diff --git a/flake.nix b/flake.nix
index 83bdc5ecc..8edc2266f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -107,6 +107,7 @@
         in {
           inherit stdenvs native;
           static = native.pkgsStatic;
+          llvm = native.pkgsLLVM;
           cross = forAllCrossSystems (crossSystem: make-pkgs crossSystem "stdenv");
         });
 
@@ -282,6 +283,7 @@
               # These attributes go right into `packages.<system>`.
               "${pkgName}" = nixpkgsFor.${system}.native.nixComponents.${pkgName};
               "${pkgName}-static" = nixpkgsFor.${system}.static.nixComponents.${pkgName};
+              "${pkgName}-llvm" = nixpkgsFor.${system}.llvm.nixComponents.${pkgName};
             }
             // lib.optionalAttrs supportsCross (flatMapAttrs (lib.genAttrs crossSystems (_: { })) (crossSystem: {}: {
               # These attributes go right into `packages.<system>`.
@@ -321,6 +323,9 @@
             prefixAttrs "static" (forAllStdenvs (stdenvName: makeShell {
               pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".pkgsStatic;
             })) //
+            prefixAttrs "llvm" (forAllStdenvs (stdenvName: makeShell {
+              pkgs = nixpkgsFor.${system}.stdenvs."${stdenvName}Packages".pkgsLLVM;
+            })) //
             prefixAttrs "cross" (forAllCrossSystems (crossSystem: makeShell {
               pkgs = nixpkgsFor.${system}.cross.${crossSystem};
             }))
diff --git a/scripts/install-multi-user.sh b/scripts/install-multi-user.sh
index b65e08682..f051ccc46 100644
--- a/scripts/install-multi-user.sh
+++ b/scripts/install-multi-user.sh
@@ -562,7 +562,7 @@ create_build_user_for_core() {
         if [ "$actual_uid" != "$uid" ]; then
             failure <<EOF
 It seems the build user $username already exists, but with the UID
-with the UID '$actual_uid'. This script can't really handle that right
+'$actual_uid'. This script can't really handle that right
 now, so I'm going to give up.
 
 If you already created the users and you know they start from
diff --git a/src/libcmd/installables.cc b/src/libcmd/installables.cc
index 250cd1413..ab3ab3104 100644
--- a/src/libcmd/installables.cc
+++ b/src/libcmd/installables.cc
@@ -450,7 +450,7 @@ ref<eval_cache::EvalCache> openEvalCache(
     std::shared_ptr<flake::LockedFlake> lockedFlake)
 {
     auto fingerprint = evalSettings.useEvalCache && evalSettings.pureEval
-        ? lockedFlake->getFingerprint(state.store)
+        ? lockedFlake->getFingerprint(state.store, state.fetchSettings)
         : std::nullopt;
     auto rootLoader = [&state, lockedFlake]()
         {
diff --git a/src/libcmd/package.nix b/src/libcmd/package.nix
index 53e54d2f8..9244a780a 100644
--- a/src/libcmd/package.nix
+++ b/src/libcmd/package.nix
@@ -76,7 +76,7 @@ mkMesonLibrary (finalAttrs: {
     (lib.mesonOption "readline-flavor" readlineFlavor)
   ];
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/src/libexpr/eval.cc b/src/libexpr/eval.cc
index 21dd5a294..345c09e7e 100644
--- a/src/libexpr/eval.cc
+++ b/src/libexpr/eval.cc
@@ -406,7 +406,7 @@ void EvalState::checkURI(const std::string & uri)
 
     /* If the URI is a path, then check it against allowedPaths as
        well. */
-    if (hasPrefix(uri, "/")) {
+    if (isAbsolute(uri)) {
         if (auto rootFS2 = rootFS.dynamic_pointer_cast<AllowListSourceAccessor>())
             rootFS2->checkAccess(CanonPath(uri));
         return;
diff --git a/src/libexpr/package.nix b/src/libexpr/package.nix
index 5171d70fd..9ef56b28c 100644
--- a/src/libexpr/package.nix
+++ b/src/libexpr/package.nix
@@ -96,7 +96,7 @@ mkMesonLibrary (finalAttrs: {
     # https://github.com/NixOS/nixpkgs/issues/86131.
     BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
     BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
-  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/src/libexpr/primops/fetchTree.cc b/src/libexpr/primops/fetchTree.cc
index 47d1be1cc..fe42b88f1 100644
--- a/src/libexpr/primops/fetchTree.cc
+++ b/src/libexpr/primops/fetchTree.cc
@@ -182,7 +182,7 @@ static void fetchTree(
     if (!state.settings.pureEval && !input.isDirect() && experimentalFeatureSettings.isEnabled(Xp::Flakes))
         input = lookupInRegistries(state.store, input).first;
 
