}

.github/workflows/ci.yml

@@ -2,7 +2,15 @@ name: "CI"
 
 on:
   pull_request:
+  merge_group:
   push:
+  workflow_dispatch:
+    inputs:
+      dogfood:
+        description: 'Use dogfood Nix build'
+        required: false
+        default: true
+        type: boolean
 
 permissions: read-all
 
@@ -10,12 +18,12 @@ jobs:
   eval:
     runs-on: ubuntu-24.04
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
       with:
         fetch-depth: 0
     - uses: ./.github/actions/install-nix-action
       with:
-        dogfood: true
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
         extra_nix_config:
           experimental-features = nix-command flakes
         github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -29,36 +37,69 @@ jobs:
           - scenario: on ubuntu
             runs-on: ubuntu-24.04
             os: linux
+            instrumented: false
+            primary: true
+            stdenv: stdenv
           - scenario: on macos
             runs-on: macos-14
             os: darwin
+            instrumented: false
+            primary: true
+            stdenv: stdenv
+          - scenario: on ubuntu (with sanitizers / coverage)
+            runs-on: ubuntu-24.04
+            os: linux
+            instrumented: true
+            primary: false
+            stdenv: clangStdenv
     name: tests ${{ matrix.scenario }}
     runs-on: ${{ matrix.runs-on }}
     timeout-minutes: 60
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
       with:
         fetch-depth: 0
     - uses: ./.github/actions/install-nix-action
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
-        dogfood: true
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
         # The sandbox would otherwise be disabled by default on Darwin
-        extra_nix_config: |
-          sandbox = true
-          max-jobs = 1
+        extra_nix_config: "sandbox = true"
     - uses: DeterminateSystems/magic-nix-cache-action@main
     # Since ubuntu 22.30, unprivileged usernamespaces are no longer allowed to map to the root user:
     # https://ubuntu.com/blog/ubuntu-23-10-restricted-unprivileged-user-namespaces
     - run: sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
       if: matrix.os == 'linux'
-    - run: scripts/build-checks
-    - run: scripts/prepare-installer-for-github-actions
+    - name: Run component tests
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix componentTests -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}"
+    - name: Run flake checks and prepare the installer tarball
+      run: |
+        ci/gha/tests/build-checks
+        ci/gha/tests/prepare-installer-for-github-actions
+      if: ${{ matrix.primary }}
+    - name: Collect code coverage
+      run: |
+        nix build --file ci/gha/tests/wrapper.nix codeCoverage.coverageReports -L \
+          --arg withInstrumentation ${{ matrix.instrumented }} \
+          --argstr stdenv "${{ matrix.stdenv }}" \
+          --out-link coverage-reports
+        cat coverage-reports/index.txt >> $GITHUB_STEP_SUMMARY
+      if: ${{ matrix.instrumented }}
+    - name: Upload coverage reports
+      uses: actions/upload-artifact@v4
+      with:
+        name: coverage-reports
+        path: coverage-reports/
+      if: ${{ matrix.instrumented }}
     - name: Upload installer tarball
       uses: actions/upload-artifact@v4
       with:
         name: installer-${{matrix.os}}
         path: out/*
+      if: ${{ matrix.primary }}
 
   installer_test:
     needs: [tests]
@@ -75,19 +116,19 @@ jobs:
     name: installer test ${{ matrix.scenario }}
     runs-on: ${{ matrix.runs-on }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
     - name: Download installer tarball
-      uses: actions/download-artifact@v4
+      uses: actions/download-artifact@v5
       with:
         name: installer-${{matrix.os}}
         path: out
-    - name: Serving installer
-      id: serving_installer
-      run: ./scripts/serve-installer-for-github-actions
+    - name: Looking up the installer tarball URL
+      id: installer-tarball-url
+      run: echo "installer-url=file://$GITHUB_WORKSPACE/out" >> "$GITHUB_OUTPUT"
     - uses: cachix/install-nix-action@v31
       with:
-        install_url: 'http://localhost:8126/install'
-        install_options: "--tarball-url-prefix http://localhost:8126/"
+        install_url: ${{ format('{0}/install', steps.installer-tarball-url.outputs.installer-url) }}
+        install_options: ${{ format('--tarball-url-prefix {0}', steps.installer-tarball-url.outputs.installer-url) }}
     - run: sudo apt install fish zsh
       if: matrix.os == 'linux'
     - run: brew install fish
@@ -106,17 +147,17 @@ jobs:
   check_secrets:
     permissions:
       contents: none
-    name: Check Docker secrets present for installer tests
+    name: Check presence of secrets
     runs-on: ubuntu-24.04
     outputs:
       docker: ${{ steps.secret.outputs.docker }}
     steps:
-      - name: Check for secrets
+      - name: Check for DockerHub secrets
         id: secret
         env:
           _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
         run: |
-          echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
+          echo "docker=${{ env._DOCKER_SECRETS != '' }}" >> $GITHUB_OUTPUT
 
   docker_push_image:
     needs: [tests, vm_tests, check_secrets]
@@ -129,13 +170,7 @@ jobs:
       github.ref_name == 'master'
     runs-on: ubuntu-24.04
     steps:
-    - name: Check for secrets
-      id: secret
-      env:
-        _DOCKER_SECRETS: ${{ secrets.DOCKERHUB_USERNAME }}${{ secrets.DOCKERHUB_TOKEN }}
-      run: |
-        echo "::set-output name=docker::${{ env._DOCKER_SECRETS != '' }}"
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@v5
       with:
         fetch-depth: 0
     - uses: cachix/install-nix-action@v31
@@ -181,10 +216,10 @@ jobs:
   vm_tests:
     runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
       - uses: ./.github/actions/install-nix-action
         with:
-          dogfood: true
+          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
           extra_nix_config:
             experimental-features = nix-command flakes
           github_token: ${{ secrets.GITHUB_TOKEN }}
@@ -202,22 +237,45 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout nix
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
       - name: Checkout flake-regressions
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: NixOS/flake-regressions
           path: flake-regressions
       - name: Checkout flake-regressions-data
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           repository: NixOS/flake-regressions-data
           path: flake-regressions/tests
       - uses: ./.github/actions/install-nix-action
         with:
-          dogfood: true
+          dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
           extra_nix_config:
             experimental-features = nix-command flakes
           github_token: ${{ secrets.GITHUB_TOKEN }}
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: nix build -L --out-link ./new-nix && PATH=$(pwd)/new-nix/bin:$PATH MAX_FLAKES=25 flake-regressions/eval-all.sh
+
+  profile_build:
+    needs: tests
+    runs-on: ubuntu-24.04
+    timeout-minutes: 60
+    if: >-
+      github.event_name == 'push' &&
+      github.ref_name == 'master'
+    steps:
+    - uses: actions/checkout@v5
+      with:
+        fetch-depth: 0
+    - uses: ./.github/actions/install-nix-action
+      with:
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+        dogfood: ${{ github.event_name == 'workflow_dispatch' && inputs.dogfood || github.event_name != 'workflow_dispatch' }}
+        extra_nix_config: |
+          experimental-features = flakes nix-command ca-derivations impure-derivations
+          max-jobs = 1
+    - uses: DeterminateSystems/magic-nix-cache-action@main
+    - run: |
+        nix build -L --file ./ci/gha/profile-build buildTimeReport --out-link build-time-report.md
+        cat build-time-report.md >> $GITHUB_STEP_SUMMARY

CONTRIBUTING.md

@@ -89,7 +89,7 @@ Check out the [security policy](https://github.com/NixOS/nix/security/policy).
 
 ## Making changes to the Nix manual
 
-The Nix reference manual is hosted on https://nixos.org/manual/nix.
+The Nix reference manual is hosted on https://nix.dev/manual/nix.
 The underlying source files are located in [`doc/manual/source`](./doc/manual/source).
 For small changes you can [use GitHub to edit these files](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files)
 For larger changes see the [Nix reference manual](https://nix.dev/manual/nix/development/development/contributing.html).

ci/gha/profile-build/default.nix

@@ -0,0 +1,101 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+}:
+
+let
+  inherit (pkgs) lib;
+
+  nixComponentsInstrumented =
+    (nixFlake.lib.makeComponents {
+      inherit pkgs;
+      getStdenv = p: p.clangStdenv;
+    }).overrideScope
+      (
+        _: _: {
+          mesonComponentOverrides = finalAttrs: prevAttrs: {
+            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "buildprofile" ];
+            nativeBuildInputs = [ pkgs.clangbuildanalyzer ] ++ prevAttrs.nativeBuildInputs or [ ];
+            __impure = true;
+
+            env = {
+              CFLAGS = "-ftime-trace";
+              CXXFLAGS = "-ftime-trace";
+            };
+
+            preBuild = ''
+              ClangBuildAnalyzer --start $PWD
+            '';
+
+            postBuild = ''
+              ClangBuildAnalyzer --stop $PWD $buildprofile
+            '';
+          };
+        }
+      );
+
+  componentsToProfile = {
+    "nix-util" = { };
+    "nix-util-c" = { };
+    "nix-util-test-support" = { };
+    "nix-util-tests" = { };
+    "nix-store" = { };
+    "nix-store-c" = { };
+    "nix-store-test-support" = { };
+    "nix-store-tests" = { };
+    "nix-fetchers" = { };
+    "nix-fetchers-c" = { };
+    "nix-fetchers-tests" = { };
+    "nix-expr" = { };
+    "nix-expr-c" = { };
+    "nix-expr-test-support" = { };
+    "nix-expr-tests" = { };
+    "nix-flake" = { };
+    "nix-flake-c" = { };
+    "nix-flake-tests" = { };
+    "nix-main" = { };
+    "nix-main-c" = { };
+    "nix-cmd" = { };
+    "nix-cli" = { };
+  };
+
+  componentDerivationsToProfile = builtins.intersectAttrs componentsToProfile nixComponentsInstrumented;
+  componentBuildProfiles = lib.mapAttrs (
+    n: v: lib.getOutput "buildprofile" v
+  ) componentDerivationsToProfile;
+
+  buildTimeReport =
+    pkgs.runCommand "build-time-report"
+      {
+        __impure = true;
+        __structuredAttrs = true;
+        nativeBuildInputs = [ pkgs.clangbuildanalyzer ];
+        inherit componentBuildProfiles;
+      }
+      ''
+        {
+          echo "# Build time performance profile for components:"
+          echo
+          echo "This reports the build profile collected via \`-ftime-trace\` for each component."
+          echo
+        } >> $out
+
+        for name in "''\${!componentBuildProfiles[@]}"; do
+          {
+            echo "<details><summary><strong>$name</strong></summary>"
+            echo
+            echo '````'
+            ClangBuildAnalyzer --analyze "''\${componentBuildProfiles[$name]}"
+            echo '````'
+            echo
+            echo "</details>"
+          } >> $out
+        done
+      '';
+in
+
+{
+  inherit buildTimeReport;
+  inherit componentDerivationsToProfile;
+}

ci/gha/tests/default.nix

@@ -0,0 +1,229 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+  nixComponents ? (
+    nixFlake.lib.makeComponents {
+      inherit pkgs;
+      inherit getStdenv;
+    }
+  ),
+  getStdenv ? p: p.stdenv,
+  componentTestsPrefix ? "",
+  withSanitizers ? false,
+  withCoverage ? false,
+  ...
+}:
+
+let
+  inherit (pkgs) lib;
+  hydraJobs = nixFlake.hydraJobs;
+  packages' = nixFlake.packages.${system};
+  stdenv = (getStdenv pkgs);
+
+  enableSanitizersLayer = finalAttrs: prevAttrs: {
+    mesonFlags =
+      (prevAttrs.mesonFlags or [ ])
+      ++ [
+        # Run all tests with UBSAN enabled. Running both with ubsan and
+        # without doesn't seem to have much immediate benefit for doubling
+        # the GHA CI workaround.
+        #
+        # TODO: Work toward enabling "address,undefined" if it seems feasible.
+        # This would maybe require dropping Boost coroutines and ignoring intentional
+        # memory leaks with detect_leaks=0.
+        (lib.mesonOption "b_sanitize" "undefined")
+      ]
+      ++ (lib.optionals stdenv.cc.isClang [
+        # https://www.github.com/mesonbuild/meson/issues/764
+        (lib.mesonBool "b_lundef" false)
+      ]);
+  };
+
+  collectCoverageLayer = finalAttrs: prevAttrs: {
+    env =
+      let
+        # https://clang.llvm.org/docs/SourceBasedCodeCoverage.html#the-code-coverage-workflow
+        coverageFlags = [
+          "-fprofile-instr-generate"
+          "-fcoverage-mapping"
+        ];
+      in
+      {
+        CFLAGS = toString coverageFlags;
+        CXXFLAGS = toString coverageFlags;
+      };
+
+    # Done in a pre-configure hook, because $NIX_BUILD_TOP needs to be substituted.
+    preConfigure = prevAttrs.preConfigure or "" + ''
+      mappingFlag=" -fcoverage-prefix-map=$NIX_BUILD_TOP/${finalAttrs.src.name}=${finalAttrs.src}"
+      CFLAGS+="$mappingFlag"
+      CXXFLAGS+="$mappingFlag"
+    '';
+  };
+
+  componentOverrides =
+    (lib.optional withSanitizers enableSanitizersLayer)
+    ++ (lib.optional withCoverage collectCoverageLayer);
+in
+
+rec {
+  nixComponentsInstrumented = nixComponents.overrideScope (
+    final: prev: {
+      nix-store-tests = prev.nix-store-tests.override { withBenchmarks = true; };
+
+      mesonComponentOverrides = lib.composeManyExtensions componentOverrides;
+    }
+  );
+
+  /**
+    Top-level tests for the flake outputs, as they would be built by hydra.
+    These tests generally can't be overridden to run with sanitizers.
+  */
+  topLevel = {
+    installerScriptForGHA = hydraJobs.installerScriptForGHA.${system};
+    installTests = hydraJobs.installTests.${system};
+    nixpkgsLibTests = hydraJobs.tests.nixpkgsLibTests.${system};
+    rl-next = pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
+      LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${../../../doc/manual/rl-next} >$out
+    '';
+    repl-completion = pkgs.callPackage ../../../tests/repl-completion.nix { inherit (packages') nix; };
+
+    /**
+      Checks for our packaging expressions.
+      This shouldn't build anything significant; just check that things
+      (including derivations) are _set up_ correctly.
+    */
+    packaging-overriding =
+      let
+        nix = packages'.nix;
+      in
+      assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
+      if pkgs.stdenv.buildPlatform.isDarwin then
+        lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
+      else
+        # If this fails, something might be wrong with how we've wired the scope,
+        # or something could be broken in Nixpkgs.
+        pkgs.testers.testEqualContents {
+          assertion = "trivial patch does not change source contents";
+          expected = "${../../..}";
+          actual =
+            # Same for all components; nix-util is an arbitrary pick
+            (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
+        };
+  };
+
+  componentTests =
+    (lib.concatMapAttrs (
+      pkgName: pkg:
+      lib.concatMapAttrs (testName: test: {
+        "${componentTestsPrefix}${pkgName}-${testName}" = test;
+      }) (pkg.tests or { })
+    ) nixComponentsInstrumented)
+    // lib.optionalAttrs (pkgs.stdenv.hostPlatform == pkgs.stdenv.buildPlatform) {
+      "${componentTestsPrefix}nix-functional-tests" = nixComponentsInstrumented.nix-functional-tests;
+    };
+
+  codeCoverage =
+    let
+      componentsTestsToProfile =
+        (builtins.mapAttrs (n: v: nixComponentsInstrumented.${n}.tests.run) {
+          "nix-util-tests" = { };
+          "nix-store-tests" = { };
+          "nix-fetchers-tests" = { };
+          "nix-expr-tests" = { };
+          "nix-flake-tests" = { };
+        })
+        // {
+          inherit (nixComponentsInstrumented) nix-functional-tests;
+        };
+
+      coverageProfileDrvs = lib.mapAttrs (
+        n: v:
+        v.overrideAttrs (
+          finalAttrs: prevAttrs: {
+            outputs = (prevAttrs.outputs or [ "out" ]) ++ [ "profraw" ];
+            env = {
+              LLVM_PROFILE_FILE = "${placeholder "profraw"}/%m";
+            };
+          }
+        )
+      ) componentsTestsToProfile;
+
+      coverageProfiles = lib.mapAttrsToList (n: v: lib.getOutput "profraw" v) coverageProfileDrvs;
+
+      mergedProfdata =
+        pkgs.runCommand "merged-profdata"
+          {
+            __structuredAttrs = true;
+            nativeBuildInputs = [ pkgs.llvmPackages.libllvm ];
+            inherit coverageProfiles;
+          }
+          ''
+            rawProfiles=()
+            for dir in "''\${coverageProfiles[@]}"; do
+              rawProfiles+=($dir/*)
+            done
+            llvm-profdata merge -sparse -output $out "''\${rawProfiles[@]}"
+          '';
+
+      coverageReports =
+        let
+          nixComponentDrvs = lib.filter (lib.isDerivation) (lib.attrValues nixComponentsInstrumented);
+        in
+        pkgs.runCommand "code-coverage-report"
+          {
+            nativeBuildInputs = [
+              pkgs.llvmPackages.libllvm
+              pkgs.jq
+            ];
+            __structuredAttrs = true;
+            nixComponents = nixComponentDrvs;
+          }
+          ''
+            # ${toString (lib.map (v: v.src) nixComponentDrvs)}
+
+            binaryFiles=()
+            for dir in "''\${nixComponents[@]}"; do
+              readarray -t filesInDir < <(find "$dir" -type f -executable)
+              binaryFiles+=("''\${filesInDir[@]}")
+            done
+
+            arguments=$(concatStringsSep " -object " binaryFiles)
+            llvm-cov show $arguments -instr-profile ${mergedProfdata} -output-dir $out -format=html
+
+            {
+              echo "# Code coverage summary (generated via \`llvm-cov\`):"
+              echo
+              echo '```'
+              llvm-cov report $arguments -instr-profile ${mergedProfdata} -format=text -use-color=false
+              echo '```'
+              echo
+            } >> $out/index.txt
+
+            llvm-cov export $arguments -instr-profile ${mergedProfdata} -format=text > $out/coverage.json
+
+            mkdir -p $out/nix-support
+
+            coverageTotals=$(jq ".data[0].totals" $out/coverage.json)
+
+            # Mostly inline from pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh [1],
+            # which we can't use here, because we rely on LLVM's infra for source code coverage collection.
+            # [1]: https://github.com/NixOS/nixpkgs/blob/67bb48c4c8e327417d6d5aa7e538244b209e852b/pkgs/build-support/setup-hooks/make-coverage-analysis-report.sh#L16
+            declare -A metricsArray=(["lineCoverage"]="lines" ["functionCoverage"]="functions" ["branchCoverage"]="branches")
+
+            for metricName in "''\${!metricsArray[@]}"; do
+              key="''\${metricsArray[$metricName]}"
+              metric=$(echo "$coverageTotals" | jq ".$key.percent * 10 | round / 10")
+              echo "$metricName $metric %" >> $out/nix-support/hydra-metrics
+            done
+
+            echo "report coverage $out" >> $out/nix-support/hydra-build-products
+          '';
+    in
+    assert withCoverage;
+    assert stdenv.cc.isClang;
+    {
+      inherit coverageProfileDrvs mergedProfdata coverageReports;
+    };
+}

