Merge remote-tracking branch 'upstream/master' into overlayfs-store

2025-07-10 04:43:53 +02:00 · 2023-12-11 13:12:09 -05:00 · 2023-12-11 13:12:09 -05:00 · 245af3ea02
commit 245af3ea02
parent 250c3541bb 8cddda4f89
538 changed files with 14282 additions and 7312 deletions
--- a/tests/functional/add.sh
+++ b/tests/functional/add.sh
@ -26,3 +26,20 @@ hash2=$(nix-hash --type sha256 --base32 ./dummy)
 echo $hash2

 test "$hash1" = "sha256:$hash2"
+
+#### New style commands
+
+clearStore
+
+(
+    path1=$(nix store add ./dummy)
+    path2=$(nix store add --mode nar ./dummy)
+    path3=$(nix store add-path ./dummy)
+    [[ "$path1" == "$path2" ]]
+    [[ "$path1" == "$path3" ]]
+)
+(
+    path1=$(nix store add --mode flat ./dummy)
+    path2=$(nix store add-file ./dummy)
+    [[ "$path1" == "$path2" ]]
+)
--- a/tests/functional/build-remote-trustless-should-fail-0.sh
+++ b/tests/functional/build-remote-trustless-should-fail-0.sh
@ -4,6 +4,7 @@ enableFeatures "daemon-trust-override"

 restartDaemon

+requireSandboxSupport
 [[ $busybox =~ busybox ]] || skipTest "no busybox"

 unset NIX_STORE_DIR
--- a/tests/functional/build-remote-with-mounted-ssh-ng.sh
+++ b/tests/functional/build-remote-with-mounted-ssh-ng.sh
@ -0,0 +1,22 @@
+source common.sh
+
+requireSandboxSupport
+[[ $busybox =~ busybox ]] || skipTest "no busybox"
+
+enableFeatures mounted-ssh-store
+
+nix build -Lvf simple.nix \
+  --arg busybox $busybox \
+  --out-link $TEST_ROOT/result-from-remote \
+  --store mounted-ssh-ng://localhost
+
+nix build -Lvf simple.nix \
+  --arg busybox $busybox \
+  --out-link $TEST_ROOT/result-from-remote-new-cli \
+  --store 'mounted-ssh-ng://localhost?remote-program=nix daemon'
+
+# This verifies that the out link was actually created and valid. The ability
+# to create out links (permanent gc roots) is the distinguishing feature of
+# the mounted-ssh-ng store.
+cat $TEST_ROOT/result-from-remote/hello | grepQuiet 'Hello World!'
+cat $TEST_ROOT/result-from-remote-new-cli/hello | grepQuiet 'Hello World!'
--- a/tests/functional/common/vars-and-functions.sh.in
+++ b/tests/functional/common/vars-and-functions.sh.in
@ -4,7 +4,7 @@ if [[ -z "${COMMON_VARS_AND_FUNCTIONS_SH_SOURCED-}" ]]; then

 COMMON_VARS_AND_FUNCTIONS_SH_SOURCED=1

-export PS4='+(${BASH_SOURCE[0]-$0}:$LINENO) '
+set +x

 export TEST_ROOT=$(realpath ${TMPDIR:-/tmp}/nix-test)/${TEST_NAME:-default/tests\/functional//}
 export NIX_STORE_DIR
--- a/tests/functional/completions.sh
+++ b/tests/functional/completions.sh
@ -44,15 +44,18 @@ EOF
 # Input override completion
 [[ "$(NIX_GET_COMPLETIONS=4 nix build ./foo --override-input '')" == $'normal\na\t' ]]
 [[ "$(NIX_GET_COMPLETIONS=5 nix flake show ./foo --override-input '')" == $'normal\na\t' ]]
+cd ./foo
+[[ "$(NIX_GET_COMPLETIONS=3 nix flake update '')" == $'normal\na\t' ]]
+cd ..
+[[ "$(NIX_GET_COMPLETIONS=5 nix flake update --flake './foo' '')" == $'normal\na\t' ]]
 ## With multiple input flakes
 [[ "$(NIX_GET_COMPLETIONS=5 nix build ./foo ./bar --override-input '')" == $'normal\na\t\nb\t' ]]
 ## With tilde expansion
 [[ "$(HOME=$PWD NIX_GET_COMPLETIONS=4 nix build '~/foo' --override-input '')" == $'normal\na\t' ]]
-[[ "$(HOME=$PWD NIX_GET_COMPLETIONS=5 nix flake show '~/foo' --update-input '')" == $'normal\na\t' ]]
-[[ "$(HOME=$PWD NIX_GET_COMPLETIONS=4 nix run '~/foo' --update-input '')" == $'normal\na\t' ]]
+[[ "$(HOME=$PWD NIX_GET_COMPLETIONS=5 nix flake update --flake '~/foo' '')" == $'normal\na\t' ]]
 ## Out of order
-[[ "$(NIX_GET_COMPLETIONS=3 nix build --update-input '' ./foo)" == $'normal\na\t' ]]
-[[ "$(NIX_GET_COMPLETIONS=4 nix build ./foo --update-input '' ./bar)" == $'normal\na\t\nb\t' ]]
+[[ "$(NIX_GET_COMPLETIONS=3 nix build --override-input '' '' ./foo)" == $'normal\na\t' ]]
+[[ "$(NIX_GET_COMPLETIONS=4 nix build ./foo --override-input '' '' ./bar)" == $'normal\na\t\nb\t' ]]

 # Cli flag completion
 NIX_GET_COMPLETIONS=2 nix build --log-form | grep -- "--log-format"
--- a/tests/functional/config.sh
+++ b/tests/functional/config.sh
@ -40,19 +40,20 @@ files=$(nix-build --verbose --version | grep "User config" | cut -d ':' -f2- | x
 # Test that it's possible to load the config from a custom location
 here=$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")
 export NIX_USER_CONF_FILES=$here/config/nix-with-substituters.conf
-var=$(nix show-config | grep '^substituters =' | cut -d '=' -f 2 | xargs)
+var=$(nix config show | grep '^substituters =' | cut -d '=' -f 2 | xargs)
 [[ $var == https://example.com ]]

 # Test that it's possible to load config from the environment
-prev=$(nix show-config | grep '^cores' | cut -d '=' -f 2 | xargs)
+prev=$(nix config show | grep '^cores' | cut -d '=' -f 2 | xargs)
 export NIX_CONFIG="cores = 4242"$'\n'"experimental-features = nix-command flakes"
-exp_cores=$(nix show-config | grep '^cores' | cut -d '=' -f 2 | xargs)
-exp_features=$(nix show-config | grep '^experimental-features' | cut -d '=' -f 2 | xargs)
+exp_cores=$(nix config show | grep '^cores' | cut -d '=' -f 2 | xargs)
+exp_features=$(nix config show | grep '^experimental-features' | cut -d '=' -f 2 | xargs)
 [[ $prev != $exp_cores ]]
 [[ $exp_cores == "4242" ]]
-[[ $exp_features == "flakes nix-command" ]]
+# flakes implies fetch-tree
+[[ $exp_features == "fetch-tree flakes nix-command" ]]

 # Test that it's possible to retrieve a single setting's value
-val=$(nix show-config | grep '^warn-dirty' | cut -d '=' -f  2 | xargs)
-val2=$(nix show-config warn-dirty)
+val=$(nix config show | grep '^warn-dirty' | cut -d '=' -f  2 | xargs)
+val2=$(nix config show warn-dirty)
 [[ $val == $val2 ]]
--- a/tests/functional/experimental-features.sh
+++ b/tests/functional/experimental-features.sh
@ -31,7 +31,7 @@ source common.sh
 NIX_CONFIG='
  experimental-features = nix-command
  accept-flake-config = true
-' nix show-config accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
+' nix config show accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
 grepQuiet "false" $TEST_ROOT/stdout
 grepQuiet "Ignoring setting 'accept-flake-config' because experimental feature 'flakes' is not enabled" $TEST_ROOT/stderr