-    if (state.settings.pureEval && !input.isLocked()) {
+    if (state.settings.pureEval && !input.isConsideredLocked(state.fetchSettings)) {
         auto fetcher = "fetchTree";
         if (params.isFetchGit)
             fetcher = "fetchGit";
diff --git a/src/libfetchers/fetch-settings.hh b/src/libfetchers/fetch-settings.hh
index f7cb34a02..2ad8aa327 100644
--- a/src/libfetchers/fetch-settings.hh
+++ b/src/libfetchers/fetch-settings.hh
@@ -70,6 +70,22 @@ struct Settings : public Config
     Setting<bool> warnDirty{this, true, "warn-dirty",
         "Whether to warn about dirty Git/Mercurial trees."};
 
+    Setting<bool> allowDirtyLocks{
+        this,
+        false,
+        "allow-dirty-locks",
+        R"(
+          Whether to allow dirty inputs (such as dirty Git workdirs)
+          to be locked via their NAR hash. This is generally bad
+          practice since Nix has no way to obtain such inputs if they
+          are subsequently modified. Therefore lock files with dirty
+          locks should generally only be used for local testing, and
+          should not be pushed to other users.
+        )",
+        {},
+        true,
+        Xp::Flakes};
+
     Setting<bool> trustTarballsFromGitForges{
         this, true, "trust-tarballs-from-git-forges",
         R"(
diff --git a/src/libfetchers/fetchers.cc b/src/libfetchers/fetchers.cc
index 5a48b5bf8..1cfc48d52 100644
--- a/src/libfetchers/fetchers.cc
+++ b/src/libfetchers/fetchers.cc
@@ -4,6 +4,7 @@
 #include "fetch-to-store.hh"
 #include "json-utils.hh"
 #include "store-path-accessor.hh"
+#include "fetch-settings.hh"
 
 #include <nlohmann/json.hpp>
 
@@ -154,6 +155,12 @@ bool Input::isLocked() const
     return scheme && scheme->isLocked(*this);
 }
 
+bool Input::isConsideredLocked(
+    const Settings & settings) const
+{
+    return isLocked() || (settings.allowDirtyLocks && getNarHash());
+}
+
 bool Input::isFinal() const
 {
     return maybeGetBoolAttr(attrs, "__final").value_or(false);
diff --git a/src/libfetchers/fetchers.hh b/src/libfetchers/fetchers.hh
index 53d64adc9..87c7b08c0 100644
--- a/src/libfetchers/fetchers.hh
+++ b/src/libfetchers/fetchers.hh
@@ -90,6 +90,15 @@ public:
      */
     bool isLocked() const;
 
+    /**
+     * Return whether the input is either locked, or, if
+     * `allow-dirty-locks` is enabled, it has a NAR hash. In the
+     * latter case, we can verify the input but we may not be able to
+     * fetch it from anywhere.
+     */
+    bool isConsideredLocked(
+        const Settings & settings) const;
+
     /**
      * Only for relative path flakes, i.e. 'path:./foo', returns the
      * relative path, i.e. './foo'.
diff --git a/src/libfetchers/git.cc b/src/libfetchers/git.cc
index d894550c0..c4dfc27a2 100644
--- a/src/libfetchers/git.cc
+++ b/src/libfetchers/git.cc
@@ -426,7 +426,16 @@ struct GitInputScheme : InputScheme
         auto url = parseURL(getStrAttr(input.attrs, "url"));
         bool isBareRepository = url.scheme == "file" && !pathExists(url.path + "/.git");
         repoInfo.isLocal = url.scheme == "file" && !forceHttp && !isBareRepository;
-        repoInfo.url = repoInfo.isLocal ? url.path : url.to_string();
+        //
+        // FIXME: here we turn a possibly relative path into an absolute path.
+        // This allows relative git flake inputs to be resolved against the
+        // **current working directory** (as in POSIX), which tends to work out
+        // ok in the context of flakes, but is the wrong behavior,
+        // as it should resolve against the flake.nix base directory instead.
+        //
+        // See: https://discourse.nixos.org/t/57783 and #9708
+        //
+        repoInfo.url = repoInfo.isLocal ? std::filesystem::absolute(url.path).string() : url.to_string();
 
