MOLGW package: fix dependence to threaded MKL (#39028 )

* molgw package.py * molgw package.py almost ready * bug fix in molgw package.py * MOLGW v3.2 * black pass * duplicated line eliminated * remove FIXME in the header * add me as a maintainer * fix previous commit * sort the imports in the order spack wants * chop the too-long lines * many fixes - variants before dependences - eliminate useless build and install stages - no openmp with intel-mkl was broken * after blackization * cleaning * Update var/spack/repos/builtin/packages/molgw/package.py Co-authored-by: Massimiliano Culpo <massimiliano.culpo@gmail.com> * Update var/spack/repos/builtin/packages/molgw/package.py Co-authored-by: Massimiliano Culpo <massimiliano.culpo@gmail.com> * Update var/spack/repos/builtin/packages/molgw/package.py Co-authored-by: Massimiliano Culpo <massimiliano.culpo@gmail.com> * Update var/spack/repos/builtin/packages/molgw/package.py Co-authored-by: Massimiliano Culpo <massimiliano.culpo@gmail.com> * Update var/spack/repos/builtin/packages/molgw/package.py Co-authored-by: Massimiliano Culpo <massimiliano.culpo@gmail.com> * use threaded mkl when openmp is triggered --------- Co-authored-by: Massimiliano Culpo <massimiliano.culpo@gmail.com>
py-distributed: add missing tblib dependency. (#39123 )
2023-07-28 08:30:27 -04:00 · 2023-07-28 05:42:35 -04:00 · 2023-07-28 10:36:07 +02:00 · 2023-07-27 13:59:11 -07:00 · 2023-07-27 13:53:40 -07:00 · 2023-07-27 12:26:25 -07:00
1239 changed files with 25232 additions and 14304 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,8 @@ updates:
    directory: "/"
    schedule:
      interval: "daily"
+  # Requirements to build documentation
+  - package-ecosystem: "pip"
+    directory: "/lib/spack/docs"
+    schedule:
+      interval: "daily"
--- a/.github/workflows/audit.yaml
+++ b/.github/workflows/audit.yaml
@@ -17,10 +17,13 @@ concurrency:
 jobs:
  # Run audits on all the packages in the built-in repository
  package-audits:
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.operating_system }}
+    strategy:
+      matrix:
+        operating_system: ["ubuntu-latest", "macos-latest"]
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2
      with:
        python-version: ${{inputs.python_version}}
    - name: Install Python packages
@@ -41,4 +44,4 @@ jobs:
    - uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d # @v2.1.0
      if: ${{ inputs.with_coverage == 'true' }}
      with:
-        flags: unittests,linux,audits
+        flags: unittests,audits
--- a/.github/workflows/bootstrap.yml
+++ b/.github/workflows/bootstrap.yml
@@ -24,7 +24,7 @@ jobs:
              make patch unzip which xz python3 python3-devel tree \
              cmake bison bison-devel libstdc++-static
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0
      - name: Setup non-root user
@@ -62,7 +62,7 @@ jobs:
              make patch unzip xz-utils python3 python3-dev tree \
              cmake bison
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0
      - name: Setup non-root user
@@ -99,7 +99,7 @@ jobs:
              bzip2 curl file g++ gcc gfortran git gnupg2 gzip \
              make patch unzip xz-utils python3 python3-dev tree
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0
      - name: Setup non-root user
@@ -133,7 +133,7 @@ jobs:
              make patch unzip which xz python3 python3-devel tree \
              cmake bison
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0
      - name: Setup repo
@@ -158,7 +158,7 @@ jobs:
        run: |
          brew install cmake bison@2.7 tree
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      - name: Bootstrap clingo
        run: |
          source share/spack/setup-env.sh
@@ -179,7 +179,7 @@ jobs:
        run: |
          brew install tree
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      - name: Bootstrap clingo
        run: |
          set -ex
@@ -204,7 +204,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0
      - name: Setup repo
@@ -247,7 +247,7 @@ jobs:
              bzip2 curl file g++ gcc patchelf gfortran git gzip \
              make patch unzip xz-utils python3 python3-dev tree
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0
      - name: Setup non-root user
@@ -283,7 +283,7 @@ jobs:
              make patch unzip xz-utils python3 python3-dev tree \
              gawk
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
        with:
          fetch-depth: 0
      - name: Setup non-root user
@@ -316,7 +316,7 @@ jobs:
          # Remove GnuPG since we want to bootstrap it
          sudo rm -rf /usr/local/bin/gpg
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      - name: Bootstrap GnuPG
        run: |
          source share/spack/setup-env.sh
@@ -333,7 +333,7 @@ jobs:
          # Remove GnuPG since we want to bootstrap it
          sudo rm -rf /usr/local/bin/gpg
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      - name: Bootstrap GnuPG
        run: |
          source share/spack/setup-env.sh
--- a/.github/workflows/build-containers.yml
+++ b/.github/workflows/build-containers.yml
@@ -49,14 +49,14 @@ jobs:
                     [almalinux8, 'linux/amd64,linux/arm64,linux/ppc64le', 'almalinux:8'],
                     [almalinux9, 'linux/amd64,linux/arm64,linux/ppc64le', 'almalinux:9'],
                     [rockylinux8, 'linux/amd64,linux/arm64', 'rockylinux:8'],
-                     [rockylinux9, 'linux/amd64,linux/arm64,linux/ppc64le', 'rockylinux:9'],
+                     [rockylinux9, 'linux/amd64,linux/arm64', 'rockylinux:9'],
                     [fedora37, 'linux/amd64,linux/arm64,linux/ppc64le', 'fedora:37'],
                     [fedora38, 'linux/amd64,linux/arm64,linux/ppc64le', 'fedora:38']]
    name: Build ${{ matrix.dockerfile[0] }}
    if: github.repository == 'spack/spack'
    steps:
      - name: Checkout
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2

      - name: Set Container Tag Normal (Nightly)
        run: |
@@ -92,13 +92,13 @@ jobs:
          path: dockerfiles

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # @v1
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # @v1

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # @v1
+        uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # @v1

      - name: Log in to GitHub Container Registry
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # @v1
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # @v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -106,13 +106,13 @@ jobs:

      - name: Log in to DockerHub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # @v1
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # @v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Build & Deploy ${{ matrix.dockerfile[0] }}
-        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # @v2
+        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # @v2
        with:
          context: dockerfiles/${{ matrix.dockerfile[0] }}
          platforms: ${{ matrix.dockerfile[1] }}
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -35,7 +35,7 @@ jobs:
      core: ${{ steps.filter.outputs.core }}
      packages: ${{ steps.filter.outputs.packages }}
    steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
        if: ${{ github.event_name == 'push' }}
        with:
          fetch-depth: 0
--- a/.github/workflows/nightly-win-builds.yml
+++ b/.github/workflows/nightly-win-builds.yml
@@ -14,10 +14,10 @@ jobs:
  build-paraview-deps:
    runs-on: windows-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
      with:
        python-version: 3.9
    - name: Install Python packages
--- a/.github/workflows/unit_tests.yaml
+++ b/.github/workflows/unit_tests.yaml
@@ -47,10 +47,10 @@ jobs:
          on_develop: false

    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # @v2
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install System packages
@@ -94,10 +94,10 @@ jobs:
  shell:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # @v2
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2
      with:
        python-version: '3.11'
    - name: Install System packages
@@ -133,7 +133,7 @@ jobs:
          dnf install -y \
              bzip2 curl file gcc-c++ gcc gcc-gfortran git gnupg2 gzip \
              make patch tcl unzip which xz
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
    - name: Setup repo and non-root user
      run: |
          git --version
@@ -152,10 +152,10 @@ jobs:
  clingo-cffi:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # @v2
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2
      with:
        python-version: '3.11'
    - name: Install System packages
@@ -186,10 +186,10 @@ jobs:
      matrix:
        python-version: ["3.10"]
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # @v2
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install Python packages
--- a/.github/workflows/valid-style.yml
+++ b/.github/workflows/valid-style.yml
@@ -18,8 +18,8 @@ jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2
      with:
        python-version: '3.11'
        cache: 'pip'
@@ -35,10 +35,10 @@ jobs:
  style:
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # @v2
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # @v2
      with:
        python-version: '3.11'
        cache: 'pip'
@@ -68,7 +68,7 @@ jobs:
          dnf install -y \
              bzip2 curl file gcc-c++ gcc gcc-gfortran git gnupg2 gzip \
              make patch tcl unzip which xz
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # @v2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # @v2
      - name: Setup repo and non-root user
        run: |
          git --version
@@ -81,6 +81,7 @@ jobs:
        shell: runuser -u spack-test -- bash {0}
        run: |
          source share/spack/setup-env.sh
+          spack debug report
          spack -d bootstrap now --dev
          spack style -t black
          spack unit-test -V
--- a/.github/workflows/windows_python.yml
+++ b/.github/workflows/windows_python.yml
@@ -15,10 +15,10 @@ jobs:
  unit-tests:
    runs-on: windows-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
      with:
        python-version: 3.9
    - name: Install Python packages
@@ -39,10 +39,10 @@ jobs:
  unit-tests-cmd:
    runs-on: windows-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
      with:
        python-version: 3.9
    - name: Install Python packages
@@ -63,10 +63,10 @@ jobs:
  build-abseil:
    runs-on: windows-latest
    steps:
-    - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+    - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
      with:
        fetch-depth: 0
-    - uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0
+    - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1
      with:
        python-version: 3.9
    - name: Install Python packages
--- a/.readthedocs.yml
+++ b/.readthedocs.yml
@@ -1,10 +1,16 @@
 version: 2

+build:
+  os: "ubuntu-22.04"
+  apt_packages:
+    - graphviz
+  tools:
+    python: "3.11"
+
 sphinx:
  configuration: lib/spack/docs/conf.py
  fail_on_warning: true

 python:
-  version: 3.7
  install:
    - requirements: lib/spack/docs/requirements.txt
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,21 @@
+# v0.20.1 (2023-07-10)
+
+## Spack Bugfixes
+
+- Spec removed from an environment where not actually removed if `--force` was not given (#37877)
+- Speed-up module file generation (#37739)
+- Hotfix for a few recipes that treat CMake as a link dependency (#35816)
+- Fix re-running stand-alone test a second time, which was getting a trailing spurious failure (#37840)
+- Fixed reading JSON manifest on Cray, reporting non-concrete specs (#37909)
+- Fixed a few bugs when generating Dockerfiles from Spack (#37766,#37769)
+- Fixed a few long-standing bugs when generating module files (#36678,#38347,#38465,#38455)
+- Fixed issues with building Python extensions using an external Python (#38186)
+- Fixed compiler removal from command line (#38057)
+- Show external status as [e] (#33792)
+- Backported `archspec` fixes (#37793)
+- Improved a few error messages (#37791)
+
+
 # v0.20.0 (2023-05-21)

 `v0.20.0` is a major feature release.
--- a/bin/spack
+++ b/bin/spack
@@ -25,8 +25,6 @@ exit 1
 # Line above is a shell no-op, and ends a python multi-line comment.
 # The code above runs this file with our preferred python interpreter.

-from __future__ import print_function
-
 import os
 import os.path
 import sys
--- a/bin/spack.bat
+++ b/bin/spack.bat
@@ -214,7 +214,7 @@ goto :end_switch
 if defined _sp_args (
    if NOT "%_sp_args%"=="%_sp_args:--help=%" (
        goto :default_case
-    ) else if NOT "%_sp_args%"=="%_sp_args: -h=%" (
+    ) else if NOT "%_sp_args%"=="%_sp_args:-h=%" (
        goto :default_case
    ) else if NOT "%_sp_args%"=="%_sp_args:--bat=%" (
        goto :default_case
--- a/bin/spack.ps1
+++ b/bin/spack.ps1
@@ -0,0 +1,132 @@
+#  Copyright 2013-2023 Lawrence Livermore National Security, LLC and other
+#  Spack Project Developers. See the top-level COPYRIGHT file for details.
+
+#  SPDX-License-Identifier: (Apache-2.0 OR MIT)
+# #######################################################################
+
+function Compare-CommonArgs {
+    $CMDArgs = $args[0]
+    # These aruments take precedence and call for no futher parsing of arguments
+    # invoke actual Spack entrypoint with that context and exit after
+    "--help", "-h", "--version", "-V" | ForEach-Object {
+        $arg_opt = $_
+        if(($CMDArgs) -and ([bool]($CMDArgs.Where({$_ -eq $arg_opt})))) {
+            return $true
+        }
+    }
+    return $false
+}
+
+function Read-SpackArgs {
+    $SpackCMD_params = @()
+    $SpackSubCommand = $NULL
+    $SpackSubCommandArgs = @()
+    $args_ = $args[0]
+    $args_ | ForEach-Object {
+        if (!$SpackSubCommand) {
+            if($_.SubString(0,1) -eq "-")
+            {
+                $SpackCMD_params += $_
+            }
+            else{
+                $SpackSubCommand = $_
+            }
+        }
+        else{
+            $SpackSubCommandArgs += $_
+        }
+    }
+    return $SpackCMD_params, $SpackSubCommand, $SpackSubCommandArgs
+}
+
+function Invoke-SpackCD {
+    if (Compare-CommonArgs $SpackSubCommandArgs) {
+        python $Env:SPACK_ROOT/bin/spack cd -h
+    }
+    else {
+        $LOC = $(python $Env:SPACK_ROOT/bin/spack location $SpackSubCommandArgs)
+        if (($NULL -ne $LOC)){
+            if ( Test-Path -Path $LOC){
+                Set-Location $LOC
+            }
+            else{
+                exit 1
+            }
+        }
+        else {
+            exit 1
+        }
+    }
+}
+
+function Invoke-SpackEnv {
+    if (Compare-CommonArgs $SpackSubCommandArgs[0]) {
+        python $Env:SPACK_ROOT/bin/spack env -h
+    }
+    else {
+        $SubCommandSubCommand = $SpackSubCommandArgs[0]
+        $SubCommandSubCommandArgs = $SpackSubCommandArgs[1..$SpackSubCommandArgs.Count]
+        switch ($SubCommandSubCommand) {
+            "activate" {
+                if (Compare-CommonArgs $SubCommandSubCommandArgs) {
+                    python $Env:SPACK_ROOT/bin/spack env activate $SubCommandSubCommandArgs
+                }
+                elseif ([bool]($SubCommandSubCommandArgs.Where({$_ -eq "--pwsh"}))) {
+                    python $Env:SPACK_ROOT/bin/spack env activate $SubCommandSubCommandArgs
+                }
+                elseif (!$SubCommandSubCommandArgs) {
+                    python $Env:SPACK_ROOT/bin/spack env activate $SubCommandSubCommandArgs
+                }
+                else {
+                    $SpackEnv = $(python $Env:SPACK_ROOT/bin/spack $SpackCMD_params env activate "--pwsh" $SubCommandSubCommandArgs)
+                    $ExecutionContext.InvokeCommand($SpackEnv)
+                }
+            }
+            "deactivate" {
+                if ([bool]($SubCommandSubCommandArgs.Where({$_ -eq "--pwsh"}))) {
+                    python $Env:SPACK_ROOT/bin/spack env deactivate $SubCommandSubCommandArgs
+                }
+                elseif($SubCommandSubCommandArgs) {
+                    python $Env:SPACK_ROOT/bin/spack env deactivate -h
+                }
+                else {
+                    $SpackEnv = $(python $Env:SPACK_ROOT/bin/spack $SpackCMD_params env deactivate --pwsh)
+                    $ExecutionContext.InvokeCommand($SpackEnv)
+                }
+            }
+            default {python $Env:SPACK_ROOT/bin/spack $SpackCMD_params $SpackSubCommand $SpackSubCommandArgs}
+        }
+    }
+}
+
+function Invoke-SpackLoad {
+    if (Compare-CommonArgs $SpackSubCommandArgs) {
+        python $Env:SPACK_ROOT/bin/spack $SpackCMD_params $SpackSubCommand $SpackSubCommandArgs
+    }
+    elseif ([bool]($SpackSubCommandArgs.Where({($_ -eq "--pwsh") -or ($_ -eq "--list")}))) {
+        python $Env:SPACK_ROOT/bin/spack $SpackCMD_params $SpackSubCommand $SpackSubCommandArgs
+    }
+    else {
+        $SpackEnv = $(python $Env:SPACK_ROOT/bin/spack $SpackCMD_params $SpackSubCommand "--pwsh" $SpackSubCommandArgs)
+        $ExecutionContext.InvokeCommand($SpackEnv)
+    }
+}
+
+
+$SpackCMD_params, $SpackSubCommand, $SpackSubCommandArgs = Read-SpackArgs $args
+
+if (Compare-CommonArgs $SpackCMD_params) {
+    python $Env:SPACK_ROOT/bin/spack $SpackCMD_params $SpackSubCommand $SpackSubCommandArgs
+    exit $LASTEXITCODE
+}
+
+# Process Spack commands with special conditions
+# all other commands are piped directly to Spack
+switch($SpackSubCommand)
+{
+    "cd"     {Invoke-SpackCD}
+    "env"    {Invoke-SpackEnv}
+    "load"   {Invoke-SpackLoad}
+    "unload" {Invoke-SpackLoad}
+    default  {python $Env:SPACK_ROOT/bin/spack $SpackCMD_params $SpackSubCommand $SpackSubCommandArgs}
+}
--- a/etc/spack/defaults/config.yaml
+++ b/etc/spack/defaults/config.yaml
@@ -216,10 +216,11 @@ config:
  # manipulation by unprivileged user (e.g. AFS)
  allow_sgid: true