ci/gha/tests/wrapper.nix

@@ -0,0 +1,16 @@
+{
+  nixFlake ? builtins.getFlake ("git+file://" + toString ../../..),
+  system ? builtins.currentSystem,
+  pkgs ? nixFlake.inputs.nixpkgs.legacyPackages.${system},
+  stdenv ? "stdenv",
+  componentTestsPrefix ? "",
+  withInstrumentation ? false,
+}@args:
+import ./. (
+  args
+  // {
+    getStdenv = p: p.${stdenv};
+    withSanitizers = withInstrumentation;
+    withCoverage = withInstrumentation;
+  }
+)

doc/manual/meson.build

@@ -1,4 +1,5 @@
-project('nix-manual',
+project(
+  'nix-manual',
   version : files('.version'),
   meson_version : '>= 1.1',
   license : 'LGPL-2.1-or-later',
@@ -8,44 +9,45 @@ nix = find_program('nix', native : true)
 
 mdbook = find_program('mdbook', native : true)
 bash = find_program('bash', native : true)
-rsync = find_program('rsync', required: true, native: true)
+rsync = find_program('rsync', required : true, native : true)
 
 pymod = import('python')
 python = pymod.find_installation('python3')
 
 nix_env_for_docs = {
-  'HOME': '/dummy',
-  'NIX_CONF_DIR': '/dummy',
-  'NIX_SSL_CERT_FILE': '/dummy/no-ca-bundle.crt',
-  'NIX_STATE_DIR': '/dummy',
-  'NIX_CONFIG': 'cores = 0',
+  'HOME' : '/dummy',
+  'NIX_CONF_DIR' : '/dummy',
+  'NIX_SSL_CERT_FILE' : '/dummy/no-ca-bundle.crt',
+  'NIX_STATE_DIR' : '/dummy',
+  'NIX_CONFIG' : 'cores = 0',
 }
 
-nix_for_docs = [nix, '--experimental-features', 'nix-command']
+nix_for_docs = [ nix, '--experimental-features', 'nix-command' ]
 nix_eval_for_docs_common = nix_for_docs + [
   'eval',
-  '-I', 'nix=' + meson.current_source_dir(),
+  '-I',
+  'nix=' + meson.current_source_dir(),
   '--store', 'dummy://',
   '--impure',
 ]
 nix_eval_for_docs = nix_eval_for_docs_common + '--raw'
 
 conf_file_json = custom_target(
-  command : nix_for_docs + ['config', 'show', '--json'],
+  command : nix_for_docs + [ 'config', 'show', '--json' ],
   capture : true,
   output : 'conf-file.json',
   env : nix_env_for_docs,
 )
 
 language_json = custom_target(
-  command: [nix, '__dump-language'],
+  command : [ nix, '__dump-language' ],
   output : 'language.json',
   capture : true,
   env : nix_env_for_docs,
 )
 
 nix3_cli_json = custom_target(
-  command : [nix, '__dump-cli'],
+  command : [ nix, '__dump-cli' ],
   capture : true,
   output : 'nix.json',
   env : nix_env_for_docs,
@@ -79,7 +81,8 @@ manual = custom_target(
   'manual',
   command : [
     bash,
-    '-euo', 'pipefail',
+    '-euo',
+    'pipefail',
     '-c',
     '''
         @0@ @INPUT0@ @CURRENT_SOURCE_DIR@ > @DEPFILE@
@@ -120,8 +123,8 @@ manual = custom_target(
   ],
   depfile : 'manual.d',
   env : {
-    'RUST_LOG': 'info',
-    'MDBOOK_SUBSTITUTE_SEARCH': meson.current_build_dir() / 'source',
+    'RUST_LOG' : 'info',
+    'MDBOOK_SUBSTITUTE_SEARCH' : meson.current_build_dir() / 'source',
   },
 )
 manual_html = manual[0]
@@ -133,7 +136,8 @@ install_subdir(
 )
 
 nix_nested_manpages = [
-  [ 'nix-env',
+  [
+    'nix-env',
     [
       'delete-generations',
       'install',
@@ -148,7 +152,8 @@ nix_nested_manpages = [
       'upgrade',
     ],
   ],
-  [ 'nix-store',
+  [
+    'nix-store',
     [
       'add-fixed',
       'add',

doc/manual/package.nix

@@ -46,24 +46,23 @@ mkMesonDerivation (finalAttrs: {
   ];
 
   # Hack for sake of the dev shell
-  passthru.externalNativeBuildInputs =
-    [
-      meson
-      ninja
-      (lib.getBin lowdown-unsandboxed)
-      mdbook
-      mdbook-linkcheck
-      jq
-      python3
-      rsync
-      changelog-d
-    ]
-    ++ lib.optionals (!officialRelease) [
-      # When not an official release, we likely have changelog entries that have
-      # yet to be rendered.
-      # When released, these are rendered into a committed file to save a dependency.
-      changelog-d
-    ];
+  passthru.externalNativeBuildInputs = [
+    meson
+    ninja
+    (lib.getBin lowdown-unsandboxed)
+    mdbook
+    mdbook-linkcheck
+    jq
+    python3
+    rsync
+    changelog-d
+  ]
+  ++ lib.optionals (!officialRelease) [
+    # When not an official release, we likely have changelog entries that have
+    # yet to be rendered.
+    # When released, these are rendered into a committed file to save a dependency.
+    changelog-d
+  ];
 
   nativeBuildInputs = finalAttrs.passthru.externalNativeBuildInputs ++ [
     nix-cli

doc/manual/rl-next/git-lfs-ssh.md

@@ -0,0 +1,11 @@
+---
+synopsis: "Fix Git LFS SSH issues"
+prs: [13743]
+issues: [13337]
+---
+
+Fixed some outstanding issues with Git LFS and SSH.
+
+* Added support for `NIX_SSHOPTS`.
+* Properly use the parsed port from URL.
+* Better use of the response of `git-lfs-authenticate` to determine API endpoint when the API is not exposed on port 443.

doc/manual/rl-next/port-in-store-uris.md

@@ -0,0 +1,13 @@
+---
+synopsis: "Add support for user@address:port syntax in store URIs"
+prs: [3425]
+issues: [7044]
+---
+
+It's now possible to specify the port used for the SSH stores directly in the store URL in accordance with [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986). Previously the only way to specify custom ports was via `ssh_config` or `NIX_SSHOPTS` environment variable, because Nix incorrectly passed the port number together with the host name to the SSH executable. This has now been fixed.
+
+This change affects [store references](@docroot@/store/types/index.md#store-url-format) passed via the `--store` and similar flags in CLI as well as in the configuration for [remote builders](@docroot@/command-ref/conf-file.md#conf-builders). For example, the following store URIs now work:
+
+- `ssh://127.0.0.1:2222`
+- `ssh://[b573:6a48:e224:840b:6007:6275:f8f7:ebf3]:22`
+- `ssh-ng://[b573:6a48:e224:840b:6007:6275:f8f7:ebf3]:22`

doc/manual/rl-next/rfc4007-zone-id-in-uri-rfc6874.md

@@ -0,0 +1,6 @@
+---
+synopsis: "Represent IPv6 RFC4007 ZoneId literals in conformance with RFC6874"
+prs: [13445]
+---
+
+Prior versions of Nix since [#4646](https://github.com/NixOS/nix/pull/4646) accepted [IPv6 scoped addresses](https://datatracker.ietf.org/doc/html/rfc4007) in URIs like [store references](@docroot@/store/types/index.md#store-url-format) in the textual representation with a literal percent character: `[fe80::1%18]`. This was ambiguous, because the the percent literal `%` is reserved by [RFC3986](https://datatracker.ietf.org/doc/html/rfc3986), since it's used to indicate percent encoding. Nix now requires that the percent `%` symbol is percent-encoded as `%25`. This implements [RFC6874](https://datatracker.ietf.org/doc/html/rfc6874), which defines the representation of zone identifiers in URIs. The example from above now has to be specified as `[fe80::1%2518]`.

doc/manual/source/SUMMARY.md.in

@@ -128,6 +128,7 @@
 - [Development](development/index.md)
   - [Building](development/building.md)
   - [Testing](development/testing.md)
+  - [Benchmarking](development/benchmarking.md)
   - [Debugging](development/debugging.md)
   - [Documentation](development/documentation.md)
   - [CLI guideline](development/cli-guideline.md)

doc/manual/source/command-ref/env-common.md

@@ -75,7 +75,7 @@ Most Nix commands interpret the following environment variables:
 - <span id="env-NIX_CONF_DIR">[`NIX_CONF_DIR`](#env-NIX_CONF_DIR)</span>
 
   Overrides the location of the system Nix configuration directory
-  (default `prefix/etc/nix`).
+  (default `sysconfdir/nix`, i.e. `/etc/nix` on most systems).
 
 - <span id="env-NIX_CONFIG">[`NIX_CONFIG`](#env-NIX_CONFIG)</span>
 

doc/manual/source/command-ref/meson.build

@@ -1,13 +1,12 @@
 xp_features_json = custom_target(
-  command : [nix, '__dump-xp-features'],
+  command : [ nix, '__dump-xp-features' ],
   capture : true,
   output : 'xp-features.json',
 )
 
 experimental_features_shortlist_md = custom_target(
   command : nix_eval_for_docs + [
-    '--expr',
-    'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
   ],
   input : [
     '../../generate-xp-features-shortlist.nix',
@@ -19,14 +18,8 @@ experimental_features_shortlist_md = custom_target(
 )
 
 nix3_cli_files = custom_target(
-  command : [
-    python.full_path(),
-    '@INPUT0@',
-    '@OUTPUT@',
-    '--'
-  ] + nix_eval_for_docs + [
-    '--expr',
-    'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
+  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
+    '--expr', 'import @INPUT1@ true (builtins.readFile ./@INPUT2@)',
   ],
   input : [
     '../../remove_before_wrapper.py',
@@ -40,8 +33,7 @@ nix3_cli_files = custom_target(
 conf_file_md_body = custom_target(
   command : [
     nix_eval_for_docs,
-    '--expr',
-    'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
+    '--expr', 'import @INPUT0@ { prefix = "conf"; } (builtins.fromJSON (builtins.readFile ./@INPUT1@))',
   ],
   capture : true,
   input : [

doc/manual/source/development/benchmarking.md

@@ -0,0 +1,187 @@
+# Running Benchmarks
+
+This guide explains how to build and run performance benchmarks in the Nix codebase.
+
+## Overview
+
+Nix uses the [Google Benchmark](https://github.com/google/benchmark) framework for performance testing. Benchmarks help measure and track the performance of critical operations like derivation parsing.
+
+## Building Benchmarks
+
+Benchmarks are disabled by default and must be explicitly enabled during the build configuration. For accurate results, use a debug-optimized release build.
+
+### Development Environment Setup
+
+First, enter the development shell which includes the necessary dependencies:
+
+```bash
+nix develop .#native-ccacheStdenv
+```
+
+### Configure Build with Benchmarks
+
+From the project root, configure the build with benchmarks enabled and optimization:
+
+```bash
+cd build
+meson configure -Dbenchmarks=true -Dbuildtype=debugoptimized
+```
+
+The `debugoptimized` build type provides:
+- Compiler optimizations for realistic performance measurements
+- Debug symbols for profiling and analysis
+- Balance between performance and debuggability
+
+### Build the Benchmarks
+
+Build the project including benchmarks:
+
+```bash
+ninja
+```
+
+This will create benchmark executables in the build directory. Currently available:
+- `build/src/libstore-tests/nix-store-benchmarks` - Store-related performance benchmarks
+
+Additional benchmark executables will be created as more benchmarks are added to the codebase.
+
+## Running Benchmarks
+
+### Basic Usage
+
+Run benchmark executables directly. For example, to run store benchmarks:
+
+```bash
+./build/src/libstore-tests/nix-store-benchmarks
+```
+
+As more benchmark executables are added, run them similarly from their respective build directories.
+
+### Filtering Benchmarks
+
+Run specific benchmarks using regex patterns:
+
+```bash
+# Run only derivation parser benchmarks
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter="derivation.*"
+
+# Run only benchmarks for hello.drv
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_filter=".*hello.*"
+```
+
+### Output Formats
+
+Generate benchmark results in different formats:
+
+```bash
+# JSON output
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > results.json
+
+# CSV output
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=csv > results.csv
+```
+
+### Advanced Options
+
+```bash
+# Run benchmarks multiple times for better statistics
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_repetitions=10
+
+# Set minimum benchmark time (useful for micro-benchmarks)
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_min_time=2
+
+# Compare against baseline
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
+
+# Display time in custom units
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_time_unit=ms
+```
+
+## Writing New Benchmarks
+
+To add new benchmarks:
+
+1. Create a new `.cc` file in the appropriate `*-tests` directory
+2. Include the benchmark header:
+   ```cpp
+   #include <benchmark/benchmark.h>
+   ```
+
+3. Write benchmark functions:
+   ```cpp
+   static void BM_YourBenchmark(benchmark::State & state)
+   {
+       // Setup code here
+
+       for (auto _ : state) {
+           // Code to benchmark
+       }
+   }
+   BENCHMARK(BM_YourBenchmark);
+   ```
+
+4. Add the file to the corresponding `meson.build`:
+   ```meson
+   benchmarks_sources = files(
+       'your-benchmark.cc',
+       # existing benchmarks...
+   )
+   ```
+
+## Profiling with Benchmarks
+
+For deeper performance analysis, combine benchmarks with profiling tools:
+
+```bash
+# Using Linux perf
+perf record ./build/src/libstore-tests/nix-store-benchmarks
+perf report
+```
+
+### Using Valgrind Callgrind
+
+Valgrind's callgrind tool provides detailed profiling information that can be visualized with kcachegrind:
+
+```bash
+# Profile with callgrind
+valgrind --tool=callgrind ./build/src/libstore-tests/nix-store-benchmarks
+
+# Visualize the results with kcachegrind
+kcachegrind callgrind.out.*
+```
+
+This provides:
+- Function call graphs
+- Instruction-level profiling
+- Source code annotation
+- Interactive visualization of performance bottlenecks
+
+## Continuous Performance Testing
+
+```bash
+# Save baseline results
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_format=json > baseline.json
+
+# Compare against baseline in CI
+./build/src/libstore-tests/nix-store-benchmarks --benchmark_baseline=baseline.json
+```
+
+## Troubleshooting
+
+### Benchmarks not building
+
+Ensure benchmarks are enabled:
+```bash
+meson configure build | grep benchmarks
+# Should show: benchmarks true
+```
+
+### Inconsistent results
+
+- Ensure your system is not under heavy load
+- Disable CPU frequency scaling for consistent results
+- Run benchmarks multiple times with `--benchmark_repetitions`
+
+## See Also
+
+- [Google Benchmark documentation](https://github.com/google/benchmark/blob/main/docs/user_guide.md)

doc/manual/source/development/building.md

@@ -215,14 +215,18 @@ nix build .#nix-everything-x86_64-w64-mingw32
 
 For historic reasons and backward-compatibility, some CPU and OS identifiers are translated as follows:
 
-| `config.guess`             | Nix                 |
-|----------------------------|---------------------|
-| `amd64`                    | `x86_64`            |
-| `i*86`                     | `i686`              |
-| `arm6`                     | `arm6l`             |
-| `arm7`                     | `arm7l`             |
-| `linux-gnu*`               | `linux`             |
-| `linux-musl*`              | `linux`             |
+| `host_machine.cpu_family()` | `host_machine.endian()` | Nix                 |
+|-----------------------------|-------------------------|---------------------|
+| `x86`                       |                         | `i686`              |
+| `arm`                       |                         | `host_machine.cpu()`|
+| `ppc`                       | `little`                | `powerpcle`         |
+| `ppc64`                     | `little`                | `powerpc64le`       |
+| `ppc`                       | `big`                   | `powerpc`           |
+| `ppc64`                     | `big`                   | `powerpc64`         |
+| `mips`                      | `little`                | `mipsel`            |
+| `mips64`                    | `little`                | `mips64el`          |
+| `mips`                      | `big`                   | `mips`              |
+| `mips64`                    | `big`                   | `mips64`            |
 
 ## Compilation environments
 

doc/manual/source/development/meson.build

@@ -1,7 +1,6 @@
 experimental_feature_descriptions_md = custom_target(
   command : nix_eval_for_docs + [
-    '--expr',
-    'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
+    '--expr', 'import @INPUT0@ (builtins.fromJSON (builtins.readFile @INPUT1@))',
   ],
   input : [
     '../../generate-xp-features.nix',

doc/manual/source/installation/prerequisites-source.md

@@ -10,7 +10,7 @@
   - Bash Shell. The `./configure` script relies on bashisms, so Bash is
     required.
 