         // If this is a local directory and no ref or revision is
         // given, then allow the use of an unclean working tree.
diff --git a/src/libfetchers/package.nix b/src/libfetchers/package.nix
index 7dad00025..86d505fbf 100644
--- a/src/libfetchers/package.nix
+++ b/src/libfetchers/package.nix
@@ -49,7 +49,7 @@ mkMesonLibrary (finalAttrs: {
       echo ${version} > ../../.version
     '';
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/src/libfetchers/path.cc b/src/libfetchers/path.cc
index 0b5bc0b4f..9691cc9c5 100644
--- a/src/libfetchers/path.cc
+++ b/src/libfetchers/path.cc
@@ -97,7 +97,7 @@ struct PathInputScheme : InputScheme
     std::optional<std::string> isRelative(const Input & input) const override
     {
         auto path = getStrAttr(input.attrs, "path");
-        if (hasPrefix(path, "/"))
+        if (isAbsolute(path))
             return std::nullopt;
         else
             return path;
diff --git a/src/libfetchers/registry.cc b/src/libfetchers/registry.cc
index 171afcea7..c18e12d23 100644
--- a/src/libfetchers/registry.cc
+++ b/src/libfetchers/registry.cc
@@ -153,7 +153,7 @@ static std::shared_ptr<Registry> getGlobalRegistry(const Settings & settings, re
             return std::make_shared<Registry>(settings, Registry::Global); // empty registry
         }
 
-        if (!hasPrefix(path, "/")) {
+        if (!isAbsolute(path)) {
             auto storePath = downloadFile(store, path, "flake-registry.json").storePath;
             if (auto store2 = store.dynamic_pointer_cast<LocalFSStore>())
                 store2->addPermRoot(storePath, getCacheDir() + "/flake-registry.json");
diff --git a/src/libflake/flake/flake.cc b/src/libflake/flake/flake.cc
index 4f0b922ab..4e70b4089 100644
--- a/src/libflake/flake/flake.cc
+++ b/src/libflake/flake/flake.cc
@@ -367,6 +367,7 @@ Flake getFlake(EvalState & state, const FlakeRef & originalRef, bool allowLookup
 }
 
 static LockFile readLockFile(
+    const Settings & settings,
     const fetchers::Settings & fetchSettings,
     const SourcePath & lockFilePath)
 {
@@ -402,6 +403,7 @@ LockedFlake lockFlake(
         }
 
         auto oldLockFile = readLockFile(
+            settings,
             state.fetchSettings,
             lockFlags.referenceLockFilePath.value_or(
                 flake.lockFilePath()));
@@ -690,7 +692,7 @@ LockedFlake lockFlake(
                                 inputFlake.inputs, childNode, inputPath,
                                 oldLock
                                 ? std::dynamic_pointer_cast<const Node>(oldLock)
-                                : readLockFile(state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(),
+                                : readLockFile(settings, state.fetchSettings, inputFlake.lockFilePath()).root.get_ptr(),
                                 oldLock ? lockRootPath : inputPath,
                                 inputFlake.path,
                                 false);
@@ -758,9 +760,11 @@ LockedFlake lockFlake(
 
             if (lockFlags.writeLockFile) {
                 if (sourcePath || lockFlags.outputLockFilePath) {
-                    if (auto unlockedInput = newLockFile.isUnlocked()) {
+                    if (auto unlockedInput = newLockFile.isUnlocked(state.fetchSettings)) {
                         if (lockFlags.failOnUnlocked)
-                            throw Error("cannot write lock file of flake '%s' because it has an unlocked input ('%s').\n", topRef, *unlockedInput);
+                            throw Error(
+                                "Will not write lock file of flake '%s' because it has an unlocked input ('%s'). "
+                                "Use '--allow-dirty-locks' to allow this anyway.", topRef, *unlockedInput);
                         if (state.fetchSettings.warnDirty)
                             warn("will not write lock file of flake '%s' because it has an unlocked input ('%s')", topRef, *unlockedInput);
                     } else {
@@ -1059,9 +1063,11 @@ static RegisterPrimOp r4({
 