-  # Whether to set the terminal title to display status information during
-  # building and installing packages. This gives information about Spack's
-  # current progress as well as the current and total number of packages.
-  terminal_title: false
+  # Whether to show status information during building and installing packages.
+  # This gives information about Spack's current progress as well as the current
+  # and total number of packages. Information is shown both in the terminal
+  # title and inline.
+  install_status: true

  # Number of seconds a buildcache's index.json is cached locally before probing
  # for updates, within a single Spack invocation. Defaults to 10 minutes.
--- a/etc/spack/defaults/mirrors.yaml
+++ b/etc/spack/defaults/mirrors.yaml
@@ -1,2 +1,4 @@
 mirrors:
-  spack-public: https://mirror.spack.io
+  spack-public:
+    binary: false
+    url: https://mirror.spack.io
--- a/lib/spack/docs/_pygments/style.py
+++ b/lib/spack/docs/_pygments/style.py
@@ -0,0 +1,16 @@
+# Copyright 2013-2023 Lawrence Livermore National Security, LLC and other
+# Spack Project Developers. See the top-level COPYRIGHT file for details.
+#
+# SPDX-License-Identifier: (Apache-2.0 OR MIT)
+
+# The name of the Pygments (syntax highlighting) style to use.
+# We use our own extension of the default style with a few modifications
+from pygments.styles.default import DefaultStyle
+from pygments.token import Generic
+
+
+class SpackStyle(DefaultStyle):
+    styles = DefaultStyle.styles.copy()
+    background_color = "#f4f4f8"
+    styles[Generic.Output] = "#355"
+    styles[Generic.Prompt] = "bold #346ec9"
--- a/lib/spack/docs/binary_caches.rst
+++ b/lib/spack/docs/binary_caches.rst
@@ -48,14 +48,10 @@ Here is an example where a build cache is created in a local directory named

 .. code-block:: console

-    $ spack buildcache push --allow-root ./spack-cache ninja
+    $ spack buildcache push ./spack-cache ninja
    ==> Pushing binary packages to file:///home/spackuser/spack/spack-cache/build_cache

-Not that ``ninja`` must be installed locally for this to work.
-
-We're using the ``--allow-root`` flag to tell Spack that is OK when any of
-the binaries we're pushing contain references to the local Spack install
-directory.
+Note that ``ninja`` must be installed locally for this to work.

 Once you have a build cache, you can add it as a mirror, discussed next.

@@ -147,7 +143,7 @@ and then install from it exclusively, you would do:

    $ spack mirror add E4S https://cache.e4s.io
    $ spack buildcache keys --install --trust
-    $ spack install --use-buildache only <package>
+    $ spack install --use-buildcache only <package>

 We use ``--install`` and ``--trust`` to say that we are installing keys to our
 keyring, and trusting all downloaded keys.
--- a/lib/spack/docs/build_systems/inteloneapipackage.rst
+++ b/lib/spack/docs/build_systems/inteloneapipackage.rst
@@ -76,6 +76,53 @@ To build with with ``icx``, do ::

  spack install patchelf%oneapi

+
+Using oneAPI Spack environment
+-------------------------------
+
+In this example, we build lammps with ``icx`` using Spack environment for oneAPI packages created by Intel. The
+compilers are installed with Spack like in example above.
+
+Install the oneAPI compilers::
+
+  spack install intel-oneapi-compilers
+
+Add the compilers to your ``compilers.yaml`` so Spack can use them::
+
+  spack compiler add `spack location -i intel-oneapi-compilers`/compiler/latest/linux/bin/intel64
+  spack compiler add `spack location -i intel-oneapi-compilers`/compiler/latest/linux/bin
+
+Verify that the compilers are available::
+
+  spack compiler list
+
+Clone `spack-configs <https://github.com/spack/spack-configs>`_ repo and activate Intel oneAPI CPU environment::
+
+  git clone https://github.com/spack/spack-configs
+  spack env activate spack-configs/INTEL/CPU
+  spack concretize -f
+
+`Intel oneAPI CPU environment <https://github.com/spack/spack-configs/blob/main/INTEL/CPU/spack.yaml>`_  contains applications tested and validated by Intel, this list is constantly extended. And currently it supports:
+
+- `GROMACS <https://www.gromacs.org/>`_
+- `HPCG <https://www.hpcg-benchmark.org/>`_
+- `HPL <https://netlib.org/benchmark/hpl/>`_
+- `LAMMPS <https://www.lammps.org/#gsc.tab=0>`_
+- `OpenFOAM <https://www.openfoam.com/>`_
+- `STREAM <https://www.cs.virginia.edu/stream/>`_
+- `WRF <https://github.com/wrf-model/WRF>`_
+
+To build lammps with oneAPI compiler from this environment just run::
+
+  spack install lammps
+
+Compiled binaries can be find using::
+
+  spack cd -i lammps
+
+You can do the same for all other applications from this environment.
+
+
 Using oneAPI MPI to Satisfy a Virtual Dependence
 ------------------------------------------------------

--- a/lib/spack/docs/build_systems/sippackage.rst
+++ b/lib/spack/docs/build_systems/sippackage.rst
@@ -72,7 +72,7 @@ arguments to the configure phase, you can use:

 .. code-block:: python

-   def configure_args(self, spec, prefix):
+   def configure_args(self):
       return ['--no-python-dbus']


--- a/lib/spack/docs/conf.py
+++ b/lib/spack/docs/conf.py
@@ -97,9 +97,7 @@ class PatchedPythonDomain(PythonDomain):
    def resolve_xref(self, env, fromdocname, builder, typ, target, node, contnode):
        if "refspecific" in node:
            del node["refspecific"]
-        return super(PatchedPythonDomain, self).resolve_xref(
-            env, fromdocname, builder, typ, target, node, contnode
-        )
+        return super().resolve_xref(env, fromdocname, builder, typ, target, node, contnode)


 #
@@ -149,7 +147,6 @@ def setup(sphinx):
 # Get nice vector graphics
 graphviz_output_format = "svg"

-
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ["_templates"]

@@ -217,6 +214,7 @@ def setup(sphinx):
    # Spack classes that intersphinx is unable to resolve
    ("py:class", "spack.version.StandardVersion"),
    ("py:class", "spack.spec.DependencySpec"),
+    ("py:class", "spack.spec.SpecfileReaderBase"),
    ("py:class", "spack.install_test.Pb"),
 ]

@@ -233,30 +231,8 @@ def setup(sphinx):
 # If true, sectionauthor and moduleauthor directives will be shown in the
 # output. They are ignored by default.
 # show_authors = False
-
-# The name of the Pygments (syntax highlighting) style to use.
-# We use our own extension of the default style with a few modifications
-from pygments.style import Style
-from pygments.styles.default import DefaultStyle
-from pygments.token import Comment, Generic, Text
-
-
-class SpackStyle(DefaultStyle):
-    styles = DefaultStyle.styles.copy()
-    background_color = "#f4f4f8"
-    styles[Generic.Output] = "#355"
-    styles[Generic.Prompt] = "bold #346ec9"
-
-
-import pkg_resources
-
-dist = pkg_resources.Distribution(__file__)
-sys.path.append(".")  # make 'conf' module findable
-ep = pkg_resources.EntryPoint.parse("spack = conf:SpackStyle", dist=dist)
-dist._ep_map = {"pygments.styles": {"plugin1": ep}}
-pkg_resources.working_set.add(dist)
-
-pygments_style = "spack"
+sys.path.append("./_pygments")
+pygments_style = "style.SpackStyle"

 # A list of ignored prefixes for module index sorting.
 # modindex_common_prefix = []
@@ -341,16 +317,15 @@ class SpackStyle(DefaultStyle):
 # Output file base name for HTML help builder.
 htmlhelp_basename = "Spackdoc"

-
 # -- Options for LaTeX output --------------------------------------------------

 latex_elements = {
    # The paper size ('letterpaper' or 'a4paper').
-    #'papersize': 'letterpaper',
+    # 'papersize': 'letterpaper',
    # The font size ('10pt', '11pt' or '12pt').
-    #'pointsize': '10pt',
+    # 'pointsize': '10pt',
    # Additional stuff for the LaTeX preamble.
-    #'preamble': '',
+    # 'preamble': '',
 }

 # Grouping the document tree into LaTeX files. List of tuples
--- a/lib/spack/docs/config_yaml.rst
+++ b/lib/spack/docs/config_yaml.rst
@@ -292,12 +292,13 @@ It is also worth noting that:
         non_bindable_shared_objects = ["libinterface.so"]

 ----------------------
-``terminal_title``
+``install_status``
 ----------------------

-By setting this option to ``true``, Spack will update the terminal's title to
-provide information about its current progress as well as the current and
-total package numbers.
+When set to ``true``, Spack will show information about its current progress
+as well as the current and total package numbers. Progress is shown both
+in the terminal title and inline. Setting it to ``false`` will not show any
+progress information.

 To work properly, this requires your terminal to reset its title after
 Spack has finished its work, otherwise Spack's status information will
--- a/lib/spack/docs/containers.rst
+++ b/lib/spack/docs/containers.rst
@@ -636,7 +636,7 @@ to customize the generation of container recipes:
     - No
   * - ``os_packages:command``
     - Tool used to manage system packages
-     - ``apt``, ``yum``, ``zypper``, ``apk``, ``yum_amazon``
+     - ``apt``, ``yum``, ``dnf``, ``dnf_epel``, ``zypper``, ``apk``, ``yum_amazon``
     - Only with custom base images
   * - ``os_packages:update``
     - Whether or not to update the list of available packages
--- a/lib/spack/docs/environments.rst
+++ b/lib/spack/docs/environments.rst
@@ -916,9 +916,9 @@ function, as shown in the example below:
 .. code-block:: yaml

   projections:
-     zlib: {name}-{version}
-     ^mpi: {name}-{version}/{^mpi.name}-{^mpi.version}-{compiler.name}-{compiler.version}
-     all: {name}-{version}/{compiler.name}-{compiler.version}
+     zlib: "{name}-{version}"
+     ^mpi: "{name}-{version}/{^mpi.name}-{^mpi.version}-{compiler.name}-{compiler.version}"
+     all: "{name}-{version}/{compiler.name}-{compiler.version}"

 The entries in the projections configuration file must all be either
 specs or the keyword ``all``. For each spec, the projection used will
@@ -1132,11 +1132,11 @@ index once every package is pushed. Note how this target uses the generated
   example/push/%: example/install/%
   	@mkdir -p $(dir $@)
   	$(info About to push $(SPEC) to a buildcache)
-   	$(SPACK) -e . buildcache create --allow-root --only=package --directory $(BUILDCACHE_DIR) /$(HASH)
+   	$(SPACK) -e . buildcache push --allow-root --only=package $(BUILDCACHE_DIR) /$(HASH)
   	@touch $@

   push: $(addprefix example/push/,$(example/SPACK_PACKAGE_IDS))
   	$(info Updating the buildcache index)
-   	$(SPACK) -e . buildcache update-index --directory $(BUILDCACHE_DIR)
+   	$(SPACK) -e . buildcache update-index $(BUILDCACHE_DIR)
   	$(info Done!)
   	@touch $@
--- a/lib/spack/docs/index.rst
+++ b/lib/spack/docs/index.rst
@@ -76,6 +76,7 @@ or refer to the full manual below.
   chain
   extensions
   pipelines
+   signing

 .. toctree::
   :maxdepth: 2
--- a/lib/spack/docs/module_file_support.rst
+++ b/lib/spack/docs/module_file_support.rst
@@ -275,10 +275,12 @@ of the installed software. For instance, in the snippet below:
             set:
               BAR: 'bar'
         # This anonymous spec selects any package that
-         # depends on openmpi. The double colon at the
+         # depends on mpi. The double colon at the
         # end clears the set of rules that matched so far.
-         ^openmpi::
+         ^mpi::
           environment:
+             prepend_path:
+               PATH: '{^mpi.prefix}/bin'
             set:
               BAR: 'baz'
         # Selects any zlib package
@@ -293,7 +295,9 @@ of the installed software. For instance, in the snippet below:
             - FOOBAR

 you are instructing Spack to set the environment variable ``BAR=bar`` for every module,
-unless the associated spec satisfies ``^openmpi`` in which case ``BAR=baz``.
+unless the associated spec satisfies the abstract dependency ``^mpi`` in which case
+``BAR=baz``, and the directory containing the respective MPI executables is prepended
+to the ``PATH`` variable.
 In addition in any spec that satisfies ``zlib`` the value ``foo`` will be
 prepended to ``LD_LIBRARY_PATH`` and in any spec that satisfies ``zlib%gcc@4.8``
 the variable ``FOOBAR`` will be unset.
@@ -396,28 +400,30 @@ that are already in the Lmod hierarchy.


 .. note::
-   Tcl modules
-     Tcl modules also allow for explicit conflicts between modulefiles.
+   Tcl and Lua modules also allow for explicit conflicts between modulefiles.

-     .. code-block:: yaml
+   .. code-block:: yaml

-        modules:
-          default:
-            enable:
-              - tcl
-            tcl:
-              projections:
-                all: '{name}/{version}-{compiler.name}-{compiler.version}'
-              all:
-                conflict:
-                  - '{name}'
-                  - 'intel/14.0.1'
+      modules:
+        default:
+          enable:
+            - tcl
+          tcl:
+            projections:
+              all: '{name}/{version}-{compiler.name}-{compiler.version}'
+            all:
+              conflict:
+                - '{name}'
+                - 'intel/14.0.1'

-     will create module files that will conflict with ``intel/14.0.1`` and with the
-     base directory of the same module, effectively preventing the possibility to
-     load two or more versions of the same software at the same time. The tokens
-     that are available for use in this directive are the same understood by
-     the :meth:`~spack.spec.Spec.format` method.
+   will create module files that will conflict with ``intel/14.0.1`` and with the
+   base directory of the same module, effectively preventing the possibility to
+   load two or more versions of the same software at the same time. The tokens
+   that are available for use in this directive are the same understood by the
+   :meth:`~spack.spec.Spec.format` method.
+
+   For Lmod and Environment Modules versions prior 4.2, it is important to
+   express the conflict on both modulefiles conflicting with each other.