-  - A version of GCC or Clang that supports C++20.
+  - A version of GCC or Clang that supports C++23.
 
   - `pkg-config` to locate dependencies. If your distribution does not
     provide it, you can get it from

doc/manual/source/installation/uninstall.md

@@ -41,6 +41,38 @@ There may also be references to Nix in
 
 which you may remove.
 
+### FreeBSD
+
+1. Stop and remove the Nix daemon service:
+
+   ```console
+   sudo service nix-daemon stop
+   sudo rm -f /usr/local/etc/rc.d/nix-daemon
+   sudo sysrc -x nix_daemon_enable
+   ```
+
+2. Remove files created by Nix:
+
+   ```console
+   sudo rm -rf /etc/nix /usr/local/etc/profile.d/nix.sh /nix ~root/.nix-channels ~root/.nix-defexpr ~root/.nix-profile ~root/.cache/nix
+   ```
+
+3. Remove build users and their group:
+
+   ```console
+   for i in $(seq 1 32); do
+     sudo pw userdel nixbld$i
+   done
+   sudo pw groupdel nixbld
+   ```
+
+4. There may also be references to Nix in:
+   - `/usr/local/etc/bashrc`
+   - `/usr/local/etc/zshrc`
+   - Shell configuration files in users' home directories
+
+   which you may remove.
+
 ### macOS
 
 > **Updating to macOS 15 Sequoia**

doc/manual/source/language/advanced-attributes.md

@@ -160,7 +160,6 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
 ## Other output modifications
 
   - [`unsafeDiscardReferences`]{#adv-attr-unsafeDiscardReferences}\
-
     When using [structured attributes](#adv-attr-structuredAttrs), the
     attribute `unsafeDiscardReferences` is an attribute set with a boolean value for each output name.
     If set to `true`, it disables scanning the output for runtime dependencies.
@@ -195,7 +194,6 @@ See the [corresponding section in the derivation output page](@docroot@/store/de
     [`builder`]: ./derivations.md#attr-builder
 
 - [`requiredSystemFeatures`]{#adv-attr-requiredSystemFeatures}\
-
   If a derivation has the `requiredSystemFeatures` attribute, then Nix will only build it on a machine that has the corresponding features set in its [`system-features` configuration](@docroot@/command-ref/conf-file.md#conf-system-features).
 
   For example, setting

doc/manual/source/language/meson.build

@@ -1,19 +1,13 @@
 builtins_md = custom_target(
-  command : [
-    python.full_path(),
-    '@INPUT0@',
-    '@OUTPUT@',
-    '--'
-  ] + nix_eval_for_docs + [
-    '--expr',
-    '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
+  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
+    '--expr', '(builtins.readFile @INPUT3@) + import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)) + (builtins.readFile @INPUT4@)',
   ],
   input : [
     '../../remove_before_wrapper.py',
     '../../generate-builtins.nix',
     language_json,
     'builtins-prefix.md',
-    'builtins-suffix.md'
+    'builtins-suffix.md',
   ],
   output : 'builtins.md',
   env : nix_env_for_docs,

doc/manual/source/meson.build

@@ -1,7 +1,8 @@
 summary_rl_next = custom_target(
   command : [
     bash,
-    '-euo', 'pipefail',
+    '-euo',
+    'pipefail',
     '-c',
     '''
       if [ -e "@INPUT@" ]; then
@@ -12,6 +13,6 @@ summary_rl_next = custom_target(
   input : [
     rl_next_generated,
   ],
-  capture: true,
+  capture : true,
   output : 'SUMMARY-rl-next.md',
 )

doc/manual/source/protocols/nix-archive.md

@@ -24,7 +24,7 @@ nar-obj-inner
   | str("type"), str("directory") directory
   ;
 
-regular = [ str("executable"), str("") ], str("contents"), str(contents);
+regular = [ str("executable") ], str("contents"), str(contents);
 
 symlink = str("target"), str(target);
 

doc/manual/source/release-notes/rl-2.8.md

@@ -48,6 +48,6 @@
 
 * `nix run` is now stricter in what it accepts: members of the `apps`
   flake output are now required to be apps (as defined in [the
-  manual](https://nixos.org/manual/nix/stable/command-ref/new-cli/nix3-run.html#apps)),
+  manual](https://nix.dev/manual/nix/stable/command-ref/new-cli/nix3-run.html#apps)),
   and members of `packages` or `legacyPackages` must be derivations
   (not apps).

doc/manual/source/store/meson.build

@@ -1,12 +1,6 @@
 types_dir = custom_target(
-  command : [
-    python.full_path(),
-    '@INPUT0@',
-    '@OUTPUT@',
-    '--'
-  ] + nix_eval_for_docs + [
-    '--expr',
-    'import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)).stores',
+  command : [ python.full_path(), '@INPUT0@', '@OUTPUT@', '--' ] + nix_eval_for_docs + [
+    '--expr', 'import @INPUT1@ (builtins.fromJSON (builtins.readFile ./@INPUT2@)).stores',
   ],
   input : [
     '../../remove_before_wrapper.py',

docker.nix

@@ -65,62 +65,61 @@ let
     iana-etc
     gitMinimal
     openssh
-  ] ++ extraPkgs;
+  ]
+  ++ extraPkgs;
 
-  users =
-    {
+  users = {
 
-      root = {
-        uid = 0;
-        shell = lib.getExe bashInteractive;
-        home = "/root";
-        gid = 0;
-        groups = [ "root" ];
-        description = "System administrator";
-      };
-
-      nobody = {
-        uid = 65534;
-        shell = lib.getExe' shadow "nologin";
-        home = "/var/empty";
-        gid = 65534;
-        groups = [ "nobody" ];
-        description = "Unprivileged account (don't use!)";
-      };
-
-    }
-    // lib.optionalAttrs (uid != 0) {
-      "${uname}" = {
-        uid = uid;
-        shell = lib.getExe bashInteractive;
-        home = "/home/${uname}";
-        gid = gid;
-        groups = [ "${gname}" ];
-        description = "Nix user";
-      };
-    }
-    // lib.listToAttrs (
-      map (n: {
-        name = "nixbld${toString n}";
-        value = {
-          uid = 30000 + n;
-          gid = 30000;
-          groups = [ "nixbld" ];
-          description = "Nix build user ${toString n}";
-        };
-      }) (lib.lists.range 1 32)
-    );
-
-  groups =
-    {
-      root.gid = 0;
-      nixbld.gid = 30000;
-      nobody.gid = 65534;
-    }
-    // lib.optionalAttrs (gid != 0) {
-      "${gname}".gid = gid;
+    root = {
+      uid = 0;
+      shell = lib.getExe bashInteractive;
+      home = "/root";
+      gid = 0;
+      groups = [ "root" ];
+      description = "System administrator";
     };
 
+    nobody = {
+      uid = 65534;
+      shell = lib.getExe' shadow "nologin";
+      home = "/var/empty";
+      gid = 65534;
+      groups = [ "nobody" ];
+      description = "Unprivileged account (don't use!)";
+    };
+
+  }
+  // lib.optionalAttrs (uid != 0) {
+    "${uname}" = {
+      uid = uid;
+      shell = lib.getExe bashInteractive;
+      home = "/home/${uname}";
+      gid = gid;
+      groups = [ "${gname}" ];
+      description = "Nix user";
+    };
+  }
+  // lib.listToAttrs (
+    map (n: {
+      name = "nixbld${toString n}";
+      value = {
+        uid = 30000 + n;
+        gid = 30000;
+        groups = [ "nixbld" ];
+        description = "Nix build user ${toString n}";
+      };
+    }) (lib.lists.range 1 32)
+  );
+
+  groups = {
+    root.gid = 0;
+    nixbld.gid = 30000;
+    nobody.gid = 65534;
+  }
+  // lib.optionalAttrs (gid != 0) {
+    "${gname}".gid = gid;
+  };
+
   userToPasswd = (
     k:
     {
@@ -311,6 +310,7 @@ let
           # see doc/manual/source/command-ref/files/profiles.md
           ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
           ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
+          ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile
 
           # see doc/manual/source/command-ref/files/channels.md
           ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link

flake.lock

@@ -63,16 +63,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1747179050,
-        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+        "lastModified": 1755442223,
+        "narHash": "sha256-VtMQg02B3kt1oejwwrGn50U9Xbjgzfbb5TV5Wtx8dKI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
+        "rev": "cd32a774ac52caaa03bcfc9e7591ac8c18617ced",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-25.05-small",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -1,7 +1,7 @@
 {
   description = "The purely functional package manager";
 
-  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05-small";
 
   inputs.nixpkgs-regression.url = "github:NixOS/nixpkgs/215d4d0fd80ca5163643b03a33fde804a29cc1e2";
   inputs.nixpkgs-23-11.url = "github:NixOS/nixpkgs/a62e6edd6d5e1fa0329b8653c801147986f8d446";
@@ -131,31 +131,107 @@
         }
       );
 
-      overlayFor =
-        getStdenv: final: prev:
+      /**
+        Produce the `nixComponents` and `nixDependencies` package sets (scopes) for
+        a given `pkgs` and `getStdenv`.
+      */
+      packageSetsFor =
         let
-          stdenv = getStdenv final;
+          /**
+            Removes a prefix from the attribute names of a set of splices.
+            This is a completely uninteresting and exists for compatibility only.
+
+            Example:
+            ```nix
+            renameSplicesFrom "pkgs" { pkgsBuildBuild = ...; ... }
+            => { buildBuild = ...; ... }
+            ```
+          */
+          renameSplicesFrom = prefix: x: {
+            buildBuild = x."${prefix}BuildBuild";
+            buildHost = x."${prefix}BuildHost";
+            buildTarget = x."${prefix}BuildTarget";
+            hostHost = x."${prefix}HostHost";
+            hostTarget = x."${prefix}HostTarget";
+            targetTarget = x."${prefix}TargetTarget";
+          };
+
+          /**
+            Adds a prefix to the attribute names of a set of splices.
+            This is a completely uninteresting and exists for compatibility only.
+
+            Example:
+            ```nix
+            renameSplicesTo "self" { buildBuild = ...; ... }
+            => { selfBuildBuild = ...; ... }
+            ```
+          */
+          renameSplicesTo = prefix: x: {
+            "${prefix}BuildBuild" = x.buildBuild;
+            "${prefix}BuildHost" = x.buildHost;
+            "${prefix}BuildTarget" = x.buildTarget;
+            "${prefix}HostHost" = x.hostHost;
+            "${prefix}HostTarget" = x.hostTarget;
+            "${prefix}TargetTarget" = x.targetTarget;
+          };
+
+          /**
+            Takes a function `f` and returns a function that applies `f` pointwise to each splice.
+
+            Example:
+            ```nix
+            mapSplices (x: x * 10) { buildBuild = 1; buildHost = 2; ... }
+            => { buildBuild = 10; buildHost = 20; ... }
+            ```
+          */
+          mapSplices =
+            f:
+            {
+              buildBuild,
+              buildHost,
+              buildTarget,
+              hostHost,
+              hostTarget,
+              targetTarget,
+            }:
+            {
+              buildBuild = f buildBuild;
+              buildHost = f buildHost;
+              buildTarget = f buildTarget;
+              hostHost = f hostHost;
+              hostTarget = f hostTarget;
+              targetTarget = f targetTarget;
+            };
+
         in
-        {
-          nixStable = prev.nix;
+        args@{
+          pkgs,
+          getStdenv ? pkgs: pkgs.stdenv,
+        }:
+        let
+          nixComponentsSplices = mapSplices (
+            pkgs': (packageSetsFor (args // { pkgs = pkgs'; })).nixComponents
+          ) (renameSplicesFrom "pkgs" pkgs);
+          nixDependenciesSplices = mapSplices (
+            pkgs': (packageSetsFor (args // { pkgs = pkgs'; })).nixDependencies
+          ) (renameSplicesFrom "pkgs" pkgs);
 
           # A new scope, so that we can use `callPackage` to inject our own interdependencies
           # without "polluting" the top level "`pkgs`" attrset.
           # This also has the benefit of providing us with a distinct set of packages
           # we can iterate over.
-          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
-          nixComponents2 =
+          nixComponents =
             lib.makeScopeWithSplicing'
               {
-                inherit (final) splicePackages;
-                inherit (final.nixDependencies2) newScope;
+                inherit (pkgs) splicePackages;
+                inherit (nixDependencies) newScope;
               }
               {
-                otherSplices = final.generateSplicesForMkScope "nixComponents2";
+                otherSplices = renameSplicesTo "self" nixComponentsSplices;
                 f = import ./packaging/components.nix {
-                  inherit (final) lib;
+                  inherit (pkgs) lib;
                   inherit officialRelease;
-                  pkgs = final;
+                  inherit pkgs;
                   src = self;
                   maintainers = [ ];
                 };
@@ -163,29 +239,71 @@
 
           # The dependencies are in their own scope, so that they don't have to be
           # in Nixpkgs top level `pkgs` or `nixComponents2`.
-          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
-          nixDependencies2 =
+          nixDependencies =
             lib.makeScopeWithSplicing'
               {
-                inherit (final) splicePackages;
-                inherit (final) newScope; # layered directly on pkgs, unlike nixComponents2 above
+                inherit (pkgs) splicePackages;
+                inherit (pkgs) newScope; # layered directly on pkgs, unlike nixComponents2 above
               }
               {
-                otherSplices = final.generateSplicesForMkScope "nixDependencies2";
+                otherSplices = renameSplicesTo "self" nixDependenciesSplices;
                 f = import ./packaging/dependencies.nix {
-                  inherit inputs stdenv;
-                  pkgs = final;
+                  inherit inputs pkgs;
+                  stdenv = getStdenv pkgs;
                 };
               };
 
