From edfcc8256ee232736e335d6cc315f98f6f40d1f3 Mon Sep 17 00:00:00 2001
From: "Travis A. Everett" <travis.a.everett@gmail.com>
Date: Sat, 11 Jun 2022 13:30:51 -0500
Subject: [PATCH 01/49] doc: add install test info to hacking.md

---
 doc/manual/src/contributing/hacking.md | 64 +++++++++++++++++++++++++-
 1 file changed, 63 insertions(+), 1 deletion(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index 59ce5cac7..9a371afa7 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -83,7 +83,7 @@ by:
 $ nix develop
 ```
 
-## Testing
+## Testing Nix
 
 Nix comes with three different flavors of tests: unit, functional and integration.
 
@@ -108,3 +108,65 @@ These tests include everything that needs to interact with external services or
 Because these tests are expensive and require more than what the standard github-actions setup provides, they only run on the master branch (on <https://hydra.nixos.org/jobset/nix/master>).
 
 You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`
+
+## Testing the install scripts
+
+Testing the install scripts has traditionally been tedious, but you can now do this much more easily via the GitHub Actions CI runs (at least for platforms that Github Actions supports).
+
+If you've already pushed to a fork of Nix on GitHub before, you may have noticed that the CI workflows in your fork list skipped "installer" and "installer_test" jobs. Once your Nix fork is set up correctly, pushing to it will also run these jobs.
+- The `installer` job will generate installers for these platforms: x86_64-linux, armv6l-linux, armv7l-linux, x86_64-darwin. While this installer is in your Cachix cache, you can use it for manual testing on any of these platforms.
+- the `installer_test` job will try to use this installer and run a trivial Nix command on `ubuntu-latest` and `macos-latest`.
+
+### One-time setup
+1. Have a GitHub account with a fork of the Nix repo.
+2. At cachix.org:
+    - Create or log in to an account.
+    - Create a Cachix cache using the format `<github-username>-nix-install-tests`.
+    - Navigate to the new cache > Settings > Auth Tokens.
+    - Generate a new cachix auth token and copy the generated value.
+4. At github.com:
+    - Navigate to your Nix fork > Settings > Secrets > Actions > New repository secret.
+    - Name the secret `CACHIX_AUTH_TOKEN`
+    - Paste the copied value of the Cachix cache auth token.
+
+### Using the CI-generated installer for manual testing
+
+After the CI run completes, you can check the output to extract the installer url:
+1. Click into the detailed view of the CI run.
+2. Click into any `installer_test` run (the URL you're here to extract will be the same in all of them).
+3. Click into the `Run cachix/install-nix-action@v...` step and click the detail triangle next to the first log line (it will also be `Run cachix/install-nix-action@v...`)
+4. Copy the install_url
+5. To generate an install command, plug this install_url and your github username into this template:
+
+    ```console
+    sh <(curl -L <install_url>) --tarball-url-prefix https://<github-username>-nix-install-tests.cachix.org/serve
+    ```
+
+<!-- ### Manually generating test installers
+
+There's obviously a manual way to do this, and it's still the only way for
+platforms that lack GA runners.
+
+I did do this back in Fall 2020 (before the GA approach encouraged here). I'll
+sketch what I recall in case it encourages someone to fill in detail, but: I
+didn't know what I was doing at the time and had to fumble/ask around a lot--
+so I don't want to uphold any of it as "right". It may have been dumb or
+the _hard_ way from the getgo. Fundamentals may have changed since.
+
+Here's the build command I used to do this on and for x86_64-darwin:
+nix build --out-link /tmp/foo ".#checks.x86_64-darwin.binaryTarball"
+
+I used the stable out-link to make it easier to script the next steps:
+link=$(readlink /tmp/foo)
+cp $link/*-darwin.tar.xz ~/somewheres
+
+I've lost the last steps and am just going from memory:
+
+From here, I think I had to extract and modify the `install` script to point
+it at this tarball (which I scped to my own site, but it might make more sense
+to just share them locally). I extracted this script once and then just
+search/replaced in it for each new build.
+
+The installer now supports a `--tarball-url-prefix` flag which _may_ have
+solved this need?
+-->

From a5be5e01200a12cc34d0e3a2e3f964d5c95208b9 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 4 Aug 2022 14:07:06 -0700
Subject: [PATCH 02/49] doc/manual: define {local,remote} store, binary cache,
 substituter

Nix veterans intuitively know what the following terms mean.  They are
used in several places in the nix documentation, but never defined:

- local store
- remote store
- binary cache
- substituter

In particular, I found the last two terms to be confusingly similar.
Let's give definitions for them.
---
 doc/manual/src/SUMMARY.md.in                  |  1 +
 .../src/package-management/terminology.md     | 27 +++++++++++++++++++
 2 files changed, 28 insertions(+)
 create mode 100644 doc/manual/src/package-management/terminology.md

diff --git a/doc/manual/src/SUMMARY.md.in b/doc/manual/src/SUMMARY.md.in
index a47d39f31..f8da2247b 100644
--- a/doc/manual/src/SUMMARY.md.in
+++ b/doc/manual/src/SUMMARY.md.in
@@ -22,6 +22,7 @@
     - [Garbage Collector Roots](package-management/garbage-collector-roots.md)
   - [Channels](package-management/channels.md)
   - [Sharing Packages Between Machines](package-management/sharing-packages.md)
+    - [Terminology](package-management/terminology.md)
     - [Serving a Nix store via HTTP](package-management/binary-cache-substituter.md)
     - [Copying Closures via SSH](package-management/copy-closure.md)
     - [Serving a Nix store via SSH](package-management/ssh-substituter.md)
diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
new file mode 100644
index 000000000..28e2a1f0b
--- /dev/null
+++ b/doc/manual/src/package-management/terminology.md
@@ -0,0 +1,27 @@
+# Terminology
+
+A *local store* exists on the local filesystem of the machine where
+Nix is invoked.  The `/nix/store` directory is one example of a
+local store.  You can use other local stores by passing the
+`--store` flag to `nix`.
+
+A *remote store* is a store which exists anywhere other than the
+local filesystem.  One example is the `/nix/store` directory on
+another machine, accessed via `ssh` or served by the `nix-serve`
+Perl script.
+
+A *binary cache* is a remote store which is not the local store of
+any machine.  Examples of binary caches include S3 buckets and the
+[NixOS binary cache](https://cache.nixos.org).  Binary caches use a
+disk layout that is different from local stores; in particular, they
+keep metadata and signatures in `.narinfo` files rather than in
+`/nix/var/nix/db`.
+
+A *substituter* is a store other than `/nix/store` from which nix will
+copy the realisation of a derivation instead of building it.  Nix will
+not copy a realisation from a remote store unless one of the following
+is true:
+
+- the realisation is signed by one of the `trusted-public-key`s
+- the substituter is in the `trusted-substituters` list
+- the `no-require-sigs` option has been set to disable signature checking

From 56d4fc194ba90ee4e559a07a895f6bf4a61ef462 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 4 Aug 2022 14:14:24 -0700
Subject: [PATCH 03/49] fourth trust condition: FODs

---
 doc/manual/src/package-management/terminology.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index 28e2a1f0b..1722a9fc8 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -25,3 +25,5 @@ is true:
 - the realisation is signed by one of the `trusted-public-key`s
 - the substituter is in the `trusted-substituters` list
 - the `no-require-sigs` option has been set to disable signature checking
+- the derivation is a fixed-output derivation
+

From 8f44d24c525160b2ddef5e18a4af4ce667e23e9f Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 4 Aug 2022 14:19:25 -0700
Subject: [PATCH 04/49] !fixup whitespace

---
 doc/manual/src/package-management/terminology.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index 1722a9fc8..d800bafc1 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -26,4 +26,3 @@ is true:
 - the substituter is in the `trusted-substituters` list
 - the `no-require-sigs` option has been set to disable signature checking
 - the derivation is a fixed-output derivation
-

From 62674659ed7b7fc6a2c884f52df2474e344400f8 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 4 Aug 2022 14:21:17 -0700
Subject: [PATCH 05/49] !fixup capitalize Nix

---
 doc/manual/src/package-management/terminology.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index d800bafc1..8dc2ede33 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -17,7 +17,7 @@ disk layout that is different from local stores; in particular, they
 keep metadata and signatures in `.narinfo` files rather than in
 `/nix/var/nix/db`.
 
-A *substituter* is a store other than `/nix/store` from which nix will
+A *substituter* is a store other than `/nix/store` from which Nix will
 copy the realisation of a derivation instead of building it.  Nix will
 not copy a realisation from a remote store unless one of the following
 is true:

From 1b97f3872ed70d9ad5d19d27dc56b42ba4d26382 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 4 Aug 2022 14:22:14 -0700
Subject: [PATCH 06/49] !fixup: transposed characters

---
 doc/manual/src/package-management/terminology.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index 8dc2ede33..6ad0f6833 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -22,7 +22,7 @@ copy the realisation of a derivation instead of building it.  Nix will
 not copy a realisation from a remote store unless one of the following
 is true:
 
-- the realisation is signed by one of the `trusted-public-key`s
+- the realisation is signed by one of the `trusted-public-keys`
 - the substituter is in the `trusted-substituters` list
 - the `no-require-sigs` option has been set to disable signature checking
 - the derivation is a fixed-output derivation

From aae771cad26a3803ef0a0855c782823d22949cf3 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Fri, 5 Aug 2022 10:12:46 -0700