 .. note::
--- a/lib/spack/docs/packaging_guide.rst
+++ b/lib/spack/docs/packaging_guide.rst
@@ -121,7 +121,7 @@ Since v0.19, Spack supports  two ways of writing a package recipe. The most comm

       def url_for_version(self, version):
           if version >= Version("2.1.1"):
-               return super(Openjpeg, self).url_for_version(version)
+               return super().url_for_version(version)
           url_fmt = "https://github.com/uclouvain/openjpeg/archive/version.{0}.tar.gz"
           return url_fmt.format(version)

@@ -155,7 +155,7 @@ builder class explicitly. Using the same example as above, this reads:

       def url_for_version(self, version):
           if version >= Version("2.1.1"):
-               return super(Openjpeg, self).url_for_version(version)
+               return super().url_for_version(version)
           url_fmt = "https://github.com/uclouvain/openjpeg/archive/version.{0}.tar.gz"
           return url_fmt.format(version)

@@ -3071,7 +3071,7 @@ follows:
       # The library provided by the bar virtual package
       @property
       def bar_libs(self):
-           return find_libraries("libFooBar", root=sef.home, recursive=True)
+           return find_libraries("libFooBar", root=self.home, recursive=True)

       # The baz virtual package home
       @property
--- a/lib/spack/docs/requirements.txt
+++ b/lib/spack/docs/requirements.txt
@@ -1,13 +1,13 @@
-# These dependencies should be installed using pip in order
-# to build the documentation.
-
-sphinx>=3.4,!=4.1.2,!=5.1.0
-sphinxcontrib-programoutput
-sphinx-design
-sphinx-rtd-theme
-python-levenshtein
-# Restrict to docutils <0.17 to workaround a list rendering issue in sphinx.
-# https://stackoverflow.com/questions/67542699
-docutils <0.17
-pygments <2.13
-urllib3 <2
+sphinx==6.2.1
+sphinxcontrib-programoutput==0.17
+sphinx_design==0.4.1
+sphinx-rtd-theme==1.2.2
+python-levenshtein==0.21.1
+docutils==0.18.1
+pygments==2.15.1
+urllib3==2.0.3
+pytest==7.4.0
+isort==5.12.0
+black==23.1.0
+flake8==6.0.0
+mypy==1.4.1
--- a/lib/spack/docs/signing.rst
+++ b/lib/spack/docs/signing.rst
@@ -0,0 +1,484 @@
+.. Copyright 2013-2022 Lawrence Livermore National Security, LLC and other
+   Spack Project Developers. See the top-level COPYRIGHT file for details.
+
+   SPDX-License-Identifier: (Apache-2.0 OR MIT)
+
+.. _signing:
+
+=====================
+Spack Package Signing
+=====================
+
+The goal of package signing in Spack is to provide data integrity
+assurances around official packages produced by the automated Spack CI
+pipelines. These assurances directly address the security of Spack’s
+software supply chain by explaining why a security-conscious user can
+be reasonably justified in the belief that packages installed via Spack
+have an uninterrupted auditable trail back to change management
+decisions judged to be appropriate by the Spack maintainers. This is
+achieved through cryptographic signing of packages built by Spack CI
+pipelines based on code that has been transparently reviewed and
+approved on GitHub. This document describes the signing process for
+interested users.
+
+.. _risks:
+
+------------------------------
+Risks, Impact and Threat Model
+------------------------------
+
+This document addresses the approach taken to safeguard Spack’s
+reputation with regard to the integrity of the package data produced by
+Spack’s CI pipelines. It does not address issues of data confidentiality
+(Spack is intended to be largely open source) or availability (efforts
+are described elsewhere). With that said the main reputational risk can
+be broadly categorized as a loss of faith in the data integrity due to a
+breach of the private key used to sign packages. Remediation of a
+private key breach would require republishing the public key with a
+revocation certificate, generating a new signing key, an assessment and
+potential rebuild/resigning of all packages since the key was breached,
+and finally direct intervention by every spack user to update their copy
+of Spack’s public keys used for local verification.
+
+The primary threat model used in mitigating the risks of these stated
+impacts is one of individual error not malicious intent or insider
+threat. The primary objective is to avoid the above impacts by making a
+private key breach nearly impossible due to oversight or configuration
+error. Obvious and straightforward measures are taken to mitigate issues
+of malicious interference in data integrity and insider threats but
+these attack vectors are not systematically addressed. It should be hard
+to exfiltrate the private key intentionally, and almost impossible to
+leak the key by accident.
+
+.. _overview:
+
+-----------------
+Pipeline Overview
+-----------------
+
+Spack pipelines build software through progressive stages where packages
+in later stages nominally depend on packages built in earlier stages.
+For both technical and design reasons these dependencies are not
+implemented through the default GitLab artifacts mechanism; instead
+built packages are uploaded to AWS S3 mirrors (buckets) where they are
+retrieved by subsequent stages in the pipeline. Two broad categories of
+pipelines exist: Pull Request (PR) pipelines and Develop/Release
+pipelines.
+
+-  PR pipelines are launched in response to pull requests made by
+   trusted and untrusted users. Packages built on these pipelines upload
+   code to quarantined AWS S3 locations which cache the built packages
+   for the purposes of review and iteration on the changes proposed in
+   the pull request. Packages built on PR pipelines can come from
+   untrusted users so signing of these pipelines is not implemented.
+   Jobs in these pipelines are executed via normal GitLab runners both
+   within the AWS GitLab infrastructure and at affiliated institutions.
+-  Develop and Release pipelines **sign** the packages they produce and carry
+   strong integrity assurances that trace back to auditable change management
+   decisions. These pipelines only run after members from a trusted group of
+   reviewers verify that the proposed changes in a pull request are appropriate.
+   Once the PR is merged, or a release is cut, a pipeline is run on protected
+   GitLab runners which provide access to the required signing keys within the
+   job. Intermediary keys are used to sign packages in each stage of the
+   pipeline as they are built and a final job officially signs each package
+   external to any specific packages’ build environment. An intermediate key
+   exists in the AWS infrastructure and for each affiliated instritution that
+   maintains protected runners. The runners that execute these pipelines
+   exclusively accept jobs from protected branches meaning the intermediate keys
+   are never exposed to unreviewed code and the official keys are never exposed
+   to any specific build environment.
+
+.. _key_architecture:
+
+----------------
+Key Architecture
+----------------
+
+Spack’s CI process uses public-key infrastructure (PKI) based on GNU Privacy
+Guard (gpg) keypairs to sign public releases of spack package metadata, also
+called specs. Two classes of GPG keys are involved in the process to reduce the
+impact of an individual private key compromise, these key classes are the
+*Intermediate CI Key* and *Reputational Key*. Each of these keys has signing
+sub-keys that are used exclusively for signing packages. This can be confusing
+so for the purpose of this explanation we’ll refer to Root and Signing keys.
+Each key has a private and a public component as well as one or more identities
+and zero or more signatures.
+
+-------------------
+Intermediate CI Key
+-------------------
+
+The Intermediate key class is used to sign and verify packages between stages
+within a develop or release pipeline. An intermediate key exists for the AWS
+infrastructure as well as each affiliated institution that maintains protected
+runners. These intermediate keys are made available to the GitLab execution
+environment building the package so that the package’s dependencies may be
+verified by the Signing Intermediate CI Public Key and the final package may be
+signed by the Signing Intermediate CI Private Key.
+
+
+---------------------------------------------------------------------------------------------------------+
+| **Intermediate CI Key (GPG)**                                                                           |
+==================================================+======================================================+
+| Root Intermediate CI Private Key (RSA 4096)#     |     Root Intermediate CI Public Key (RSA 4096)       |
+--------------------------------------------------+------------------------------------------------------+
+|   Signing Intermediate CI Private Key (RSA 4096) |        Signing Intermediate CI Public Key (RSA 4096) |
+--------------------------------------------------+------------------------------------------------------+
+| Identity: “Intermediate CI Key <maintainers@spack.io>”                                                  |
+---------------------------------------------------------------------------------------------------------+
+| Signatures: None                                                                                        |
+---------------------------------------------------------------------------------------------------------+
+
+
+The *Root intermediate CI Private Key*\ Is stripped out of the GPG key and
+stored offline completely separate from Spack’s infrastructure. This allows the
+core development team to append revocation certificates to the GPG key and
+issue new sub-keys for use in the pipeline. It is our expectation that this
+will happen on a semi regular basis. A corollary of this is that *this key
+should not be used to verify package integrity outside the internal CI process.*
+
+----------------
+Reputational Key
+----------------
+
+The Reputational Key is the public facing key used to sign complete groups of
+development and release packages. Only one key pair exsits in this class of
+keys. In contrast to the Intermediate CI Key the Reputational Key *should* be
+used to verify package integrity. At the end of develop and release pipeline a
+final pipeline job pulls down all signed package metadata built by the pipeline,
+verifies they were signed with an Intermediate CI Key, then strips the
+Intermediate CI Key signature from the package and re-signs them with the
+Signing Reputational Private Key. The officially signed packages are then
+uploaded back to the AWS S3 mirror. Please note that separating use of the
+reputational key into this final job is done to prevent leakage of the key in a
+spack package. Because the Signing Reputational Private Key is never exposed to
+a build job it cannot accidentally end up in any built package.
+
+
+---------------------------------------------------------------------------------------------------------+
+| **Reputational Key (GPG)**                                                                              |
+==================================================+======================================================+
+| Root Reputational Private Key (RSA 4096)#        |          Root Reputational Public Key (RSA 4096)     |
+--------------------------------------------------+------------------------------------------------------+
+| Signing Reputational Private Key (RSA 4096)      |          Signing Reputational Public Key (RSA 4096)  |
+--------------------------------------------------+------------------------------------------------------+
+| Identity: “Spack Project <maintainers@spack.io>”                                                        |
+---------------------------------------------------------------------------------------------------------+
+| Signatures: Signed by core development team [#f1]_                                                      |
+---------------------------------------------------------------------------------------------------------+
+
+The Root Reputational Private Key is stripped out of the GPG key and stored
+offline completely separate from Spack’s infrastructure. This allows the core
+development team to append revocation certificates to the GPG key in the
+unlikely event that the Signing Reputation Private Key is compromised. In
+general it is the expectation that rotating this key will happen infrequently if
+at all. This should allow relatively transparent verification for the end-user
+community without needing deep familiarity with GnuPG or Public Key
+Infrastructure.
+
+
+.. _build_cache_format:
+
+------------------
+Build Cache Format
+------------------
+
+A binary package consists of a metadata file unambiguously defining the
+built package (and including other details such as how to relocate it)
+and the installation directory of the package stored as a compressed
+archive file. The metadata files can either be unsigned, in which case
+the contents are simply the json-serialized concrete spec plus metadata,
+or they can be signed, in which case the json-serialized concrete spec
+plus metadata is wrapped in a gpg cleartext signature. Built package
+metadata files are named to indicate the operating system and
+architecture for which the package was built as well as the compiler
+used to build it and the packages name and version. For example::
+
+  linux-ubuntu18.04-haswell-gcc-7.5.0-zlib-1.2.12-llv2ysfdxnppzjrt5ldybb5c52qbmoow.spec.json.sig
+
+would contain the concrete spec and binary metadata for a binary package
+of ``zlib@1.2.12``, built for the ``ubuntu`` operating system and ``haswell``
+architecture. The id of the built package exists in the name of the file
+as well (after the package name and version) and in this case begins
+with ``llv2ys``. The id distinguishes a particular built package from all
+other built packages with the same os/arch, compiler, name, and version.
+Below is an example of a signed binary package metadata file. Such a
+file would live in the ``build_cache`` directory of a binary mirror::
+
+  -----BEGIN PGP SIGNED MESSAGE-----
+  Hash: SHA512
+
+  {
+    "spec": {
+      <concrete-spec-contents-omitted>
+    },
+
+    "buildcache_layout_version": 1,
+    "binary_cache_checksum": {
+      "hash_algorithm": "sha256",
+      "hash": "4f1e46452c35a5e61bcacca205bae1bfcd60a83a399af201a29c95b7cc3e1423"
+     },
+
+    "buildinfo": {
+      "relative_prefix":
+      "linux-ubuntu18.04-haswell/gcc-7.5.0/zlib-1.2.12-llv2ysfdxnppzjrt5ldybb5c52qbmoow",
+      "relative_rpaths": false
+    }
+  }
+
+  -----BEGIN PGP SIGNATURE-----
+  iQGzBAEBCgAdFiEETZn0sLle8jIrdAPLx/P+voVcifMFAmKAGvwACgkQx/P+voVc
+  ifNoVgv/VrhA+wurVs5GB9PhmMA1m5U/AfXZb4BElDRwpT8ZcTPIv5X8xtv60eyn
+  4EOneGVbZoMThVxgev/NKARorGmhFXRqhWf+jknJZ1dicpqn/qpv34rELKUpgXU+
+  QDQ4d1P64AIdTczXe2GI9ZvhOo6+bPvK7LIsTkBbtWmopkomVxF0LcMuxAVIbA6b
+  887yBvVO0VGlqRnkDW7nXx49r3AG2+wDcoU1f8ep8QtjOcMNaPTPJ0UnjD0VQGW6
+  4ZFaGZWzdo45MY6tF3o5mqM7zJkVobpoW3iUz6J5tjz7H/nMlGgMkUwY9Kxp2PVH
+  qoj6Zip3LWplnl2OZyAY+vflPFdFh12Xpk4FG7Sxm/ux0r+l8tCAPvtw+G38a5P7
+  QEk2JBr8qMGKASmnRlJUkm1vwz0a95IF3S9YDfTAA2vz6HH3PtsNLFhtorfx8eBi
+  Wn5aPJAGEPOawEOvXGGbsH4cDEKPeN0n6cy1k92uPEmBLDVsdnur8q42jk5c2Qyx
+  j3DXty57
+  =3gvm
+  -----END PGP SIGNATURE-----
+
+If a user has trusted the public key associated with the private key
+used to sign the above spec file, the signature can be verified with
+gpg, as follows::
+
+  $ gpg –verify linux-ubuntu18.04-haswell-gcc-7.5.0-zlib-1.2.12-llv2ysfdxnppzjrt5ldybb5c52qbmoow.spec.json.sig
+
+The metadata (regardless whether signed or unsigned) contains the checksum
+of the ``.spack`` file containing the actual installation. The checksum should
+be compared to a checksum computed locally on the ``.spack`` file to ensure the
+contents have not changed since the binary spec plus metadata were signed. The
+``.spack`` files are actually tarballs containing the compressed archive of the
+install tree.  These files, along with the metadata files, live within the
+``build_cache`` directory of the mirror, and together are organized as follows::
+
+  build_cache/
+    # unsigned metadata (for indexing, contains sha256 of .spack file)
+    <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spec.json
+    # clearsigned metadata (same as above, but signed)
+    <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spec.json.sig
+    <arch>/
+      <compiler>/
+        <name>-<ver>/
+          # tar.gz-compressed prefix (may support more compression formats later)
+          <arch>-<compiler>-<name>-<ver>-24zvipcqgg2wyjpvdq2ajy5jnm564hen.spack
+
+Uncompressing and extracting the ``.spack`` file results in the install tree.
+This is in contrast to previous versions of spack, where the ``.spack`` file
+contained a (duplicated) metadata file, a signature file and a nested tarball
+containing the install tree.
+
+.. _internal_implementation:
+
+-----------------------
+Internal Implementation
+-----------------------
+
+The technical implementation of the pipeline signing process includes components
+defined in Amazon Web Services, the Kubernetes cluster, at affilicated
+institutions, and the GitLab/GitLab Runner deployment. We present the techincal
+implementation in two interdependent sections. The first addresses how secrets
+are managed through the lifecycle of a develop or release pipeline. The second
+section describes how Gitlab Runner and pipelines are configured and managed to
+support secure automated signing.
+
+Secrets Management
+^^^^^^^^^^^^^^^^^^
+
+As stated above the Root Private Keys (intermediate and reputational)
+are stripped from the GPG keys and stored outside Spack’s
+infrastructure.
+
+.. warning::
+  **TODO**
+    - Explanation here about where and how access is handled for these keys.
+    - Both Root private keys are protected with strong passwords
+    - Who has access to these and how?
+
+**Intermediate CI Key**
+-----------------------
+
+Multiple intermediate CI signing keys exist, one Intermediate CI Key for jobs
+run in AWS, and one key for each affiliated institution (e.g. Univerity of
+Oregon). Here we describe how the Intermediate CI Key is managed in AWS:
+
+The Intermediate CI Key (including the Signing Intermediate CI Private Key is
+exported as an ASCII armored file and stored in a Kubernetes secret called
+``spack-intermediate-ci-signing-key``. For convenience sake, this same secret
+contains an ASCII-armored export of just the *public* components of the
+Reputational Key. This secret also contains the *public* components of each of
+the affiliated institutions' Intermediate CI Key. These are potentially needed
+to verify dependent packages which may have been found in the public mirror or
+built by a protected job running on an affiliated institution's infrastrcuture
+in an earlier stage of the pipeline.
+
+Procedurally the ``spack-intermediate-ci-signing-key`` secret is used in
+the following way:
+
+1. A ``large-arm-prot`` or ``large-x86-prot`` protected runner picks up
+   a job tagged ``protected`` from a protected GitLab branch. (See
+   `Protected Runners and Reserved Tags <#_8bawjmgykv0b>`__).
+2. Based on its configuration, the runner creates a job Pod in the
+   pipeline namespace and mounts the spack-intermediate-ci-signing-key
+   Kubernetes secret into the build container
+3. The Intermediate CI Key, affiliated institutions' public key and the
+   Reputational Public Key are imported into a keyring by the ``spack gpg …``
+   sub-command. This is initiated by the job’s build script which is created by
+   the generate job at the beginning of the pipeline.
+4. Assuming the package has dependencies those specs are verified using
+   the keyring.
+5. The package is built and the spec.json is generated
+6. The spec.json is signed by the keyring and uploaded to the mirror’s
+   build cache.
+
+**Reputational Key**
+--------------------
+
+Because of the increased impact to end users in the case of a private
+key breach, the Reputational Key is managed separately from the
+Intermediate CI Keys and has additional controls. First, the Reputational
+Key was generated outside of Spack’s infrastructure and has been signed
+by the core development team. The Reputational Key (along with the
+Signing Reputational Private Key) was then ASCII armor exported to a
+file. Unlike the Intermediate CI Key this exported file is not stored as
+a base64 encoded secret in Kubernetes. Instead\ *the key file
+itself*\ is encrypted and stored in Kubernetes as the
+``spack-signing-key-encrypted`` secret in the pipeline namespace.
+
+The encryption of the exported Reputational Key (including the Signing
+Reputational Private Key) is handled by `AWS Key Management Store (KMS) data
+keys
+<https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys>`__.
+The private key material is decrypted and imported at the time of signing into a
+memory mounted temporary directory holding the keychain. The signing job uses
+the `AWS Encryption SDK
+<https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/crypto-cli.html>`__
+(i.e. ``aws-encryption-cli``) to decrypt the Reputational Key. Permission to
+decrypt the key is granted to the job Pod through a Kubernetes service account
+specifically used for this, and only this, function. Finally, for convenience
+sake, this same secret contains an ASCII-armored export of the *public*
+components of the Intermediate CI Keys and the Reputational Key. This allows the
+signing script to verify that packages were built by the pipeline (both on AWS
+or at affiliated institutions), or signed previously as a part of a different
+pipeline. This is is done *before* importing decrypting and importing the
+Signing Reputational Private Key material and officially signing the packages.
+
+Procedurally the ``spack-singing-key-encrypted`` secret is used in the
+following way:
+
+1.  The ``spack-package-signing-gitlab-runner`` protected runner picks
+    up a job tagged ``notary`` from a protected GitLab branch (See
+    `Protected Runners and Reserved Tags <#_8bawjmgykv0b>`__).
+2.  Based on its configuration, the runner creates a job pod in the
+    pipeline namespace. The job is run in a stripped down purpose-built
+    image ``ghcr.io/spack/notary:latest`` Docker image. The runner is
+    configured to only allow running jobs with this image.
+3.  The runner also mounts the ``spack-signing-key-encrypted`` secret to
+    a path on disk. Note that this becomes several files on disk, the
+    public components of the Intermediate CI Keys, the public components
+    of the Reputational CI, and an AWS KMS encrypted file containing the
+    Singing Reputational Private Key.
+4.  In addition to the secret, the runner creates a tmpfs memory mounted
+    directory where the GnuPG keyring will be created to verify, and
+    then resign the package specs.
+5.  The job script syncs all spec.json.sig files from the build cache to
+    a working directory in the job’s execution environment.
+6.  The job script then runs the ``sign.sh`` script built into the
+    notary Docker image.
+7.  The ``sign.sh`` script imports the public components of the
+    Reputational and Intermediate CI Keys and uses them to verify good
+    signatures on the spec.json.sig files. If any signed spec does not
+    verify the job immediately fails.
+8.  Assuming all specs are verified, the ``sign.sh`` script then unpacks
+    the spec json data from the signed file in preparation for being
+    re-signed with the Reputational Key.
+9.  The private components of the Reputational Key are decrypted to
+    standard out using ``aws-encryption-cli`` directly into a ``gpg
+    –import …`` statement which imports the key into the
+    keyring mounted in-memory.
+10. The private key is then used to sign each of the json specs and the
+    keyring is removed from disk.
+11. The re-signed json specs are resynced to the AWS S3 Mirror and the
+    public signing of the packages for the develop or release pipeline
+    that created them is complete.
+
+Non service-account access to the private components of the Reputational
+Key that are managed through access to the symmetric secret in KMS used
+to encrypt the data key (which in turn is used to encrypt the GnuPG key
+- See:\ `Encryption SDK
+Documentation <https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/crypto-cli-examples.html#cli-example-encrypt-file>`__).
+A small trusted subset of the core development team are the only
+individuals with access to this symmetric key.
+
+.. _protected_runners:
+
+Protected Runners and Reserved Tags
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Spack has a large number of Gitlab Runners operating in its build farm.
+These include runners deployed in the AWS Kubernetes cluster as well as
+runners deployed at affiliated institutions. The majority of runners are
+shared runners that operate across projects in gitlab.spack.io. These
+runners pick up jobs primarily from the spack/spack project and execute
+them in PR pipelines.
+
+A small number of runners operating on AWS and at affiliated institutions are
+registered as specific *protected* runners on the spack/spack project. In
+addition to protected runners there are protected branches on the spack/spack
+project. These are the ``develop`` branch, any release branch (i.e. managed with
+the ``releases/v*`` wildcard) and any tag branch (managed with the ``v*``
+wildcard) Finally Spack’s pipeline generation code reserves certain tags to make
+sure jobs are routed to the correct runners, these tags are ``public``,
+``protected``, and ``notary``. Understanding how all this works together to
+protect secrets and provide integrity assurances can be a little confusing so
+lets break these down:
+
+-  **Protected Branches**- Protected branches in Spack prevent anyone
+   other than Maintainers in GitLab from pushing code. In the case of
+   Spack the only Maintainer level entity pushing code to protected
+   branches is Spack bot. Protecting branches also marks them in such a
+   way that Protected Runners will only run jobs from those branches
+- **Protected Runners**- Protected Runners only run jobs from protected
+   branches. Because protected runners have access to secrets, it's critical
+   that they not run Jobs from untrusted code (i.e. PR branches). If they did it
+   would be possible for a PR branch to tag a job in such a way that a protected
+   runner executed that job and mounted secrets into a code execution
+   environment that had not been reviewed by Spack maintainers. Note however
+   that in the absence of tagging used to route jobs, public runners *could* run
+   jobs from protected branches. No secrets would be at risk of being breached
+   because non-protected runners do not have access to those secrets; lack of
+   secrets would, however, cause the jobs to fail.
+- **Reserved Tags**- To mitigate the issue of public runners picking up
+   protected jobs Spack uses a small set of “reserved” job tags (Note that these
+   are *job* tags not git tags). These tags are “public”, “private”, and
+   “notary.” The majority of jobs executed in Spack’s GitLab instance are
+   executed via a ``generate`` job. The generate job code systematically ensures
+   that no user defined configuration sets these tags. Instead, the ``generate``
+   job sets these tags based on rules related to the branch where this pipeline
+   originated. If the job is a part of a pipeline on a PR branch it sets the
+   ``public`` tag. If the job is part of a pipeline on a protected branch it
+   sets the ``protected`` tag. Finally if the job is the package signing job and
+   it is running on a pipeline that is part of a protected branch then it sets
+   the ``notary`` tag.
+
+Protected Runners are configured to only run jobs from protected branches. Only
+jobs running in pipelines on protected branches are tagged with ``protected`` or
+``notary`` tags. This tightly couples jobs on protected branches to protected
+runners that provide access to the secrets required to sign the built packages.
+The secrets are can **only** be accessed via:
+
+1. Runners under direct control of the core development team.
+2. Runners under direct control of trusted maintainers at affiliated institutions.
+3. By code running the automated pipeline that has been reviewed by the
+   Spack maintainers and judged to be appropriate.
+
+Other attempts (either through malicious intent or incompetence) can at
+worst grab jobs intended for protected runners which will cause those
+jobs to fail alerting both Spack maintainers and the core development
+team.
+
+.. [#f1]
+   The Reputational Key has also cross signed core development team
+   keys.
--- a/lib/spack/env/cc
+++ b/lib/spack/env/cc
@@ -416,30 +416,14 @@ input_command="$*"
 # The lists are all bell-separated to be as flexible as possible, as their
 # contents may come from the command line, from ' '-separated lists,
 # ':'-separated lists, etc.
-include_dirs_list=""
-lib_dirs_list=""
-rpath_dirs_list=""
-system_include_dirs_list=""
-system_lib_dirs_list=""
-system_rpath_dirs_list=""
-isystem_system_include_dirs_list=""
-isystem_include_dirs_list=""
-libs_list=""
-other_args_list=""
-
-# Global state for keeping track of -Wl,-rpath -Wl,/path
-wl_expect_rpath=no
-
-# Same, but for -Xlinker -rpath -Xlinker /path
-xlinker_expect_rpath=no

