aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/manual/manual.md8
-rw-r--r--doc/manual/src/SUMMARY.md90
-rw-r--r--doc/manual/src/advanced-topics/advanced-topics.md1
-rw-r--r--doc/manual/src/advanced-topics/cores-vs-jobs.md42
-rw-r--r--doc/manual/src/advanced-topics/diff-hook.md141
-rw-r--r--doc/manual/src/advanced-topics/distributed-builds.md141
-rw-r--r--doc/manual/src/advanced-topics/post-build-hook.md113
-rw-r--r--doc/manual/src/expressions/advanced-attributes.md233
-rw-r--r--doc/manual/src/expressions/arguments-variables.md72
-rw-r--r--doc/manual/src/expressions/build-script.md72
-rw-r--r--doc/manual/src/expressions/builder-syntax.md72
-rw-r--r--doc/manual/src/expressions/builtins.md839
-rw-r--r--doc/manual/src/expressions/derivations.md154
-rw-r--r--doc/manual/src/expressions/expression-language.md12
-rw-r--r--doc/manual/src/expressions/expression-syntax.md91
-rw-r--r--doc/manual/src/expressions/generic-builder.md61
-rw-r--r--doc/manual/src/expressions/language-constructs.md291
-rw-r--r--doc/manual/src/expressions/language-operators.md32
-rw-r--r--doc/manual/src/expressions/language-values.md209
-rw-r--r--doc/manual/src/expressions/simple-building-testing.md57
-rw-r--r--doc/manual/src/expressions/simple-expression.md27
-rw-r--r--doc/manual/src/expressions/writing-nix-expressions.md12
-rw-r--r--doc/manual/src/glossary.md102
-rw-r--r--doc/manual/src/hacking.md47
-rw-r--r--doc/manual/src/installation/building-source.md34
-rw-r--r--doc/manual/src/installation/env-variables.md56
-rw-r--r--doc/manual/src/installation/installation.md2
-rw-r--r--doc/manual/src/installation/installing-binary.md273
-rw-r--r--doc/manual/src/installation/installing-source.md4
-rw-r--r--doc/manual/src/installation/multi-user.md63
-rw-r--r--doc/manual/src/installation/nix-security.md15
-rw-r--r--doc/manual/src/installation/obtaining-source.md16
-rw-r--r--doc/manual/src/installation/prerequisites-source.md80
-rw-r--r--doc/manual/src/installation/single-user.md9
-rw-r--r--doc/manual/src/installation/supported-platforms.md7
-rw-r--r--doc/manual/src/installation/upgrading.md14
-rw-r--r--doc/manual/src/package-management/basic-package-mgmt.md148
-rw-r--r--doc/manual/src/package-management/binary-cache-substituter.md42
-rw-r--r--doc/manual/src/package-management/channels.md42
-rw-r--r--doc/manual/src/package-management/copy-closure.md34
-rw-r--r--doc/manual/src/package-management/garbage-collection.md61
-rw-r--r--doc/manual/src/package-management/garbage-collector-roots.md16
-rw-r--r--doc/manual/src/package-management/package-management.md4
-rw-r--r--doc/manual/src/package-management/profiles.md119
-rw-r--r--doc/manual/src/package-management/s3-substituter.md133
-rw-r--r--doc/manual/src/package-management/sharing-packages.md6
-rw-r--r--doc/manual/src/package-management/ssh-substituter.md52
-rw-r--r--doc/manual/src/release-notes/release-notes.md1
-rw-r--r--doc/manual/src/release-notes/rl-0.10.1.md5
-rw-r--r--doc/manual/src/release-notes/rl-0.10.md212
-rw-r--r--doc/manual/src/release-notes/rl-0.11.md167
-rw-r--r--doc/manual/src/release-notes/rl-0.12.md123
-rw-r--r--doc/manual/src/release-notes/rl-0.13.md55
-rw-r--r--doc/manual/src/release-notes/rl-0.14.md21
-rw-r--r--doc/manual/src/release-notes/rl-0.15.md5
-rw-r--r--doc/manual/src/release-notes/rl-0.16.md25
-rw-r--r--doc/manual/src/release-notes/rl-0.5.md3
-rw-r--r--doc/manual/src/release-notes/rl-0.6.md64
-rw-r--r--doc/manual/src/release-notes/rl-0.7.md21
-rw-r--r--doc/manual/src/release-notes/rl-0.8.1.md8
-rw-r--r--doc/manual/src/release-notes/rl-0.8.md166
-rw-r--r--doc/manual/src/release-notes/rl-0.9.1.md4
-rw-r--r--doc/manual/src/release-notes/rl-0.9.2.md11
-rw-r--r--doc/manual/src/release-notes/rl-0.9.md72
-rw-r--r--doc/manual/src/release-notes/rl-1.0.md68
-rw-r--r--doc/manual/src/release-notes/rl-1.1.md61
-rw-r--r--doc/manual/src/release-notes/rl-1.10.md31
-rw-r--r--doc/manual/src/release-notes/rl-1.11.10.md21
-rw-r--r--doc/manual/src/release-notes/rl-1.11.md87
-rw-r--r--doc/manual/src/release-notes/rl-1.2.md97
-rw-r--r--doc/manual/src/release-notes/rl-1.3.md10
-rw-r--r--doc/manual/src/release-notes/rl-1.4.md22
-rw-r--r--doc/manual/src/release-notes/rl-1.5.1.md4
-rw-r--r--doc/manual/src/release-notes/rl-1.5.2.md4
-rw-r--r--doc/manual/src/release-notes/rl-1.5.md4
-rw-r--r--doc/manual/src/release-notes/rl-1.6.1.md32
-rw-r--r--doc/manual/src/release-notes/rl-1.6.md72
-rw-r--r--doc/manual/src/release-notes/rl-1.7.md140
-rw-r--r--doc/manual/src/release-notes/rl-1.8.md88
-rw-r--r--doc/manual/src/release-notes/rl-1.9.md143
-rw-r--r--doc/manual/src/release-notes/rl-2.0.md557
-rw-r--r--doc/manual/src/release-notes/rl-2.1.md49
-rw-r--r--doc/manual/src/release-notes/rl-2.2.md82
-rw-r--r--doc/manual/src/release-notes/rl-2.3.md44
84 files changed, 6715 insertions, 13 deletions
diff --git a/doc/manual/manual.md b/doc/manual/manual.md
deleted file mode 100644
index 58e37436f..000000000
--- a/doc/manual/manual.md
+++ /dev/null
@@ -1,8 +0,0 @@
-Title: Nix Package Manager Guide
-
-1. Introduction
- 1. [About Nix](./introduction/about-nix.md)
- 1. [Quick Start](./introduction/quick-start.md)
-1. Command Reference
- 1. Utilities
- 1. [nix-copy-closure](./command-ref/nix-copy-closure.md)
diff --git a/doc/manual/src/SUMMARY.md b/doc/manual/src/SUMMARY.md
index 6897f70d9..f562d1db4 100644
--- a/doc/manual/src/SUMMARY.md
+++ b/doc/manual/src/SUMMARY.md
@@ -1,7 +1,87 @@
# Table of Contents
-- [Introduction](./introduction.md)
-- [Quick Start](./quick-start.md)
-- [Command Reference](./command-ref/command-ref.md)
- - [Utilities](./command-ref/utilities.md)
- - [nix-copy-closure](./command-ref/nix-copy-closure.md)
+- [Introduction](introduction.md)
+- [Quick Start](quick-start.md)
+- [Installation](installation/installation.md)
+ - [Supported Platforms](installation/supported-platforms.md)
+ - [Installing a Binary Distribution](installation/installing-binary.md)
+ - [Installing Nix from Source](installation/installing-source.md)
+ - [Prerequisites](installation/prerequisites-source.md)
+ - [Obtaining a Source Distribution](installation/obtaining-source.md)
+ - [Building Nix from Source](installation/building-source.md)
+ - [Security](installation/nix-security.md)
+ - [Single-User Mode](installation/single-user.md)
+ - [Multi-User Mode](installation/multi-user.md)
+ - [Environment Variables](installation/env-variables.md)
+ - [Upgrading Nix](installation/upgrading.md)
+- [Package Management](package-management/package-management.md)
+ - [Basic Package Management](package-management/basic-package-mgmt.md)
+ - [Profiles](package-management/profiles.md)
+ - [Garbage Collection](package-management/garbage-collection.md)
+ - [Garbage Collector Roots](package-management/garbage-collector-roots.md)
+ - [Channels](package-management/channels.md)
+ - [Sharing Packages Between Machines](package-management/sharing-packages.md)
+ - [Serving a Nix store via HTTP](package-management/binary-cache-substituter.md)
+ - [Copying Closures Via SSH](package-management/copy-closure.md)
+ - [Serving a Nix store via SSH](package-management/ssh-substituter.md)
+ - [Serving a Nix store via AWS S3 or S3-compatible Service](package-management/s3-substituter.md)
+- [Writing Nix Expressions](expressions/writing-nix-expressions.md)
+ - [A Simple Nix Expression](expressions/simple-expression.md)
+ - [Expression Syntax](expressions/expression-syntax.md)
+ - [Build Script](expressions/build-script.md)
+ - [Arguments and Variables](expressions/arguments-variables.md)
+ - [Building and Testing](expressions/simple-building-testing.md)
+ - [Generic Builder Syntax](expressions/generic-builder.md)
+ - [Writing Nix Expressions](expressions/expression-language.md)
+ - [Values](expressions/language-values.md)
+ - [Language Constructs](expressions/language-constructs.md)
+ - [Operators](expressions/language-operators.md)
+ - [Derivations](expressions/derivations.md)
+ - [Advanced Attributes](expressions/advanced-attributes.md)
+ - [Built-in Functions](expressions/builtins.md)
+- [Advanced Topics](advanced-topics/advanced-topics.md)
+ - [Remote Builds](advanced-topics/distributed-builds.md)
+ - [Tuning Cores and Jobs](advanced-topics/cores-vs-jobs.md)
+ - [Verifying Build Reproducibility](advanced-topics/diff-hook.md)
+ - [Using the `post-build-hook`](advanced-topics/post-build-hook.md)
+- [Command Reference](command-ref/command-ref.md)
+ - [Utilities](command-ref/utilities.md)
+ - [nix-copy-closure](command-ref/nix-copy-closure.md)
+- [Glossary](glossary.md)
+- [Hacking](hacking.md)
+- [Release Notes](release-notes/release-notes.md)
+ - [Release 2.3 (2019-09-04)](release-notes/rl-2.3.md)
+ - [Release 2.2 (2019-01-11)](release-notes/rl-2.2.md)
+ - [Release 2.1 (2018-09-02)](release-notes/rl-2.1.md)
+ - [Release 2.0 (2018-02-22)](release-notes/rl-2.0.md)
+ - [Release 1.11.10 (2017-06-12)](release-notes/rl-1.11.10.md)
+ - [Release 1.11 (2016-01-19)](release-notes/rl-1.11.md)
+ - [Release 1.10 (2015-09-03)](release-notes/rl-1.10.md)
+ - [Release 1.9 (2015-06-12)](release-notes/rl-1.9.md)
+ - [Release 1.8 (2014-12-14)](release-notes/rl-1.8.md)
+ - [Release 1.7 (2014-04-11)](release-notes/rl-1.7.md)
+ - [Release 1.6.1 (2013-10-28)](release-notes/rl-1.6.1.md)
+ - [Release 1.6 (2013-09-10)](release-notes/rl-1.6.md)
+ - [Release 1.5.2 (2013-05-13)](release-notes/rl-1.5.2.md)
+ - [Release 1.5 (2013-02-27)](release-notes/rl-1.5.md)
+ - [Release 1.4 (2013-02-26)](release-notes/rl-1.4.md)
+ - [Release 1.3 (2013-01-04)](release-notes/rl-1.3.md)
+ - [Release 1.2 (2012-12-06)](release-notes/rl-1.2.md)
+ - [Release 1.1 (2012-07-18)](release-notes/rl-1.1.md)
+ - [Release 1.0 (2012-05-11)](release-notes/rl-1.0.md)
+ - [Release 0.16 (2010-08-17)](release-notes/rl-0.16.md)
+ - [Release 0.15 (2010-03-17)](release-notes/rl-0.15.md)
+ - [Release 0.14 (2010-02-04)](release-notes/rl-0.14.md)
+ - [Release 0.13 (2009-11-05)](release-notes/rl-0.13.md)
+ - [Release 0.12 (2008-11-20)](release-notes/rl-0.12.md)
+ - [Release 0.11 (2007-12-31)](release-notes/rl-0.11.md)
+ - [Release 0.10.1 (2006-10-11)](release-notes/rl-0.10.1.md)
+ - [Release 0.10 (2006-10-06)](release-notes/rl-0.10.md)
+ - [Release 0.9.2 (2005-09-21)](release-notes/rl-0.9.2.md)
+ - [Release 0.9.1 (2005-09-20)](release-notes/rl-0.9.1.md)
+ - [Release 0.9 (2005-09-16)](release-notes/rl-0.9.md)
+ - [Release 0.8.1 (2005-04-13)](release-notes/rl-0.8.1.md)
+ - [Release 0.8 (2005-04-11)](release-notes/rl-0.8.md)
+ - [Release 0.7 (2005-01-12)](release-notes/rl-0.7.md)
+ - [Release 0.6 (2004-11-14)](release-notes/rl-0.6.md)
+ - [Release 0.5 and earlier](release-notes/rl-0.5.md)
diff --git a/doc/manual/src/advanced-topics/advanced-topics.md b/doc/manual/src/advanced-topics/advanced-topics.md
new file mode 100644
index 000000000..8b1378917
--- /dev/null
+++ b/doc/manual/src/advanced-topics/advanced-topics.md
@@ -0,0 +1 @@
+
diff --git a/doc/manual/src/advanced-topics/cores-vs-jobs.md b/doc/manual/src/advanced-topics/cores-vs-jobs.md
new file mode 100644
index 000000000..846b6356e
--- /dev/null
+++ b/doc/manual/src/advanced-topics/cores-vs-jobs.md
@@ -0,0 +1,42 @@
+# Tuning Cores and Jobs
+
+Nix has two relevant settings with regards to how your CPU cores will be
+utilized: [???](#conf-cores) and [???](#conf-max-jobs). This chapter
+will talk about what they are, how they interact, and their
+configuration trade-offs.
+
+ - [???](#conf-max-jobs)
+ Dictates how many separate derivations will be built at the same
+ time. If you set this to zero, the local machine will do no builds.
+ Nix will still substitute from binary caches, and build remotely if
+ remote builders are configured.
+
+ - [???](#conf-cores)
+ Suggests how many cores each derivation should use. Similar to `make
+ -j`.
+
+The [???](#conf-cores) setting determines the value of
+NIX\_BUILD\_CORES. NIX\_BUILD\_CORES is equal to [???](#conf-cores),
+unless [???](#conf-cores) equals `0`, in which case NIX\_BUILD\_CORES
+will be the total number of cores in the system.
+
+The maximum number of consumed cores is a simple multiplication,
+[???](#conf-max-jobs) \* NIX\_BUILD\_CORES.
+
+The balance on how to set these two independent variables depends upon
+each builder's workload and hardware. Here are a few example scenarios
+on a machine with 24 cores:
+
+| [???](#conf-max-jobs) | [???](#conf-cores) | NIX\_BUILD\_CORES | Maximum Processes | Result |
+| --------------------- | ------------------ | ----------------- | ----------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| 1 | 24 | 24 | 24 | One derivation will be built at a time, each one can use 24 cores. Undersold if a job can’t use 24 cores. |
+| 4 | 6 | 6 | 24 | Four derivations will be built at once, each given access to six cores. |
+| 12 | 6 | 6 | 72 | 12 derivations will be built at once, each given access to six cores. This configuration is over-sold. If all 12 derivations being built simultaneously try to use all six cores, the machine's performance will be degraded due to extensive context switching between the 12 builds. |
+| 24 | 1 | 1 | 24 | 24 derivations can build at the same time, each using a single core. Never oversold, but derivations which require many cores will be very slow to compile. |
+| 24 | 0 | 24 | 576 | 24 derivations can build at the same time, each using all the available cores of the machine. Very likely to be oversold, and very likely to suffer context switches. |
+
+Balancing 24 Build Cores
+
+It is up to the derivations' build script to respect host's requested
+cores-per-build by following the value of the NIX\_BUILD\_CORES
+environment variable.
diff --git a/doc/manual/src/advanced-topics/diff-hook.md b/doc/manual/src/advanced-topics/diff-hook.md
new file mode 100644
index 000000000..2c9896fa5
--- /dev/null
+++ b/doc/manual/src/advanced-topics/diff-hook.md
@@ -0,0 +1,141 @@
+# Verifying Build Reproducibility
+
+Specify a program with Nix's [???](#conf-diff-hook) to compare build
+results when two builds produce different results. Note: this hook is
+only executed if the results are not the same, this hook is not used for
+determining if the results are the same.
+
+For purposes of demonstration, we'll use the following Nix file,
+`deterministic.nix` for testing:
+
+ let
+ inherit (import <nixpkgs> {}) runCommand;
+ in {
+ stable = runCommand "stable" {} ''
+ touch $out
+ '';
+
+ unstable = runCommand "unstable" {} ''
+ echo $RANDOM > $out
+ '';
+ }
+
+Additionally, `nix.conf` contains:
+
+ diff-hook = /etc/nix/my-diff-hook
+ run-diff-hook = true
+
+where `/etc/nix/my-diff-hook` is an executable file containing:
+
+ #!/bin/sh
+ exec >&2
+ echo "For derivation $3:"
+ /run/current-system/sw/bin/diff -r "$1" "$2"
+
+The diff hook is executed by the same user and group who ran the build.
+However, the diff hook does not have write access to the store path just
+built.
+
+# Spot-Checking Build Determinism
+
+Verify a path which already exists in the Nix store by passing `--check`
+to the build command.
+
+If the build passes and is deterministic, Nix will exit with a status
+code of 0:
+
+ $ nix-build ./deterministic.nix -A stable
+ this derivation will be built:
+ /nix/store/z98fasz2jqy9gs0xbvdj939p27jwda38-stable.drv
+ building '/nix/store/z98fasz2jqy9gs0xbvdj939p27jwda38-stable.drv'...
+ /nix/store/yyxlzw3vqaas7wfp04g0b1xg51f2czgq-stable
+
+ $ nix-build ./deterministic.nix -A stable --check
+ checking outputs of '/nix/store/z98fasz2jqy9gs0xbvdj939p27jwda38-stable.drv'...
+ /nix/store/yyxlzw3vqaas7wfp04g0b1xg51f2czgq-stable
+
+If the build is not deterministic, Nix will exit with a status code of
+1:
+
+ $ nix-build ./deterministic.nix -A unstable
+ this derivation will be built:
+ /nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv
+ building '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv'...
+ /nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable
+
+ $ nix-build ./deterministic.nix -A unstable --check
+ checking outputs of '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv'...
+ error: derivation '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv' may not be deterministic: output '/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable' differs
+
+In the Nix daemon's log, we will now see:
+
+ For derivation /nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv:
+ 1c1
+ < 8108
+ ---
+ > 30204
+
+Using `--check` with `--keep-failed` will cause Nix to keep the second
+build's output in a special, `.check` path:
+
+ $ nix-build ./deterministic.nix -A unstable --check --keep-failed
+ checking outputs of '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv'...
+ note: keeping build directory '/tmp/nix-build-unstable.drv-0'
+ error: derivation '/nix/store/cgl13lbj1w368r5z8gywipl1ifli7dhk-unstable.drv' may not be deterministic: output '/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable' differs from '/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable.check'
+
+In particular, notice the
+`/nix/store/krpqk0l9ib0ibi1d2w52z293zw455cap-unstable.check` output. Nix
+has copied the build results to that directory where you can examine it.
+
+> **Note**
+>
+> Check paths are not protected against garbage collection, and this
+> path will be deleted on the next garbage collection.
+>
+> The path is guaranteed to be alive for the duration of
+> [???](#conf-diff-hook)'s execution, but may be deleted any time after.
+>
+> If the comparison is performed as part of automated tooling, please
+> use the diff-hook or author your tooling to handle the case where the
+> build was not deterministic and also a check path does not exist.
+
+`--check` is only usable if the derivation has been built on the system
+already. If the derivation has not been built Nix will fail with the
+error:
+
+ error: some outputs of '/nix/store/hzi1h60z2qf0nb85iwnpvrai3j2w7rr6-unstable.drv' are not valid, so checking is not possible
+
+Run the build without `--check`, and then try with `--check` again.
+
+# Automatic and Optionally Enforced Determinism Verification
+
+Automatically verify every build at build time by executing the build
+multiple times.
+
+Setting [???](#conf-repeat) and [???](#conf-enforce-determinism) in your
+`nix.conf` permits the automated verification of every build Nix
+performs.
+
+The following configuration will run each build three times, and will
+require the build to be deterministic:
+
+ enforce-determinism = true
+ repeat = 2
+
+Setting [???](#conf-enforce-determinism) to false as in the following
+configuration will run the build multiple times, execute the build hook,
+but will allow the build to succeed even if it does not build
+reproducibly:
+
+ enforce-determinism = false
+ repeat = 1
+
+An example output of this configuration:
+
+ $ nix-build ./test.nix -A unstable
+ this derivation will be built:
+ /nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv
+ building '/nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv' (round 1/2)...
+ building '/nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv' (round 2/2)...
+ output '/nix/store/6xg356v9gl03hpbbg8gws77n19qanh02-unstable' of '/nix/store/ch6llwpr2h8c3jmnf3f2ghkhx59aa97f-unstable.drv' differs from '/nix/store/6xg356v9gl03hpbbg8gws77n19qanh02-unstable.check' from previous round
+ /nix/store/6xg356v9gl03hpbbg8gws77n19qanh02-unstable
diff --git a/doc/manual/src/advanced-topics/distributed-builds.md b/doc/manual/src/advanced-topics/distributed-builds.md
new file mode 100644
index 000000000..197708ee5
--- /dev/null
+++ b/doc/manual/src/advanced-topics/distributed-builds.md
@@ -0,0 +1,141 @@
+# Remote Builds
+
+Nix supports remote builds, where a local Nix installation can forward
+Nix builds to other machines. This allows multiple builds to be
+performed in parallel and allows Nix to perform multi-platform builds in
+a semi-transparent way. For instance, if you perform a build for a
+`x86_64-darwin` on an `i686-linux` machine, Nix can automatically
+forward the build to a `x86_64-darwin` machine, if available.
+
+To forward a build to a remote machine, it’s required that the remote
+machine is accessible via SSH and that it has Nix installed. You can
+test whether connecting to the remote Nix instance works, e.g.
+
+ $ nix ping-store --store ssh://mac
+
+will try to connect to the machine named `mac`. It is possible to
+specify an SSH identity file as part of the remote store URI, e.g.
+
+ $ nix ping-store --store ssh://mac?ssh-key=/home/alice/my-key
+
+Since builds should be non-interactive, the key should not have a
+passphrase. Alternatively, you can load identities ahead of time into
+`ssh-agent` or `gpg-agent`.
+
+If you get the error
+
+ bash: nix-store: command not found
+ error: cannot connect to 'mac'
+
+then you need to ensure that the PATH of non-interactive login shells
+contains Nix.
+
+> **Warning**
+>
+> If you are building via the Nix daemon, it is the Nix daemon user
+> account (that is, `root`) that should have SSH access to the remote
+> machine. If you can’t or don’t want to configure `root` to be able to
+> access to remote machine, you can use a private Nix store instead by
+> passing e.g. `--store ~/my-nix`.
+
+The list of remote machines can be specified on the command line or in
+the Nix configuration file. The former is convenient for testing. For
+example, the following command allows you to build a derivation for
+`x86_64-darwin` on a Linux machine:
+
+ $ uname
+ Linux
+
+ $ nix build \
+ '(with import <nixpkgs> { system = "x86_64-darwin"; }; runCommand "foo" {} "uname > $out")' \
+ --builders 'ssh://mac x86_64-darwin'
+ [1/0/1 built, 0.0 MiB DL] building foo on ssh://mac
+
+ $ cat ./result
+ Darwin
+
+It is possible to specify multiple builders separated by a semicolon or
+a newline, e.g.
+
+```
+ --builders 'ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd'
+```
+
+Each machine specification consists of the following elements, separated
+by spaces. Only the first element is required. To leave a field at its
+default, set it to `-`.
+
+1. The URI of the remote store in the format
+ `ssh://[username@]hostname`, e.g. `ssh://nix@mac` or `ssh://mac`.
+ For backward compatibility, `ssh://` may be omitted. The hostname
+ may be an alias defined in your `~/.ssh/config`.
+
+2. A comma-separated list of Nix platform type identifiers, such as
+ `x86_64-darwin`. It is possible for a machine to support multiple
+ platform types, e.g., `i686-linux,x86_64-linux`. If omitted, this
+ defaults to the local platform type.
+
+3. The SSH identity file to be used to log in to the remote machine. If
+ omitted, SSH will use its regular identities.
+
+4. The maximum number of builds that Nix will execute in parallel on
+ the machine. Typically this should be equal to the number of CPU
+ cores. For instance, the machine `itchy` in the example will execute
+ up to 8 builds in parallel.
+
+5. The “speed factor”, indicating the relative speed of the machine. If
+ there are multiple machines of the right type, Nix will prefer the
+ fastest, taking load into account.
+
+6. A comma-separated list of *supported features*. If a derivation has
+ the `requiredSystemFeatures` attribute, then Nix will only perform
+ the derivation on a machine that has the specified features. For
+ instance, the attribute
+
+ requiredSystemFeatures = [ "kvm" ];
+
+ will cause the build to be performed on a machine that has the `kvm`
+ feature.
+
+7. A comma-separated list of *mandatory features*. A machine will only
+ be used to build a derivation if all of the machine’s mandatory
+ features appear in the derivation’s `requiredSystemFeatures`
+ attribute..
+
+For example, the machine specification
+
+ nix@scratchy.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy_auto 8 1 kvm
+ nix@itchy.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy_auto 8 2
+ nix@poochie.labs.cs.uu.nl i686-linux /home/nix/.ssh/id_scratchy_auto 1 2 kvm benchmark
+
+specifies several machines that can perform `i686-linux` builds.
+However, `poochie` will only do builds that have the attribute
+
+ requiredSystemFeatures = [ "benchmark" ];
+
+or
+
+ requiredSystemFeatures = [ "benchmark" "kvm" ];
+
+`itchy` cannot do builds that require `kvm`, but `scratchy` does support
+such builds. For regular builds, `itchy` will be preferred over
+`scratchy` because it has a higher speed factor.
+
+Remote builders can also be configured in `nix.conf`, e.g.
+
+ builders = ssh://mac x86_64-darwin ; ssh://beastie x86_64-freebsd
+
+Finally, remote builders can be configured in a separate configuration
+file included in `builders` via the syntax `@file`. For example,
+
+ builders = @/etc/nix/machines
+
+causes the list of machines in `/etc/nix/machines` to be included. (This
+is the default.)
+
+If you want the builders to use caches, you likely want to set the
+option [`builders-use-substitutes`](#conf-builders-use-substitutes) in
+your local `nix.conf`.
+
+To build only on remote builders and disable building on the local
+machine, you can use the option `--max-jobs 0`.
diff --git a/doc/manual/src/advanced-topics/post-build-hook.md b/doc/manual/src/advanced-topics/post-build-hook.md
new file mode 100644
index 000000000..166b57da6
--- /dev/null
+++ b/doc/manual/src/advanced-topics/post-build-hook.md
@@ -0,0 +1,113 @@
+# Using the `post-build-hook`
+
+# Implementation Caveats
+
+Here we use the post-build hook to upload to a binary cache. This is a
+simple and working example, but it is not suitable for all use cases.
+
+The post build hook program runs after each executed build, and blocks
+the build loop. The build loop exits if the hook program fails.
+
+Concretely, this implementation will make Nix slow or unusable when the
+internet is slow or unreliable.
+
+A more advanced implementation might pass the store paths to a
+user-supplied daemon or queue for processing the store paths outside of
+the build loop.
+
+# Prerequisites
+
+This tutorial assumes you have configured an S3-compatible binary cache
+according to the instructions at
+[???](#ssec-s3-substituter-authenticated-writes), and that the `root`
+user's default AWS profile can upload to the bucket.
+
+# Set up a Signing Key
+
+Use `nix-store --generate-binary-cache-key` to create our public and
+private signing keys. We will sign paths with the private key, and
+distribute the public key for verifying the authenticity of the paths.
+
+ # nix-store --generate-binary-cache-key example-nix-cache-1 /etc/nix/key.private /etc/nix/key.public
+ # cat /etc/nix/key.public
+ example-nix-cache-1:1/cKDz3QCCOmwcztD2eV6Coggp6rqc9DGjWv7C0G+rM=
+
+Then, add the public key and the cache URL to your `nix.conf`'s
+[???](#conf-trusted-public-keys) and [???](#conf-substituters) like:
+
+ substituters = https://cache.nixos.org/ s3://example-nix-cache
+ trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= example-nix-cache-1:1/cKDz3QCCOmwcztD2eV6Coggp6rqc9DGjWv7C0G+rM=
+
+We will restart the Nix daemon in a later step.
+
+# Implementing the build hook
+
+Write the following script to `/etc/nix/upload-to-cache.sh`:
+
+ #!/bin/sh
+
+ set -eu
+ set -f # disable globbing
+ export IFS=' '
+
+ echo "Signing paths" $OUT_PATHS
+ nix sign-paths --key-file /etc/nix/key.private $OUT_PATHS
+ echo "Uploading paths" $OUT_PATHS
+ exec nix copy --to 's3://example-nix-cache' $OUT_PATHS
+
+> **Note**
+>
+> The `$OUT_PATHS` variable is a space-separated list of Nix store
+> paths. In this case, we expect and want the shell to perform word
+> splitting to make each output path its own argument to `nix
+> sign-paths`. Nix guarantees the paths will not contain any spaces,
+> however a store path might contain glob characters. The `set -f`
+> disables globbing in the shell.
+
+Then make sure the hook program is executable by the `root` user:
+
+ # chmod +x /etc/nix/upload-to-cache.sh
+
+# Updating Nix Configuration
+
+Edit `/etc/nix/nix.conf` to run our hook, by adding the following
+configuration snippet at the end:
+
+ post-build-hook = /etc/nix/upload-to-cache.sh
+
+Then, restart the `nix-daemon`.
+
+# Testing
+
+Build any derivation, for example:
+
+ $ nix-build -E '(import <nixpkgs> {}).writeText "example" (builtins.toString builtins.currentTime)'
+ this derivation will be built:
+ /nix/store/s4pnfbkalzy5qz57qs6yybna8wylkig6-example.drv
+ building '/nix/store/s4pnfbkalzy5qz57qs6yybna8wylkig6-example.drv'...
+ running post-build-hook '/home/grahamc/projects/github.com/NixOS/nix/post-hook.sh'...
+ post-build-hook: Signing paths /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example
+ post-build-hook: Uploading paths /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example
+ /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example
+
+Then delete the path from the store, and try substituting it from the
+binary cache:
+
+ $ rm ./result
+ $ nix-store --delete /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example
+
+Now, copy the path back from the cache:
+
+ $ nix-store --realise /nix/store/ibcyipq5gf91838ldx40mjsp0b8w9n18-example
+ copying path '/nix/store/m8bmqwrch6l3h8s0k3d673xpmipcdpsa-example from 's3://example-nix-cache'...
+ warning: you did not specify '--add-root'; the result might be removed by the garbage collector
+ /nix/store/m8bmqwrch6l3h8s0k3d673xpmipcdpsa-example
+
+# Conclusion
+
+We now have a Nix installation configured to automatically sign and
+upload every local build to a remote binary cache.
+
+Before deploying this to production, be sure to consider the
+implementation caveats in [Implementation
+Caveats](#chap-post-build-hook-caveats).
diff --git a/doc/manual/src/expressions/advanced-attributes.md b/doc/manual/src/expressions/advanced-attributes.md
new file mode 100644
index 000000000..683b504a7
--- /dev/null
+++ b/doc/manual/src/expressions/advanced-attributes.md
@@ -0,0 +1,233 @@
+# Advanced Attributes
+
+Derivations can declare some infrequently used optional attributes.
+
+ - `allowedReferences`
+ The optional attribute `allowedReferences` specifies a list of legal
+ references (dependencies) of the output of the builder. For example,
+
+ allowedReferences = [];
+
+ enforces that the output of a derivation cannot have any runtime
+ dependencies on its inputs. To allow an output to have a runtime
+ dependency on itself, use `"out"` as a list item. This is used in
+ NixOS to check that generated files such as initial ramdisks for
+ booting Linux don’t have accidental dependencies on other paths in
+ the Nix store.
+
+ - `allowedRequisites`
+ This attribute is similar to `allowedReferences`, but it specifies
+ the legal requisites of the whole closure, so all the dependencies
+ recursively. For example,
+
+ allowedRequisites = [ foobar ];
+
+ enforces that the output of a derivation cannot have any other
+ runtime dependency than `foobar`, and in addition it enforces that
+ `foobar` itself doesn't introduce any other dependency itself.
+
+ - `disallowedReferences`
+ The optional attribute `disallowedReferences` specifies a list of
+ illegal references (dependencies) of the output of the builder. For
+ example,
+
+ disallowedReferences = [ foo ];
+
+ enforces that the output of a derivation cannot have a direct
+ runtime dependencies on the derivation `foo`.
+
+ - `disallowedRequisites`
+ This attribute is similar to `disallowedReferences`, but it
+ specifies illegal requisites for the whole closure, so all the
+ dependencies recursively. For example,
+
+ disallowedRequisites = [ foobar ];
+
+ enforces that the output of a derivation cannot have any runtime
+ dependency on `foobar` or any other derivation depending recursively
+ on `foobar`.
+
+ - `exportReferencesGraph`
+ This attribute allows builders access to the references graph of
+ their inputs. The attribute is a list of inputs in the Nix store
+ whose references graph the builder needs to know. The value of this
+ attribute should be a list of pairs `[ name1
+ path1 name2
+ path2 ...
+ ]`. The references graph of each pathN will be stored in a text file
+ nameN in the temporary build directory. The text files have the
+ format used by `nix-store
+ --register-validity` (with the deriver fields left empty). For
+ example, when the following derivation is built:
+
+ derivation {
+ ...
+ exportReferencesGraph = [ "libfoo-graph" libfoo ];
+ };
+
+ the references graph of `libfoo` is placed in the file
+ `libfoo-graph` in the temporary build directory.
+
+ `exportReferencesGraph` is useful for builders that want to do
+ something with the closure of a store path. Examples include the
+ builders in NixOS that generate the initial ramdisk for booting
+ Linux (a `cpio` archive containing the closure of the boot script)
+ and the ISO-9660 image for the installation CD (which is populated
+ with a Nix store containing the closure of a bootable NixOS
+ configuration).
+
+ - `impureEnvVars`
+ This attribute allows you to specify a list of environment variables
+ that should be passed from the environment of the calling user to
+ the builder. Usually, the environment is cleared completely when the
+ builder is executed, but with this attribute you can allow specific
+ environment variables to be passed unmodified. For example,
+ `fetchurl` in Nixpkgs has the line
+
+ impureEnvVars = [ "http_proxy" "https_proxy" ... ];
+
+ to make it use the proxy server configuration specified by the user
+ in the environment variables http\_proxy and friends.
+
+ This attribute is only allowed in [fixed-output
+ derivations](#fixed-output-drvs), where impurities such as these are
+ okay since (the hash of) the output is known in advance. It is
+ ignored for all other derivations.
+
+ > **Warning**
+ >
+ > `impureEnvVars` implementation takes environment variables from
+ > the current builder process. When a daemon is building its
+ > environmental variables are used. Without the daemon, the
+ > environmental variables come from the environment of the
+ > `nix-build`.
+
+ - `outputHash`; `outputHashAlgo`; `outputHashMode`
+ These attributes declare that the derivation is a so-called
+ *fixed-output derivation*, which means that a cryptographic hash of
+ the output is already known in advance. When the build of a
+ fixed-output derivation finishes, Nix computes the cryptographic
+ hash of the output and compares it to the hash declared with these
+ attributes. If there is a mismatch, the build fails.