+          # If the package set is largely empty, we should(?) return empty sets
+          # This is what most package sets in Nixpkgs do. Otherwise, we get
+          # an error message that indicates that some stdenv attribute is missing,
+          # and indeed it will be missing, as seemingly `pkgsTargetTarget` is
+          # very incomplete.
+          fixup = lib.mapAttrs (k: v: if !(pkgs ? nix) then { } else v);
+        in
+        fixup {
+          inherit nixDependencies;
+          inherit nixComponents;
+        };
+
+      overlayFor =
+        getStdenv: final: prev:
+        let
+          packageSets = packageSetsFor {
+            inherit getStdenv;
+            pkgs = final;
+          };
+        in
+        {
+          nixStable = prev.nix;
+
+          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
+          nixComponents2 = packageSets.nixComponents;
+
+          # The dependencies are in their own scope, so that they don't have to be
+          # in Nixpkgs top level `pkgs` or `nixComponents2`.
+          # The `2` suffix is here because otherwise it interferes with `nixVersions.latest`, which is used in daemon compat tests.
+          nixDependencies2 = packageSets.nixDependencies;
+
           nix = final.nixComponents2.nix-cli;
         };
 
     in
     {
-      # A Nixpkgs overlay that overrides the 'nix' and
-      # 'nix-perl-bindings' packages.
-      overlays.default = overlayFor (p: p.stdenv);
+      overlays.internal = overlayFor (p: p.stdenv);
+
+      /**
+        A Nixpkgs overlay that sets `nix` to something like `packages.<system>.nix-everything`,
+        except dependencies aren't taken from (flake) `nix.inputs.nixpkgs`, but from the Nixpkgs packages
+        where the overlay is used.
+      */
+      overlays.default =
+        final: prev:
+        let
+          packageSets = packageSetsFor { pkgs = final; };
+        in
+        {
+          nix = packageSets.nixComponents.nix-everything;
+        };
 
       hydraJobs = import ./packaging/hydra.nix {
         inherit
@@ -202,43 +320,11 @@
 
       checks = forAllSystems (
         system:
-        {
-          installerScriptForGHA = self.hydraJobs.installerScriptForGHA.${system};
-          installTests = self.hydraJobs.installTests.${system};
-          nixpkgsLibTests = self.hydraJobs.tests.nixpkgsLibTests.${system};
-          rl-next =
-            let
-              pkgs = nixpkgsFor.${system}.native;
-            in
-            pkgs.buildPackages.runCommand "test-rl-next-release-notes" { } ''
-              LANG=C.UTF-8 ${pkgs.changelog-d}/bin/changelog-d ${./doc/manual/rl-next} >$out
-            '';
-          repl-completion = nixpkgsFor.${system}.native.callPackage ./tests/repl-completion.nix { };
-
-          /**
-            Checks for our packaging expressions.
-            This shouldn't build anything significant; just check that things
-            (including derivations) are _set up_ correctly.
-          */
-          packaging-overriding =
-            let
-              pkgs = nixpkgsFor.${system}.native;
-              nix = self.packages.${system}.nix;
-            in
-            assert (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src.patches == [ pkgs.emptyFile ];
-            if pkgs.stdenv.buildPlatform.isDarwin then
-              lib.warn "packaging-overriding check currently disabled because of a permissions issue on macOS" pkgs.emptyFile
-            else
-              # If this fails, something might be wrong with how we've wired the scope,
-              # or something could be broken in Nixpkgs.
-              pkgs.testers.testEqualContents {
-                assertion = "trivial patch does not change source contents";
-                expected = "${./.}";
-                actual =
-                  # Same for all components; nix-util is an arbitrary pick
-                  (nix.appendPatches [ pkgs.emptyFile ]).libs.nix-util.src;
-              };
-        }
+        (import ./ci/gha/tests {
+          inherit system;
+          pkgs = nixpkgsFor.${system}.native;
+          nixFlake = self;
+        }).topLevel
         // (lib.optionalAttrs (builtins.elem system linux64BitSystems)) {
           dockerImage = self.hydraJobs.dockerImage.${system};
         }
@@ -251,58 +337,20 @@
         # Add "passthru" tests
         //
           flatMapAttrs
+            {
+              "" = {
+                pkgs = nixpkgsFor.${system}.native;
+              };
+            }
             (
-              {
-                # Run all tests with UBSAN enabled. Running both with ubsan and
-                # without doesn't seem to have much immediate benefit for doubling
-                # the GHA CI workaround.
-                #
-                # TODO: Work toward enabling "address,undefined" if it seems feasible.
-                # This would maybe require dropping Boost coroutines and ignoring intentional
-                # memory leaks with detect_leaks=0.
-                "" = rec {
-                  nixpkgs = nixpkgsFor.${system}.native;
-                  nixComponents = nixpkgs.nixComponents2.overrideScope (
-                    nixCompFinal: nixCompPrev: {
-                      mesonComponentOverrides = _finalAttrs: prevAttrs: {
-                        mesonFlags =
-                          (prevAttrs.mesonFlags or [ ])
-                          # TODO: Macos builds instrumented with ubsan take very long
-                          # to run functional tests.
-                          ++ lib.optionals (!nixpkgs.stdenv.hostPlatform.isDarwin) [
-                            (lib.mesonOption "b_sanitize" "undefined")
-                          ];
-                      };
-                    }
-                  );
-                };
-              }
-              // lib.optionalAttrs (!nixpkgsFor.${system}.native.stdenv.hostPlatform.isDarwin) {
-                # TODO: enable static builds for darwin, blocked on:
-                #       https://github.com/NixOS/nixpkgs/issues/320448
-                # TODO: disabled to speed up GHA CI.
-                # "static-" = {
-                #   nixpkgs = nixpkgsFor.${system}.native.pkgsStatic;
-                # };
-              }
-            )
-            (
-              nixpkgsPrefix:
-              {
-                nixpkgs,
-                nixComponents ? nixpkgs.nixComponents2,
-              }:
-              flatMapAttrs nixComponents (
-                pkgName: pkg:
-                flatMapAttrs pkg.tests or { } (
-                  testName: test: {
-                    "${nixpkgsPrefix}${pkgName}-${testName}" = test;
-                  }
-                )
-              )
-              // lib.optionalAttrs (nixpkgs.stdenv.hostPlatform == nixpkgs.stdenv.buildPlatform) {
-                "${nixpkgsPrefix}nix-functional-tests" = nixComponents.nix-functional-tests;
-              }
+              nixpkgsPrefix: args:
+              (import ./ci/gha/tests (
+                args
+                // {
+                  nixFlake = self;
+                  componentTestsPrefix = nixpkgsPrefix;
+                }
+              )).componentTests
             )
         // devFlake.checks.${system} or { }
       );
@@ -465,5 +513,53 @@
             default = self.devShells.${system}.native;
           }
         );
+
+      lib = {
+        /**
+          Creates a package set for a given Nixpkgs instance and stdenv.
+
+          # Inputs
+
+          - `pkgs`: The Nixpkgs instance to use.
+
+          - `getStdenv`: _Optional_ A function that takes a package set and returns the stdenv to use.
+            This needs to be a function in order to support cross compilation - the `pkgs` passed to `getStdenv` can be `pkgsBuildHost` or any other variation needed.
+
+          # Outputs
+
+          The return value is a fresh Nixpkgs scope containing all the packages that are defined in the Nix repository,
+          as well as some internals and parameters, which may be subject to change.
+
+          # Example
+
+          ```console
+          nix repl> :lf NixOS/nix
+          nix-repl> ps = lib.makeComponents { pkgs = import inputs.nixpkgs { crossSystem = "riscv64-linux"; }; }
+          nix-repl> ps
+          {
+            appendPatches = «lambda appendPatches @ ...»;
+            callPackage = «lambda callPackageWith @ ...»;
+            overrideAllMesonComponents = «lambda overrideSource @ ...»;
+            overrideSource = «lambda overrideSource @ ...»;
+            # ...
+            nix-everything
+            # ...
+            nix-store
+            nix-store-c
+            # ...
+          }
+          ```
+        */
+        makeComponents =
+          {
+            pkgs,
+            getStdenv ? pkgs: pkgs.stdenv,
+          }:
+
+          let
+            packageSets = packageSetsFor { inherit getStdenv pkgs; };
+          in
+          packageSets.nixComponents;
+      };
     };
 }

maintainers/flake-module.nix

@@ -37,118 +37,29 @@
               fi
             ''}";
           };
-          meson-format = {
-            enable = true;
-            files = "(meson.build|meson.options)$";
-            entry = "${pkgs.writeScript "format-meson" ''
-              #!${pkgs.runtimeShell}
-              for file in "$@"; do
-                ${lib.getExe pkgs.meson} format -ic ${../meson.format} "$file"
-              done
-            ''}";
-            excludes = [
-              # We haven't applied formatting to these files yet
-              ''^doc/manual/meson.build$''
-              ''^doc/manual/source/command-ref/meson.build$''
-              ''^doc/manual/source/development/meson.build$''
-              ''^doc/manual/source/language/meson.build$''
-              ''^doc/manual/source/meson.build$''
-              ''^doc/manual/source/release-notes/meson.build$''
-              ''^doc/manual/source/store/meson.build$''
-              ''^misc/bash/meson.build$''
-              ''^misc/fish/meson.build$''
-              ''^misc/launchd/meson.build$''
-              ''^misc/meson.build$''
-              ''^misc/systemd/meson.build$''
-              ''^misc/zsh/meson.build$''
-              ''^nix-meson-build-support/$''
-              ''^nix-meson-build-support/big-objs/meson.build$''
-              ''^nix-meson-build-support/common/meson.build$''
-              ''^nix-meson-build-support/deps-lists/meson.build$''
-              ''^nix-meson-build-support/export/meson.build$''
-              ''^nix-meson-build-support/export-all-symbols/meson.build$''
-              ''^nix-meson-build-support/generate-header/meson.build$''
-              ''^nix-meson-build-support/libatomic/meson.build$''
-              ''^nix-meson-build-support/subprojects/meson.build$''
-              ''^scripts/meson.build$''
-              ''^src/external-api-docs/meson.build$''
-              ''^src/internal-api-docs/meson.build$''
-              ''^src/libcmd/include/nix/cmd/meson.build$''
-              ''^src/libcmd/meson.build$''
-              ''^src/libcmd/nix-meson-build-support$''
-              ''^src/libexpr/include/nix/expr/meson.build$''
-              ''^src/libexpr/meson.build$''
-              ''^src/libexpr/nix-meson-build-support$''
-              ''^src/libexpr-c/meson.build$''
-              ''^src/libexpr-c/nix-meson-build-support$''
-              ''^src/libexpr-test-support/meson.build$''
-              ''^src/libexpr-test-support/nix-meson-build-support$''
-              ''^src/libexpr-tests/meson.build$''
-              ''^src/libexpr-tests/nix-meson-build-support$''
-              ''^src/libfetchers/include/nix/fetchers/meson.build$''
-              ''^src/libfetchers/meson.build$''
-              ''^src/libfetchers/nix-meson-build-support$''
-              ''^src/libfetchers-c/meson.build$''
-              ''^src/libfetchers-c/nix-meson-build-support$''
-              ''^src/libfetchers-tests/meson.build$''
-              ''^src/libfetchers-tests/nix-meson-build-support$''
-              ''^src/libflake/include/nix/flake/meson.build$''
-              ''^src/libflake/meson.build$''
-              ''^src/libflake/nix-meson-build-support$''
-              ''^src/libflake-c/meson.build$''
-              ''^src/libflake-c/nix-meson-build-support$''
-              ''^src/libflake-tests/meson.build$''
-              ''^src/libflake-tests/nix-meson-build-support$''
-              ''^src/libmain/include/nix/main/meson.build$''
-              ''^src/libmain/meson.build$''
-              ''^src/libmain/nix-meson-build-support$''
-              ''^src/libmain-c/meson.build$''
-              ''^src/libmain-c/nix-meson-build-support$''
-              ''^src/libstore/include/nix/store/meson.build$''
-              ''^src/libstore/meson.build$''
-              ''^src/libstore/nix-meson-build-support$''
-              ''^src/libstore/unix/include/nix/store/meson.build$''
-              ''^src/libstore/unix/meson.build$''
-              ''^src/libstore/windows/meson.build$''
-              ''^src/libstore-c/meson.build$''
-              ''^src/libstore-c/nix-meson-build-support$''
-              ''^src/libstore-test-support/include/nix/store/tests/meson.build$''
-              ''^src/libstore-test-support/meson.build$''
-              ''^src/libstore-test-support/nix-meson-build-support$''
-              ''^src/libstore-tests/meson.build$''
-              ''^src/libstore-tests/nix-meson-build-support$''
-              ''^src/libutil/meson.build$''
-              ''^src/libutil/nix-meson-build-support$''
-              ''^src/libutil/unix/include/nix/util/meson.build$''
-              ''^src/libutil/unix/meson.build$''
-              ''^src/libutil/windows/meson.build$''
-              ''^src/libutil-c/meson.build$''
-              ''^src/libutil-c/nix-meson-build-support$''
-              ''^src/libutil-test-support/include/nix/util/tests/meson.build$''
-              ''^src/libutil-test-support/meson.build$''
-              ''^src/libutil-test-support/nix-meson-build-support$''
-              ''^src/libutil-tests/meson.build$''
-              ''^src/libutil-tests/nix-meson-build-support$''
-              ''^src/nix/meson.build$''
-              ''^src/nix/nix-meson-build-support$''
-              ''^src/perl/lib/Nix/meson.build$''
-              ''^src/perl/meson.build$''
-              ''^tests/functional/ca/meson.build$''
-              ''^tests/functional/common/meson.build$''
-              ''^tests/functional/dyn-drv/meson.build$''
-              ''^tests/functional/flakes/meson.build$''
-              ''^tests/functional/git-hashing/meson.build$''
-              ''^tests/functional/local-overlay-store/meson.build$''
-              ''^tests/functional/meson.build$''
-              ''^src/libcmd/meson.options$''
-              ''^src/libexpr/meson.options$''
-              ''^src/libstore/meson.options$''
-              ''^src/libutil/meson.options$''
-              ''^src/libutil-c/meson.options$''
-              ''^src/nix/meson.options$''
-              ''^src/perl/meson.options$''
-            ];
-          };
+          meson-format =
+            let
+              meson = pkgs.meson.overrideAttrs {
+                doCheck = false;
+                doInstallCheck = false;
+                patches = [
+                  (pkgs.fetchpatch {
+                    url = "https://github.com/mesonbuild/meson/commit/38d29b4dd19698d5cad7b599add2a69b243fd88a.patch";
+                    hash = "sha256-PgPBvGtCISKn1qQQhzBW5XfknUe91i5XGGBcaUK4yeE=";
+                  })
+                ];
+              };
+            in
+            {
+              enable = true;
+              files = "(meson.build|meson.options)$";
+              entry = "${pkgs.writeScript "format-meson" ''
+                #!${pkgs.runtimeShell}
+                for file in "$@"; do
+                  ${lib.getExe meson} format -ic ${../meson.format} "$file"
+                done
+              ''}";
+            };
           nixfmt-rfc-style = {
             enable = true;
             excludes = [
@@ -262,8 +173,6 @@
               ''^tests/functional/gc-concurrent\.sh$''
               ''^tests/functional/gc-concurrent2\.builder\.sh$''
               ''^tests/functional/gc-non-blocking\.sh$''
-              ''^tests/functional/git-hashing/common\.sh$''
-              ''^tests/functional/git-hashing/simple\.sh$''
               ''^tests/functional/hash-convert\.sh$''
               ''^tests/functional/impure-derivations\.sh$''
               ''^tests/functional/impure-eval\.sh$''
@@ -339,7 +248,6 @@
               ''^tests/functional/user-envs\.builder\.sh$''
               ''^tests/functional/user-envs\.sh$''
               ''^tests/functional/why-depends\.sh$''
-              ''^src/libutil-tests/data/git/check-data\.sh$''
             ];
           };
         };

maintainers/onboarding.md

@@ -3,5 +3,9 @@
 
 - https://github.com/NixOS/nixos-homepage/
 - https://github.com/orgs/NixOS/teams/nix-team
-- Matrix room
+- Matrix rooms
+  - [private] Nix maintainer team
+  - Nix ∪ Lix devs (also private)
+  - any open security issues if present and needed
+
 - Team member should subscribe to notifications for the [Nix development category on Discourse](https://discourse.nixos.org/c/dev/nix/50)

meson.build

@@ -8,7 +8,6 @@ project(
   subproject_dir : 'src',
   default_options : [
     'localstatedir=/nix/var',
-    # hack for trailing newline
   ],
   meson_version : '>= 1.1',
 )
@@ -29,7 +28,7 @@ subproject('nix')
 if get_option('doc-gen')
   subproject('internal-api-docs')
   subproject('external-api-docs')
-  if not meson.is_cross_build()
+  if meson.can_run_host_binaries()
     subproject('nix-manual')
   endif
 endif

meson.options

@@ -20,3 +20,10 @@ option(
   value : true,
   description : 'Build language bindings (e.g. Perl)',
 )
+
+option(
+  'benchmarks',
+  type : 'boolean',
+  value : false,
+  description : 'Build benchmarks (requires gbenchmark)',
+)

misc/freebsd/meson.build

@@ -0,0 +1,10 @@
+configure_file(
+  input : 'nix-daemon.in',
+  output : 'nix-daemon',
+  install : true,
+  install_dir : get_option('prefix') / 'etc/rc.d',
+  install_mode : 'rwxr-xr-x',
+  configuration : {
+    'bindir' : bindir,
+  },
+)

misc/freebsd/nix-daemon.in

@@ -0,0 +1,49 @@
+#!/bin/sh
+#
+# PROVIDE: nix_daemon
+# REQUIRE: DAEMON
+# KEYWORD: shutdown
+#
+# Add the following lines to /etc/rc.conf to enable nix-daemon:
+#
+# nix_daemon_enable="YES"
+#
+
+# shellcheck source=/dev/null
+. /etc/rc.subr
+
+name="nix_daemon"
+# shellcheck disable=SC2034
+rcvar="nix_daemon_enable"
+
+load_rc_config $name
+
+: "${nix_daemon_enable:=NO}"
+
+command="@bindir@/nix-daemon"
+command_args=""
+pidfile="/var/run/nix-daemon.pid"
+
+# shellcheck disable=SC2034
+start_cmd="${name}_start"
+# shellcheck disable=SC2034
+stop_cmd="${name}_stop"
+
+nix_daemon_start() {
+    echo "Starting ${name}."
+    # command_args is intentionally unquoted to allow multiple arguments
+    # shellcheck disable=SC2086
+    /usr/sbin/daemon -c -f -p "${pidfile}" "${command}" ${command_args}
+}
+
+nix_daemon_stop() {
+    if [ -f "${pidfile}" ]; then
+        echo "Stopping ${name}."
+        kill -TERM "$(cat "${pidfile}")"
+        rm -f "${pidfile}"
+    else
+        echo "${name} is not running."
+    fi
+}
+
+run_rc_command "$1"