 parse_Wl() {
    while [ $# -ne 0 ]; do
    if [ "$wl_expect_rpath" = yes ]; then
        if system_dir "$1"; then
-            append system_rpath_dirs_list "$1"
+            append return_system_rpath_dirs_list "$1"
        else
-            append rpath_dirs_list "$1"
+            append return_rpath_dirs_list "$1"
        fi
        wl_expect_rpath=no
    else
@@ -449,9 +433,9 @@ parse_Wl() {
                if [ -z "$arg" ]; then
                    shift; continue
                elif system_dir "$arg"; then
-                    append system_rpath_dirs_list "$arg"
+                    append return_system_rpath_dirs_list "$arg"
                else
-                    append rpath_dirs_list "$arg"
+                    append return_rpath_dirs_list "$arg"
                fi
                ;;
            --rpath=*)
@@ -459,9 +443,9 @@ parse_Wl() {
                if [ -z "$arg" ]; then
                    shift; continue
                elif system_dir "$arg"; then
-                    append system_rpath_dirs_list "$arg"
+                    append return_system_rpath_dirs_list "$arg"
                else
-                    append rpath_dirs_list "$arg"
+                    append return_rpath_dirs_list "$arg"
                fi
                ;;
            -rpath|--rpath)
@@ -475,7 +459,7 @@ parse_Wl() {
                return 1
                ;;
            *)
-                append other_args_list "-Wl,$1"
+                append return_other_args_list "-Wl,$1"
                ;;
        esac
    fi
@@ -483,177 +467,210 @@ parse_Wl() {
    done
 }

+categorize_arguments() {

-while [ $# -ne 0 ]; do
+    unset IFS

-    # an RPATH to be added after the case statement.
-    rp=""
+    return_other_args_list=""
+    return_isystem_was_used=""
+    return_isystem_system_include_dirs_list=""
+    return_isystem_include_dirs_list=""
+    return_system_include_dirs_list=""
+    return_include_dirs_list=""
+    return_system_lib_dirs_list=""
+    return_lib_dirs_list=""
+    return_system_rpath_dirs_list=""
+    return_rpath_dirs_list=""

-    # Multiple consecutive spaces in the command line can
-    # result in blank arguments
-    if [ -z "$1" ]; then
-        shift
-        continue
-    fi
+    # Global state for keeping track of -Wl,-rpath -Wl,/path
+    wl_expect_rpath=no

-    if [ -n "${SPACK_COMPILER_FLAGS_KEEP}" ] ; then
-        # NOTE: the eval is required to allow `|` alternatives inside the variable
-        eval "\
-        case \"\$1\" in
-            $SPACK_COMPILER_FLAGS_KEEP)
-                append other_args_list \"\$1\"
+    # Same, but for -Xlinker -rpath -Xlinker /path
+    xlinker_expect_rpath=no
+
+    while [ $# -ne 0 ]; do
+
+        # an RPATH to be added after the case statement.
+        rp=""
+
+        # Multiple consecutive spaces in the command line can
+        # result in blank arguments
+        if [ -z "$1" ]; then
+            shift
+            continue
+        fi
+
+        if [ -n "${SPACK_COMPILER_FLAGS_KEEP}" ] ; then
+            # NOTE: the eval is required to allow `|` alternatives inside the variable
+            eval "\
+            case \"\$1\" in
+                $SPACK_COMPILER_FLAGS_KEEP)
+                    append return_other_args_list \"\$1\"
+                    shift
+                    continue
+                    ;;
+            esac
+            "
+        fi
+        # the replace list is a space-separated list of pipe-separated pairs,
+        # the first in each pair is the original prefix to be matched, the
+        # second is the replacement prefix
+        if [ -n "${SPACK_COMPILER_FLAGS_REPLACE}" ] ; then
+            for rep in ${SPACK_COMPILER_FLAGS_REPLACE} ; do
+                before=${rep%|*}
+                after=${rep#*|}
+                eval "\
+                stripped=\"\${1##$before}\"
+                "
+                if [ "$stripped" = "$1" ] ; then
+                    continue
+                fi
+
+                replaced="$after$stripped" 
+
+                # it matched, remove it
                shift
-                continue
+
+                if [ -z "$replaced" ] ; then
+                    # completely removed, continue OUTER loop
+                    continue 2
+                fi
+
+                # re-build argument list with replacement
+                set -- "$replaced" "$@"
+            done
+        fi
+
+        case "$1" in
+            -isystem*)
+                arg="${1#-isystem}"
+                return_isystem_was_used=true
+                if [ -z "$arg" ]; then shift; arg="$1"; fi
+                if system_dir "$arg"; then
+                    append return_isystem_system_include_dirs_list "$arg"
+                else
+                    append return_isystem_include_dirs_list "$arg"
+                fi
+                ;;
+            -I*)
+                arg="${1#-I}"
+                if [ -z "$arg" ]; then shift; arg="$1"; fi
+                if system_dir "$arg"; then
+                    append return_system_include_dirs_list "$arg"
+                else
+                    append return_include_dirs_list "$arg"
+                fi
+                ;;
+            -L*)
+                arg="${1#-L}"
+                if [ -z "$arg" ]; then shift; arg="$1"; fi
+                if system_dir "$arg"; then
+                    append return_system_lib_dirs_list "$arg"
+                else
+                    append return_lib_dirs_list "$arg"
+                fi
+                ;;
+            -l*)
+                # -loopopt=0 is generated erroneously in autoconf <= 2.69,
+                # and passed by ifx to the linker, which confuses it with a
+                # library. Filter it out.
+                # TODO: generalize filtering of args with an env var, so that
+                # TODO: we do not have to special case this here.
+                if { [ "$mode" = "ccld" ] || [ $mode = "ld" ]; } \
+                    && [ "$1" != "${1#-loopopt}" ]; then
+                    shift
+                    continue
+                fi
+                arg="${1#-l}"
+                if [ -z "$arg" ]; then shift; arg="$1"; fi
+                append return_other_args_list "-l$arg"
+                ;;
+            -Wl,*)
+                IFS=,
+                if ! parse_Wl ${1#-Wl,}; then
+                    append return_other_args_list "$1"
+                fi
+                unset IFS
+                ;;
+            -Xlinker)
+                shift
+                if [ $# -eq 0 ]; then
+                    # -Xlinker without value: let the compiler error about it.
+                    append return_other_args_list -Xlinker
+                    xlinker_expect_rpath=no
+                    break
+                elif [ "$xlinker_expect_rpath" = yes ]; then
+                    # Register the path of -Xlinker -rpath <other args> -Xlinker <path>
+                    if system_dir "$1"; then
+                        append return_system_rpath_dirs_list "$1"
+                    else
+                        append return_rpath_dirs_list "$1"
+                    fi
+                    xlinker_expect_rpath=no
+                else
+                    case "$1" in
+                        -rpath=*)
+                            arg="${1#-rpath=}"
+                            if system_dir "$arg"; then
+                                append return_system_rpath_dirs_list "$arg"
+                            else
+                                append return_rpath_dirs_list "$arg"
+                            fi
+                            ;;
+                        --rpath=*)
+                            arg="${1#--rpath=}"
+                            if system_dir "$arg"; then
+                                append return_system_rpath_dirs_list "$arg"
+                            else
+                                append return_rpath_dirs_list "$arg"
+                            fi
+                            ;;
+                        -rpath|--rpath)
+                            xlinker_expect_rpath=yes
+                            ;;
+                        "$dtags_to_strip")
+                            ;;
+                        *)
+                            append return_other_args_list -Xlinker
+                            append return_other_args_list "$1"
+                            ;;
+                    esac
+                fi
+                ;;
+            "$dtags_to_strip")
+                ;;
+            *)
+                append return_other_args_list "$1"
                ;;
        esac
-        "
-    fi
-    # the replace list is a space-separated list of pipe-separated pairs,
-    # the first in each pair is the original prefix to be matched, the
-    # second is the replacement prefix
-    if [ -n "${SPACK_COMPILER_FLAGS_REPLACE}" ] ; then
-        for rep in ${SPACK_COMPILER_FLAGS_REPLACE} ; do
-            before=${rep%|*}
-            after=${rep#*|}
-            eval "\
-            stripped=\"\${1##$before}\"
-            "
-            if [ "$stripped" = "$1" ] ; then
-                continue
-            fi
+        shift
+    done

-            replaced="$after$stripped" 
-
-            # it matched, remove it
-            shift
-
-            if [ -z "$replaced" ] ; then
-                # completely removed, continue OUTER loop
-                continue 2
-            fi
-
-            # re-build argument list with replacement
-            set -- "$replaced" "$@"
-        done
+    # We found `-Xlinker -rpath` but no matching value `-Xlinker /path`. Just append
+    # `-Xlinker -rpath` again and let the compiler or linker handle the error during arg
+    # parsing.
+    if [ "$xlinker_expect_rpath" = yes ]; then
+        append return_other_args_list -Xlinker
+        append return_other_args_list -rpath
    fi