@ -39,7 +39,7 @@ grepQuiet "Ignoring setting 'accept-flake-config' because experimental feature '
 NIX_CONFIG='
  accept-flake-config = true
  experimental-features = nix-command
-' nix show-config accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
+' nix config show accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
 grepQuiet "false" $TEST_ROOT/stdout
 grepQuiet "Ignoring setting 'accept-flake-config' because experimental feature 'flakes' is not enabled" $TEST_ROOT/stderr

@ -47,7 +47,7 @@ grepQuiet "Ignoring setting 'accept-flake-config' because experimental feature '
 NIX_CONFIG='
  experimental-features = nix-command flakes
  accept-flake-config = true
-' nix show-config accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
+' nix config show accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
 grepQuiet "true" $TEST_ROOT/stdout
 grepQuietInverse "Ignoring setting 'accept-flake-config'" $TEST_ROOT/stderr

@ -55,7 +55,7 @@ grepQuietInverse "Ignoring setting 'accept-flake-config'" $TEST_ROOT/stderr
 NIX_CONFIG='
  accept-flake-config = true
  experimental-features = nix-command flakes
-' nix show-config accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
+' nix config show accept-flake-config 1>$TEST_ROOT/stdout 2>$TEST_ROOT/stderr
 grepQuiet "true" $TEST_ROOT/stdout
 grepQuietInverse "Ignoring setting 'accept-flake-config'" $TEST_ROOT/stderr

--- a/tests/functional/fetchGit.sh
+++ b/tests/functional/fetchGit.sh
@ -51,9 +51,7 @@ git -C $repo add differentbranch
 git -C $repo commit -m 'Test2'
 git -C $repo checkout master
 devrev=$(git -C $repo rev-parse devtest)
-out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = file://$repo; rev = \"$devrev\"; }" 2>&1) || status=$?
-[[ $status == 1 ]]
-[[ $out =~ 'Cannot find Git revision' ]]
+nix eval --impure --raw --expr "builtins.fetchGit { url = file://$repo; rev = \"$devrev\"; }"

 [[ $(nix eval --raw --expr "builtins.readFile (builtins.fetchGit { url = file://$repo; rev = \"$devrev\"; allRefs = true; } + \"/differentbranch\")") = 'different file' ]]

@ -185,11 +183,7 @@ path5=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref =
 # Nuke the cache
 rm -rf $TEST_HOME/.cache/nix

-# Try again, but without 'git' on PATH. This should fail.
-NIX=$(command -v nix)
-(! PATH= $NIX eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath" )
-
-# Try again, with 'git' available.  This should work.
+# Try again. This should work.
 path5=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = $repo; ref = \"dev\"; }).outPath")
 [[ $path3 = $path5 ]]

@ -241,6 +235,7 @@ rm -rf $repo/.git

 # should succeed for a repo without commits
 git init $repo
+git -C $repo add hello # need to add at least one file to cause the root of the repo to be visible
 path10=$(nix eval --impure --raw --expr "(builtins.fetchGit \"file://$repo\").outPath")

 # should succeed for a path with a space
--- a/tests/functional/fetchGitSubmodules.sh
+++ b/tests/functional/fetchGitSubmodules.sh
@ -118,11 +118,3 @@ cloneRepo=$TEST_ROOT/a/b/gitSubmodulesClone # NB /a/b to make the relative path
 git clone $rootRepo $cloneRepo
 pathIndirect=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$cloneRepo; rev = \"$rev2\"; submodules = true; }).outPath")
 [[ $pathIndirect = $pathWithRelative ]]
-
-# Test that if the clone has the submodule already, we're not fetching
-# it again.
-git -C $cloneRepo submodule update --init
-rm $TEST_HOME/.cache/nix/fetcher-cache*
-rm -rf $subRepo
-pathSubmoduleGone=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$cloneRepo; rev = \"$rev2\"; submodules = true; }).outPath")
-[[ $pathSubmoduleGone = $pathWithRelative ]]
--- a/tests/functional/fetchGitVerification.sh
+++ b/tests/functional/fetchGitVerification.sh
@ -0,0 +1,82 @@
+source common.sh
+
+requireGit
+[[ $(type -p ssh-keygen) ]] || skipTest "ssh-keygen not installed" # require ssh-keygen
+
+enableFeatures "verified-fetches"
+
+clearStore
+
+repo="$TEST_ROOT/git"
+
+# generate signing keys
+keysDir=$TEST_ROOT/.ssh
+mkdir -p "$keysDir"
+ssh-keygen -f "$keysDir/testkey1" -t ed25519 -P "" -C "test key 1"
+key1File="$keysDir/testkey1.pub"
+publicKey1=$(awk '{print $2}' "$key1File")
+ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
+key2File="$keysDir/testkey2.pub"
+publicKey2=$(awk '{print $2}' "$key2File")
+
+git init $repo
+git -C $repo config user.email "foobar@example.com"
+git -C $repo config user.name "Foobar"
+git -C $repo config gpg.format ssh
+
+echo 'hello' > $repo/text
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'
+
+out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'No principal matched.' ]]
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]
+
+echo 'hello world' > $repo/text
+
+# Verification on a dirty repo should fail.
+out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'dirty' ]]
+
+git -C $repo add text
+git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'
+
+[[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]
+
+# Flake input test
+flakeDir="$TEST_ROOT/flake"
+mkdir -p "$flakeDir"
+cat > "$flakeDir/flake.nix" <<EOF
+{
+  inputs.test = {
+    type = "git";
+    url = "file://$repo";
+    flake = false;
+    publicKeys = [
+      { type = "ssh-rsa"; key = "$publicKey2"; }
+    ];
+  };
+
+  outputs = { test, ... }: { test = test.outPath; };
+}
+EOF
+nix build --out-link "$flakeDir/result" "$flakeDir#test"
+[[ $(cat "$flakeDir/result/text") = 'hello world' ]]
+
+cat > "$flakeDir/flake.nix" <<EOF
+{
+  inputs.test = {
+    type = "git";
+    url = "file://$repo";
+    flake = false;
+    publicKey= "$publicKey1";
+  };
+
+  outputs = { test, ... }: { test = test.outPath; };
+}
+EOF
+out=$(nix build "$flakeDir#test" 2>&1) || status=$?
+[[ $status == 1 ]]
+[[ $out =~ 'No principal matched.' ]]
--- a/tests/functional/flakes/circular.sh
+++ b/tests/functional/flakes/circular.sh
@ -42,7 +42,8 @@ git -C $flakeB commit -a -m 'Foo'
 sed -i $flakeB/flake.nix -e 's/456/789/'
 git -C $flakeB commit -a -m 'Foo'

-[[ $(nix eval --update-input b $flakeA#foo) = 1912 ]]
+nix flake update b --flake $flakeA
+[[ $(nix eval $flakeA#foo) = 1912 ]]

 # Test list-inputs with circular dependencies
 nix flake metadata $flakeA
--- a/tests/functional/flakes/common.sh
+++ b/tests/functional/flakes/common.sh
@ -11,6 +11,7 @@ writeSimpleFlake() {
  outputs = inputs: rec {
    packages.$system = rec {
      foo = import ./simple.nix;
+      fooScript = (import ./shell.nix {}).foo;
      default = foo;
    };
    packages.someOtherSystem = rec {
@ -24,13 +25,13 @@ writeSimpleFlake() {
 }
 EOF