Subject: [PATCH 07/49] !implement
 https://github.com/NixOS/nix/pull/6870#discussion_r938912244

---
 doc/manual/src/package-management/terminology.md | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index 6ad0f6833..241bb6c5a 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -18,11 +18,10 @@ keep metadata and signatures in `.narinfo` files rather than in
 `/nix/var/nix/db`.
 
 A *substituter* is a store other than `/nix/store` from which Nix will
-copy the realisation of a derivation instead of building it.  Nix will
-not copy a realisation from a remote store unless one of the following
-is true:
+copy a store path instead of building it.  Nix will not copy a store
+path from a remote store unless one of the following is true:
 
-- the realisation is signed by one of the `trusted-public-keys`
+- the store object is signed by one of the `trusted-public-keys`
 - the substituter is in the `trusted-substituters` list
 - the `no-require-sigs` option has been set to disable signature checking
-- the derivation is a fixed-output derivation
+- the store object is the realisation of a fixed-output derivation

From 2eb74c918dc7dc04ed36b3fdcd95406007d97690 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Fri, 5 Aug 2022 10:13:41 -0700
Subject: [PATCH 08/49] derivations do not need to be signed

---
 doc/manual/src/package-management/terminology.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index 241bb6c5a..4b9e68de9 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -24,4 +24,5 @@ path from a remote store unless one of the following is true:
 - the store object is signed by one of the `trusted-public-keys`
 - the substituter is in the `trusted-substituters` list
 - the `no-require-sigs` option has been set to disable signature checking
+- the store object is a derivation
 - the store object is the realisation of a fixed-output derivation

From 66a93a76b9842ac18188b91f5a30c4ac4f2b6118 Mon Sep 17 00:00:00 2001
From: Adam Joseph <54836058+amjoseph-nixpkgs@users.noreply.github.com>
Date: Fri, 5 Aug 2022 17:15:37 +0000
Subject: [PATCH 09/49] Update doc/manual/src/package-management/terminology.md

Co-authored-by: Attila Gulyas <toraritte@gmail.com>
---
 .../src/package-management/terminology.md     | 24 ++++++++++++-------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index 4b9e68de9..564667f93 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -1,14 +1,22 @@
 # Terminology
 
-A *local store* exists on the local filesystem of the machine where
-Nix is invoked.  The `/nix/store` directory is one example of a
-local store.  You can use other local stores by passing the
-`--store` flag to `nix`.
+From   the  perspective   of   the  location   where  Nix   is
+invoked<sup><b>1</b></sup>, the  Nix store can be  referred to
+as a "_local_" or a "_remote_" one:
 
-A *remote store* is a store which exists anywhere other than the
-local filesystem.  One example is the `/nix/store` directory on
-another machine, accessed via `ssh` or served by the `nix-serve`
-Perl script.
+<sup>\[1]: Where "invoking Nix" means  an executing a Nix core
+action/operation on  a Nix store.  For example, using  any CLI
+commands from the `NixOS/nix` implementation.</sup>
+
++ A *local  store* exists  on the local  filesystem of
+  the machine where Nix is  invoked. You can use other
+  local stores  by passing  the `--store` flag  to the
+  `nix` command.
+
++ A  *remote store*  exists  anywhere  other than  the
+  local  filesystem. One  example is  the `/nix/store`
+  directory on another machine,  accessed via `ssh` or
+  served by the `nix-serve` Perl script.
 
 A *binary cache* is a remote store which is not the local store of
 any machine.  Examples of binary caches include S3 buckets and the

From d5506aa71200425b65cc1777077478f5ff8d2aff Mon Sep 17 00:00:00 2001
From: Adam Joseph <54836058+amjoseph-nixpkgs@users.noreply.github.com>
Date: Fri, 5 Aug 2022 17:19:52 +0000
Subject: [PATCH 10/49] Update doc/manual/src/package-management/terminology.md

Co-authored-by: Attila Gulyas <toraritte@gmail.com>
---
 doc/manual/src/package-management/terminology.md | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index 564667f93..b3e9ea040 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -18,12 +18,10 @@ commands from the `NixOS/nix` implementation.</sup>
   directory on another machine,  accessed via `ssh` or
   served by the `nix-serve` Perl script.
 
-A *binary cache* is a remote store which is not the local store of
-any machine.  Examples of binary caches include S3 buckets and the
-[NixOS binary cache](https://cache.nixos.org).  Binary caches use a
-disk layout that is different from local stores; in particular, they
-keep metadata and signatures in `.narinfo` files rather than in
-`/nix/var/nix/db`.
+A *binary cache* is a specialized Nix store whose metadata and
+signatures are kept in `.narinfo` files rather than in the Nix
+database. Examples of binary caches include S3 buckets and the
+[NixOS binary cache](https://cache.nixos.org).
 
 A *substituter* is a store other than `/nix/store` from which Nix will
 copy a store path instead of building it.  Nix will not copy a store

From 4de95f7f565df71d8ebddb7434e2b0feb49a833b Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Fri, 5 Aug 2022 10:33:48 -0700
Subject: [PATCH 11/49] gesture at explanation of why binary caches exist

---
 doc/manual/src/package-management/terminology.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
index b3e9ea040..493f5f03e 100644
--- a/doc/manual/src/package-management/terminology.md
+++ b/doc/manual/src/package-management/terminology.md
@@ -18,10 +18,12 @@ commands from the `NixOS/nix` implementation.</sup>
   directory on another machine,  accessed via `ssh` or
   served by the `nix-serve` Perl script.
 
-A *binary cache* is a specialized Nix store whose metadata and
-signatures are kept in `.narinfo` files rather than in the Nix
-database. Examples of binary caches include S3 buckets and the
-[NixOS binary cache](https://cache.nixos.org).
+A *binary cache* is a Nix store which uses a different format: its
+metadata and signatures are kept in `.narinfo` files rather than in a
+Nix database.  This different format simplifies serving store objects
+over the network, but cannot host builds.  Examples of binary caches
+include S3 buckets and the [NixOS binary
+cache](https://cache.nixos.org).
 
 A *substituter* is a store other than `/nix/store` from which Nix will
 copy a store path instead of building it.  Nix will not copy a store

From 1d3b92e80ca1564bf2c5ee207df707e215188633 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Fri, 5 Aug 2022 10:39:43 -0700
Subject: [PATCH 12/49] move package-management/terminology into glossary.md

---
 doc/manual/src/SUMMARY.md.in                  |  1 -
 doc/manual/src/glossary.md                    | 37 +++++++++++++++++++
 .../src/package-management/terminology.md     | 36 ------------------
 3 files changed, 37 insertions(+), 37 deletions(-)
 delete mode 100644 doc/manual/src/package-management/terminology.md

diff --git a/doc/manual/src/SUMMARY.md.in b/doc/manual/src/SUMMARY.md.in
index f8da2247b..a47d39f31 100644
--- a/doc/manual/src/SUMMARY.md.in
+++ b/doc/manual/src/SUMMARY.md.in
@@ -22,7 +22,6 @@
     - [Garbage Collector Roots](package-management/garbage-collector-roots.md)
   - [Channels](package-management/channels.md)
   - [Sharing Packages Between Machines](package-management/sharing-packages.md)
-    - [Terminology](package-management/terminology.md)
     - [Serving a Nix store via HTTP](package-management/binary-cache-substituter.md)
     - [Copying Closures via SSH](package-management/copy-closure.md)
     - [Serving a Nix store via SSH](package-management/ssh-substituter.md)
diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index aa0ac78cb..f4c51588d 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -11,6 +11,32 @@
     The location in the file system where store objects live. Typically
     `/nix/store`.
 
+    From   the  perspective   of   the  location   where  Nix   is
+    invoked<sup><b>1</b></sup>, the  Nix store can be  referred to
+    as a "_local_" or a "_remote_" one:
+
+    <sup>\[1]: Where "invoking Nix" means  an executing a Nix core
+    action/operation on  a Nix store.  For example, using  any CLI
+    commands from the `NixOS/nix` implementation.</sup>
+
+    + A *local  store* exists  on the local  filesystem of
+      the machine where Nix is  invoked. You can use other
+      local stores  by passing  the `--store` flag  to the
+      `nix` command.
+
+    + A  *remote store*  exists  anywhere  other than  the
+      local  filesystem. One  example is  the `/nix/store`
+      directory on another machine,  accessed via `ssh` or
+      served by the `nix-serve` Perl script.
+
+  - [binary cache]{#binary-cache}\
+    A *binary cache* is a Nix store which uses a different format: its
+    metadata and signatures are kept in `.narinfo` files rather than in a
+    Nix database.  This different format simplifies serving store objects
+    over the network, but cannot host builds.  Examples of binary caches
+    include S3 buckets and the [NixOS binary
+    cache](https://cache.nixos.org).
+
   - [store path]{#gloss-store-path}\
     The location in the file system of a store object, i.e., an
     immediate child of the Nix store directory.
@@ -29,6 +55,17 @@
     store object by downloading a pre-built version of the store object
     from some server.
 
+  - [substituter]{#gloss-substituter}\
+    A *substituter* is a store other than `/nix/store` from which Nix will
+    copy a store path instead of building it.  Nix will not copy a store
+    path from a remote store unless one of the following is true:
+
+    - the store object is signed by one of the `trusted-public-keys`
+    - the substituter is in the `trusted-substituters` list
+    - the `no-require-sigs` option has been set to disable signature checking
+    - the store object is a derivation
+    - the store object is the realisation of a fixed-output derivation
+
   - [purity]{#gloss-purity}\
     The assumption that equal Nix derivations when run always produce