+
+ The rationale for fixed-output derivations is derivations such as
+ those produced by the `fetchurl` function. This function downloads a
+ file from a given URL. To ensure that the downloaded file has not
+ been modified, the caller must also specify a cryptographic hash of
+ the file. For example,
+
+ fetchurl {
+ url = "http://ftp.gnu.org/pub/gnu/hello/hello-2.1.1.tar.gz";
+ sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
+ }
+
+ It sometimes happens that the URL of the file changes, e.g., because
+ servers are reorganised or no longer available. We then must update
+ the call to `fetchurl`, e.g.,
+
+ fetchurl {
+ url = "ftp://ftp.nluug.nl/pub/gnu/hello/hello-2.1.1.tar.gz";
+ sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
+ }
+
+ If a `fetchurl` derivation was treated like a normal derivation, the
+ output paths of the derivation and *all derivations depending on it*
+ would change. For instance, if we were to change the URL of the
+ Glibc source distribution in Nixpkgs (a package on which almost all
+ other packages depend) massive rebuilds would be needed. This is
+ unfortunate for a change which we know cannot have a real effect as
+ it propagates upwards through the dependency graph.
+
+ For fixed-output derivations, on the other hand, the name of the
+ output path only depends on the `outputHash*` and `name` attributes,
+ while all other attributes are ignored for the purpose of computing
+ the output path. (The `name` attribute is included because it is
+ part of the path.)
+
+ As an example, here is the (simplified) Nix expression for
+ `fetchurl`:
+
+ { stdenv, curl }: # The curl program is used for downloading.
+
+ { url, sha256 }:
+
+ stdenv.mkDerivation {
+ name = baseNameOf (toString url);
+ builder = ./builder.sh;
+ buildInputs = [ curl ];
+
+ # This is a fixed-output derivation; the output must be a regular
+ # file with SHA256 hash sha256.
+ outputHashMode = "flat";
+ outputHashAlgo = "sha256";
+ outputHash = sha256;
+
+ inherit url;
+ }
+
+ The `outputHashAlgo` attribute specifies the hash algorithm used to
+ compute the hash. It can currently be `"sha1"`, `"sha256"` or
+ `"sha512"`.
+
+ The `outputHashMode` attribute determines how the hash is computed.
+ It must be one of the following two values:
+
+ - `"flat"`
+ The output must be a non-executable regular file. If it isn’t,
+ the build fails. The hash is simply computed over the contents
+ of that file (so it’s equal to what Unix commands like
+ `sha256sum` or `sha1sum` produce).
+
+ This is the default.
+
+ - `"recursive"`
+ The hash is computed over the NAR archive dump of the output
+ (i.e., the result of [`nix-store
+ --dump`](#refsec-nix-store-dump)). In this case, the output can
+ be anything, including a directory tree.
+
+ The `outputHash` attribute, finally, must be a string containing the
+ hash in either hexadecimal or base-32 notation. (See the [`nix-hash`
+ command](#sec-nix-hash) for information about converting to and from
+ base-32 notation.)
+
+ - `passAsFile`
+ A list of names of attributes that should be passed via files rather
+ than environment variables. For example, if you have
+
+ ```
+ passAsFile = ["big"];
+ big = "a very long string";
+
+ ```
+
+ then when the builder runs, the environment variable bigPath will
+ contain the absolute path to a temporary file containing `a very
+ long
+ string`. That is, for any attribute x listed in `passAsFile`, Nix
+ will pass an environment variable xPath holding the path of the file
+ containing the value of attribute x. This is useful when you need to
+ pass large strings to a builder, since most operating systems impose
+ a limit on the size of the environment (typically, a few hundred
+ kilobyte).
+
+ - `preferLocalBuild`
+ If this attribute is set to `true` and [distributed building is
+ enabled](#chap-distributed-builds), then, if possible, the derivaton
+ will be built locally instead of forwarded to a remote machine. This
+ is appropriate for trivial builders where the cost of doing a
+ download or remote build would exceed the cost of building locally.
+
+ - `allowSubstitutes`
+ If this attribute is set to `false`, then Nix will always build this
+ derivation; it will not try to substitute its outputs. This is
+ useful for very trivial derivations (such as `writeText` in Nixpkgs)
+ that are cheaper to build than to substitute from a binary cache.
+
+ > **Note**
+ >
+ > You need to have a builder configured which satisfies the
+ > derivation’s `system` attribute, since the derivation cannot be
+ > substituted. Thus it is usually a good idea to align `system` with
+ > `builtins.currentSystem` when setting `allowSubstitutes` to
+ > `false`. For most trivial derivations this should be the case.
diff --git a/doc/manual/src/expressions/arguments-variables.md b/doc/manual/src/expressions/arguments-variables.md
new file mode 100644
index 000000000..9a373d94d
--- /dev/null
+++ b/doc/manual/src/expressions/arguments-variables.md
@@ -0,0 +1,72 @@
+# Arguments and Variables
+
+ ...
+
+ rec {
+
+ hello = import ../applications/misc/hello/ex-1 {
+ inherit fetchurl stdenv perl;
+ };
+
+ perl = import ../development/interpreters/perl {
+ inherit fetchurl stdenv;
+ };
+
+ fetchurl = import ../build-support/fetchurl {
+ inherit stdenv; ...
+ };
+
+ stdenv = ...;
+
+ }
+
+The Nix expression in [???](#ex-hello-nix) is a function; it is missing
+some arguments that have to be filled in somewhere. In the Nix Packages
+collection this is done in the file `pkgs/top-level/all-packages.nix`,
+where all Nix expressions for packages are imported and called with the
+appropriate arguments. [example\_title](#ex-hello-composition) shows
+some fragments of `all-packages.nix`.
+
+ - This file defines a set of attributes, all of which are concrete
+ derivations (i.e., not functions). In fact, we define a *mutually
+ recursive* set of attributes. That is, the attributes can refer to
+ each other. This is precisely what we want since we want to “plug”
+ the various packages into each other.
+
+ - Here we *import* the Nix expression for GNU Hello. The import
+ operation just loads and returns the specified Nix expression. In
+ fact, we could just have put the contents of [???](#ex-hello-nix) in
+ `all-packages.nix` at this point. That would be completely
+ equivalent, but it would make the file rather bulky.
+
+ Note that we refer to `../applications/misc/hello/ex-1`, not
+ `../applications/misc/hello/ex-1/default.nix`. When you try to
+ import a directory, Nix automatically appends `/default.nix` to the
+ file name.
+
+ - This is where the actual composition takes place. Here we *call* the
+ function imported from `../applications/misc/hello/ex-1` with a set
+ containing the things that the function expects, namely `fetchurl`,
+ `stdenv`, and `perl`. We use inherit again to use the attributes
+ defined in the surrounding scope (we could also have written
+ `fetchurl = fetchurl;`, etc.).
+
+ The result of this function call is an actual derivation that can be
+ built by Nix (since when we fill in the arguments of the function,
+ what we get is its body, which is the call to `stdenv.mkDerivation`
+ in [???](#ex-hello-nix)).
+
+ > **Note**
+ >
+ > Nixpkgs has a convenience function `callPackage` that imports and
+ > calls a function, filling in any missing arguments by passing the
+ > corresponding attribute from the Nixpkgs set, like this:
+ >
+ > hello = callPackage ../applications/misc/hello/ex-1 { };
+ >
+ > If necessary, you can set or override arguments:
+ >
+ > hello = callPackage ../applications/misc/hello/ex-1 { stdenv = myStdenv; };
+
+ - Likewise, we have to instantiate Perl, `fetchurl`, and the standard
+ environment.
diff --git a/doc/manual/src/expressions/build-script.md b/doc/manual/src/expressions/build-script.md
new file mode 100644
index 000000000..256a5cd44
--- /dev/null
+++ b/doc/manual/src/expressions/build-script.md
@@ -0,0 +1,72 @@
+# Build Script
+
+ source $stdenv/setup
+
+ PATH=$perl/bin:$PATH
+
+ tar xvfz $src
+ cd hello-*
+ ./configure --prefix=$out
+ make
+ make install
+
+[example\_title](#ex-hello-builder) shows the builder referenced from
+Hello's Nix expression (stored in
+`pkgs/applications/misc/hello/ex-1/builder.sh`). The builder can
+actually be made a lot shorter by using the *generic builder* functions
+provided by `stdenv`, but here we write out the build steps to elucidate
+what a builder does. It performs the following steps:
+
+ - When Nix runs a builder, it initially completely clears the
+ environment (except for the attributes declared in the derivation).
+ For instance, the PATH variable is empty\[1\]. This is done to
+ prevent undeclared inputs from being used in the build process. If
+ for example the PATH contained `/usr/bin`, then you might
+ accidentally use `/usr/bin/gcc`.
+
+ So the first step is to set up the environment. This is done by
+ calling the `setup` script of the standard environment. The
+ environment variable stdenv points to the location of the standard
+ environment being used. (It wasn't specified explicitly as an
+ attribute in [???](#ex-hello-nix), but `mkDerivation` adds it
+ automatically.)
+
+ - Since Hello needs Perl, we have to make sure that Perl is in the
+ PATH. The perl environment variable points to the location of the
+ Perl package (since it was passed in as an attribute to the
+ derivation), so `$perl/bin` is the directory containing the Perl
+ interpreter.
+
+ - Now we have to unpack the sources. The `src` attribute was bound to
+ the result of fetching the Hello source tarball from the network, so
+ the src environment variable points to the location in the Nix store
+ to which the tarball was downloaded. After unpacking, we `cd` to the
+ resulting source directory.
+
+ The whole build is performed in a temporary directory created in
+ `/tmp`, by the way. This directory is removed after the builder
+ finishes, so there is no need to clean up the sources afterwards.
+ Also, the temporary directory is always newly created, so you don't
+ have to worry about files from previous builds interfering with the
+ current build.
+
+ - GNU Hello is a typical Autoconf-based package, so we first have to
+ run its `configure` script. In Nix every package is stored in a
+ separate location in the Nix store, for instance
+ `/nix/store/9a54ba97fb71b65fda531012d0443ce2-hello-2.1.1`. Nix
+ computes this path by cryptographically hashing all attributes of
+ the derivation. The path is passed to the builder through the out
+ environment variable. So here we give `configure` the parameter
+ `--prefix=$out` to cause Hello to be installed in the expected
+ location.
+
+ - Finally we build Hello (`make`) and install it into the location
+ specified by out (`make install`).
+
+If you are wondering about the absence of error checking on the result
+of various commands called in the builder: this is because the shell
+script is evaluated with Bash's `-e` option, which causes the script to
+be aborted if any command fails without an error check.
+
+1. Actually, it's initialised to `/path-not-set` to prevent Bash from
+ setting it to a default value.
diff --git a/doc/manual/src/expressions/builder-syntax.md b/doc/manual/src/expressions/builder-syntax.md
new file mode 100644
index 000000000..c92acf106
--- /dev/null
+++ b/doc/manual/src/expressions/builder-syntax.md
@@ -0,0 +1,72 @@
+# Builder Syntax
+
+ source $stdenv/setup
+
+ PATH=$perl/bin:$PATH
+
+ tar xvfz $src
+ cd hello-*
+ ./configure --prefix=$out
+ make
+ make install
+
+[example\_title](#ex-hello-builder) shows the builder referenced from
+Hello's Nix expression (stored in
+`pkgs/applications/misc/hello/ex-1/builder.sh`). The builder can
+actually be made a lot shorter by using the *generic builder* functions
+provided by `stdenv`, but here we write out the build steps to elucidate
+what a builder does. It performs the following steps:
+
+ - When Nix runs a builder, it initially completely clears the
+ environment (except for the attributes declared in the derivation).
+ For instance, the PATH variable is empty\[1\]. This is done to
+ prevent undeclared inputs from being used in the build process. If
+ for example the PATH contained `/usr/bin`, then you might
+ accidentally use `/usr/bin/gcc`.
+
+ So the first step is to set up the environment. This is done by
+ calling the `setup` script of the standard environment. The
+ environment variable stdenv points to the location of the standard
+ environment being used. (It wasn't specified explicitly as an
+ attribute in [???](#ex-hello-nix), but `mkDerivation` adds it
+ automatically.)
+
+ - Since Hello needs Perl, we have to make sure that Perl is in the
+ PATH. The perl environment variable points to the location of the
+ Perl package (since it was passed in as an attribute to the
+ derivation), so `$perl/bin` is the directory containing the Perl
+ interpreter.
+
+ - Now we have to unpack the sources. The `src` attribute was bound to
+ the result of fetching the Hello source tarball from the network, so
+ the src environment variable points to the location in the Nix store
+ to which the tarball was downloaded. After unpacking, we `cd` to the
+ resulting source directory.
+
+ The whole build is performed in a temporary directory created in
+ `/tmp`, by the way. This directory is removed after the builder
+ finishes, so there is no need to clean up the sources afterwards.
+ Also, the temporary directory is always newly created, so you don't
+ have to worry about files from previous builds interfering with the
+ current build.
+
+ - GNU Hello is a typical Autoconf-based package, so we first have to
+ run its `configure` script. In Nix every package is stored in a
+ separate location in the Nix store, for instance
+ `/nix/store/9a54ba97fb71b65fda531012d0443ce2-hello-2.1.1`. Nix
+ computes this path by cryptographically hashing all attributes of
+ the derivation. The path is passed to the builder through the out
+ environment variable. So here we give `configure` the parameter
+ `--prefix=$out` to cause Hello to be installed in the expected
+ location.
+
+ - Finally we build Hello (`make`) and install it into the location
+ specified by out (`make install`).
+
+If you are wondering about the absence of error checking on the result
+of various commands called in the builder: this is because the shell
+script is evaluated with Bash's `-e` option, which causes the script to
+be aborted if any command fails without an error check.
+
+1. Actually, it's initialised to `/path-not-set` to prevent Bash from
+ setting it to a default value.
diff --git a/doc/manual/src/expressions/builtins.md b/doc/manual/src/expressions/builtins.md
new file mode 100644
index 000000000..a378fe8e4
--- /dev/null
+++ b/doc/manual/src/expressions/builtins.md
@@ -0,0 +1,839 @@
+# Built-in Functions
+
+This section lists the functions and constants built into the Nix
+expression evaluator. (The built-in function `derivation` is discussed
+above.) Some built-ins, such as `derivation`, are always in scope of
+every Nix expression; you can just access them right away. But to
+prevent polluting the namespace too much, most built-ins are not in
+scope. Instead, you can access them through the `builtins` built-in
+value, which is a set that contains all built-in functions and values.
+For instance, `derivation` is also available as `builtins.derivation`.
+
+ - `abort` s; `builtins.abort` s
+ Abort Nix expression evaluation, print error message s.
+
+ - `builtins.add` e1 e2
+ Return the sum of the numbers e1 and e2.
+
+ - `builtins.all` pred list
+ Return `true` if the function pred returns `true` for all elements
+ of list, and `false` otherwise.
+
+ - `builtins.any` pred list
+ Return `true` if the function pred returns `true` for at least one
+ element of list, and `false` otherwise.
+
+ - `builtins.attrNames` set
+ Return the names of the attributes in the set set in an
+ alphabetically sorted list. For instance, `builtins.attrNames { y
+ = 1; x = "foo"; }` evaluates to `[ "x" "y" ]`.
+
+ - `builtins.attrValues` set
+ Return the values of the attributes in the set set in the order
+ corresponding to the sorted attribute names.
+
+ - `baseNameOf` s
+ Return the *base name* of the string s, that is, everything
+ following the final slash in the string. This is similar to the GNU
+ `basename` command.
+
+ - `builtins.bitAnd` e1 e2
+ Return the bitwise AND of the integers e1 and e2.
+
+ - `builtins.bitOr` e1 e2
+ Return the bitwise OR of the integers e1 and e2.
+
+ - `builtins.bitXor` e1 e2
+ Return the bitwise XOR of the integers e1 and e2.
+
+ - `builtins`
+ The set `builtins` contains all the built-in functions and values.
+ You can use `builtins` to test for the availability of features in
+ the Nix installation, e.g.,
+
+ if builtins ? getEnv then builtins.getEnv "PATH" else ""
+
+ This allows a Nix expression to fall back gracefully on older Nix
+ installations that don’t have the desired built-in function.
+
+ - `builtins.compareVersions` s1 s2
+ Compare two strings representing versions and return `-1` if version
+ s1 is older than version s2, `0` if they are the same, and `1` if s1
+ is newer than s2. The version comparison algorithm is the same as
+ the one used by [`nix-env
+ -u`](#ssec-version-comparisons).
+
+ - `builtins.concatLists` lists
+ Concatenate a list of lists into a single list.
+
+ - `builtins.concatStringsSep` separator list
+ Concatenate a list of strings with a separator between each element,
+ e.g. `concatStringsSep "/"
+ ["usr" "local" "bin"] == "usr/local/bin"`
+
+ - `builtins.currentSystem`
+ The built-in value `currentSystem` evaluates to the Nix platform
+ identifier for the Nix installation on which the expression is being
+ evaluated, such as `"i686-linux"` or `"x86_64-darwin"`.
+
+ - `builtins.deepSeq` e1 e2
+ This is like `seq
+ e1
+ e2`, except that e1 is evaluated *deeply*: if it’s a list or set,
+ its elements or attributes are also evaluated recursively.
+
+ - `derivation` attrs; `builtins.derivation` attrs
+ `derivation` is described in [???](#ssec-derivation).
+
+ - `dirOf` s; `builtins.dirOf` s
+ Return the directory part of the string s, that is, everything
+ before the final slash in the string. This is similar to the GNU
+ `dirname` command.
+
+ - `builtins.div` e1 e2
+ Return the quotient of the numbers e1 and e2.
+
+ - `builtins.elem` x xs
+ Return `true` if a value equal to x occurs in the list xs, and
+ `false` otherwise.
+
+ - `builtins.elemAt` xs n
+ Return element n from the list xs. Elements are counted starting
+ from 0. A fatal error occurs if the index is out of bounds.
+
+ - `builtins.fetchurl` url
+ Download the specified URL and return the path of the downloaded
+ file. This function is not available if [restricted evaluation
+ mode](#conf-restrict-eval) is enabled.
+
+ - `fetchTarball` url; `builtins.fetchTarball` url
+ Download the specified URL, unpack it and return the path of the
+ unpacked tree. The file must be a tape archive (`.tar`) compressed
+ with `gzip`, `bzip2` or `xz`. The top-level path component of the
+ files in the tarball is removed, so it is best if the tarball
+ contains a single directory at top level. The typical use of the
+ function is to obtain external Nix expression dependencies, such as
+ a particular version of Nixpkgs, e.g.
+
+ with import (fetchTarball https://github.com/NixOS/nixpkgs/archive/nixos-14.12.tar.gz) {};
+
+ stdenv.mkDerivation { … }
+
+ The fetched tarball is cached for a certain amount of time (1 hour
+ by default) in `~/.cache/nix/tarballs/`. You can change the cache
+ timeout either on the command line with `--option tarball-ttl number
+ of seconds` or in the Nix configuration file with this option: `
+ number of seconds to cache `.
+
+ Note that when obtaining the hash with ` nix-prefetch-url
+ ` the option `--unpack` is required.
+
+ This function can also verify the contents against a hash. In that
+ case, the function takes a set instead of a URL. The set requires
+ the attribute `url` and the attribute `sha256`, e.g.
+
+ with import (fetchTarball {
+ url = "https://github.com/NixOS/nixpkgs/archive/nixos-14.12.tar.gz";
+ sha256 = "1jppksrfvbk5ypiqdz4cddxdl8z6zyzdb2srq8fcffr327ld5jj2";
+ }) {};
+
+ stdenv.mkDerivation { … }
+
+ This function is not available if [restricted evaluation
+ mode](#conf-restrict-eval) is enabled.
+
+ - `builtins.fetchGit` args
+ Fetch a path from git. args can be a URL, in which case the HEAD of
+ the repo at that URL is fetched. Otherwise, it can be an attribute
+ with the following attributes (all except `url` optional):
+
+ - url
+ The URL of the repo.
+
+ - name
+ The name of the directory the repo should be exported to in the
+ store. Defaults to the basename of the URL.
+
+ - rev
+ The git revision to fetch. Defaults to the tip of `ref`.
+
+ - ref
+ The git ref to look for the requested revision under. This is
+ often a branch or tag name. Defaults to `HEAD`.
+
+ By default, the `ref` value is prefixed with `refs/heads/`. As
+ of Nix 2.3.0 Nix will not prefix `refs/heads/` if `ref` starts
+ with `refs/`.
+
+ - submodules
+ A Boolean parameter that specifies whether submodules should be
+ checked out. Defaults to `false`.
+
+ <!-- end list -->
+
+ builtins.fetchGit {
+ url = "git@github.com:my-secret/repository.git";
+ ref = "master";
+ rev = "adab8b916a45068c044658c4158d81878f9ed1c3";
+ }
+
+ builtins.fetchGit {
+ url = "https://github.com/NixOS/nix.git";
+ ref = "refs/heads/0.5-release";
+ }
+
+ If the revision you're looking for is in the default branch of the
+ git repository you don't strictly need to specify the branch name in
+ the `ref` attribute.
+
+ However, if the revision you're looking for is in a future branch
+ for the non-default branch you will need to specify the the `ref`
+ attribute as well.
+
+ builtins.fetchGit {
+ url = "https://github.com/nixos/nix.git";
+ rev = "841fcbd04755c7a2865c51c1e2d3b045976b7452";
+ ref = "1.11-maintenance";
+ }
+
+ > **Note**
+ >
+ > It is nice to always specify the branch which a revision belongs
+ > to. Without the branch being specified, the fetcher might fail if
+ > the default branch changes. Additionally, it can be confusing to
+ > try a commit from a non-default branch and see the fetch fail. If
+ > the branch is specified the fault is much more obvious.
+
+ If the revision you're looking for is in the default branch of the
+ git repository you may omit the `ref` attribute.
+
+ builtins.fetchGit {
+ url = "https://github.com/nixos/nix.git";
+ rev = "841fcbd04755c7a2865c51c1e2d3b045976b7452";
+ }
+
+ builtins.fetchGit {
+ url = "https://github.com/nixos/nix.git";
+ ref = "refs/tags/1.9";
+ }
+
+ `builtins.fetchGit` can behave impurely fetch the latest version of
+ a remote branch.
+
+ > **Note**
+ >
+ > Nix will refetch the branch in accordance to
+ > [???](#conf-tarball-ttl).
+
+ > **Note**
+ >
+ > This behavior is disabled in *Pure evaluation mode*.
+
+ builtins.fetchGit {
+ url = "ssh://git@github.com/nixos/nix.git";
+ ref = "master";
+ }
+
+ - `builtins.filter` f xs
+ Return a list consisting of the elements of xs for which the
+ function f returns `true`.
+
+ - `builtins.filterSource` e1 e2
+ This function allows you to copy sources into the Nix store while
+ filtering certain files. For instance, suppose that you want to use
+ the directory `source-dir` as an input to a Nix expression, e.g.
+
+ stdenv.mkDerivation {
+ ...
+ src = ./source-dir;
+ }
+
+ However, if `source-dir` is a Subversion working copy, then all
+ those annoying `.svn` subdirectories will also be copied to the
+ store. Worse, the contents of those directories may change a lot,
+ causing lots of spurious rebuilds. With `filterSource` you can
+ filter out the `.svn` directories:
+
+ ```
+ src = builtins.filterSource
+ (path: type: type != "directory" || baseNameOf path != ".svn")
+ ./source-dir;
+ ```
+
+ Thus, the first argument e1 must be a predicate function that is
+ called for each regular file, directory or symlink in the source
+ tree e2. If the function returns `true`, the file is copied to the
+ Nix store, otherwise it is omitted. The function is called with two
+ arguments. The first is the full path of the file. The second is a
+ string that identifies the type of the file, which is either
+ `"regular"`, `"directory"`, `"symlink"` or `"unknown"` (for other
+ kinds of files such as device nodes or fifos — but note that those
+ cannot be copied to the Nix store, so if the predicate returns
+ `true` for them, the copy will fail). If you exclude a directory,
+ the entire corresponding subtree of e2 will be excluded.
+
+ - `builtins.foldl’` op nul list
+ Reduce a list by applying a binary operator, from left to right,
+ e.g. `foldl’ op nul [x0 x1 x2 ...] = op (op
+ (op nul x0) x1) x2) ...`. The operator is applied strictly, i.e.,
+ its arguments are evaluated first. For example, `foldl’ (x: y: x +
+ y) 0 [1 2 3]` evaluates to 6.
+
+ - `builtins.functionArgs` f
+ Return a set containing the names of the formal arguments expected
+ by the function f. The value of each attribute is a Boolean denoting
+ whether the corresponding argument has a default value. For
+ instance, `functionArgs ({ x, y ? 123}: ...) = { x = false; y =
+ true; }`.
+
+ "Formal argument" here refers to the attributes pattern-matched by
+ the function. Plain lambdas are not included, e.g. `functionArgs (x:
+ ...) = { }`.
+
+ - `builtins.fromJSON` e
+ Convert a JSON string to a Nix value. For example,
+
+ builtins.fromJSON ''{"x": [1, 2, 3], "y": null}''
+
+ returns the value `{ x = [ 1 2 3 ]; y = null;
+ }`.
+
+ - `builtins.genList` generator length
+ Generate list of size length, with each element i equal to the value
+ returned by generator `i`. For example,
+
+ builtins.genList (x: x * x) 5
+
+ returns the list `[ 0 1 4 9 16 ]`.
+
+ - `builtins.getAttr` s set
+ `getAttr` returns the attribute named s from set. Evaluation aborts
+ if the attribute doesn’t exist. This is a dynamic version of the `.`
+ operator, since s is an expression rather than an identifier.
+
+ - `builtins.getEnv` s
+ `getEnv` returns the value of the environment variable s, or an
+ empty string if the variable doesn’t exist. This function should be
+ used with care, as it can introduce all sorts of nasty environment
+ dependencies in your Nix expression.
+
+ `getEnv` is used in Nix Packages to locate the file
+ `~/.nixpkgs/config.nix`, which contains user-local settings for Nix
+ Packages. (That is, it does a `getEnv "HOME"` to locate the user’s
+ home directory.)
+
+ - `builtins.hasAttr` s set
+ `hasAttr` returns `true` if set has an attribute named s, and
+ `false` otherwise. This is a dynamic version of the `?` operator,
+ since s is an expression rather than an identifier.
+
+ - `builtins.hashString` type s
+ Return a base-16 representation of the cryptographic hash of string
+ s. The hash algorithm specified by type must be one of `"md5"`,
+ `"sha1"`, `"sha256"` or `"sha512"`.
+
+ - `builtins.hashFile` type p
+ Return a base-16 representation of the cryptographic hash of the
+ file at path p. The hash algorithm specified by type must be one of
+ `"md5"`, `"sha1"`, `"sha256"` or `"sha512"`.
+
+ - `builtins.head` list
+ Return the first element of a list; abort evaluation if the argument
+ isn’t a list or is an empty list. You can test whether a list is
+ empty by comparing it with `[]`.
+
+ - `import` path; `builtins.import` path
+ Load, parse and return the Nix expression in the file path. If path
+ is a directory, the file ` default.nix
+ ` in that directory is loaded. Evaluation aborts if the file
+ doesn’t exist or contains an incorrect Nix expression. `import`
+ implements Nix’s module system: you can put any Nix expression (such
+ as a set or a function) in a separate file, and use it from Nix
+ expressions in other files.
+
+ > **Note**
+ >
+ > Unlike some languages, `import` is a regular function in Nix.
+ > Paths using the angle bracket syntax (e.g., `
+ > > > > > import` \<foo\>) are normal path values (see [???](#ssec-values)).
+
+ A Nix expression loaded by `import` must not contain any *free
+ variables* (identifiers that are not defined in the Nix expression
+ itself and are not built-in). Therefore, it cannot refer to
+ variables that are in scope at the call site. For instance, if you
+ have a calling expression
+
+ rec {
+ x = 123;
+ y = import ./foo.nix;
+ }
+
+ then the following `foo.nix` will give an error:
+
+ x + 456
+
+ since `x` is not in scope in `foo.nix`. If you want `x` to be
+ available in `foo.nix`, you should pass it as a function argument:
+
+ rec {
+ x = 123;
+ y = import ./foo.nix x;
+ }
+
+ and
+
+ x: x + 456
+
+ (The function argument doesn’t have to be called `x` in `foo.nix`;
+ any name would work.)
+
+ - `builtins.intersectAttrs` e1 e2
+ Return a set consisting of the attributes in the set e2 that also
+ exist in the set e1.
+
+ - `builtins.isAttrs` e
+ Return `true` if e evaluates to a set, and `false` otherwise.
+
+ - `builtins.isList` e
+ Return `true` if e evaluates to a list, and `false` otherwise.
+
+ - `builtins.isFunction` e
+ Return `true` if e evaluates to a function, and `false` otherwise.
+
+ - `builtins.isString` e
+ Return `true` if e evaluates to a string, and `false` otherwise.
+
+ - `builtins.isInt` e
+ Return `true` if e evaluates to an int, and `false` otherwise.
+
+ - `builtins.isFloat` e
+ Return `true` if e evaluates to a float, and `false` otherwise.
+
+ - `builtins.isBool` e
+ Return `true` if e evaluates to a bool, and `false` otherwise.
+
+ - `builtins.isPath` e
+ Return `true` if e evaluates to a path, and `false` otherwise.
+
+ - `isNull` e; `builtins.isNull` e
+ Return `true` if e evaluates to `null`, and `false` otherwise.
+
+ > **Warning**
+ >
+ > This function is *deprecated*; just write `e == null` instead.
+
+ - `builtins.length` e
+ Return the length of the list e.
+
+ - `builtins.lessThan` e1 e2
+ Return `true` if the number e1 is less than the number e2, and
+ `false` otherwise. Evaluation aborts if either e1 or e2 does not
+ evaluate to a number.
+
+ - `builtins.listToAttrs` e
+ Construct a set from a list specifying the names and values of each
+ attribute. Each element of the list should be a set consisting of a
+ string-valued attribute `name` specifying the name of the attribute,
+ and an attribute `value` specifying its value. Example:
+
+ builtins.listToAttrs
+ [ { name = "foo"; value = 123; }
+ { name = "bar"; value = 456; }
+ ]
+
+ evaluates to
+
+ { foo = 123; bar = 456; }
+
+ - `map` f list; `builtins.map` f list
+ Apply the function f to each element in the list list. For example,
+
+ map (x: "foo" + x) [ "bar" "bla" "abc" ]
+
+ evaluates to `[ "foobar" "foobla" "fooabc"
+ ]`.
+
+ - `builtins.match` regex str
+ Returns a list if the [extended POSIX regular
+ expression](http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04)
+ regex matches str precisely, otherwise returns `null`. Each item in
+ the list is a regex group.
+
+ builtins.match "ab" "abc"
+
+ Evaluates to `null`.
+
+ builtins.match "abc" "abc"
+
+ Evaluates to `[ ]`.
+
+ builtins.match "a(b)(c)" "abc"
+
+ Evaluates to `[ "b" "c" ]`.
+
+ builtins.match "[[:space:]]+([[:upper:]]+)[[:space:]]+" " FOO "
+
+ Evaluates to `[ "foo" ]`.
+
+ - `builtins.mul` e1 e2
+ Return the product of the numbers e1 and e2.
+
+ - `builtins.parseDrvName` s
+ Split the string s into a package name and version. The package name
+ is everything up to but not including the first dash followed by a
+ digit, and the version is everything following that dash. The result
+ is returned in a set `{ name, version }`. Thus,
+ `builtins.parseDrvName "nix-0.12pre12876"` returns `{ name = "nix";
+ version = "0.12pre12876";
+ }`.
+
+ - `builtins.path` args
+ An enrichment of the built-in path type, based on the attributes
+ present in args. All are optional except `path`:
+
+ - path
+ The underlying path.
+
+ - name
+ The name of the path when added to the store. This can used to
+ reference paths that have nix-illegal characters in their names,
+ like `@`.
+
+ - filter
+ A function of the type expected by
+ [builtins.filterSource](#builtin-filterSource), with the same
+ semantics.
+
+ - recursive
+ When `false`, when `path` is added to the store it is with a
+ flat hash, rather than a hash of the NAR serialization of the
+ file. Thus, `path` must refer to a regular file, not a
+ directory. This allows similar behavior to `fetchurl`. Defaults
+ to `true`.
+
+ - sha256
+ When provided, this is the expected hash of the file at the
+ path. Evaluation will fail if the hash is incorrect, and
+ providing a hash allows `builtins.path` to be used even when the
+ `pure-eval` nix config option is on.
+
+ - `builtins.pathExists` path
+ Return `true` if the path path exists at evaluation time, and
+ `false` otherwise.
+
+ - `builtins.placeholder` output
+ Return a placeholder string for the specified output that will be
+ substituted by the corresponding output path at build time. Typical
+ outputs would be `"out"`, `"bin"` or `"dev"`.
+
+ - `builtins.readDir` path
+ Return the contents of the directory path as a set mapping directory
+ entries to the corresponding file type. For instance, if directory
+ `A` contains a regular file `B` and another directory `C`, then
+ `builtins.readDir
+ ./A` will return the set
+
+ { B = "regular"; C = "directory"; }
+
+ The possible values for the file type are `"regular"`,
+ `"directory"`, `"symlink"` and `"unknown"`.
+
+ - `builtins.readFile` path
+ Return the contents of the file path as a string.
+
+ - `removeAttrs` set list; `builtins.removeAttrs` set list
+ Remove the attributes listed in list from set. The attributes don’t
+ have to exist in set. For instance,
+
+ removeAttrs { x = 1; y = 2; z = 3; } [ "a" "x" "z" ]
+
+ evaluates to `{ y = 2; }`.
+
+ - `builtins.replaceStrings` from to s
+ Given string s, replace every occurrence of the strings in from with
+ the corresponding string in to. For example,
+
+ builtins.replaceStrings ["oo" "a"] ["a" "i"] "foobar"
+
+ evaluates to `"fabir"`.
+
+ - `builtins.seq` e1 e2
+ Evaluate e1, then evaluate and return e2. This ensures that a
+ computation is strict in the value of e1.
+
+ - `builtins.sort` comparator list
+ Return list in sorted order. It repeatedly calls the function
+ comparator with two elements. The comparator should return `true` if
+ the first element is less than the second, and `false` otherwise.
+ For example,
+
+ builtins.sort builtins.lessThan [ 483 249 526 147 42 77 ]
+
+ produces the list `[ 42 77 147 249 483 526
+ ]`.
+
+ This is a stable sort: it preserves the relative order of elements
+ deemed equal by the comparator.
+
+ - `builtins.split` regex str
+ Returns a list composed of non matched strings interleaved with the
+ lists of the [extended POSIX regular
+ expression](http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html#tag_09_04)
+ regex matches of str. Each item in the lists of matched sequences is
+ a regex group.
+
+ builtins.split "(a)b" "abc"
+
+ Evaluates to `[ "" [ "a" ] "c" ]`.
+
+ builtins.split "([ac])" "abc"
+
+ Evaluates to `[ "" [ "a" ] "b" [ "c" ] "" ]`.
+
+ builtins.split "(a)|(c)" "abc"
+
+ Evaluates to `[ "" [ "a" null ] "b" [ null "c" ] "" ]`.
+
+ builtins.split "([[:upper:]]+)" " FOO "
+
+ Evaluates to `[ " " [ "FOO" ] " " ]`.
+
+ - `builtins.splitVersion` s
+ Split a string representing a version into its components, by the
+ same version splitting logic underlying the version comparison in
+ [`nix-env -u`](#ssec-version-comparisons).
+
+ - `builtins.stringLength` e
+ Return the length of the string e. If e is not a string, evaluation
+ is aborted.
+
+ - `builtins.sub` e1 e2
+ Return the difference between the numbers e1 and e2.
+
+ - `builtins.substring` start len s
+ Return the substring of s from character position start (zero-based)
+ up to but not including start + len. If start is greater than the
+ length of the string, an empty string is returned, and if start +
+ len lies beyond the end of the string, only the substring up to the
+ end of the string is returned. start must be non-negative. For
+ example,
+
+ builtins.substring 0 3 "nixos"
+
+ evaluates to `"nix"`.
+
+ - `builtins.tail` list
+ Return the second to last elements of a list; abort evaluation if
+ the argument isn’t a list or is an empty list.
+
+ - `throw` s; `builtins.throw` s
+ Throw an error message s. This usually aborts Nix expression
+ evaluation, but in `nix-env -qa` and other commands that try to
+ evaluate a set of derivations to get information about those
+ derivations, a derivation that throws an error is silently skipped
+ (which is not the case for `abort`).