-    cp ../simple.nix ../simple.builder.sh ../config.nix $flakeDir/
+    cp ../simple.nix ../shell.nix ../simple.builder.sh ../config.nix $flakeDir/
 }

 createSimpleGitFlake() {
    local flakeDir="$1"
    writeSimpleFlake $flakeDir
-    git -C $flakeDir add flake.nix simple.nix simple.builder.sh config.nix
+    git -C $flakeDir add flake.nix simple.nix shell.nix simple.builder.sh config.nix
    git -C $flakeDir commit -m 'Initial'
 }

--- a/tests/functional/flakes/flake-in-submodule.sh
+++ b/tests/functional/flakes/flake-in-submodule.sh
@ -46,7 +46,16 @@ echo '"expression in root repo"' > $rootRepo/root.nix
 git -C $rootRepo add root.nix
 git -C $rootRepo commit -m "Add root.nix"

+flakeref=git+file://$rootRepo\?submodules=1\&dir=submodule
+
 # Flake can live inside a submodule and can be accessed via ?dir=submodule
-[[ $(nix eval --json git+file://$rootRepo\?submodules=1\&dir=submodule#sub ) = '"expression in submodule"' ]]
+[[ $(nix eval --json $flakeref#sub ) = '"expression in submodule"' ]]
+
 # The flake can access content outside of the submodule
-[[ $(nix eval --json git+file://$rootRepo\?submodules=1\&dir=submodule#root ) = '"expression in root repo"' ]]
+[[ $(nix eval --json $flakeref#root ) = '"expression in root repo"' ]]
+
+# Check that dirtying a submodule makes the entire thing dirty.
+[[ $(nix flake metadata --json $flakeref | jq -r .locked.rev) != null ]]
+echo '"foo"' > $rootRepo/submodule/sub.nix
+[[ $(nix eval --json $flakeref#sub ) = '"foo"' ]]
+[[ $(nix flake metadata --json $flakeref | jq -r .locked.rev) = null ]]
--- a/tests/functional/flakes/flakes.sh
+++ b/tests/functional/flakes/flakes.sh
@ -66,9 +66,82 @@ cat > "$nonFlakeDir/README.md" <<EOF
 FNORD
 EOF

-git -C "$nonFlakeDir" add README.md
+cat > "$nonFlakeDir/shebang.sh" <<EOF
+#! $(type -P env) nix
+#! nix --offline shell
+#! nix flake1#fooScript
+#! nix --no-write-lock-file --command bash
+set -ex
+foo
+echo "\$@"
+EOF
+chmod +x "$nonFlakeDir/shebang.sh"
+
+git -C "$nonFlakeDir" add README.md shebang.sh
 git -C "$nonFlakeDir" commit -m 'Initial'

+# this also tests a fairly trivial double backtick quoted string, ``--command``
+cat > $nonFlakeDir/shebang-comments.sh <<EOF
+#! $(type -P env) nix
+# some comments
+# some comments
+# some comments
+#! nix --offline shell
+#! nix flake1#fooScript
+#! nix --no-write-lock-file ``--command`` bash
+foo
+EOF
+chmod +x $nonFlakeDir/shebang-comments.sh
+
+cat > $nonFlakeDir/shebang-reject.sh <<EOF
+#! $(type -P env) nix
+# some comments
+# some comments
+# some comments
+#! nix --offline shell *
+#! nix flake1#fooScript
+#! nix --no-write-lock-file --command bash
+foo
+EOF
+chmod +x $nonFlakeDir/shebang-reject.sh
+
+cat > $nonFlakeDir/shebang-inline-expr.sh <<EOF
+#! $(type -P env) nix
+EOF
+cat >> $nonFlakeDir/shebang-inline-expr.sh <<"EOF"
+#! nix --offline shell
+#! nix --impure --expr ``
+#! nix let flake = (builtins.getFlake (toString ../flake1)).packages;
+#! nix     fooScript = flake.${builtins.currentSystem}.fooScript;
+#! nix     /* just a comment !@#$%^&*()__+ # */
+#! nix  in fooScript
+#! nix ``
+#! nix --no-write-lock-file --command bash
+set -ex
+foo
+echo "$@"
+EOF
+chmod +x $nonFlakeDir/shebang-inline-expr.sh
+
+cat > $nonFlakeDir/fooScript.nix <<"EOF"
+let flake = (builtins.getFlake (toString ../flake1)).packages;
+    fooScript = flake.${builtins.currentSystem}.fooScript;
+ in fooScript
+EOF
+
+cat > $nonFlakeDir/shebang-file.sh <<EOF
+#! $(type -P env) nix
+EOF
+cat >> $nonFlakeDir/shebang-file.sh <<"EOF"
+#! nix --offline shell
+#! nix --impure --file ./fooScript.nix
+#! nix --no-write-lock-file --command bash
+set -ex
+foo
+echo "$@"
+EOF
+chmod +x $nonFlakeDir/shebang-file.sh
+
 # Construct a custom registry, additionally test the --registry flag
 nix registry add --registry "$registry" flake1 "git+file://$flake1Dir"
 nix registry add --registry "$registry" flake2 "git+file://$percentEncodedFlake2Dir"
@ -300,7 +373,7 @@ nix build -o "$TEST_ROOT/result" flake4#xyzzy
 nix flake lock "$flake3Dir"
 [[ -z $(git -C "$flake3Dir" diff master || echo failed) ]]

-nix flake update "$flake3Dir" --override-flake flake2 nixpkgs
+nix flake update --flake "$flake3Dir" --override-flake flake2 nixpkgs
 [[ ! -z $(git -C "$flake3Dir" diff master || echo failed) ]]

 # Make branch "removeXyzzy" where flake3 doesn't have xyzzy anymore
@ -437,7 +510,7 @@ cat > "$flake3Dir/flake.nix" <<EOF
 }
 EOF

-nix flake update "$flake3Dir"
+nix flake update --flake "$flake3Dir"
 [[ $(jq -c .nodes.flake2.inputs.flake1 "$flake3Dir/flake.lock") =~ '["foo"]' ]]
 [[ $(jq .nodes.foo.locked.url "$flake3Dir/flake.lock") =~ flake7 ]]

@ -480,7 +553,7 @@ nix flake lock "$flake3Dir" --override-input flake2/flake1 flake1/master/$hash1
 nix flake lock "$flake3Dir"
 [[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") = $hash1 ]]

-nix flake lock "$flake3Dir" --update-input flake2/flake1
+nix flake update flake2/flake1 --flake "$flake3Dir"
 [[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") =~ $hash2 ]]

 # Test 'nix flake metadata --json'.
@ -511,3 +584,11 @@ nix flake metadata "$flake2Dir" --reference-lock-file $TEST_ROOT/flake2-overridd