     the same output. This cannot be guaranteed in general (e.g., a
diff --git a/doc/manual/src/package-management/terminology.md b/doc/manual/src/package-management/terminology.md
deleted file mode 100644
index 493f5f03e..000000000
--- a/doc/manual/src/package-management/terminology.md
+++ /dev/null
@@ -1,36 +0,0 @@
-# Terminology
-
-From   the  perspective   of   the  location   where  Nix   is
-invoked<sup><b>1</b></sup>, the  Nix store can be  referred to
-as a "_local_" or a "_remote_" one:
-
-<sup>\[1]: Where "invoking Nix" means  an executing a Nix core
-action/operation on  a Nix store.  For example, using  any CLI
-commands from the `NixOS/nix` implementation.</sup>
-
-+ A *local  store* exists  on the local  filesystem of
-  the machine where Nix is  invoked. You can use other
-  local stores  by passing  the `--store` flag  to the
-  `nix` command.
-
-+ A  *remote store*  exists  anywhere  other than  the
-  local  filesystem. One  example is  the `/nix/store`
-  directory on another machine,  accessed via `ssh` or
-  served by the `nix-serve` Perl script.
-
-A *binary cache* is a Nix store which uses a different format: its
-metadata and signatures are kept in `.narinfo` files rather than in a
-Nix database.  This different format simplifies serving store objects
-over the network, but cannot host builds.  Examples of binary caches
-include S3 buckets and the [NixOS binary
-cache](https://cache.nixos.org).
-
-A *substituter* is a store other than `/nix/store` from which Nix will
-copy a store path instead of building it.  Nix will not copy a store
-path from a remote store unless one of the following is true:
-
-- the store object is signed by one of the `trusted-public-keys`
-- the substituter is in the `trusted-substituters` list
-- the `no-require-sigs` option has been set to disable signature checking
-- the store object is a derivation
-- the store object is the realisation of a fixed-output derivation

From b5d85f0922e0f4a9585a281f6d938ec67cd07349 Mon Sep 17 00:00:00 2001
From: "Travis A. Everett" <travis.a.everett@gmail.com>
Date: Fri, 5 Aug 2022 13:49:18 -0500
Subject: [PATCH 13/49] Apply suggestions from code review

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
---
 doc/manual/src/contributing/hacking.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index 9a371afa7..86c6522f2 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -113,11 +113,12 @@ You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-
 
 Testing the install scripts has traditionally been tedious, but you can now do this much more easily via the GitHub Actions CI runs (at least for platforms that Github Actions supports).
 
-If you've already pushed to a fork of Nix on GitHub before, you may have noticed that the CI workflows in your fork list skipped "installer" and "installer_test" jobs. Once your Nix fork is set up correctly, pushing to it will also run these jobs.
-- The `installer` job will generate installers for these platforms: x86_64-linux, armv6l-linux, armv7l-linux, x86_64-darwin. While this installer is in your Cachix cache, you can use it for manual testing on any of these platforms.
+If you've already pushed to a fork of Nix on GitHub before, you may have noticed that the CI workflows in your fork list skipped `installer` and `installer_test` jobs. Once your Nix fork is set up correctly, pushing to it will also run these jobs.
+- The `installer` job will generate installers for these platforms: `x86_64-linux`, `armv6l-linux`, `armv7l-linux`, `x86_64-darwin`. While this installer is in your Cachix cache, you can use it for manual testing on any of these platforms.
 - the `installer_test` job will try to use this installer and run a trivial Nix command on `ubuntu-latest` and `macos-latest`.
 
 ### One-time setup
+
 1. Have a GitHub account with a fork of the Nix repo.
 2. At cachix.org:
     - Create or log in to an account.

From 9b7bd2dd1fc83f6df449fce3967a95cb098ca4b2 Mon Sep 17 00:00:00 2001
From: "Travis A. Everett" <travis.a.everett@gmail.com>
Date: Mon, 8 Aug 2022 10:04:27 -0500
Subject: [PATCH 14/49] Apply suggestions from code review

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
---
 doc/manual/src/contributing/hacking.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index 86c6522f2..d8a8c8591 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -114,7 +114,13 @@ You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-
 Testing the install scripts has traditionally been tedious, but you can now do this much more easily via the GitHub Actions CI runs (at least for platforms that Github Actions supports).
 
 If you've already pushed to a fork of Nix on GitHub before, you may have noticed that the CI workflows in your fork list skipped `installer` and `installer_test` jobs. Once your Nix fork is set up correctly, pushing to it will also run these jobs.
-- The `installer` job will generate installers for these platforms: `x86_64-linux`, `armv6l-linux`, `armv7l-linux`, `x86_64-darwin`. While this installer is in your Cachix cache, you can use it for manual testing on any of these platforms.
+- The `installer` job will generate installers for these platforms:
+  - `x86_64-linux`
+  - `armv6l-linux`
+  - `armv7l-linux`
+  - `x86_64-darwin`.
+  
+  While this installer is in your Cachix cache, you can use it for manual testing on any of these platforms.
 - the `installer_test` job will try to use this installer and run a trivial Nix command on `ubuntu-latest` and `macos-latest`.
 
 ### One-time setup

From bac1e1bf8c359b5e6831c3974a05bdce867775a5 Mon Sep 17 00:00:00 2001
From: Adam Joseph <54836058+amjoseph-nixpkgs@users.noreply.github.com>
Date: Mon, 8 Aug 2022 17:52:31 +0000
Subject: [PATCH 15/49] Update doc/manual/src/glossary.md

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
---
 doc/manual/src/glossary.md | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index f4c51588d..77de58965 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -12,13 +12,9 @@
     `/nix/store`.
 
     From   the  perspective   of   the  location   where  Nix   is
-    invoked<sup><b>1</b></sup>, the  Nix store can be  referred to
+    invoked, the  Nix store can be  referred to
     as a "_local_" or a "_remote_" one:
 
-    <sup>\[1]: Where "invoking Nix" means  an executing a Nix core
-    action/operation on  a Nix store.  For example, using  any CLI
-    commands from the `NixOS/nix` implementation.</sup>
-
     + A *local  store* exists  on the local  filesystem of
       the machine where Nix is  invoked. You can use other
       local stores  by passing  the `--store` flag  to the

From 520587b9a0327194371146f4dd25c9227a2c79e2 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 13:38:07 -0700
Subject: [PATCH 16/49] glossary: local store: clarify

---
 doc/manual/src/glossary.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 77de58965..d653a2ae4 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -15,10 +15,10 @@
     invoked, the  Nix store can be  referred to
     as a "_local_" or a "_remote_" one:
 
-    + A *local  store* exists  on the local  filesystem of
+    + A *local  store* exists  on the filesystem of
       the machine where Nix is  invoked. You can use other
       local stores  by passing  the `--store` flag  to the
-      `nix` command.
+      `nix` command.  Local stores can be used for building derivations.
 
     + A  *remote store*  exists  anywhere  other than  the
       local  filesystem. One  example is  the `/nix/store`

From 2812682ebee9d4419ba89690177b31564ce5ba77 Mon Sep 17 00:00:00 2001
From: Adam Joseph <54836058+amjoseph-nixpkgs@users.noreply.github.com>
Date: Thu, 1 Sep 2022 20:40:39 +0000
Subject: [PATCH 17/49] Update doc/manual/src/glossary.md

Co-authored-by: John Ericson <git@JohnEricson.me>
---
 doc/manual/src/glossary.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index d653a2ae4..f072f35e1 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -52,7 +52,7 @@
     from some server.
 
   - [substituter]{#gloss-substituter}\
-    A *substituter* is a store other than `/nix/store` from which Nix will
+    A *substituter* is an additional store from which Nix will
     copy a store path instead of building it.  Nix will not copy a store
     path from a remote store unless one of the following is true:
 

From 9cb84121435e8ca6a51950b9d96a3d3be47c809e Mon Sep 17 00:00:00 2001
From: Adam Joseph <54836058+amjoseph-nixpkgs@users.noreply.github.com>
Date: Thu, 1 Sep 2022 20:41:04 +0000
Subject: [PATCH 18/49] Update doc/manual/src/glossary.md

Co-authored-by: John Ericson <git@JohnEricson.me>
---
 doc/manual/src/glossary.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index f072f35e1..91865c807 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -53,7 +53,7 @@
 
   - [substituter]{#gloss-substituter}\
     A *substituter* is an additional store from which Nix will
-    copy a store path instead of building it.  Nix will not copy a store
+    copy store objects it doesn't have. Nix will not copy a store
     path from a remote store unless one of the following is true:
 
     - the store object is signed by one of the `trusted-public-keys`

From 41153f30bd5ca1bd9fa10d18da7a6b5b78a94087 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 13:54:09 -0700
Subject: [PATCH 19/49] glossary: substituter: merge output-addressed cases

---
 doc/manual/src/glossary.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 91865c807..608beb8f8 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -59,8 +59,9 @@
     - the store object is signed by one of the `trusted-public-keys`
     - the substituter is in the `trusted-substituters` list
     - the `no-require-sigs` option has been set to disable signature checking
-    - the store object is a derivation
-    - the store object is the realisation of a fixed-output derivation
+    - the store object is *output-addressed*; this includes
+      derivations, the outputs of content-addressed derivations, and
+      the outputs of fixed-output derivations.
 
   - [purity]{#gloss-purity}\
     The assumption that equal Nix derivations when run always produce

From 1f56b5d77247d89a15a2c16ba2f5d1d672c835e8 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 14:09:06 -0700