 }
 
-std::optional<Fingerprint> LockedFlake::getFingerprint(ref<Store> store) const
+std::optional<Fingerprint> LockedFlake::getFingerprint(
+    ref<Store> store,
+    const fetchers::Settings & fetchSettings) const
 {
-    if (lockFile.isUnlocked()) return std::nullopt;
+    if (lockFile.isUnlocked(fetchSettings)) return std::nullopt;
 
     auto fingerprint = flake.lockedRef.input.getFingerprint(store);
     if (!fingerprint) return std::nullopt;
diff --git a/src/libflake/flake/flake.hh b/src/libflake/flake/flake.hh
index 0dfd9440d..f85671a41 100644
--- a/src/libflake/flake/flake.hh
+++ b/src/libflake/flake/flake.hh
@@ -129,7 +129,9 @@ struct LockedFlake
      */
     std::map<ref<Node>, SourcePath> nodePaths;
 
-    std::optional<Fingerprint> getFingerprint(ref<Store> store) const;
+    std::optional<Fingerprint> getFingerprint(
+        ref<Store> store,
+        const fetchers::Settings & fetchSettings) const;
 };
 
 struct LockFlags
diff --git a/src/libflake/flake/flakeref.cc b/src/libflake/flake/flakeref.cc
index 573cd0d8e..720f771ab 100644
--- a/src/libflake/flake/flakeref.cc
+++ b/src/libflake/flake/flakeref.cc
@@ -104,8 +104,8 @@ std::pair<FlakeRef, std::string> parsePathFlakeRefWithFragment(
 
     if (baseDir) {
         /* Check if 'url' is a path (either absolute or relative
-            to 'baseDir'). If so, search upward to the root of the
-            repo (i.e. the directory containing .git). */
+           to 'baseDir'). If so, search upward to the root of the
+           repo (i.e. the directory containing .git). */
 
         path = absPath(path, baseDir);
 
@@ -180,7 +180,7 @@ std::pair<FlakeRef, std::string> parsePathFlakeRefWithFragment(
         }
 
     } else {
-        if (!preserveRelativePaths && !hasPrefix(path, "/"))
+        if (!preserveRelativePaths && !isAbsolute(path))
             throw BadURL("flake reference '%s' is not an absolute path", url);
     }
 
@@ -231,7 +231,12 @@ std::optional<std::pair<FlakeRef, std::string>> parseURLFlakeRef(
     bool isFlake)
 {
     try {
-        return fromParsedURL(fetchSettings, parseURL(url), isFlake);
+        auto parsed = parseURL(url);
+        if (baseDir
+            && (parsed.scheme == "path" || parsed.scheme == "git+file")
+            && !isAbsolute(parsed.path))
+            parsed.path = absPath(parsed.path, *baseDir);
+        return fromParsedURL(fetchSettings, std::move(parsed), isFlake);
     } catch (BadURL &) {
         return std::nullopt;
     }
diff --git a/src/libflake/flake/lockfile.cc b/src/libflake/flake/lockfile.cc
index 6e1cd89c1..67af108b8 100644
--- a/src/libflake/flake/lockfile.cc
+++ b/src/libflake/flake/lockfile.cc
@@ -10,6 +10,7 @@
 #include <nlohmann/json.hpp>
 
 #include "strings.hh"
+#include "flake/settings.hh"
 
 namespace nix::flake {
 
@@ -44,8 +45,8 @@ LockedNode::LockedNode(
     , isFlake(json.find("flake") != json.end() ? (bool) json["flake"] : true)
     , parentPath(json.find("parent") != json.end() ? (std::optional<InputPath>) json["parent"] : std::nullopt)
 {
-    if (!lockedRef.input.isLocked() && !lockedRef.input.isRelative())
-        throw Error("lock file contains unlocked input '%s'",
+    if (!lockedRef.input.isConsideredLocked(fetchSettings) && !lockedRef.input.isRelative())
+        throw Error("Lock file contains unlocked input '%s'. Use '--allow-dirty-locks' to accept this lock file.",
             fetchers::attrsToJSON(lockedRef.input.toAttrs()));
 