misc/launchd/meson.build

@@ -9,5 +9,5 @@ configure_file(
     # 'storedir' : store_dir,
     # 'localstatedir' : localstatedir,
     # 'bindir' : bindir,
-  },
+},
 )

misc/meson.build

@@ -9,3 +9,7 @@ endif
 if host_machine.system() == 'darwin'
   subdir('launchd')
 endif
+
+if host_machine.system() == 'freebsd'
+  subdir('freebsd')
+endif

nix-meson-build-support/big-objs/meson.build

@@ -2,5 +2,5 @@ if host_machine.system() == 'windows'
   # libexpr's primops creates a large object
   # Without the following flag, we'll get errors when cross-compiling to mingw32:
   # Fatal error: can't write 66 bytes to section .text of src/libexpr/libnixexpr.dll.p/primops.cc.obj: 'file too big'
-  add_project_arguments([ '-Wa,-mbig-obj' ], language: 'cpp')
+  add_project_arguments([ '-Wa,-mbig-obj' ], language : 'cpp')
 endif

nix-meson-build-support/common/meson.build

@@ -18,3 +18,25 @@ add_project_arguments(
   '-Wno-deprecated-declarations',
   language : 'cpp',
 )
+
+# GCC doesn't benefit much from precompiled headers.
+do_pch = cxx.get_id() == 'clang'
+
+# This is a clang-only option for improving build times.
+# It forces the instantiation of templates in the PCH itself and
+# not every translation unit it's included in.
+# It's available starting from clang 11, which is old enough to not
+# bother checking the version.
+# This feature helps in particular with the expensive nlohmann::json template
+# instantiations in libutil and libstore.
+if cxx.get_id() == 'clang'
+  add_project_arguments('-fpch-instantiate-templates', language : 'cpp')
+endif
+
+# Clang gets grumpy about missing libasan symbols if -shared-libasan is not
+# passed when building shared libs, at least on Linux
+if cxx.get_id() == 'clang' and ('address' in get_option('b_sanitize') or 'undefined' in get_option(
+  'b_sanitize',
+))
+  add_project_link_arguments('-shared-libasan', language : 'cpp')
+endif

nix-meson-build-support/default-system-cpu/meson.build

@@ -0,0 +1,19 @@
+# This attempts to translate meson cpu_family and cpu_name specified via
+# --cross-file [1] into a nix *system double*. Nixpkgs mostly respects ([2]) the
+# conventions outlined in [1].
+#
+# [1]: https://mesonbuild.com/Reference-tables.html#cpu-families
+# [2]: https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/lib/meson.nix
+
+nix_system_cpu = {'ppc64' : 'powerpc64', 'ppc' : 'powerpc', 'x86' : 'i686'}.get(
+  host_machine.cpu_family(),
+  host_machine.cpu_family(),
+)
+
+if (host_machine.cpu_family() in [ 'ppc64', 'ppc' ]) and host_machine.endian() == 'little'
+  nix_system_cpu += 'le'
+elif host_machine.cpu_family() in [ 'mips64', 'mips' ] and host_machine.endian() == 'little'
+  nix_system_cpu += 'el'
+elif host_machine.cpu_family() == 'arm'
+  nix_system_cpu = host_machine.cpu()
+endif

nix-meson-build-support/deps-lists/meson.build

@@ -6,7 +6,7 @@
 # *interface*.
 #
 # See `man pkg-config` for some details.
-deps_private = [ ]
+deps_private = []
 
 # These are public dependencies with pkg-config files. Public is the
 # opposite of private: these dependencies are used in installed header
@@ -23,14 +23,14 @@ deps_private = [ ]
 # N.B. For distributions that care about "ABI" stability and not just
 # "API" stability, the private dependencies also matter as they can
 # potentially affect the public ABI.
-deps_public = [ ]
+deps_public = []
 
 # These are subproject deps (type == "internal"). They are other
 # packages in `/src` in this repo. The private vs public distinction is
 # the same as above.
-deps_private_subproject = [ ]
-deps_public_subproject = [ ]
+deps_private_subproject = []
+deps_public_subproject = []
 
 # These are dependencencies without pkg-config files. Ideally they are
 # just private, but they may also be public (e.g. boost).
-deps_other = [ ]
+deps_other = []

nix-meson-build-support/export-all-symbols/meson.build

@@ -5,7 +5,7 @@ if host_machine.system() == 'cygwin' or host_machine.system() == 'windows'
   # and not detail with this yet.
   #
   # TODO do not do this, and instead do fine-grained export annotations.
-  linker_export_flags = ['-Wl,--export-all-symbols']
+  linker_export_flags = [ '-Wl,--export-all-symbols' ]
 else
   linker_export_flags = []
 endif

nix-meson-build-support/export/meson.build

@@ -1,12 +1,12 @@
 requires_private = []
 foreach dep : deps_private_subproject
-  requires_private  += dep.name()
+  requires_private += dep.name()
 endforeach
 requires_private += deps_private
 
-requires_public  = []
+requires_public = []
 foreach dep : deps_public_subproject
-  requires_public  += dep.name()
+  requires_public += dep.name()
 endforeach
 requires_public += deps_public
 
@@ -14,7 +14,7 @@ extra_pkg_config_variables = get_variable('extra_pkg_config_variables', {})
 
 extra_cflags = []
 if not meson.project_name().endswith('-c')
-    extra_cflags += ['-std=c++2a']
+  extra_cflags += [ '-std=c++23' ]
 endif
 
 import('pkgconfig').generate(
@@ -29,10 +29,13 @@ import('pkgconfig').generate(
   variables : extra_pkg_config_variables,
 )
 
-meson.override_dependency(meson.project_name(), declare_dependency(
-  include_directories : include_dirs,
-  link_with : this_library,
-  compile_args : ['-std=c++2a'],
-  dependencies : deps_public_subproject + deps_public,
-  variables : extra_pkg_config_variables,
-))
+meson.override_dependency(
+  meson.project_name(),
+  declare_dependency(
+    include_directories : include_dirs,
+    link_with : this_library,
+    compile_args : [ '-std=c++23' ],
+    dependencies : deps_public_subproject + deps_public,
+    variables : extra_pkg_config_variables,
+  ),
+)

nix-meson-build-support/generate-header/meson.build

@@ -1,7 +1,12 @@
-bash = find_program('bash', native: true)
+bash = find_program('bash', native : true)
 
 gen_header = generator(
   bash,
-  arguments : [ '-c', '{ echo \'R"__NIX_STR(\' && cat @INPUT@ && echo \')__NIX_STR"\'; } > "$1"', '_ignored_argv0', '@OUTPUT@' ],
+  arguments : [
+    '-c',
+    '{ echo \'R"__NIX_STR(\' && cat @INPUT@ && echo \')__NIX_STR"\'; } > "$1"',
+    '_ignored_argv0',
+    '@OUTPUT@',
+  ],
   output : '@PLAINNAME@.gen.hh',
 )

packaging/binary-tarball.nix

@@ -37,6 +37,9 @@ runCommand "nix-binary-tarball-${version}" env ''
   substitute ${../scripts/install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
     --subst-var-by nix ${nix} \
     --subst-var-by cacert ${cacert}
+  substitute ${../scripts/install-freebsd-multi-user.sh} $TMPDIR/install-freebsd-multi-user.sh \
+    --subst-var-by nix ${nix} \
+    --subst-var-by cacert ${cacert}
   substitute ${../scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
     --subst-var-by nix ${nix} \
     --subst-var-by cacert ${cacert}
@@ -48,6 +51,7 @@ runCommand "nix-binary-tarball-${version}" env ''
     shellcheck $TMPDIR/create-darwin-volume.sh
     shellcheck $TMPDIR/install-darwin-multi-user.sh
     shellcheck $TMPDIR/install-systemd-multi-user.sh
+    shellcheck $TMPDIR/install-freebsd-multi-user.sh
 
     # SC1091: Don't panic about not being able to source
     #         /etc/profile
@@ -64,6 +68,7 @@ runCommand "nix-binary-tarball-${version}" env ''
   chmod +x $TMPDIR/create-darwin-volume.sh
   chmod +x $TMPDIR/install-darwin-multi-user.sh
   chmod +x $TMPDIR/install-systemd-multi-user.sh
+  chmod +x $TMPDIR/install-freebsd-multi-user.sh
   chmod +x $TMPDIR/install-multi-user
   dir=nix-${version}-${system}
   fn=$out/$dir.tar.xz
@@ -82,6 +87,7 @@ runCommand "nix-binary-tarball-${version}" env ''
     $TMPDIR/create-darwin-volume.sh \
     $TMPDIR/install-darwin-multi-user.sh \
     $TMPDIR/install-systemd-multi-user.sh \
+    $TMPDIR/install-freebsd-multi-user.sh \
     $TMPDIR/install-multi-user \
     $TMPDIR/reginfo \
     $(cat ${installerClosureInfo}/store-paths)

packaging/components.nix

@@ -54,12 +54,12 @@ let
     preConfigure =
       prevAttrs.preConfigure or ""
       +
-        # Update the repo-global .version file.
-        # Symlink ./.version points there, but by default only workDir is writable.
-        ''
-          chmod u+w ./.version
-          echo ${finalAttrs.version} > ./.version
-        '';
+      # Update the repo-global .version file.
+      # Symlink ./.version points there, but by default only workDir is writable.
+      ''
+        chmod u+w ./.version
+        echo ${finalAttrs.version} > ./.version
+      '';
   };
 
   localSourceLayer =
@@ -148,7 +148,8 @@ let
     nativeBuildInputs = [
       meson
       ninja
-    ] ++ prevAttrs.nativeBuildInputs or [ ];
+    ]
+    ++ prevAttrs.nativeBuildInputs or [ ];
     mesonCheckFlags = prevAttrs.mesonCheckFlags or [ ] ++ [
       "--print-errorlogs"
     ];
@@ -365,18 +366,33 @@ in
 
   nix-cmd = callPackage ../src/libcmd/package.nix { };
 
+  /**
+    The Nix command line interface. Note that this does not include its tests, whereas `nix-everything` does.
+  */
   nix-cli = callPackage ../src/nix/package.nix { version = fineVersion; };
 
   nix-functional-tests = callPackage ../tests/functional/package.nix {
     version = fineVersion;
   };
 
+  /**
+    The manual as would be published on https://nix.dev/reference/nix-manual
+  */
   nix-manual = callPackage ../doc/manual/package.nix { version = fineVersion; };
+  /**
+    Doxygen pages for C++ code
+  */
   nix-internal-api-docs = callPackage ../src/internal-api-docs/package.nix { version = fineVersion; };
+  /**
+    Doxygen pages for the public C API
+  */
   nix-external-api-docs = callPackage ../src/external-api-docs/package.nix { version = fineVersion; };
 
   nix-perl-bindings = callPackage ../src/perl/package.nix { };
 
+  /**
+    Combined package that has the CLI, libraries, and (assuming non-cross, no overrides) it requires that all tests succeed.
+  */
   nix-everything = callPackage ../packaging/everything.nix { } // {
     # Note: no `passthru.overrideAllMesonComponents` etc
     #       This would propagate into `nix.overrideAttrs f`, but then discard

packaging/dependencies.nix

@@ -50,9 +50,31 @@ scope: {
         requiredSystemFeatures = [ ];
       };
 
-  boehmgc = pkgs.boehmgc.override {
-    enableLargeConfig = true;
-  };
+  boehmgc =
+    (pkgs.boehmgc.override {
+      enableLargeConfig = true;
+    }).overrideAttrs
+      (attrs: {
+        # Increase the initial mark stack size to avoid stack
+        # overflows, since these inhibit parallel marking (see
+        # GC_mark_some()). To check whether the mark stack is too
+        # small, run Nix with GC_PRINT_STATS=1 and look for messages
+        # such as `Mark stack overflow`, `No room to copy back mark
+        # stack`, and `Grew mark stack to ... frames`.
+        NIX_CFLAGS_COMPILE = "-DINITIAL_MARK_STACK_SIZE=1048576";
+      });
+
+  lowdown = pkgs.lowdown.overrideAttrs (prevAttrs: rec {
+    version = "2.0.2";
+    src = pkgs.fetchurl {
+      url = "https://kristaps.bsd.lv/lowdown/snapshots/lowdown-${version}.tar.gz";
+      hash = "sha512-cfzhuF4EnGmLJf5EGSIbWqJItY3npbRSALm+GarZ7SMU7Hr1xw0gtBFMpOdi5PBar4TgtvbnG4oRPh+COINGlA==";
+    };
+    nativeBuildInputs = prevAttrs.nativeBuildInputs ++ [ pkgs.buildPackages.bmake ];
+    postInstall =
+      lib.replaceStrings [ "lowdown.so.1" "lowdown.1.dylib" ] [ "lowdown.so.2" "lowdown.2.dylib" ]
+        prevAttrs.postInstall;
+  });
 
   # TODO Hack until https://github.com/NixOS/nixpkgs/issues/45462 is fixed.
   boost =
@@ -62,6 +84,7 @@ scope: {
         "--with-context"
         "--with-coroutine"
         "--with-iostreams"
+        "--with-url"
       ];
       enableIcu = false;
     }).overrideAttrs

packaging/dev-shell.nix

@@ -71,17 +71,16 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
     # We use this shell with the local checkout, not unpackPhase.
     src = null;
 
-    env =
-      {
-        # For `make format`, to work without installing pre-commit
-        _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
-          modular.pre-commit.settings.rawConfig
-        }";
-      }
-      // lib.optionalAttrs stdenv.hostPlatform.isLinux {
-        CC_LD = "mold";
-        CXX_LD = "mold";
-      };
+    env = {
+      # For `make format`, to work without installing pre-commit
+      _NIX_PRE_COMMIT_HOOKS_CONFIG = "${(pkgs.formats.yaml { }).generate "pre-commit-config.yaml"
+        modular.pre-commit.settings.rawConfig
+      }";
+    }
+    // lib.optionalAttrs stdenv.hostPlatform.isLinux {
+      CC_LD = "mold";
+      CXX_LD = "mold";
+    };
 
     mesonFlags =
       map (transformFlag "libutil") (ignoreCrossFile pkgs.nixComponents2.nix-util.mesonFlags)
@@ -119,22 +118,25 @@ pkgs.nixComponents2.nix-util.overrideAttrs (
         modular.pre-commit.settings.package
         (pkgs.writeScriptBin "pre-commit-hooks-install" modular.pre-commit.settings.installationScript)
         pkgs.buildPackages.nixfmt-rfc-style
+        pkgs.buildPackages.gdb
       ]
       ++ lib.optional (stdenv.cc.isClang && stdenv.hostPlatform == stdenv.buildPlatform) (
         lib.hiPrio pkgs.buildPackages.clang-tools
       )
       ++ lib.optional stdenv.hostPlatform.isLinux pkgs.buildPackages.mold-wrapped;
 
-    buildInputs =
-      attrs.buildInputs or [ ]
-      ++ pkgs.nixComponents2.nix-util.buildInputs
-      ++ pkgs.nixComponents2.nix-store.buildInputs
-      ++ pkgs.nixComponents2.nix-store-tests.externalBuildInputs
-      ++ pkgs.nixComponents2.nix-fetchers.buildInputs
-      ++ pkgs.nixComponents2.nix-expr.buildInputs
-      ++ pkgs.nixComponents2.nix-expr.externalPropagatedBuildInputs
-      ++ pkgs.nixComponents2.nix-cmd.buildInputs
-      ++ lib.optionals havePerl pkgs.nixComponents2.nix-perl-bindings.externalBuildInputs
-      ++ lib.optional havePerl pkgs.perl;
+    buildInputs = [
+      pkgs.gbenchmark
+    ]
+    ++ attrs.buildInputs or [ ]
+    ++ pkgs.nixComponents2.nix-util.buildInputs
+    ++ pkgs.nixComponents2.nix-store.buildInputs
+    ++ pkgs.nixComponents2.nix-store-tests.externalBuildInputs
+    ++ pkgs.nixComponents2.nix-fetchers.buildInputs
+    ++ pkgs.nixComponents2.nix-expr.buildInputs
+    ++ pkgs.nixComponents2.nix-expr.externalPropagatedBuildInputs
+    ++ pkgs.nixComponents2.nix-cmd.buildInputs
+    ++ lib.optionals havePerl pkgs.nixComponents2.nix-perl-bindings.externalBuildInputs
+    ++ lib.optional havePerl pkgs.perl;
   }
 )

packaging/everything.nix

@@ -47,25 +47,25 @@
 }:
 
 let
-  libs =
-    {
-      inherit
-        nix-util
-        nix-util-c
-        nix-store
-        nix-store-c
-        nix-fetchers
-        nix-fetchers-c
-        nix-expr
-        nix-expr-c
-        nix-flake
-        nix-flake-c
-        nix-main
-        nix-main-c
-        nix-cmd
-        ;
-    }
-    // lib.optionalAttrs
+  libs = {
+    inherit
+      nix-util
+      nix-util-c
+      nix-store
+      nix-store-c
+      nix-fetchers
+      nix-fetchers-c
+      nix-expr
+      nix-expr-c
+      nix-flake
+      nix-flake-c
+      nix-main
+      nix-main-c
+      nix-cmd
+      ;
+  }
+  //
+    lib.optionalAttrs
       (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
       {
         # Currently fails in static build
@@ -127,20 +127,19 @@ stdenv.mkDerivation (finalAttrs: {
   */
   dontFixup = true;
 