Subject: [PATCH 20/49] doc/manual: un-inline definitions from `substitute`

---
 doc/manual/src/glossary.md | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 608beb8f8..8dff4646c 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -7,6 +7,14 @@
     translated into low-level *store derivations* (implicitly by
     `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).
 
+  - [content-addressed derivation]{#gloss-fixed-output-derivation}
+    FIXME
+
+  - [fixed-output derivation]{#gloss-fixed-output-derivation}
+    A derivation which includes the `__outHash` attribute; the output
+    of such derivations must exactly match the hash.  All fixed-output
+    derivations are [content-addressed derivations](#gloss-content-addressed-derivation).
+
   - [store]{#gloss-store}\
     The location in the file system where store objects live. Typically
     `/nix/store`.
@@ -44,6 +52,16 @@
     derivation outputs (objects produced by running a build action), or
     derivations (files describing a build action).
 
+  - [input-addressed store object]{#gloss-input-addressed-store-object}\
+    Store objects produced by building a
+    non-[content-addressed](#gloss-content-addressed-derivation)
+    derivation.
+
+  - [output-addressed store object]{#gloss-output-addressed-store-object}\
+    A store object whose store path hashes its content.  This
+    includes derivations and the outputs of
+    [content-addressed derivations](#gloss-content-addressed-derivation)
+
   - [substitute]{#gloss-substitute}\
     A substitute is a command invocation stored in the Nix database that
     describes how to build a store object, bypassing the normal build
@@ -59,9 +77,7 @@
     - the store object is signed by one of the `trusted-public-keys`
     - the substituter is in the `trusted-substituters` list
     - the `no-require-sigs` option has been set to disable signature checking
-    - the store object is *output-addressed*; this includes
-      derivations, the outputs of content-addressed derivations, and
-      the outputs of fixed-output derivations.
+    - the store object is [output-addressed](#gloss-output-addressed-store-object)
 
   - [purity]{#gloss-purity}\
     The assumption that equal Nix derivations when run always produce

From 0a98d564b3d8d195c023429e5f7faf63e20b5d93 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 14:41:27 -0700
Subject: [PATCH 21/49] glossary: resolve FIXME in
 #gloss-fixed-output-derivation

---
 doc/manual/src/glossary.md | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 8dff4646c..473aef03c 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -7,13 +7,14 @@
     translated into low-level *store derivations* (implicitly by
     `nix-env` and `nix-build`, or explicitly by `nix-instantiate`).
 
-  - [content-addressed derivation]{#gloss-fixed-output-derivation}
-    FIXME
+  - [content-addressed derivation]{#gloss-content-addressed-derivation}\
+    A derivation which has the
+    [`__contentAddressed`](language/advanced-attributes.md#contentAddressed)
+    attribute set to `true`.
 
-  - [fixed-output derivation]{#gloss-fixed-output-derivation}
-    A derivation which includes the `__outHash` attribute; the output
-    of such derivations must exactly match the hash.  All fixed-output
-    derivations are [content-addressed derivations](#gloss-content-addressed-derivation).
+  - [fixed-output derivation]{#gloss-fixed-output-derivation}\
+    A derivation which includes the `__outputHash` attribute; the output
+    of such derivations must exactly match the hash.
 
   - [store]{#gloss-store}\
     The location in the file system where store objects live. Typically
@@ -59,8 +60,10 @@
 
   - [output-addressed store object]{#gloss-output-addressed-store-object}\
     A store object whose store path hashes its content.  This
-    includes derivations and the outputs of
-    [content-addressed derivations](#gloss-content-addressed-derivation)
+    includes derivations, the outputs of
+    [content-addressed derivations](#gloss-content-addressed-derivation),
+    and the outputs of
+    [fixed-output derivations](#gloss-fixed-output-derivation).
 
   - [substitute]{#gloss-substitute}\
     A substitute is a command invocation stored in the Nix database that

From 1b2b8c39fd64871b3df261c05ed001fcd1057a6c Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 14:47:17 -0700
Subject: [PATCH 22/49] fix link to
 language/advanced-attributes.md#adv-attr-contentAddressed

---
 doc/manual/src/glossary.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 473aef03c..bf1d0cf05 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -9,7 +9,7 @@
 
   - [content-addressed derivation]{#gloss-content-addressed-derivation}\
     A derivation which has the
-    [`__contentAddressed`](language/advanced-attributes.md#contentAddressed)
+    [`__contentAddressed`](language/advanced-attributes.md#adv-attr-contentAddressed)
     attribute set to `true`.
 
   - [fixed-output derivation]{#gloss-fixed-output-derivation}\

From def4fb9a0f73046efbf9fdb4f1e35898fb27ca34 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 14:47:33 -0700
Subject: [PATCH 23/49] __outputHash: add link

---
 doc/manual/src/glossary.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index bf1d0cf05..d61cfc823 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -13,8 +13,8 @@
     attribute set to `true`.
 
   - [fixed-output derivation]{#gloss-fixed-output-derivation}\
-    A derivation which includes the `__outputHash` attribute; the output
-    of such derivations must exactly match the hash.
+    A derivation which includes the
+    [`__outputHash`](language/advanced-attributes.md#adv-attr-outputHash) attribute.
 
   - [store]{#gloss-store}\
     The location in the file system where store objects live. Typically

From 8139bbe2ba767458cba4158627ee3d58f4a35d7d Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 15:01:07 -0700
Subject: [PATCH 24/49] implement
 https://github.com/NixOS/nix/pull/6870#pullrequestreview-1093700220

---
 doc/manual/src/glossary.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index d61cfc823..b30633833 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -74,8 +74,8 @@
 
   - [substituter]{#gloss-substituter}\
     A *substituter* is an additional store from which Nix will
-    copy store objects it doesn't have. Nix will not copy a store
-    path from a remote store unless one of the following is true:
+    copy store objects it doesn't have. Nix will copy a store
+    path from a remote store only if one of the following is true:
 
     - the store object is signed by one of the `trusted-public-keys`
     - the substituter is in the `trusted-substituters` list

From 57f12df5e4cde436566d3c4f0226d329e6eedf1a Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 15:09:10 -0700
Subject: [PATCH 25/49] input-addressed store object: include FODOs

---
 doc/manual/src/glossary.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index b30633833..89a9b94a1 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -54,8 +54,9 @@
     derivations (files describing a build action).
 
   - [input-addressed store object]{#gloss-input-addressed-store-object}\
-    Store objects produced by building a
-    non-[content-addressed](#gloss-content-addressed-derivation)
+    A store object produced by building a
+    non-[content-addressed](#gloss-content-addressed-derivation),
+    non-[fixed-output](#gloss-fixed-output-derivation),
     derivation.
 
   - [output-addressed store object]{#gloss-output-addressed-store-object}\

From d5e064d8162e377556dc9daba99868085561a080 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 17:46:31 -0700
Subject: [PATCH 26/49] glossary: fix broken link

---
 doc/manual/src/glossary.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 89a9b94a1..1aebdaa67 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -9,7 +9,7 @@
 
   - [content-addressed derivation]{#gloss-content-addressed-derivation}\
     A derivation which has the
-    [`__contentAddressed`](language/advanced-attributes.md#adv-attr-contentAddressed)
+    [`__contentAddressed`](language/advanced-attributes.md#adv-attr-__contentAddressed)
     attribute set to `true`.
 
   - [fixed-output derivation]{#gloss-fixed-output-derivation}\

From 887e922be29d37d377ef766c7fe7a2103f43ca21 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 17:47:13 -0700
Subject: [PATCH 27/49] glossary: outputHash, not __outputHash

---
 doc/manual/src/glossary.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 1aebdaa67..73e209103 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -14,7 +14,7 @@
 
   - [fixed-output derivation]{#gloss-fixed-output-derivation}\
     A derivation which includes the
-    [`__outputHash`](language/advanced-attributes.md#adv-attr-outputHash) attribute.
+    [`outputHash`](language/advanced-attributes.md#adv-attr-outputHash) attribute.
 
   - [store]{#gloss-store}\
     The location in the file system where store objects live. Typically

From f6c750e8b2f299e9876fd8f2578f9093682f6d7f Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 17:48:34 -0700
Subject: [PATCH 28/49] glossary: remove extraneous comma

---
 doc/manual/src/glossary.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 73e209103..7ba595ba0 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -56,7 +56,7 @@
   - [input-addressed store object]{#gloss-input-addressed-store-object}\
     A store object produced by building a
     non-[content-addressed](#gloss-content-addressed-derivation),
-    non-[fixed-output](#gloss-fixed-output-derivation),
+    non-[fixed-output](#gloss-fixed-output-derivation)
     derivation.
 
   - [output-addressed store object]{#gloss-output-addressed-store-object}\

From 59dc8346ca53f49ccdbbd6709b12a479376d1464 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 17:51:56 -0700
Subject: [PATCH 29/49] move substituter signature-checking conditions to
 configuration file documentation

---
 doc/manual/src/glossary.md | 9 ++-------
 src/libstore/globals.hh    | 8 ++++++++
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 7ba595ba0..6bf041e7c 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -75,13 +75,8 @@
 