     // For backward compatibility, lock file entries are implicitly final.
@@ -231,7 +232,7 @@ std::ostream & operator <<(std::ostream & stream, const LockFile & lockFile)
     return stream;
 }
 
-std::optional<FlakeRef> LockFile::isUnlocked() const
+std::optional<FlakeRef> LockFile::isUnlocked(const fetchers::Settings & fetchSettings) const
 {
     std::set<ref<const Node>> nodes;
 
@@ -251,7 +252,8 @@ std::optional<FlakeRef> LockFile::isUnlocked() const
         if (i == ref<const Node>(root)) continue;
         auto node = i.dynamic_pointer_cast<const LockedNode>();
         if (node
-            && (!node->lockedRef.input.isLocked() || !node->lockedRef.input.isFinal())
+            && (!node->lockedRef.input.isConsideredLocked(fetchSettings)
+                || !node->lockedRef.input.isFinal())
             && !node->lockedRef.input.isRelative())
             return node->lockedRef;
     }
diff --git a/src/libflake/flake/lockfile.hh b/src/libflake/flake/lockfile.hh
index c4fd36d44..cb7c8da5a 100644
--- a/src/libflake/flake/lockfile.hh
+++ b/src/libflake/flake/lockfile.hh
@@ -79,7 +79,7 @@ struct LockFile
      * Check whether this lock file has any unlocked or non-final
      * inputs. If so, return one.
      */
-    std::optional<FlakeRef> isUnlocked() const;
+    std::optional<FlakeRef> isUnlocked(const fetchers::Settings & fetchSettings) const;
 
     bool operator ==(const LockFile & other) const;
 
diff --git a/src/libflake/flake/settings.hh b/src/libflake/flake/settings.hh
index fee247a7d..991eaca1f 100644
--- a/src/libflake/flake/settings.hh
+++ b/src/libflake/flake/settings.hh
@@ -29,7 +29,7 @@ struct Settings : public Config
         this,
         false,
         "accept-flake-config",
-        "Whether to accept nix configuration from a flake without prompting.",
+        "Whether to accept Nix configuration settings from a flake without prompting.",
         {},
         true,
         Xp::Flakes};
diff --git a/src/libflake/package.nix b/src/libflake/package.nix
index 92445739f..29c9fdd80 100644
--- a/src/libflake/package.nix
+++ b/src/libflake/package.nix
@@ -48,7 +48,7 @@ mkMesonLibrary (finalAttrs: {
       echo ${version} > ../../.version
     '';
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/src/libmain/package.nix b/src/libmain/package.nix
index 7d9d99b61..ede1f005b 100644
--- a/src/libmain/package.nix
+++ b/src/libmain/package.nix
@@ -45,7 +45,7 @@ mkMesonLibrary (finalAttrs: {
       echo ${version} > ../../.version
     '';
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/src/libstore/package.nix b/src/libstore/package.nix
index 47a203f83..195efbb8a 100644
--- a/src/libstore/package.nix
+++ b/src/libstore/package.nix
@@ -87,7 +87,7 @@ mkMesonLibrary (finalAttrs: {
     # https://github.com/NixOS/nixpkgs/issues/86131.
     BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
     BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
-  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/src/libutil/file-system.cc b/src/libutil/file-system.cc
index 923220fd0..a86f1ba4f 100644
--- a/src/libutil/file-system.cc
+++ b/src/libutil/file-system.cc
@@ -31,12 +31,7 @@ namespace nix {
 
 namespace fs { using namespace std::filesystem; }
 
-/**
- * Treat the string as possibly an absolute path, by inspecting the
- * start of it. Return whether it was probably intended to be
- * absolute.
- */
-static bool isAbsolute(PathView path)
+bool isAbsolute(PathView path)
 {
     return fs::path { path }.is_absolute();
 }
diff --git a/src/libutil/file-system.hh b/src/libutil/file-system.hh
index 7fdaba811..204907339 100644
--- a/src/libutil/file-system.hh
+++ b/src/libutil/file-system.hh
@@ -42,6 +42,11 @@ namespace nix {
 struct Sink;
 struct Source;
 