+
+ - `builtins.toFile` name s
+ Store the string s in a file in the Nix store and return its path.
+ The file has suffix name. This file can be used as an input to
+ derivations. One application is to write builders “inline”. For
+ instance, the following Nix expression combines [???](#ex-hello-nix)
+ and [???](#ex-hello-builder) into one file:
+
+ { stdenv, fetchurl, perl }:
+
+ stdenv.mkDerivation {
+ name = "hello-2.1.1";
+
+ builder = builtins.toFile "builder.sh" "
+ source $stdenv/setup
+
+ PATH=$perl/bin:$PATH
+
+ tar xvfz $src
+ cd hello-*
+ ./configure --prefix=$out
+ make
+ make install
+ ";
+
+ src = fetchurl {
+ url = "http://ftp.nluug.nl/pub/gnu/hello/hello-2.1.1.tar.gz";
+ sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
+ };
+ inherit perl;
+ }
+
+ It is even possible for one file to refer to another, e.g.,
+
+ ```
+ builder = let
+ configFile = builtins.toFile "foo.conf" "
+ # This is some dummy configuration file.
+ ...
+ ";
+ in builtins.toFile "builder.sh" "
+ source $stdenv/setup
+ ...
+ cp ${configFile} $out/etc/foo.conf
+ ";
+ ```
+
+ Note that `${configFile}` is an antiquotation (see
+ [???](#ssec-values)), so the result of the expression `configFile`
+ (i.e., a path like `/nix/store/m7p7jfny445k...-foo.conf`) will be
+ spliced into the resulting string.
+
+ It is however *not* allowed to have files mutually referring to each
+ other, like so:
+
+ let
+ foo = builtins.toFile "foo" "...${bar}...";
+ bar = builtins.toFile "bar" "...${foo}...";
+ in foo
+
+ This is not allowed because it would cause a cyclic dependency in
+ the computation of the cryptographic hashes for `foo` and `bar`.
+
+ It is also not possible to reference the result of a derivation. If
+ you are using Nixpkgs, the `writeTextFile` function is able to do
+ that.
+
+ - `builtins.toJSON` e
+ Return a string containing a JSON representation of e. Strings,
+ integers, floats, booleans, nulls and lists are mapped to their JSON
+ equivalents. Sets (except derivations) are represented as objects.
+ Derivations are translated to a JSON string containing the
+ derivation’s output path. Paths are copied to the store and
+ represented as a JSON string of the resulting store path.
+
+ - `builtins.toPath` s
+ DEPRECATED. Use `/. + "/path"` to convert a string into an absolute
+ path. For relative paths, use `./. + "/path"`.
+
+ - `toString` e; `builtins.toString` e
+ Convert the expression e to a string. e can be:
+
+ - A string (in which case the string is returned unmodified).
+
+ - A path (e.g., `toString /foo/bar` yields `"/foo/bar"`.
+
+ - A set containing `{ __toString = self: ...; }`.
+
+ - An integer.
+
+ - A list, in which case the string representations of its elements
+ are joined with spaces.
+
+ - A Boolean (`false` yields `""`, `true` yields `"1"`).
+
+ - `null`, which yields the empty string.
+
+ - `builtins.toXML` e
+ Return a string containing an XML representation of e. The main
+ application for `toXML` is to communicate information with the
+ builder in a more structured format than plain environment
+ variables.
+
+ [example\_title](#ex-toxml) shows an example where this is the case.
+ The builder is supposed to generate the configuration file for a
+ [Jetty servlet container](http://jetty.mortbay.org/). A servlet
+ container contains a number of servlets (`*.war` files) each
+ exported under a specific URI prefix. So the servlet configuration
+ is a list of sets containing the `path` and `war` of the servlet
+ ([co\_title](#ex-toxml-co-servlets)). This kind of information is
+ difficult to communicate with the normal method of passing
+ information through an environment variable, which just concatenates
+ everything together into a string (which might just work in this
+ case, but wouldn’t work if fields are optional or contain lists
+ themselves). Instead the Nix expression is converted to an XML
+ representation with `toXML`, which is unambiguous and can easily be
+ processed with the appropriate tools. For instance, in the example
+ an XSLT stylesheet ([co\_title](#ex-toxml-co-stylesheet)) is applied
+ to it ([co\_title](#ex-toxml-co-apply)) to generate the XML
+ configuration file for the Jetty server. The XML representation
+ produced from [co\_title](#ex-toxml-co-servlets) by `toXML` is shown
+ in [example\_title](#ex-toxml-result).
+
+ Note that [example\_title](#ex-toxml) uses the `toFile` built-in to
+ write the builder and the stylesheet “inline” in the Nix expression.
+ The path of the stylesheet is spliced into the builder at `xsltproc
+ ${stylesheet}
+ ...`.
+
+ { stdenv, fetchurl, libxslt, jira, uberwiki }:
+
+ stdenv.mkDerivation (rec {
+ name = "web-server";
+
+ buildInputs = [ libxslt ];
+
+ builder = builtins.toFile "builder.sh" "
+ source $stdenv/setup
+ mkdir $out
+ echo "$servlets" | xsltproc ${stylesheet} - > $out/server-conf.xml
+ ";
+
+ stylesheet = builtins.toFile "stylesheet.xsl"
+ "<?xml version='1.0' encoding='UTF-8'?>
+ <xsl:stylesheet xmlns:xsl='http://www.w3.org/1999/XSL/Transform' version='1.0'>
+ <xsl:template match='/'>
+ <Configure>
+ <xsl:for-each select='/expr/list/attrs'>
+ <Call name='addWebApplication'>
+ <Arg><xsl:value-of select=\"attr[@name = 'path']/string/@value\" /></Arg>
+ <Arg><xsl:value-of select=\"attr[@name = 'war']/path/@value\" /></Arg>
+ </Call>
+ </xsl:for-each>
+ </Configure>
+ </xsl:template>
+ </xsl:stylesheet>
+ ";
+
+ servlets = builtins.toXML [
+ { path = "/bugtracker"; war = jira + "/lib/atlassian-jira.war"; }
+ { path = "/wiki"; war = uberwiki + "/uberwiki.war"; }
+ ];
+ })
+
+ <?xml version='1.0' encoding='utf-8'?>
+ <expr>
+ <list>
+ <attrs>
+ <attr name="path">
+ <string value="/bugtracker" />
+ </attr>
+ <attr name="war">
+ <path value="/nix/store/d1jh9pasa7k2...-jira/lib/atlassian-jira.war" />
+ </attr>
+ </attrs>
+ <attrs>
+ <attr name="path">
+ <string value="/wiki" />
+ </attr>
+ <attr name="war">
+ <path value="/nix/store/y6423b1yi4sx...-uberwiki/uberwiki.war" />
+ </attr>
+ </attrs>
+ </list>
+ </expr>
+
+ - `builtins.trace` e1 e2
+ Evaluate e1 and print its abstract syntax representation on standard
+ error. Then return e2. This function is useful for debugging.
+
+ - `builtins.tryEval` e
+ Try to shallowly evaluate e. Return a set containing the attributes
+ `success` (`true` if e evaluated successfully, `false` if an error
+ was thrown) and `value`, equalling e if successful and `false`
+ otherwise. Note that this doesn't evaluate e deeply, so ` let e = {
+ x = throw ""; }; in (builtins.tryEval e).success
+ ` will be `true`. Using ` builtins.deepSeq
+ ` one can get the expected result: `let e = { x = throw "";
+ }; in (builtins.tryEval (builtins.deepSeq e e)).success` will be
+ `false`.
+
+ - `builtins.typeOf` e
+ Return a string representing the type of the value e, namely
+ `"int"`, `"bool"`, `"string"`, `"path"`, `"null"`, `"set"`,
+ `"list"`, `"lambda"` or `"float"`.
diff --git a/doc/manual/src/expressions/derivations.md b/doc/manual/src/expressions/derivations.md
new file mode 100644
index 000000000..7ffc6fabe
--- /dev/null
+++ b/doc/manual/src/expressions/derivations.md
@@ -0,0 +1,154 @@
+# Derivations
+
+The most important built-in function is `derivation`, which is used to
+describe a single derivation (a build action). It takes as input a set,
+the attributes of which specify the inputs of the build.
+
+ - There must be an attribute named `system` whose value must be a
+ string specifying a Nix platform identifier, such as `"i686-linux"`
+ or `"x86_64-darwin"`\[1\] The build can only be performed on a
+ machine and operating system matching the platform identifier. (Nix
+ can automatically forward builds for other platforms by forwarding
+ them to other machines; see [???](#chap-distributed-builds).)
+
+ - There must be an attribute named `name` whose value must be a
+ string. This is used as a symbolic name for the package by
+ `nix-env`, and it is appended to the output paths of the derivation.
+
+ - There must be an attribute named `builder` that identifies the
+ program that is executed to perform the build. It can be either a
+ derivation or a source (a local file reference, e.g.,
+ `./builder.sh`).
+
+ - Every attribute is passed as an environment variable to the builder.
+ Attribute values are translated to environment variables as follows:
+
+ - Strings and numbers are just passed verbatim.
+
+ - A *path* (e.g., `../foo/sources.tar`) causes the referenced file
+ to be copied to the store; its location in the store is put in
+ the environment variable. The idea is that all sources should
+ reside in the Nix store, since all inputs to a derivation should
+ reside in the Nix store.
+
+ - A *derivation* causes that derivation to be built prior to the
+ present derivation; its default output path is put in the
+ environment variable.
+
+ - Lists of the previous types are also allowed. They are simply
+ concatenated, separated by spaces.
+
+ - `true` is passed as the string `1`, `false` and `null` are
+ passed as an empty string.
+
+ - The optional attribute `args` specifies command-line arguments to be
+ passed to the builder. It should be a list.
+
+ - The optional attribute `outputs` specifies a list of symbolic
+ outputs of the derivation. By default, a derivation produces a
+ single output path, denoted as `out`. However, derivations can
+ produce multiple output paths. This is useful because it allows
+ outputs to be downloaded or garbage-collected separately. For
+ instance, imagine a library package that provides a dynamic library,
+ header files, and documentation. A program that links against the
+ library doesn’t need the header files and documentation at runtime,
+ and it doesn’t need the documentation at build time. Thus, the
+ library package could specify:
+
+ outputs = [ "lib" "headers" "doc" ];
+
+ This will cause Nix to pass environment variables `lib`, `headers`
+ and `doc` to the builder containing the intended store paths of each
+ output. The builder would typically do something like
+
+ ./configure --libdir=$lib/lib --includedir=$headers/include --docdir=$doc/share/doc
+
+ for an Autoconf-style package. You can refer to each output of a
+ derivation by selecting it as an attribute, e.g.
+
+ buildInputs = [ pkg.lib pkg.headers ];
+
+ The first element of `outputs` determines the *default output*.
+ Thus, you could also write
+
+ buildInputs = [ pkg pkg.headers ];
+
+ since `pkg` is equivalent to `pkg.lib`.
+
+The function `mkDerivation` in the Nixpkgs standard environment is a
+wrapper around `derivation` that adds a default value for `system` and
+always uses Bash as the builder, to which the supplied builder is passed
+as a command-line argument. See the Nixpkgs manual for details.
+
+The builder is executed as follows:
+
+ - A temporary directory is created under the directory specified by
+ TMPDIR (default `/tmp`) where the build will take place. The current
+ directory is changed to this directory.
+
+ - The environment is cleared and set to the derivation attributes, as
+ specified above.
+
+ - In addition, the following variables are set:
+
+ - NIX\_BUILD\_TOP contains the path of the temporary directory for
+ this build.
+
+ - Also, TMPDIR, TEMPDIR, TMP, TEMP are set to point to the
+ temporary directory. This is to prevent the builder from
+ accidentally writing temporary files anywhere else. Doing so
+ might cause interference by other processes.
+
+ - PATH is set to `/path-not-set` to prevent shells from
+ initialising it to their built-in default value.
+
+ - HOME is set to `/homeless-shelter` to prevent programs from
+ using `/etc/passwd` or the like to find the user's home
+ directory, which could cause impurity. Usually, when HOME is
+ set, it is used as the location of the home directory, even if
+ it points to a non-existent path.
+
+ - NIX\_STORE is set to the path of the top-level Nix store
+ directory (typically, `/nix/store`).
+
+ - For each output declared in `outputs`, the corresponding
+ environment variable is set to point to the intended path in the
+ Nix store for that output. Each output path is a concatenation
+ of the cryptographic hash of all build inputs, the `name`
+ attribute and the output name. (The output name is omitted if
+ it’s `out`.)
+
+ - If an output path already exists, it is removed. Also, locks are
+ acquired to prevent multiple Nix instances from performing the same
+ build at the same time.
+
+ - A log of the combined standard output and error is written to
+ `/nix/var/log/nix`.
+
+ - The builder is executed with the arguments specified by the
+ attribute `args`. If it exits with exit code 0, it is considered to
+ have succeeded.
+
+ - The temporary directory is removed (unless the `-K` option was
+ specified).
+
+ - If the build was successful, Nix scans each output path for
+ references to input paths by looking for the hash parts of the input
+ paths. Since these are potential runtime dependencies, Nix registers
+ them as dependencies of the output paths.
+
+ - After the build, Nix sets the last-modified timestamp on all files
+ in the build result to 1 (00:00:01 1/1/1970 UTC), sets the group to
+ the default group, and sets the mode of the file to 0444 or 0555
+ (i.e., read-only, with execute permission enabled if the file was
+ originally executable). Note that possible `setuid` and `setgid`
+ bits are cleared. Setuid and setgid programs are not currently
+ supported by Nix. This is because the Nix archives used in
+ deployment have no concept of ownership information, and because it
+ makes the build result dependent on the user performing the build.
+
+<!-- end list -->
+
+1. To figure out your platform identifier, look at the line “Checking
+ for the canonical Nix system name” in the output of Nix's
+ `configure` script.
diff --git a/doc/manual/src/expressions/expression-language.md b/doc/manual/src/expressions/expression-language.md
new file mode 100644
index 000000000..267fcb983
--- /dev/null
+++ b/doc/manual/src/expressions/expression-language.md
@@ -0,0 +1,12 @@
+# Nix Expression Language
+
+The Nix expression language is a pure, lazy, functional language. Purity
+means that operations in the language don't have side-effects (for
+instance, there is no variable assignment). Laziness means that
+arguments to functions are evaluated only when they are needed.
+Functional means that functions are “normal” values that can be passed
+around and manipulated in interesting ways. The language is not a
+full-featured, general purpose language. Its main job is to describe
+packages, compositions of packages, and the variability within packages.
+
+This section presents the various features of the language.
diff --git a/doc/manual/src/expressions/expression-syntax.md b/doc/manual/src/expressions/expression-syntax.md
new file mode 100644
index 000000000..935484c33
--- /dev/null
+++ b/doc/manual/src/expressions/expression-syntax.md
@@ -0,0 +1,91 @@
+# Expression Syntax
+
+ { stdenv, fetchurl, perl }:
+
+ stdenv.mkDerivation {
+ name = "hello-2.1.1";
+ builder = ./builder.sh;
+ src = fetchurl {
+ url = "ftp://ftp.nluug.nl/pub/gnu/hello/hello-2.1.1.tar.gz";
+ sha256 = "1md7jsfd8pa45z73bz1kszpp01yw6x5ljkjk2hx7wl800any6465";
+ };
+ inherit perl;
+ }
+
+[example\_title](#ex-hello-nix) shows a Nix expression for GNU Hello.
+It's actually already in the Nix Packages collection in
+`pkgs/applications/misc/hello/ex-1/default.nix`. It is customary to
+place each package in a separate directory and call the single Nix
+expression in that directory `default.nix`. The file has the following
+elements (referenced from the figure by number):
+
+ - This states that the expression is a *function* that expects to be
+ called with three arguments: `stdenv`, `fetchurl`, and `perl`. They
+ are needed to build Hello, but we don't know how to build them here;
+ that's why they are function arguments. `stdenv` is a package that
+ is used by almost all Nix Packages packages; it provides a
+ “standard” environment consisting of the things you would expect
+ in a basic Unix environment: a C/C++ compiler (GCC, to be precise),
+ the Bash shell, fundamental Unix tools such as `cp`, `grep`, `tar`,
+ etc. `fetchurl` is a function that downloads files. `perl` is the
+ Perl interpreter.
+
+ Nix functions generally have the form `{ x, y, ...,
+ z }: e` where `x`, `y`, etc. are the names of the expected
+ arguments, and where e is the body of the function. So here, the
+ entire remainder of the file is the body of the function; when given
+ the required arguments, the body should describe how to build an
+ instance of the Hello package.
+
+ - So we have to build a package. Building something from other stuff
+ is called a *derivation* in Nix (as opposed to sources, which are
+ built by humans instead of computers). We perform a derivation by
+ calling `stdenv.mkDerivation`. `mkDerivation` is a function provided
+ by `stdenv` that builds a package from a set of *attributes*. A set
+ is just a list of key/value pairs where each key is a string and
+ each value is an arbitrary Nix expression. They take the general
+ form `{
+ name1 =
+ expr1; ...
+ nameN =
+ exprN; }`.
+
+ - The attribute `name` specifies the symbolic name and version of the
+ package. Nix doesn't really care about these things, but they are
+ used by for instance `nix-env
+ -q` to show a “human-readable” name for packages. This attribute is
+ required by `mkDerivation`.
+
+ - The attribute `builder` specifies the builder. This attribute can
+ sometimes be omitted, in which case `mkDerivation` will fill in a
+ default builder (which does a `configure; make; make install`, in
+ essence). Hello is sufficiently simple that the default builder
+ would suffice, but in this case, we will show an actual builder for
+ educational purposes. The value `./builder.sh` refers to the shell
+ script shown in [???](#ex-hello-builder), discussed below.
+
+ - The builder has to know what the sources of the package are. Here,
+ the attribute `src` is bound to the result of a call to the
+ `fetchurl` function. Given a URL and a SHA-256 hash of the expected
+ contents of the file at that URL, this function builds a derivation
+ that downloads the file and checks its hash. So the sources are a
+ dependency that like all other dependencies is built before Hello
+ itself is built.
+
+ Instead of `src` any other name could have been used, and in fact
+ there can be any number of sources (bound to different attributes).
+ However, `src` is customary, and it's also expected by the default
+ builder (which we don't use in this example).
+
+ - Since the derivation requires Perl, we have to pass the value of the
+ `perl` function argument to the builder. All attributes in the set
+ are actually passed as environment variables to the builder, so
+ declaring an attribute
+
+ perl = perl;
+
+ will do the trick: it binds an attribute `perl` to the function
+ argument which also happens to be called `perl`. However, it looks a
+ bit silly, so there is a shorter syntax. The `inherit` keyword
+ causes the specified attributes to be bound to whatever variables
+ with the same name happen to be in scope.
diff --git a/doc/manual/src/expressions/generic-builder.md b/doc/manual/src/expressions/generic-builder.md
new file mode 100644
index 000000000..cbc484199
--- /dev/null
+++ b/doc/manual/src/expressions/generic-builder.md
@@ -0,0 +1,61 @@
+# Generic Builder Syntax
+
+Recall from [???](#ex-hello-builder) that the builder looked something
+like this:
+
+ PATH=$perl/bin:$PATH
+ tar xvfz $src
+ cd hello-*
+ ./configure --prefix=$out
+ make
+ make install
+
+The builders for almost all Unix packages look like this — set up some
+environment variables, unpack the sources, configure, build, and
+install. For this reason the standard environment provides some Bash
+functions that automate the build process. A builder using the generic
+build facilities in shown in [example\_title](#ex-hello-builder2).
+
+ buildInputs="$perl"
+
+ source $stdenv/setup
+
+ genericBuild
+
+ - The buildInputs variable tells `setup` to use the indicated packages
+ as “inputs”. This means that if a package provides a `bin`
+ subdirectory, it's added to PATH; if it has a `include`
+ subdirectory, it's added to GCC's header search path; and so
+ on.\[1\]
+
+ - The function `genericBuild` is defined in the file `$stdenv/setup`.
+
+ - The final step calls the shell function `genericBuild`, which
+ performs the steps that were done explicitly in
+ [???](#ex-hello-builder). The generic builder is smart enough to
+ figure out whether to unpack the sources using `gzip`, `bzip2`, etc.
+ It can be customised in many ways; see the Nixpkgs manual for
+ details.
+
+Discerning readers will note that the buildInputs could just as well
+have been set in the Nix expression, like this:
+
+```
+ buildInputs = [ perl ];
+```
+
+The `perl` attribute can then be removed, and the builder becomes even
+shorter:
+
+ source $stdenv/setup
+ genericBuild
+
+In fact, `mkDerivation` provides a default builder that looks exactly
+like that, so it is actually possible to omit the builder for Hello
+entirely.
+
+1. How does it work? `setup` tries to source the file
+ `pkg/nix-support/setup-hook` of all dependencies. These “setup
+ hooks” can then set up whatever environment variables they want;
+ for instance, the setup hook for Perl sets the PERL5LIB environment
+ variable to contain the `lib/site_perl` directories of all inputs.
diff --git a/doc/manual/src/expressions/language-constructs.md b/doc/manual/src/expressions/language-constructs.md
new file mode 100644
index 000000000..a773c239b
--- /dev/null
+++ b/doc/manual/src/expressions/language-constructs.md
@@ -0,0 +1,291 @@
+# Language Constructs
+
+Recursive sets are just normal sets, but the attributes can refer to
+each other. For example,
+
+ rec {
+ x = y;
+ y = 123;
+ }.x
+
+evaluates to `123`. Note that without `rec` the binding `x = y;` would
+refer to the variable `y` in the surrounding scope, if one exists, and
+would be invalid if no such variable exists. That is, in a normal
+(non-recursive) set, attributes are not added to the lexical scope; in a
+recursive set, they are.
+
+Recursive sets of course introduce the danger of infinite recursion. For
+example,
+
+ rec {
+ x = y;
+ y = x;
+ }.x
+
+does not terminate\[1\].
+
+A let-expression allows you to define local variables for an expression.
+For instance,
+
+ let
+ x = "foo";
+ y = "bar";
+ in x + y
+
+evaluates to `"foobar"`.
+
+When defining a set or in a let-expression it is often convenient to
+copy variables from the surrounding lexical scope (e.g., when you want
+to propagate attributes). This can be shortened using the `inherit`
+keyword. For instance,
+
+ let x = 123; in
+ { inherit x;
+ y = 456;
+ }
+
+is equivalent to
+
+ let x = 123; in
+ { x = x;
+ y = 456;
+ }
+
+and both evaluate to `{ x = 123; y = 456; }`. (Note that this works
+because `x` is added to the lexical scope by the `let` construct.) It is
+also possible to inherit attributes from another set. For instance, in
+this fragment from `all-packages.nix`,
+
+```
+ graphviz = (import ../tools/graphics/graphviz) {
+ inherit fetchurl stdenv libpng libjpeg expat x11 yacc;
+ inherit (xlibs) libXaw;
+ };
+
+ xlibs = {
+ libX11 = ...;
+ libXaw = ...;
+ ...
+ }
+
+ libpng = ...;
+ libjpg = ...;
+ ...
+```
+
+the set used in the function call to the function defined in
+`../tools/graphics/graphviz` inherits a number of variables from the
+surrounding scope (`fetchurl` ... `yacc`), but also inherits `libXaw`
+(the X Athena Widgets) from the `xlibs` (X11 client-side libraries) set.
+
+Summarizing the fragment
+
+ ...
+ inherit x y z;
+ inherit (src-set) a b c;
+ ...
+
+is equivalent to
+
+ ...
+ x = x; y = y; z = z;
+ a = src-set.a; b = src-set.b; c = src-set.c;
+ ...
+
+when used while defining local variables in a let-expression or while
+defining a set.
+
+Functions have the following form:
+
+ pattern: body
+
+The pattern specifies what the argument of the function must look like,
+and binds variables in the body to (parts of) the argument. There are
+three kinds of patterns:
+
+ - If a pattern is a single identifier, then the function matches any
+ argument. Example:
+
+ let negate = x: !x;
+ concat = x: y: x + y;
+ in if negate true then concat "foo" "bar" else ""
+
+ Note that `concat` is a function that takes one argument and returns
+ a function that takes another argument. This allows partial
+ parameterisation (i.e., only filling some of the arguments of a
+ function); e.g.,
+
+ map (concat "foo") [ "bar" "bla" "abc" ]
+
+ evaluates to `[ "foobar" "foobla"
+ "fooabc" ]`.
+
+ - A *set pattern* of the form `{ name1, name2, …, nameN }` matches a
+ set containing the listed attributes, and binds the values of those
+ attributes to variables in the function body. For example, the
+ function
+
+ { x, y, z }: z + y + x
+
+ can only be called with a set containing exactly the attributes `x`,
+ `y` and `z`. No other attributes are allowed. If you want to allow
+ additional arguments, you can use an ellipsis (`...`):
+
+ { x, y, z, ... }: z + y + x
+
+ This works on any set that contains at least the three named
+ attributes.
+
+ It is possible to provide *default values* for attributes, in which
+ case they are allowed to be missing. A default value is specified by
+ writing `name ?
+ e`, where e is an arbitrary expression. For example,
+
+ { x, y ? "foo", z ? "bar" }: z + y + x
+
+ specifies a function that only requires an attribute named `x`, but
+ optionally accepts `y` and `z`.
+
+ - An `@`-pattern provides a means of referring to the whole value
+ being matched:
+
+ ```
+ args@{ x, y, z, ... }: z + y + x + args.a
+ ```
+
+ but can also be written as:
+
+ ```
+ { x, y, z, ... } @ args: z + y + x + args.a
+ ```
+
+ Here `args` is bound to the entire argument, which is further
+ matched against the pattern `{ x, y, z,
+ ... }`. `@`-pattern makes mainly sense with an ellipsis(`...`) as
+ you can access attribute names as `a`, using `args.a`, which was
+ given as an additional attribute to the function.
+
+ > **Warning**
+ >
+ > The `args@` expression is bound to the argument passed to the
+ > function which means that attributes with defaults that aren't
+ > explicitly specified in the function call won't cause an
+ > evaluation error, but won't exist in `args`.
+ >
+ > For instance
+ >
+ > let
+ > function = args@{ a ? 23, ... }: args;
+ > in
+ > function {}
+ >
+ > will evaluate to an empty attribute set.
+
+Note that functions do not have names. If you want to give them a name,
+you can bind them to an attribute, e.g.,
+
+ let concat = { x, y }: x + y;
+ in concat { x = "foo"; y = "bar"; }
+
+Conditionals look like this:
+
+ if e1 then e2 else e3
+
+where e1 is an expression that should evaluate to a Boolean value
+(`true` or `false`).
+
+Assertions are generally used to check that certain requirements on or
+between features and dependencies hold. They look like this:
+
+ assert e1; e2
+
+where e1 is an expression that should evaluate to a Boolean value. If it
+evaluates to `true`, e2 is returned; otherwise expression evaluation is
+aborted and a backtrace is printed.
+
+ { localServer ? false
+ , httpServer ? false
+ , sslSupport ? false
+ , pythonBindings ? false
+ , javaSwigBindings ? false
+ , javahlBindings ? false
+ , stdenv, fetchurl
+ , openssl ? null, httpd ? null, db4 ? null, expat, swig ? null, j2sdk ? null
+ }:
+
+ assert localServer -> db4 != null;
+ assert httpServer -> httpd != null && httpd.expat == expat;
+ assert sslSupport -> openssl != null && (httpServer -> httpd.openssl == openssl);
+ assert pythonBindings -> swig != null && swig.pythonSupport;
+ assert javaSwigBindings -> swig != null && swig.javaSupport;
+ assert javahlBindings -> j2sdk != null;
+
+ stdenv.mkDerivation {
+ name = "subversion-1.1.1";
+ ...
+ openssl = if sslSupport then openssl else null;
+ ...
+ }
+
+[example\_title](#ex-subversion-nix) show how assertions are used in the
+Nix expression for Subversion.
+
+ - This assertion states that if Subversion is to have support for
+ local repositories, then Berkeley DB is needed. So if the Subversion
+ function is called with the `localServer` argument set to `true` but
+ the `db4` argument set to `null`, then the evaluation fails.
+
+ - This is a more subtle condition: if Subversion is built with Apache
+ (`httpServer`) support, then the Expat library (an XML library) used
+ by Subversion should be same as the one used by Apache. This is
+ because in this configuration Subversion code ends up being linked
+ with Apache code, and if the Expat libraries do not match, a build-
+ or runtime link error or incompatibility might occur.
+
+ - This assertion says that in order for Subversion to have SSL support
+ (so that it can access `https` URLs), an OpenSSL library must be
+ passed. Additionally, it says that *if* Apache support is enabled,
+ then Apache's OpenSSL should match Subversion's. (Note that if
+ Apache support is not enabled, we don't care about Apache's
+ OpenSSL.)
+
+ - The conditional here is not really related to assertions, but is
+ worth pointing out: it ensures that if SSL support is disabled, then
+ the Subversion derivation is not dependent on OpenSSL, even if a
+ non-`null` value was passed. This prevents an unnecessary rebuild of
+ Subversion if OpenSSL changes.
+
+A *with-expression*,
+
+ with e1; e2
+
+introduces the set e1 into the lexical scope of the expression e2. For
+instance,
+
+ let as = { x = "foo"; y = "bar"; };
+ in with as; x + y
+
+evaluates to `"foobar"` since the `with` adds the `x` and `y` attributes
+of `as` to the lexical scope in the expression `x + y`. The most common
+use of `with` is in conjunction with the `import` function. E.g.,
+
+ with (import ./definitions.nix); ...
+
+makes all attributes defined in the file `definitions.nix` available as
+if they were defined locally in a `let`-expression.
+
+The bindings introduced by `with` do not shadow bindings introduced by
+other means, e.g.
+
+ let a = 3; in with { a = 1; }; let a = 4; in with { a = 2; }; ...
+
+establishes the same scope as
+
+ let a = 1; in let a = 2; in let a = 3; in let a = 4; in ...
+
+Comments can be single-line, started with a `#` character, or
+inline/multi-line, enclosed within `/*
+... */`.
+
+1. Actually, Nix detects infinite recursion in this case and aborts
+ (“infinite recursion encountered”).
diff --git a/doc/manual/src/expressions/language-operators.md b/doc/manual/src/expressions/language-operators.md
new file mode 100644
index 000000000..4fa2eca37
--- /dev/null
+++ b/doc/manual/src/expressions/language-operators.md
@@ -0,0 +1,32 @@
+# Operators
+
+[table\_title](#table-operators) lists the operators in the Nix
+expression language, in order of precedence (from strongest to weakest
+binding).
+
+| Name | Syntax | Associativity | Description | Precedence |
+| ------------------------ | ----------------------------- | ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| Select | e `.` attrpath \[ `or` def \] | none | Select attribute denoted by the attribute path attrpath from set e. (An attribute path is a dot-separated list of attribute names.) If the attribute doesn’t exist, return def if provided, otherwise abort evaluation. | 1 |
+| Application | e1 e2 | left | Call function e1 with argument e2. | 2 |
+| Arithmetic Negation | `-` e | none | Arithmetic negation. | 3 |
+| Has Attribute | e `?` attrpath | none | Test whether set e contains the attribute denoted by attrpath; return `true` or `false`. | 4 |
+| List Concatenation | e1 `++` e2 | right | List concatenation. | 5 |
+| Multiplication | e1 `*` e2, | left | Arithmetic multiplication. | 6 |
+| Division | e1 `/` e2 | left | Arithmetic division. | 6 |
+| Addition | e1 `+` e2 | left | Arithmetic addition. | 7 |
+| Subtraction | e1 `-` e2 | left | Arithmetic subtraction. | 7 |
+| String Concatenation | string1 `+` string2 | left | String concatenation. | 7 |
+| Not | `!` e | none | Boolean negation. | 8 |
+| Update | e1 `//` e2 | right | Return a set consisting of the attributes in e1 and e2 (with the latter taking precedence over the former in case of equally named attributes). | 9 |
+| Less Than | e1 `<` e2, | none | Arithmetic comparison. | 10 |
+| Less Than or Equal To | e1 `<=` e2 | none | Arithmetic comparison. | 10 |
+| Greater Than | e1 `>` e2 | none | Arithmetic comparison. | 10 |
+| Greater Than or Equal To | e1 `>=` e2 | none | Arithmetic comparison. | 10 |
+| Equality | e1 `==` e2 | none | Equality. | 11 |
+| Inequality | e1 `!=` e2 | none | Inequality. | 11 |
+| Logical AND | e1 `&&` e2 | left | Logical AND. | 12 |
+| Logical OR | e1 `\|\|` e2 | left | Logical OR. | 13 |
+| Logical Implication | e1 `->` e2 | none | Logical implication (equivalent to `!e1 \|\|
+ e2`). | 14 |
+
+Operators
diff --git a/doc/manual/src/expressions/language-values.md b/doc/manual/src/expressions/language-values.md
new file mode 100644
index 000000000..98ad97c97
--- /dev/null
+++ b/doc/manual/src/expressions/language-values.md
@@ -0,0 +1,209 @@
+# Values
+
+Nix has the following basic data types:
+
+ - *Strings* can be written in three ways.
+
+ The most common way is to enclose the string between double quotes,
+ e.g., `"foo bar"`. Strings can span multiple lines. The special
+ characters `"` and `\` and the character sequence `${` must be
+ escaped by prefixing them with a backslash (`\`). Newlines, carriage
+ returns and tabs can be written as `\n`, `\r` and `\t`,
+ respectively.
+
+ You can include the result of an expression into a string by
+ enclosing it in `${...}`, a feature known as *antiquotation*. The
+ enclosed expression must evaluate to something that can be coerced
+ into a string (meaning that it must be a string, a path, or a
+ derivation). For instance, rather than writing
+
+ "--with-freetype2-library=" + freetype + "/lib"
+
+ (where `freetype` is a derivation), you can instead write the more
+ natural
+
+ "--with-freetype2-library=${freetype}/lib"
+
+ The latter is automatically translated to the former. A more
+ complicated example (from the Nix expression for
+ [Qt](http://www.trolltech.com/products/qt)):
+
+ configureFlags = "
+ -system-zlib -system-libpng -system-libjpeg
+ ${if openglSupport then "-dlopen-opengl
+ -L${mesa}/lib -I${mesa}/include
+ -L${libXmu}/lib -I${libXmu}/include" else ""}
+ ${if threadSupport then "-thread" else "-no-thread"}
+ ";
+
+ Note that Nix expressions and strings can be arbitrarily nested; in
+ this case the outer string contains various antiquotations that
+ themselves contain strings (e.g., `"-thread"`), some of which in
+ turn contain expressions (e.g., `${mesa}`).
+
+ The second way to write string literals is as an *indented string*,
+ which is enclosed between pairs of *double single-quotes*, like so:
+
+ ''
+ This is the first line.
+ This is the second line.
+ This is the third line.
+ ''
+
+ This kind of string literal intelligently strips indentation from
+ the start of each line. To be precise, it strips from each line a
+ number of spaces equal to the minimal indentation of the string as a
+ whole (disregarding the indentation of empty lines). For instance,
+ the first and second line are indented two space, while the third
+ line is indented four spaces. Thus, two spaces are stripped from
+ each line, so the resulting string is
+
+ "This is the first line.\nThis is the second line.\n This is the third line.\n"
+
+ Note that the whitespace and newline following the opening `''` is
+ ignored if there is no non-whitespace text on the initial line.
+
+ Antiquotation (`${expr}`) is supported in indented strings.
+
+ Since `${` and `''` have special meaning in indented strings, you
+ need a way to quote them. `$` can be escaped by prefixing it with
+ `''` (that is, two single quotes), i.e., `''$`. `''` can be escaped
+ by prefixing it with `'`, i.e., `'''`. `$` removes any special
+ meaning from the following `$`. Linefeed, carriage-return and tab
+ characters can be written as `''\n`, `''\r`, `''\t`, and `''\`
+ escapes any other character.
+
+ Indented strings are primarily useful in that they allow multi-line
+ string literals to follow the indentation of the enclosing Nix
+ expression, and that less escaping is typically necessary for
+ strings representing languages such as shell scripts and
+ configuration files because `''` is much less common than `"`.
+ Example:
+
+ stdenv.mkDerivation {
+ ...
+ postInstall =
+ ''
+ mkdir $out/bin $out/etc
+ cp foo $out/bin
+ echo "Hello World" > $out/etc/foo.conf
+ ${if enableBar then "cp bar $out/bin" else ""}
+ '';
+ ...