   - [substituter]{#gloss-substituter}\
     A *substituter* is an additional store from which Nix will
-    copy store objects it doesn't have. Nix will copy a store
-    path from a remote store only if one of the following is true:
-
-    - the store object is signed by one of the `trusted-public-keys`
-    - the substituter is in the `trusted-substituters` list
-    - the `no-require-sigs` option has been set to disable signature checking
-    - the store object is [output-addressed](#gloss-output-addressed-store-object)
+    copy store objects it doesn't have.  For details, see the
+    [`substituters` option](command-ref/conf-file.html#conf-substituters).
 
   - [purity]{#gloss-purity}\
     The assumption that equal Nix derivations when run always produce
diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index d7f351166..a659036e2 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -613,6 +613,14 @@ public:
           are tried based on their Priority value, which each substituter can set
           independently. Lower value means higher priority.
           The default is `https://cache.nixos.org`, with a Priority of 40.
+
+          Nix will copy a store path from a remote store only if one
+          of the following is true:
+
+          - the store object is signed by one of the `trusted-public-keys`
+          - the substituter is in the `trusted-substituters` list
+          - the `no-require-sigs` option has been set to disable signature checking
+          - the store object is [output-addressed](#gloss-output-addressed-store-object)
         )",
         {"binary-caches"}};
 

From 1ab913467ef8e9ff946e64bd31841775d743b2d6 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 17:54:23 -0700
Subject: [PATCH 30/49] linkify mention of other options

---
 src/libstore/globals.hh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/libstore/globals.hh b/src/libstore/globals.hh
index a659036e2..a4db3bf08 100644
--- a/src/libstore/globals.hh
+++ b/src/libstore/globals.hh
@@ -617,10 +617,10 @@ public:
           Nix will copy a store path from a remote store only if one
           of the following is true:
 
-          - the store object is signed by one of the `trusted-public-keys`
-          - the substituter is in the `trusted-substituters` list
-          - the `no-require-sigs` option has been set to disable signature checking
-          - the store object is [output-addressed](#gloss-output-addressed-store-object)
+          - the store object is signed by one of the [`trusted-public-keys`](#conf-trusted-public-keys)
+          - the substituter is in the [`trusted-substituters`](#conf-trusted-substituters) list
+          - the [`require-sigs`](#conf-require-sigs) option has been set to `false`
+          - the store object is [output-addressed](glossary.md#gloss-output-addressed-store-object)
         )",
         {"binary-caches"}};
 

From e6f5352e71a1811eb2eb3bfb989e109de590c7a7 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 18:27:00 -0700
Subject: [PATCH 31/49] #binary-cache -> #gloss-binary-cache

---
 doc/manual/src/glossary.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index 6bf041e7c..a34b8a60c 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -34,7 +34,7 @@
       directory on another machine,  accessed via `ssh` or
       served by the `nix-serve` Perl script.
 
-  - [binary cache]{#binary-cache}\
+  - [binary cache]{#gloss-binary-cache}\
     A *binary cache* is a Nix store which uses a different format: its
     metadata and signatures are kept in `.narinfo` files rather than in a
     Nix database.  This different format simplifies serving store objects

From e90f2fcfc71ca997f254c86f8ed12fc143374752 Mon Sep 17 00:00:00 2001
From: Adam Joseph <adam@westernsemico.com>
Date: Thu, 1 Sep 2022 18:28:05 -0700
Subject: [PATCH 32/49] glossary: add entry for `chroot store` (used 11 times
 in nix)

---
 doc/manual/src/glossary.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/doc/manual/src/glossary.md b/doc/manual/src/glossary.md
index a34b8a60c..70a0eb994 100644
--- a/doc/manual/src/glossary.md
+++ b/doc/manual/src/glossary.md
@@ -34,6 +34,9 @@
       directory on another machine,  accessed via `ssh` or
       served by the `nix-serve` Perl script.
 
+  - [chroot store]{#gloss-chroot-store}\
+    A local store whose canonical path is anything other than `/nix/store`.
+
   - [binary cache]{#gloss-binary-cache}\
     A *binary cache* is a Nix store which uses a different format: its
     metadata and signatures are kept in `.narinfo` files rather than in a

From 47fa1087c8864654f6cfae84e25ac6db318ed1d4 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 16 Sep 2022 09:36:20 +0200
Subject: [PATCH 33/49] Update doc/manual/src/contributing/hacking.md

---
 doc/manual/src/contributing/hacking.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index d8a8c8591..628744bf2 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -142,8 +142,8 @@ After the CI run completes, you can check the output to extract the installer ur
 1. Click into the detailed view of the CI run.
 2. Click into any `installer_test` run (the URL you're here to extract will be the same in all of them).
 3. Click into the `Run cachix/install-nix-action@v...` step and click the detail triangle next to the first log line (it will also be `Run cachix/install-nix-action@v...`)
-4. Copy the install_url
-5. To generate an install command, plug this install_url and your github username into this template:
+4. Copy the value of `install_url`
+5. To generate an install command, plug this `install_url` and your GitHub username into this template:
 
     ```console
     sh <(curl -L <install_url>) --tarball-url-prefix https://<github-username>-nix-install-tests.cachix.org/serve

From 0a4bd9fe88807cbae51b8b8b51c4897a76991d20 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 16 Sep 2022 09:36:30 +0200
Subject: [PATCH 34/49] Update doc/manual/src/contributing/hacking.md

---
 doc/manual/src/contributing/hacking.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index 628744bf2..9e4e679e6 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -138,7 +138,7 @@ If you've already pushed to a fork of Nix on GitHub before, you may have noticed
 
 ### Using the CI-generated installer for manual testing
 
-After the CI run completes, you can check the output to extract the installer url:
+After the CI run completes, you can check the output to extract the installer URL:
 1. Click into the detailed view of the CI run.
 2. Click into any `installer_test` run (the URL you're here to extract will be the same in all of them).
 3. Click into the `Run cachix/install-nix-action@v...` step and click the detail triangle next to the first log line (it will also be `Run cachix/install-nix-action@v...`)

From 1ae974120a24f70eba12e073dbba4b7bac73eedf Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 16 Sep 2022 09:36:37 +0200
Subject: [PATCH 35/49] Update doc/manual/src/contributing/hacking.md

---
 doc/manual/src/contributing/hacking.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index 9e4e679e6..7f3905d38 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -121,7 +121,7 @@ If you've already pushed to a fork of Nix on GitHub before, you may have noticed
   - `x86_64-darwin`.
   
   While this installer is in your Cachix cache, you can use it for manual testing on any of these platforms.
-- the `installer_test` job will try to use this installer and run a trivial Nix command on `ubuntu-latest` and `macos-latest`.
+- The `installer_test` job will try to use this installer and run a trivial Nix command on `ubuntu-latest` and `macos-latest`.
 
 ### One-time setup
 

From dc8c0b173c2cc5bd0fe4273f741fda5591ba4133 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 16 Sep 2022 09:36:55 +0200
Subject: [PATCH 36/49] Update doc/manual/src/contributing/hacking.md

---
 doc/manual/src/contributing/hacking.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index 7f3905d38..f4aeda871 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -130,7 +130,7 @@ If you've already pushed to a fork of Nix on GitHub before, you may have noticed
     - Create or log in to an account.
     - Create a Cachix cache using the format `<github-username>-nix-install-tests`.
     - Navigate to the new cache > Settings > Auth Tokens.
-    - Generate a new cachix auth token and copy the generated value.
+    - Generate a new Cachix auth token and copy the generated value.
 4. At github.com:
     - Navigate to your Nix fork > Settings > Secrets > Actions > New repository secret.
     - Name the secret `CACHIX_AUTH_TOKEN`

From 4bd52bf6c4c88e2f8a9b703d75c3db5ad062353c Mon Sep 17 00:00:00 2001
From: "Travis A. Everett" <travis.a.everett@gmail.com>
Date: Sat, 17 Sep 2022 13:20:11 -0500
Subject: [PATCH 37/49] Apply suggestions from code review

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
---
 doc/manual/src/contributing/hacking.md | 2 --
 1 file changed, 2 deletions(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index f4aeda871..5fad34763 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -85,8 +85,6 @@ $ nix develop
 
 ## Testing Nix
 
-Nix comes with three different flavors of tests: unit, functional and integration.
-
 ### Unit-tests
 
 The unit-tests for each Nix library (`libexpr`, `libstore`, etc..) are defined

From 84bdb0e3ade70be722087b95beb7f460e0d3da8d Mon Sep 17 00:00:00 2001
From: "Travis A. Everett" <travis.a.everett@gmail.com>
Date: Sun, 18 Sep 2022 12:58:28 -0500
Subject: [PATCH 38/49] address review feedback

Mainly:
- Try to triangulate between narrative that framed this as
  a new/easy process and the need for a reference that will
  not quickly grow stale.
- Fix a ~continuity issue where the text was talking about
  "your Cachix cache" before saying that you'd need to make
  a Cachix cache to enable the installer tests.
- Adopt suggestion on titling, and nest subtitles in the
  installer test section.
---
 doc/manual/src/contributing/hacking.md | 28 +++++++++++++-------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index 5fad34763..f67660ab2 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -83,7 +83,7 @@ by:
 $ nix develop
 ```
 