-  checkInputs =
-    [
-      # Make sure the unit tests have passed
-      nix-util-tests.tests.run
-      nix-store-tests.tests.run
-      nix-expr-tests.tests.run
-      nix-fetchers-tests.tests.run
-      nix-flake-tests.tests.run
+  checkInputs = [
+    # Make sure the unit tests have passed
+    nix-util-tests.tests.run
+    nix-store-tests.tests.run
+    nix-expr-tests.tests.run
+    nix-fetchers-tests.tests.run
+    nix-flake-tests.tests.run
 
-      # Make sure the functional tests have passed
-      nix-functional-tests
-    ]
-    ++ lib.optionals
-      (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
+    # Make sure the functional tests have passed
+    nix-functional-tests
+  ]
+  ++
+    lib.optionals (!stdenv.hostPlatform.isStatic && stdenv.buildPlatform.canExecute stdenv.hostPlatform)
       [
         # Perl currently fails in static build
         # TODO: Split out tests into a separate derivation?

packaging/hydra.nix

@@ -223,10 +223,17 @@ in
   dockerImage = lib.genAttrs linux64BitSystems (system: self.packages.${system}.dockerImage);
 
   # # Line coverage analysis.
-  # coverage = nixpkgsFor.x86_64-linux.native.nix.override {
-  #   pname = "nix-coverage";
-  #   withCoverageChecks = true;
-  # };
+  coverage =
+    (import ./../ci/gha/tests rec {
+      withCoverage = true;
+      pkgs = nixpkgsFor.x86_64-linux.nativeForStdenv.clangStdenv;
+      nixComponents = pkgs.nixComponents2;
+      nixFlake = null;
+      getStdenv = p: p.clangStdenv;
+    }).codeCoverage.coverageReports.overrideAttrs
+      {
+        name = "nix-coverage"; # For historical consistency
+      };
 
   # Nix's manual
   manual = nixpkgsFor.x86_64-linux.native.nixComponents2.nix-manual;
@@ -240,7 +247,9 @@ in
   # System tests.
   tests =
     import ../tests/nixos {
-      inherit lib nixpkgs nixpkgsFor;
+      inherit lib nixpkgs;
+      pkgs = nixpkgsFor.x86_64-linux.native;
+      nixComponents = nixpkgsFor.x86_64-linux.native.nixComponents2;
       inherit (self.inputs) nixpkgs-23-11;
     }
     // {

scripts/install-freebsd-multi-user.sh

@@ -0,0 +1,173 @@
+#!/usr/bin/env bash
+
+set -eu
+set -o pipefail
+
+# System specific settings
+# FreeBSD typically uses UIDs from 1001+ for regular users,
+# so we'll use a range that's unlikely to conflict
+export NIX_FIRST_BUILD_UID="${NIX_FIRST_BUILD_UID:-30001}"
+export NIX_BUILD_GROUP_ID="${NIX_BUILD_GROUP_ID:-30000}"
+export NIX_BUILD_USER_NAME_TEMPLATE="nixbld%d"
+
+# FreeBSD service paths
+readonly SERVICE_SRC=/etc/rc.d/nix-daemon
+readonly SERVICE_DEST=/usr/local/etc/rc.d/nix-daemon
+
+poly_cure_artifacts() {
+    :
+}
+
+poly_service_installed_check() {
+    if [ -f "$SERVICE_DEST" ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
+poly_service_uninstall_directions() {
+    cat <<EOF
+$1. Delete the rc.d service
+
+  sudo service nix-daemon stop
+  sudo rm -f $SERVICE_DEST
+  sudo sysrc -x nix_daemon_enable
+
+EOF
+}
+
+poly_service_setup_note() {
+    cat <<EOF
+ - link the nix-daemon rc.d service to $SERVICE_DEST
+
+EOF
+}
+
+poly_extra_try_me_commands() {
+    cat <<EOF
+  $ sudo service nix-daemon start
+EOF
+}
+
+poly_configure_nix_daemon_service() {
+    task "Setting up the nix-daemon rc.d service"
+
+    # Ensure the rc.d directory exists
+    _sudo "to create the rc.d directory" \
+          mkdir -p /usr/local/etc/rc.d
+
+    # Link the pre-installed rc.d script
+    _sudo "to set up the nix-daemon service" \
+          ln -sfn "/nix/var/nix/profiles/default$SERVICE_SRC" "$SERVICE_DEST"
+
+    _sudo "to enable the nix-daemon service" \
+          sysrc nix_daemon_enable=YES
+
+    _sudo "to start the nix-daemon" \
+          service nix-daemon start
+}
+
+poly_group_exists() {
+    pw group show "$1" > /dev/null 2>&1
+}
+
+poly_group_id_get() {
+    pw group show "$1" | cut -d: -f3
+}
+
+poly_create_build_group() {
+    _sudo "Create the Nix build group, $NIX_BUILD_GROUP_NAME" \
+          pw groupadd -n "$NIX_BUILD_GROUP_NAME" -g "$NIX_BUILD_GROUP_ID" >&2
+}
+
+poly_user_exists() {
+    pw user show "$1" > /dev/null 2>&1
+}
+
+poly_user_id_get() {
+    pw user show "$1" | cut -d: -f3
+}
+
+poly_user_hidden_get() {
+    # FreeBSD doesn't have a concept of hidden users like macOS
+    echo "0"
+}
+
+poly_user_hidden_set() {
+    # No-op on FreeBSD
+    true
+}
+
+poly_user_home_get() {
+    pw user show "$1" | cut -d: -f9
+}
+
+poly_user_home_set() {
+    _sudo "in order to give $1 a safe home directory" \
+          pw usermod -n "$1" -d "$2"
+}
+
+poly_user_note_get() {
+    pw user show "$1" | cut -d: -f8
+}
+
+poly_user_note_set() {
+    _sudo "in order to give $1 a useful comment" \
+          pw usermod -n "$1" -c "$2"
+}
+
+poly_user_shell_get() {
+    pw user show "$1" | cut -d: -f10
+}
+
+poly_user_shell_set() {
+    _sudo "in order to prevent $1 from logging in" \
+          pw usermod -n "$1" -s "$2"
+}
+
+poly_user_in_group_check() {
+    groups "$1" 2>/dev/null | grep -q "\<$2\>"
+}
+
+poly_user_in_group_set() {
+    _sudo "Add $1 to the $2 group" \
+          pw groupmod -n "$2" -m "$1"
+}
+
+poly_user_primary_group_get() {
+    pw user show "$1" | cut -d: -f4
+}
+
+poly_user_primary_group_set() {
+    _sudo "to let the nix daemon use this user for builds" \
+          pw usermod -n "$1" -g "$2"
+}
+
+poly_create_build_user() {
+    username=$1
+    uid=$2
+    builder_num=$3
+
+    _sudo "Creating the Nix build user, $username" \
+          pw useradd \
+          -n "$username" \
+          -u "$uid" \
+          -g "$NIX_BUILD_GROUP_NAME" \
+          -G "$NIX_BUILD_GROUP_NAME" \
+          -d /var/empty \
+          -s /sbin/nologin \
+          -c "Nix build user $builder_num"
+}
+
+poly_prepare_to_install() {
+    # FreeBSD-specific preparation steps
+    :
+}
+
+poly_configure_default_profile_targets() {
+    # FreeBSD-specific profile locations
+    # FreeBSD uses /usr/local/etc for third-party shell configurations
+    # Include both profile (for login shells) and bashrc (for interactive shells)
+    echo "/usr/local/etc/profile /usr/local/etc/bashrc /usr/local/etc/profile.d/nix.sh /usr/local/etc/zshrc"
+}

scripts/install-multi-user.sh

@@ -33,7 +33,8 @@ readonly NIX_BUILD_GROUP_NAME="nixbld"
 readonly NIX_ROOT="/nix"
 readonly NIX_EXTRA_CONF=${NIX_EXTRA_CONF:-}
 
-readonly PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshrc" "/etc/bash.bashrc" "/etc/zsh/zshrc")
+# PROFILE_TARGETS will be set later after OS-specific scripts are loaded
+PROFILE_TARGETS=()
 readonly PROFILE_BACKUP_SUFFIX=".backup-before-nix"
 readonly PROFILE_NIX_FILE="$NIX_ROOT/var/nix/profiles/default/etc/profile.d/nix-daemon.sh"
 
@@ -99,6 +100,14 @@ is_os_darwin() {
     fi
 }
 
+is_os_freebsd() {
+    if [ "$(uname -s)" = "FreeBSD" ]; then
+        return 0
+    else
+        return 1
+    fi
+}
+
 contact_us() {
     echo "You can open an issue at"
     echo "https://github.com/NixOS/nix/issues/new?labels=installer&template=installer.md"
@@ -498,6 +507,10 @@ You have aborted the installation.
 EOF
         fi
     fi
+
+    if is_os_freebsd; then
+        ok "Detected FreeBSD, will set up rc.d service for nix-daemon"
+    fi
 }
 
 setup_report() {
@@ -834,7 +847,7 @@ install_from_extracted_nix() {
     (
         cd "$EXTRACTED_NIX_PATH"
 
-        if is_os_darwin; then
+        if is_os_darwin || is_os_freebsd; then
             _sudo "to copy the basic Nix files to the new store at $NIX_ROOT/store" \
                   cp -RPp ./store/* "$NIX_ROOT/store/"
         else
@@ -989,11 +1002,22 @@ main() {
         # shellcheck source=./install-systemd-multi-user.sh
         . "$EXTRACTED_NIX_PATH/install-systemd-multi-user.sh" # most of this works on non-systemd distros also
         check_required_system_specific_settings "install-systemd-multi-user.sh"
+    elif is_os_freebsd; then
+        # shellcheck source=./install-freebsd-multi-user.sh
+        . "$EXTRACTED_NIX_PATH/install-freebsd-multi-user.sh"
+        check_required_system_specific_settings "install-freebsd-multi-user.sh"
     else
         failure "Sorry, I don't know what to do on $(uname)"
     fi
 
 
+    # Set profile targets after OS-specific scripts are loaded
+    if command -v poly_configure_default_profile_targets > /dev/null 2>&1; then
+        PROFILE_TARGETS=($(poly_configure_default_profile_targets))
+    else
+        PROFILE_TARGETS=("/etc/bashrc" "/etc/profile.d/nix.sh" "/etc/zshrc" "/etc/bash.bashrc" "/etc/zsh/zshrc")
+    fi
+
     welcome_to_nix
 
     if ! is_root; then

scripts/install-nix-from-tarball.sh

@@ -26,8 +26,10 @@ if [ -z "$HOME" ]; then
     exit 1
 fi
 
+OS="$(uname -s)"
+
 # macOS support for 10.12.6 or higher
-if [ "$(uname -s)" = "Darwin" ]; then
+if [ "$OS" = "Darwin" ]; then
     IFS='.' read -r macos_major macos_minor macos_patch << EOF
 $(sw_vers -productVersion)
 EOF
@@ -39,11 +41,11 @@ EOF
 fi
 
 # Determine if we could use the multi-user installer or not
-if [ "$(uname -s)" = "Linux" ]; then
-    echo "Note: a multi-user installation is possible. See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation" >&2
+if [ "$OS" = "Linux" ] || [ "$OS" = "FreeBSD" ]; then
+    echo "Note: a multi-user installation is possible. See https://nix.dev/manual/nix/stable/installation/installing-binary.html#multi-user-installation" >&2
 fi
 
-case "$(uname -s)" in
+case "$OS" in
     "Darwin")
         INSTALL_MODE=daemon;;
     *)
@@ -60,7 +62,7 @@ while [ $# -gt 0 ]; do
             ACTION=install
             ;;
         --no-daemon)
-            if [ "$(uname -s)" = "Darwin" ]; then
+            if [ "$OS" = "Darwin" ]; then
                 printf '\e[1;31mError: --no-daemon installs are no-longer supported on Darwin/macOS!\e[0m\n' >&2
                 exit 1
             fi
@@ -96,7 +98,7 @@ while [ $# -gt 0 ]; do
                 echo "              providing multi-user support and better isolation for local builds."
                 echo "              Both for security and reproducibility, this method is recommended if"
                 echo "              supported on your platform."
-                echo "              See https://nixos.org/manual/nix/stable/installation/installing-binary.html#multi-user-installation"
+                echo "              See https://nix.dev/manual/nix/stable/installation/installing-binary.html#multi-user-installation"
                 echo ""
                 echo " --no-daemon: Simple, single-user installation that does not require root and is"
                 echo "              trivial to uninstall."
@@ -123,6 +125,13 @@ while [ $# -gt 0 ]; do
 done
 
 if [ "$INSTALL_MODE" = "daemon" ]; then
+    # Check for bash on systems that don't have it by default
+    if [ "$OS" = "FreeBSD" ] && ! command -v bash >/dev/null 2>&1; then
+        printf '\e[1;31mError: bash is required for multi-user installation but was not found.\e[0m\n' >&2
+        printf 'Please install bash first:\n' >&2
+        printf '  pkg install bash\n' >&2
+        exit 1
+    fi
     printf '\e[1;31mSwitching to the Multi-user Installer\e[0m\n'
     exec "$self/install-multi-user" $ACTION
     exit 0
@@ -144,7 +153,7 @@ if ! [ -e "$dest" ]; then
 fi
 
 if ! [ -w "$dest" ]; then
-    echo "$0: directory $dest exists, but is not writable by you. This could indicate that another user has already performed a single-user installation of Nix on this system. If you wish to enable multi-user support see https://nixos.org/manual/nix/stable/installation/multi-user.html. If you wish to continue with a single-user install for $USER please run 'chown -R $USER $dest' as root." >&2
+    echo "$0: directory $dest exists, but is not writable by you. This could indicate that another user has already performed a single-user installation of Nix on this system. If you wish to enable multi-user support see https://nix.dev/manual/nix/stable/installation/multi-user.html. If you wish to continue with a single-user install for $USER please run 'chown -R $USER $dest' as root." >&2
     exit 1
 fi
 
@@ -167,7 +176,7 @@ for i in $(cd "$self/store" >/dev/null && echo ./*); do
         rm -rf "$i_tmp"
     fi
     if ! [ -e "$dest/store/$i" ]; then
-        if [ "$(uname -s)" = "Darwin" ]; then
+        if [ "$OS" = "Darwin" ] || [ "$OS" = "FreeBSD" ]; then
             cp -RPp "$self/store/$i" "$i_tmp"
         else
             cp -RP --preserve=ownership,timestamps "$self/store/$i" "$i_tmp"

scripts/meson.build

@@ -2,19 +2,19 @@ configure_file(
   input : 'nix-profile.sh.in',
   output : 'nix-profile.sh',
   configuration : {
-    'localstatedir': localstatedir,
-  }
+    'localstatedir' : localstatedir,
+  },
 )
 
 foreach rc : [ '.sh', '.fish', '-daemon.sh', '-daemon.fish' ]
   configure_file(
-    input : 'nix-profile' + rc  + '.in',
+    input : 'nix-profile' + rc + '.in',
     output : 'nix' + rc,
     install : true,
     install_dir : get_option('profile-dir'),
     install_mode : 'rw-r--r--',
     configuration : {
-      'localstatedir': localstatedir,
+      'localstatedir' : localstatedir,
     },
   )
 endforeach

scripts/serve-installer-for-github-actions

@@ -1,22 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-if [[ ! -d out ]]; then
-  echo "run prepare-installer-for-github-actions first"
-  exit 1
-fi
-cd out
-PORT=${PORT:-8126}
-nohup python -m http.server "$PORT" >/dev/null 2>&1 &
-pid=$!
-
-while ! curl -s "http://localhost:$PORT"; do
-  sleep 1
-  if ! kill -0 $pid; then
-    echo "Failed to start http server"
-    exit 1
-  fi
-done
-
-echo 'To install nix, run the following command:'
-echo "sh <(curl http://localhost:$PORT/install) --tarball-url-prefix http://localhost:$PORT"

src/external-api-docs/meson.build

@@ -1,4 +1,5 @@
-project('nix-external-api-docs',
+project(
+  'nix-external-api-docs',
   version : files('.version'),
   meson_version : '>= 1.1',
   license : 'LGPL-2.1-or-later',
@@ -10,7 +11,7 @@ doxygen_cfg = configure_file(
   input : 'doxygen.cfg.in',
   output : 'doxygen.cfg',
   configuration : {
-    'PROJECT_NUMBER': meson.project_version(),
+    'PROJECT_NUMBER' : meson.project_version(),
     'OUTPUT_DIRECTORY' : meson.current_build_dir(),
     'src' : fs.parent(fs.parent(meson.project_source_root())),
   },
@@ -20,7 +21,7 @@ doxygen = find_program('doxygen', native : true, required : true)
 
 custom_target(
   'external-api-docs',
-  command : [ doxygen , doxygen_cfg ],
+  command : [ doxygen, doxygen_cfg ],
   input : [
     doxygen_cfg,
   ],

src/internal-api-docs/doxygen.cfg.in

@@ -57,9 +57,7 @@ INPUT                  = \
   @src@/libutil/args \
   @src@/libutil-tests \
   @src@/libutil-test-support/tests \
-  @src@/nix \
-  @src@/nix-env \
-  @src@/nix-store
+  @src@/nix
 