+ }
+
+ Finally, as a convenience, *URIs* as defined in appendix B of
+ [RFC 2396](http://www.ietf.org/rfc/rfc2396.txt) can be written *as
+ is*, without quotes. For instance, the string
+ `"http://example.org/foo.tar.bz2"` can also be written as
+ `http://example.org/foo.tar.bz2`.
+
+ - Numbers, which can be *integers* (like `123`) or *floating point*
+ (like `123.43` or `.27e13`).
+
+ Numbers are type-compatible: pure integer operations will always
+ return integers, whereas any operation involving at least one
+ floating point number will have a floating point number as a result.
+
+ - *Paths*, e.g., `/bin/sh` or `./builder.sh`. A path must contain at
+ least one slash to be recognised as such; for instance, `builder.sh`
+ is not a path\[1\]. If the file name is relative, i.e., if it does
+ not begin with a slash, it is made absolute at parse time relative
+ to the directory of the Nix expression that contained it. For
+ instance, if a Nix expression in `/foo/bar/bla.nix` refers to
+ `../xyzzy/fnord.nix`, the absolute path is `/foo/xyzzy/fnord.nix`.
+
+ If the first component of a path is a `~`, it is interpreted as if
+ the rest of the path were relative to the user's home directory.
+ e.g. `~/foo` would be equivalent to `/home/edolstra/foo` for a user
+ whose home directory is `/home/edolstra`.
+
+ Paths can also be specified between angle brackets, e.g.
+ `<nixpkgs>`. This means that the directories listed in the
+ environment variable NIX\_PATH will be searched for the given file
+ or directory name.
+
+ - *Booleans* with values `true` and `false`.
+
+ - The null value, denoted as `null`.
+
+Lists are formed by enclosing a whitespace-separated list of values
+between square brackets. For example,
+
+ [ 123 ./foo.nix "abc" (f { x = y; }) ]
+
+defines a list of four elements, the last being the result of a call to
+the function `f`. Note that function calls have to be enclosed in
+parentheses. If they had been omitted, e.g.,
+
+ [ 123 ./foo.nix "abc" f { x = y; } ]
+
+the result would be a list of five elements, the fourth one being a
+function and the fifth being a set.
+
+Note that lists are only lazy in values, and they are strict in length.
+
+Sets are really the core of the language, since ultimately the Nix
+language is all about creating derivations, which are really just sets
+of attributes to be passed to build scripts.
+
+Sets are just a list of name/value pairs (called *attributes*) enclosed
+in curly brackets, where each value is an arbitrary expression
+terminated by a semicolon. For example:
+
+ { x = 123;
+ text = "Hello";
+ y = f { bla = 456; };
+ }
+
+This defines a set with attributes named `x`, `text`, `y`. The order of
+the attributes is irrelevant. An attribute name may only occur once.
+
+Attributes can be selected from a set using the `.` operator. For
+instance,
+
+ { a = "Foo"; b = "Bar"; }.a
+
+evaluates to `"Foo"`. It is possible to provide a default value in an
+attribute selection using the `or` keyword. For example,
+
+ { a = "Foo"; b = "Bar"; }.c or "Xyzzy"
+
+will evaluate to `"Xyzzy"` because there is no `c` attribute in the set.
+
+You can use arbitrary double-quoted strings as attribute names:
+
+ { "foo ${bar}" = 123; "nix-1.0" = 456; }."foo ${bar}"
+
+This will evaluate to `123` (Assuming `bar` is antiquotable). In the
+case where an attribute name is just a single antiquotation, the quotes
+can be dropped:
+
+ { foo = 123; }.${bar} or 456
+
+This will evaluate to `123` if `bar` evaluates to `"foo"` when coerced
+to a string and `456` otherwise (again assuming `bar` is antiquotable).
+
+In the special case where an attribute name inside of a set declaration
+evaluates to `null` (which is normally an error, as `null` is not
+antiquotable), that attribute is simply not added to the set:
+
+ { ${if foo then "bar" else null} = true; }
+
+This will evaluate to `{}` if `foo` evaluates to `false`.
+
+A set that has a `__functor` attribute whose value is callable (i.e. is
+itself a function or a set with a `__functor` attribute whose value is
+callable) can be applied as if it were a function, with the set itself
+passed in first , e.g.,
+
+ let add = { __functor = self: x: x + self.x; };
+ inc = add // { x = 1; };
+ in inc 1
+
+evaluates to `2`. This can be used to attach metadata to a function
+without the caller needing to treat it specially, or to implement a form
+of object-oriented programming, for example.
+
+1. It's parsed as an expression that selects the attribute `sh` from
+ the variable `builder`.
diff --git a/doc/manual/src/expressions/simple-building-testing.md b/doc/manual/src/expressions/simple-building-testing.md
new file mode 100644
index 000000000..bc064c733
--- /dev/null
+++ b/doc/manual/src/expressions/simple-building-testing.md
@@ -0,0 +1,57 @@
+# Building and Testing
+
+You can now try to build Hello. Of course, you could do `nix-env -i
+hello`, but you may not want to install a possibly broken package just
+yet. The best way to test the package is by using the command
+`nix-build`, which builds a Nix expression and creates a symlink named
+`result` in the current directory:
+
+ $ nix-build -A hello
+ building path `/nix/store/632d2b22514d...-hello-2.1.1'
+ hello-2.1.1/
+ hello-2.1.1/intl/
+ hello-2.1.1/intl/ChangeLog
+ ...
+
+ $ ls -l result
+ lrwxrwxrwx ... 2006-09-29 10:43 result -> /nix/store/632d2b22514d...-hello-2.1.1
+
+ $ ./result/bin/hello
+ Hello, world!
+
+The [`-A`](#opt-attr) option selects the `hello` attribute. This is
+faster than using the symbolic package name specified by the `name`
+attribute (which also happens to be `hello`) and is unambiguous (there
+can be multiple packages with the symbolic name `hello`, but there can
+be only one attribute in a set named `hello`).
+
+`nix-build` registers the `./result` symlink as a garbage collection
+root, so unless and until you delete the `./result` symlink, the output
+of the build will be safely kept on your system. You can use
+`nix-build`’s `-o` switch to give the symlink another name.
+
+Nix has transactional semantics. Once a build finishes successfully, Nix
+makes a note of this in its database: it registers that the path denoted
+by out is now “valid”. If you try to build the derivation again, Nix
+will see that the path is already valid and finish immediately. If a
+build fails, either because it returns a non-zero exit code, because Nix
+or the builder are killed, or because the machine crashes, then the
+output paths will not be registered as valid. If you try to build the
+derivation again, Nix will remove the output paths if they exist (e.g.,
+because the builder died half-way through `make
+install`) and try again. Note that there is no “negative caching”: Nix
+doesn't remember that a build failed, and so a failed build can always
+be repeated. This is because Nix cannot distinguish between permanent
+failures (e.g., a compiler error due to a syntax error in the source)
+and transient failures (e.g., a disk full condition).
+
+Nix also performs locking. If you run multiple Nix builds
+simultaneously, and they try to build the same derivation, the first Nix
+instance that gets there will perform the build, while the others block
+(or perform other derivations if available) until the build finishes:
+
+ $ nix-build -A hello
+ waiting for lock on `/nix/store/0h5b7hp8d4hqfrw8igvx97x1xawrjnac-hello-2.1.1x'
+
+So it is always safe to run multiple instances of Nix in parallel (which
+isn’t the case with, say, `make`).
diff --git a/doc/manual/src/expressions/simple-expression.md b/doc/manual/src/expressions/simple-expression.md
new file mode 100644
index 000000000..9023f97a4
--- /dev/null
+++ b/doc/manual/src/expressions/simple-expression.md
@@ -0,0 +1,27 @@
+# A Simple Nix Expression
+
+This section shows how to add and test the [GNU Hello
+package](http://www.gnu.org/software/hello/hello.html) to the Nix
+Packages collection. Hello is a program that prints out the text “Hello,
+world\!”.
+
+To add a package to the Nix Packages collection, you generally need to
+do three things:
+
+1. Write a Nix expression for the package. This is a file that
+ describes all the inputs involved in building the package, such as
+ dependencies, sources, and so on.
+
+2. Write a *builder*. This is a shell script\[1\] that actually builds
+ the package from the inputs.
+
+3. Add the package to the file `pkgs/top-level/all-packages.nix`. The
+ Nix expression written in the first step is a *function*; it
+ requires other packages in order to build it. In this step you put
+ it all together, i.e., you call the function with the right
+ arguments to build the actual package.
+
+<!-- end list -->
+
+1. In fact, it can be written in any language, but typically it's a
+ `bash` shell script.
diff --git a/doc/manual/src/expressions/writing-nix-expressions.md b/doc/manual/src/expressions/writing-nix-expressions.md
new file mode 100644
index 000000000..5664108e7
--- /dev/null
+++ b/doc/manual/src/expressions/writing-nix-expressions.md
@@ -0,0 +1,12 @@
+This chapter shows you how to write Nix expressions, which instruct Nix
+how to build packages. It starts with a simple example (a Nix expression
+for GNU Hello), and then moves on to a more in-depth look at the Nix
+expression language.
+
+> **Note**
+>
+> This chapter is mostly about the Nix expression language. For more
+> extensive information on adding packages to the Nix Packages
+> collection (such as functions in the standard environment and coding
+> conventions), please consult [its
+> manual](http://nixos.org/nixpkgs/manual/).
diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
new file mode 100644
index 000000000..c8bdf4fd2
--- /dev/null
+++ b/doc/manual/src/glossary.md
@@ -0,0 +1,102 @@
+# Glossary
+
+ - derivation
+ A description of a build action. The result of a derivation is a
+ store object. Derivations are typically specified in Nix expressions
+ using the [`derivation` primitive](#ssec-derivation). These are
+ translated into low-level *store derivations* (implicitly by
+ `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).
+
+ - store
+ The location in the file system where store objects live. Typically
+ `/nix/store`.
+
+ - store path
+ The location in the file system of a store object, i.e., an
+ immediate child of the Nix store directory.
+
+ - store object
+ A file that is an immediate child of the Nix store directory. These
+ can be regular files, but also entire directory trees. Store objects
+ can be sources (objects copied from outside of the store),
+ derivation outputs (objects produced by running a build action), or
+ derivations (files describing a build action).
+
+ - substitute
+ A substitute is a command invocation stored in the Nix database that
+ describes how to build a store object, bypassing the normal build
+ mechanism (i.e., derivations). Typically, the substitute builds the
+ store object by downloading a pre-built version of the store object
+ from some server.
+
+ - purity
+ The assumption that equal Nix derivations when run always produce
+ the same output. This cannot be guaranteed in general (e.g., a
+ builder can rely on external inputs such as the network or the
+ system time) but the Nix model assumes it.
+
+ - Nix expression
+ A high-level description of software packages and compositions
+ thereof. Deploying software using Nix entails writing Nix
+ expressions for your packages. Nix expressions are translated to
+ derivations that are stored in the Nix store. These derivations can
+ then be built.
+
+ - reference
+ A store path `P` is said to have a reference to a store path `Q` if
+ the store object at `P` contains the path `Q` somewhere. The
+ *references* of a store path are the set of store paths to which it
+ has a reference.
+
+ A derivation can reference other derivations and sources (but not
+ output paths), whereas an output path only references other output
+ paths.
+
+ - reachable
+ A store path `Q` is reachable from another store path `P` if `Q` is
+ in the [closure](#gloss-closure) of the
+ [references](#gloss-reference) relation.
+
+ - closure
+ The closure of a store path is the set of store paths that are
+ directly or indirectly “reachable” from that store path; that is,
+ it’s the closure of the path under the
+ [references](#gloss-reference) relation. For a package, the closure
+ of its derivation is equivalent to the build-time dependencies,
+ while the closure of its output path is equivalent to its runtime
+ dependencies. For correct deployment it is necessary to deploy whole
+ closures, since otherwise at runtime files could be missing. The
+ command `nix-store -qR` prints out closures of store paths.
+
+ As an example, if the store object at path `P` contains a reference
+ to path `Q`, then `Q` is in the closure of `P`. Further, if `Q`
+ references `R` then `R` is also in the closure of `P`.
+
+ - output path
+ A store path produced by a derivation.
+
+ - deriver
+ The deriver of an [output path](#gloss-output-path) is the store
+ derivation that built it.
+
+ - validity
+ A store path is considered *valid* if it exists in the file system,
+ is listed in the Nix database as being valid, and if all paths in
+ its closure are also valid.
+
+ - user environment
+ An automatically generated store object that consists of a set of
+ symlinks to “active” applications, i.e., other store paths. These
+ are generated automatically by [`nix-env`](#sec-nix-env). See
+ [???](#sec-profiles).
+
+ - profile
+ A symlink to the current [user environment](#gloss-user-env) of a
+ user, e.g., `/nix/var/nix/profiles/default`.
+
+ - NAR
+ A *N*ix *AR*chive. This is a serialisation of a path in the Nix
+ store. It can contain regular files, directories and symbolic links.
+ NARs are generated and unpacked using `nix-store --dump` and
+ `nix-store
+ --restore`.
diff --git a/doc/manual/src/hacking.md b/doc/manual/src/hacking.md
new file mode 100644
index 000000000..f8375822d
--- /dev/null
+++ b/doc/manual/src/hacking.md
@@ -0,0 +1,47 @@
+# Hacking
+
+This section provides some notes on how to hack on Nix. To get the
+latest version of Nix from GitHub:
+
+ $ git clone https://github.com/NixOS/nix.git
+ $ cd nix
+
+To build Nix for the current operating system/architecture use
+
+ $ nix-build
+
+or if you have a flakes-enabled nix:
+
+ $ nix build
+
+This will build `defaultPackage` attribute defined in the `flake.nix`
+file. To build for other platforms add one of the following suffixes to
+it: aarch64-linux, i686-linux, x86\_64-darwin, x86\_64-linux. i.e.
+
+ $ nix-build -A defaultPackage.x86_64-linux
+
+To build all dependencies and start a shell in which all environment
+variables are set up so that those dependencies can be found:
+
+ $ nix-shell
+
+To build Nix itself in this shell:
+
+ [nix-shell]$ ./bootstrap.sh
+ [nix-shell]$ ./configure $configureFlags
+ [nix-shell]$ make -j $NIX_BUILD_CORES
+
+To install it in `$(pwd)/inst` and test it:
+
+ [nix-shell]$ make install
+ [nix-shell]$ make installcheck
+ [nix-shell]$ ./inst/bin/nix --version
+ nix (Nix) 2.4
+
+If you have a flakes-enabled nix you can replace:
+
+ $ nix-shell
+
+by:
+
+ $ nix develop
diff --git a/doc/manual/src/installation/building-source.md b/doc/manual/src/installation/building-source.md
new file mode 100644
index 000000000..c498713de
--- /dev/null
+++ b/doc/manual/src/installation/building-source.md
@@ -0,0 +1,34 @@
+# Building Nix from Source
+
+After unpacking or checking out the Nix sources, issue the following
+commands:
+
+ $ ./configure options...
+ $ make
+ $ make install
+
+Nix requires GNU Make so you may need to invoke `gmake` instead.
+
+When building from the Git repository, these should be preceded by the
+command:
+
+ $ ./bootstrap.sh
+
+The installation path can be specified by passing the `--prefix=prefix`
+to `configure`. The default installation directory is `/usr/local`. You
+can change this to any location you like. You must have write permission
+to the prefix path.
+
+Nix keeps its *store* (the place where packages are stored) in
+`/nix/store` by default. This can be changed using
+`--with-store-dir=path`.
+
+> **Warning**
+>
+> It is best *not* to change the Nix store from its default, since doing
+> so makes it impossible to use pre-built binaries from the standard
+> Nixpkgs channels — that is, all packages will need to be built from
+> source.
+
+Nix keeps state (such as its database and log files) in `/nix/var` by
+default. This can be changed using `--localstatedir=path`.
diff --git a/doc/manual/src/installation/env-variables.md b/doc/manual/src/installation/env-variables.md
new file mode 100644
index 000000000..7946ac437
--- /dev/null
+++ b/doc/manual/src/installation/env-variables.md
@@ -0,0 +1,56 @@
+# Environment Variables
+
+To use Nix, some environment variables should be set. In particular,
+PATH should contain the directories `prefix/bin` and
+`~/.nix-profile/bin`. The first directory contains the Nix tools
+themselves, while `~/.nix-profile` is a symbolic link to the current
+*user environment* (an automatically generated package consisting of
+symlinks to installed packages). The simplest way to set the required
+environment variables is to include the file
+`prefix/etc/profile.d/nix.sh` in your `~/.profile` (or similar), like
+this:
+
+ source prefix/etc/profile.d/nix.sh
+
+# NIX\_SSL\_CERT\_FILE
+
+If you need to specify a custom certificate bundle to account for an
+HTTPS-intercepting man in the middle proxy, you must specify the path to
+the certificate bundle in the environment variable NIX\_SSL\_CERT\_FILE.
+
+If you don't specify a NIX\_SSL\_CERT\_FILE manually, Nix will install
+and use its own certificate bundle.
+
+Set the environment variable and install Nix
+
+ $ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
+ $ sh <(curl -L https://nixos.org/nix/install)
+
+In the shell profile and rc files (for example, `/etc/bashrc`,
+`/etc/zshrc`), add the following line:
+
+ export NIX_SSL_CERT_FILE=/etc/ssl/my-certificate-bundle.crt
+
+> **Note**
+>
+> You must not add the export and then do the install, as the Nix
+> installer will detect the presense of Nix configuration, and abort.
+
+## NIX\_SSL\_CERT\_FILE with macOS and the Nix daemon
+
+On macOS you must specify the environment variable for the Nix daemon
+service, then restart it:
+
+ $ sudo launchctl setenv NIX_SSL_CERT_FILE /etc/ssl/my-certificate-bundle.crt
+ $ sudo launchctl kickstart -k system/org.nixos.nix-daemon
+
+## Proxy Environment Variables
+
+The Nix installer has special handling for these proxy-related
+environment variables: `http_proxy`, `https_proxy`, `ftp_proxy`,
+`no_proxy`, `HTTP_PROXY`, `HTTPS_PROXY`, `FTP_PROXY`, `NO_PROXY`.
+
+If any of these variables are set when running the Nix installer, then
+the installer will create an override file at
+`/etc/systemd/system/nix-daemon.service.d/override.conf` so `nix-daemon`
+will use them.
diff --git a/doc/manual/src/installation/installation.md b/doc/manual/src/installation/installation.md
new file mode 100644
index 000000000..b40c5b95f
--- /dev/null
+++ b/doc/manual/src/installation/installation.md
@@ -0,0 +1,2 @@
+This section describes how to install and configure Nix for first-time
+use.
diff --git a/doc/manual/src/installation/installing-binary.md b/doc/manual/src/installation/installing-binary.md
new file mode 100644
index 000000000..d4e412e67
--- /dev/null
+++ b/doc/manual/src/installation/installing-binary.md
@@ -0,0 +1,273 @@
+# Installing a Binary Distribution
+
+If you are using Linux or macOS versions up to 10.14 (Mojave), the
+easiest way to install Nix is to run the following command:
+
+```
+ $ sh <(curl -L https://nixos.org/nix/install)
+```
+
+If you're using macOS 10.15 (Catalina) or newer, consult [the macOS
+installation instructions](#sect-macos-installation) before installing.
+
+As of Nix 2.1.0, the Nix installer will always default to creating a
+single-user installation, however opting in to the multi-user
+installation is highly recommended.
+
+# Single User Installation
+
+To explicitly select a single-user installation on your system:
+
+```
+ sh <(curl -L https://nixos.org/nix/install) --no-daemon
+```
+
+This will perform a single-user installation of Nix, meaning that `/nix`
+is owned by the invoking user. You should run this under your usual user
+account, *not* as root. The script will invoke `sudo` to create `/nix`
+if it doesn’t already exist. If you don’t have `sudo`, you should
+manually create `/nix` first as root, e.g.:
+
+ $ mkdir /nix
+ $ chown alice /nix
+
+The install script will modify the first writable file from amongst
+`.bash_profile`, `.bash_login` and `.profile` to source
+`~/.nix-profile/etc/profile.d/nix.sh`. You can set the
+NIX\_INSTALLER\_NO\_MODIFY\_PROFILE environment variable before
+executing the install script to disable this behaviour.
+
+You can uninstall Nix simply by running:
+
+ $ rm -rf /nix
+
+# Multi User Installation
+
+The multi-user Nix installation creates system users, and a system
+service for the Nix daemon.
+
+ - Linux running systemd, with SELinux disabled
+
+ - macOS
+
+You can instruct the installer to perform a multi-user installation on
+your system:
+
+ sh <(curl -L https://nixos.org/nix/install) --daemon
+
+The multi-user installation of Nix will create build users between the
+user IDs 30001 and 30032, and a group with the group ID 30000. You
+should run this under your usual user account, *not* as root. The script
+will invoke `sudo` as needed.
+
+> **Note**
+>
+> If you need Nix to use a different group ID or user ID set, you will
+> have to download the tarball manually and [edit the install
+> script](#sect-nix-install-binary-tarball).
+
+The installer will modify `/etc/bashrc`, and `/etc/zshrc` if they exist.
+The installer will first back up these files with a `.backup-before-nix`
+extension. The installer will also create `/etc/profile.d/nix.sh`.
+
+You can uninstall Nix with the following commands:
+
+ sudo rm -rf /etc/profile/nix.sh /etc/nix /nix ~root/.nix-profile ~root/.nix-defexpr ~root/.nix-channels ~/.nix-profile ~/.nix-defexpr ~/.nix-channels
+
+ # If you are on Linux with systemd, you will need to run:
+ sudo systemctl stop nix-daemon.socket
+ sudo systemctl stop nix-daemon.service
+ sudo systemctl disable nix-daemon.socket
+ sudo systemctl disable nix-daemon.service
+ sudo systemctl daemon-reload
+
+ # If you are on macOS, you will need to run:
+ sudo launchctl unload /Library/LaunchDaemons/org.nixos.nix-daemon.plist
+ sudo rm /Library/LaunchDaemons/org.nixos.nix-daemon.plist
+
+There may also be references to Nix in `/etc/profile`, `/etc/bashrc`,
+and `/etc/zshrc` which you may remove.
+
+# macOS Installation
+
+Starting with macOS 10.15 (Catalina), the root filesystem is read-only.
+This means `/nix` can no longer live on your system volume, and that
+you'll need a workaround to install Nix.
+
+The recommended approach, which creates an unencrypted APFS volume for
+your Nix store and a "synthetic" empty directory to mount it over at
+`/nix`, is least likely to impair Nix or your system.
+
+> **Note**
+>
+> With all separate-volume approaches, it's possible something on your
+> system (particularly daemons/services and restored apps) may need
+> access to your Nix store before the volume is mounted. Adding
+> additional encryption makes this more likely.
+
+If you're using a recent Mac with a [T2
+chip](https://www.apple.com/euro/mac/shared/docs/Apple_T2_Security_Chip_Overview.pdf),
+your drive will still be encrypted at rest (in which case "unencrypted"
+is a bit of a misnomer). To use this approach, just install Nix with:
+
+ $ sh <(curl -L https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume
+
+If you don't like the sound of this, you'll want to weigh the other
+approaches and tradeoffs detailed in this section.
+
+> **Note**
+>
+> All of the known workarounds have drawbacks, but we hope better
+> solutions will be available in the future. Some that we have our eye
+> on are:
+>
+> 1. A true firmlink would enable the Nix store to live on the primary
+> data volume without the build problems caused by the symlink
+> approach. End users cannot currently create true firmlinks.
+>
+> 2. If the Nix store volume shared FileVault encryption with the
+> primary data volume (probably by using the same volume group and
+> role), FileVault encryption could be easily supported by the
+> installer without requiring manual setup by each user.
+
+## Change the Nix store path prefix
+
+Changing the default prefix for the Nix store is a simple approach which
+enables you to leave it on your root volume, where it can take full
+advantage of FileVault encryption if enabled. Unfortunately, this
+approach also opts your device out of some benefits that are enabled by
+using the same prefix across systems:
+
+ - Your system won't be able to take advantage of the binary cache
+ (unless someone is able to stand up and support duplicate caching
+ infrastructure), which means you'll spend more time waiting for
+ builds.
+
+ - It's harder to build and deploy packages to Linux systems.
+
+It would also possible (and often requested) to just apply this change
+ecosystem-wide, but it's an intrusive process that has side effects we
+want to avoid for now.
+
+## Use a separate encrypted volume
+
+If you like, you can also add encryption to the recommended approach
+taken by the installer. You can do this by pre-creating an encrypted
+volume before you run the installer--or you can run the installer and
+encrypt the volume it creates later.
+
+In either case, adding encryption to a second volume isn't quite as
+simple as enabling FileVault for your boot volume. Before you dive in,
+there are a few things to weigh:
+
+1. The additional volume won't be encrypted with your existing
+ FileVault key, so you'll need another mechanism to decrypt the
+ volume.
+
+2. You can store the password in Keychain to automatically decrypt the
+ volume on boot--but it'll have to wait on Keychain and may not mount
+ before your GUI apps restore. If any of your launchd agents or apps
+ depend on Nix-installed software (for example, if you use a
+ Nix-installed login shell), the restore may fail or break.
+
+ On a case-by-case basis, you may be able to work around this problem
+ by using `wait4path` to block execution until your executable is
+ available.
+
+ It's also possible to decrypt and mount the volume earlier with a
+ login hook--but this mechanism appears to be deprecated and its
+ future is unclear.
+
+3. You can hard-code the password in the clear, so that your store
+ volume can be decrypted before Keychain is available.
+
+If you are comfortable navigating these tradeoffs, you can encrypt the
+volume with something along the lines of:
+
+ alice$ diskutil apfs enableFileVault /nix -user disk
+
+## Symlink the Nix store to a custom location
+
+Another simple approach is using `/etc/synthetic.conf` to symlink the
+Nix store to the data volume. This option also enables your store to
+share any configured FileVault encryption. Unfortunately, builds that
+resolve the symlink may leak the canonical path or even fail.
+
+Because of these downsides, we can't recommend this approach.
+
+## Notes on the recommended approach
+
+This section goes into a little more detail on the recommended approach.
+You don't need to understand it to run the installer, but it can serve
+as a helpful reference if you run into trouble.
+
+1. In order to compose user-writable locations into the new read-only
+ system root, Apple introduced a new concept called `firmlinks`,
+ which it describes as a "bi-directional wormhole" between two
+ filesystems. You can see the current firmlinks in
+ `/usr/share/firmlinks`. Unfortunately, firmlinks aren't (currently?)
+ user-configurable.
+
+ For special cases like NFS mount points or package manager roots,
+ [synthetic.conf(5)](https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man5/synthetic.conf.5.html)
+ supports limited user-controlled file-creation (of symlinks, and
+ synthetic empty directories) at `/`. To create a synthetic empty
+ directory for mounting at `/nix`, add the following line to
+ `/etc/synthetic.conf` (create it if necessary):
+
+ nix
+
+2. This configuration is applied at boot time, but you can use
+ `apfs.util` to trigger creation (not deletion) of new entries
+ without a reboot:
+
+ alice$ /System/Library/Filesystems/apfs.fs/Contents/Resources/apfs.util -B
+
+3. Create the new APFS volume with diskutil:
+
+ alice$ sudo diskutil apfs addVolume diskX APFS 'Nix Store' -mountpoint /nix
+
+4. Using `vifs`, add the new mount to `/etc/fstab`. If it doesn't
+ already have other entries, it should look something like:
+
+ #
+ # Warning - this file should only be modified with vifs(8)
+ #
+ # Failure to do so is unsupported and may be destructive.
+ #
+ LABEL=Nix\040Store /nix apfs rw,nobrowse
+
+ The nobrowse setting will keep Spotlight from indexing this volume,
+ and keep it from showing up on your desktop.
+
+# Installing a pinned Nix version from a URL
+
+NixOS.org hosts version-specific installation URLs for all Nix versions
+since 1.11.16, at `https://releases.nixos.org/nix/nix-version/install`.
+
+These install scripts can be used the same as the main NixOS.org
+installation script:
+
+```
+ sh <(curl -L https://nixos.org/nix/install)
+```
+
+In the same directory of the install script are sha256 sums, and gpg
+signature files.
+
+# Installing from a binary tarball
+
+You can also download a binary tarball that contains Nix and all its
+dependencies. (This is what the install script at
+<https://nixos.org/nix/install> does automatically.) You should unpack
+it somewhere (e.g. in `/tmp`), and then run the script named `install`
+inside the binary tarball:
+
+ alice$ cd /tmp
+ alice$ tar xfj nix-1.8-x86_64-darwin.tar.bz2
+ alice$ cd nix-1.8-x86_64-darwin
+ alice$ ./install
+
+If you need to edit the multi-user installation script to use different
+group ID or a different user ID range, modify the variables set in the
+file named `install-multi-user`.
diff --git a/doc/manual/src/installation/installing-source.md b/doc/manual/src/installation/installing-source.md
new file mode 100644
index 000000000..e52d38a03
--- /dev/null
+++ b/doc/manual/src/installation/installing-source.md
@@ -0,0 +1,4 @@
+# Installing Nix from Source
+
+If no binary package is available, you can download and compile a source
+distribution.
diff --git a/doc/manual/src/installation/multi-user.md b/doc/manual/src/installation/multi-user.md
new file mode 100644
index 000000000..17286fdc5
--- /dev/null
+++ b/doc/manual/src/installation/multi-user.md
@@ -0,0 +1,63 @@
+# Multi-User Mode
+
+To allow a Nix store to be shared safely among multiple users, it is
+important that users are not able to run builders that modify the Nix
+store or database in arbitrary ways, or that interfere with builds
+started by other users. If they could do so, they could install a Trojan
+horse in some package and compromise the accounts of other users.
+
+To prevent this, the Nix store and database are owned by some privileged
+user (usually `root`) and builders are executed under special user
+accounts (usually named `nixbld1`, `nixbld2`, etc.). When a unprivileged
+user runs a Nix command, actions that operate on the Nix store (such as
+builds) are forwarded to a *Nix daemon* running under the owner of the
+Nix store/database that performs the operation.
+
+> **Note**
+>
+> Multi-user mode has one important limitation: only root and a set of
+> trusted users specified in `nix.conf` can specify arbitrary binary
+> caches. So while unprivileged users may install packages from
+> arbitrary Nix expressions, they may not get pre-built binaries.
+
+The *build users* are the special UIDs under which builds are performed.
+They should all be members of the *build users group* `nixbld`. This
+group should have no other members. The build users should not be
+members of any other group. On Linux, you can create the group and users
+as follows:
+
+ $ groupadd -r nixbld
+ $ for n in $(seq 1 10); do useradd -c "Nix build user $n" \
+ -d /var/empty -g nixbld -G nixbld -M -N -r -s "$(which nologin)" \
+ nixbld$n; done
+
+This creates 10 build users. There can never be more concurrent builds
+than the number of build users, so you may want to increase this if you
+expect to do many builds at the same time.
+
+The [Nix daemon](#sec-nix-daemon) should be started as follows (as
+`root`):
+
+ $ nix-daemon
+
+You’ll want to put that line somewhere in your system’s boot scripts.
+
+To let unprivileged users use the daemon, they should set the
+[NIX\_REMOTE environment variable](#envar-remote) to `daemon`. So you
+should put a line like
+
+ export NIX_REMOTE=daemon
+
+into the users’ login scripts.
+
+To limit which users can perform Nix operations, you can use the
+permissions on the directory `/nix/var/nix/daemon-socket`. For instance,
+if you want to restrict the use of Nix to the members of a group called
+`nix-users`, do
+
+ $ chgrp nix-users /nix/var/nix/daemon-socket
+ $ chmod ug=rwx,o= /nix/var/nix/daemon-socket
+
+This way, users who are not in the `nix-users` group cannot connect to
+the Unix domain socket `/nix/var/nix/daemon-socket/socket`, so they
+cannot perform Nix operations.
diff --git a/doc/manual/src/installation/nix-security.md b/doc/manual/src/installation/nix-security.md
new file mode 100644
index 000000000..1e9036b68
--- /dev/null
+++ b/doc/manual/src/installation/nix-security.md
@@ -0,0 +1,15 @@
+# Security
+
+Nix has two basic security models. First, it can be used in “single-user
+mode”, which is similar to what most other package management tools do:
+there is a single user (typically root) who performs all package
+management operations. All other users can then use the installed
+packages, but they cannot perform package management operations
+themselves.
+
+Alternatively, you can configure Nix in “multi-user mode”. In this
+model, all users can perform package management operations — for
+instance, every user can install software without requiring root
+privileges. Nix ensures that this is secure. For instance, it’s not
+possible for one user to overwrite a package used by another user with a
+Trojan horse.
diff --git a/doc/manual/src/installation/obtaining-source.md b/doc/manual/src/installation/obtaining-source.md
new file mode 100644
index 000000000..2937130cf
--- /dev/null
+++ b/doc/manual/src/installation/obtaining-source.md
@@ -0,0 +1,16 @@
+# Obtaining a Source Distribution
+
+The source tarball of the most recent stable release can be downloaded
+from the [Nix homepage](http://nixos.org/nix/download.html). You can
+also grab the [most recent development
+release](http://hydra.nixos.org/job/nix/master/release/latest-finished#tabs-constituents).
+
+Alternatively, the most recent sources of Nix can be obtained from its
+[Git repository](https://github.com/NixOS/nix). For example, the
+following command will check out the latest revision into a directory
+called `nix`:
+
+ $ git clone https://github.com/NixOS/nix
+
+Likewise, specific releases can be obtained from the
+[tags](https://github.com/NixOS/nix/tags) of the repository.
diff --git a/doc/manual/src/installation/prerequisites-source.md b/doc/manual/src/installation/prerequisites-source.md
new file mode 100644
index 000000000..311961fe9
--- /dev/null
+++ b/doc/manual/src/installation/prerequisites-source.md
@@ -0,0 +1,80 @@
+# Prerequisites
+
+ - GNU Autoconf (<https://www.gnu.org/software/autoconf/>) and the
+ autoconf-archive macro collection
+ (<https://www.gnu.org/software/autoconf-archive/>). These are only
+ needed to run the bootstrap script, and are not necessary if your
+ source distribution came with a pre-built `./configure` script.
+
+ - GNU Make.
+
+ - Bash Shell. The `./configure` script relies on bashisms, so Bash is
+ required.
+
+ - A version of GCC or Clang that supports C++17.
+
+ - `pkg-config` to locate dependencies. If your distribution does not
+ provide it, you can get it from
+ <http://www.freedesktop.org/wiki/Software/pkg-config>.
+
+ - The OpenSSL library to calculate cryptographic hashes. If your
+ distribution does not provide it, you can get it from
+ <https://www.openssl.org>.
+
+ - The `libbrotlienc` and `libbrotlidec` libraries to provide
+ implementation of the Brotli compression algorithm. They are
+ available for download from the official repository
+ <https://github.com/google/brotli>.
+
+ - The bzip2 compressor program and the `libbz2` library. Thus you must
+ have bzip2 installed, including development headers and libraries.
+ If your distribution does not provide these, you can obtain bzip2
+ from
+ <https://web.archive.org/web/20180624184756/http://www.bzip.org/>.
+
+ - `liblzma`, which is provided by XZ Utils. If your distribution does
+ not provide this, you can get it from <https://tukaani.org/xz/>.
+
+ - cURL and its library. If your distribution does not provide it, you
+ can get it from <https://curl.haxx.se/>.
+
+ - The SQLite embedded database library, version 3.6.19 or higher. If
+ your distribution does not provide it, please install it from
+ <http://www.sqlite.org/>.
+
+ - The [Boehm garbage collector](http://www.hboehm.info/gc/) to reduce
+ the evaluator’s memory consumption (optional). To enable it, install
+ `pkgconfig` and the Boehm garbage collector, and pass the flag
+ `--enable-gc` to `configure`.
+
+ - The `boost` library of version 1.66.0 or higher. It can be obtained
+ from the official web site <https://www.boost.org/>.
+
+ - The `editline` library of version 1.14.0 or higher. It can be
+ obtained from the its repository
+ <https://github.com/troglobit/editline>.
+
+ - The `xmllint` and `xsltproc` programs to build this manual and the
+ man-pages. These are part of the `libxml2` and `libxslt` packages,
+ respectively. You also need the [DocBook XSL
+ stylesheets](http://docbook.sourceforge.net/projects/xsl/) and
+ optionally the [DocBook 5.0 RELAX NG
+ schemas](http://www.docbook.org/schemas/5x). Note that these are
+ only required if you modify the manual sources or when you are
+ building from the Git repository.