-## Testing Nix
+## Running tests
 
 ### Unit-tests
 
@@ -107,21 +107,21 @@ Because these tests are expensive and require more than what the standard github
 
 You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-build -A hydraJobs.tests.{testName}`
 
-## Testing the install scripts
+### Installer tests
 
-Testing the install scripts has traditionally been tedious, but you can now do this much more easily via the GitHub Actions CI runs (at least for platforms that Github Actions supports).
+With just a little one-time setup, the Nix repository's GitHub Actions continuous integration (CI) workflow can easily test the installer each time you push to a branch.
 
-If you've already pushed to a fork of Nix on GitHub before, you may have noticed that the CI workflows in your fork list skipped `installer` and `installer_test` jobs. Once your Nix fork is set up correctly, pushing to it will also run these jobs.
-- The `installer` job will generate installers for these platforms:
+Creating a Cachix cache for your installer tests and adding its authorization token to GitHub enables [two installer-specific jobs in the CI workflow](https://github.com/NixOS/nix/blob/88a45d6149c0e304f6eb2efcc2d7a4d0d569f8af/.github/workflows/ci.yml#L50-L91):
+
+- The `installer` job generates installers for the platforms below and uploads them to your Cachix cache:
   - `x86_64-linux`
   - `armv6l-linux`
   - `armv7l-linux`
-  - `x86_64-darwin`.
-  
-  While this installer is in your Cachix cache, you can use it for manual testing on any of these platforms.
-- The `installer_test` job will try to use this installer and run a trivial Nix command on `ubuntu-latest` and `macos-latest`.
+  - `x86_64-darwin`
 
-### One-time setup
+- The `installer_test` job (which runs on `ubuntu-latest` and `macos-latest`) will try to install Nix with the cached installer and run a trivial Nix command.
+
+#### One-time setup
 
 1. Have a GitHub account with a fork of the Nix repo.
 2. At cachix.org:
@@ -129,12 +129,12 @@ If you've already pushed to a fork of Nix on GitHub before, you may have noticed
     - Create a Cachix cache using the format `<github-username>-nix-install-tests`.
     - Navigate to the new cache > Settings > Auth Tokens.
     - Generate a new Cachix auth token and copy the generated value.
-4. At github.com:
+3. At github.com:
     - Navigate to your Nix fork > Settings > Secrets > Actions > New repository secret.
-    - Name the secret `CACHIX_AUTH_TOKEN`
+    - Name the secret `CACHIX_AUTH_TOKEN`.
     - Paste the copied value of the Cachix cache auth token.
 
-### Using the CI-generated installer for manual testing
+#### Using the CI-generated installer for manual testing
 
 After the CI run completes, you can check the output to extract the installer URL:
 1. Click into the detailed view of the CI run.
@@ -147,7 +147,7 @@ After the CI run completes, you can check the output to extract the installer UR
     sh <(curl -L <install_url>) --tarball-url-prefix https://<github-username>-nix-install-tests.cachix.org/serve
     ```
 
-<!-- ### Manually generating test installers
+<!-- #### Manually generating test installers
 
 There's obviously a manual way to do this, and it's still the only way for
 platforms that lack GA runners.

From 223f8dace091a0549f86b966b1d935c42bb01efd Mon Sep 17 00:00:00 2001
From: squalus <squalus@squalus.net>
Date: Thu, 22 Sep 2022 12:47:43 -0700
Subject: [PATCH 39/49] archive: check close errors when extracting nars

---
 src/libstore/nar-accessor.cc | 3 +++
 src/libutil/archive.cc       | 7 +++++++
 src/libutil/archive.hh       | 1 +
 3 files changed, 11 insertions(+)

diff --git a/src/libstore/nar-accessor.cc b/src/libstore/nar-accessor.cc
index 72d41cc94..398147fc3 100644
--- a/src/libstore/nar-accessor.cc
+++ b/src/libstore/nar-accessor.cc
@@ -75,6 +75,9 @@ struct NarAccessor : public FSAccessor
             createMember(path, {FSAccessor::Type::tRegular, false, 0, 0});
         }
 
+        void closeRegularFile() override
+        { }
+
         void isExecutable() override
         {
             parents.top()->isExecutable = true;
diff --git a/src/libutil/archive.cc b/src/libutil/archive.cc
index 30b471af5..4b0636129 100644
--- a/src/libutil/archive.cc
+++ b/src/libutil/archive.cc
@@ -234,6 +234,7 @@ static void parse(ParseSink & sink, Source & source, const Path & path)
 
         else if (s == "contents" && type == tpRegular) {
             parseContents(sink, source, path);
+            sink.closeRegularFile();
         }
 
         else if (s == "executable" && type == tpRegular) {
@@ -324,6 +325,12 @@ struct RestoreSink : ParseSink
         if (!fd) throw SysError("creating file '%1%'", p);
     }
 
+    void closeRegularFile() override
+    {
+        /* Call close explicitly to make sure the error is checked */
+        fd.close();
+    }
+
     void isExecutable() override
     {
         struct stat st;
diff --git a/src/libutil/archive.hh b/src/libutil/archive.hh
index 79ce08df0..ac4183bf5 100644
--- a/src/libutil/archive.hh
+++ b/src/libutil/archive.hh
@@ -60,6 +60,7 @@ struct ParseSink
     virtual void createDirectory(const Path & path) { };
 
     virtual void createRegularFile(const Path & path) { };
+    virtual void closeRegularFile() { };
     virtual void isExecutable() { };
     virtual void preallocateContents(uint64_t size) { };
     virtual void receiveContents(std::string_view data) { };

From 847cd49909d24dde08f004ba1fb7a72c7f7a7b8c Mon Sep 17 00:00:00 2001
From: Solene Rapenne <solene@perso.pw>
Date: Wed, 28 Sep 2022 01:03:46 +0200
Subject: [PATCH 40/49] nix-copy-closure: improve wording

---
 doc/manual/src/command-ref/nix-copy-closure.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/command-ref/nix-copy-closure.md b/doc/manual/src/command-ref/nix-copy-closure.md
index 7047d3012..9a29030bd 100644
--- a/doc/manual/src/command-ref/nix-copy-closure.md
+++ b/doc/manual/src/command-ref/nix-copy-closure.md
@@ -30,8 +30,8 @@ Since `nix-copy-closure` calls `ssh`, you may be asked to type in the
 appropriate password or passphrase.  In fact, you may be asked _twice_
 because `nix-copy-closure` currently connects twice to the remote
 machine, first to get the set of paths missing on the target machine,
-and second to send the dump of those paths.  If this bothers you, use
-`ssh-agent`.
+and second to send the dump of those paths.  When using public key
+authentication, you can avoid typing the passphrase with `ssh-agent`.
 
 # Options
 

From 62d53bc8a4ce7fdb8d52e6805ff900d9e77e1ae0 Mon Sep 17 00:00:00 2001
From: Solene Rapenne <solene.rapenne@tweag.io>
Date: Wed, 28 Sep 2022 15:54:45 +0200
Subject: [PATCH 41/49] tests/build-dry: re-enable some test

---
 tests/build-dry.sh | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/tests/build-dry.sh b/tests/build-dry.sh
index f0f38e9a0..5f29239dc 100644
--- a/tests/build-dry.sh
+++ b/tests/build-dry.sh
@@ -18,9 +18,6 @@ nix-build --no-out-link dependencies.nix --dry-run 2>&1 | grep "will be built"
 # Now new command:
 nix build -f dependencies.nix --dry-run 2>&1 | grep "will be built"
 
-# TODO: XXX: FIXME: #1793
-# Disable this part of the test until the problem is resolved:
-if [ -n "$ISSUE_1795_IS_FIXED" ]; then
 clearStore
 clearCache
 
@@ -28,7 +25,6 @@ clearCache
 nix build -f dependencies.nix --dry-run 2>&1 | grep "will be built"
 # Now old command:
 nix-build --no-out-link dependencies.nix --dry-run 2>&1 | grep "will be built"
-fi
 
 ###################################################
 # Check --dry-run doesn't create links with --dry-run

From 6b56bb4a79a3aa20160c21ec7e5e17e9c4b2b6c3 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 26 Aug 2022 17:08:20 +0200
Subject: [PATCH 42/49] use indented strings where appropriate

---
 doc/manual/generate-manpage.nix | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/doc/manual/generate-manpage.nix b/doc/manual/generate-manpage.nix
index 17701c3a3..7b1ca8c11 100644
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -8,12 +8,18 @@ let
   showCommand =
     { command, def, filename }:
     ''
-      **Warning**: This program is **experimental** and its interface is subject to change.
+      > **Warning**
+      > This program is **experimental** and its interface is subject to change.
+
+      # Name
+
+      `${command}` - ${def.description}
+
+      # Synopsis
+
+      ${showSynopsis { inherit command; args = def.args; }}
+
     ''
-    + "# Name\n\n"
-    + "`${command}` - ${def.description}\n\n"
-    + "# Synopsis\n\n"
-    + showSynopsis { inherit command; args = def.args; }
     + (if def.commands or {} != {}
        then
          let
@@ -24,8 +30,10 @@ let
                + "[`${command} ${name}`](./${appendName filename name}.md)"
                + " - ${cmds.${name}.description}\n")
                (attrNames cmds));
-         in
-         "where *subcommand* is one of the following:\n\n"
+         in ''
+         where *subcommand* is one of the following:
+
+         ''
          # FIXME: group by category
          + (if length categories > 1
             then
@@ -76,7 +84,7 @@ let
   showSynopsis =
     { command, args }:
     "`${command}` [*option*...] ${concatStringsSep " "
-      (map (arg: "*${arg.label}*" + (if arg ? arity then "" else "...")) args)}\n\n";
+      (map (arg: "*${arg.label}*" + (if arg ? arity then "" else "...")) args)}";
 
   processCommand = { command, def, filename }:
     [ { name = filename + ".md"; value = showCommand { inherit command def filename; }; inherit command; } ]