 # If the MACRO_EXPANSION tag is set to YES, doxygen will expand all macro names
 # in the source code. If set to NO, only conditional compilation will be

src/internal-api-docs/meson.build

@@ -1,4 +1,5 @@
-project('nix-internal-api-docs',
+project(
+  'nix-internal-api-docs',
   version : files('.version'),
   meson_version : '>= 1.1',
   license : 'LGPL-2.1-or-later',
@@ -10,7 +11,7 @@ doxygen_cfg = configure_file(
   input : 'doxygen.cfg.in',
   output : 'doxygen.cfg',
   configuration : {
-    'PROJECT_NUMBER': meson.project_version(),
+    'PROJECT_NUMBER' : meson.project_version(),
     'OUTPUT_DIRECTORY' : meson.current_build_dir(),
     'BUILD_ROOT' : meson.build_root(),
     'src' : fs.parent(fs.parent(meson.project_source_root())) / 'src',
@@ -21,7 +22,7 @@ doxygen = find_program('doxygen', native : true, required : true)
 
 custom_target(
   'internal-api-docs',
-  command : [ doxygen , doxygen_cfg ],
+  command : [ doxygen, doxygen_cfg ],
   input : [
     doxygen_cfg,
   ],

src/libcmd/include/nix/cmd/common-eval-args.hh

@@ -82,7 +82,7 @@ private:
 };
 
 /**
- * @param baseDir Optional [base directory](https://nixos.org/manual/nix/unstable/glossary#gloss-base-directory)
+ * @param baseDir Optional [base directory](https://nix.dev/manual/nix/development/glossary#gloss-base-directory)
  */
 SourcePath lookupFileArg(EvalState & state, std::string_view s, const Path * baseDir = nullptr);
 

src/libcmd/include/nix/cmd/meson.build

@@ -1,6 +1,6 @@
 # Public headers directory
 
-include_dirs = [include_directories('../..')]
+include_dirs = [ include_directories('../..') ]
 
 headers = files(
   'built-path.hh',

src/libcmd/installable-attr-path.cc

@@ -89,7 +89,8 @@ DerivedPathsWithInfo InstallableAttrPath::toDerivedPaths()
     }
 
     DerivedPathsWithInfo res;
-    for (auto & [drvPath, outputs] : byDrvPath)
+    for (auto & [drvPath, outputs] : byDrvPath) {
+        state->waitForPath(drvPath);
         res.push_back({
             .path =
                 DerivedPath::Built{
@@ -102,6 +103,7 @@ DerivedPathsWithInfo InstallableAttrPath::toDerivedPaths()
                    so we can fill in this info. */
             }),
         });
+    }
 
     return res;
 }

src/libcmd/installable-flake.cc

@@ -102,6 +102,7 @@ DerivedPathsWithInfo InstallableFlake::toDerivedPaths()
     }
 
     auto drvPath = attr->forceDerivation();
+    state->waitForPath(drvPath);
 
     std::optional<NixInt::Inner> priority;
 

src/libcmd/markdown.cc

@@ -37,9 +37,17 @@ static std::string doRenderMarkdownToTerminal(std::string_view markdown)
         .vmargin = 0,
 #  endif
         .feat = LOWDOWN_COMMONMARK | LOWDOWN_FENCED | LOWDOWN_DEFLIST | LOWDOWN_TABLES,
-        .oflags = LOWDOWN_TERM_NOLINK,
+        .oflags =
+#  if HAVE_LOWDOWN_1_4
+            LOWDOWN_TERM_NORELLINK // To render full links while skipping relative ones
+#  else
+            LOWDOWN_TERM_NOLINK
+#  endif
     };
 
+    if (!isTTY())
+        opts.oflags |= LOWDOWN_TERM_NOANSI;
+
     auto doc = lowdown_doc_new(&opts);
     if (!doc)
         throw Error("cannot allocate Markdown document");
@@ -65,7 +73,7 @@ static std::string doRenderMarkdownToTerminal(std::string_view markdown)
     if (!rndr_res)
         throw Error("allocation error while rendering Markdown");
 
-    return filterANSIEscapes(std::string(buf->data, buf->size), !isTTY());
+    return std::string(buf->data, buf->size);
 }
 
 std::string renderMarkdownToTerminal(std::string_view markdown)

src/libcmd/meson.build

@@ -1,7 +1,9 @@
-project('nix-cmd', 'cpp',
+project(
+  'nix-cmd',
+  'cpp',
   version : files('.version'),
   default_options : [
-    'cpp_std=c++2a',
+    'cpp_std=c++23',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
     'errorlogs=true', # Please print logs for tests that fail
@@ -16,8 +18,7 @@ subdir('nix-meson-build-support/deps-lists')
 
 configdata = configuration_data()
 
-deps_private_maybe_subproject = [
-]
+deps_private_maybe_subproject = []
 deps_public_maybe_subproject = [
   dependency('nix-util'),
   dependency('nix-store'),
@@ -31,11 +32,18 @@ subdir('nix-meson-build-support/subprojects')
 nlohmann_json = dependency('nlohmann_json', version : '>= 3.9')
 deps_public += nlohmann_json
 
-lowdown = dependency('lowdown', version : '>= 0.9.0', required : get_option('markdown'))
+lowdown = dependency(
+  'lowdown',
+  version : '>= 0.9.0',
+  required : get_option('markdown'),
+)
 deps_private += lowdown
 configdata.set('HAVE_LOWDOWN', lowdown.found().to_int())
 # The API changed slightly around terminal initialization.
-configdata.set('HAVE_LOWDOWN_1_4', lowdown.version().version_compare('>= 1.4.0').to_int())
+configdata.set(
+  'HAVE_LOWDOWN_1_4',
+  lowdown.version().version_compare('>= 1.4.0').to_int(),
+)
 
 readline_flavor = get_option('readline-flavor')
 if readline_flavor == 'editline'
@@ -50,7 +58,7 @@ endif
 configdata.set(
   'USE_READLINE',
   (readline_flavor == 'readline').to_int(),
-  description: 'Use readline instead of editline',
+  description : 'Use readline instead of editline',
 )
 
 config_priv_h = configure_file(
@@ -89,9 +97,10 @@ this_library = library(
   config_priv_h,
   dependencies : deps_public + deps_private + deps_other,
   include_directories : include_dirs,
-  link_args: linker_export_flags,
+  link_args : linker_export_flags,
   prelink : true, # For C++ static initializers
   install : true,
+  cpp_pch : do_pch ? [ 'pch/precompiled-headers.hh' ] : [],
 )
 
 install_headers(headers, subdir : 'nix/cmd', preserve_path : true)

src/libcmd/meson.options

@@ -2,14 +2,14 @@
 
 option(
   'markdown',
-  type: 'feature',
-  description: 'Enable Markdown rendering in the Nix binary (requires lowdown)',
+  type : 'feature',
+  description : 'Enable Markdown rendering in the Nix binary (requires lowdown)',
 )
 
 option(
   'readline-flavor',
   type : 'combo',
-  choices : ['editline', 'readline'],
+  choices : [ 'editline', 'readline' ],
   value : 'editline',
   description : 'Which library to use for nice line editing with the Nix language REPL',
 )

src/libcmd/package.nix

@@ -53,7 +53,8 @@ mkMesonLibrary (finalAttrs: {
 
   buildInputs = [
     ({ inherit editline readline; }.${readlineFlavor})
-  ] ++ lib.optional enableMarkdown lowdown;
+  ]
+  ++ lib.optional enableMarkdown lowdown;
 
   propagatedBuildInputs = [
     nix-util

src/libcmd/pch/precompiled-headers.hh

@@ -0,0 +1,4 @@
+#include "nix/cmd/installables.hh"
+#include "nix/expr/eval.hh"
+#include "nix/util/util.hh"
+#include "nix/flake/flake.hh"

src/libcmd/repl.cc

@@ -333,6 +333,7 @@ StorePath NixRepl::getDerivationPath(Value & v)
     auto drvPath = packageInfo->queryDrvPath();
     if (!drvPath)
         throw Error("expression did not evaluate to a valid derivation (no 'drvPath' attribute)");
+    state->waitForPath(*drvPath);
     if (!state->store->isValidPath(*drvPath))
         throw Error("expression evaluated to invalid derivation '%s'", state->store->printStorePath(*drvPath));
     return *drvPath;
@@ -574,14 +575,15 @@ ProcessLineResult NixRepl::processLine(std::string line)
             for (auto & sub : subs) {
                 auto * logSubP = dynamic_cast<LogStore *>(&*sub);
                 if (!logSubP) {
-                    printInfo("Skipped '%s' which does not support retrieving build logs", sub->getUri());
+                    printInfo(
+                        "Skipped '%s' which does not support retrieving build logs", sub->config.getHumanReadableURI());
                     continue;
                 }
                 auto & logSub = *logSubP;
 
                 auto log = logSub.getBuildLog(drvPath);
                 if (log) {
-                    printInfo("got build log for '%s' from '%s'", drvPathRaw, logSub.getUri());
+                    printInfo("got build log for '%s' from '%s'", drvPathRaw, logSub.config.getHumanReadableURI());
                     logger->writeToStdout(*log);
                     foundLog = true;
                     break;
@@ -915,6 +917,7 @@ ReplExitStatus AbstractNixRepl::runSimple(ref<EvalState> evalState, const ValMap
         return values;
     };
     LookupPath lookupPath = {};
+    // NOLINTNEXTLINE(clang-analyzer-cplusplus.NewDelete)
     auto repl = std::make_unique<NixRepl>(
         lookupPath,
         openStore(),

src/libexpr-c/meson.build

@@ -1,7 +1,9 @@
-project('nix-expr-c', 'cpp',
+project(
+  'nix-expr-c',
+  'cpp',
   version : files('.version'),
   default_options : [
-    'cpp_std=c++2a',
+    'cpp_std=c++23',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
     'errorlogs=true', # Please print logs for tests that fail
@@ -33,7 +35,7 @@ sources = files(
   'nix_api_value.cc',
 )
 
-include_dirs = [include_directories('.')]
+include_dirs = [ include_directories('.') ]
 
 headers = files(
   'nix_api_expr.h',
@@ -50,7 +52,7 @@ this_library = library(
   sources,
   dependencies : deps_public + deps_private + deps_other,
   include_directories : include_dirs,
-  link_args: linker_export_flags,
+  link_args : linker_export_flags,
   prelink : true, # For C++ static initializers
   install : true,
 )

src/libexpr-c/nix_api_expr.cc

@@ -69,6 +69,7 @@ nix_err nix_expr_eval_from_string(
         nix::Expr * parsedExpr = state->state.parseExprFromString(expr, state->state.rootPath(nix::CanonPath(path)));
         state->state.eval(parsedExpr, value->value);
         state->state.forceValue(value->value, nix::noPos);
+        state->state.waitForAllPaths();
     }
     NIXC_CATCH_ERRS
 }
@@ -80,6 +81,7 @@ nix_err nix_value_call(nix_c_context * context, EvalState * state, Value * fn, n
     try {
         state->state.callFunction(fn->value, arg->value, value->value, nix::noPos);
         state->state.forceValue(value->value, nix::noPos);
+        state->state.waitForAllPaths();
     }
     NIXC_CATCH_ERRS
 }
@@ -92,6 +94,7 @@ nix_err nix_value_call_multi(
     try {
         state->state.callFunction(fn->value, {(nix::Value **) args, nargs}, value->value, nix::noPos);
         state->state.forceValue(value->value, nix::noPos);
+        state->state.waitForAllPaths();
     }
     NIXC_CATCH_ERRS
 }
@@ -102,6 +105,7 @@ nix_err nix_value_force(nix_c_context * context, EvalState * state, nix_value *
         context->last_err_code = NIX_OK;
     try {
         state->state.forceValue(value->value, nix::noPos);
+        state->state.waitForAllPaths();
     }
     NIXC_CATCH_ERRS
 }
@@ -112,6 +116,7 @@ nix_err nix_value_force_deep(nix_c_context * context, EvalState * state, nix_val
         context->last_err_code = NIX_OK;
     try {
         state->state.forceValueDeep(value->value);
+        state->state.waitForAllPaths();
     }
     NIXC_CATCH_ERRS
 }

src/libexpr-c/nix_api_value.cc

@@ -345,6 +345,7 @@ nix_value * nix_get_attr_byname(nix_c_context * context, const nix_value * value
         if (attr) {
             nix_gc_incref(nullptr, attr->value);
             state->state.forceValue(*attr->value, nix::noPos);
+            state->state.waitForAllPaths();
             return as_nix_value_ptr(attr->value);
         }
         nix_set_err_msg(context, NIX_ERR_KEY, "missing attribute");

src/libexpr-test-support/include/nix/expr/tests/meson.build

@@ -6,5 +6,4 @@ headers = files(
   'libexpr.hh',
   'nix_api_expr.hh',
   'value/context.hh',
-  # hack for trailing newline
 )

src/libexpr-test-support/meson.build

@@ -1,7 +1,9 @@
-project('nix-expr-test-support', 'cpp',
+project(
+  'nix-expr-test-support',
+  'cpp',
   version : files('.version'),
   default_options : [
-    'cpp_std=c++2a',
+    'cpp_std=c++23',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
     'errorlogs=true', # Please print logs for tests that fail
@@ -14,8 +16,7 @@ cxx = meson.get_compiler('cpp')
 
 subdir('nix-meson-build-support/deps-lists')
 
-deps_private_maybe_subproject = [
-]
+deps_private_maybe_subproject = []
 deps_public_maybe_subproject = [
   dependency('nix-util'),
   dependency('nix-util-test-support'),
@@ -47,7 +48,7 @@ this_library = library(
   include_directories : include_dirs,
   # TODO: Remove `-lrapidcheck` when https://github.com/emil-e/rapidcheck/pull/326
   #       is available. See also ../libutil/build.meson
-  link_args: linker_export_flags + ['-lrapidcheck'],
+  link_args : linker_export_flags + [ '-lrapidcheck' ],
   prelink : true, # For C++ static initializers
   install : true,
 )

src/libexpr-test-support/tests/value/context.cc

@@ -1,3 +1,4 @@
+#include <exception> // Needed by rapidcheck on Darwin
 #include <rapidcheck.h>
 
 #include "nix/store/tests/path.hh"

src/libexpr-tests/derived-path.cc

@@ -1,5 +1,6 @@
 #include <nlohmann/json.hpp>
 #include <gtest/gtest.h>
+#include <exception> // Needed by rapidcheck on Darwin
 #include <rapidcheck/gtest.h>
 
 #include "nix/store/tests/derived-path.hh"

src/libexpr-tests/meson.build

@@ -1,7 +1,9 @@
-project('nix-expr-tests', 'cpp',
+project(
+  'nix-expr-tests',
+  'cpp',
   version : files('.version'),
   default_options : [
-    'cpp_std=c++2a',
+    'cpp_std=c++23',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
     'errorlogs=true', # Please print logs for tests that fail
@@ -19,8 +21,7 @@ deps_private_maybe_subproject = [
   dependency('nix-expr-c'),
   dependency('nix-expr-test-support'),
 ]
-deps_public_maybe_subproject = [
-]
+deps_public_maybe_subproject = []
 subdir('nix-meson-build-support/subprojects')
 
 subdir('nix-meson-build-support/export-all-symbols')
@@ -62,7 +63,7 @@ sources = files(
   'value/value.cc',
 )
 
-include_dirs = [include_directories('.')]
+include_dirs = [ include_directories('.') ]
 
 
 this_exe = executable(
@@ -72,15 +73,16 @@ this_exe = executable(
   dependencies : deps_private_subproject + deps_private + deps_other,
   include_directories : include_dirs,
   # TODO: -lrapidcheck, see ../libutil-support/build.meson
-  link_args: linker_export_flags + ['-lrapidcheck'],
+  link_args : linker_export_flags + [ '-lrapidcheck' ],
   install : true,
+  cpp_pch : do_pch ? [ 'pch/precompiled-headers.hh' ] : [],
 )
 
 test(
   meson.project_name(),
   this_exe,
   env : {
-    '_NIX_TEST_UNIT_DATA': meson.current_source_dir() / 'data',
+    '_NIX_TEST_UNIT_DATA' : meson.current_source_dir() / 'data',
   },
   protocol : 'gtest',
 )

src/libexpr-tests/pch/precompiled-headers.hh

@@ -0,0 +1,4 @@
+#include "nix/expr/tests/libexpr.hh"
+
+#include <gtest/gtest.h>
+#include <gmock/gmock.h>

src/libexpr/eval-cache.cc

@@ -708,6 +708,7 @@ StorePath AttrCursor::forceDerivation()
         /* The eval cache contains 'drvPath', but the actual path has
            been garbage-collected. So force it to be regenerated. */
         aDrvPath->forceValue();
+        root->state.waitForPath(drvPath);
         if (!root->state.store->isValidPath(drvPath))
             throw Error(
                 "don't know how to recreate store derivation '%s'!", root->state.store->printStorePath(drvPath));

src/libexpr/eval-gc.cc

@@ -15,8 +15,6 @@
 #    include <pthread_np.h>
 #  endif
 
-#  include <gc/gc.h>
-#  include <gc/gc_cpp.h>
 #  include <gc/gc_allocator.h>
 
 #  include <boost/coroutine2/coroutine.hpp>
@@ -53,6 +51,9 @@ static inline void initGCReal()
 
     GC_INIT();
 