+/**
+ * Return whether the path denotes an absolute path.
+ */
+bool isAbsolute(PathView path);
+
 /**
  * @return An absolutized path, resolving paths relative to the
  * specified directory, or the current directory otherwise.  The path
diff --git a/src/libutil/fs-sink.cc b/src/libutil/fs-sink.cc
index dd979f83f..fadba5972 100644
--- a/src/libutil/fs-sink.cc
+++ b/src/libutil/fs-sink.cc
@@ -112,7 +112,7 @@ void RestoreSink::createRegularFile(const CanonPath & path, std::function<void(C
     crf.startFsync = startFsync;
     crf.fd =
 #ifdef _WIN32
-        CreateFileW(p.c_str(), GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL)
+        CreateFileW(p.c_str(), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, CREATE_NEW, FILE_ATTRIBUTE_NORMAL, NULL)
 #else
         open(p.c_str(), O_CREAT | O_EXCL | O_WRONLY | O_CLOEXEC, 0666)
 #endif
diff --git a/src/libutil/package.nix b/src/libutil/package.nix
index 0a9f65782..11f7249ee 100644
--- a/src/libutil/package.nix
+++ b/src/libutil/package.nix
@@ -72,7 +72,7 @@ mkMesonLibrary (finalAttrs: {
     # https://github.com/NixOS/nixpkgs/issues/86131.
     BOOST_INCLUDEDIR = "${lib.getDev boost}/include";
     BOOST_LIBRARYDIR = "${lib.getLib boost}/lib";
-  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  } // lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM or false)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/src/libutil/source-accessor.cc b/src/libutil/source-accessor.cc
index aa8dcf9fd..78f038cf3 100644
--- a/src/libutil/source-accessor.cc
+++ b/src/libutil/source-accessor.cc
@@ -115,7 +115,7 @@ CanonPath SourceAccessor::resolveSymlinks(
                         throw Error("infinite symlink recursion in path '%s'", showPath(path));
                     auto target = readLink(res);
                     res.pop();
-                    if (hasPrefix(target, "/"))
+                    if (isAbsolute(target))
                         res = CanonPath::root;
                     todo.splice(todo.begin(), tokenizeString<std::list<std::string>>(target, "/"));
                 }
diff --git a/src/nix/flake.cc b/src/nix/flake.cc
index 3da194bcc..4d5cad1a8 100644
--- a/src/nix/flake.cc
+++ b/src/nix/flake.cc
@@ -238,7 +238,7 @@ struct CmdFlakeMetadata : FlakeCommand, MixJSON
                 j["lastModified"] = *lastModified;
             j["path"] = storePath;
             j["locks"] = lockedFlake.lockFile.toJSON().first;
-            if (auto fingerprint = lockedFlake.getFingerprint(store))
+            if (auto fingerprint = lockedFlake.getFingerprint(store, fetchSettings))
                 j["fingerprint"] = fingerprint->to_string(HashFormat::Base16, false);
             logger->cout("%s", j.dump());
         } else {
@@ -272,7 +272,7 @@ struct CmdFlakeMetadata : FlakeCommand, MixJSON
                 logger->cout(
                     ANSI_BOLD "Last modified:" ANSI_NORMAL " %s",
                     std::put_time(std::localtime(&*lastModified), "%F %T"));
-            if (auto fingerprint = lockedFlake.getFingerprint(store))
+            if (auto fingerprint = lockedFlake.getFingerprint(store, fetchSettings))
                 logger->cout(
                     ANSI_BOLD "Fingerprint:" ANSI_NORMAL "   %s",
                     fingerprint->to_string(HashFormat::Base16, false));
diff --git a/src/nix/package.nix b/src/nix/package.nix
index 9bc139c3b..67bf79f3f 100644
--- a/src/nix/package.nix
+++ b/src/nix/package.nix
@@ -99,7 +99,7 @@ mkMesonExecutable (finalAttrs: {
   mesonFlags = [
   ];
 