-    case "$1" in
-        -isystem*)
-            arg="${1#-isystem}"
-            isystem_was_used=true
-            if [ -z "$arg" ]; then shift; arg="$1"; fi
-            if system_dir "$arg"; then
-                append isystem_system_include_dirs_list "$arg"
-            else
-                append isystem_include_dirs_list "$arg"
-            fi
-            ;;
-        -I*)
-            arg="${1#-I}"
-            if [ -z "$arg" ]; then shift; arg="$1"; fi
-            if system_dir "$arg"; then
-                append system_include_dirs_list "$arg"
-            else
-                append include_dirs_list "$arg"
-            fi
-            ;;
-        -L*)
-            arg="${1#-L}"
-            if [ -z "$arg" ]; then shift; arg="$1"; fi
-            if system_dir "$arg"; then
-                append system_lib_dirs_list "$arg"
-            else
-                append lib_dirs_list "$arg"
-            fi
-            ;;
-        -l*)
-            # -loopopt=0 is generated erroneously in autoconf <= 2.69,
-            # and passed by ifx to the linker, which confuses it with a
-            # library. Filter it out.
-            # TODO: generalize filtering of args with an env var, so that
-            # TODO: we do not have to special case this here.
-            if { [ "$mode" = "ccld" ] || [ $mode = "ld" ]; } \
-                && [ "$1" != "${1#-loopopt}" ]; then
-                shift
-                continue
-            fi
-            arg="${1#-l}"
-            if [ -z "$arg" ]; then shift; arg="$1"; fi
-            append other_args_list "-l$arg"
-            ;;
-        -Wl,*)
-            IFS=,
-            if ! parse_Wl ${1#-Wl,}; then
-                append other_args_list "$1"
-            fi
-            unset IFS
-            ;;
-        -Xlinker)
-            shift
-            if [ $# -eq 0 ]; then
-                # -Xlinker without value: let the compiler error about it.
-                append other_args_list -Xlinker
-                xlinker_expect_rpath=no
-                break
-            elif [ "$xlinker_expect_rpath" = yes ]; then
-                # Register the path of -Xlinker -rpath <other args> -Xlinker <path>
-                if system_dir "$1"; then
-                    append system_rpath_dirs_list "$1"
-                else
-                    append rpath_dirs_list "$1"
-                fi
-                xlinker_expect_rpath=no
-            else
-                case "$1" in
-                    -rpath=*)
-                        arg="${1#-rpath=}"
-                        if system_dir "$arg"; then
-                            append system_rpath_dirs_list "$arg"
-                        else
-                            append rpath_dirs_list "$arg"
-                        fi
-                        ;;
-                    --rpath=*)
-                        arg="${1#--rpath=}"
-                        if system_dir "$arg"; then
-                            append system_rpath_dirs_list "$arg"
-                        else
-                            append rpath_dirs_list "$arg"
-                        fi
-                        ;;
-                    -rpath|--rpath)
-                        xlinker_expect_rpath=yes
-                        ;;
-                    "$dtags_to_strip")
-                        ;;
-                    *)
-                        append other_args_list -Xlinker
-                        append other_args_list "$1"
-                        ;;
-                esac
-            fi
-            ;;
-        "$dtags_to_strip")
-            ;;
-        *)
-            append other_args_list "$1"
-            ;;
-    esac
-    shift
-done
+    # Same, but for -Wl flags.
+    if [ "$wl_expect_rpath" = yes ]; then
+        append return_other_args_list -Wl,-rpath
+    fi
+}

-# We found `-Xlinker -rpath` but no matching value `-Xlinker /path`. Just append
-# `-Xlinker -rpath` again and let the compiler or linker handle the error during arg
-# parsing.
-if [ "$xlinker_expect_rpath" = yes ]; then
-    append other_args_list -Xlinker
-    append other_args_list -rpath
-fi
-
-# Same, but for -Wl flags.
-if [ "$wl_expect_rpath" = yes ]; then
-    append other_args_list -Wl,-rpath
-fi
+categorize_arguments "$@"
+    include_dirs_list="$return_include_dirs_list"
+    lib_dirs_list="$return_lib_dirs_list"
+    rpath_dirs_list="$return_rpath_dirs_list"
+    system_include_dirs_list="$return_system_include_dirs_list"
+    system_lib_dirs_list="$return_system_lib_dirs_list"
+    system_rpath_dirs_list="$return_system_rpath_dirs_list"
+    isystem_was_used="$return_isystem_was_used"
+    isystem_system_include_dirs_list="$return_isystem_system_include_dirs_list"
+    isystem_include_dirs_list="$return_isystem_include_dirs_list"
+    other_args_list="$return_other_args_list"

 #
 # Add flags from Spack's cppflags, cflags, cxxflags, fcflags, fflags, and
@@ -673,12 +690,14 @@ elif [ "$SPACK_ADD_DEBUG_FLAGS" = "custom" ]; then
    extend flags_list SPACK_DEBUG_FLAGS
 fi

+spack_flags_list=""
+
 # Fortran flags come before CPPFLAGS
 case "$mode" in
    cc|ccld)
        case $lang_flags in
            F)
-                extend flags_list SPACK_FFLAGS
+                extend spack_flags_list SPACK_FFLAGS
                ;;
        esac
        ;;
@@ -687,7 +706,7 @@ esac
 # C preprocessor flags come before any C/CXX flags
 case "$mode" in
    cpp|as|cc|ccld)
-        extend flags_list SPACK_CPPFLAGS
+        extend spack_flags_list SPACK_CPPFLAGS
        ;;
 esac

@@ -697,10 +716,10 @@ case "$mode" in
    cc|ccld)
        case $lang_flags in
            C)
-                extend flags_list SPACK_CFLAGS
+                extend spack_flags_list SPACK_CFLAGS
                ;;
            CXX)
-                extend flags_list SPACK_CXXFLAGS
+                extend spack_flags_list SPACK_CXXFLAGS
                ;;
        esac

@@ -712,10 +731,25 @@ esac
 # Linker flags
 case "$mode" in
    ld|ccld)
-        extend flags_list SPACK_LDFLAGS
+        extend spack_flags_list SPACK_LDFLAGS
        ;;
 esac

+IFS="$lsep"
+    categorize_arguments $spack_flags_list
+unset IFS
+        spack_flags_include_dirs_list="$return_include_dirs_list"
+        spack_flags_lib_dirs_list="$return_lib_dirs_list"
+        spack_flags_rpath_dirs_list="$return_rpath_dirs_list"
+        spack_flags_system_include_dirs_list="$return_system_include_dirs_list"
+        spack_flags_system_lib_dirs_list="$return_system_lib_dirs_list"
+        spack_flags_system_rpath_dirs_list="$return_system_rpath_dirs_list"
+        spack_flags_isystem_was_used="$return_isystem_was_used"
+        spack_flags_isystem_system_include_dirs_list="$return_isystem_system_include_dirs_list"
+        spack_flags_isystem_include_dirs_list="$return_isystem_include_dirs_list"
+        spack_flags_other_args_list="$return_other_args_list"
+
+
 # On macOS insert headerpad_max_install_names linker flag
 if [ "$mode" = ld ] || [ "$mode" = ccld ]; then
    if [ "${SPACK_SHORT_SPEC#*darwin}" != "${SPACK_SHORT_SPEC}" ]; then
@@ -741,6 +775,8 @@ if [ "$mode" = ccld ] || [ "$mode" = ld ]; then
    extend lib_dirs_list SPACK_LINK_DIRS
 fi

+libs_list=""
+
 # add RPATHs if we're in in any linking mode
 case "$mode" in
    ld|ccld)
@@ -769,12 +805,16 @@ args_list="$flags_list"

 # Insert include directories just prior to any system include directories
 # NOTE: adding ${lsep} to the prefix here turns every added element into two
+extend args_list spack_flags_include_dirs_list "-I"
 extend args_list include_dirs_list "-I"
+extend args_list spack_flags_isystem_include_dirs_list "-isystem${lsep}"
 extend args_list isystem_include_dirs_list "-isystem${lsep}"

 case "$mode" in
    cpp|cc|as|ccld)
-        if [ "$isystem_was_used" = "true" ]; then
+        if [ "$spack_flags_isystem_was_used" = "true" ]; then
+            extend args_list SPACK_INCLUDE_DIRS "-isystem${lsep}"
+        elif [ "$isystem_was_used" = "true" ]; then
            extend args_list SPACK_INCLUDE_DIRS "-isystem${lsep}"
        else
            extend args_list SPACK_INCLUDE_DIRS "-I"
@@ -782,11 +822,15 @@ case "$mode" in
        ;;
 esac

+extend args_list spack_flags_system_include_dirs_list -I
 extend args_list system_include_dirs_list -I
+extend args_list spack_flags_isystem_system_include_dirs_list "-isystem${lsep}"
 extend args_list isystem_system_include_dirs_list "-isystem${lsep}"

 # Library search paths
+extend args_list spack_flags_lib_dirs_list "-L"
 extend args_list lib_dirs_list "-L"
+extend args_list spack_flags_system_lib_dirs_list "-L"
 extend args_list system_lib_dirs_list "-L"

 # RPATHs arguments
@@ -795,20 +839,25 @@ case "$mode" in
        if [ -n "$dtags_to_add" ] ; then
            append args_list "$linker_arg$dtags_to_add"
        fi
+        extend args_list spack_flags_rpath_dirs_list "$rpath"
        extend args_list rpath_dirs_list "$rpath"
+        extend args_list spack_flags_system_rpath_dirs_list "$rpath"
        extend args_list system_rpath_dirs_list "$rpath"
        ;;
    ld)
        if [ -n "$dtags_to_add" ] ; then
            append args_list "$dtags_to_add"
        fi
+        extend args_list spack_flags_rpath_dirs_list "-rpath${lsep}"
        extend args_list rpath_dirs_list "-rpath${lsep}"
+        extend args_list spack_flags_system_rpath_dirs_list "-rpath${lsep}"
        extend args_list system_rpath_dirs_list "-rpath${lsep}"
        ;;
 esac

 # Other arguments from the input command
 extend args_list other_args_list
+extend args_list spack_flags_other_args_list

 # Inject SPACK_LDLIBS, if supplied
 extend args_list libs_list "-l"
@@ -864,3 +913,4 @@ fi
 # Execute the full command, preserving spaces with IFS set
 # to the alarm bell separator.
 IFS="$lsep"; exec $full_command_list
+
--- a/lib/spack/external/ctest_log_parser.py
+++ b/lib/spack/external/ctest_log_parser.py
@@ -65,9 +65,6 @@
 up to date with CTest, just make sure the ``*_matches`` and
 ``*_exceptions`` lists are kept up to date with CTest's build handler.
 """
-from __future__ import print_function
-from __future__ import division
-
 import re
 import math
 import multiprocessing
@@ -211,7 +208,7 @@
 ]


-class LogEvent(object):
+class LogEvent:
    """Class representing interesting events (e.g., errors) in a build log."""
    def __init__(self, text, line_no,
                 source_file=None, source_line_no=None,
@@ -348,7 +345,7 @@ def _parse_unpack(args):
    return _parse(*args)


-class CTestLogParser(object):
+class CTestLogParser:
    """Log file parser that extracts errors and warnings."""
    def __init__(self, profile=False):
        # whether to record timing information
--- a/lib/spack/llnl/util/argparsewriter.py
+++ b/lib/spack/llnl/util/argparsewriter.py
@@ -3,33 +3,42 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
+import abc
 import argparse
-import errno
 import io
 import re
 import sys
+from argparse import ArgumentParser
+from typing import IO, Any, Iterable, List, Optional, Sequence, Tuple, Union


-class Command(object):
+class Command:
    """Parsed representation of a command from argparse.

-    This is a single command from an argparse parser. ``ArgparseWriter``
-    creates these and returns them from ``parse()``, and it passes one of
-    these to each call to ``format()`` so that we can take an action for
-    a single command.
-
-    Parts of a Command:
-      - prog: command name (str)
-      - description: command description (str)
-      - usage: command usage (str)
-      - positionals: list of positional arguments (list)
-      - optionals: list of optional arguments (list)
-      - subcommands: list of subcommand parsers (list)
+    This is a single command from an argparse parser. ``ArgparseWriter`` creates these and returns
+    them from ``parse()``, and it passes one of these to each call to ``format()`` so that we can
+    take an action for a single command.
    """

-    def __init__(self, prog, description, usage, positionals, optionals, subcommands):
+    def __init__(
+        self,
+        prog: str,
+        description: Optional[str],
+        usage: str,
+        positionals: List[Tuple[str, Optional[Iterable[Any]], Union[int, str, None], str]],
+        optionals: List[Tuple[Sequence[str], List[str], str, Union[int, str, None], str]],
+        subcommands: List[Tuple[ArgumentParser, str, str]],
+    ) -> None:
+        """Initialize a new Command instance.
+
+        Args:
+            prog: Program name.
+            description: Command description.
+            usage: Command usage.
+            positionals: List of positional arguments.
+            optionals: List of optional arguments.
+            subcommands: List of subcommand parsers.
+        """
        self.prog = prog
        self.description = description
        self.usage = usage
@@ -38,35 +47,34 @@ def __init__(self, prog, description, usage, positionals, optionals, subcommands
        self.subcommands = subcommands


-# NOTE: The only reason we subclass argparse.HelpFormatter is to get access
-# to self._expand_help(), ArgparseWriter is not intended to be used as a
-# formatter_class.
-class ArgparseWriter(argparse.HelpFormatter):
-    """Analyzes an argparse ArgumentParser for easy generation of help."""
+# NOTE: The only reason we subclass argparse.HelpFormatter is to get access to self._expand_help(),
+# ArgparseWriter is not intended to be used as a formatter_class.
+class ArgparseWriter(argparse.HelpFormatter, abc.ABC):
+    """Analyze an argparse ArgumentParser for easy generation of help."""

-    def __init__(self, prog, out=None, aliases=False):
-        """Initializes a new ArgparseWriter instance.
+    def __init__(self, prog: str, out: IO = sys.stdout, aliases: bool = False) -> None:
+        """Initialize a new ArgparseWriter instance.

-        Parameters:
-            prog (str): the program name
-            out (file object): the file to write to (default sys.stdout)
-            aliases (bool): whether or not to include subparsers for aliases
+        Args:
+            prog: Program name.
+            out: File object to write to.
+            aliases: Whether or not to include subparsers for aliases.
        """
-        super(ArgparseWriter, self).__init__(prog)
+        super().__init__(prog)
        self.level = 0
        self.prog = prog
-        self.out = sys.stdout if out is None else out
+        self.out = out
        self.aliases = aliases

-    def parse(self, parser, prog):
-        """Parses the parser object and returns the relavent components.
+    def parse(self, parser: ArgumentParser, prog: str) -> Command:
+        """Parse the parser object and return the relavent components.

-        Parameters:
-            parser (argparse.ArgumentParser): the parser
-            prog (str): the command name
+        Args:
+            parser: Command parser.
+            prog: Program name.

        Returns:
-            (Command) information about the command from the parser
+            Information about the command from the parser.
        """
        self.parser = parser

@@ -80,8 +88,7 @@ def parse(self, parser, prog):
        groups = parser._mutually_exclusive_groups
        usage = fmt._format_usage(None, actions, groups, "").strip()

-        # Go through actions and split them into optionals, positionals,
-        # and subcommands
+        # Go through actions and split them into optionals, positionals, and subcommands
        optionals = []
        positionals = []
        subcommands = []
@@ -89,74 +96,97 @@ def parse(self, parser, prog):
            if action.option_strings:
                flags = action.option_strings
                dest_flags = fmt._format_action_invocation(action)
-                help = self._expand_help(action) if action.help else ""
-                help = help.replace("\n", " ")
-                optionals.append((flags, dest_flags, help))
+                nargs = action.nargs
+                help = (
+                    self._expand_help(action)
+                    if action.help and action.help != argparse.SUPPRESS
+                    else ""
+                )
+                help = help.split("\n")[0]
+
+                if action.choices is not None:
+                    dest = [str(choice) for choice in action.choices]
+                else:
+                    dest = [action.dest]
+
+                optionals.append((flags, dest, dest_flags, nargs, help))
            elif isinstance(action, argparse._SubParsersAction):
                for subaction in action._choices_actions:
                    subparser = action._name_parser_map[subaction.dest]
-                    subcommands.append((subparser, subaction.dest))
+                    help = (
+                        self._expand_help(subaction)
+                        if subaction.help and action.help != argparse.SUPPRESS
+                        else ""
+                    )
+                    help = help.split("\n")[0]
+                    subcommands.append((subparser, subaction.dest, help))

                    # Look for aliases of the form 'name (alias, ...)'
-                    if self.aliases:
+                    if self.aliases and isinstance(subaction.metavar, str):
                        match = re.match(r"(.*) \((.*)\)", subaction.metavar)
                        if match:
                            aliases = match.group(2).split(", ")
                            for alias in aliases:
                                subparser = action._name_parser_map[alias]
-                                subcommands.append((subparser, alias))
+                                help = (
+                                    self._expand_help(subaction)
+                                    if subaction.help and action.help != argparse.SUPPRESS
+                                    else ""
+                                )
+                                help = help.split("\n")[0]
+                                subcommands.append((subparser, alias, help))
            else:
                args = fmt._format_action_invocation(action)
-                help = self._expand_help(action) if action.help else ""
-                help = help.replace("\n", " ")
-                positionals.append((args, help))
+                help = (
+                    self._expand_help(action)
+                    if action.help and action.help != argparse.SUPPRESS
+                    else ""
+                )
+                help = help.split("\n")[0]
+                positionals.append((args, action.choices, action.nargs, help))

        return Command(prog, description, usage, positionals, optionals, subcommands)

-    def format(self, cmd):
-        """Returns the string representation of a single node in the
-        parser tree.
+    @abc.abstractmethod
+    def format(self, cmd: Command) -> str:
+        """Return the string representation of a single node in the parser tree.