 # reference-lock-file can only be used if allow-dirty is set.
 expectStderr 1 nix flake metadata "$flake2Dir" --no-allow-dirty --reference-lock-file $TEST_ROOT/flake2-overridden.lock
+
+# Test shebang
+[[ $($nonFlakeDir/shebang.sh) = "foo" ]]
+[[ $($nonFlakeDir/shebang.sh "bar") = "foo"$'\n'"bar" ]]
+[[ $($nonFlakeDir/shebang-comments.sh ) = "foo" ]]
+[[ $($nonFlakeDir/shebang-inline-expr.sh baz) = "foo"$'\n'"baz" ]]
+[[ $($nonFlakeDir/shebang-file.sh baz) = "foo"$'\n'"baz" ]]
+expect 1 $nonFlakeDir/shebang-reject.sh 2>&1 | grepQuiet -F 'error: unsupported unquoted character in nix shebang: *. Use double backticks to escape?'
--- a/tests/functional/flakes/follow-paths.sh
+++ b/tests/functional/flakes/follow-paths.sh
@ -77,7 +77,7 @@ git -C $flakeFollowsA add flake.nix flakeB/flake.nix \

 nix flake metadata $flakeFollowsA

-nix flake update $flakeFollowsA
+nix flake update --flake $flakeFollowsA

 nix flake lock $flakeFollowsA

@ -228,7 +228,7 @@ git -C "$flakeFollowsOverloadA" add flake.nix flakeB/flake.nix \
  flakeB/flakeC/flake.nix flakeB/flakeC/flakeD/flake.nix

 nix flake metadata "$flakeFollowsOverloadA"
-nix flake update "$flakeFollowsOverloadA"
+nix flake update --flake "$flakeFollowsOverloadA"
 nix flake lock "$flakeFollowsOverloadA"

 # Now test follow cycle detection
@ -260,3 +260,79 @@ EOF

 checkRes=$(nix flake lock "$flakeFollowCycle" 2>&1 && fail "nix flake lock should have failed." || true)
 echo $checkRes | grep -F "error: follow cycle detected: [baz -> foo -> bar -> baz]"
+
+
+# Test transitive input url locking
+# This tests the following lockfile issue: https://github.com/NixOS/nix/issues/9143
+#
+# We construct the following graph, where p->q means p has input q.
+#
+# A -> B -> C
+#
+# And override B/C to flake D, first in A's flake.nix and then with --override-input.
+#
+# A -> B -> D
+flakeFollowsCustomUrlA="$TEST_ROOT/follows/custom-url/flakeA"
+flakeFollowsCustomUrlB="$TEST_ROOT/follows/custom-url/flakeA/flakeB"
+flakeFollowsCustomUrlC="$TEST_ROOT/follows/custom-url/flakeA/flakeB/flakeC"
+flakeFollowsCustomUrlD="$TEST_ROOT/follows/custom-url/flakeA/flakeB/flakeD"
+
+
+createGitRepo "$flakeFollowsCustomUrlA"
+mkdir -p "$flakeFollowsCustomUrlB"
+mkdir -p "$flakeFollowsCustomUrlC"
+mkdir -p "$flakeFollowsCustomUrlD"
+
+cat > "$flakeFollowsCustomUrlD/flake.nix" <<EOF
+{
+    description = "Flake D";
+    inputs = {};
+    outputs = { ... }: {};
+}
+EOF
+
+cat > "$flakeFollowsCustomUrlC/flake.nix" <<EOF
+{
+    description = "Flake C";
+    inputs = {};
+    outputs = { ... }: {};
+}
+EOF
+
+cat > "$flakeFollowsCustomUrlB/flake.nix" <<EOF
+{
+    description = "Flake B";
+    inputs = {
+        C = {
+            url = "path:./flakeC";
+        };
+    };
+    outputs = { ... }: {};
+}
+EOF
+
+cat > "$flakeFollowsCustomUrlA/flake.nix" <<EOF
+{
+    description = "Flake A";
+    inputs = {
+        B = {
+            url = "path:./flakeB";
+            inputs.C.url = "path:./flakeB/flakeD";
+        };
+    };
+    outputs = { ... }: {};
+}
+EOF
+
+git -C "$flakeFollowsCustomUrlA" add flake.nix flakeB/flake.nix \
+  flakeB/flakeC/flake.nix flakeB/flakeD/flake.nix
+
+# lock "original" entry should contain overridden url
+json=$(nix flake metadata "$flakeFollowsCustomUrlA" --json)
+[[ $(echo "$json" | jq -r .locks.nodes.C.original.path) = './flakeB/flakeD' ]]
+rm "$flakeFollowsCustomUrlA"/flake.lock
+
+# if override-input is specified, lock "original" entry should contain original url
+json=$(nix flake metadata "$flakeFollowsCustomUrlA" --override-input B/C "path:./flakeB/flakeD" --json)
+echo "$json" | jq .locks.nodes.C.original
+[[ $(echo "$json" | jq -r .locks.nodes.C.original.path) = './flakeC' ]]
--- a/tests/functional/hash.sh
+++ b/tests/functional/hash.sh
@ -81,27 +81,106 @@ rm $TEST_ROOT/hash-path/hello
 ln -s x $TEST_ROOT/hash-path/hello
 try2 md5 "f78b733a68f5edbdf9413899339eaa4a"

-# Conversion.
+# Conversion with `nix hash` `nix-hash` and `nix hash convert`
 try3() {
+    # $1 = hash algo
+    # $2 = expected hash in base16
+    # $3 = expected hash in base32
+    # $4 = expected hash in base64
+    h64=$(nix hash convert --algo "$1" --to base64 "$2")
+    [ "$h64" = "$4" ]
    h64=$(nix-hash --type "$1" --to-base64 "$2")
    [ "$h64" = "$4" ]
+    # Deprecated experiment
    h64=$(nix hash to-base64 --type "$1" "$2")
    [ "$h64" = "$4" ]
+
+    sri=$(nix hash convert --algo "$1" --to sri "$2")
+    [ "$sri" = "$1-$4" ]
    sri=$(nix-hash --type "$1" --to-sri "$2")
    [ "$sri" = "$1-$4" ]
    sri=$(nix hash to-sri --type "$1" "$2")
    [ "$sri" = "$1-$4" ]
+    h32=$(nix hash convert --algo "$1" --to base32 "$2")
+    [ "$h32" = "$3" ]
    h32=$(nix-hash --type "$1" --to-base32 "$2")
    [ "$h32" = "$3" ]
    h32=$(nix hash to-base32 --type "$1" "$2")
    [ "$h32" = "$3" ]
    h16=$(nix-hash --type "$1" --to-base16 "$h32")
    [ "$h16" = "$2" ]
+
+    h16=$(nix hash convert --algo "$1" --to base16 "$h64")
+    [ "$h16" = "$2" ]
    h16=$(nix hash to-base16 --type "$1" "$h64")
    [ "$h16" = "$2" ]
+    h16=$(nix hash convert --to base16 "$sri")
+    [ "$h16" = "$2" ]
    h16=$(nix hash to-base16 "$sri")
    [ "$h16" = "$2" ]
+
+    #
+    # Converting from SRI
+    #
+
+    # Input hash algo auto-detected from SRI and output defaults to SRI as well.
+    sri=$(nix hash convert "$1-$4")
+    [ "$sri" = "$1-$4" ]
+
+    sri=$(nix hash convert --from sri "$1-$4")
+    [ "$sri" = "$1-$4" ]
+
+    sri=$(nix hash convert --to sri "$1-$4")
+    [ "$sri" = "$1-$4" ]
+
+    sri=$(nix hash convert --from sri --to sri "$1-$4")
+    [ "$sri" = "$1-$4" ]
+
+    sri=$(nix hash convert --to base64 "$1-$4")
+    [ "$sri" = "$4" ]
+
+    #
+    # Auto-detecting the input from algo and length.
+    #
+
+    sri=$(nix hash convert --algo "$1" "$2")
+    [ "$sri" = "$1-$4" ]
+    sri=$(nix hash convert --algo "$1" "$3")
+    [ "$sri" = "$1-$4" ]
+    sri=$(nix hash convert --algo "$1" "$4")
+    [ "$sri" = "$1-$4" ]
+
+    sri=$(nix hash convert --algo "$1" "$2")
+    [ "$sri" = "$1-$4" ]
+    sri=$(nix hash convert --algo "$1" "$3")
+    [ "$sri" = "$1-$4" ]
+    sri=$(nix hash convert --algo "$1" "$4")
+    [ "$sri" = "$1-$4" ]
+
+    #
+    # Asserting input format succeeds.
+    #
+
+    sri=$(nix hash convert --algo "$1" --from base16 "$2")
+    [ "$sri" = "$1-$4" ]
+    sri=$(nix hash convert --algo "$1" --from nix32 "$3")
+    [ "$sri" = "$1-$4" ]
+    sri=$(nix hash convert --algo "$1" --from base64 "$4")
+    [ "$sri" = "$1-$4" ]
+
+    #
+    # Asserting input format fails.
+    #
+
+    fail=$(nix hash convert --algo "$1" --from nix32 "$2" 2>&1 || echo "exit: $?")
+    [[ "$fail" == *"error: input hash"*"exit: 1" ]]
+    fail=$(nix hash convert --algo "$1" --from base16 "$3" 2>&1 || echo "exit: $?")
+    [[ "$fail" == *"error: input hash"*"exit: 1" ]]
+    fail=$(nix hash convert --algo "$1" --from nix32 "$4" 2>&1 || echo "exit: $?")
+    [[ "$fail" == *"error: input hash"*"exit: 1" ]]
+
 }
+
 try3 sha1 "800d59cfcd3c05e900cb4e214be48f6b886a08df" "vw46m23bizj4n8afrc0fj19wrp7mj3c0" "gA1Zz808BekAy04hS+SPa4hqCN8="
 try3 sha256 "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" "1b8m03r63zqhnjf7l5wnldhh7c134ap5vpj0850ymkq1iyzicy5s" "ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0="
 try3 sha512 "204a8fc6dda82f0a0ced7beb8e08a41657c16ef468b228a8279be331a703c33596fd15c13b1b07f9aa1d3bea57789ca031ad85c7a71dd70354ec631238ca3445" "12k9jiq29iyqm03swfsgiw5mlqs173qazm3n7daz43infy12pyrcdf30fkk3qwv4yl2ick8yipc2mqnlh48xsvvxl60lbx8vp38yji0" "IEqPxt2oLwoM7XvrjgikFlfBbvRosiioJ5vjMacDwzWW/RXBOxsH+aodO+pXeJygMa2Fx6cd1wNU7GMSOMo0RQ=="
--- a/tests/functional/init.sh
+++ b/tests/functional/init.sh
@ -20,7 +20,7 @@ cat > "$NIX_CONF_DIR"/nix.conf <<EOF
 build-users-group =
 keep-derivations = false
 sandbox = false
-experimental-features = nix-command flakes
+experimental-features = nix-command
 gc-reserved-space = 0
 substituters =
 flake-registry = $TEST_ROOT/registry.json
@ -31,6 +31,7 @@ EOF