+
+ - Recent versions of Bison and Flex to build the parser. (This is
+ because Nix needs GLR support in Bison and reentrancy support in
+ Flex.) For Bison, you need version 2.6, which can be obtained from
+ the [GNU FTP server](ftp://alpha.gnu.org/pub/gnu/bison). For Flex,
+ you need version 2.5.35, which is available on
+ [SourceForge](http://lex.sourceforge.net/). Slightly older versions
+ may also work, but ancient versions like the ubiquitous 2.5.4a
+ won't. Note that these are only required if you modify the parser or
+ when you are building from the Git repository.
+
+ - The `libseccomp` is used to provide syscall filtering on Linux. This
+ is an optional dependency and can be disabled passing a
+ `--disable-seccomp-sandboxing` option to the `configure` script (Not
+ recommended unless your system doesn't support `libseccomp`). To get
+ the library, visit <https://github.com/seccomp/libseccomp>.
diff --git a/doc/manual/src/installation/single-user.md b/doc/manual/src/installation/single-user.md
new file mode 100644
index 000000000..f9a3b26ed
--- /dev/null
+++ b/doc/manual/src/installation/single-user.md
@@ -0,0 +1,9 @@
+# Single-User Mode
+
+In single-user mode, all Nix operations that access the database in
+`prefix/var/nix/db` or modify the Nix store in `prefix/store` must be
+performed under the user ID that owns those directories. This is
+typically root. (If you install from RPM packages, that’s in fact the
+default ownership.) However, on single-user machines, it is often
+convenient to `chown` those directories to your normal user account so
+that you don’t have to `su` to root all the time.
diff --git a/doc/manual/src/installation/supported-platforms.md b/doc/manual/src/installation/supported-platforms.md
new file mode 100644
index 000000000..8ef1f0e78
--- /dev/null
+++ b/doc/manual/src/installation/supported-platforms.md
@@ -0,0 +1,7 @@
+# Supported Platforms
+
+Nix is currently supported on the following platforms:
+
+ - Linux (i686, x86\_64, aarch64).
+
+ - macOS (x86\_64).
diff --git a/doc/manual/src/installation/upgrading.md b/doc/manual/src/installation/upgrading.md
new file mode 100644
index 000000000..24efc4681
--- /dev/null
+++ b/doc/manual/src/installation/upgrading.md
@@ -0,0 +1,14 @@
+# Upgrading Nix
+
+Multi-user Nix users on macOS can upgrade Nix by running: `sudo -i sh -c
+'nix-channel --update &&
+nix-env -iA nixpkgs.nix &&
+launchctl remove org.nixos.nix-daemon &&
+launchctl load /Library/LaunchDaemons/org.nixos.nix-daemon.plist'`
+
+Single-user installations of Nix should run this: `nix-channel --update;
+nix-env -iA nixpkgs.nix nixpkgs.cacert`
+
+Multi-user Nix users on Linux should run this with sudo: `nix-channel
+--update; nix-env -iA nixpkgs.nix nixpkgs.cacert; systemctl
+daemon-reload; systemctl restart nix-daemon`
diff --git a/doc/manual/src/package-management/basic-package-mgmt.md b/doc/manual/src/package-management/basic-package-mgmt.md
new file mode 100644
index 000000000..f5c550fd7
--- /dev/null
+++ b/doc/manual/src/package-management/basic-package-mgmt.md
@@ -0,0 +1,148 @@
+# Basic Package Management
+
+The main command for package management is [`nix-env`](#sec-nix-env).
+You can use it to install, upgrade, and erase packages, and to query
+what packages are installed or are available for installation.
+
+In Nix, different users can have different “views” on the set of
+installed applications. That is, there might be lots of applications
+present on the system (possibly in many different versions), but users
+can have a specific selection of those active — where “active” just
+means that it appears in a directory in the user’s PATH. Such a view on
+the set of installed applications is called a *user environment*, which
+is just a directory tree consisting of symlinks to the files of the
+active applications.
+
+Components are installed from a set of *Nix expressions* that tell Nix
+how to build those packages, including, if necessary, their
+dependencies. There is a collection of Nix expressions called the
+Nixpkgs package collection that contains packages ranging from basic
+development stuff such as GCC and Glibc, to end-user applications like
+Mozilla Firefox. (Nix is however not tied to the Nixpkgs package
+collection; you could write your own Nix expressions based on Nixpkgs,
+or completely new ones.)
+
+You can manually download the latest version of Nixpkgs from
+<http://nixos.org/nixpkgs/download.html>. However, it’s much more
+convenient to use the Nixpkgs *channel*, since it makes it easy to stay
+up to date with new versions of Nixpkgs. (Channels are described in more
+detail in [???](#sec-channels).) Nixpkgs is automatically added to your
+list of “subscribed” channels when you install Nix. If this is not the
+case for some reason, you can add it as follows:
+
+ $ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+ $ nix-channel --update
+
+> **Note**
+>
+> On NixOS, you’re automatically subscribed to a NixOS channel
+> corresponding to your NixOS major release (e.g.
+> <http://nixos.org/channels/nixos-14.12>). A NixOS channel is identical
+> to the Nixpkgs channel, except that it contains only Linux binaries
+> and is updated only if a set of regression tests succeed.
+
+You can view the set of available packages in Nixpkgs:
+
+ $ nix-env -qa
+ aterm-2.2
+ bash-3.0
+ binutils-2.15
+ bison-1.875d
+ blackdown-1.4.2
+ bzip2-1.0.2
+ …
+
+The flag `-q` specifies a query operation, and `-a` means that you want
+to show the “available” (i.e., installable) packages, as opposed to the
+installed packages. If you downloaded Nixpkgs yourself, or if you
+checked it out from GitHub, then you need to pass the path to your
+Nixpkgs tree using the `-f` flag:
+
+ $ nix-env -qaf /path/to/nixpkgs
+
+where /path/to/nixpkgs is where you’ve unpacked or checked out Nixpkgs.
+
+You can select specific packages by name:
+
+ $ nix-env -qa firefox
+ firefox-34.0.5
+ firefox-with-plugins-34.0.5
+
+and using regular expressions:
+
+ $ nix-env -qa 'firefox.*'
+
+It is also possible to see the *status* of available packages, i.e.,
+whether they are installed into the user environment and/or present in
+the system:
+
+ $ nix-env -qas
+ …
+ -PS bash-3.0
+ --S binutils-2.15
+ IPS bison-1.875d
+ …
+
+The first character (`I`) indicates whether the package is installed in
+your current user environment. The second (`P`) indicates whether it is
+present on your system (in which case installing it into your user
+environment would be a very quick operation). The last one (`S`)
+indicates whether there is a so-called *substitute* for the package,
+which is Nix’s mechanism for doing binary deployment. It just means that
+Nix knows that it can fetch a pre-built package from somewhere
+(typically a network server) instead of building it locally.
+
+You can install a package using `nix-env -i`. For instance,
+
+ $ nix-env -i subversion
+
+will install the package called `subversion` (which is, of course, the
+[Subversion version management system](http://subversion.tigris.org/)).
+
+> **Note**
+>
+> When you ask Nix to install a package, it will first try to get it in
+> pre-compiled form from a *binary cache*. By default, Nix will use the
+> binary cache <https://cache.nixos.org>; it contains binaries for most
+> packages in Nixpkgs. Only if no binary is available in the binary
+> cache, Nix will build the package from source. So if `nix-env
+> -i subversion` results in Nix building stuff from source, then either
+> the package is not built for your platform by the Nixpkgs build
+> servers, or your version of Nixpkgs is too old or too new. For
+> instance, if you have a very recent checkout of Nixpkgs, then the
+> Nixpkgs build servers may not have had a chance to build everything
+> and upload the resulting binaries to <https://cache.nixos.org>. The
+> Nixpkgs channel is only updated after all binaries have been uploaded
+> to the cache, so if you stick to the Nixpkgs channel (rather than
+> using a Git checkout of the Nixpkgs tree), you will get binaries for
+> most packages.
+
+Naturally, packages can also be uninstalled:
+
+ $ nix-env -e subversion
+
+Upgrading to a new version is just as easy. If you have a new release of
+Nix Packages, you can do:
+
+ $ nix-env -u subversion
+
+This will *only* upgrade Subversion if there is a “newer” version in the
+new set of Nix expressions, as defined by some pretty arbitrary rules
+regarding ordering of version numbers (which generally do what you’d
+expect of them). To just unconditionally replace Subversion with
+whatever version is in the Nix expressions, use `-i` instead of `-u`;
+`-i` will remove whatever version is already installed.
+
+You can also upgrade all packages for which there are newer versions:
+
+ $ nix-env -u
+
+Sometimes it’s useful to be able to ask what `nix-env` would do, without
+actually doing it. For instance, to find out what packages would be
+upgraded by `nix-env -u`, you can do
+
+ $ nix-env -u --dry-run
+ (dry run; not doing anything)
+ upgrading `libxslt-1.1.0' to `libxslt-1.1.10'
+ upgrading `graphviz-1.10' to `graphviz-1.12'
+ upgrading `coreutils-5.0' to `coreutils-5.2.1'
diff --git a/doc/manual/src/package-management/binary-cache-substituter.md b/doc/manual/src/package-management/binary-cache-substituter.md
new file mode 100644
index 000000000..44f0da238
--- /dev/null
+++ b/doc/manual/src/package-management/binary-cache-substituter.md
@@ -0,0 +1,42 @@
+# Serving a Nix store via HTTP
+
+You can easily share the Nix store of a machine via HTTP. This allows
+other machines to fetch store paths from that machine to speed up
+installations. It uses the same *binary cache* mechanism that Nix
+usually uses to fetch pre-built binaries from <https://cache.nixos.org>.
+
+The daemon that handles binary cache requests via HTTP, `nix-serve`, is
+not part of the Nix distribution, but you can install it from Nixpkgs:
+
+ $ nix-env -i nix-serve
+
+You can then start the server, listening for HTTP connections on
+whatever port you like:
+
+ $ nix-serve -p 8080
+
+To check whether it works, try the following on the client:
+
+ $ curl http://avalon:8080/nix-cache-info
+
+which should print something like:
+
+ StoreDir: /nix/store
+ WantMassQuery: 1
+ Priority: 30
+
+On the client side, you can tell Nix to use your binary cache using
+`--option extra-binary-caches`, e.g.:
+
+ $ nix-env -i firefox --option extra-binary-caches http://avalon:8080/
+
+The option `extra-binary-caches` tells Nix to use this binary cache in
+addition to your default caches, such as <https://cache.nixos.org>.
+Thus, for any path in the closure of Firefox, Nix will first check if
+the path is available on the server `avalon` or another binary caches.
+If not, it will fall back to building from source.
+
+You can also tell Nix to always use your binary cache by adding a line
+to the `nix.conf` configuration file like this:
+
+ binary-caches = http://avalon:8080/ https://cache.nixos.org/
diff --git a/doc/manual/src/package-management/channels.md b/doc/manual/src/package-management/channels.md
new file mode 100644
index 000000000..8a3e92d70
--- /dev/null
+++ b/doc/manual/src/package-management/channels.md
@@ -0,0 +1,42 @@
+# Channels
+
+If you want to stay up to date with a set of packages, it’s not very
+convenient to manually download the latest set of Nix expressions for
+those packages and upgrade using `nix-env`. Fortunately, there’s a
+better way: *Nix channels*.
+
+A Nix channel is just a URL that points to a place that contains a set
+of Nix expressions and a manifest. Using the command
+[`nix-channel`](#sec-nix-channel) you can automatically stay up to date
+with whatever is available at that URL.
+
+To see the list of official NixOS channels, visit
+<https://nixos.org/channels>.
+
+You can “subscribe” to a channel using `nix-channel --add`, e.g.,
+
+ $ nix-channel --add https://nixos.org/channels/nixpkgs-unstable
+
+subscribes you to a channel that always contains that latest version of
+the Nix Packages collection. (Subscribing really just means that the URL
+is added to the file `~/.nix-channels`, where it is read by subsequent
+calls to `nix-channel
+--update`.) You can “unsubscribe” using `nix-channel
+--remove`:
+
+ $ nix-channel --remove nixpkgs
+
+To obtain the latest Nix expressions available in a channel, do
+
+ $ nix-channel --update
+
+This downloads and unpacks the Nix expressions in every channel
+(downloaded from `url/nixexprs.tar.bz2`). It also makes the union of
+each channel’s Nix expressions available by default to `nix-env`
+operations (via the symlink `~/.nix-defexpr/channels`). Consequently,
+you can then say
+
+ $ nix-env -u
+
+to upgrade all packages in your profile to the latest versions available
+in the subscribed channels.
diff --git a/doc/manual/src/package-management/copy-closure.md b/doc/manual/src/package-management/copy-closure.md
new file mode 100644
index 000000000..6573862c0
--- /dev/null
+++ b/doc/manual/src/package-management/copy-closure.md
@@ -0,0 +1,34 @@
+# Copying Closures Via SSH
+
+The command `nix-copy-closure` copies a Nix store path along with all
+its dependencies to or from another machine via the SSH protocol. It
+doesn’t copy store paths that are already present on the target machine.
+For example, the following command copies Firefox with all its
+dependencies:
+
+ $ nix-copy-closure --to alice@itchy.example.org $(type -p firefox)
+
+See [???](#sec-nix-copy-closure) for details.
+
+With `nix-store
+--export` and `nix-store --import` you can write the closure of a store
+path (that is, the path and all its dependencies) to a file, and then
+unpack that file into another Nix store. For example,
+
+ $ nix-store --export $(nix-store -qR $(type -p firefox)) > firefox.closure
+
+writes the closure of Firefox to a file. You can then copy this file to
+another machine and install the closure:
+
+ $ nix-store --import < firefox.closure
+
+Any store paths in the closure that are already present in the target
+store are ignored. It is also possible to pipe the export into another
+command, e.g. to copy and install a closure directly to/on another
+machine:
+
+ $ nix-store --export $(nix-store -qR $(type -p firefox)) | bzip2 | \
+ ssh alice@itchy.example.org "bunzip2 | nix-store --import"
+
+However, `nix-copy-closure` is generally more efficient because it only
+copies paths that are not already present in the target Nix store.
diff --git a/doc/manual/src/package-management/garbage-collection.md b/doc/manual/src/package-management/garbage-collection.md
new file mode 100644
index 000000000..4c8799dfe
--- /dev/null
+++ b/doc/manual/src/package-management/garbage-collection.md
@@ -0,0 +1,61 @@
+# Garbage Collection
+
+`nix-env` operations such as upgrades (`-u`) and uninstall (`-e`) never
+actually delete packages from the system. All they do (as shown above)
+is to create a new user environment that no longer contains symlinks to
+the “deleted” packages.
+
+Of course, since disk space is not infinite, unused packages should be
+removed at some point. You can do this by running the Nix garbage
+collector. It will remove from the Nix store any package not used
+(directly or indirectly) by any generation of any profile.
+
+Note however that as long as old generations reference a package, it
+will not be deleted. After all, we wouldn’t be able to do a rollback
+otherwise. So in order for garbage collection to be effective, you
+should also delete (some) old generations. Of course, this should only
+be done if you are certain that you will not need to roll back.
+
+To delete all old (non-current) generations of your current profile:
+
+ $ nix-env --delete-generations old
+
+Instead of `old` you can also specify a list of generations, e.g.,
+
+ $ nix-env --delete-generations 10 11 14
+
+To delete all generations older than a specified number of days (except
+the current generation), use the `d` suffix. For example,
+
+ $ nix-env --delete-generations 14d
+
+deletes all generations older than two weeks.
+
+After removing appropriate old generations you can run the garbage
+collector as follows:
+
+ $ nix-store --gc
+
+The behaviour of the gargage collector is affected by the
+`keep-derivations` (default: true) and `keep-outputs` (default: false)
+options in the Nix configuration file. The defaults will ensure that all
+derivations that are build-time dependencies of garbage collector roots
+will be kept and that all output paths that are runtime dependencies
+will be kept as well. All other derivations or paths will be collected.
+(This is usually what you want, but while you are developing it may make
+sense to keep outputs to ensure that rebuild times are quick.) If you
+are feeling uncertain, you can also first view what files would be
+deleted:
+
+ $ nix-store --gc --print-dead
+
+Likewise, the option `--print-live` will show the paths that *won’t* be
+deleted.
+
+There is also a convenient little utility `nix-collect-garbage`, which
+when invoked with the `-d` (`--delete-old`) switch deletes all old
+generations of all profiles in `/nix/var/nix/profiles`. So
+
+ $ nix-collect-garbage -d
+
+is a quick and easy way to clean up your system.
diff --git a/doc/manual/src/package-management/garbage-collector-roots.md b/doc/manual/src/package-management/garbage-collector-roots.md
new file mode 100644
index 000000000..6f4d48e80
--- /dev/null
+++ b/doc/manual/src/package-management/garbage-collector-roots.md
@@ -0,0 +1,16 @@
+# Garbage Collector Roots
+
+The roots of the garbage collector are all store paths to which there
+are symlinks in the directory `prefix/nix/var/nix/gcroots`. For
+instance, the following command makes the path
+`/nix/store/d718ef...-foo` a root of the collector:
+
+ $ ln -s /nix/store/d718ef...-foo /nix/var/nix/gcroots/bar
+
+That is, after this command, the garbage collector will not remove
+`/nix/store/d718ef...-foo` or any of its dependencies.
+
+Subdirectories of `prefix/nix/var/nix/gcroots` are also searched for
+symlinks. Symlinks to non-store paths are followed and searched for
+roots, but symlinks to non-store paths *inside* the paths reached in
+that way are not followed to prevent infinite recursion.
diff --git a/doc/manual/src/package-management/package-management.md b/doc/manual/src/package-management/package-management.md
new file mode 100644
index 000000000..a2d078c16
--- /dev/null
+++ b/doc/manual/src/package-management/package-management.md
@@ -0,0 +1,4 @@
+This chapter discusses how to do package management with Nix, i.e., how
+to obtain, install, upgrade, and erase packages. This is the “user’s”
+perspective of the Nix system — people who want to *create* packages
+should consult [???](#chap-writing-nix-expressions).
diff --git a/doc/manual/src/package-management/profiles.md b/doc/manual/src/package-management/profiles.md
new file mode 100644
index 000000000..c46adf538
--- /dev/null
+++ b/doc/manual/src/package-management/profiles.md
@@ -0,0 +1,119 @@
+# Profiles
+
+Profiles and user environments are Nix’s mechanism for implementing the
+ability to allow different users to have different configurations, and
+to do atomic upgrades and rollbacks. To understand how they work, it’s
+useful to know a bit about how Nix works. In Nix, packages are stored in
+unique locations in the *Nix store* (typically, `/nix/store`). For
+instance, a particular version of the Subversion package might be stored
+in a directory
+`/nix/store/dpmvp969yhdqs7lm2r1a3gng7pyq6vy4-subversion-1.1.3/`, while
+another version might be stored in
+`/nix/store/5mq2jcn36ldlmh93yj1n8s9c95pj7c5s-subversion-1.1.2`. The long
+strings prefixed to the directory names are cryptographic hashes\[1\] of
+*all* inputs involved in building the package — sources, dependencies,
+compiler flags, and so on. So if two packages differ in any way, they
+end up in different locations in the file system, so they don’t
+interfere with each other. [figure\_title](#fig-user-environments) shows
+a part of a typical Nix store.
+
+![User environments](../figures/user-environments.png)
+
+Of course, you wouldn’t want to type
+
+ $ /nix/store/dpmvp969yhdq...-subversion-1.1.3/bin/svn
+
+every time you want to run Subversion. Of course we could set up the
+PATH environment variable to include the `bin` directory of every
+package we want to use, but this is not very convenient since changing
+PATH doesn’t take effect for already existing processes. The solution
+Nix uses is to create directory trees of symlinks to *activated*
+packages. These are called *user environments* and they are packages
+themselves (though automatically generated by `nix-env`), so they too
+reside in the Nix store. For instance, in
+[figure\_title](#fig-user-environments) the user environment
+`/nix/store/0c1p5z4kda11...-user-env` contains a symlink to just
+Subversion 1.1.2 (arrows in the figure indicate symlinks). This would be
+what we would obtain if we had done
+
+ $ nix-env -i subversion
+
+on a set of Nix expressions that contained Subversion 1.1.2.
+
+This doesn’t in itself solve the problem, of course; you wouldn’t want
+to type `/nix/store/0c1p5z4kda11...-user-env/bin/svn` either. That’s why
+there are symlinks outside of the store that point to the user
+environments in the store; for instance, the symlinks `default-42-link`
+and `default-43-link` in the example. These are called *generations*
+since every time you perform a `nix-env` operation, a new user
+environment is generated based on the current one. For instance,
+generation 43 was created from generation 42 when we did
+
+ $ nix-env -i subversion firefox
+
+on a set of Nix expressions that contained Firefox and a new version of
+Subversion.
+
+Generations are grouped together into *profiles* so that different users
+don’t interfere with each other if they don’t want to. For example:
+
+ $ ls -l /nix/var/nix/profiles/
+ ...
+ lrwxrwxrwx 1 eelco ... default-42-link -> /nix/store/0c1p5z4kda11...-user-env
+ lrwxrwxrwx 1 eelco ... default-43-link -> /nix/store/3aw2pdyx2jfc...-user-env
+ lrwxrwxrwx 1 eelco ... default -> default-43-link
+
+This shows a profile called `default`. The file `default` itself is
+actually a symlink that points to the current generation. When we do a
+`nix-env` operation, a new user environment and generation link are
+created based on the current one, and finally the `default` symlink is
+made to point at the new generation. This last step is atomic on Unix,
+which explains how we can do atomic upgrades. (Note that the
+building/installing of new packages doesn’t interfere in any way with
+old packages, since they are stored in different locations in the Nix
+store.)
+
+If you find that you want to undo a `nix-env` operation, you can just do
+
+ $ nix-env --rollback
+
+which will just make the current generation link point at the previous
+link. E.g., `default` would be made to point at `default-42-link`. You
+can also switch to a specific generation:
+
+ $ nix-env --switch-generation 43
+
+which in this example would roll forward to generation 43 again. You can
+also see all available generations:
+
+ $ nix-env --list-generations
+
+You generally wouldn’t have `/nix/var/nix/profiles/some-profile/bin` in
+your PATH. Rather, there is a symlink `~/.nix-profile` that points to
+your current profile. This means that you should put
+`~/.nix-profile/bin` in your PATH (and indeed, that’s what the
+initialisation script `/nix/etc/profile.d/nix.sh` does). This makes it
+easier to switch to a different profile. You can do that using the
+command `nix-env --switch-profile`:
+
+ $ nix-env --switch-profile /nix/var/nix/profiles/my-profile
+
+ $ nix-env --switch-profile /nix/var/nix/profiles/default
+
+These commands switch to the `my-profile` and default profile,
+respectively. If the profile doesn’t exist, it will be created
+automatically. You should be careful about storing a profile in another
+location than the `profiles` directory, since otherwise it might not be
+used as a root of the garbage collector (see
+[???](#sec-garbage-collection)).
+
+All `nix-env` operations work on the profile pointed to by
+`~/.nix-profile`, but you can override this using the `--profile` option
+(abbreviation `-p`):
+
+ $ nix-env -p /nix/var/nix/profiles/other-profile -i subversion
+
+This will *not* change the `~/.nix-profile` symlink.
+
+1. 160-bit truncations of SHA-256 hashes encoded in a base-32 notation,
+ to be precise.
diff --git a/doc/manual/src/package-management/s3-substituter.md b/doc/manual/src/package-management/s3-substituter.md
new file mode 100644
index 000000000..4740b8b1c
--- /dev/null
+++ b/doc/manual/src/package-management/s3-substituter.md
@@ -0,0 +1,133 @@
+# Serving a Nix store via AWS S3 or S3-compatible Service
+
+Nix has built-in support for storing and fetching store paths from
+Amazon S3 and S3 compatible services. This uses the same *binary* cache
+mechanism that Nix usually uses to fetch prebuilt binaries from
+[cache.nixos.org](cache.nixos.org).
+
+The following options can be specified as URL parameters to the S3 URL:
+
+ - `profile`
+ The name of the AWS configuration profile to use. By default Nix
+ will use the `default` profile.
+
+ - `region`
+ The region of the S3 bucket. `us–east-1` by default.
+
+ If your bucket is not in `us–east-1`, you should always explicitly
+ specify the region parameter.
+
+ - `endpoint`
+ The URL to your S3-compatible service, for when not using Amazon S3.
+ Do not specify this value if you're using Amazon S3.
+
+ > **Note**
+ >
+ > This endpoint must support HTTPS and will use path-based
+ > addressing instead of virtual host based addressing.
+
+ - `scheme`
+ The scheme used for S3 requests, `https` (default) or `http`. This
+ option allows you to disable HTTPS for binary caches which don't
+ support it.
+
+ > **Note**
+ >
+ > HTTPS should be used if the cache might contain sensitive
+ > information.
+
+In this example we will use the bucket named `example-nix-cache`.
+
+## Anonymous Reads to your S3-compatible binary cache
+
+If your binary cache is publicly accessible and does not require
+authentication, the simplest and easiest way to use Nix with your S3
+compatible binary cache is to use the HTTP URL for that cache.
+
+For AWS S3 the binary cache URL for example bucket will be exactly
+<https://example-nix-cache.s3.amazonaws.com> or
+<s3://example-nix-cache>. For S3 compatible binary caches, consult that
+cache's documentation.
+
+Your bucket will need the following bucket policy:
+
+ {
+ "Id": "DirectReads",
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowDirectReads",
+ "Action": [
+ "s3:GetObject",
+ "s3:GetBucketLocation"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::example-nix-cache",
+ "arn:aws:s3:::example-nix-cache/*"
+ ],
+ "Principal": "*"
+ }
+ ]
+ }
+
+## Authenticated Reads to your S3 binary cache
+
+For AWS S3 the binary cache URL for example bucket will be exactly
+<s3://example-nix-cache>.
+
+Nix will use the [default credential provider
+chain](https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html)
+for authenticating requests to Amazon S3.
+
+Nix supports authenticated reads from Amazon S3 and S3 compatible binary
+caches.
+
+Your bucket will need a bucket policy allowing the desired users to
+perform the `s3:GetObject` and `s3:GetBucketLocation` action on all
+objects in the bucket. The anonymous policy in [Anonymous Reads to your
+S3-compatible binary cache](#ssec-s3-substituter-anonymous-reads) can be
+updated to have a restricted `Principal` to support this.
+
+## Authenticated Writes to your S3-compatible binary cache
+
+Nix support fully supports writing to Amazon S3 and S3 compatible
+buckets. The binary cache URL for our example bucket will be
+<s3://example-nix-cache>.
+
+Nix will use the [default credential provider
+chain](https://docs.aws.amazon.com/sdk-for-cpp/v1/developer-guide/credentials.html)
+for authenticating requests to Amazon S3.
+
+Your account will need the following IAM policy to upload to the cache:
+
+ {
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "UploadToCache",
+ "Effect": "Allow",
+ "Action": [
+ "s3:AbortMultipartUpload",
+ "s3:GetBucketLocation",
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:ListMultipartUploadParts",
+ "s3:PutObject"
+ ],
+ "Resource": [
+ "arn:aws:s3:::example-nix-cache",
+ "arn:aws:s3:::example-nix-cache/*"
+ ]
+ }
+ ]
+ }
+
+`nix copy --to
+'s3://example-nix-cache?profile=cache-upload&region=eu-west-2'
+nixpkgs.hello`
+
+`nix copy --to
+'s3://example-nix-cache?profile=cache-upload&scheme=https&endpoint=minio.example.com'
+nixpkgs.hello`
diff --git a/doc/manual/src/package-management/sharing-packages.md b/doc/manual/src/package-management/sharing-packages.md
new file mode 100644
index 000000000..846ca6934
--- /dev/null
+++ b/doc/manual/src/package-management/sharing-packages.md
@@ -0,0 +1,6 @@
+# Sharing Packages Between Machines
+
+Sometimes you want to copy a package from one machine to another. Or,
+you want to install some packages and you know that another machine
+already has some or all of those packages or their dependencies. In that
+case there are mechanisms to quickly copy packages between machines.
diff --git a/doc/manual/src/package-management/ssh-substituter.md b/doc/manual/src/package-management/ssh-substituter.md
new file mode 100644
index 000000000..482844c7c
--- /dev/null
+++ b/doc/manual/src/package-management/ssh-substituter.md
@@ -0,0 +1,52 @@
+# Serving a Nix store via SSH
+
+You can tell Nix to automatically fetch needed binaries from a remote
+Nix store via SSH. For example, the following installs Firefox,
+automatically fetching any store paths in Firefox’s closure if they are
+available on the server `avalon`:
+
+ $ nix-env -i firefox --substituters ssh://alice@avalon
+
+This works similar to the binary cache substituter that Nix usually
+uses, only using SSH instead of HTTP: if a store path `P` is needed, Nix
+will first check if it’s available in the Nix store on `avalon`. If not,
+it will fall back to using the binary cache substituter, and then to
+building from source.
+
+> **Note**
+>
+> The SSH substituter currently does not allow you to enter an SSH
+> passphrase interactively. Therefore, you should use `ssh-add` to load
+> the decrypted private key into `ssh-agent`.
+
+You can also copy the closure of some store path, without installing it
+into your profile, e.g.
+
+ $ nix-store -r /nix/store/m85bxg…-firefox-34.0.5 --substituters ssh://alice@avalon
+
+This is essentially equivalent to doing
+
+ $ nix-copy-closure --from alice@avalon /nix/store/m85bxg…-firefox-34.0.5
+
+You can use SSH’s *forced command* feature to set up a restricted user
+account for SSH substituter access, allowing read-only access to the
+local Nix store, but nothing more. For example, add the following lines
+to `sshd_config` to restrict the user `nix-ssh`:
+
+ Match User nix-ssh
+ AllowAgentForwarding no
+ AllowTcpForwarding no
+ PermitTTY no
+ PermitTunnel no
+ X11Forwarding no
+ ForceCommand nix-store --serve
+ Match All
+
+On NixOS, you can accomplish the same by adding the following to your
+`configuration.nix`:
+
+ nix.sshServe.enable = true;
+ nix.sshServe.keys = [ "ssh-dss AAAAB3NzaC1k... bob@example.org" ];
+
+where the latter line lists the public keys of users that are allowed to
+connect.
diff --git a/doc/manual/src/release-notes/release-notes.md b/doc/manual/src/release-notes/release-notes.md
new file mode 100644
index 000000000..b05d5ee0a
--- /dev/null
+++ b/doc/manual/src/release-notes/release-notes.md
@@ -0,0 +1 @@
+# Nix Release Notes
diff --git a/doc/manual/src/release-notes/rl-0.10.1.md b/doc/manual/src/release-notes/rl-0.10.1.md
new file mode 100644
index 000000000..e1ed6558a
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.10.1.md
@@ -0,0 +1,5 @@
+# Release 0.10.1 (2006-10-11)
+
+This release fixes two somewhat obscure bugs that occur when evaluating
+Nix expressions that are stored inside the Nix store (`NIX-67`). These
+do not affect most users.
diff --git a/doc/manual/src/release-notes/rl-0.10.md b/doc/manual/src/release-notes/rl-0.10.md
new file mode 100644
index 000000000..bf0e59fad
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.10.md
@@ -0,0 +1,212 @@
+# Release 0.10 (2006-10-06)
+
+> **Note**
+>
+> This version of Nix uses Berkeley DB 4.4 instead of 4.3. The database
+> is upgraded automatically, but you should be careful not to use old
+> versions of Nix that still use Berkeley DB 4.3. In particular, if you
+> use a Nix installed through Nix, you should run
+>
+> $ nix-store --clear-substitutes
+>
+> first.
+
+> **Warning**
+>
+> Also, the database schema has changed slighted to fix a performance
+> issue (see below). When you run any Nix 0.10 command for the first
+> time, the database will be upgraded automatically. This is
+> irreversible.
+
+ - `nix-env` usability improvements:
+
+ - An option `--compare-versions` (or `-c`) has been added to
+ `nix-env
+ --query` to allow you to compare installed versions of packages
+ to available versions, or vice versa. An easy way to see if you
+ are up to date with what’s in your subscribed channels is
+ `nix-env -qc \*`.
+
+ - `nix-env --query` now takes as arguments a list of package names
+ about which to show information, just like `--install`, etc.:
+ for example, `nix-env -q gcc`. Note that to show all
+ derivations, you need to specify `\*`.
+
+ - `nix-env -i
+ pkgname` will now install the highest available version of
+ pkgname, rather than installing all available versions (which
+ would probably give collisions) (`NIX-31`).
+
+ - `nix-env (-i|-u) --dry-run` now shows exactly which missing
+ paths will be built or substituted.
+
+ - `nix-env -qa --description` shows human-readable descriptions of
+ packages, provided that they have a `meta.description` attribute
+ (which most packages in Nixpkgs don’t have yet).
+
+ - New language features:
+
+ - Reference scanning (which happens after each build) is much
+ faster and takes a constant amount of memory.
+
+ - String interpolation. Expressions like
+
+ "--with-freetype2-library=" + freetype + "/lib"
+
+ can now be written as
+
+ "--with-freetype2-library=${freetype}/lib"
+
+ You can write arbitrary expressions within `${...}`, not just
+ identifiers.
+
+ - Multi-line string literals.
+
+ - String concatenations can now involve derivations, as in the
+ example `"--with-freetype2-library="
+ + freetype + "/lib"`. This was not previously possible because
+ we need to register that a derivation that uses such a string is
+ dependent on `freetype`. The evaluator now properly propagates
+ this information. Consequently, the subpath operator (`~`) has
+ been deprecated.
+
+ - Default values of function arguments can now refer to other
+ function arguments; that is, all arguments are in scope in the
+ default values (`NIX-45`).
+
+ - Lots of new built-in primitives, such as functions for list
+ manipulation and integer arithmetic. See the manual for a
+ complete list. All primops are now available in the set
+ `builtins`, allowing one to test for the availability of primop
+ in a backwards-compatible way.
+
+ - Real let-expressions: `let x = ...;
+ ... z = ...; in ...`.
+
+ - New commands `nix-pack-closure` and `nix-unpack-closure` than can be
+ used to easily transfer a store path with all its dependencies to
+ another machine. Very convenient whenever you have some package on
+ your machine and you want to copy it somewhere else.
+
+ - XML support:
+
+ - `nix-env -q --xml` prints the installed or available packages in
+ an XML representation for easy processing by other tools.
+
+ - `nix-instantiate --eval-only
+ --xml` prints an XML representation of the resulting term. (The
+ new flag `--strict` forces ‘deep’ evaluation of the result,
+ i.e., list elements and attributes are evaluated recursively.)
+
+ - In Nix expressions, the primop `builtins.toXML` converts a term
+ to an XML representation. This is primarily useful for passing
+ structured information to builders.
+
+ - You can now unambiguously specify which derivation to build or
+ install in `nix-env`, `nix-instantiate` and `nix-build` using the
+ `--attr` / `-A` flags, which takes an attribute name as argument.
+ (Unlike symbolic package names such as `subversion-1.4.0`, attribute
+ names in an attribute set are unique.) For instance, a quick way to
+ perform a test build of a package in Nixpkgs is `nix-build
+ pkgs/top-level/all-packages.nix -A
+ foo`. `nix-env -q
+ --attr` shows the attribute names corresponding to each derivation.
+
+ - If the top-level Nix expression used by `nix-env`, `nix-instantiate`
+ or `nix-build` evaluates to a function whose arguments all have
+ default values, the function will be called automatically. Also, the
+ new command-line switch `--arg
+ name
+ value` can be used to specify function arguments on the command
+ line.
+
+ - `nix-install-package --url
+ URL` allows a package to be installed directly from the given URL.
+
+ - Nix now works behind an HTTP proxy server; just set the standard
+ environment variables http\_proxy, https\_proxy, ftp\_proxy or
+ all\_proxy appropriately. Functions such as `fetchurl` in Nixpkgs
+ also respect these variables.
+
+ - `nix-build -o
+ symlink` allows the symlink to the build result to be named
+ something other than `result`.
+
+ - Platform support:
+
+ - Support for 64-bit platforms, provided a [suitably patched ATerm
+ library](http://bugzilla.sen.cwi.nl:8080/show_bug.cgi?id=606) is
+ used. Also, files larger than 2 GiB are now supported.