-        Override this in subclasses to define how each subcommand
-        should be displayed.
+        Override this in subclasses to define how each subcommand should be displayed.

-        Parameters:
-            (Command): parsed information about a command or subcommand
+        Args:
+            cmd: Parsed information about a command or subcommand.

        Returns:
-            str: the string representation of this subcommand
+            String representation of this subcommand.
        """
-        raise NotImplementedError

-    def _write(self, parser, prog, level=0):
-        """Recursively writes a parser.
+    def _write(self, parser: ArgumentParser, prog: str, level: int = 0) -> None:
+        """Recursively write a parser.

-        Parameters:
-            parser (argparse.ArgumentParser): the parser
-            prog (str): the command name
-            level (int): the current level
+        Args:
+            parser: Command parser.
+            prog: Program name.
+            level: Current level.
        """
        self.level = level

        cmd = self.parse(parser, prog)
        self.out.write(self.format(cmd))

-        for subparser, prog in cmd.subcommands:
+        for subparser, prog, help in cmd.subcommands:
            self._write(subparser, prog, level=level + 1)

-    def write(self, parser):
+    def write(self, parser: ArgumentParser) -> None:
        """Write out details about an ArgumentParser.

        Args:
-            parser (argparse.ArgumentParser): the parser
+            parser: Command parser.
        """
        try:
            self._write(parser, self.prog)
-        except IOError as e:
+        except BrokenPipeError:
            # Swallow pipe errors
-            # Raises IOError in Python 2 and BrokenPipeError in Python 3
-            if e.errno != errno.EPIPE:
-                raise
+            pass


 _rst_levels = ["=", "-", "^", "~", ":", "`"]
@@ -165,21 +195,33 @@ def write(self, parser):
 class ArgparseRstWriter(ArgparseWriter):
    """Write argparse output as rst sections."""

-    def __init__(self, prog, out=None, aliases=False, rst_levels=_rst_levels):
-        """Create a new ArgparseRstWriter.
+    def __init__(
+        self,
+        prog: str,
+        out: IO = sys.stdout,
+        aliases: bool = False,
+        rst_levels: Sequence[str] = _rst_levels,
+    ) -> None:
+        """Initialize a new ArgparseRstWriter instance.

-        Parameters:
-            prog (str): program name
-            out (file object): file to write to
-            aliases (bool): whether or not to include subparsers for aliases
-            rst_levels (list of str): list of characters
-                for rst section headings
+        Args:
+            prog: Program name.
+            out: File object to write to.
+            aliases: Whether or not to include subparsers for aliases.
+            rst_levels: List of characters for rst section headings.
        """
-        out = sys.stdout if out is None else out
-        super(ArgparseRstWriter, self).__init__(prog, out, aliases)
+        super().__init__(prog, out, aliases)
        self.rst_levels = rst_levels

-    def format(self, cmd):
+    def format(self, cmd: Command) -> str:
+        """Return the string representation of a single node in the parser tree.
+
+        Args:
+            cmd: Parsed information about a command or subcommand.
+
+        Returns:
+            String representation of a node.
+        """
        string = io.StringIO()
        string.write(self.begin_command(cmd.prog))

@@ -190,13 +232,13 @@ def format(self, cmd):

        if cmd.positionals:
            string.write(self.begin_positionals())
-            for args, help in cmd.positionals:
+            for args, choices, nargs, help in cmd.positionals:
                string.write(self.positional(args, help))
            string.write(self.end_positionals())

        if cmd.optionals:
            string.write(self.begin_optionals())
-            for flags, dest_flags, help in cmd.optionals:
+            for flags, dest, dest_flags, nargs, help in cmd.optionals:
                string.write(self.optional(dest_flags, help))
            string.write(self.end_optionals())

@@ -205,7 +247,15 @@ def format(self, cmd):

        return string.getvalue()

-    def begin_command(self, prog):
+    def begin_command(self, prog: str) -> str:
+        """Text to print before a command.
+
+        Args:
+            prog: Program name.
+
+        Returns:
+            Text before a command.
+        """
        return """
 ----

@@ -218,10 +268,26 @@ def begin_command(self, prog):
            prog.replace(" ", "-"), prog, self.rst_levels[self.level] * len(prog)
        )

-    def description(self, description):
+    def description(self, description: str) -> str:
+        """Description of a command.
+
+        Args:
+            description: Command description.
+
+        Returns:
+            Description of a command.
+        """
        return description + "\n\n"

-    def usage(self, usage):
+    def usage(self, usage: str) -> str:
+        """Example usage of a command.
+
+        Args:
+            usage: Command usage.
+
+        Returns:
+            Usage of a command.
+        """
        return """\
 .. code-block:: console

@@ -231,10 +297,24 @@ def usage(self, usage):
            usage
        )

-    def begin_positionals(self):
+    def begin_positionals(self) -> str:
+        """Text to print before positional arguments.
+
+        Returns:
+            Positional arguments header.
+        """
        return "\n**Positional arguments**\n\n"

-    def positional(self, name, help):
+    def positional(self, name: str, help: str) -> str:
+        """Description of a positional argument.
+
+        Args:
+            name: Argument name.
+            help: Help text.
+
+        Returns:
+            Positional argument description.
+        """
        return """\
 {0}
  {1}
@@ -243,13 +323,32 @@ def positional(self, name, help):
            name, help
        )

-    def end_positionals(self):
+    def end_positionals(self) -> str:
+        """Text to print after positional arguments.
+
+        Returns:
+            Positional arguments footer.
+        """
        return ""

-    def begin_optionals(self):
+    def begin_optionals(self) -> str:
+        """Text to print before optional arguments.
+
+        Returns:
+            Optional arguments header.
+        """
        return "\n**Optional arguments**\n\n"

-    def optional(self, opts, help):
+    def optional(self, opts: str, help: str) -> str:
+        """Description of an optional argument.
+
+        Args:
+            opts: Optional argument.
+            help: Help text.
+
+        Returns:
+            Optional argument description.
+        """
        return """\
 ``{0}``
  {1}
@@ -258,10 +357,23 @@ def optional(self, opts, help):
            opts, help
        )

-    def end_optionals(self):
+    def end_optionals(self) -> str:
+        """Text to print after optional arguments.
+
+        Returns:
+            Optional arguments footer.
+        """
        return ""

-    def begin_subcommands(self, subcommands):
+    def begin_subcommands(self, subcommands: List[Tuple[ArgumentParser, str, str]]) -> str:
+        """Table with links to other subcommands.
+
+        Arguments:
+            subcommands: List of subcommands.
+
+        Returns:
+            Subcommand linking text.
+        """
        string = """
 **Subcommands**

@@ -270,116 +382,8 @@ def begin_subcommands(self, subcommands):

 """

-        for cmd, _ in subcommands:
+        for cmd, _, _ in subcommands:
            prog = re.sub(r"^[^ ]* ", "", cmd.prog)
            string += "   * :ref:`{0} <{1}>`\n".format(prog, cmd.prog.replace(" ", "-"))

        return string + "\n"
-
-
-class ArgparseCompletionWriter(ArgparseWriter):
-    """Write argparse output as shell programmable tab completion functions."""
-
-    def format(self, cmd):
-        """Returns the string representation of a single node in the
-        parser tree.
-
-        Override this in subclasses to define how each subcommand
-        should be displayed.
-
-        Parameters:
-            (Command): parsed information about a command or subcommand
-
-        Returns:
-            str: the string representation of this subcommand
-        """
-
-        assert cmd.optionals  # we should always at least have -h, --help
-        assert not (cmd.positionals and cmd.subcommands)  # one or the other
-
-        # We only care about the arguments/flags, not the help messages
-        positionals = []
-        if cmd.positionals:
-            positionals, _ = zip(*cmd.positionals)
-        optionals, _, _ = zip(*cmd.optionals)
-        subcommands = []
-        if cmd.subcommands:
-            _, subcommands = zip(*cmd.subcommands)
-
-        # Flatten lists of lists
-        optionals = [x for xx in optionals for x in xx]
-
-        return (
-            self.start_function(cmd.prog)
-            + self.body(positionals, optionals, subcommands)
-            + self.end_function(cmd.prog)
-        )
-
-    def start_function(self, prog):
-        """Returns the syntax needed to begin a function definition.
-
-        Parameters:
-            prog (str): the command name
-
-        Returns:
-            str: the function definition beginning
-        """
-        name = prog.replace("-", "_").replace(" ", "_")
-        return "\n_{0}() {{".format(name)
-
-    def end_function(self, prog=None):
-        """Returns the syntax needed to end a function definition.
-
-        Parameters:
-            prog (str or None): the command name
-
-        Returns:
-            str: the function definition ending
-        """
-        return "}\n"
-
-    def body(self, positionals, optionals, subcommands):
-        """Returns the body of the function.
-
-        Parameters:
-            positionals (list): list of positional arguments
-            optionals (list): list of optional arguments
-            subcommands (list): list of subcommand parsers
-
-        Returns:
-            str: the function body
-        """
-        return ""
-
-    def positionals(self, positionals):
-        """Returns the syntax for reporting positional arguments.
-
-        Parameters:
-            positionals (list): list of positional arguments
-
-        Returns:
-            str: the syntax for positional arguments
-        """
-        return ""
-
-    def optionals(self, optionals):
-        """Returns the syntax for reporting optional flags.
-
-        Parameters:
-            optionals (list): list of optional arguments
-
-        Returns:
-            str: the syntax for optional flags
-        """
-        return ""
-
-    def subcommands(self, subcommands):
-        """Returns the syntax for reporting subcommands.
-
-        Parameters:
-            subcommands (list): list of subcommand parsers
-
-        Returns:
-            str: the syntax for subcommand parsers
-        """
-        return ""
--- a/lib/spack/llnl/util/filesystem.py
+++ b/lib/spack/llnl/util/filesystem.py
@@ -402,7 +402,7 @@ def groupid_to_group(x):
                os.remove(backup_filename)


-class FileFilter(object):
+class FileFilter:
    """Convenience class for calling ``filter_file`` a lot."""

    def __init__(self, *filenames):
@@ -610,6 +610,8 @@ def chgrp(path, group, follow_symlinks=True):
        gid = grp.getgrnam(group).gr_gid
    else:
        gid = group
+    if os.stat(path).st_gid == gid:
+        return
    if follow_symlinks:
        os.chown(path, -1, gid)
    else:
@@ -1336,7 +1338,7 @@ def lexists_islink_isdir(path):
    return True, is_link, is_dir


-class BaseDirectoryVisitor(object):
+class BaseDirectoryVisitor:
    """Base class and interface for :py:func:`visit_directory_tree`."""

    def visit_file(self, root, rel_path, depth):
@@ -1890,7 +1892,7 @@ class HeaderList(FileList):
    include_regex = re.compile(r"(.*?)(\binclude\b)(.*)")

    def __init__(self, files):
-        super(HeaderList, self).__init__(files)
+        super().__init__(files)

        self._macro_definitions = []
        self._directories = None
@@ -1916,7 +1918,7 @@ def _default_directories(self):
        """Default computation of directories based on the list of
        header files.
        """
-        dir_list = super(HeaderList, self).directories
+        dir_list = super().directories
        values = []
        for d in dir_list:
            # If the path contains a subdirectory named 'include' then stop
@@ -2352,7 +2354,7 @@ def find_all_libraries(root, recursive=False):
    )


-class WindowsSimulatedRPath(object):
+class WindowsSimulatedRPath:
    """Class representing Windows filesystem rpath analog

    One instance of this class is associated with a package (only on Windows)
--- a/lib/spack/llnl/util/lang.py
+++ b/lib/spack/llnl/util/lang.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import division
-
 import collections.abc
 import contextlib
 import functools
@@ -768,10 +766,10 @@ def pretty_seconds(seconds):

 class RequiredAttributeError(ValueError):
    def __init__(self, message):
-        super(RequiredAttributeError, self).__init__(message)
+        super().__init__(message)


-class ObjectWrapper(object):
+class ObjectWrapper:
    """Base class that wraps an object. Derived classes can add new behavior
    while staying undercover.

@@ -798,7 +796,7 @@ def __init__(self, wrapped_object):
        self.__dict__ = wrapped_object.__dict__


-class Singleton(object):
+class Singleton:
    """Simple wrapper for lazily initialized singleton objects."""

    def __init__(self, factory):
@@ -823,7 +821,7 @@ def __getattr__(self, name):
        # 'instance'/'_instance' to be defined or it will enter an infinite
        # loop, so protect against that here.
        if name in ["_instance", "instance"]:
-            raise AttributeError()
+            raise AttributeError(f"cannot create {name}")
        return getattr(self.instance, name)

    def __getitem__(self, name):
@@ -845,27 +843,6 @@ def __repr__(self):
        return repr(self.instance)


-class LazyReference(object):
-    """Lazily evaluated reference to part of a singleton."""
-
-    def __init__(self, ref_function):
-        self.ref_function = ref_function
-
-    def __getattr__(self, name):
-        if name == "ref_function":
-            raise AttributeError()
-        return getattr(self.ref_function(), name)
-
-    def __getitem__(self, name):
-        return self.ref_function()[name]
-
-    def __str__(self):
-        return str(self.ref_function())
-
-    def __repr__(self):
-        return repr(self.ref_function())
-
-
 def load_module_from_file(module_name, module_path):
    """Loads a python module from the path of the corresponding file.

@@ -943,7 +920,7 @@ def _wrapper(args):
    return _wrapper


-class Devnull(object):
+class Devnull:
    """Null stream with less overhead than ``os.devnull``.

    See https://stackoverflow.com/a/2929954.
@@ -1060,7 +1037,7 @@ def __str__(self):
        return str(self.data)


-class GroupedExceptionHandler(object):
+class GroupedExceptionHandler:
    """A generic mechanism to coalesce multiple exceptions and preserve tracebacks."""

    def __init__(self):
@@ -1091,7 +1068,7 @@ def grouped_message(self, with_tracebacks: bool = True) -> str:
        return "due to the following failures:\n{0}".format("\n".join(each_exception_message))


-class GroupedExceptionForwarder(object):
+class GroupedExceptionForwarder:
    """A contextmanager to capture exceptions and forward them to a
    GroupedExceptionHandler."""

@@ -1111,7 +1088,7 @@ def __exit__(self, exc_type, exc_value, tb):
        return True


-class classproperty(object):
+class classproperty:
    """Non-data descriptor to evaluate a class-level property. The function that performs
    the evaluation is injected at creation time and take an instance (could be None) and
    an owner (i.e. the class that originated the instance)
--- a/lib/spack/llnl/util/link_tree.py
+++ b/lib/spack/llnl/util/link_tree.py
@@ -5,8 +5,6 @@

 """LinkTree class for setting up trees of symbolic links."""

-from __future__ import print_function
-
 import filecmp
 import os
 import shutil
@@ -287,7 +285,7 @@ def visit_symlinked_file(self, root, rel_path, depth):
        self.visit_file(root, rel_path, depth)


-class LinkTree(object):
+class LinkTree:
    """Class to create trees of symbolic links from a source directory.

    LinkTree objects are constructed with a source root.  Their
@@ -432,12 +430,12 @@ class MergeConflictError(Exception):

 class ConflictingSpecsError(MergeConflictError):
    def __init__(self, spec_1, spec_2):
-        super(MergeConflictError, self).__init__(spec_1, spec_2)
+        super().__init__(spec_1, spec_2)


 class SingleMergeConflictError(MergeConflictError):
    def __init__(self, path):
-        super(MergeConflictError, self).__init__("Package merge blocked by file: %s" % path)
+        super().__init__("Package merge blocked by file: %s" % path)


 class MergeConflictSummary(MergeConflictError):
@@ -452,4 +450,4 @@ def __init__(self, conflicts):
            msg += "\n    `{0}` and `{1}` both project to `{2}`".format(
                conflict.src_a, conflict.src_b, conflict.dst
            )
-        super(MergeConflictSummary, self).__init__(msg)
+        super().__init__(msg)
--- a/lib/spack/llnl/util/lock.py
+++ b/lib/spack/llnl/util/lock.py
@@ -9,9 +9,10 @@
 import sys
 import time
 from datetime import datetime
+from types import TracebackType
+from typing import IO, Any, Callable, ContextManager, Dict, Generator, Optional, Tuple, Type, Union

-import llnl.util.tty as tty
-from llnl.util.lang import pretty_seconds
+from llnl.util import lang, tty

 import spack.util.string

@@ -34,12 +35,15 @@
 ]


-#: A useful replacement for functions that should return True when not provided
-#: for example.
-true_fn = lambda: True
+ReleaseFnType = Optional[Callable[[], bool]]


-class OpenFile(object):
+def true_fn() -> bool:
+    """A function that always returns True."""
+    return True
+
+
+class OpenFile:
    """Record for keeping track of open lockfiles (with reference counting).