 cat > "$NIX_CONF_DIR"/nix.conf.extra <<EOF
 fsync-metadata = false
+extra-experimental-features = flakes
 !include nix.conf.extra.not-there
 EOF

--- a/tests/functional/lang.sh
+++ b/tests/functional/lang.sh
@ -23,6 +23,7 @@ nix-instantiate --trace-verbose --eval -E 'builtins.traceVerbose "Hello" 123' 2>
 nix-instantiate --eval -E 'builtins.traceVerbose "Hello" 123' 2>&1 | grepQuietInverse Hello
 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello" 123' 2>&1 | grepQuietInverse Hello
 expectStderr 1 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello" (throw "Foo")' | grepQuiet Hello
+expectStderr 1 nix-instantiate --show-trace --eval -E 'builtins.addErrorContext "Hello %" (throw "Foo")' | grepQuiet 'Hello %'

 nix-instantiate --eval -E 'let x = builtins.trace { x = x; } true; in x' \
  2>&1 | grepQuiet -E 'trace: { x = «potential infinite recursion»; }'
--- a/tests/functional/lang/eval-fail-attr-name-type.err.exp
+++ b/tests/functional/lang/eval-fail-attr-name-type.err.exp
@ -0,0 +1,20 @@
+error:
+       … while evaluating the attribute 'puppy."${key}"'
+
+         at /pwd/lang/eval-fail-attr-name-type.nix:3:5:
+
+            2|   attrs = {
+            3|     puppy.doggy = {};
+             |     ^
+            4|   };
+
+       … while evaluating an attribute name
+
+         at /pwd/lang/eval-fail-attr-name-type.nix:7:17:
+
+            6| in
+            7|   attrs.puppy.${key}
+             |                 ^
+            8|
+
+       error: value is an integer while a string was expected
--- a/tests/functional/lang/eval-fail-attr-name-type.nix
+++ b/tests/functional/lang/eval-fail-attr-name-type.nix
@ -0,0 +1,7 @@
+let
+  attrs = {
+    puppy.doggy = {};
+  };
+  key = 1;
+in
+  attrs.puppy.${key}
--- a/tests/functional/lang/eval-fail-bad-string-interpolation-2.err.exp
+++ b/tests/functional/lang/eval-fail-bad-string-interpolation-2.err.exp
@ -1 +1 @@
-error: getting status of '/pwd/lang/fnord': No such file or directory
+error: path '/pwd/lang/fnord' does not exist
--- a/tests/functional/lang/eval-fail-bad-string-interpolation-4.err.exp
+++ b/tests/functional/lang/eval-fail-bad-string-interpolation-4.err.exp
@ -0,0 +1,11 @@
+error:
+       … while evaluating a path segment
+
+         at /pwd/lang/eval-fail-bad-string-interpolation-4.nix:9:3:
+
+            8| # The error message should not be too long.
+            9| ''${pkgs}''
+             |   ^
+           10|
+
+       error: cannot coerce a set to a string
--- a/tests/functional/lang/eval-fail-bad-string-interpolation-4.nix
+++ b/tests/functional/lang/eval-fail-bad-string-interpolation-4.nix
@ -0,0 +1,9 @@
+let
+  # Basically a "billion laughs" attack, but toned down to simulated `pkgs`.
+  ha = x: y: { a = x y; b = x y; c = x y; d = x y; e = x y; f = x y; g = x y; h = x y; j = x y; };
+  has = ha (ha (ha (ha (x: x)))) "ha";
+  # A large structure that has already been evaluated.
+  pkgs = builtins.deepSeq has has;
+in
+# The error message should not be too long.
+''${pkgs}''
--- a/tests/functional/lang/eval-fail-call-primop.err.exp
+++ b/tests/functional/lang/eval-fail-call-primop.err.exp
@ -0,0 +1,12 @@
+error:
+       … while calling the 'length' builtin
+
+         at /pwd/lang/eval-fail-call-primop.nix:1:1:
+
+            1| builtins.length 1
+             | ^
+            2|
+
+       … while evaluating the first argument passed to builtins.length
+
+       error: value is an integer while a list was expected
--- a/tests/functional/lang/eval-fail-call-primop.nix
+++ b/tests/functional/lang/eval-fail-call-primop.nix
@ -0,0 +1 @@
+builtins.length 1
--- a/tests/functional/lang/eval-fail-nonexist-path.err.exp
+++ b/tests/functional/lang/eval-fail-nonexist-path.err.exp
@ -1 +1 @@
-error: getting status of '/pwd/lang/fnord': No such file or directory
+error: path '/pwd/lang/fnord' does not exist
--- a/tests/functional/lang/eval-fail-not-throws.err.exp
+++ b/tests/functional/lang/eval-fail-not-throws.err.exp
@ -0,0 +1,18 @@
+error:
+       … in the argument of the not operator
+
+         at /pwd/lang/eval-fail-not-throws.nix:1:4:
+
+            1| ! (throw "uh oh!")
+             |    ^
+            2|
+
+       … while calling the 'throw' builtin
+
+         at /pwd/lang/eval-fail-not-throws.nix:1:4:
+
+            1| ! (throw "uh oh!")
+             |    ^
+            2|
+
+       error: uh oh!
--- a/tests/functional/lang/eval-fail-not-throws.nix
+++ b/tests/functional/lang/eval-fail-not-throws.nix
@ -0,0 +1 @@
+! (throw "uh oh!")
--- a/tests/functional/lang/eval-fail-using-set-as-attr-name.err.exp
+++ b/tests/functional/lang/eval-fail-using-set-as-attr-name.err.exp
@ -0,0 +1,11 @@
+error:
+       … while evaluating an attribute name
+
+         at /pwd/lang/eval-fail-using-set-as-attr-name.nix:5:10:
+
+            4| in
+            5|   attr.${key}
+             |          ^
+            6|