+
+ - Added support for Cygwin (Windows, `i686-cygwin`), Mac OS X on
+ Intel (`i686-darwin`) and Linux on PowerPC (`powerpc-linux`).
+
+ - Users of SMP and multicore machines will appreciate that the
+ number of builds to be performed in parallel can now be
+ specified in the configuration file in the `build-max-jobs`
+ setting.
+
+ - Garbage collector improvements:
+
+ - Open files (such as running programs) are now used as roots of
+ the garbage collector. This prevents programs that have been
+ uninstalled from being garbage collected while they are still
+ running. The script that detects these additional runtime roots
+ (`find-runtime-roots.pl`) is inherently system-specific, but it
+ should work on Linux and on all platforms that have the `lsof`
+ utility.
+
+ - `nix-store --gc` (a.k.a. `nix-collect-garbage`) prints out the
+ number of bytes freed on standard output. `nix-store
+ --gc --print-dead` shows how many bytes would be freed by an
+ actual garbage collection.
+
+ - `nix-collect-garbage -d` removes all old generations of *all*
+ profiles before calling the actual garbage collector (`nix-store
+ --gc`). This is an easy way to get rid of all old packages in
+ the Nix store.
+
+ - `nix-store` now has an operation `--delete` to delete specific
+ paths from the Nix store. It won’t delete reachable
+ (non-garbage) paths unless `--ignore-liveness` is specified.
+
+ - Berkeley DB 4.4’s process registry feature is used to recover from
+ crashed Nix processes.
+
+ - A performance issue has been fixed with the `referer` table, which
+ stores the inverse of the `references` table (i.e., it tells you
+ what store paths refer to a given path). Maintaining this table
+ could take a quadratic amount of time, as well as a quadratic amount
+ of Berkeley DB log file space (in particular when running the
+ garbage collector) (`NIX-23`).
+
+ - Nix now catches the `TERM` and `HUP` signals in addition to the
+ `INT` signal. So you can now do a `killall
+ nix-store` without triggering a database recovery.
+
+ - `bsdiff` updated to version 4.3.
+
+ - Substantial performance improvements in expression evaluation and
+ `nix-env -qa`, all thanks to [Valgrind](http://valgrind.org/).
+ Memory use has been reduced by a factor 8 or so. Big speedup by
+ memoisation of path hashing.
+
+ - Lots of bug fixes, notably:
+
+ - Make sure that the garbage collector can run successfully when
+ the disk is full (`NIX-18`).
+
+ - `nix-env` now locks the profile to prevent races between
+ concurrent `nix-env` operations on the same profile (`NIX-7`).
+
+ - Removed misleading messages from `nix-env -i` (e.g.,
+ ``installing
+ `foo'`` followed by ``uninstalling
+ `foo'``) (`NIX-17`).
+
+ - Nix source distributions are a lot smaller now since we no longer
+ include a full copy of the Berkeley DB source distribution (but only
+ the bits we need).
+
+ - Header files are now installed so that external programs can use the
+ Nix libraries.
diff --git a/doc/manual/src/release-notes/rl-0.11.md b/doc/manual/src/release-notes/rl-0.11.md
new file mode 100644
index 000000000..d2f4d73aa
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.11.md
@@ -0,0 +1,167 @@
+# Release 0.11 (2007-12-31)
+
+Nix 0.11 has many improvements over the previous stable release. The
+most important improvement is secure multi-user support. It also
+features many usability enhancements and language extensions, many of
+them prompted by NixOS, the purely functional Linux distribution based
+on Nix. Here is an (incomplete) list:
+
+ - Secure multi-user support. A single Nix store can now be shared
+ between multiple (possible untrusted) users. This is an important
+ feature for NixOS, where it allows non-root users to install
+ software. The old setuid method for sharing a store between multiple
+ users has been removed. Details for setting up a multi-user store
+ can be found in the manual.
+
+ - The new command `nix-copy-closure` gives you an easy and efficient
+ way to exchange software between machines. It copies the missing
+ parts of the closure of a set of store path to or from a remote
+ machine via `ssh`.
+
+ - A new kind of string literal: strings between double single-quotes
+ (`''`) have indentation “intelligently” removed. This allows large
+ strings (such as shell scripts or configuration file fragments in
+ NixOS) to cleanly follow the indentation of the surrounding
+ expression. It also requires much less escaping, since `''` is less
+ common in most languages than `"`.
+
+ - `nix-env` `--set` modifies the current generation of a profile so
+ that it contains exactly the specified derivation, and nothing else.
+ For example, `nix-env -p /nix/var/nix/profiles/browser --set
+ firefox` lets the profile named `browser` contain just Firefox.
+
+ - `nix-env` now maintains meta-information about installed packages in
+ profiles. The meta-information is the contents of the `meta`
+ attribute of derivations, such as `description` or `homepage`. The
+ command `nix-env -q --xml
+ --meta` shows all meta-information.
+
+ - `nix-env` now uses the `meta.priority` attribute of derivations to
+ resolve filename collisions between packages. Lower priority values
+ denote a higher priority. For instance, the GCC wrapper package and
+ the Binutils package in Nixpkgs both have a file `bin/ld`, so
+ previously if you tried to install both you would get a collision.
+ Now, on the other hand, the GCC wrapper declares a higher priority
+ than Binutils, so the former’s `bin/ld` is symlinked in the user
+ environment.
+
+ - `nix-env -i / -u`: instead of breaking package ties by version,
+ break them by priority and version number. That is, if there are
+ multiple packages with the same name, then pick the package with the
+ highest priority, and only use the version if there are multiple
+ packages with the same priority.
+
+ This makes it possible to mark specific versions/variant in Nixpkgs
+ more or less desirable than others. A typical example would be a
+ beta version of some package (e.g., `gcc-4.2.0rc1`) which should not
+ be installed even though it is the highest version, except when it
+ is explicitly selected (e.g., `nix-env -i
+ gcc-4.2.0rc1`).
+
+ - `nix-env --set-flag` allows meta attributes of installed packages to
+ be modified. There are several attributes that can be usefully
+ modified, because they affect the behaviour of `nix-env` or the user
+ environment build script:
+
+ - `meta.priority` can be changed to resolve filename clashes (see
+ above).
+
+ - `meta.keep` can be set to `true` to prevent the package from
+ being upgraded or replaced. Useful if you want to hang on to an
+ older version of a package.
+
+ - `meta.active` can be set to `false` to “disable” the package.
+ That is, no symlinks will be generated to the files of the
+ package, but it remains part of the profile (so it won’t be
+ garbage-collected). Set it back to `true` to re-enable the
+ package.
+
+ - `nix-env -q` now has a flag `--prebuilt-only` (`-b`) that causes
+ `nix-env` to show only those derivations whose output is already in
+ the Nix store or that can be substituted (i.e., downloaded from
+ somewhere). In other words, it shows the packages that can be
+ installed “quickly”, i.e., don’t need to be built from source. The
+ `-b` flag is also available in `nix-env -i` and `nix-env -u` to
+ filter out derivations for which no pre-built binary is available.
+
+ - The new option `--argstr` (in `nix-env`, `nix-instantiate` and
+ `nix-build`) is like `--arg`, except that the value is a string. For
+ example, `--argstr system
+ i686-linux` is equivalent to `--arg system
+ \"i686-linux\"` (note that `--argstr` prevents annoying quoting
+ around shell arguments).
+
+ - `nix-store` has a new operation `--read-log` (`-l`) `paths` that
+ shows the build log of the given paths.
+
+ - Nix now uses Berkeley DB 4.5. The database is upgraded
+ automatically, but you should be careful not to use old versions of
+ Nix that still use Berkeley DB 4.4.
+
+ - The option `--max-silent-time` (corresponding to the configuration
+ setting `build-max-silent-time`) allows you to set a timeout on
+ builds — if a build produces no output on `stdout` or `stderr` for
+ the given number of seconds, it is terminated. This is useful for
+ recovering automatically from builds that are stuck in an infinite
+ loop.
+
+ - `nix-channel`: each subscribed channel is its own attribute in the
+ top-level expression generated for the channel. This allows
+ disambiguation (e.g. `nix-env
+ -i -A nixpkgs_unstable.firefox`).
+
+ - The substitutes table has been removed from the database. This makes
+ operations such as `nix-pull` and `nix-channel --update` much, much
+ faster.
+
+ - `nix-pull` now supports bzip2-compressed manifests. This speeds up
+ channels.
+
+ - `nix-prefetch-url` now has a limited form of caching. This is used
+ by `nix-channel` to prevent unnecessary downloads when the channel
+ hasn’t changed.
+
+ - `nix-prefetch-url` now by default computes the SHA-256 hash of the
+ file instead of the MD5 hash. In calls to `fetchurl` you should pass
+ the `sha256` attribute instead of `md5`. You can pass either a
+ hexadecimal or a base-32 encoding of the hash.
+
+ - Nix can now perform builds in an automatically generated “chroot”.
+ This prevents a builder from accessing stuff outside of the Nix
+ store, and thus helps ensure purity. This is an experimental
+ feature.
+
+ - The new command `nix-store
+ --optimise` reduces Nix store disk space usage by finding identical
+ files in the store and hard-linking them to each other. It typically
+ reduces the size of the store by something like 25-35%.
+
+ - `~/.nix-defexpr` can now be a directory, in which case the Nix
+ expressions in that directory are combined into an attribute set,
+ with the file names used as the names of the attributes. The command
+ `nix-env
+ --import` (which set the `~/.nix-defexpr` symlink) is removed.
+
+ - Derivations can specify the new special attribute
+ `allowedReferences` to enforce that the references in the output of
+ a derivation are a subset of a declared set of paths. For example,
+ if `allowedReferences` is an empty list, then the output must not
+ have any references. This is used in NixOS to check that generated
+ files such as initial ramdisks for booting Linux don’t have any
+ dependencies.
+
+ - The new attribute `exportReferencesGraph` allows builders access to
+ the references graph of their inputs. This is used in NixOS for
+ tasks such as generating ISO-9660 images that contain a Nix store
+ populated with the closure of certain paths.
+
+ - Fixed-output derivations (like `fetchurl`) can define the attribute
+ `impureEnvVars` to allow external environment variables to be passed
+ to builders. This is used in Nixpkgs to support proxy configuration,
+ among other things.
+
+ - Several new built-in functions: `builtins.attrNames`,
+ `builtins.filterSource`, `builtins.isAttrs`, `builtins.isFunction`,
+ `builtins.listToAttrs`, `builtins.stringLength`, `builtins.sub`,
+ `builtins.substring`, `throw`, `builtins.trace`,
+ `builtins.readFile`.
diff --git a/doc/manual/src/release-notes/rl-0.12.md b/doc/manual/src/release-notes/rl-0.12.md
new file mode 100644
index 000000000..0dc727b69
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.12.md
@@ -0,0 +1,123 @@
+# Release 0.12 (2008-11-20)
+
+ - Nix no longer uses Berkeley DB to store Nix store metadata. The
+ principal advantages of the new storage scheme are: it works
+ properly over decent implementations of NFS (allowing Nix stores to
+ be shared between multiple machines); no recovery is needed when a
+ Nix process crashes; no write access is needed for read-only
+ operations; no more running out of Berkeley DB locks on certain
+ operations.
+
+ You still need to compile Nix with Berkeley DB support if you want
+ Nix to automatically convert your old Nix store to the new schema.
+ If you don’t need this, you can build Nix with the `configure`
+ option `--disable-old-db-compat`.
+
+ After the automatic conversion to the new schema, you can delete the
+ old Berkeley DB files:
+
+ $ cd /nix/var/nix/db
+ $ rm __db* log.* derivers references referrers reserved validpaths DB_CONFIG
+
+ The new metadata is stored in the directories `/nix/var/nix/db/info`
+ and `/nix/var/nix/db/referrer`. Though the metadata is stored in
+ human-readable plain-text files, they are not intended to be
+ human-editable, as Nix is rather strict about the format.
+
+ The new storage schema may or may not require less disk space than
+ the Berkeley DB environment, mostly depending on the cluster size of
+ your file system. With 1 KiB clusters (which seems to be the `ext3`
+ default nowadays) it usually takes up much less space.
+
+ - There is a new substituter that copies paths directly from other
+ (remote) Nix stores mounted somewhere in the filesystem. For
+ instance, you can speed up an installation by mounting some remote
+ Nix store that already has the packages in question via NFS or
+ `sshfs`. The environment variable NIX\_OTHER\_STORES specifies the
+ locations of the remote Nix directories, e.g. `/mnt/remote-fs/nix`.
+
+ - New `nix-store` operations `--dump-db` and `--load-db` to dump and
+ reload the Nix database.
+
+ - The garbage collector has a number of new options to allow only some
+ of the garbage to be deleted. The option `--max-freed N` tells the
+ collector to stop after at least N bytes have been deleted. The
+ option `--max-links
+ N` tells it to stop after the link count on `/nix/store` has dropped
+ below N. This is useful for very large Nix stores on filesystems
+ with a 32000 subdirectories limit (like `ext3`). The option
+ `--use-atime` causes store paths to be deleted in order of ascending
+ last access time. This allows non-recently used stuff to be deleted.
+ The option `--max-atime time` specifies an upper limit to the last
+ accessed time of paths that may be deleted. For instance,
+
+ ```
+ $ nix-store --gc -v --max-atime $(date +%s -d "2 months ago")
+ ```
+
+ deletes everything that hasn’t been accessed in two months.
+
+ - `nix-env` now uses optimistic profile locking when performing an
+ operation like installing or upgrading, instead of setting an
+ exclusive lock on the profile. This allows multiple `nix-env -i / -u
+ / -e` operations on the same profile in parallel. If a `nix-env`
+ operation sees at the end that the profile was changed in the
+ meantime by another process, it will just restart. This is generally
+ cheap because the build results are still in the Nix store.
+
+ - The option `--dry-run` is now supported by `nix-store -r` and
+ `nix-build`.
+
+ - The information previously shown by `--dry-run` (i.e., which
+ derivations will be built and which paths will be substituted) is
+ now always shown by `nix-env`, `nix-store -r` and `nix-build`. The
+ total download size of substitutable paths is now also shown. For
+ instance, a build will show something like
+
+ the following derivations will be built:
+ /nix/store/129sbxnk5n466zg6r1qmq1xjv9zymyy7-activate-configuration.sh.drv
+ /nix/store/7mzy971rdm8l566ch8hgxaf89x7lr7ik-upstart-jobs.drv
+ ...
+ the following paths will be downloaded/copied (30.02 MiB):
+ /nix/store/4m8pvgy2dcjgppf5b4cj5l6wyshjhalj-samba-3.2.4
+ /nix/store/7h1kwcj29ip8vk26rhmx6bfjraxp0g4l-libunwind-0.98.6
+ ...
+
+ - Language features:
+
+ - @-patterns as in Haskell. For instance, in a function definition
+
+ f = args @ {x, y, z}: ...;
+
+ `args` refers to the argument as a whole, which is further
+ pattern-matched against the attribute set pattern `{x, y, z}`.
+
+ - “`...`” (ellipsis) patterns. An attribute set pattern can now
+ say `...` at the end of the attribute name list to specify that
+ the function takes *at least* the listed attributes, while
+ ignoring additional attributes. For instance,
+
+ {stdenv, fetchurl, fuse, ...}: ...
+
+ defines a function that accepts any attribute set that includes
+ at least the three listed attributes.
+
+ - New primops: `builtins.parseDrvName` (split a package name
+ string like `"nix-0.12pre12876"` into its name and version
+ components, e.g. `"nix"` and `"0.12pre12876"`),
+ `builtins.compareVersions` (compare two version strings using
+ the same algorithm that `nix-env` uses), `builtins.length`
+ (efficiently compute the length of a list), `builtins.mul`
+ (integer multiplication), `builtins.div` (integer division).
+
+ - `nix-prefetch-url` now supports `mirror://` URLs, provided that the
+ environment variable NIXPKGS\_ALL points at a Nixpkgs tree.
+
+ - Removed the commands `nix-pack-closure` and `nix-unpack-closure`.
+ You can do almost the same thing but much more efficiently by doing
+ `nix-store --export
+ $(nix-store -qR paths) > closure` and `nix-store --import <
+ closure`.
+
+ - Lots of bug fixes, including a big performance bug in the handling
+ of `with`-expressions.
diff --git a/doc/manual/src/release-notes/rl-0.13.md b/doc/manual/src/release-notes/rl-0.13.md
new file mode 100644
index 000000000..21f33e3db
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.13.md
@@ -0,0 +1,55 @@
+# Release 0.13 (2009-11-05)
+
+This is primarily a bug fix release. It has some new features:
+
+ - Syntactic sugar for writing nested attribute sets. Instead of
+
+ {
+ foo = {
+ bar = 123;
+ xyzzy = true;
+ };
+ a = { b = { c = "d"; }; };
+ }
+
+ you can write
+
+ {
+ foo.bar = 123;
+ foo.xyzzy = true;
+ a.b.c = "d";
+ }
+
+ This is useful, for instance, in NixOS configuration files.
+
+ - Support for Nix channels generated by Hydra, the Nix-based
+ continuous build system. (Hydra generates NAR archives on the fly,
+ so the size and hash of these archives isn’t known in advance.)
+
+ - Support `i686-linux` builds directly on `x86_64-linux` Nix
+ installations. This is implemented using the `personality()`
+ syscall, which causes `uname` to return `i686` in child processes.
+
+ - Various improvements to the `chroot` support. Building in a `chroot`
+ works quite well now.
+
+ - Nix no longer blocks if it tries to build a path and another process
+ is already building the same path. Instead it tries to build another
+ buildable path first. This improves parallelism.
+
+ - Support for large (\> 4 GiB) files in NAR archives.
+
+ - Various (performance) improvements to the remote build mechanism.
+
+ - New primops: `builtins.addErrorContext` (to add a string to stack
+ traces — useful for debugging), `builtins.isBool`,
+ `builtins.isString`, `builtins.isInt`, `builtins.intersectAttrs`.
+
+ - OpenSolaris support (Sander van der Burg).
+
+ - Stack traces are no longer displayed unless the `--show-trace`
+ option is used.
+
+ - The scoping rules for `inherit
+ (e) ...` in recursive attribute sets have changed. The expression e
+ can now refer to the attributes defined in the containing set.
diff --git a/doc/manual/src/release-notes/rl-0.14.md b/doc/manual/src/release-notes/rl-0.14.md
new file mode 100644
index 000000000..9d58f2072
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.14.md
@@ -0,0 +1,21 @@
+# Release 0.14 (2010-02-04)
+
+This release has the following improvements:
+
+ - The garbage collector now starts deleting garbage much faster than
+ before. It no longer determines liveness of all paths in the store,
+ but does so on demand.
+
+ - Added a new operation, `nix-store --query
+ --roots`, that shows the garbage collector roots that directly or
+ indirectly point to the given store paths.
+
+ - Removed support for converting Berkeley DB-based Nix databases to
+ the new schema.
+
+ - Removed the `--use-atime` and `--max-atime` garbage collector
+ options. They were not very useful in practice.
+
+ - On Windows, Nix now requires Cygwin 1.7.x.
+
+ - A few bug fixes.
diff --git a/doc/manual/src/release-notes/rl-0.15.md b/doc/manual/src/release-notes/rl-0.15.md
new file mode 100644
index 000000000..48e2a6f1b
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.15.md
@@ -0,0 +1,5 @@
+# Release 0.15 (2010-03-17)
+
+This is a bug-fix release. Among other things, it fixes building on Mac
+OS X (Snow Leopard), and improves the contents of `/etc/passwd` and
+`/etc/group` in `chroot` builds.
diff --git a/doc/manual/src/release-notes/rl-0.16.md b/doc/manual/src/release-notes/rl-0.16.md
new file mode 100644
index 000000000..121bbde28
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.16.md
@@ -0,0 +1,25 @@
+# Release 0.16 (2010-08-17)
+
+This release has the following improvements:
+
+ - The Nix expression evaluator is now much faster in most cases:
+ typically, [3 to 8 times compared to the old
+ implementation](http://www.mail-archive.com/nix-dev@cs.uu.nl/msg04113.html).
+ It also uses less memory. It no longer depends on the ATerm library.
+
+ - Support for configurable parallelism inside builders. Build scripts
+ have always had the ability to perform multiple build actions in
+ parallel (for instance, by running `make -j
+ 2`), but this was not desirable because the number of actions to be
+ performed in parallel was not configurable. Nix now has an option
+ `--cores
+ N` as well as a configuration setting `build-cores =
+ N` that causes the environment variable NIX\_BUILD\_CORES to be set
+ to N when the builder is invoked. The builder can use this at its
+ discretion to perform a parallel build, e.g., by calling `make -j
+ N`. In Nixpkgs, this can be enabled on a per-package basis by
+ setting the derivation attribute `enableParallelBuilding` to `true`.
+
+ - `nix-store -q` now supports XML output through the `--xml` flag.
+
+ - Several bug fixes.
diff --git a/doc/manual/src/release-notes/rl-0.5.md b/doc/manual/src/release-notes/rl-0.5.md
new file mode 100644
index 000000000..5cff2da0b
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.5.md
@@ -0,0 +1,3 @@
+# Release 0.5 and earlier
+
+Please refer to the Subversion commit log messages.
diff --git a/doc/manual/src/release-notes/rl-0.6.md b/doc/manual/src/release-notes/rl-0.6.md
new file mode 100644
index 000000000..c816c9851
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.6.md
@@ -0,0 +1,64 @@
+# Release 0.6 (2004-11-14)
+
+ - Rewrite of the normalisation engine.
+
+ - Multiple builds can now be performed in parallel (option `-j`).
+
+ - Distributed builds. Nix can now call a shell script to forward
+ builds to Nix installations on remote machines, which may or may
+ not be of the same platform type.
+
+ - Option `--fallback` allows recovery from broken substitutes.
+
+ - Option `--keep-going` causes building of other (unaffected)
+ derivations to continue if one failed.
+
+ - Improvements to the garbage collector (i.e., it should actually work
+ now).
+
+ - Setuid Nix installations allow a Nix store to be shared among
+ multiple users.
+
+ - Substitute registration is much faster now.
+
+ - A utility `nix-build` to build a Nix expression and create a symlink
+ to the result int the current directory; useful for testing Nix
+ derivations.
+
+ - Manual updates.
+
+ - `nix-env` changes:
+
+ - Derivations for other platforms are filtered out (which can be
+ overridden using `--system-filter`).
+
+ - `--install` by default now uninstall previous derivations with
+ the same name.
+
+ - `--upgrade` allows upgrading to a specific version.
+
+ - New operation `--delete-generations` to remove profile
+ generations (necessary for effective garbage collection).
+
+ - Nicer output (sorted, columnised).
+
+ - More sensible verbosity levels all around (builder output is now
+ shown always, unless `-Q` is given).
+
+ - Nix expression language changes:
+
+ - New language construct: `with
+ E1;
+ E2` brings all attributes defined in the attribute set E1 in
+ scope in E2.
+
+ - Added a `map` function.
+
+ - Various new operators (e.g., string concatenation).
+
+ - Expression evaluation is much faster.
+
+ - An Emacs mode for editing Nix expressions (with syntax highlighting
+ and indentation) has been added.
+
+ - Many bug fixes.
diff --git a/doc/manual/src/release-notes/rl-0.7.md b/doc/manual/src/release-notes/rl-0.7.md
new file mode 100644
index 000000000..d873fe890
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.7.md
@@ -0,0 +1,21 @@
+# Release 0.7 (2005-01-12)
+
+ - Binary patching. When upgrading components using pre-built binaries
+ (through nix-pull / nix-channel), Nix can automatically download and
+ apply binary patches to already installed components instead of full
+ downloads. Patching is “smart”: if there is a *sequence* of patches
+ to an installed component, Nix will use it. Patches are currently
+ generated automatically between Nixpkgs (pre-)releases.
+
+ - Simplifications to the substitute mechanism.
+
+ - Nix-pull now stores downloaded manifests in
+ `/nix/var/nix/manifests`.
+
+ - Metadata on files in the Nix store is canonicalised after builds:
+ the last-modified timestamp is set to 0 (00:00:00 1/1/1970), the
+ mode is set to 0444 or 0555 (readable and possibly executable by
+ all; setuid/setgid bits are dropped), and the group is set to the
+ default. This ensures that the result of a build and an installation
+ through a substitute is the same; and that timestamp dependencies
+ are revealed.
diff --git a/doc/manual/src/release-notes/rl-0.8.1.md b/doc/manual/src/release-notes/rl-0.8.1.md
new file mode 100644
index 000000000..7629f81cb
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.8.1.md
@@ -0,0 +1,8 @@
+# Release 0.8.1 (2005-04-13)
+
+This is a bug fix release.
+
+ - Patch downloading was broken.
+
+ - The garbage collector would not delete paths that had references
+ from invalid (but substitutable) paths.
diff --git a/doc/manual/src/release-notes/rl-0.8.md b/doc/manual/src/release-notes/rl-0.8.md
new file mode 100644
index 000000000..626c0c92b
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.8.md
@@ -0,0 +1,166 @@
+# Release 0.8 (2005-04-11)
+
+NOTE: the hashing scheme in Nix 0.8 changed (as detailed below). As a
+result, `nix-pull` manifests and channels built for Nix 0.7 and below
+will not work anymore. However, the Nix expression language has not
+changed, so you can still build from source. Also, existing user
+environments continue to work. Nix 0.8 will automatically upgrade the
+database schema of previous installations when it is first run.
+
+If you get the error message
+
+ you have an old-style manifest `/nix/var/nix/manifests/[...]'; please
+ delete it
+
+you should delete previously downloaded manifests:
+
+ $ rm /nix/var/nix/manifests/*
+
+If `nix-channel` gives the error message
+
+ manifest `http://catamaran.labs.cs.uu.nl/dist/nix/channels/[channel]/MANIFEST'
+ is too old (i.e., for Nix <= 0.7)
+
+then you should unsubscribe from the offending channel (`nix-channel
+--remove
+URL`; leave out `/MANIFEST`), and subscribe to the same URL, with
+`channels` replaced by `channels-v3` (e.g.,
+<http://catamaran.labs.cs.uu.nl/dist/nix/channels-v3/nixpkgs-unstable>).
+
+Nix 0.8 has the following improvements:
+
+ - The cryptographic hashes used in store paths are now 160 bits long,
+ but encoded in base-32 so that they are still only 32 characters
+ long (e.g.,
+ `/nix/store/csw87wag8bqlqk7ipllbwypb14xainap-atk-1.9.0`). (This is
+ actually a 160 bit truncation of a SHA-256 hash.)
+
+ - Big cleanups and simplifications of the basic store semantics. The
+ notion of “closure store expressions” is gone (and so is the notion
+ of “successors”); the file system references of a store path are now
+ just stored in the database.
+
+ For instance, given any store path, you can query its closure:
+
+ $ nix-store -qR $(which firefox)
+ ... lots of paths ...
+
+ Also, Nix now remembers for each store path the derivation that
+ built it (the “deriver”):
+
+ $ nix-store -qR $(which firefox)
+ /nix/store/4b0jx7vq80l9aqcnkszxhymsf1ffa5jd-firefox-1.0.1.drv
+
+ So to see the build-time dependencies, you can do
+
+ $ nix-store -qR $(nix-store -qd $(which firefox))
+
+ or, in a nicer format:
+
+ $ nix-store -q --tree $(nix-store -qd $(which firefox))
+
+ File system references are also stored in reverse. For instance, you
+ can query all paths that directly or indirectly use a certain Glibc:
+
+ $ nix-store -q --referrers-closure \
+ /nix/store/8lz9yc6zgmc0vlqmn2ipcpkjlmbi51vv-glibc-2.3.4
+
+ - The concept of fixed-output derivations has been formalised.
+ Previously, functions such as `fetchurl` in Nixpkgs used a hack
+ (namely, explicitly specifying a store path hash) to prevent changes
+ to, say, the URL of the file from propagating upwards through the
+ dependency graph, causing rebuilds of everything. This can now be
+ done cleanly by specifying the `outputHash` and `outputHashAlgo`
+ attributes. Nix itself checks that the content of the output has the
+ specified hash. (This is important for maintaining certain
+ invariants necessary for future work on secure shared stores.)
+
+ - One-click installation :-) It is now possible to install any
+ top-level component in Nixpkgs directly, through the web — see,
+ e.g., <http://catamaran.labs.cs.uu.nl/dist/nixpkgs-0.8/>. All you
+ have to do is associate `/nix/bin/nix-install-package` with the MIME
+ type `application/nix-package` (or the extension `.nixpkg`), and
+ clicking on a package link will cause it to be installed, with all
+ appropriate dependencies. If you just want to install some specific
+ application, this is easier than subscribing to a channel.
+
+ - `nix-store -r
+ PATHS` now builds all the derivations PATHS in parallel. Previously
+ it did them sequentially (though exploiting possible parallelism
+ between subderivations). This is nice for build farms.
+
+ - `nix-channel` has new operations `--list` and `--remove`.
+
+ - New ways of installing components into user environments:
+
+ - Copy from another user environment:
+
+ $ nix-env -i --from-profile .../other-profile firefox
+
+ - Install a store derivation directly (bypassing the Nix
+ expression language entirely):
+
+ $ nix-env -i /nix/store/z58v41v21xd3...-aterm-2.3.1.drv
+
+ (This is used to implement `nix-install-package`, which is
+ therefore immune to evolution in the Nix expression language.)
+
+ - Install an already built store path directly:
+
+ $ nix-env -i /nix/store/hsyj5pbn0d9i...-aterm-2.3.1
+
+ - Install the result of a Nix expression specified as a
+ command-line argument:
+
+ $ nix-env -f .../i686-linux.nix -i -E 'x: x.firefoxWrapper'
+
+ The difference with the normal installation mode is that `-E`
+ does not use the `name` attributes of derivations. Therefore,
+ this can be used to disambiguate multiple derivations with the
+ same name.
+
+ - A hash of the contents of a store path is now stored in the database
+ after a successful build. This allows you to check whether store
+ paths have been tampered with: `nix-store
+ --verify --check-contents`.
+
+ - Implemented a concurrent garbage collector. It is now always safe to
+ run the garbage collector, even if other Nix operations are
+ happening simultaneously.
+
+ However, there can still be GC races if you use `nix-instantiate`
+ and `nix-store
+ --realise` directly to build things. To prevent races, use the
+ `--add-root` flag of those commands.
+
+ - The garbage collector now finally deletes paths in the right order
+ (i.e., topologically sorted under the “references” relation), thus
+ making it safe to interrupt the collector without risking a store
+ that violates the closure invariant.
+
+ - Likewise, the substitute mechanism now downloads files in the right
+ order, thus preserving the closure invariant at all times.
+
+ - The result of `nix-build` is now registered as a root of the garbage
+ collector. If the `./result` link is deleted, the GC root disappears
+ automatically.
+
+ - The behaviour of the garbage collector can be changed globally by
+ setting options in `/nix/etc/nix/nix.conf`.
+
+ - `gc-keep-derivations` specifies whether deriver links should be
+ followed when searching for live paths.
+
+ - `gc-keep-outputs` specifies whether outputs of derivations
+ should be followed when searching for live paths.
+
+ - `env-keep-derivations` specifies whether user environments
+ should store the paths of derivations when they are added (thus
+ keeping the derivations alive).
+
+ - New `nix-env` query flags `--drv-path` and `--out-path`.
+
+ - `fetchurl` allows SHA-1 and SHA-256 in addition to MD5. Just specify
+ the attribute `sha1` or `sha256` instead of `md5`.
+
+ - Manual updates.
diff --git a/doc/manual/src/release-notes/rl-0.9.1.md b/doc/manual/src/release-notes/rl-0.9.1.md
new file mode 100644
index 000000000..9c20eed1b
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.9.1.md
@@ -0,0 +1,4 @@
+# Release 0.9.1 (2005-09-20)
+
+This bug fix release addresses a problem with the ATerm library when the
+`--with-aterm` flag in `configure` was *not* used.
diff --git a/doc/manual/src/release-notes/rl-0.9.2.md b/doc/manual/src/release-notes/rl-0.9.2.md
new file mode 100644
index 000000000..0caaf28de
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.9.2.md
@@ -0,0 +1,11 @@
+# Release 0.9.2 (2005-09-21)
+
+This bug fix release fixes two problems on Mac OS X:
+
+ - If Nix was linked against statically linked versions of the ATerm or
+ Berkeley DB library, there would be dynamic link errors at runtime.
+
+ - `nix-pull` and `nix-push` intermittently failed due to race
+ conditions involving pipes and child processes with error messages
+ such as `open2: open(GLOB(0x180b2e4), >&=9) failed: Bad
+ file descriptor at /nix/bin/nix-pull line 77` (issue `NIX-14`).
diff --git a/doc/manual/src/release-notes/rl-0.9.md b/doc/manual/src/release-notes/rl-0.9.md
new file mode 100644
index 000000000..8c3e1b28e
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-0.9.md
@@ -0,0 +1,72 @@
+# Release 0.9 (2005-09-16)
+
+NOTE: this version of Nix uses Berkeley DB 4.3 instead of 4.2. The
+database is upgraded automatically, but you should be careful not to use
+old versions of Nix that still use Berkeley DB 4.2. In particular, if
+you use a Nix installed through Nix, you should run
+
+ $ nix-store --clear-substitutes
+
+first.
+
+ - Unpacking of patch sequences is much faster now since we no longer
+ do redundant unpacking and repacking of intermediate paths.
+
+ - Nix now uses Berkeley DB 4.3.
+
+ - The `derivation` primitive is lazier. Attributes of dependent
+ derivations can mutually refer to each other (as long as there are
+ no data dependencies on the `outPath` and `drvPath` attributes
+ computed by `derivation`).
+
+ For example, the expression `derivation
+ attrs` now evaluates to (essentially)
+
+ attrs // {
+ type = "derivation";
+ outPath = derivation! attrs;
+ drvPath = derivation! attrs;
+ }
+
+ where `derivation!` is a primop that does the actual derivation
+ instantiation (i.e., it does what `derivation` used to do). The
+ advantage is that it allows commands such as `nix-env -qa` and
+ `nix-env -i` to be much faster since they no longer need to
+ instantiate all derivations, just the `name` attribute.
+
+ Also, it allows derivations to cyclically reference each other, for
+ example,
+
+ webServer = derivation {
+ ...
+ hostName = "svn.cs.uu.nl";
+ services = [svnService];
+ };
+
+ svnService = derivation {
+ ...
+ hostName = webServer.hostName;
+ };
+
+ Previously, this would yield a black hole (infinite recursion).
+
+ - `nix-build` now defaults to using `./default.nix` if no Nix
+ expression is specified.
+
+ - `nix-instantiate`, when applied to a Nix expression that evaluates
+ to a function, will call the function automatically if all its
+ arguments have defaults.
+
+ - Nix now uses libtool to build dynamic libraries. This reduces the
+ size of executables.
+
+ - A new list concatenation operator `++`. For example, `[1 2 3] ++
+ [4 5
+ 6]` evaluates to `[1 2 3 4 5
+ 6]`.
+
+ - Some currently undocumented primops to support low-level build
+ management using Nix (i.e., using Nix as a Make replacement). See
+ the commit messages for `r3578` and `r3580`.
+
+ - Various bug fixes and performance improvements.
diff --git a/doc/manual/src/release-notes/rl-1.0.md b/doc/manual/src/release-notes/rl-1.0.md
new file mode 100644
index 000000000..025f827d9
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.0.md
@@ -0,0 +1,68 @@
+# Release 1.0 (2012-05-11)
+
+There have been numerous improvements and bug fixes since the previous
+release. Here are the most significant:
+
+ - Nix can now optionally use the Boehm garbage collector. This
+ significantly reduces the Nix evaluator’s memory footprint,
+ especially when evaluating large NixOS system configurations. It can
+ be enabled using the `--enable-gc` configure option.
+
+ - Nix now uses SQLite for its database. This is faster and more
+ flexible than the old *ad hoc* format. SQLite is also used to cache
+ the manifests in `/nix/var/nix/manifests`, resulting in a
+ significant speedup.
+
+ - Nix now has an search path for expressions. The search path is set
+ using the environment variable NIX\_PATH and the `-I` command line
+ option. In Nix expressions, paths between angle brackets are used to
+ specify files that must be looked up in the search path. For
+ instance, the expression `<nixpkgs/default.nix>` looks for a file
+ `nixpkgs/default.nix` relative to every element in the search path.