    There's really only one ``OpenFile`` per inode, per process, but we record the
@@ -48,12 +52,12 @@ class OpenFile(object):
    file descriptors as well in the future.
    """

-    def __init__(self, fh):
+    def __init__(self, fh: IO) -> None:
        self.fh = fh
        self.refs = 0


-class OpenFileTracker(object):
+class OpenFileTracker:
    """Track open lockfiles, to minimize number of open file descriptors.

    The ``fcntl`` locks that Spack uses are associated with an inode and a process.
@@ -78,11 +82,11 @@ class OpenFileTracker(object):
    work in Python and assume the GIL.
    """

-    def __init__(self):
+    def __init__(self) -> None:
        """Create a new ``OpenFileTracker``."""
-        self._descriptors = {}
+        self._descriptors: Dict[Any, OpenFile] = {}

-    def get_fh(self, path):
+    def get_fh(self, path: str) -> IO:
        """Get a filehandle for a lockfile.

        This routine will open writable files for read/write even if you're asking
@@ -90,7 +94,7 @@ def get_fh(self, path):
        (write) lock later if requested.

        Arguments:
-          path (str): path to lock file we want a filehandle for
+          path: path to lock file we want a filehandle for
        """
        # Open writable files as 'r+' so we can upgrade to write later
        os_mode, fh_mode = (os.O_RDWR | os.O_CREAT), "r+"
@@ -157,7 +161,7 @@ def purge(self):

 #: Open file descriptors for locks in this process. Used to prevent one process
 #: from opening the sam file many times for different byte range locks
-file_tracker = OpenFileTracker()
+FILE_TRACKER = OpenFileTracker()


 def _attempts_str(wait_time, nattempts):
@@ -166,10 +170,10 @@ def _attempts_str(wait_time, nattempts):
        return ""

    attempts = spack.util.string.plural(nattempts, "attempt")
-    return " after {} and {}".format(pretty_seconds(wait_time), attempts)
+    return " after {} and {}".format(lang.pretty_seconds(wait_time), attempts)


-class LockType(object):
+class LockType:
    READ = 0
    WRITE = 1

@@ -188,11 +192,11 @@ def to_module(tid):
        return lock

    @staticmethod
-    def is_valid(op):
+    def is_valid(op: int) -> bool:
        return op == LockType.READ or op == LockType.WRITE


-class Lock(object):
+class Lock:
    """This is an implementation of a filesystem lock using Python's lockf.

    In Python, ``lockf`` actually calls ``fcntl``, so this should work with
@@ -207,7 +211,16 @@ class Lock(object):
    overlapping byte ranges in the same file).
    """

-    def __init__(self, path, start=0, length=0, default_timeout=None, debug=False, desc=""):
+    def __init__(
+        self,
+        path: str,
+        *,
+        start: int = 0,
+        length: int = 0,
+        default_timeout: Optional[float] = None,
+        debug: bool = False,
+        desc: str = "",
+    ) -> None:
        """Construct a new lock on the file at ``path``.

        By default, the lock applies to the whole file.  Optionally,
@@ -220,17 +233,17 @@ def __init__(self, path, start=0, length=0, default_timeout=None, debug=False, d
        beginning of the file.

        Args:
-            path (str): path to the lock
-            start (int): optional byte offset at which the lock starts
-            length (int): optional number of bytes to lock
-            default_timeout (int): number of seconds to wait for lock attempts,
+            path: path to the lock
+            start: optional byte offset at which the lock starts
+            length: optional number of bytes to lock
+            default_timeout: seconds to wait for lock attempts,
                where None means to wait indefinitely
-            debug (bool): debug mode specific to locking
-            desc (str): optional debug message lock description, which is
+            debug: debug mode specific to locking
+            desc: optional debug message lock description, which is
                helpful for distinguishing between different Spack locks.
        """
        self.path = path
-        self._file = None
+        self._file: Optional[IO] = None
        self._reads = 0
        self._writes = 0

@@ -242,7 +255,7 @@ def __init__(self, path, start=0, length=0, default_timeout=None, debug=False, d
        self.debug = debug

        # optional debug description
-        self.desc = " ({0})".format(desc) if desc else ""
+        self.desc = f" ({desc})" if desc else ""

        # If the user doesn't set a default timeout, or if they choose
        # None, 0, etc. then lock attempts will not time out (unless the
@@ -250,11 +263,15 @@ def __init__(self, path, start=0, length=0, default_timeout=None, debug=False, d
        self.default_timeout = default_timeout or None

        # PID and host of lock holder (only used in debug mode)
-        self.pid = self.old_pid = None
-        self.host = self.old_host = None
+        self.pid: Optional[int] = None
+        self.old_pid: Optional[int] = None
+        self.host: Optional[str] = None
+        self.old_host: Optional[str] = None

    @staticmethod
-    def _poll_interval_generator(_wait_times=None):
+    def _poll_interval_generator(
+        _wait_times: Optional[Tuple[float, float, float]] = None
+    ) -> Generator[float, None, None]:
        """This implements a backoff scheme for polling a contended resource
        by suggesting a succession of wait times between polls.

@@ -277,21 +294,21 @@ def _poll_interval_generator(_wait_times=None):
            num_requests += 1
            yield wait_time

-    def __repr__(self):
+    def __repr__(self) -> str:
        """Formal representation of the lock."""
        rep = "{0}(".format(self.__class__.__name__)
        for attr, value in self.__dict__.items():
            rep += "{0}={1}, ".format(attr, value.__repr__())
        return "{0})".format(rep.strip(", "))

-    def __str__(self):
+    def __str__(self) -> str:
        """Readable string (with key fields) of the lock."""
        location = "{0}[{1}:{2}]".format(self.path, self._start, self._length)
        timeout = "timeout={0}".format(self.default_timeout)
        activity = "#reads={0}, #writes={1}".format(self._reads, self._writes)
        return "({0}, {1}, {2})".format(location, timeout, activity)

-    def _lock(self, op, timeout=None):
+    def _lock(self, op: int, timeout: Optional[float] = None) -> Tuple[float, int]:
        """This takes a lock using POSIX locks (``fcntl.lockf``).

        The lock is implemented as a spin lock using a nonblocking call
@@ -310,7 +327,7 @@ def _lock(self, op, timeout=None):
        # Create file and parent directories if they don't exist.
        if self._file is None:
            self._ensure_parent_directory()
-            self._file = file_tracker.get_fh(self.path)
+            self._file = FILE_TRACKER.get_fh(self.path)

        if LockType.to_module(op) == fcntl.LOCK_EX and self._file.mode == "r":
            # Attempt to upgrade to write lock w/a read-only file.
@@ -319,7 +336,7 @@ def _lock(self, op, timeout=None):

        self._log_debug(
            "{} locking [{}:{}]: timeout {}".format(
-                op_str.lower(), self._start, self._length, pretty_seconds(timeout or 0)
+                op_str.lower(), self._start, self._length, lang.pretty_seconds(timeout or 0)
            )
        )

@@ -343,15 +360,20 @@ def _lock(self, op, timeout=None):
        total_wait_time = time.time() - start_time
        raise LockTimeoutError(op_str.lower(), self.path, total_wait_time, num_attempts)

-    def _poll_lock(self, op):
+    def _poll_lock(self, op: int) -> bool:
        """Attempt to acquire the lock in a non-blocking manner. Return whether
        the locking attempt succeeds
        """
+        assert self._file is not None, "cannot poll a lock without the file being set"
        module_op = LockType.to_module(op)
        try:
            # Try to get the lock (will raise if not available.)
            fcntl.lockf(
-                self._file, module_op | fcntl.LOCK_NB, self._length, self._start, os.SEEK_SET
+                self._file.fileno(),
+                module_op | fcntl.LOCK_NB,
+                self._length,
+                self._start,
+                os.SEEK_SET,
            )

            # help for debugging distributed locking
@@ -377,7 +399,7 @@ def _poll_lock(self, op):

        return False

-    def _ensure_parent_directory(self):
+    def _ensure_parent_directory(self) -> str:
        parent = os.path.dirname(self.path)

        # relative paths to lockfiles in the current directory have no parent
@@ -396,20 +418,22 @@ def _ensure_parent_directory(self):
                raise
        return parent

-    def _read_log_debug_data(self):
+    def _read_log_debug_data(self) -> None:
        """Read PID and host data out of the file if it is there."""
+        assert self._file is not None, "cannot read debug log without the file being set"
        self.old_pid = self.pid
        self.old_host = self.host

        line = self._file.read()
        if line:
            pid, host = line.strip().split(",")
-            _, _, self.pid = pid.rpartition("=")
+            _, _, pid = pid.rpartition("=")
            _, _, self.host = host.rpartition("=")
-            self.pid = int(self.pid)
+            self.pid = int(pid)

-    def _write_log_debug_data(self):
+    def _write_log_debug_data(self) -> None:
        """Write PID and host data to the file, recording old values."""
+        assert self._file is not None, "cannot write debug log without the file being set"
        self.old_pid = self.pid
        self.old_host = self.host

@@ -423,20 +447,21 @@ def _write_log_debug_data(self):
        self._file.flush()
        os.fsync(self._file.fileno())

-    def _unlock(self):
+    def _unlock(self) -> None:
        """Releases a lock using POSIX locks (``fcntl.lockf``)

        Releases the lock regardless of mode. Note that read locks may
        be masquerading as write locks, but this removes either.

        """
-        fcntl.lockf(self._file, fcntl.LOCK_UN, self._length, self._start, os.SEEK_SET)
-        file_tracker.release_by_fh(self._file)
+        assert self._file is not None, "cannot unlock without the file being set"
+        fcntl.lockf(self._file.fileno(), fcntl.LOCK_UN, self._length, self._start, os.SEEK_SET)
+        FILE_TRACKER.release_by_fh(self._file)
        self._file = None
        self._reads = 0
        self._writes = 0

-    def acquire_read(self, timeout=None):
+    def acquire_read(self, timeout: Optional[float] = None) -> bool:
        """Acquires a recursive, shared lock for reading.

        Read and write locks can be acquired and released in arbitrary
@@ -461,7 +486,7 @@ def acquire_read(self, timeout=None):
            self._reads += 1
            return False

-    def acquire_write(self, timeout=None):
+    def acquire_write(self, timeout: Optional[float] = None) -> bool:
        """Acquires a recursive, exclusive lock for writing.

        Read and write locks can be acquired and released in arbitrary
@@ -491,7 +516,7 @@ def acquire_write(self, timeout=None):
            self._writes += 1
            return False

-    def is_write_locked(self):
+    def is_write_locked(self) -> bool:
        """Check if the file is write locked

        Return:
@@ -508,7 +533,7 @@ def is_write_locked(self):

        return False

-    def downgrade_write_to_read(self, timeout=None):
+    def downgrade_write_to_read(self, timeout: Optional[float] = None) -> None:
        """
        Downgrade from an exclusive write lock to a shared read.

@@ -527,7 +552,7 @@ def downgrade_write_to_read(self, timeout=None):
        else:
            raise LockDowngradeError(self.path)

-    def upgrade_read_to_write(self, timeout=None):
+    def upgrade_read_to_write(self, timeout: Optional[float] = None) -> None:
        """
        Attempts to upgrade from a shared read lock to an exclusive write.

@@ -546,7 +571,7 @@ def upgrade_read_to_write(self, timeout=None):
        else:
            raise LockUpgradeError(self.path)

-    def release_read(self, release_fn=None):
+    def release_read(self, release_fn: ReleaseFnType = None) -> bool:
        """Releases a read lock.

        Arguments:
@@ -582,7 +607,7 @@ def release_read(self, release_fn=None):
            self._reads -= 1
            return False

-    def release_write(self, release_fn=None):
+    def release_write(self, release_fn: ReleaseFnType = None) -> bool:
        """Releases a write lock.

        Arguments:
@@ -623,65 +648,65 @@ def release_write(self, release_fn=None):
            else:
                return False

-    def cleanup(self):
+    def cleanup(self) -> None:
        if self._reads == 0 and self._writes == 0:
            os.unlink(self.path)
        else:
            raise LockError("Attempting to cleanup active lock.")

-    def _get_counts_desc(self):
+    def _get_counts_desc(self) -> str:
        return (
            "(reads {0}, writes {1})".format(self._reads, self._writes) if tty.is_verbose() else ""
        )

-    def _log_acquired(self, locktype, wait_time, nattempts):
+    def _log_acquired(self, locktype, wait_time, nattempts) -> None:
        attempts_part = _attempts_str(wait_time, nattempts)
        now = datetime.now()
        desc = "Acquired at %s" % now.strftime("%H:%M:%S.%f")
        self._log_debug(self._status_msg(locktype, "{0}{1}".format(desc, attempts_part)))

-    def _log_acquiring(self, locktype):
+    def _log_acquiring(self, locktype) -> None:
        self._log_debug(self._status_msg(locktype, "Acquiring"), level=3)

-    def _log_debug(self, *args, **kwargs):
+    def _log_debug(self, *args, **kwargs) -> None:
        """Output lock debug messages."""
        kwargs["level"] = kwargs.get("level", 2)
        tty.debug(*args, **kwargs)

-    def _log_downgraded(self, wait_time, nattempts):
+    def _log_downgraded(self, wait_time, nattempts) -> None:
        attempts_part = _attempts_str(wait_time, nattempts)
        now = datetime.now()
        desc = "Downgraded at %s" % now.strftime("%H:%M:%S.%f")
        self._log_debug(self._status_msg("READ LOCK", "{0}{1}".format(desc, attempts_part)))

-    def _log_downgrading(self):
+    def _log_downgrading(self) -> None:
        self._log_debug(self._status_msg("WRITE LOCK", "Downgrading"), level=3)

-    def _log_released(self, locktype):
+    def _log_released(self, locktype) -> None:
        now = datetime.now()
        desc = "Released at %s" % now.strftime("%H:%M:%S.%f")
        self._log_debug(self._status_msg(locktype, desc))

-    def _log_releasing(self, locktype):
+    def _log_releasing(self, locktype) -> None:
        self._log_debug(self._status_msg(locktype, "Releasing"), level=3)

-    def _log_upgraded(self, wait_time, nattempts):
+    def _log_upgraded(self, wait_time, nattempts) -> None:
        attempts_part = _attempts_str(wait_time, nattempts)
        now = datetime.now()
        desc = "Upgraded at %s" % now.strftime("%H:%M:%S.%f")
        self._log_debug(self._status_msg("WRITE LOCK", "{0}{1}".format(desc, attempts_part)))

-    def _log_upgrading(self):
+    def _log_upgrading(self) -> None:
        self._log_debug(self._status_msg("READ LOCK", "Upgrading"), level=3)

-    def _status_msg(self, locktype, status):
+    def _status_msg(self, locktype: str, status: str) -> str:
        status_desc = "[{0}] {1}".format(status, self._get_counts_desc())
        return "{0}{1.desc}: {1.path}[{1._start}:{1._length}] {2}".format(
            locktype, self, status_desc
        )


-class LockTransaction(object):
+class LockTransaction:
    """Simple nested transaction context manager that uses a file lock.