+
+       error: value is a set while a string was expected
--- a/tests/functional/lang/eval-fail-using-set-as-attr-name.nix
+++ b/tests/functional/lang/eval-fail-using-set-as-attr-name.nix
@ -0,0 +1,5 @@
+let
+  attr = {foo = "bar";};
+  key = {};
+in
+  attr.${key}
--- a/tests/functional/lang/eval-okay-convertHash.err.exp
+++ b/tests/functional/lang/eval-okay-convertHash.err.exp
@ -0,0 +1,108 @@
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
+warning: "base32" is a deprecated alias for hash format "nix32".
--- a/tests/functional/lang/eval-okay-convertHash.exp
+++ b/tests/functional/lang/eval-okay-convertHash.exp
@ -1 +1 @@
-{ hashesBase16 = [ "d41d8cd98f00b204e9800998ecf8427e" "6c69ee7f211c640419d5366cc076ae46" "bb3438fbabd460ea6dbd27d153e2233b" "da39a3ee5e6b4b0d3255bfef95601890afd80709" "cd54e8568c1b37cf1e5badb0779bcbf382212189" "6d12e10b1d331dad210e47fd25d4f260802b7e77" "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" "900a4469df00ccbfd0c145c6d1e4b7953dd0afafadd7534e3a4019e8d38fc663" "ad0387b3bd8652f730ca46d25f9c170af0fd589f42e7f23f5a9e6412d97d7e56" "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" "9d0886f8c6b389398a16257bc79780fab9831c7fc11c8ab07fa732cb7b348feade382f92617c9c5305fefba0af02ab5fd39a587d330997ff5bd0db19f7666653" "21644b72aa259e5a588cd3afbafb1d4310f4889680f6c83b9d531596a5a284f34dbebff409d23bcc86aee6bad10c891606f075c6f4755cb536da27db5693f3a7" ]; hashesBase32 = [ "3y8bwfr609h3lh9ch0izcqq7fl" "26mrvc0v1nslch8r0w45zywsbc" "1v4gi57l97pmnylq6lmgxkhd5v" "143xibwh31h9bvxzalr0sjvbbvpa6ffs" "i4hj30pkrfdpgc5dbcgcydqviibfhm6d" "fxz2p030yba2bza71qhss79k3l5y24kd" "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73" "0qy6iz9yh6a079757mxdmypx0gcmnzjd3ij5q78bzk00vxll82lh" "0mkygpci4r4yb8zz5rs2kxcgvw0a2yf5zlj6r8qgfll6pnrqf0xd" "0zdl9zrg8r3i9c1g90lgg9ip5ijzv3yhz91i0zzn3r8ap9ws784gkp9dk9j3aglhgf1amqb0pj21mh7h1nxcl18akqvvf7ggqsy30yg" "19ncrpp37dx0nzzjw4k6zaqkb9mzaq2myhgpzh5aff7qqcj5wwdxslg6ixwncm7gyq8l761gwf87fgsh2bwfyr52s53k2dkqvw8c24x" "2kz74snvckxldmmbisz9ikmy031d28cs6xfdbl6rhxx42glpyz4vww4lajrc5akklxwixl0js4g84233pxvmbykiic5m7i5m9r4nr11" ]; hashesBase64 = [ "1B2M2Y8AsgTpgAmY7PhCfg==" "bGnufyEcZAQZ1TZswHauRg==" "uzQ4+6vUYOptvSfRU+IjOw==" "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" "zVToVowbN88eW62wd5vL84IhIYk=" "bRLhCx0zHa0hDkf9JdTyYIArfnc=" "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" "kApEad8AzL/QwUXG0eS3lT3Qr6+t11NOOkAZ6NOPxmM=" "rQOHs72GUvcwykbSX5wXCvD9WJ9C5/I/Wp5kEtl9flY=" "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" "nQiG+MaziTmKFiV7x5eA+rmDHH/BHIqwf6cyy3s0j+reOC+SYXycUwX++6CvAqtf05pYfTMJl/9b0NsZ92ZmUw==" "IWRLcqolnlpYjNOvuvsdQxD0iJaA9sg7nVMVlqWihPNNvr/0CdI7zIau5rrRDIkWBvB1xvR1XLU22ifbVpPzpw==" ]; hashesSRI = [ "md5-1B2M2Y8AsgTpgAmY7PhCfg==" "md5-bGnufyEcZAQZ1TZswHauRg==" "md5-uzQ4+6vUYOptvSfRU+IjOw==" "sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk=" "sha1-zVToVowbN88eW62wd5vL84IhIYk=" "sha1-bRLhCx0zHa0hDkf9JdTyYIArfnc=" "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" "sha256-kApEad8AzL/QwUXG0eS3lT3Qr6+t11NOOkAZ6NOPxmM=" "sha256-rQOHs72GUvcwykbSX5wXCvD9WJ9C5/I/Wp5kEtl9flY=" "sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" "sha512-nQiG+MaziTmKFiV7x5eA+rmDHH/BHIqwf6cyy3s0j+reOC+SYXycUwX++6CvAqtf05pYfTMJl/9b0NsZ92ZmUw==" "sha512-IWRLcqolnlpYjNOvuvsdQxD0iJaA9sg7nVMVlqWihPNNvr/0CdI7zIau5rrRDIkWBvB1xvR1XLU22ifbVpPzpw==" ]; }
+{ hashesBase16 = [ "d41d8cd98f00b204e9800998ecf8427e" "6c69ee7f211c640419d5366cc076ae46" "bb3438fbabd460ea6dbd27d153e2233b" "da39a3ee5e6b4b0d3255bfef95601890afd80709" "cd54e8568c1b37cf1e5badb0779bcbf382212189" "6d12e10b1d331dad210e47fd25d4f260802b7e77" "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" "900a4469df00ccbfd0c145c6d1e4b7953dd0afafadd7534e3a4019e8d38fc663" "ad0387b3bd8652f730ca46d25f9c170af0fd589f42e7f23f5a9e6412d97d7e56" "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" "9d0886f8c6b389398a16257bc79780fab9831c7fc11c8ab07fa732cb7b348feade382f92617c9c5305fefba0af02ab5fd39a587d330997ff5bd0db19f7666653" "21644b72aa259e5a588cd3afbafb1d4310f4889680f6c83b9d531596a5a284f34dbebff409d23bcc86aee6bad10c891606f075c6f4755cb536da27db5693f3a7" ]; hashesBase32 = [ "3y8bwfr609h3lh9ch0izcqq7fl" "26mrvc0v1nslch8r0w45zywsbc" "1v4gi57l97pmnylq6lmgxkhd5v" "143xibwh31h9bvxzalr0sjvbbvpa6ffs" "i4hj30pkrfdpgc5dbcgcydqviibfhm6d" "fxz2p030yba2bza71qhss79k3l5y24kd" "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73" "0qy6iz9yh6a079757mxdmypx0gcmnzjd3ij5q78bzk00vxll82lh" "0mkygpci4r4yb8zz5rs2kxcgvw0a2yf5zlj6r8qgfll6pnrqf0xd" "0zdl9zrg8r3i9c1g90lgg9ip5ijzv3yhz91i0zzn3r8ap9ws784gkp9dk9j3aglhgf1amqb0pj21mh7h1nxcl18akqvvf7ggqsy30yg" "19ncrpp37dx0nzzjw4k6zaqkb9mzaq2myhgpzh5aff7qqcj5wwdxslg6ixwncm7gyq8l761gwf87fgsh2bwfyr52s53k2dkqvw8c24x" "2kz74snvckxldmmbisz9ikmy031d28cs6xfdbl6rhxx42glpyz4vww4lajrc5akklxwixl0js4g84233pxvmbykiic5m7i5m9r4nr11" ]; hashesBase64 = [ "1B2M2Y8AsgTpgAmY7PhCfg==" "bGnufyEcZAQZ1TZswHauRg==" "uzQ4+6vUYOptvSfRU+IjOw==" "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" "zVToVowbN88eW62wd5vL84IhIYk=" "bRLhCx0zHa0hDkf9JdTyYIArfnc=" "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" "kApEad8AzL/QwUXG0eS3lT3Qr6+t11NOOkAZ6NOPxmM=" "rQOHs72GUvcwykbSX5wXCvD9WJ9C5/I/Wp5kEtl9flY=" "z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" "nQiG+MaziTmKFiV7x5eA+rmDHH/BHIqwf6cyy3s0j+reOC+SYXycUwX++6CvAqtf05pYfTMJl/9b0NsZ92ZmUw==" "IWRLcqolnlpYjNOvuvsdQxD0iJaA9sg7nVMVlqWihPNNvr/0CdI7zIau5rrRDIkWBvB1xvR1XLU22ifbVpPzpw==" ]; hashesNix32 = [ "3y8bwfr609h3lh9ch0izcqq7fl" "26mrvc0v1nslch8r0w45zywsbc" "1v4gi57l97pmnylq6lmgxkhd5v" "143xibwh31h9bvxzalr0sjvbbvpa6ffs" "i4hj30pkrfdpgc5dbcgcydqviibfhm6d" "fxz2p030yba2bza71qhss79k3l5y24kd" "0mdqa9w1p6cmli6976v4wi0sw9r4p5prkj7lzfd1877wk11c9c73" "0qy6iz9yh6a079757mxdmypx0gcmnzjd3ij5q78bzk00vxll82lh" "0mkygpci4r4yb8zz5rs2kxcgvw0a2yf5zlj6r8qgfll6pnrqf0xd" "0zdl9zrg8r3i9c1g90lgg9ip5ijzv3yhz91i0zzn3r8ap9ws784gkp9dk9j3aglhgf1amqb0pj21mh7h1nxcl18akqvvf7ggqsy30yg" "19ncrpp37dx0nzzjw4k6zaqkb9mzaq2myhgpzh5aff7qqcj5wwdxslg6ixwncm7gyq8l761gwf87fgsh2bwfyr52s53k2dkqvw8c24x" "2kz74snvckxldmmbisz9ikmy031d28cs6xfdbl6rhxx42glpyz4vww4lajrc5akklxwixl0js4g84233pxvmbykiic5m7i5m9r4nr11" ]; hashesSRI = [ "md5-1B2M2Y8AsgTpgAmY7PhCfg==" "md5-bGnufyEcZAQZ1TZswHauRg==" "md5-uzQ4+6vUYOptvSfRU+IjOw==" "sha1-2jmj7l5rSw0yVb/vlWAYkK/YBwk=" "sha1-zVToVowbN88eW62wd5vL84IhIYk=" "sha1-bRLhCx0zHa0hDkf9JdTyYIArfnc=" "sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=" "sha256-kApEad8AzL/QwUXG0eS3lT3Qr6+t11NOOkAZ6NOPxmM=" "sha256-rQOHs72GUvcwykbSX5wXCvD9WJ9C5/I/Wp5kEtl9flY=" "sha512-z4PhNX7vuL3xVChQ1m2AB9Yg5AULVxXcg/SpIdNs6c5H0NE8XYXysP+DGNKHfuwvY7kxvUdBeoGlODJ6+SfaPg==" "sha512-nQiG+MaziTmKFiV7x5eA+rmDHH/BHIqwf6cyy3s0j+reOC+SYXycUwX++6CvAqtf05pYfTMJl/9b0NsZ92ZmUw==" "sha512-IWRLcqolnlpYjNOvuvsdQxD0iJaA9sg7nVMVlqWihPNNvr/0CdI7zIau5rrRDIkWBvB1xvR1XLU22ifbVpPzpw==" ]; }
--- a/tests/functional/lang/eval-okay-convertHash.nix
+++ b/tests/functional/lang/eval-okay-convertHash.nix
@ -5,12 +5,14 @@ let
  map2' = f: fsts: snds: map2 f { inherit fsts snds; };
  getOutputHashes = hashes: {
    hashesBase16 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "base16";}) hashAlgos hashes;
+    hashesNix32 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "nix32";}) hashAlgos hashes;
    hashesBase32 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "base32";}) hashAlgos hashes;
    hashesBase64 = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "base64";}) hashAlgos hashes;
    hashesSRI    = map2' (hashAlgo: hash: builtins.convertHash { inherit hash hashAlgo; toHashFormat = "sri"   ;}) hashAlgos hashes;
  };
  getOutputHashesColon = hashes: {
    hashesBase16 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "base16";}) hashAlgos hashes;
+    hashesNix32 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "nix32";}) hashAlgos hashes;
    hashesBase32 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "base32";}) hashAlgos hashes;
    hashesBase64 = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "base64";}) hashAlgos hashes;
    hashesSRI    = map2' (hashAlgo: hashBody: builtins.convertHash { hash = hashAlgo + ":" + hashBody; toHashFormat = "sri"   ;}) hashAlgos hashes;
--- a/tests/functional/lang/eval-okay-symlink-resolution.exp
+++ b/tests/functional/lang/eval-okay-symlink-resolution.exp
@ -0,0 +1 @@
+"test"
--- a/tests/functional/lang/eval-okay-symlink-resolution.nix
+++ b/tests/functional/lang/eval-okay-symlink-resolution.nix
@ -0,0 +1 @@
+import symlink-resolution/foo/overlays/overlay.nix
--- a/tests/functional/lang/symlink-resolution/foo/lib/default.nix
+++ b/tests/functional/lang/symlink-resolution/foo/lib/default.nix
@ -0,0 +1 @@
+"test"
--- a/tests/functional/lang/symlink-resolution/foo/overlays
+++ b/tests/functional/lang/symlink-resolution/foo/overlays
@ -0,0 +1 @@
+../overlays
--- a/tests/functional/lang/symlink-resolution/overlays/overlay.nix
+++ b/tests/functional/lang/symlink-resolution/overlays/overlay.nix
@ -0,0 +1 @@
+import ../lib
--- a/tests/functional/local.mk
+++ b/tests/functional/local.mk
@ -55,6 +55,7 @@ nix_tests = \
  secure-drv-outputs.sh \
  restricted.sh \
  fetchGitSubmodules.sh \
+  fetchGitVerification.sh \
  flakes/search-root.sh \
  readfile-context.sh \
  nix-channel.sh \
@ -68,6 +69,7 @@ nix_tests = \
  build-remote-trustless-should-pass-2.sh \
  build-remote-trustless-should-pass-3.sh \
  build-remote-trustless-should-fail-0.sh \
+  build-remote-with-mounted-ssh-ng.sh \
  nar-access.sh \
  pure-eval.sh \
  eval.sh \
@ -119,6 +121,7 @@ nix_tests = \
  flakes/show.sh \
  impure-derivations.sh \
  path-from-hash-part.sh \
+  path-info.sh \
  toString-path.sh \
  read-only-store.sh \
  nested-sandboxing.sh \
@ -137,9 +140,9 @@ ifeq ($(ENABLE_BUILD), yes)
 endif