-  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux")) {
+  env = lib.optionalAttrs (stdenv.isLinux && !(stdenv.hostPlatform.isStatic && stdenv.system == "aarch64-linux") && !(stdenv.hostPlatform.useLLVM)) {
     LDFLAGS = "-fuse-ld=gold";
   };
 
diff --git a/tests/functional/flakes/flake-in-submodule.sh b/tests/functional/flakes/flake-in-submodule.sh
index 643d729ff..f98c19aa8 100755
--- a/tests/functional/flakes/flake-in-submodule.sh
+++ b/tests/functional/flakes/flake-in-submodule.sh
@@ -76,3 +76,21 @@ git -C "$rootRepo" commit -m "Add flake.nix"
 
 storePath=$(nix flake metadata --json "$rootRepo?submodules=1" | jq -r .path)
 [[ -e "$storePath/submodule" ]]
+
+# The root repo may use the submodule repo as an input
+# through the relative path. This may change in the future;
+# see: https://discourse.nixos.org/t/57783 and #9708.
+cat > "$rootRepo"/flake.nix <<EOF
+{
+    inputs.subRepo.url = "git+file:./submodule";
+    outputs = { ... }: { };
+}
+EOF
+git -C "$rootRepo" add flake.nix
+git -C "$rootRepo" commit -m "Add subRepo input"
+(
+  cd "$rootRepo"
+  # The submodule must be locked to the relative path,
+  # _not_ the absolute path:
+  [[ $(nix flake metadata --json | jq -r .locks.nodes.subRepo.locked.url) = "file:./submodule" ]]
+)
diff --git a/tests/functional/flakes/flakes.sh b/tests/functional/flakes/flakes.sh
index 6c466a0c7..d8c9f254d 100755
--- a/tests/functional/flakes/flakes.sh
+++ b/tests/functional/flakes/flakes.sh
@@ -97,6 +97,9 @@ nix build -o "$TEST_ROOT/result" flake1
 
 nix build -o "$TEST_ROOT/result" "$flake1Dir"
 nix build -o "$TEST_ROOT/result" "git+file://$flake1Dir"
+(cd "$flake1Dir" && nix build -o "$TEST_ROOT/result" ".")
+(cd "$flake1Dir" && nix build -o "$TEST_ROOT/result" "path:.")
+(cd "$flake1Dir" && nix build -o "$TEST_ROOT/result" "git+file:.")
 
 # Test explicit packages.default.
 nix build -o "$TEST_ROOT/result" "$flake1Dir#default"
@@ -106,6 +109,15 @@ nix build -o "$TEST_ROOT/result" "git+file://$flake1Dir#default"
 nix build -o "$TEST_ROOT/result" "$flake1Dir?ref=HEAD#default"
 nix build -o "$TEST_ROOT/result" "git+file://$flake1Dir?ref=HEAD#default"
 
+# Check that relative paths are allowed for git flakes.
+# This may change in the future once git submodule support is refined.
+# See: https://discourse.nixos.org/t/57783 and #9708.
+(
+  # This `cd` should not be required and is indicative of aforementioned bug.
+  cd "$flake1Dir/.."
+  nix build -o "$TEST_ROOT/result" "git+file:./$(basename "$flake1Dir")"
+)
+
 # Check that store symlinks inside a flake are not interpreted as flakes.
 nix build -o "$flake1Dir/result" "git+file://$flake1Dir"
 nix path-info "$flake1Dir/result"
diff --git a/tests/functional/flakes/unlocked-override.sh b/tests/functional/flakes/unlocked-override.sh
index ebad332d0..dcb427a8f 100755
--- a/tests/functional/flakes/unlocked-override.sh
+++ b/tests/functional/flakes/unlocked-override.sh
@@ -31,5 +31,14 @@ echo 456 > "$flake1Dir"/x.nix
 
 [[ $(nix eval --json "$flake2Dir#x" --override-input flake1 "$TEST_ROOT/flake1") = 456 ]]
 
+# Dirty overrides require --allow-dirty-locks.
 expectStderr 1 nix flake lock "$flake2Dir" --override-input flake1 "$TEST_ROOT/flake1" |
-  grepQuiet "cannot write lock file.*because it has an unlocked input"
+  grepQuiet "Will not write lock file.*because it has an unlocked input"
+
+nix flake lock "$flake2Dir" --override-input flake1 "$TEST_ROOT/flake1" --allow-dirty-locks
+
+# Using a lock file with a dirty lock requires --allow-dirty-locks as well.
+expectStderr 1 nix eval "$flake2Dir#x" |
+  grepQuiet "Lock file contains unlocked input"
+
+[[ $(nix eval "$flake2Dir#x" --allow-dirty-locks) = 456 ]]