+    /* Enable parallel marking. */
+    GC_allow_register_threads();
+
     /* Register valid displacements in case we are using alignment niches
        for storing the type information. This way tagged pointers are considered
        to be valid, even when they are not aligned. */

src/libexpr/eval-profiler-settings.cc

@@ -1,6 +1,5 @@
 #include "nix/expr/eval-profiler-settings.hh"
 #include "nix/util/configuration.hh"
-#include "nix/util/logging.hh" /* Needs to be included before config-impl.hh */
 #include "nix/util/config-impl.hh"
 #include "nix/util/abstract-setting-to-json.hh"
 

src/libexpr/eval.cc

@@ -21,6 +21,7 @@
 #include "nix/fetchers/fetch-to-store.hh"
 #include "nix/fetchers/tarball.hh"
 #include "nix/fetchers/input-cache.hh"
+#include "nix/store/async-path-writer.hh"
 
 #include "parser-tab.hh"
 
@@ -326,6 +327,7 @@ EvalState::EvalState(
     , debugRepl(nullptr)
     , debugStop(false)
     , trylevel(0)
+    , asyncPathWriter(AsyncPathWriter::make(store))
     , regexCache(makeRegexCache())
 #if NIX_USE_BOEHMGC
     , valueAllocCache(std::allocate_shared<void *>(traceable_allocator<void *>(), nullptr))
@@ -1024,6 +1026,7 @@ std::string EvalState::mkSingleDerivedPathStringRaw(const SingleDerivedPath & p)
                 auto optStaticOutputPath = std::visit(
                     overloaded{
                         [&](const SingleDerivedPath::Opaque & o) {
+                            waitForPath(o.path);
                             auto drv = store->readDerivation(o.path);
                             auto i = drv.outputs.find(b.output);
                             if (i == drv.outputs.end())
@@ -1812,7 +1815,7 @@ void EvalState::autoCallFunction(const Bindings & args, Value & fun, Value & res
 Nix attempted to evaluate a function as a top level expression; in
 this case it must have its arguments supplied either by default
 values, or passed explicitly with '--arg' or '--argstr'. See
-https://nixos.org/manual/nix/stable/language/constructs.html#functions.)",
+https://nix.dev/manual/nix/stable/language/syntax.html#functions.)",
                     symbols[i.name])
                     .atPos(i.pos)
                     .withFrame(*fun.lambda().env, *fun.lambda().fun)
@@ -3249,4 +3252,24 @@ void forceNoNullByte(std::string_view s, std::function<Pos()> pos)
     }
 }
 
+void EvalState::waitForPath(const StorePath & path)
+{
+    asyncPathWriter->waitForPath(path);
+}
+
+void EvalState::waitForPath(const SingleDerivedPath & path)
+{
+    std::visit(
+        overloaded{
+            [&](const DerivedPathOpaque & p) { waitForPath(p.path); },
+            [&](const SingleDerivedPathBuilt & p) { waitForPath(*p.drvPath); },
+        },
+        path.raw());
+}
+
+void EvalState::waitForAllPaths()
+{
+    asyncPathWriter->waitForAllPaths();
+}
+
 } // namespace nix

src/libexpr/include/nix/expr/attr-set.hh

@@ -22,7 +22,7 @@ struct Attr
        way we keep Attr size at two words with no wasted space. */
     Symbol name;
     PosIdx pos;
-    Value * value;
+    Value * value = nullptr;
     Attr(Symbol name, Value * value, PosIdx pos = noPos)
         : name(name)
         , pos(pos)

src/libexpr/include/nix/expr/eval-gc.hh

@@ -3,12 +3,13 @@
 
 #include <cstddef>
 
-// For `NIX_USE_BOEHMGC`, and if that's set, `GC_THREADS`
+// For `NIX_USE_BOEHMGC`
 #include "nix/expr/config.hh"
 
 #if NIX_USE_BOEHMGC
 
 #  define GC_INCLUDE_NEW
+#  define GC_THREADS 1
 
 #  include <gc/gc.h>
 #  include <gc/gc_cpp.h>

src/libexpr/include/nix/expr/eval-inline.hh

@@ -6,9 +6,6 @@
 #include "nix/expr/eval-error.hh"
 #include "nix/expr/eval-settings.hh"
 
-// For `NIX_USE_BOEHMGC`, and if that's set, `GC_THREADS`
-#include "nix/expr/config.hh"
-
 namespace nix {
 
 /**

src/libexpr/include/nix/expr/eval-settings.hh

@@ -327,6 +327,21 @@ struct EvalSettings : Config
 
           This option can be enabled by setting `NIX_ABORT_ON_WARN=1` in the environment.
         )"};
+
+    Setting<bool> warnShortPathLiterals{
+        this,
+        false,
+        "warn-short-path-literals",
+        R"(
+          If set to true, the Nix evaluator will warn when encountering relative path literals
+          that don't start with `./` or `../`.
+
+          For example, with this setting enabled, `foo/bar` would emit a warning
+          suggesting to use `./foo/bar` instead.
+
+          This is useful for improving code readability and making path literals
+          more explicit.
+    )"};
 };
 
 /**

src/libexpr/include/nix/expr/eval.hh

@@ -45,6 +45,7 @@ class StorePath;
 struct SingleDerivedPath;
 enum RepairFlag : bool;
 struct MemorySourceAccessor;
+struct AsyncPathWriter;
 
 namespace eval_cache {
 class EvalCache;
@@ -320,6 +321,8 @@ public:
     std::list<DebugTrace> debugTraces;
     std::map<const Expr *, const std::shared_ptr<const StaticEnv>> exprEnvs;
 
+    ref<AsyncPathWriter> asyncPathWriter;
+
     const std::shared_ptr<const StaticEnv> getStaticEnv(const Expr & expr) const
     {
         auto i = exprEnvs.find(&expr);
@@ -907,6 +910,10 @@ public:
 
     DocComment getDocCommentForPos(PosIdx pos);
 
+    void waitForPath(const StorePath & path);
+    void waitForPath(const SingleDerivedPath & path);
+    void waitForAllPaths();
+
 private:
 
     /**

src/libexpr/include/nix/expr/meson.build

@@ -1,13 +1,13 @@
 # Public headers directory
 
-include_dirs = [include_directories('../..')]
+include_dirs = [ include_directories('../..') ]
 
 config_pub_h = configure_file(
   configuration : configdata_pub,
   output : 'config.hh',
 )
 
-headers = [config_pub_h] + files(
+headers = [ config_pub_h ] + files(
   'attr-path.hh',
   'attr-set.hh',
   'eval-cache.hh',

src/libexpr/meson.build

@@ -1,7 +1,9 @@
-project('nix-expr', 'cpp',
+project(
+  'nix-expr',
+  'cpp',
   version : files('.version'),
   default_options : [
-    'cpp_std=c++2a',
+    'cpp_std=c++23',
     # TODO(Qyriad): increase the warning level
     'warning_level=1',
     'errorlogs=true', # Please print logs for tests that fail
@@ -17,8 +19,7 @@ subdir('nix-meson-build-support/deps-lists')
 configdata_pub = configuration_data()
 configdata_priv = configuration_data()
 
-deps_private_maybe_subproject = [
-]
+deps_private_maybe_subproject = []
 deps_public_maybe_subproject = [
   dependency('nix-util'),
   dependency('nix-store'),
@@ -39,8 +40,8 @@ endforeach
 
 boost = dependency(
   'boost',
-  modules : ['container', 'context'],
-  include_type: 'system',
+  modules : [ 'container', 'context' ],
+  include_type : 'system',
 )
 # boost is a public dependency, but not a pkg-config dependency unfortunately, so we
 # put in `deps_other`.
@@ -60,8 +61,6 @@ if bdw_gc.found()
     define_value = cxx.has_function(funcspec).to_int()
     configdata_priv.set(define_name, define_value)
   endforeach
-  # Affects ABI, because it changes what bdw_gc itself does!
-  configdata_pub.set('GC_THREADS', 1)
 endif
 # Used in public header. Affects ABI!
 configdata_pub.set('NIX_USE_BOEHMGC', bdw_gc.found().to_int())
@@ -70,7 +69,7 @@ toml11 = dependency(
   'toml11',
   version : '>=3.7.0',
   method : 'cmake',
-  include_type: 'system',
+  include_type : 'system',
 )
 deps_other += toml11
 
@@ -113,8 +112,7 @@ lexer_tab = custom_target(
   command : [
     'flex',
     '-Cf', # Use full scanner tables
-    '--outfile',
-    '@OUTPUT0@',
+    '--outfile', '@OUTPUT0@',
     '--header-file=' + '@OUTPUT1@',
     '@INPUT0@',
   ],
@@ -175,9 +173,10 @@ this_library = library(
   generated_headers,
   dependencies : deps_public + deps_private + deps_other,
   include_directories : include_dirs,
-  link_args: linker_export_flags,
+  link_args : linker_export_flags,
   prelink : true, # For C++ static initializers
   install : true,
+  cpp_pch : do_pch ? [ 'pch/precompiled-headers.hh' ] : [],
 )
 
 install_headers(headers, subdir : 'nix/expr', preserve_path : true)

src/libexpr/meson.options

@@ -1,3 +1,5 @@
-option('gc', type : 'feature',
+option(
+  'gc',
+  type : 'feature',
   description : 'enable garbage collection in the Nix expression evaluator (requires Boehm GC)',
 )

src/libexpr/package.nix

@@ -70,13 +70,15 @@ mkMesonLibrary (finalAttrs: {
     nix-util
     nix-store
     nix-fetchers
-  ] ++ finalAttrs.passthru.externalPropagatedBuildInputs;
+  ]
+  ++ finalAttrs.passthru.externalPropagatedBuildInputs;
 
   # Hack for sake of the dev shell
   passthru.externalPropagatedBuildInputs = [
     boost
     nlohmann_json
-  ] ++ lib.optional enableGC boehmgc;
+  ]
+  ++ lib.optional enableGC boehmgc;
 
   mesonFlags = [
     (lib.mesonEnable "gc" enableGC)

src/libexpr/parser.y

@@ -365,6 +365,15 @@ string_parts_interpolated
 path_start
   : PATH {
     std::string_view literal({$1.p, $1.l});
+
+    /* check for short path literals */
+    if (state->settings.warnShortPathLiterals && literal.front() != '/' && literal.front() != '.') {
+        logWarning({
+            .msg = HintFmt("relative path literal '%s' should be prefixed with '.' for clarity: './%s'. (" ANSI_BOLD "warn-short-path-literals" ANSI_NORMAL " = true)", literal, literal),
+            .pos = state->positions[CUR_POS]
+        });
+    }
+
     Path path(absPath(literal, state->basePath.path.abs()));
     /* add back in the trailing '/' to the first segment */
     if (literal.size() > 1 && literal.back() == '/')

src/libexpr/pch/precompiled-headers.hh

@@ -0,0 +1 @@
+#include "nix/expr/eval.hh"

src/libexpr/primops.cc

@@ -63,6 +63,7 @@ StringMap EvalState::realiseContext(const NixStringContext & context, StorePathS
 
     for (auto & c : context) {
         auto ensureValid = [&](const StorePath & p) {
+            waitForPath(p);
             if (!store->isValidPath(p))
                 error<InvalidPathError>(store->printStorePath(p)).debugThrow();
         };
@@ -291,6 +292,7 @@ static void import(EvalState & state, const PosIdx pos, Value & vPath, Value * v
         if (!state.store->isStorePath(path2))
             return std::nullopt;
         auto storePath = state.store->parseStorePath(path2);
+        state.waitForPath(storePath);
         if (!(state.store->isValidPath(storePath) && isDerivation(path2)))
             return std::nullopt;
         return storePath;
@@ -1363,7 +1365,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
 
     /* Check whether attributes should be passed as a JSON file. */
     using nlohmann::json;
-    std::optional<json> jsonObject;
+    std::optional<StructuredAttrs> jsonObject;
     auto pos = v.determinePos(noPos);
     auto attr = attrs->find(state.sStructuredAttrs);
     if (attr != attrs->end()
@@ -1372,7 +1374,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
             pos,
             "while evaluating the `__structuredAttrs` "
             "attribute passed to builtins.derivationStrict"))
-        jsonObject = json::object();
+        jsonObject = StructuredAttrs{.structuredAttrs = json::object()};
 
     /* Check whether null attributes should be ignored. */
     bool ignoreNulls = false;
@@ -1484,7 +1486,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
                     if (i->name == state.sStructuredAttrs)
                         continue;
 
-                    jsonObject->emplace(key, printValueAsJSON(state, true, *i->value, pos, context));
+                    jsonObject->structuredAttrs.emplace(key, printValueAsJSON(state, true, *i->value, pos, context));
 
                     if (i->name == state.sBuilder)
                         drv.builder = state.forceString(*i->value, context, pos, context_below);
@@ -1532,23 +1534,26 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
 
                 } else {
                     auto s = state.coerceToString(pos, *i->value, context, context_below, true).toOwned();
-                    drv.env.emplace(key, s);
-                    if (i->name == state.sBuilder)
-                        drv.builder = std::move(s);
-                    else if (i->name == state.sSystem)
-                        drv.platform = std::move(s);
-                    else if (i->name == state.sOutputHash)
-                        outputHash = std::move(s);
-                    else if (i->name == state.sOutputHashAlgo)
-                        outputHashAlgo = parseHashAlgoOpt(s);
-                    else if (i->name == state.sOutputHashMode)
-                        handleHashMode(s);
-                    else if (i->name == state.sOutputs)
-                        handleOutputs(tokenizeString<Strings>(s));
-                    else if (i->name == state.sJson)
+                    if (i->name == state.sJson) {
                         warn(
                             "In derivation '%s': setting structured attributes via '__json' is deprecated, and may be disallowed in future versions of Nix. Set '__structuredAttrs = true' instead.",
                             drvName);
+                        drv.structuredAttrs = StructuredAttrs::parse(s);
+                    } else {
+                        drv.env.emplace(key, s);
+                        if (i->name == state.sBuilder)
+                            drv.builder = std::move(s);
+                        else if (i->name == state.sSystem)
+                            drv.platform = std::move(s);
+                        else if (i->name == state.sOutputHash)
+                            outputHash = std::move(s);
+                        else if (i->name == state.sOutputHashAlgo)
+                            outputHashAlgo = parseHashAlgoOpt(s);
+                        else if (i->name == state.sOutputHashMode)
+                            handleHashMode(s);
+                        else if (i->name == state.sOutputs)
+                            handleOutputs(tokenizeString<Strings>(s));
+                    }
                 }
             }
 
@@ -1560,8 +1565,10 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
     }
 
     if (jsonObject) {
-        drv.env.emplace("__json", jsonObject->dump());
-        jsonObject.reset();
+        /* The only other way `drv.structuredAttrs` can be set is when
+           `jsonObject` is not set. */
+        assert(!drv.structuredAttrs);
+        drv.structuredAttrs = std::move(*jsonObject);
     }
 
     /* Everything in the context of the strings in the derivation
@@ -1578,6 +1585,8 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
                 [&](const NixStringContextElem::DrvDeep & d) {
                     /* !!! This doesn't work if readOnlyMode is set. */
                     StorePathSet refs;
+                    // FIXME: don't need to wait, we only need the references.
+                    state.waitForPath(d.drvPath);
                     state.store->computeFSClosure(d.drvPath, refs);
                     for (auto & j : refs) {
                         drv.inputSrcs.insert(j);
@@ -1702,7 +1711,7 @@ static void derivationStrictInternal(EvalState & state, std::string_view drvName
     }
 
     /* Write the resulting term into the Nix store directory. */
-    auto drvPath = writeDerivation(*state.store, drv, state.repair);
+    auto drvPath = writeDerivation(*state.store, *state.asyncPathWriter, drv, state.repair);
     auto drvPathS = state.store->printStorePath(drvPath);
 
     printMsg(lvlChatty, "instantiated '%1%' -> '%2%'", drvName, drvPathS);

src/libexpr/primops/context.cc

@@ -61,6 +61,7 @@ static void prim_unsafeDiscardOutputDependency(EvalState & state, const PosIdx p
     NixStringContext context2;
     for (auto && c : context) {
         if (auto * ptr = std::get_if<NixStringContextElem::DrvDeep>(&c.raw)) {
+            state.waitForPath(ptr->drvPath); // FIXME: why?
             context2.emplace(NixStringContextElem::Opaque{.path = ptr->drvPath});
         } else {
             /* Can reuse original item */