 $(d)/test-libstoreconsumer.sh.test $(d)/test-libstoreconsumer.sh.test-debug: \
-  $(d)/test-libstoreconsumer/test-libstoreconsumer
+  $(buildprefix)$(d)/test-libstoreconsumer/test-libstoreconsumer
 $(d)/plugins.sh.test $(d)/plugins.sh.test-debug: \
-  $(d)/plugins/libplugintest.$(SO_EXT)
+  $(buildprefix)$(d)/plugins/libplugintest.$(SO_EXT)

 install-tests += $(foreach x, $(nix_tests), $(d)/$(x))

--- a/tests/functional/nar-access.sh
+++ b/tests/functional/nar-access.sh
@ -25,6 +25,11 @@ diff -u baz.cat-nar $storePath/foo/baz
 nix store cat $storePath/foo/baz > baz.cat-nar
 diff -u baz.cat-nar $storePath/foo/baz

+# Check that 'nix store cat' fails on invalid store paths.
+invalidPath="$(dirname $storePath)/99999999999999999999999999999999-foo"
+cp -r $storePath $invalidPath
+expect 1 nix store cat $invalidPath/foo/baz
+
 # Test --json.
 diff -u \
    <(nix nar ls --json $narFile / | jq -S) \
@ -46,7 +51,7 @@ diff -u \
    <(echo '{"type":"regular","size":0}' | jq -S)

 # Test missing files.
-expect 1 nix store ls --json -R $storePath/xyzzy 2>&1 | grep 'does not exist in NAR'
+expect 1 nix store ls --json -R $storePath/xyzzy 2>&1 | grep 'does not exist'
 expect 1 nix store ls $storePath/xyzzy 2>&1 | grep 'does not exist'

 # Test failure to dump.
--- a/tests/functional/path-info.sh
+++ b/tests/functional/path-info.sh
@ -0,0 +1,23 @@
+source common.sh
+
+echo foo > $TEST_ROOT/foo
+foo=$(nix store add-file $TEST_ROOT/foo)
+
+echo bar > $TEST_ROOT/bar
+bar=$(nix store add-file $TEST_ROOT/bar)
+
+echo baz > $TEST_ROOT/baz
+baz=$(nix store add-file $TEST_ROOT/baz)
+nix-store --delete "$baz"
+
+diff --unified --color=always \
+    <(nix path-info --json "$foo" "$bar" "$baz" |
+        jq --sort-keys 'map_values(.narHash)') \
+    <(jq --sort-keys <<-EOF
+        {
+          "$foo": "sha256-QvtAMbUl/uvi+LCObmqOhvNOapHdA2raiI4xG5zI5pA=",
+          "$bar": "sha256-9fhYGu9fqxcQC2Kc81qh2RMo1QcLBUBo8U+pPn+jthQ=",
+          "$baz": null
+        }
+EOF
+    )
--- a/tests/functional/restricted.sh
+++ b/tests/functional/restricted.sh
@ -14,8 +14,8 @@ nix-instantiate --restrict-eval --eval -E 'builtins.readFile ./simple.nix' -I sr
 (! nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../../src/nix-channel')
 nix-instantiate --restrict-eval --eval -E 'builtins.readDir ../../src/nix-channel' -I src=../../src

-(! nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>')
-nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in <foo>' -I src=.
+expectStderr 1 nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile <foo/simple.nix>' | grepQuiet "forbidden in restricted mode"
+nix-instantiate --restrict-eval --eval -E 'let __nixPath = [ { prefix = "foo"; path = ./.; } ]; in builtins.readFile <foo/simple.nix>' -I src=.

 p=$(nix eval --raw --expr "builtins.fetchurl file://$(pwd)/restricted.sh" --impure --restrict-eval --allowed-uris "file://$(pwd)")
 cmp $p restricted.sh
@ -39,6 +39,18 @@ nix-instantiate --eval --restrict-eval $TEST_ROOT/restricted.nix -I $TEST_ROOT -

 [[ $(nix eval --raw --impure --restrict-eval -I . --expr 'builtins.readFile "${import ./simple.nix}/hello"') == 'Hello World!' ]]

+# Check that we can't follow a symlink outside of the allowed paths.
+mkdir -p $TEST_ROOT/tunnel.d $TEST_ROOT/foo2
+ln -sfn .. $TEST_ROOT/tunnel.d/tunnel
+echo foo > $TEST_ROOT/bar
+
+expectStderr 1 nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readFile <foo/tunnel/bar>" -I $TEST_ROOT/tunnel.d | grepQuiet "forbidden in restricted mode"
+
+expectStderr 1 nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readDir <foo/tunnel/foo2>" -I $TEST_ROOT/tunnel.d | grepQuiet "forbidden in restricted mode"
+
+# Reading the parents of allowed paths should show only the ancestors of the allowed paths.
+[[ $(nix-instantiate --restrict-eval --eval -E "let __nixPath = [ { prefix = \"foo\"; path = $TEST_ROOT/tunnel.d; } ]; in builtins.readDir <foo/tunnel>" -I $TEST_ROOT/tunnel.d) == '{ "tunnel.d" = "directory"; }' ]]
+
 # Check whether we can leak symlink information through directory traversal.
 traverseDir="$(pwd)/restricted-traverse-me"
 ln -sfn "$(pwd)/restricted-secret" "$(pwd)/restricted-innocent"
--- a/tests/functional/tarball.sh
+++ b/tests/functional/tarball.sh
@ -18,7 +18,7 @@ test_tarball() {
    local compressor="$2"

    tarball=$TEST_ROOT/tarball.tar$ext
-    (cd $TEST_ROOT && tar cf - tarball) | $compressor > $tarball
+    (cd $TEST_ROOT && GNUTAR_REPRODUCIBLE= tar --mtime=$tarroot/default.nix --owner=0 --group=0 --numeric-owner --sort=name -c -f - tarball) | $compressor > $tarball

    nix-env -f file://$tarball -qa --out-path | grepQuiet dependencies

--- a/tests/functional/user-envs.sh
+++ b/tests/functional/user-envs.sh
@ -26,6 +26,7 @@ nix-env -f ./user-envs.nix -qa --json --out-path | jq -e '.[] | select(.name ==
    .outputName == "out",
    (.outputs.out | test("'$NIX_STORE_DIR'.*-0\\.1"))
 ] | all'
+nix-env -f ./user-envs.nix -qa --json --drv-path | jq -e '.[] | select(.name == "bar-0.1") | (.drvPath | test("'$NIX_STORE_DIR'.*-0\\.1\\.drv"))'

 # Query descriptions.
 nix-env -f ./user-envs.nix -qa '*' --description | grepQuiet silly
				`@ -0,0 +1 @@`
				`import symlink-resolution/foo/overlays/overlay.nix`