+
+ - The new command `nix-build --run-env` builds all dependencies of a
+ derivation, then starts a shell in an environment containing all
+ variables from the derivation. This is useful for reproducing the
+ environment of a derivation for development.
+
+ - The new command `nix-store --verify-path` verifies that the contents
+ of a store path have not changed.
+
+ - The new command `nix-store --print-env` prints out the environment
+ of a derivation in a format that can be evaluated by a shell.
+
+ - Attribute names can now be arbitrary strings. For instance, you can
+ write `{ "foo-1.2" = …; "bla bla" = …; }."bla
+ bla"`.
+
+ - Attribute selection can now provide a default value using the `or`
+ operator. For instance, the expression `x.y.z or e` evaluates to the
+ attribute `x.y.z` if it exists, and `e` otherwise.
+
+ - The right-hand side of the `?` operator can now be an attribute
+ path, e.g., `attrs ?
+ a.b.c`.
+
+ - On Linux, Nix will now make files in the Nix store immutable on
+ filesystems that support it. This prevents accidental modification
+ of files in the store by the root user.
+
+ - Nix has preliminary support for derivations with multiple outputs.
+ This is useful because it allows parts of a package to be deployed
+ and garbage-collected separately. For instance, development parts of
+ a package such as header files or static libraries would typically
+ not be part of the closure of an application, resulting in reduced
+ disk usage and installation time.
+
+ - The Nix store garbage collector is faster and holds the global lock
+ for a shorter amount of time.
+
+ - The option `--timeout` (corresponding to the configuration setting
+ `build-timeout`) allows you to set an absolute timeout on builds —
+ if a build runs for more than the given number of seconds, it is
+ terminated. This is useful for recovering automatically from builds
+ that are stuck in an infinite loop but keep producing output, and
+ for which `--max-silent-time` is ineffective.
+
+ - Nix development has moved to GitHub
+ (<https://github.com/NixOS/nix>).
diff --git a/doc/manual/src/release-notes/rl-1.1.md b/doc/manual/src/release-notes/rl-1.1.md
new file mode 100644
index 000000000..1e658fe15
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.1.md
@@ -0,0 +1,61 @@
+# Release 1.1 (2012-07-18)
+
+This release has the following improvements:
+
+ - On Linux, when doing a chroot build, Nix now uses various namespace
+ features provided by the Linux kernel to improve build isolation.
+ Namely:
+
+ - The private network namespace ensures that builders cannot talk
+ to the outside world (or vice versa): each build only sees a
+ private loopback interface. This also means that two concurrent
+ builds can listen on the same port (e.g. as part of a test)
+ without conflicting with each other.
+
+ - The PID namespace causes each build to start as PID 1. Processes
+ outside of the chroot are not visible to those on the inside. On
+ the other hand, processes inside the chroot *are* visible from
+ the outside (though with different PIDs).
+
+ - The IPC namespace prevents the builder from communicating with
+ outside processes using SysV IPC mechanisms (shared memory,
+ message queues, semaphores). It also ensures that all IPC
+ objects are destroyed when the builder exits.
+
+ - The UTS namespace ensures that builders see a hostname of
+ `localhost` rather than the actual hostname.
+
+ - The private mount namespace was already used by Nix to ensure
+ that the bind-mounts used to set up the chroot are cleaned up
+ automatically.
+
+ - Build logs are now compressed using `bzip2`. The command `nix-store
+ -l` decompresses them on the fly. This can be disabled by setting
+ the option `build-compress-log` to `false`.
+
+ - The creation of build logs in `/nix/var/log/nix/drvs` can be
+ disabled by setting the new option `build-keep-log` to `false`. This
+ is useful, for instance, for Hydra build machines.
+
+ - Nix now reserves some space in `/nix/var/nix/db/reserved` to ensure
+ that the garbage collector can run successfully if the disk is full.
+ This is necessary because SQLite transactions fail if the disk is
+ full.
+
+ - Added a basic `fetchurl` function. This is not intended to replace
+ the `fetchurl` in Nixpkgs, but is useful for bootstrapping; e.g., it
+ will allow us to get rid of the bootstrap binaries in the Nixpkgs
+ source tree and download them instead. You can use it by doing
+ `import <nix/fetchurl.nix> { url =
+ url; sha256 =
+ "hash"; }`. (Shea Levy)
+
+ - Improved RPM spec file. (Michel Alexandre Salim)
+
+ - Support for on-demand socket-based activation in the Nix daemon with
+ `systemd`.
+
+ - Added a manpage for nix.conf5.
+
+ - When using the Nix daemon, the `-s` flag in `nix-env -qa` is now
+ much faster.
diff --git a/doc/manual/src/release-notes/rl-1.10.md b/doc/manual/src/release-notes/rl-1.10.md
new file mode 100644
index 000000000..2bb859536
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.10.md
@@ -0,0 +1,31 @@
+# Release 1.10 (2015-09-03)
+
+This is primarily a bug fix release. It also has a number of new
+features:
+
+ - A number of builtin functions have been added to reduce
+ Nixpkgs/NixOS evaluation time and memory consumption: `all`, `any`,
+ `concatStringsSep`, `foldl’`, `genList`, `replaceStrings`, `sort`.
+
+ - The garbage collector is more robust when the disk is full.
+
+ - Nix supports a new API for building derivations that doesn’t require
+ a `.drv` file to be present on disk; it only requires an in-memory
+ representation of the derivation. This is used by the Hydra
+ continuous build system to make remote builds more efficient.
+
+ - The function `<nix/fetchurl.nix>` now uses a *builtin* builder (i.e.
+ it doesn’t require starting an external process; the download is
+ performed by Nix itself). This ensures that derivation paths don’t
+ change when Nix is upgraded, and obviates the need for ugly hacks to
+ support chroot execution.
+
+ - `--version -v` now prints some configuration information, in
+ particular what compile-time optional features are enabled, and the
+ paths of various directories.
+
+ - Build users have their supplementary groups set correctly.
+
+This release has contributions from Eelco Dolstra, Guillaume Maudoux,
+Iwan Aucamp, Jaka Hudoklin, Kirill Elagin, Ludovic Courtès, Manolis
+Ragkousis, Nicolas B. Pierron and Shea Levy.
diff --git a/doc/manual/src/release-notes/rl-1.11.10.md b/doc/manual/src/release-notes/rl-1.11.10.md
new file mode 100644
index 000000000..d1efe1d0b
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.11.10.md
@@ -0,0 +1,21 @@
+# Release 1.11.10 (2017-06-12)
+
+This release fixes a security bug in Nix’s “build user” build isolation
+mechanism. Previously, Nix builders had the ability to create setuid
+binaries owned by a `nixbld` user. Such a binary could then be used by
+an attacker to assume a `nixbld` identity and interfere with subsequent
+builds running under the same UID.
+
+To prevent this issue, Nix now disallows builders to create setuid and
+setgid binaries. On Linux, this is done using a seccomp BPF filter. Note
+that this imposes a small performance penalty (e.g. 1% when building GNU
+Hello). Using seccomp, we now also prevent the creation of extended
+attributes and POSIX ACLs since these cannot be represented in the NAR
+format and (in the case of POSIX ACLs) allow bypassing regular Nix store
+permissions. On macOS, the restriction is implemented using the existing
+sandbox mechanism, which now uses a minimal “allow all except the
+creation of setuid/setgid binaries” profile when regular sandboxing is
+disabled. On other platforms, the “build user” mechanism is now
+disabled.
+
+Thanks go to Linus Heckemann for discovering and reporting this bug.
diff --git a/doc/manual/src/release-notes/rl-1.11.md b/doc/manual/src/release-notes/rl-1.11.md
new file mode 100644
index 000000000..381887bd8
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.11.md
@@ -0,0 +1,87 @@
+# Release 1.11 (2016-01-19)
+
+This is primarily a bug fix release. It also has a number of new
+features:
+
+ - `nix-prefetch-url` can now download URLs specified in a Nix
+ expression. For example,
+
+ $ nix-prefetch-url -A hello.src
+
+ will prefetch the file specified by the `fetchurl` call in the
+ attribute `hello.src` from the Nix expression in the current
+ directory, and print the cryptographic hash of the resulting file on
+ stdout. This differs from `nix-build -A
+ hello.src` in that it doesn't verify the hash, and is thus useful
+ when you’re updating a Nix expression.
+
+ You can also prefetch the result of functions that unpack a tarball,
+ such as `fetchFromGitHub`. For example:
+
+ $ nix-prefetch-url --unpack https://github.com/NixOS/patchelf/archive/0.8.tar.gz
+
+ or from a Nix expression:
+
+ $ nix-prefetch-url -A nix-repl.src
+
+ - The builtin function `<nix/fetchurl.nix>` now supports downloading
+ and unpacking NARs. This removes the need to have multiple downloads
+ in the Nixpkgs stdenv bootstrap process (like a separate busybox
+ binary for Linux, or curl/mkdir/sh/bzip2 for Darwin). Now all those
+ files can be combined into a single NAR, optionally compressed using
+ `xz`.
+
+ - Nix now supports SHA-512 hashes for verifying fixed-output
+ derivations, and in `builtins.hashString`.
+
+ - The new flag `--option build-repeat
+ N` will cause every build to be executed N+1 times. If the build
+ output differs between any round, the build is rejected, and the
+ output paths are not registered as valid. This is primarily useful
+ to verify build determinism. (We already had a `--check` option to
+ repeat a previously succeeded build. However, with `--check`,
+ non-deterministic builds are registered in the DB. Preventing that
+ is useful for Hydra to ensure that non-deterministic builds don't
+ end up getting published to the binary cache.)
+
+ - The options `--check` and `--option
+ build-repeat N`, if they detect a difference between two runs of the
+ same derivation and `-K` is given, will make the output of the other
+ run available under `store-path-check`. This makes it easier to
+ investigate the non-determinism using tools like `diffoscope`, e.g.,
+
+ $ nix-build pkgs/stdenv/linux -A stage1.pkgs.zlib --check -K
+ error: derivation ‘/nix/store/l54i8wlw2265…-zlib-1.2.8.drv’ may not
+ be deterministic: output ‘/nix/store/11a27shh6n2i…-zlib-1.2.8’
+ differs from ‘/nix/store/11a27shh6n2i…-zlib-1.2.8-check’
+
+ $ diffoscope /nix/store/11a27shh6n2i…-zlib-1.2.8 /nix/store/11a27shh6n2i…-zlib-1.2.8-check
+ …
+ ├── lib/libz.a
+ │ ├── metadata
+ │ │ @@ -1,15 +1,15 @@
+ │ │ -rw-r--r-- 30001/30000 3096 Jan 12 15:20 2016 adler32.o
+ …
+ │ │ +rw-r--r-- 30001/30000 3096 Jan 12 15:28 2016 adler32.o
+ …
+
+ - Improved FreeBSD support.
+
+ - `nix-env -qa --xml --meta` now prints license information.
+
+ - The maximum number of parallel TCP connections that the binary cache
+ substituter will use has been decreased from 150 to 25. This should
+ prevent upsetting some broken NAT routers, and also improves
+ performance.
+
+ - All "chroot"-containing strings got renamed to "sandbox". In
+ particular, some Nix options got renamed, but the old names are
+ still accepted as lower-priority aliases.
+
+This release has contributions from Anders Claesson, Anthony Cowley,
+Bjørn Forsman, Brian McKenna, Danny Wilson, davidak, Eelco Dolstra,
+Fabian Schmitthenner, FrankHB, Ilya Novoselov, janus, Jim Garrison, John
+Ericson, Jude Taylor, Ludovic Courtès, Manuel Jacob, Mathnerd314, Pascal
+Wittmann, Peter Simons, Philip Potter, Preston Bennes, Rommel M.
+Martinez, Sander van der Burg, Shea Levy, Tim Cuthbertson, Tuomas
+Tynkkynen, Utku Demir and Vladimír Čunát.
diff --git a/doc/manual/src/release-notes/rl-1.2.md b/doc/manual/src/release-notes/rl-1.2.md
new file mode 100644
index 000000000..e62b2dac9
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.2.md
@@ -0,0 +1,97 @@
+# Release 1.2 (2012-12-06)
+
+This release has the following improvements and changes:
+
+ - Nix has a new binary substituter mechanism: the *binary cache*. A
+ binary cache contains pre-built binaries of Nix packages. Whenever
+ Nix wants to build a missing Nix store path, it will check a set of
+ binary caches to see if any of them has a pre-built binary of that
+ path. The configuration setting `binary-caches` contains a list of
+ URLs of binary caches. For instance, doing
+
+ $ nix-env -i thunderbird --option binary-caches http://cache.nixos.org
+
+ will install Thunderbird and its dependencies, using the available
+ pre-built binaries in <http://cache.nixos.org>. The main advantage
+ over the old “manifest”-based method of getting pre-built binaries
+ is that you don’t have to worry about your manifest being in sync
+ with the Nix expressions you’re installing from; i.e., you don’t
+ need to run `nix-pull` to update your manifest. It’s also more
+ scalable because you don’t need to redownload a giant manifest file
+ every time.
+
+ A Nix channel can provide a binary cache URL that will be used
+ automatically if you subscribe to that channel. If you use the
+ Nixpkgs or NixOS channels (<http://nixos.org/channels>) you
+ automatically get the cache <http://cache.nixos.org>.
+
+ Binary caches are created using `nix-push`. For details on the
+ operation and format of binary caches, see the `nix-push` manpage.
+ More details are provided in [this nix-dev
+ posting](https://nixos.org/nix-dev/2012-September/009826.html).
+
+ - Multiple output support should now be usable. A derivation can
+ declare that it wants to produce multiple store paths by saying
+ something like
+
+ outputs = [ "lib" "headers" "doc" ];
+
+ This will cause Nix to pass the intended store path of each output
+ to the builder through the environment variables `lib`, `headers`
+ and `doc`. Other packages can refer to a specific output by
+ referring to `pkg.output`, e.g.
+
+ buildInputs = [ pkg.lib pkg.headers ];
+
+ If you install a package with multiple outputs using `nix-env`, each
+ output path will be symlinked into the user environment.
+
+ - Dashes are now valid as part of identifiers and attribute names.
+
+ - The new operation `nix-store --repair-path` allows corrupted or
+ missing store paths to be repaired by redownloading them. `nix-store
+ --verify --check-contents
+ --repair` will scan and repair all paths in the Nix store.
+ Similarly, `nix-env`, `nix-build`, `nix-instantiate` and `nix-store
+ --realise` have a `--repair` flag to detect and fix bad paths by
+ rebuilding or redownloading them.
+
+ - Nix no longer sets the immutable bit on files in the Nix store.
+ Instead, the recommended way to guard the Nix store against
+ accidental modification on Linux is to make it a read-only bind
+ mount, like this:
+
+ $ mount --bind /nix/store /nix/store
+ $ mount -o remount,ro,bind /nix/store
+
+ Nix will automatically make `/nix/store` writable as needed (using a
+ private mount namespace) to allow modifications.
+
+ - Store optimisation (replacing identical files in the store with hard
+ links) can now be done automatically every time a path is added to
+ the store. This is enabled by setting the configuration option
+ `auto-optimise-store` to `true` (disabled by default).
+
+ - Nix now supports `xz` compression for NARs in addition to `bzip2`.
+ It compresses about 30% better on typical archives and decompresses
+ about twice as fast.
+
+ - Basic Nix expression evaluation profiling: setting the environment
+ variable NIX\_COUNT\_CALLS to `1` will cause Nix to print how many
+ times each primop or function was executed.
+
+ - New primops: `concatLists`, `elem`, `elemAt` and `filter`.
+
+ - The command `nix-copy-closure` has a new flag `--use-substitutes`
+ (`-s`) to download missing paths on the target machine using the
+ substitute mechanism.
+
+ - The command `nix-worker` has been renamed to `nix-daemon`. Support
+ for running the Nix worker in “slave” mode has been removed.
+
+ - The `--help` flag of every Nix command now invokes `man`.
+
+ - Chroot builds are now supported on systemd machines.
+
+This release has contributions from Eelco Dolstra, Florian Friesdorf,
+Mats Erik Andersson and Shea Levy.
diff --git a/doc/manual/src/release-notes/rl-1.3.md b/doc/manual/src/release-notes/rl-1.3.md
new file mode 100644
index 000000000..0c7b48380
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.3.md
@@ -0,0 +1,10 @@
+# Release 1.3 (2013-01-04)
+
+This is primarily a bug fix release. When this version is first run on
+Linux, it removes any immutable bits from the Nix store and increases
+the schema version of the Nix store. (The previous release removed
+support for setting the immutable bit; this release clears any remaining
+immutable bits to make certain operations more efficient.)
+
+This release has contributions from Eelco Dolstra and Stuart
+Pernsteiner.
diff --git a/doc/manual/src/release-notes/rl-1.4.md b/doc/manual/src/release-notes/rl-1.4.md
new file mode 100644
index 000000000..d6d2227f8
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.4.md
@@ -0,0 +1,22 @@
+# Release 1.4 (2013-02-26)
+
+This release fixes a security bug in multi-user operation. It was
+possible for derivations to cause the mode of files outside of the Nix
+store to be changed to 444 (read-only but world-readable) by creating
+hard links to those files
+([details](https://github.com/NixOS/nix/commit/5526a282b5b44e9296e61e07d7d2626a79141ac4)).
+
+There are also the following improvements:
+
+ - New built-in function: `builtins.hashString`.
+
+ - Build logs are now stored in `/nix/var/log/nix/drvs/XX/`, where XX
+ is the first two characters of the derivation. This is useful on
+ machines that keep a lot of build logs (such as Hydra servers).
+
+ - The function `corepkgs/fetchurl` can now make the downloaded file
+ executable. This will allow getting rid of all bootstrap binaries in
+ the Nixpkgs source tree.
+
+ - Language change: The expression `"${./path}
+ ..."` now evaluates to a string instead of a path.
diff --git a/doc/manual/src/release-notes/rl-1.5.1.md b/doc/manual/src/release-notes/rl-1.5.1.md
new file mode 100644
index 000000000..72b29518e
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.5.1.md
@@ -0,0 +1,4 @@
+# Release 1.5.1 (2013-02-28)
+
+The bug fix to the bug fix had a bug itself, of course. But this time it
+will work for sure\!
diff --git a/doc/manual/src/release-notes/rl-1.5.2.md b/doc/manual/src/release-notes/rl-1.5.2.md
new file mode 100644
index 000000000..508580554
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.5.2.md
@@ -0,0 +1,4 @@
+# Release 1.5.2 (2013-05-13)
+
+This is primarily a bug fix release. It has contributions from Eelco
+Dolstra, Lluís Batlle i Rossell and Shea Levy.
diff --git a/doc/manual/src/release-notes/rl-1.5.md b/doc/manual/src/release-notes/rl-1.5.md
new file mode 100644
index 000000000..d2ccf8a5d
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.5.md
@@ -0,0 +1,4 @@
+# Release 1.5 (2013-02-27)
+
+This is a brown paper bag release to fix a regression introduced by the
+hard link security fix in 1.4.
diff --git a/doc/manual/src/release-notes/rl-1.6.1.md b/doc/manual/src/release-notes/rl-1.6.1.md
new file mode 100644
index 000000000..ed974fe0b
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.6.1.md
@@ -0,0 +1,32 @@
+# Release 1.6.1 (2013-10-28)
+
+This is primarily a bug fix release. Changes of interest are:
+
+ - Nix 1.6 accidentally changed the semantics of antiquoted paths in
+ strings, such as `"${/foo}/bar"`. This release reverts to the Nix
+ 1.5.3 behaviour.
+
+ - Previously, Nix optimised expressions such as `"${expr}"` to expr.
+ Thus it neither checked whether expr could be coerced to a string,
+ nor applied such coercions. This meant that `"${123}"` evaluatued to
+ `123`, and `"${./foo}"` evaluated to `./foo` (even though `"${./foo}
+ "` evaluates to `"/nix/store/hash-foo "`). Nix now checks the type
+ of antiquoted expressions and applies coercions.
+
+ - Nix now shows the exact position of undefined variables. In
+ particular, undefined variable errors in a `with` previously didn't
+ show *any* position information, so this makes it a lot easier to
+ fix such errors.
+
+ - Undefined variables are now treated consistently. Previously, the
+ `tryEval` function would catch undefined variables inside a `with`
+ but not outside. Now `tryEval` never catches undefined variables.
+
+ - Bash completion in `nix-shell` now works correctly.
+
+ - Stack traces are less verbose: they no longer show calls to builtin
+ functions and only show a single line for each derivation on the
+ call stack.
+
+ - New built-in function: `builtins.typeOf`, which returns the type of
+ its argument as a string.
diff --git a/doc/manual/src/release-notes/rl-1.6.md b/doc/manual/src/release-notes/rl-1.6.md
new file mode 100644
index 000000000..a4583f4e6
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.6.md
@@ -0,0 +1,72 @@
+# Release 1.6 (2013-09-10)
+
+In addition to the usual bug fixes, this release has several new
+features:
+
+ - The command `nix-build --run-env` has been renamed to `nix-shell`.
+
+ - `nix-shell` now sources `$stdenv/setup` *inside* the interactive
+ shell, rather than in a parent shell. This ensures that shell
+ functions defined by `stdenv` can be used in the interactive shell.
+
+ - `nix-shell` has a new flag `--pure` to clear the environment, so you
+ get an environment that more closely corresponds to the “real” Nix
+ build.
+
+ - `nix-shell` now sets the shell prompt (PS1) to ensure that Nix
+ shells are distinguishable from your regular shells.
+
+ - `nix-env` no longer requires a `*` argument to match all packages,
+ so `nix-env -qa` is equivalent to `nix-env
+ -qa '*'`.
+
+ - `nix-env -i` has a new flag `--remove-all` (`-r`) to remove all
+ previous packages from the profile. This makes it easier to do
+ declarative package management similar to NixOS’s
+ `environment.systemPackages`. For instance, if you have a
+ specification `my-packages.nix` like this:
+
+ with import <nixpkgs> {};
+ [ thunderbird
+ geeqie
+ ...
+ ]
+
+ then after any change to this file, you can run:
+
+ $ nix-env -f my-packages.nix -ir
+
+ to update your profile to match the specification.
+
+ - The ‘`with`’ language construct is now more lazy. It only evaluates
+ its argument if a variable might actually refer to an attribute in
+ the argument. For instance, this now works:
+
+ let
+ pkgs = with pkgs; { foo = "old"; bar = foo; } // overrides;
+ overrides = { foo = "new"; };
+ in pkgs.bar
+
+ This evaluates to `"new"`, while previously it gave an “infinite
+ recursion” error.
+
+ - Nix now has proper integer arithmetic operators. For instance, you
+ can write `x + y` instead of `builtins.add x y`, or `x <
+ y` instead of `builtins.lessThan x y`. The comparison operators also
+ work on strings.
+
+ - On 64-bit systems, Nix integers are now 64 bits rather than 32 bits.
+
+ - When using the Nix daemon, the `nix-daemon` worker process now runs
+ on the same CPU as the client, on systems that support setting CPU
+ affinity. This gives a significant speedup on some systems.
+
+ - If a stack overflow occurs in the Nix evaluator, you now get a
+ proper error message (rather than “Segmentation fault”) on some
+ systems.
+
+ - In addition to directories, you can now bind-mount regular files in
+ chroots through the (now misnamed) option `build-chroot-dirs`.
+
+This release has contributions from Domen Kožar, Eelco Dolstra, Florian
+Friesdorf, Gergely Risko, Ivan Kozik, Ludovic Courtès and Shea Levy.
diff --git a/doc/manual/src/release-notes/rl-1.7.md b/doc/manual/src/release-notes/rl-1.7.md
new file mode 100644
index 000000000..71a327ed6
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.7.md
@@ -0,0 +1,140 @@
+# Release 1.7 (2014-04-11)
+
+In addition to the usual bug fixes, this release has the following new
+features:
+
+ - Antiquotation is now allowed inside of quoted attribute names (e.g.
+ `set."${foo}"`). In the case where the attribute name is just a
+ single antiquotation, the quotes can be dropped (e.g. the above
+ example can be written `set.${foo}`). If an attribute name inside of
+ a set declaration evaluates to `null` (e.g. `{ ${null} = false; }`),
+ then that attribute is not added to the set.
+
+ - Experimental support for cryptographically signed binary caches. See
+ [the commit for
+ details](https://github.com/NixOS/nix/commit/0fdf4da0e979f992db75cc17376e455ddc5a96d8).
+
+ - An experimental new substituter, `download-via-ssh`, that fetches
+ binaries from remote machines via SSH. Specifying the flags
+ `--option
+ use-ssh-substituter true --option ssh-substituter-hosts
+ user@hostname` will cause Nix to download binaries from the
+ specified machine, if it has them.
+
+ - `nix-store -r` and `nix-build` have a new flag, `--check`, that
+ builds a previously built derivation again, and prints an error
+ message if the output is not exactly the same. This helps to verify
+ whether a derivation is truly deterministic. For example:
+
+ $ nix-build '<nixpkgs>' -A patchelf
+ …
+ $ nix-build '<nixpkgs>' -A patchelf --check
+ …
+ error: derivation `/nix/store/1ipvxs…-patchelf-0.6' may not be deterministic:
+ hash mismatch in output `/nix/store/4pc1dm…-patchelf-0.6.drv'
+
+ - The `nix-instantiate` flags `--eval-only` and `--parse-only` have
+ been renamed to `--eval` and `--parse`, respectively.
+
+ - `nix-instantiate`, `nix-build` and `nix-shell` now have a flag
+ `--expr` (or `-E`) that allows you to specify the expression to be
+ evaluated as a command line argument. For instance, `nix-instantiate
+ --eval -E
+ '1 + 2'` will print `3`.
+
+ - `nix-shell` improvements:
+
+ - It has a new flag, `--packages` (or `-p`), that sets up a build
+ environment containing the specified packages from Nixpkgs. For
+ example, the command
+
+ $ nix-shell -p sqlite xorg.libX11 hello
+
+ will start a shell in which the given packages are present.
+
+ - It now uses `shell.nix` as the default expression, falling back
+ to `default.nix` if the former doesn’t exist. This makes it
+ convenient to have a `shell.nix` in your project to set up a
+ nice development environment.
+
+ - It evaluates the derivation attribute `shellHook`, if set. Since
+ `stdenv` does not normally execute this hook, it allows you to
+ do `nix-shell`-specific setup.
+
+ - It preserves the user’s timezone setting.
+
+ - In chroots, Nix now sets up a `/dev` containing only a minimal set
+ of devices (such as `/dev/null`). Note that it only does this if you
+ *don’t* have `/dev` listed in your `build-chroot-dirs` setting;
+ otherwise, it will bind-mount the `/dev` from outside the chroot.
+
+ Similarly, if you don’t have `/dev/pts` listed in
+ `build-chroot-dirs`, Nix will mount a private `devpts` filesystem on
+ the chroot’s `/dev/pts`.
+
+ - New built-in function: `builtins.toJSON`, which returns a JSON
+ representation of a value.
+
+ - `nix-env -q` has a new flag `--json` to print a JSON representation
+ of the installed or available packages.
+
+ - `nix-env` now supports meta attributes with more complex values,
+ such as attribute sets.
+
+ - The `-A` flag now allows attribute names with dots in them, e.g.
+
+ $ nix-instantiate --eval '<nixos>' -A 'config.systemd.units."nscd.service".text'
+
+ - The `--max-freed` option to `nix-store --gc` now accepts a unit
+ specifier. For example, `nix-store --gc --max-freed
+ 1G` will free up to 1 gigabyte of disk space.
+
+ - `nix-collect-garbage` has a new flag `--delete-older-than` N`d`,
+ which deletes all user environment generations older than N days.
+ Likewise, `nix-env
+ --delete-generations` accepts a N`d` age limit.
+
+ - Nix now heuristically detects whether a build failure was due to a
+ disk-full condition. In that case, the build is not flagged as
+ “permanently failed”. This is mostly useful for Hydra, which needs
+ to distinguish between permanent and transient build failures.
+
+ - There is a new symbol `__curPos` that expands to an attribute set
+ containing its file name and line and column numbers, e.g. `{ file =
+ "foo.nix"; line = 10;
+ column = 5; }`. There also is a new builtin function,
+ `unsafeGetAttrPos`, that returns the position of an attribute. This
+ is used by Nixpkgs to provide location information in error
+ messages, e.g.
+
+ $ nix-build '<nixpkgs>' -A libreoffice --argstr system x86_64-darwin
+ error: the package ‘libreoffice-4.0.5.2’ in ‘.../applications/office/libreoffice/default.nix:263’
+ is not supported on ‘x86_64-darwin’
+
+ - The garbage collector is now more concurrent with other Nix
+ processes because it releases certain locks earlier.
+
+ - The binary tarball installer has been improved. You can now install
+ Nix by running:
+
+ $ bash <(curl https://nixos.org/nix/install)
+
+ - More evaluation errors include position information. For instance,
+ selecting a missing attribute will print something like
+
+ error: attribute `nixUnstabl' missing, at /etc/nixos/configurations/misc/eelco/mandark.nix:216:15
+
+ - The command `nix-setuid-helper` is gone.
+
+ - Nix no longer uses Automake, but instead has a non-recursive, GNU
+ Make-based build system.
+
+ - All installed libraries now have the prefix `libnix`. In particular,
+ this gets rid of `libutil`, which could clash with libraries with
+ the same name from other packages.
+
+ - Nix now requires a compiler that supports C++11.
+
+This release has contributions from Danny Wilson, Domen Kožar, Eelco
+Dolstra, Ian-Woo Kim, Ludovic Courtès, Maxim Ivanov, Petr Rockai,
+Ricardo M. Correia and Shea Levy.
diff --git a/doc/manual/src/release-notes/rl-1.8.md b/doc/manual/src/release-notes/rl-1.8.md
new file mode 100644
index 000000000..10a82d52a
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.8.md
@@ -0,0 +1,88 @@
+# Release 1.8 (2014-12-14)
+
+ - Breaking change: to address a race condition, the remote build hook
+ mechanism now uses `nix-store
+ --serve` on the remote machine. This requires build slaves to be
+ updated to Nix 1.8.
+
+ - Nix now uses HTTPS instead of HTTP to access the default binary
+ cache, `cache.nixos.org`.
+
+ - `nix-env` selectors are now regular expressions. For instance, you
+ can do
+
+ $ nix-env -qa '.*zip.*'
+
+ to query all packages with a name containing `zip`.
+
+ - `nix-store --read-log` can now fetch remote build logs. If a build
+ log is not available locally, then ‘nix-store -l’ will now try to
+ download it from the servers listed in the ‘log-servers’ option in
+ nix.conf. For instance, if you have the configuration option
+
+ log-servers = http://hydra.nixos.org/log
+
+ then it will try to get logs from `http://hydra.nixos.org/log/base
+ name of the
+ store path`. This allows you to do things like:
+
+ $ nix-store -l $(which xterm)
+
+ and get a log even if `xterm` wasn't built locally.
+
+ - New builtin functions: `attrValues`, `deepSeq`, `fromJSON`,
+ `readDir`, `seq`.
+
+ - `nix-instantiate --eval` now has a `--json` flag to print the
+ resulting value in JSON format.
+
+ - `nix-copy-closure` now uses `nix-store --serve` on the remote side
+ to send or receive closures. This fixes a race condition between
+ `nix-copy-closure` and the garbage collector.
+
+ - Derivations can specify the new special attribute
+ `allowedRequisites`, which has a similar meaning to
+ `allowedReferences`. But instead of only enforcing to explicitly
+ specify the immediate references, it requires the derivation to
+ specify all the dependencies recursively (hence the name,
+ requisites) that are used by the resulting output.
+
+ - On Mac OS X, Nix now handles case collisions when importing closures
+ from case-sensitive file systems. This is mostly useful for running
+ NixOps on Mac OS X.
+
+ - The Nix daemon has new configuration options `allowed-users`
+ (specifying the users and groups that are allowed to connect to the
+ daemon) and `trusted-users` (specifying the users and groups that
+ can perform privileged operations like specifying untrusted binary
+ caches).
+
+ - The configuration option `build-cores` now defaults to the number of
+ available CPU cores.
+
+ - Build users are now used by default when Nix is invoked as root.
+ This prevents builds from accidentally running as root.
+
+ - Nix now includes systemd units and Upstart jobs.
+
+ - Speed improvements to `nix-store
+ --optimise`.
+
+ - Language change: the `==` operator now ignores string contexts (the
+ “dependencies” of a string).
+
+ - Nix now filters out Nix-specific ANSI escape sequences on standard
+ error. They are supposed to be invisible, but some terminals show
+ them anyway.
+
+ - Various commands now automatically pipe their output into the pager
+ as specified by the PAGER environment variable.
+
+ - Several improvements to reduce memory consumption in the evaluator.
+
+This release has contributions from Adam Szkoda, Aristid Breitkreuz, Bob
+van der Linden, Charles Strahan, darealshinji, Eelco Dolstra, Gergely
+Risko, Joel Taylor, Ludovic Courtès, Marko Durkovic, Mikey Ariel, Paul
+Colomiets, Ricardo M. Correia, Ricky Elrod, Robert Helgesson, Rob
+Vermaas, Russell O'Connor, Shea Levy, Shell Turner, Sönke Hahn, Steve
+Purcell, Vladimír Čunát and Wout Mertens.
diff --git a/doc/manual/src/release-notes/rl-1.9.md b/doc/manual/src/release-notes/rl-1.9.md
new file mode 100644
index 000000000..01b067aab
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-1.9.md
@@ -0,0 +1,143 @@
+# Release 1.9 (2015-06-12)
+
+In addition to the usual bug fixes, this release has the following new
+features:
+
+ - Signed binary cache support. You can enable signature checking by
+ adding the following to `nix.conf`:
+
+ signed-binary-caches = *
+ binary-cache-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+
+ This will prevent Nix from downloading any binary from the cache
+ that is not signed by one of the keys listed in
+ `binary-cache-public-keys`.
+
+ Signature checking is only supported if you built Nix with the
+ `libsodium` package.
+
+ Note that while Nix has had experimental support for signed binary
+ caches since version 1.7, this release changes the signature format
+ in a backwards-incompatible way.
+
+ - Automatic downloading of Nix expression tarballs. In various places,
+ you can now specify the URL of a tarball containing Nix expressions
+ (such as Nixpkgs), which will be downloaded and unpacked
+ automatically. For example:
+
+ - In `nix-env`:
+
+ $ nix-env -f https://github.com/NixOS/nixpkgs-channels/archive/nixos-14.12.tar.gz -iA firefox
+
+ This installs Firefox from the latest tested and built revision
+ of the NixOS 14.12 channel.
+
+ - In `nix-build` and `nix-shell`:
+
+ $ nix-build https://github.com/NixOS/nixpkgs/archive/master.tar.gz -A hello
+
+ This builds GNU Hello from the latest revision of the Nixpkgs
+ master branch.
+
+ - In the Nix search path (as specified via NIX\_PATH or `-I`). For
+ example, to start a shell containing the Pan package from a
+ specific version of Nixpkgs:
+
+ $ nix-shell -p pan -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/8a3eea054838b55aca962c3fbde9c83c102b8bf2.tar.gz
+
+ - In `nixos-rebuild` (on NixOS):
+
+ $ nixos-rebuild test -I nixpkgs=https://github.com/NixOS/nixpkgs-channels/archive/nixos-unstable.tar.gz
+
+ - In Nix expressions, via the new builtin function `fetchTarball`:
+
+ with import (fetchTarball https://github.com/NixOS/nixpkgs-channels/archive/nixos-14.12.tar.gz) {}; …
+
+ (This is not allowed in restricted mode.)
+
+ - `nix-shell` improvements:
+
+ - `nix-shell` now has a flag `--run` to execute a command in the
+ `nix-shell` environment, e.g. `nix-shell --run make`. This is
+ like the existing `--command` flag, except that it uses a
+ non-interactive shell (ensuring that hitting Ctrl-C won’t drop
+ you into the child shell).
+
+ - `nix-shell` can now be used as a `#!`-interpreter. This allows
+ you to write scripts that dynamically fetch their own
+ dependencies. For example, here is a Haskell script that, when
+ invoked, first downloads GHC and the Haskell packages on which
+ it depends:
+
+ #! /usr/bin/env nix-shell
+ #! nix-shell -i runghc -p haskellPackages.ghc haskellPackages.HTTP
+
+ import Network.HTTP
+
+ main = do
+ resp <- Network.HTTP.simpleHTTP (getRequest "http://nixos.org/")
+ body <- getResponseBody resp
+ print (take 100 body)
+
+ Of course, the dependencies are cached in the Nix store, so the
+ second invocation of this script will be much faster.