From 4655563470b59e0ef50a33af003058c2b54db778 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 26 Aug 2022 17:40:34 +0200
Subject: [PATCH 43/49] refactor rendering command documentation to markdown

idea:
- make document structure visible, like in a template
- order functions by descending abstraction
- avoid nested let bindings
---
 doc/manual/generate-manpage.nix | 138 ++++++++++++++++----------------
 1 file changed, 70 insertions(+), 68 deletions(-)

diff --git a/doc/manual/generate-manpage.nix b/doc/manual/generate-manpage.nix
index 7b1ca8c11..c8290685a 100644
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -5,10 +5,70 @@ with import ./utils.nix;
 
 let
 
-  showCommand =
-    { command, def, filename }:
-    ''
-      > **Warning**
+  showCommand = { command, def, filename }:
+    let
+      showSynopsis = command: args:
+        let
+          showArgument = arg: "*${arg.label}*" + (if arg ? arity then "" else "...");
+          arguments = concatStringsSep " " (map showArgument args);
+        in ''
+         `${command}` [*option*...] ${arguments}
+        '';
+      maybeSubcommands = if def ? commands && def.commands != {}
+        then ''
+           where *subcommand* is one of the following:
+
+           ${subcommands}
+         ''
+        else "";
+      subcommands = if length categories > 1
+        then listCategories
+        else listSubcommands def.commands;
+      categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues def.commands)));
+      listCategories = concatStrings (map showCategory categories);
+      showCategory = cat: ''
+        **${toString cat.description}:**
+
+        ${listSubcommands (filterAttrs (n: v: v.category == cat) def.commands)}
+      '';
+      listSubcommands = cmds: concatStrings (attrValues (mapAttrs showSubcommand cmds));
+      showSubcommand = name: subcmd: ''
+        * [`${command} ${name}`](./${appendName filename name}.md) - ${subcmd.description}
+      '';
+      maybeDocumentation = if def ? doc then def.doc else "";
+      maybeOptions = if def.flags == {} then "" else ''
+        # Options
+
+        ${showOptions def.flags}
+      '';
+      showOptions = flags:
+        let
+          categories = sort builtins.lessThan (unique (map (cmd: cmd.category) (attrValues flags)));
+        in
+          concatStrings (map
+            (cat:
+              (if cat != ""
+               then "**${cat}:**\n\n"
+               else "")
+              + concatStrings
+                (map (longName:
+                  let
+                    flag = flags.${longName};
+                  in
+                    "  - `--${longName}`"
+                    + (if flag ? shortName then " / `-${flag.shortName}`" else "")
+                    + (if flag ? labels then " " + (concatStringsSep " " (map (s: "*${s}*") flag.labels)) else "")
+                    + "  \n"
+                    + "    " + flag.description + "\n\n"
+                ) (attrNames (filterAttrs (n: v: v.category == cat) flags))))
+            categories);
+      squash = string: # squash more than two repeated newlines
+        let
+          replaced = replaceStrings [ "\n\n\n" ] [ "\n\n" ] string;
+        in
+          if replaced == string then string else squash replaced;
+    in squash ''
+      > **Warning** \
       > This program is **experimental** and its interface is subject to change.
 
       # Name
@@ -17,75 +77,17 @@ let
 
       # Synopsis
 
-      ${showSynopsis { inherit command; args = def.args; }}
+      ${showSynopsis command def.args}
 
-    ''
-    + (if def.commands or {} != {}
-       then
-         let
-           categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues def.commands)));
-           listCommands = cmds:
-             concatStrings (map (name:
-               "* "
-               + "[`${command} ${name}`](./${appendName filename name}.md)"
-               + " - ${cmds.${name}.description}\n")
-               (attrNames cmds));
-         in ''
-         where *subcommand* is one of the following:
+      ${maybeSubcommands}
 
-         ''
-         # FIXME: group by category
-         + (if length categories > 1
-            then
-              concatStrings (map
-                (cat:
-                  "**${toString cat.description}:**\n\n"
-                  + listCommands (filterAttrs (n: v: v.category == cat) def.commands)
-                  + "\n"
-                ) categories)
-              + "\n"
-            else
-              listCommands def.commands
-              + "\n")
-       else "")
-    + (if def ? doc
-       then def.doc + "\n\n"
-       else "")
-    + (let s = showOptions def.flags; in
-       if s != ""
-       then "# Options\n\n${s}"
-       else "")
-  ;
+      ${maybeDocumentation}
+
+      ${maybeOptions}
+    '';
 
   appendName = filename: name: (if filename == "nix" then "nix3" else filename) + "-" + name;
 
-  showOptions = flags:
-    let
-      categories = sort builtins.lessThan (unique (map (cmd: cmd.category) (attrValues flags)));
-    in
-      concatStrings (map
-        (cat:
-          (if cat != ""
-           then "**${cat}:**\n\n"
-           else "")
-          + concatStrings
-            (map (longName:
-              let
-                flag = flags.${longName};
-              in
-                "  - `--${longName}`"
-                + (if flag ? shortName then " / `-${flag.shortName}`" else "")
-                + (if flag ? labels then " " + (concatStringsSep " " (map (s: "*${s}*") flag.labels)) else "")
-                + "  \n"
-                + "    " + flag.description + "\n\n"
-            ) (attrNames (filterAttrs (n: v: v.category == cat) flags))))
-        categories);
-
-  showSynopsis =
-    { command, args }:
-    "`${command}` [*option*...] ${concatStringsSep " "
-      (map (arg: "*${arg.label}*" + (if arg ? arity then "" else "...")) args)}";
-
   processCommand = { command, def, filename }:
     [ { name = filename + ".md"; value = showCommand { inherit command def filename; }; inherit command; } ]
     ++ concatMap

From a85df04fcb2876591ac39d55e920c7cd15411431 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 26 Aug 2022 23:09:19 +0200
Subject: [PATCH 44/49] refactor showOptions

it was quite a pain to manipulate strings just with `builtins`
---
 doc/manual/generate-manpage.nix | 45 ++++++++++++++-------------------
 doc/manual/utils.nix            | 26 +++++++++++++++++++
 2 files changed, 45 insertions(+), 26 deletions(-)

diff --git a/doc/manual/generate-manpage.nix b/doc/manual/generate-manpage.nix
index c8290685a..82aae8b46 100644
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -41,33 +41,26 @@ let
 
         ${showOptions def.flags}
       '';
-      showOptions = flags:
+      showOptions = options:
         let
-          categories = sort builtins.lessThan (unique (map (cmd: cmd.category) (attrValues flags)));
-        in
-          concatStrings (map
-            (cat:
-              (if cat != ""
-               then "**${cat}:**\n\n"
-               else "")
-              + concatStrings
-                (map (longName:
-                  let
-                    flag = flags.${longName};
-                  in
-                    "  - `--${longName}`"
-                    + (if flag ? shortName then " / `-${flag.shortName}`" else "")
-                    + (if flag ? labels then " " + (concatStringsSep " " (map (s: "*${s}*") flag.labels)) else "")
-                    + "  \n"
-                    + "    " + flag.description + "\n\n"
-                ) (attrNames (filterAttrs (n: v: v.category == cat) flags))))
-            categories);
-      squash = string: # squash more than two repeated newlines
-        let
-          replaced = replaceStrings [ "\n\n\n" ] [ "\n\n" ] string;
-        in
-          if replaced == string then string else squash replaced;
-    in squash ''
+          showCategory = cat: ''
+            ${if cat != "" then "**${cat}:**" else ""}
+
+            ${listOptions (filterAttrs (n: v: v.category == cat) options)}
+            '';
+          listOptions = opts: concatStringsSep "\n" (attrValues (mapAttrs showOption opts));
+          showOption = name: option:
+            let
+              shortName = if option ? shortName then "/ `-${option.shortName}`" else "";
+              labels = if option ? labels then (concatStringsSep " " (map (s: "*${s}*") option.labels)) else "";
+            in trim ''
+              - `--${name}` ${shortName} ${labels}
+
+                ${option.description}
+            '';
+          categories = sort builtins.lessThan (unique (map (cmd: cmd.category) (attrValues options)));
+        in concatStrings (map showCategory categories);
+    in squash  ''
       > **Warning** \
       > This program is **experimental** and its interface is subject to change.
 
diff --git a/doc/manual/utils.nix b/doc/manual/utils.nix
index d4b18472f..d0643ef46 100644
--- a/doc/manual/utils.nix
+++ b/doc/manual/utils.nix
@@ -5,6 +5,32 @@ rec {
 
   concatStrings = concatStringsSep "";
 
+  replaceStringsRec = from: to: string:
+    # recursively replace occurrences of `from` with `to` within `string`
+    # example:
+    #     replaceStringRec "--" "-" "hello-----world"
+    #     => "hello-world"
+    let
+      replaced = replaceStrings [ from ] [ to ] string;
+    in
+      if replaced == string then string else replaceStringsRec from to replaced;
+
+  squash = replaceStringsRec "\n\n\n" "\n\n";
+
+  trim = string:
+    # trim trailing spaces and squash non-leading spaces
+    let
+      trimLine = line:
+        let
+          # separate leading spaces from the rest
+          parts = split "(^ *)" line;
+          spaces = head (elemAt parts 1);
+          rest = elemAt parts 2;
+          # drop trailing spaces
+          body = head (split " *$" rest);
+        in spaces + replaceStringsRec "  " " " body;
+    in concatStringsSep "\n" (map trimLine (splitLines string));
+
   # FIXME: O(n^2)
   unique = foldl' (acc: e: if elem e acc then acc else acc ++ [ e ]) [];
 