+
+ - Chroot improvements:
+
+ - Chroot builds are now supported on Mac OS X (using its sandbox
+ mechanism).
+
+ - If chroots are enabled, they are now used for all derivations,
+ including fixed-output derivations (such as `fetchurl`). The
+ latter do have network access, but can no longer access the host
+ filesystem. If you need the old behaviour, you can set the
+ option `build-use-chroot` to `relaxed`.
+
+ - On Linux, if chroots are enabled, builds are performed in a
+ private PID namespace once again. (This functionality was lost
+ in Nix 1.8.)
+
+ - Store paths listed in `build-chroot-dirs` are now automatically
+ expanded to their closure. For instance, if you want
+ `/nix/store/…-bash/bin/sh` mounted in your chroot as `/bin/sh`,
+ you only need to say `build-chroot-dirs =
+ /bin/sh=/nix/store/…-bash/bin/sh`; it is no longer necessary to
+ specify the dependencies of Bash.
+
+ - The new derivation attribute `passAsFile` allows you to specify that
+ the contents of derivation attributes should be passed via files
+ rather than environment variables. This is useful if you need to
+ pass very long strings that exceed the size limit of the
+ environment. The Nixpkgs function `writeTextFile` uses this.
+
+ - You can now use `~` in Nix file names to refer to your home
+ directory, e.g. `import
+ ~/.nixpkgs/config.nix`.
+
+ - Nix has a new option `restrict-eval` that allows limiting what paths
+ the Nix evaluator has access to. By passing `--option restrict-eval
+ true` to Nix, the evaluator will throw an exception if an attempt is
+ made to access any file outside of the Nix search path. This is
+ primarily intended for Hydra to ensure that a Hydra jobset only
+ refers to its declared inputs (and is therefore reproducible).
+
+ - `nix-env` now only creates a new “generation” symlink in
+ `/nix/var/nix/profiles` if something actually changed.
+
+ - The environment variable NIX\_PAGER can now be set to override
+ PAGER. You can set it to `cat` to disable paging for Nix commands
+ only.
+
+ - Failing `<...>` lookups now show position information.
+
+ - Improved Boehm GC use: we disabled scanning for interior pointers,
+ which should reduce the “`Repeated
+ allocation of very large block`” warnings and associated retention
+ of memory.
+
+This release has contributions from aszlig, Benjamin Staffin, Charles
+Strahan, Christian Theune, Daniel Hahler, Danylo Hlynskyi Daniel
+Peebles, Dan Peebles, Domen Kožar, Eelco Dolstra, Harald van Dijk, Hoang
+Xuan Phu, Jaka Hudoklin, Jeff Ramnani, j-keck, Linquize, Luca Bruno,
+Michael Merickel, Oliver Dunkl, Rob Vermaas, Rok Garbas, Shea Levy,
+Tobias Geerinckx-Rice and William A. Kennington III.
diff --git a/doc/manual/src/release-notes/rl-2.0.md b/doc/manual/src/release-notes/rl-2.0.md
new file mode 100644
index 000000000..0ce985b2f
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-2.0.md
@@ -0,0 +1,557 @@
+# Release 2.0 (2018-02-22)
+
+The following incompatible changes have been made:
+
+ - The manifest-based substituter mechanism
+ (`download-using-manifests`) has been
+ [removed](https://github.com/NixOS/nix/commit/867967265b80946dfe1db72d40324b4f9af988ed).
+ It has been superseded by the binary cache substituter mechanism
+ since several years. As a result, the following programs have been
+ removed:
+
+ - `nix-pull`
+
+ - `nix-generate-patches`
+
+ - `bsdiff`
+
+ - `bspatch`
+
+ - The “copy from other stores” substituter mechanism
+ (`copy-from-other-stores` and the NIX\_OTHER\_STORES environment
+ variable) has been removed. It was primarily used by the NixOS
+ installer to copy available paths from the installation medium. The
+ replacement is to use a chroot store as a substituter (e.g.
+ `--substituters /mnt`), or to build into a chroot store (e.g.
+ `--store /mnt --substituters /`).
+
+ - The command `nix-push` has been removed as part of the effort to
+ eliminate Nix's dependency on Perl. You can use `nix copy` instead,
+ e.g. `nix copy
+ --to file:///tmp/my-binary-cache paths…`
+
+ - The “nested” log output feature (`--log-type
+ pretty`) has been removed. As a result, `nix-log2xml` was also
+ removed.
+
+ - OpenSSL-based signing has been
+ [removed](https://github.com/NixOS/nix/commit/f435f8247553656774dd1b2c88e9de5d59cab203).
+ This feature was never well-supported. A better alternative is
+ provided by the `secret-key-files` and `trusted-public-keys`
+ options.
+
+ - Failed build caching has been
+ [removed](https://github.com/NixOS/nix/commit/8cffec84859cec8b610a2a22ab0c4d462a9351ff).
+ This feature was introduced to support the Hydra continuous build
+ system, but Hydra no longer uses it.
+
+ - `nix-mode.el` has been removed from Nix. It is now [a separate
+ repository](https://github.com/NixOS/nix-mode) and can be installed
+ through the MELPA package repository.
+
+This release has the following new features:
+
+ - It introduces a new command named `nix`, which is intended to
+ eventually replace all `nix-*` commands with a more consistent and
+ better designed user interface. It currently provides replacements
+ for some (but not all) of the functionality provided by `nix-store`,
+ `nix-build`, `nix-shell -p`, `nix-env -qa`, `nix-instantiate
+ --eval`, `nix-push` and `nix-copy-closure`. It has the following
+ major features:
+
+ - Unlike the legacy commands, it has a consistent way to refer to
+ packages and package-like arguments (like store paths). For
+ example, the following commands all copy the GNU Hello package
+ to a remote machine:
+
+ nix copy --to ssh://machine nixpkgs.hello
+
+ nix copy --to ssh://machine /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
+
+ nix copy --to ssh://machine '(with import <nixpkgs> {}; hello)'
+
+ By contrast, `nix-copy-closure` only accepted store paths as
+ arguments.
+
+ - It is self-documenting: `--help` shows all available
+ command-line arguments. If `--help` is given after a subcommand,
+ it shows examples for that subcommand. `nix
+ --help-config` shows all configuration options.
+
+ - It is much less verbose. By default, it displays a single-line
+ progress indicator that shows how many packages are left to be
+ built or downloaded, and (if there are running builds) the most
+ recent line of builder output. If a build fails, it shows the
+ last few lines of builder output. The full build log can be
+ retrieved using `nix
+ log`.
+
+ - It
+ [provides](https://github.com/NixOS/nix/commit/b8283773bd64d7da6859ed520ee19867742a03ba)
+ all `nix.conf` configuration options as command line flags. For
+ example, instead of `--option
+ http-connections 100` you can write `--http-connections 100`.
+ Boolean options can be written as `--foo` or `--no-foo` (e.g.
+ `--no-auto-optimise-store`).
+
+ - Many subcommands have a `--json` flag to write results to stdout
+ in JSON format.
+
+ > **Warning**
+ >
+ > Please note that the `nix` command is a work in progress and the
+ > interface is subject to change.
+
+ It provides the following high-level (“porcelain”) subcommands:
+
+ - `nix build` is a replacement for `nix-build`.
+
+ - `nix run` executes a command in an environment in which the
+ specified packages are available. It is (roughly) a replacement
+ for `nix-shell
+ -p`. Unlike that command, it does not execute the command in a
+ shell, and has a flag (`-c`) that specifies the unquoted command
+ line to be executed.
+
+ It is particularly useful in conjunction with chroot stores,
+ allowing Linux users who do not have permission to install Nix
+ in `/nix/store` to still use binary substitutes that assume
+ `/nix/store`. For example,
+
+ nix run --store ~/my-nix nixpkgs.hello -c hello --greeting 'Hi everybody!'
+
+ downloads (or if not substitutes are available, builds) the GNU
+ Hello package into `~/my-nix/nix/store`, then runs `hello` in a
+ mount namespace where `~/my-nix/nix/store` is mounted onto
+ `/nix/store`.
+
+ - `nix search` replaces `nix-env
+ -qa`. It searches the available packages for occurrences of a
+ search string in the attribute name, package name or
+ description. Unlike `nix-env -qa`, it has a cache to speed up
+ subsequent searches.
+
+ - `nix copy` copies paths between arbitrary Nix stores,
+ generalising `nix-copy-closure` and `nix-push`.
+
+ - `nix repl` replaces the external program `nix-repl`. It provides
+ an interactive environment for evaluating and building Nix
+ expressions. Note that it uses `linenoise-ng` instead of GNU
+ Readline.
+
+ - `nix upgrade-nix` upgrades Nix to the latest stable version.
+ This requires that Nix is installed in a profile. (Thus it won’t
+ work on NixOS, or if it’s installed outside of the Nix store.)
+
+ - `nix verify` checks whether store paths are unmodified and/or
+ “trusted” (see below). It replaces `nix-store --verify` and
+ `nix-store
+ --verify-path`.
+
+ - `nix log` shows the build log of a package or path. If the build
+ log is not available locally, it will try to obtain it from the
+ configured substituters (such as
+ [cache.nixos.org](cache.nixos.org), which now provides build
+ logs).
+
+ - `nix edit` opens the source code of a package in your editor.
+
+ - `nix eval` replaces `nix-instantiate --eval`.
+
+ - `nix
+ why-depends` shows why one store path has another in its
+ closure. This is primarily useful to finding the causes of
+ closure bloat. For example,
+
+ nix why-depends nixpkgs.vlc nixpkgs.libdrm.dev
+
+ shows a chain of files and fragments of file contents that cause
+ the VLC package to have the “dev” output of `libdrm` in its
+ closure — an undesirable situation.
+
+ - `nix path-info` shows information about store paths, replacing
+ `nix-store -q`. A useful feature is the option `--closure-size`
+ (`-S`). For example, the following command show the closure
+ sizes of every path in the current NixOS system closure, sorted
+ by size:
+
+ nix path-info -rS /run/current-system | sort -nk2
+
+ - `nix optimise-store` replaces `nix-store --optimise`. The main
+ difference is that it has a progress indicator.
+
+ A number of low-level (“plumbing”) commands are also available:
+
+ - `nix ls-store` and `nix
+ ls-nar` list the contents of a store path or NAR file. The
+ former is primarily useful in conjunction with remote stores,
+ e.g.
+
+ nix ls-store --store https://cache.nixos.org/ -lR /nix/store/0i2jd68mp5g6h2sa5k9c85rb80sn8hi9-hello-2.10
+
+ lists the contents of path in a binary cache.
+
+ - `nix cat-store` and `nix
+ cat-nar` allow extracting a file from a store path or NAR file.
+
+ - `nix dump-path` writes the contents of a store path to stdout in
+ NAR format. This replaces `nix-store --dump`.
+
+ - `nix
+ show-derivation` displays a store derivation in JSON format.
+ This is an alternative to `pp-aterm`.
+
+ - `nix
+ add-to-store` replaces `nix-store
+ --add`.
+
+ - `nix sign-paths` signs store paths.
+
+ - `nix copy-sigs` copies signatures from one store to another.
+
+ - `nix show-config` shows all configuration options and their
+ current values.
+
+ - The store abstraction that Nix has had for a long time to support
+ store access via the Nix daemon has been extended significantly. In
+ particular, substituters (which used to be external programs such as
+ `download-from-binary-cache`) are now subclasses of the abstract
+ `Store` class. This allows many Nix commands to operate on such
+ store types. For example, `nix path-info` shows information about
+ paths in your local Nix store, while `nix path-info --store
+ https://cache.nixos.org/` shows information about paths in the
+ specified binary cache. Similarly, `nix-copy-closure`, `nix-push`
+ and substitution are all instances of the general notion of copying
+ paths between different kinds of Nix stores.
+
+ Stores are specified using an URI-like syntax, e.g.
+ <https://cache.nixos.org/> or <ssh://machine>. The following store
+ types are supported:
+
+ - `LocalStore` (stori URI `local` or an absolute path) and the
+ misnamed `RemoteStore` (`daemon`) provide access to a local Nix
+ store, the latter via the Nix daemon. You can use `auto` or the
+ empty string to auto-select a local or daemon store depending on
+ whether you have write permission to the Nix store. It is no
+ longer necessary to set the NIX\_REMOTE environment variable to
+ use the Nix daemon.
+
+ As noted above, `LocalStore` now supports chroot builds,
+ allowing the “physical” location of the Nix store (e.g.
+ `/home/alice/nix/store`) to differ from its “logical” location
+ (typically `/nix/store`). This allows non-root users to use Nix
+ while still getting the benefits from prebuilt binaries from
+ [cache.nixos.org](cache.nixos.org).
+
+ - `BinaryCacheStore` is the abstract superclass of all binary
+ cache stores. It supports writing build logs and NAR content
+ listings in JSON format.
+
+ - `HttpBinaryCacheStore` (`http://`, `https://`) supports binary
+ caches via HTTP or HTTPS. If the server supports `PUT` requests,
+ it supports uploading store paths via commands such as `nix
+ copy`.
+
+ - `LocalBinaryCacheStore` (`file://`) supports binary caches in
+ the local filesystem.
+
+ - `S3BinaryCacheStore` (`s3://`) supports binary caches stored in
+ Amazon S3, if enabled at compile time.
+
+ - `LegacySSHStore` (`ssh://`) is used to implement remote builds
+ and `nix-copy-closure`.
+
+ - `SSHStore` (`ssh-ng://`) supports arbitrary Nix operations on a
+ remote machine via the same protocol used by `nix-daemon`.
+
+ - Security has been improved in various ways:
+
+ - Nix now stores signatures for local store paths. When paths are
+ copied between stores (e.g., copied from a binary cache to a
+ local store), signatures are propagated.
+
+ Locally-built paths are signed automatically using the secret
+ keys specified by the `secret-key-files` store option.
+ Secret/public key pairs can be generated using `nix-store
+ --generate-binary-cache-key`.
+
+ In addition, locally-built store paths are marked as “ultimately
+ trusted”, but this bit is not propagated when paths are copied
+ between stores.
+
+ - Content-addressable store paths no longer require signatures —
+ they can be imported into a store by unprivileged users even if
+ they lack signatures.
+
+ - The command `nix verify` checks whether the specified paths are
+ trusted, i.e., have a certain number of trusted signatures, are
+ ultimately trusted, or are content-addressed.
+
+ - Substitutions from binary caches
+ [now](https://github.com/NixOS/nix/commit/ecbc3fedd3d5bdc5a0e1a0a51b29062f2874ac8b)
+ require signatures by default. This was already the case on
+ NixOS.
+
+ - In Linux sandbox builds, we
+ [now](https://github.com/NixOS/nix/commit/eba840c8a13b465ace90172ff76a0db2899ab11b)
+ use `/build` instead of `/tmp` as the temporary build directory.
+ This fixes potential security problems when a build accidentally
+ stores its TMPDIR in some security-sensitive place, such as an
+ RPATH.
+
+ - *Pure evaluation mode*. With the `--pure-eval` flag, Nix enables a
+ variant of the existing restricted evaluation mode that forbids
+ access to anything that could cause different evaluations of the
+ same command line arguments to produce a different result. This
+ includes builtin functions such as `builtins.getEnv`, but more
+ importantly, *all* filesystem or network access unless a content
+ hash or commit hash is specified. For example, calls to
+ `builtins.fetchGit` are only allowed if a `rev` attribute is
+ specified.
+
+ The goal of this feature is to enable true reproducibility and
+ traceability of builds (including NixOS system configurations) at
+ the evaluation level. For example, in the future, `nixos-rebuild`
+ might build configurations from a Nix expression in a Git repository
+ in pure mode. That expression might fetch other repositories such as
+ Nixpkgs via `builtins.fetchGit`. The commit hash of the top-level
+ repository then uniquely identifies a running system, and, in
+ conjunction with that repository, allows it to be reproduced or
+ modified.
+
+ - There are several new features to support binary reproducibility
+ (i.e. to help ensure that multiple builds of the same derivation
+ produce exactly the same output). When `enforce-determinism` is set
+ to `false`, it’s [no
+ longer](https://github.com/NixOS/nix/commit/8bdf83f936adae6f2c907a6d2541e80d4120f051)
+ a fatal error if build rounds produce different output. Also, a hook
+ named `diff-hook` is
+ [provided](https://github.com/NixOS/nix/commit/9a313469a4bdea2d1e8df24d16289dc2a172a169)
+ to allow you to run tools such as `diffoscope` when build rounds
+ produce different output.
+
+ - Configuring remote builds is a lot easier now. Provided you are not
+ using the Nix daemon, you can now just specify a remote build
+ machine on the command line, e.g. `--option builders
+ 'ssh://my-mac x86_64-darwin'`. The environment variable
+ NIX\_BUILD\_HOOK has been removed and is no longer needed. The
+ environment variable NIX\_REMOTE\_SYSTEMS is still supported for
+ compatibility, but it is also possible to specify builders in
+ `nix.conf` by setting the option `builders =
+ @path`.
+
+ - If a fixed-output derivation produces a result with an incorrect
+ hash, the output path is moved to the location corresponding to the
+ actual hash and registered as valid. Thus, a subsequent build of the
+ fixed-output derivation with the correct hash is unnecessary.
+
+ - `nix-shell`
+ [now](https://github.com/NixOS/nix/commit/ea59f39326c8e9dc42dfed4bcbf597fbce58797c)
+ sets the `IN_NIX_SHELL` environment variable during evaluation and
+ in the shell itself. This can be used to perform different actions
+ depending on whether you’re in a Nix shell or in a regular build.
+ Nixpkgs provides `lib.inNixShell` to check this variable during
+ evaluation.
+
+ - NIX\_PATH is now lazy, so URIs in the path are only downloaded if
+ they are needed for evaluation.
+
+ - You can now use <channel:> as a short-hand for
+ <https://nixos.org/channels//nixexprs.tar.xz>. For example,
+ `nix-build channel:nixos-15.09 -A hello` will build the GNU Hello
+ package from the `nixos-15.09` channel. In the future, this may use
+ Git to fetch updates more efficiently.
+
+ - When `--no-build-output` is given, the last 10 lines of the build
+ log will be shown if a build fails.
+
+ - Networking has been improved:
+
+ - HTTP/2 is now supported. This makes binary cache lookups [much
+ more
+ efficient](https://github.com/NixOS/nix/commit/90ad02bf626b885a5dd8967894e2eafc953bdf92).
+
+ - We now retry downloads on many HTTP errors, making binary caches
+ substituters more resilient to temporary failures.
+
+ - HTTP credentials can now be configured via the standard `netrc`
+ mechanism.
+
+ - If S3 support is enabled at compile time, <s3://> URIs are
+ [supported](https://github.com/NixOS/nix/commit/9ff9c3f2f80ba4108e9c945bbfda2c64735f987b)
+ in all places where Nix allows URIs.
+
+ - Brotli compression is now supported. In particular,
+ [cache.nixos.org](cache.nixos.org) build logs are now compressed
+ using Brotli.
+
+ - `nix-env`
+ [now](https://github.com/NixOS/nix/commit/b0cb11722626e906a73f10dd9a0c9eea29faf43a)
+ ignores packages with bad derivation names (in particular those
+ starting with a digit or containing a dot).
+
+ - Many configuration options have been renamed, either because they
+ were unnecessarily verbose (e.g. `build-use-sandbox` is now just
+ `sandbox`) or to reflect generalised behaviour (e.g. `binary-caches`
+ is now `substituters` because it allows arbitrary store URIs). The
+ old names are still supported for compatibility.
+
+ - The `max-jobs` option can
+ [now](https://github.com/NixOS/nix/commit/7251d048fa812d2551b7003bc9f13a8f5d4c95a5)
+ be set to `auto` to use the number of CPUs in the system.
+
+ - Hashes can
+ [now](https://github.com/NixOS/nix/commit/c0015e87af70f539f24d2aa2bc224a9d8b84276b)
+ be specified in base-64 format, in addition to base-16 and the
+ non-standard base-32.
+
+ - `nix-shell` now uses `bashInteractive` from Nixpkgs, rather than the
+ `bash` command that happens to be in the caller’s PATH. This is
+ especially important on macOS where the `bash` provided by the
+ system is seriously outdated and cannot execute `stdenv`’s setup
+ script.
+
+ - Nix can now automatically trigger a garbage collection if free disk
+ space drops below a certain level during a build. This is configured
+ using the `min-free` and `max-free` options.
+
+ - `nix-store -q --roots` and `nix-store --gc --print-roots` now show
+ temporary and in-memory roots.
+
+ - Nix can now be extended with plugins. See the documentation of the
+ `plugin-files` option for more details.
+
+The Nix language has the following new features:
+
+ - It supports floating point numbers. They are based on the C++
+ `float` type and are supported by the existing numerical operators.
+ Export and import to and from JSON and XML works, too.
+
+ - Derivation attributes can now reference the outputs of the
+ derivation using the `placeholder` builtin function. For example,
+ the attribute
+
+ configureFlags = "--prefix=${placeholder "out"} --includedir=${placeholder "dev"}";
+
+ will cause the configureFlags environment variable to contain the
+ actual store paths corresponding to the `out` and `dev` outputs.
+
+The following builtin functions are new or extended:
+
+ - `builtins.fetchGit` allows Git repositories to be fetched at
+ evaluation time. Thus it differs from the `fetchgit` function in
+ Nixpkgs, which fetches at build time and cannot be used to fetch Nix
+ expressions during evaluation. A typical use case is to import
+ external NixOS modules from your configuration, e.g.
+
+ imports = [ (builtins.fetchGit https://github.com/edolstra/dwarffs + "/module.nix") ];
+
+ - Similarly, `builtins.fetchMercurial` allows you to fetch Mercurial
+ repositories.
+
+ - `builtins.path` generalises `builtins.filterSource` and path
+ literals (e.g. `./foo`). It allows specifying a store path name that
+ differs from the source path name (e.g. `builtins.path { path =
+ ./foo; name = "bar";
+ }`) and also supports filtering out unwanted files.
+
+ - `builtins.fetchurl` and `builtins.fetchTarball` now support `sha256`
+ and `name` attributes.
+
+ - `builtins.split` splits a string using a POSIX extended regular
+ expression as the separator.
+
+ - `builtins.partition` partitions the elements of a list into two
+ lists, depending on a Boolean predicate.
+
+ - `<nix/fetchurl.nix>` now uses the content-addressable tarball cache
+ at <http://tarballs.nixos.org/>, just like `fetchurl` in Nixpkgs.
+ (f2682e6e18a76ecbfb8a12c17e3a0ca15c084197)
+
+ - In restricted and pure evaluation mode, builtin functions that
+ download from the network (such as `fetchGit`) are permitted to
+ fetch underneath a list of URI prefixes specified in the option
+ `allowed-uris`.
+
+The Nix build environment has the following changes:
+
+ - Values such as Booleans, integers, (nested) lists and attribute sets
+ can
+ [now](https://github.com/NixOS/nix/commit/6de33a9c675b187437a2e1abbcb290981a89ecb1)
+ be passed to builders in a non-lossy way. If the special attribute
+ `__structuredAttrs` is set to `true`, the other derivation
+ attributes are serialised in JSON format and made available to the
+ builder via the file .attrs.json in the builder’s temporary
+ directory. This obviates the need for `passAsFile` since JSON files
+ have no size restrictions, unlike process environments.
+
+ [As a convenience to Bash
+ builders](https://github.com/NixOS/nix/commit/2d5b1b24bf70a498e4c0b378704cfdb6471cc699),
+ Nix writes a script named .attrs.sh to the builder’s directory that
+ initialises shell variables corresponding to all attributes that are
+ representable in Bash. This includes non-nested (associative)
+ arrays. For example, the attribute `hardening.format =
+ true` ends up as the Bash associative array element
+ `${hardening[format]}`.
+
+ - Builders can
+ [now](https://github.com/NixOS/nix/commit/88e6bb76de5564b3217be9688677d1c89101b2a3)
+ communicate what build phase they are in by writing messages to the
+ file descriptor specified in NIX\_LOG\_FD. The current phase is
+ shown by the `nix` progress indicator.
+
+ - In Linux sandbox builds, we
+ [now](https://github.com/NixOS/nix/commit/a2d92bb20e82a0957067ede60e91fab256948b41)
+ provide a default `/bin/sh` (namely `ash` from BusyBox).
+
+ - In structured attribute mode, `exportReferencesGraph`
+ [exports](https://github.com/NixOS/nix/commit/c2b0d8749f7e77afc1c4b3e8dd36b7ee9720af4a)
+ extended information about closures in JSON format. In particular,
+ it includes the sizes and hashes of paths. This is primarily useful
+ for NixOS image builders.
+
+ - Builds are
+ [now](https://github.com/NixOS/nix/commit/21948deed99a3295e4d5666e027a6ca42dc00b40)
+ killed as soon as Nix receives EOF on the builder’s stdout or
+ stderr. This fixes a bug that allowed builds to hang Nix
+ indefinitely, regardless of timeouts.
+
+ - The `sandbox-paths` configuration option can now specify optional
+ paths by appending a `?`, e.g. `/dev/nvidiactl?` will bind-mount
+ `/dev/nvidiactl` only if it exists.
+
+ - On Linux, builds are now executed in a user namespace with UID 1000
+ and GID 100.
+
+A number of significant internal changes were made:
+
+ - Nix no longer depends on Perl and all Perl components have been
+ rewritten in C++ or removed. The Perl bindings that used to be part
+ of Nix have been moved to a separate package, `nix-perl`.
+
+ - All `Store` classes are now thread-safe. `RemoteStore` supports
+ multiple concurrent connections to the daemon. This is primarily
+ useful in multi-threaded programs such as `hydra-queue-runner`.
+
+This release has contributions from Adrien Devresse, Alexander Ried,
+Alex Cruice, Alexey Shmalko, AmineChikhaoui, Andy Wingo, Aneesh Agrawal,
+Anthony Cowley, Armijn Hemel, aszlig, Ben Gamari, Benjamin Hipple,
+Benjamin Staffin, Benno Fünfstück, Bjørn Forsman, Brian McKenna, Charles
+Strahan, Chase Adams, Chris Martin, Christian Theune, Chris Warburton,
+Daiderd Jordan, Dan Connolly, Daniel Peebles, Dan Peebles, davidak,
+David McFarland, Dmitry Kalinkin, Domen Kožar, Eelco Dolstra, Emery
+Hemingway, Eric Litak, Eric Wolf, Fabian Schmitthenner, Frederik
+Rietdijk, Gabriel Gonzalez, Giorgio Gallo, Graham Christensen, Guillaume
+Maudoux, Harmen, Iavael, James Broadhead, James Earl Douglas, Janus
+Troelsen, Jeremy Shaw, Joachim Schiele, Joe Hermaszewski, Joel Moberg,
+Johannes 'fish' Ziemke, Jörg Thalheim, Jude Taylor, kballou, Keshav
+Kini, Kjetil Orbekk, Langston Barrett, Linus Heckemann, Ludovic Courtès,
+Manav Rathi, Marc Scholten, Markus Hauck, Matt Audesse, Matthew Bauer,
+Matthias Beyer, Matthieu Coudron, N1X, Nathan Zadoks, Neil Mayhew,
+Nicolas B. Pierron, Niklas Hambüchen, Nikolay Amiantov, Ole Jørgen
+Brønner, Orivej Desh, Peter Simons, Peter Stuart, Pyry Jahkola, regnat,
+Renzo Carbonara, Rhys, Robert Vollmert, Scott Olson, Scott R. Parish,
+Sergei Trofimovich, Shea Levy, Sheena Artrip, Spencer Baugh, Stefan
+Junker, Susan Potter, Thomas Tuegel, Timothy Allen, Tristan Hume, Tuomas
+Tynkkynen, tv, Tyson Whitehead, Vladimír Čunát, Will Dietz, wmertens,
+Wout Mertens, zimbatm and Zoran Plesivčak.
diff --git a/doc/manual/src/release-notes/rl-2.1.md b/doc/manual/src/release-notes/rl-2.1.md
new file mode 100644
index 000000000..08986ef9d
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-2.1.md
@@ -0,0 +1,49 @@
+# Release 2.1 (2018-09-02)
+
+This is primarily a bug fix release. It also reduces memory consumption
+in certain situations. In addition, it has the following new features:
+
+ - The Nix installer will no longer default to the Multi-User
+ installation for macOS. You can still [instruct the installer to run
+ in multi-user mode](#sect-multi-user-installation).
+
+ - The Nix installer now supports performing a Multi-User installation
+ for Linux computers which are running systemd. You can [select a
+ Multi-User installation](#sect-multi-user-installation) by passing
+ the `--daemon` flag to the installer: `sh <(curl
+ https://nixos.org/nix/install) --daemon`.
+
+ The multi-user installer cannot handle systems with SELinux. If your
+ system has SELinux enabled, you can [force the installer to run in
+ single-user mode](#sect-single-user-installation).
+
+ - New builtin functions: `builtins.bitAnd`, `builtins.bitOr`,
+ `builtins.bitXor`, `builtins.fromTOML`, `builtins.concatMap`,
+ `builtins.mapAttrs`.
+
+ - The S3 binary cache store now supports uploading NARs larger than 5
+ GiB.
+
+ - The S3 binary cache store now supports uploading to S3-compatible
+ services with the `endpoint` option.
+
+ - The flag `--fallback` is no longer required to recover from
+ disappeared NARs in binary caches.
+
+ - `nix-daemon` now respects `--store`.
+
+ - `nix run` now respects `nix-support/propagated-user-env-packages`.
+
+This release has contributions from Adrien Devresse, Aleksandr Pashkov,
+Alexandre Esteves, Amine Chikhaoui, Andrew Dunham, Asad Saeeduddin,
+aszlig, Ben Challenor, Ben Gamari, Benjamin Hipple, Bogdan Seniuc, Corey
+O'Connor, Daiderd Jordan, Daniel Peebles, Daniel Poelzleithner, Danylo
+Hlynskyi, Dmitry Kalinkin, Domen Kožar, Doug Beardsley, Eelco Dolstra,
+Erik Arvstedt, Félix Baylac-Jacqué, Gleb Peregud, Graham Christensen,
+Guillaume Maudoux, Ivan Kozik, John Arnold, Justin Humm, Linus
+Heckemann, Lorenzo Manacorda, Matthew Justin Bauer, Matthew O'Gorman,
+Maximilian Bosch, Michael Bishop, Michael Fiano, Michael Mercier,
+Michael Raskin, Michael Weiss, Nicolas Dudebout, Peter Simons, Ryan
+Trinkle, Samuel Dionne-Riel, Sean Seefried, Shea Levy, Symphorien Gibol,
+Tim Engler, Tim Sears, Tuomas Tynkkynen, volth, Will Dietz, Yorick van
+Pelt and zimbatm.
diff --git a/doc/manual/src/release-notes/rl-2.2.md b/doc/manual/src/release-notes/rl-2.2.md
new file mode 100644
index 000000000..3667a48dc
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-2.2.md
@@ -0,0 +1,82 @@
+# Release 2.2 (2019-01-11)
+
+This is primarily a bug fix release. It also has the following changes:
+
+ - In derivations that use structured attributes (i.e. that specify set
+ the `__structuredAttrs` attribute to `true` to cause all attributes
+ to be passed to the builder in JSON format), you can now specify
+ closure checks per output, e.g.:
+
+ outputChecks."out" = {
+ # The closure of 'out' must not be larger than 256 MiB.
+ maxClosureSize = 256 * 1024 * 1024;
+
+ # It must not refer to C compiler or to the 'dev' output.
+ disallowedRequisites = [ stdenv.cc "dev" ];
+ };
+
+ outputChecks."dev" = {
+ # The 'dev' output must not be larger than 128 KiB.
+ maxSize = 128 * 1024;
+ };
+
+ - The derivation attribute `requiredSystemFeatures` is now enforced
+ for local builds, and not just to route builds to remote builders.
+ The supported features of a machine can be specified through the
+ configuration setting `system-features`.
+
+ By default, `system-features` includes `kvm` if `/dev/kvm` exists.
+ For compatibility, it also includes the pseudo-features
+ `nixos-test`, `benchmark` and `big-parallel` which are used by
+ Nixpkgs to route builds to particular Hydra build machines.
+
+ - Sandbox builds are now enabled by default on Linux.
+
+ - The new command `nix doctor` shows potential issues with your Nix
+ installation.
+
+ - The `fetchGit` builtin function now uses a caching scheme that puts
+ different remote repositories in distinct local repositories, rather
+ than a single shared repository. This may require more disk space
+ but is faster.
+
+ - The `dirOf` builtin function now works on relative paths.
+
+ - Nix now supports [SRI hashes](https://www.w3.org/TR/SRI/), allowing
+ the hash algorithm and hash to be specified in a single string. For
+ example, you can write:
+
+ import <nix/fetchurl.nix> {
+ url = https://nixos.org/releases/nix/nix-2.1.3/nix-2.1.3.tar.xz;
+ hash = "sha256-XSLa0FjVyADWWhFfkZ2iKTjFDda6mMXjoYMXLRSYQKQ=";
+ };
+
+ instead of
+
+ import <nix/fetchurl.nix> {
+ url = https://nixos.org/releases/nix/nix-2.1.3/nix-2.1.3.tar.xz;
+ sha256 = "5d22dad058d5c800d65a115f919da22938c50dd6ba98c5e3a183172d149840a4";
+ };
+
+ In fixed-output derivations, the `outputHashAlgo` attribute is no
+ longer mandatory if `outputHash` specifies the hash.
+
+ `nix hash-file` and `nix
+ hash-path` now print hashes in SRI format by default. They also use
+ SHA-256 by default instead of SHA-512 because that's what we use
+ most of the time in Nixpkgs.
+
+ - Integers are now 64 bits on all platforms.
+
+ - The evaluator now prints profiling statistics (enabled via the
+ NIX\_SHOW\_STATS and NIX\_COUNT\_CALLS environment variables) in
+ JSON format.
+
+ - The option `--xml` in `nix-store
+ --query` has been removed. Instead, there now is an option
+ `--graphml` to output the dependency graph in GraphML format.
+
+ - All `nix-*` commands are now symlinks to `nix`. This saves a bit of
+ disk space.
+
+ - `nix repl` now uses `libeditline` or `libreadline`.
diff --git a/doc/manual/src/release-notes/rl-2.3.md b/doc/manual/src/release-notes/rl-2.3.md
new file mode 100644
index 000000000..a4bb6ebb0
--- /dev/null
+++ b/doc/manual/src/release-notes/rl-2.3.md
@@ -0,0 +1,44 @@
+# Release 2.3 (2019-09-04)
+
+This is primarily a bug fix release. However, it makes some incompatible
+changes:
+
+ - Nix now uses BSD file locks instead of POSIX file locks. Because of
+ this, you should not use Nix 2.3 and previous releases at the same
+ time on a Nix store.
+
+It also has the following changes:
+
+ - `builtins.fetchGit`'s `ref` argument now allows specifying an
+ absolute remote ref. Nix will automatically prefix `ref` with
+ `refs/heads` only if `ref` doesn't already begin with `refs/`.
+
+ - The installer now enables sandboxing by default on Linux when the
+ system has the necessary kernel support.
+
+ - The `max-jobs` setting now defaults to 1.
+
+ - New builtin functions: `builtins.isPath`, `builtins.hashFile`.
+
+ - The `nix` command has a new `--print-build-logs` (`-L`) flag to
+ print build log output to stderr, rather than showing the last log
+ line in the progress bar. To distinguish between concurrent builds,
+ log lines are prefixed by the name of the package.
+
+ - Builds are now executed in a pseudo-terminal, and the TERM
+ environment variable is set to `xterm-256color`. This allows many
+ programs (e.g. `gcc`, `clang`, `cmake`) to print colorized log
+ output.
+
+ - Add `--no-net` convenience flag. This flag disables substituters;
+ sets the `tarball-ttl` setting to infinity (ensuring that any
+ previously downloaded files are considered current); and disables
+ retrying downloads and sets the connection timeout to the minimum.
+ This flag is enabled automatically if there are no configured
+ non-loopback network interfaces.
+
+ - Add a `post-build-hook` setting to run a program after a build has
+ succeeded.
+
+ - Add a `trace-function-calls` setting to log the duration of Nix
+ function calls to stderr.