From 0e0f1832de10bf200bca2b2b3e886c7255999216 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Sat, 27 Aug 2022 02:43:57 +0200
Subject: [PATCH 45/49] remove superfluous let-in pair

---
 doc/manual/generate-manpage.nix | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/doc/manual/generate-manpage.nix b/doc/manual/generate-manpage.nix
index 82aae8b46..2428ee1b3 100644
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -91,9 +91,6 @@ let
       })
       (attrNames def.commands or {});
 
-in
-
-let
   manpages = processCommand { filename = "nix"; command = "nix"; def = builtins.fromJSON command; };
   summary = concatStrings (map (manpage: "    - [${manpage.command}](command-ref/new-cli/${manpage.name})\n") manpages);
 in

From 61188cb820cd71d7f0ea74f11791c208e69aa632 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Sat, 27 Aug 2022 02:44:54 +0200
Subject: [PATCH 46/49] move final template to the top

this allows readers to enter the code starting with what is visible from
the outside, instead of working themselves up from purely technical details.
---
 doc/manual/generate-manpage.nix | 37 +++++++++++++++++----------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/doc/manual/generate-manpage.nix b/doc/manual/generate-manpage.nix
index 2428ee1b3..273b6bce3 100644
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -7,6 +7,24 @@ let
 
   showCommand = { command, def, filename }:
     let
+      result = ''
+        > **Warning** \
+        > This program is **experimental** and its interface is subject to change.
+
+        # Name
+
+        `${command}` - ${def.description}
+
+        # Synopsis
+
+        ${showSynopsis command def.args}
+
+        ${maybeSubcommands}
+
+        ${maybeDocumentation}
+
+        ${maybeOptions}
+      '';
       showSynopsis = command: args:
         let
           showArgument = arg: "*${arg.label}*" + (if arg ? arity then "" else "...");
@@ -60,24 +78,7 @@ let
             '';
           categories = sort builtins.lessThan (unique (map (cmd: cmd.category) (attrValues options)));
         in concatStrings (map showCategory categories);
-    in squash  ''
-      > **Warning** \
-      > This program is **experimental** and its interface is subject to change.
-
-      # Name
-
-      `${command}` - ${def.description}
-
-      # Synopsis
-
-      ${showSynopsis command def.args}
-
-      ${maybeSubcommands}
-
-      ${maybeDocumentation}
-
-      ${maybeOptions}
-    '';
+    in squash result;
 
   appendName = filename: name: (if filename == "nix" then "nix3" else filename) + "-" + name;
 

From 70eea9774230c5264ced249c9b81e28498027b05 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Sat, 27 Aug 2022 03:25:12 +0200
Subject: [PATCH 47/49] use more self-explanatory names

---
 doc/manual/generate-manpage.nix | 58 ++++++++++++++++++++-------------
 1 file changed, 35 insertions(+), 23 deletions(-)

diff --git a/doc/manual/generate-manpage.nix b/doc/manual/generate-manpage.nix
index 273b6bce3..19943b698 100644
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -5,7 +5,7 @@ with import ./utils.nix;
 
 let
 
-  showCommand = { command, def, filename }:
+  showCommand = { command, details, filename }:
     let
       result = ''
         > **Warning** \
@@ -13,11 +13,11 @@ let
 
         # Name
 
-        `${command}` - ${def.description}
+        `${command}` - ${details.description}
 
         # Synopsis
 
-        ${showSynopsis command def.args}
+        ${showSynopsis command details.args}
 
         ${maybeSubcommands}
 
@@ -32,7 +32,7 @@ let
         in ''
          `${command}` [*option*...] ${arguments}
         '';
-      maybeSubcommands = if def ? commands && def.commands != {}
+      maybeSubcommands = if details ? commands && details.commands != {}
         then ''
            where *subcommand* is one of the following:
 
@@ -41,23 +41,23 @@ let
         else "";
       subcommands = if length categories > 1
         then listCategories
-        else listSubcommands def.commands;
-      categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues def.commands)));
+        else listSubcommands details.commands;
+      categories = sort (x: y: x.id < y.id) (unique (map (cmd: cmd.category) (attrValues details.commands)));
       listCategories = concatStrings (map showCategory categories);
       showCategory = cat: ''
         **${toString cat.description}:**
 
-        ${listSubcommands (filterAttrs (n: v: v.category == cat) def.commands)}
+        ${listSubcommands (filterAttrs (n: v: v.category == cat) details.commands)}
       '';
       listSubcommands = cmds: concatStrings (attrValues (mapAttrs showSubcommand cmds));
       showSubcommand = name: subcmd: ''
         * [`${command} ${name}`](./${appendName filename name}.md) - ${subcmd.description}
       '';
-      maybeDocumentation = if def ? doc then def.doc else "";
-      maybeOptions = if def.flags == {} then "" else ''
+      maybeDocumentation = if details ? doc then details.doc else "";
+      maybeOptions = if details.flags == {} then "" else ''
         # Options
 
-        ${showOptions def.flags}
+        ${showOptions details.flags}
       '';
       showOptions = options:
         let
@@ -82,17 +82,29 @@ let
 
   appendName = filename: name: (if filename == "nix" then "nix3" else filename) + "-" + name;
 
-  processCommand = { command, def, filename }:
-    [ { name = filename + ".md"; value = showCommand { inherit command def filename; }; inherit command; } ]
-    ++ concatMap
-      (name: processCommand {
-        filename = appendName filename name;
-        command = command + " " + name;
-        def = def.commands.${name};
-      })
-      (attrNames def.commands or {});
+  processCommand = { command, details, filename }:
+    let
+      cmd = {
+        inherit command;
+        name = filename + ".md";
+        value = showCommand { inherit command details filename; };
+      };
+      subcommand = subCmd: processCommand {
+        command = command + " " + subCmd;
+        details = details.commands.${subCmd};
+        filename = appendName filename subCmd;
+      };
+    in [ cmd ] ++ concatMap subcommand (attrNames details.commands or {});
 
-  manpages = processCommand { filename = "nix"; command = "nix"; def = builtins.fromJSON command; };
-  summary = concatStrings (map (manpage: "    - [${manpage.command}](command-ref/new-cli/${manpage.name})\n") manpages);
-in
-(listToAttrs manpages) // { "SUMMARY.md" = summary; }
+  manpages = processCommand {
+    command = "nix";
+    details = builtins.fromJSON command;
+    filename = "nix";
+  };
+
+  tableOfContents = let
+    showEntry = page:
+      "    - [${page.command}](command-ref/new-cli/${page.name})";
+    in concatStringsSep "\n" (map showEntry manpages);
+
+in (listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }

From d8bef7358f67d11eeef46ae015291a92f8ba1b72 Mon Sep 17 00:00:00 2001
From: Valentin Gagarin <valentin.gagarin@tweag.io>
Date: Fri, 30 Sep 2022 01:41:56 +0200
Subject: [PATCH 48/49] bring back lost newline

---
 doc/manual/generate-manpage.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/doc/manual/generate-manpage.nix b/doc/manual/generate-manpage.nix
index 19943b698..18a1a8bfe 100644
--- a/doc/manual/generate-manpage.nix
+++ b/doc/manual/generate-manpage.nix
@@ -105,6 +105,6 @@ let
   tableOfContents = let
     showEntry = page:
       "    - [${page.command}](command-ref/new-cli/${page.name})";
-    in concatStringsSep "\n" (map showEntry manpages);
+    in concatStringsSep "\n" (map showEntry manpages) + "\n";
 
 in (listToAttrs manpages) // { "SUMMARY.md" = tableOfContents; }

From e1418430ac57767906b617a8a558d305ca651980 Mon Sep 17 00:00:00 2001
From: "Travis A. Everett" <travis.a.everett@gmail.com>
Date: Wed, 5 Oct 2022 09:52:53 -0500
Subject: [PATCH 49/49] Apply suggestions from code review

Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
---
 doc/manual/src/contributing/hacking.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/doc/manual/src/contributing/hacking.md b/doc/manual/src/contributing/hacking.md
index f67660ab2..5bee7932b 100644
--- a/doc/manual/src/contributing/hacking.md
+++ b/doc/manual/src/contributing/hacking.md
@@ -109,7 +109,7 @@ You can run them manually with `nix build .#hydraJobs.tests.{testName}` or `nix-
 
 ### Installer tests
 
-With just a little one-time setup, the Nix repository's GitHub Actions continuous integration (CI) workflow can easily test the installer each time you push to a branch.
+After a one-time setup, the Nix repository's GitHub Actions continuous integration (CI) workflow can test the installer each time you push to a branch.
 
 Creating a Cachix cache for your installer tests and adding its authorization token to GitHub enables [two installer-specific jobs in the CI workflow](https://github.com/NixOS/nix/blob/88a45d6149c0e304f6eb2efcc2d7a4d0d569f8af/.github/workflows/ci.yml#L50-L91):
 
@@ -123,7 +123,7 @@ Creating a Cachix cache for your installer tests and adding its authorization to
 
 #### One-time setup
 
-1. Have a GitHub account with a fork of the Nix repo.
+1. Have a GitHub account with a fork of the [Nix repository](https://github.com/NixOS/nix).
 2. At cachix.org:
     - Create or log in to an account.
     - Create a Cachix cache using the format `<github-username>-nix-install-tests`.