    Arguments:
@@ -709,7 +734,13 @@ class LockTransaction(object):

    """

-    def __init__(self, lock, acquire=None, release=None, timeout=None):
+    def __init__(
+        self,
+        lock: Lock,
+        acquire: Union[ReleaseFnType, ContextManager] = None,
+        release: Union[ReleaseFnType, ContextManager] = None,
+        timeout: Optional[float] = None,
+    ) -> None:
        self._lock = lock
        self._timeout = timeout
        self._acquire_fn = acquire
@@ -724,15 +755,20 @@ def __enter__(self):
            else:
                return self._as

-    def __exit__(self, type, value, traceback):
+    def __exit__(
+        self,
+        exc_type: Optional[Type[BaseException]],
+        exc_value: Optional[BaseException],
+        traceback: Optional[TracebackType],
+    ) -> bool:
        suppress = False

        def release_fn():
            if self._release_fn is not None:
-                return self._release_fn(type, value, traceback)
+                return self._release_fn(exc_type, exc_value, traceback)

        if self._as and hasattr(self._as, "__exit__"):
-            if self._as.__exit__(type, value, traceback):
+            if self._as.__exit__(exc_type, exc_value, traceback):
                suppress = True

        if self._exit(release_fn):
@@ -740,6 +776,12 @@ def release_fn():

        return suppress

+    def _enter(self) -> bool:
+        return NotImplemented
+
+    def _exit(self, release_fn: ReleaseFnType) -> bool:
+        return NotImplemented
+

 class ReadTransaction(LockTransaction):
    """LockTransaction context manager that does a read and releases it."""
@@ -770,7 +812,7 @@ class LockDowngradeError(LockError):

    def __init__(self, path):
        msg = "Cannot downgrade lock from write to read on file: %s" % path
-        super(LockDowngradeError, self).__init__(msg)
+        super().__init__(msg)


 class LockLimitError(LockError):
@@ -782,10 +824,10 @@ class LockTimeoutError(LockError):

    def __init__(self, lock_type, path, time, attempts):
        fmt = "Timed out waiting for a {} lock after {}.\n    Made {} {} on file: {}"
-        super(LockTimeoutError, self).__init__(
+        super().__init__(
            fmt.format(
                lock_type,
-                pretty_seconds(time),
+                lang.pretty_seconds(time),
                attempts,
                "attempt" if attempts == 1 else "attempts",
                path,
@@ -798,7 +840,7 @@ class LockUpgradeError(LockError):

    def __init__(self, path):
        msg = "Cannot upgrade lock from read to write on file: %s" % path
-        super(LockUpgradeError, self).__init__(msg)
+        super().__init__(msg)


 class LockPermissionError(LockError):
@@ -810,7 +852,7 @@ class LockROFileError(LockPermissionError):

    def __init__(self, path):
        msg = "Can't take write lock on read-only file: %s" % path
-        super(LockROFileError, self).__init__(msg)
+        super().__init__(msg)


 class CantCreateLockError(LockPermissionError):
@@ -819,4 +861,4 @@ class CantCreateLockError(LockPermissionError):
    def __init__(self, path):
        msg = "cannot create lock '%s': " % path
        msg += "file does not exist and location is not writable"
-        super(LockError, self).__init__(msg)
+        super().__init__(msg)
--- a/lib/spack/llnl/util/tty/init.py
+++ b/lib/spack/llnl/util/tty/init.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import unicode_literals
-
 import contextlib
 import io
 import os
--- a/lib/spack/llnl/util/tty/colify.py
+++ b/lib/spack/llnl/util/tty/colify.py
@@ -6,8 +6,6 @@
 """
 Routines for printing columnar output.  See ``colify()`` for more information.
 """
-from __future__ import division, unicode_literals
-
 import io
 import os
 import sys
--- a/lib/spack/llnl/util/tty/color.py
+++ b/lib/spack/llnl/util/tty/color.py
@@ -59,8 +59,6 @@

 To output an @, use '@@'.  To output a } inside braces, use '}}'.
 """
-from __future__ import unicode_literals
-
 import re
 import sys
 from contextlib import contextmanager
@@ -70,7 +68,7 @@ class ColorParseError(Exception):
    """Raised when a color format fails to parse."""

    def __init__(self, message):
-        super(ColorParseError, self).__init__(message)
+        super().__init__(message)


 # Text styles for ansi codes
@@ -205,7 +203,7 @@ def color_when(value):
    set_color_when(old_value)


-class match_to_ansi(object):
+class match_to_ansi:
    def __init__(self, color=True, enclose=False):
        self.color = _color_when_value(color)
        self.enclose = enclose
@@ -321,7 +319,7 @@ def cescape(string):
    return string


-class ColorStream(object):
+class ColorStream:
    def __init__(self, stream, color=None):
        self._stream = stream
        self._color = color
--- a/lib/spack/llnl/util/tty/log.py
+++ b/lib/spack/llnl/util/tty/log.py
@@ -5,8 +5,6 @@

 """Utility classes for logging the output of blocks of code.
 """
-from __future__ import unicode_literals
-
 import atexit
 import ctypes
 import errno
@@ -67,7 +65,7 @@ def _strip(line):
    return _escape.sub("", line)


-class keyboard_input(object):
+class keyboard_input:
    """Context manager to disable line editing and echoing.

    Use this with ``sys.stdin`` for keyboard input, e.g.::
@@ -244,7 +242,7 @@ def __exit__(self, exc_type, exception, traceback):
                signal.signal(signum, old_handler)


-class Unbuffered(object):
+class Unbuffered:
    """Wrapper for Python streams that forces them to be unbuffered.

    This is implemented by forcing a flush after each write.
@@ -289,7 +287,7 @@ def _file_descriptors_work(*streams):
        return False


-class FileWrapper(object):
+class FileWrapper:
    """Represents a file. Can be an open stream, a path to a file (not opened
    yet), or neither. When unwrapped, it returns an open file (or file-like)
    object.
@@ -331,7 +329,7 @@ def close(self):
            self.file.close()


-class MultiProcessFd(object):
+class MultiProcessFd:
    """Return an object which stores a file descriptor and can be passed as an
    argument to a function run with ``multiprocessing.Process``, such that
    the file descriptor is available in the subprocess."""
@@ -431,7 +429,7 @@ def log_output(*args, **kwargs):
        return nixlog(*args, **kwargs)


-class nixlog(object):
+class nixlog:
    """
    Under the hood, we spawn a daemon and set up a pipe between this
    process and the daemon.  The daemon writes our output to both the
@@ -752,7 +750,7 @@ def close(self):
                os.close(self.saved_stream)


-class winlog(object):
+class winlog:
    """
    Similar to nixlog, with underlying
    functionality ported to support Windows.
--- a/lib/spack/llnl/util/tty/pty.py
+++ b/lib/spack/llnl/util/tty/pty.py
@@ -13,8 +13,6 @@

 Note: The functionality in this module is unsupported on Windows
 """
-from __future__ import print_function
-
 import multiprocessing
 import os
 import re
@@ -36,7 +34,7 @@
    pass


-class ProcessController(object):
+class ProcessController:
    """Wrapper around some fundamental process control operations.

    This allows one process (the controller) to drive another (the
@@ -157,7 +155,7 @@ def wait_running(self):
        self.wait(lambda: "T" not in self.proc_status())


-class PseudoShell(object):
+class PseudoShell:
    """Sets up controller and minion processes with a PTY.

    You can create a ``PseudoShell`` if you want to test how some
--- a/lib/spack/spack/abi.py
+++ b/lib/spack/spack/abi.py
@@ -13,7 +13,7 @@
 from spack.util.executable import Executable, ProcessError


-class ABI(object):
+class ABI:
    """This class provides methods to test ABI compatibility between specs.
    The current implementation is rather rough and could be improved."""

--- a/lib/spack/spack/audit.py
+++ b/lib/spack/spack/audit.py
@@ -60,7 +60,7 @@ def _search_duplicate_compilers(error_cls):
 GROUPS = collections.defaultdict(list)


-class Error(object):
+class Error:
    """Information on an error reported in a test."""

    def __init__(self, summary, details):
@@ -725,11 +725,22 @@ def _version_constraints_are_satisfiable_by_some_version_in_repo(pkgs, error_cls

            dependencies_to_check.extend([edge.spec for edge in dependency_data.values()])

+        host_architecture = spack.spec.ArchSpec.default_arch()
        for s in dependencies_to_check:
            dependency_pkg_cls = None
            try:
                dependency_pkg_cls = spack.repo.path.get_pkg_class(s.name)
-                assert any(v.intersects(s.versions) for v in list(dependency_pkg_cls.versions))
+                # Some packages have hacks that might cause failures on some platform
+                # Allow to explicitly set conditions to skip version checks in that case
+                skip_conditions = getattr(dependency_pkg_cls, "skip_version_audit", [])
+                skip_version_check = False
+                for condition in skip_conditions:
+                    if host_architecture.satisfies(spack.spec.Spec(condition).architecture):
+                        skip_version_check = True
+                        break
+                assert skip_version_check or any(
+                    v.intersects(s.versions) for v in list(dependency_pkg_cls.versions)
+                )
            except Exception:
                summary = (
                    "{0}: dependency on {1} cannot be satisfied " "by known versions of {1.name}"
--- a/lib/spack/spack/binary_distribution.py
+++ b/lib/spack/spack/binary_distribution.py
@@ -61,6 +61,22 @@
 _build_cache_keys_relative_path = "_pgp"


+class BuildCacheDatabase(spack_db.Database):
+    """A database for binary buildcaches.
+
+    A database supports writing buildcache index files, in which case certain fields are not
+    needed in each install record, and no locking is required. To use this feature, it provides
+    ``lock_cfg=NO_LOCK``, and override the list of ``record_fields``.
+    """
+
+    record_fields = ("spec", "ref_count", "in_buildcache")
+
+    def __init__(self, root):
+        super().__init__(root, lock_cfg=spack_db.NO_LOCK)
+        self._write_transaction_impl = llnl.util.lang.nullcontext
+        self._read_transaction_impl = llnl.util.lang.nullcontext
+
+
 class FetchCacheError(Exception):
    """Error thrown when fetching the cache failed, usually a composite error list."""

@@ -80,14 +96,14 @@ def __init__(self, errors):
        else:
            err = errors[0]
            self.message = "{0}: {1}".format(err.__class__.__name__, str(err))
-        super(FetchCacheError, self).__init__(self.message)
+        super().__init__(self.message)


 class ListMirrorSpecsError(spack.error.SpackError):
    """Raised when unable to retrieve list of specs from the mirror"""


-class BinaryCacheIndex(object):
+class BinaryCacheIndex:
    """
    The BinaryCacheIndex tracks what specs are available on (usually remote)
    binary caches.
@@ -190,8 +206,7 @@ def _associate_built_specs_with_mirror(self, cache_key, mirror_url):
        tmpdir = tempfile.mkdtemp()

        try:
-            db_root_dir = os.path.join(tmpdir, "db_root")
-            db = spack_db.Database(None, db_dir=db_root_dir, enable_transaction_locking=False)
+            db = BuildCacheDatabase(tmpdir)

            try:
                self._index_file_cache.init_entry(cache_key)
@@ -317,9 +332,9 @@ def update(self, with_cooldown=False):
        from each configured mirror and stored locally (both in memory and
        on disk under ``_index_cache_root``)."""
        self._init_local_index_cache()
-
-        mirrors = spack.mirror.MirrorCollection()
-        configured_mirror_urls = [m.fetch_url for m in mirrors.values()]
+        configured_mirror_urls = [
+            m.fetch_url for m in spack.mirror.MirrorCollection(binary=True).values()
+        ]
        items_to_remove = []
        spec_cache_clear_needed = False
        spec_cache_regenerate_needed = not self._mirrors_for_spec
@@ -517,9 +532,7 @@ class NoOverwriteException(spack.error.SpackError):
    """Raised when a file would be overwritten"""

    def __init__(self, file_path):
-        super(NoOverwriteException, self).__init__(
-            f"Refusing to overwrite the following file: {file_path}"
-        )
+        super().__init__(f"Refusing to overwrite the following file: {file_path}")


 class NoGpgException(spack.error.SpackError):
@@ -528,7 +541,7 @@ class NoGpgException(spack.error.SpackError):
    """

    def __init__(self, msg):
-        super(NoGpgException, self).__init__(msg)
+        super().__init__(msg)


 class NoKeyException(spack.error.SpackError):
@@ -537,7 +550,7 @@ class NoKeyException(spack.error.SpackError):
    """

    def __init__(self, msg):
-        super(NoKeyException, self).__init__(msg)
+        super().__init__(msg)


 class PickKeyException(spack.error.SpackError):
@@ -548,7 +561,7 @@ class PickKeyException(spack.error.SpackError):
    def __init__(self, keys):
        err_msg = "Multiple keys available for signing\n%s\n" % keys
        err_msg += "Use spack buildcache create -k <key hash> to pick a key."
-        super(PickKeyException, self).__init__(err_msg)
+        super().__init__(err_msg)


 class NoVerifyException(spack.error.SpackError):
@@ -565,7 +578,7 @@ class NoChecksumException(spack.error.SpackError):
    """

    def __init__(self, path, size, contents, algorithm, expected, computed):
-        super(NoChecksumException, self).__init__(
+        super().__init__(
            f"{algorithm} checksum failed for {path}",
            f"Expected {expected} but got {computed}. "
            f"File size = {size} bytes. Contents = {contents!r}",
@@ -578,7 +591,7 @@ class NewLayoutException(spack.error.SpackError):
    """

    def __init__(self, msg):
-        super(NewLayoutException, self).__init__(msg)
+        super().__init__(msg)


 class UnsignedPackageException(spack.error.SpackError):
@@ -705,7 +718,7 @@ def get_buildfile_manifest(spec):
    # look for them to decide if text file needs to be relocated or not
    prefixes = [d.prefix for d in spec.traverse(root=True, deptype="all") if not d.external]
    prefixes.append(spack.hooks.sbang.sbang_install_path())
-    prefixes.append(str(spack.store.layout.root))
+    prefixes.append(str(spack.store.STORE.layout.root))

    # Create a giant regex that matches all prefixes
    regex = utf8_paths_to_single_binary_regex(prefixes)
@@ -718,7 +731,7 @@ def get_buildfile_manifest(spec):
    for rel_path in visitor.symlinks:
        abs_path = os.path.join(root, rel_path)
        link = os.readlink(abs_path)
-        if os.path.isabs(link) and link.startswith(spack.store.layout.root):
+        if os.path.isabs(link) and link.startswith(spack.store.STORE.layout.root):
            data["link_to_relocate"].append(rel_path)

    # Non-symlinks.
@@ -760,16 +773,15 @@ def hashes_to_prefixes(spec):
    }


-def get_buildinfo_dict(spec, rel=False):
+def get_buildinfo_dict(spec):
    """Create metadata for a tarball"""
    manifest = get_buildfile_manifest(spec)

    return {
        "sbang_install_path": spack.hooks.sbang.sbang_install_path(),
-        "relative_rpaths": rel,
-        "buildpath": spack.store.layout.root,
+        "buildpath": spack.store.STORE.layout.root,
        "spackprefix": spack.paths.prefix,
-        "relative_prefix": os.path.relpath(spec.prefix, spack.store.layout.root),
+        "relative_prefix": os.path.relpath(spec.prefix, spack.store.STORE.layout.root),
        "relocate_textfiles": manifest["text_to_relocate"],
        "relocate_binaries": manifest["binary_to_relocate"],
        "relocate_links": manifest["link_to_relocate"],
@@ -1062,13 +1074,10 @@ def generate_package_index(cache_prefix, concurrency=32):
    tty.debug("Retrieving spec descriptor files from {0} to build index".format(cache_prefix))

    tmpdir = tempfile.mkdtemp()
-    db_root_dir = os.path.join(tmpdir, "db_root")
-    db = spack_db.Database(
-        None,
-        db_dir=db_root_dir,
-        enable_transaction_locking=False,
-        record_fields=["spec", "ref_count", "in_buildcache"],
-    )
+
+    db = BuildCacheDatabase(tmpdir)
+    db.root = None
+    db_root_dir = db.database_directory

    try:
        _read_specs_and_push_index(file_list, read_fn, cache_prefix, db, db_root_dir, concurrency)
@@ -1199,9 +1208,17 @@ def tar_add_metadata(tar: tarfile.TarFile, path: str, data: dict):
    tar.addfile(deterministic_tarinfo(tarinfo), io.BytesIO(bstring))


-def _do_create_tarball(tarfile_path, binaries_dir, pkg_dir, buildinfo):
+def deterministic_tarinfo_without_buildinfo(tarinfo: tarfile.TarInfo):
+    """Skip buildinfo file when creating a tarball, and normalize other tarinfo fields."""
+    if tarinfo.name.endswith("/.spack/binary_distribution"):
+        return None
+
+    return deterministic_tarinfo(tarinfo)
+
+
+def _do_create_tarball(tarfile_path: str, binaries_dir: str, pkg_dir: str, buildinfo: dict):
    with gzip_compressed_tarfile(tarfile_path) as tar:
-        tar.add(name=binaries_dir, arcname=pkg_dir, filter=deterministic_tarinfo)
+        tar.add(name=binaries_dir, arcname=pkg_dir, filter=deterministic_tarinfo_without_buildinfo)
        tar_add_metadata(tar, buildinfo_file_name(pkg_dir), buildinfo)


@@ -1209,12 +1226,6 @@ class PushOptions(NamedTuple):
    #: Overwrite existing tarball/metadata files in buildcache
    force: bool = False

-    #: Whether to use relative RPATHs
-    relative: bool = False
-
-    #: Allow absolute paths to package prefixes when creating a tarball
-    allow_root: bool = False
-
    #: Regenerated indices after pushing
    regenerate_index: bool = False

@@ -1259,7 +1270,7 @@ def _build_tarball_in_stage_dir(spec: Spec, out_url: str, stage_dir: str, option
    # without concretizing with the current spack packages
    # and preferences

-    spec_file = spack.store.layout.spec_file_path(spec)
+    spec_file = spack.store.STORE.layout.spec_file_path(spec)
    specfile_name = tarball_name(spec, ".spec.json")
    specfile_path = os.path.realpath(os.path.join(cache_prefix, specfile_name))
    signed_specfile_path = "{0}.sig".format(specfile_path)
@@ -1281,41 +1292,14 @@ def _build_tarball_in_stage_dir(spec: Spec, out_url: str, stage_dir: str, option
        raise NoOverwriteException(url_util.format(remote_specfile_path))

    pkg_dir = os.path.basename(spec.prefix.rstrip(os.path.sep))
-    workdir = os.path.join(stage_dir, pkg_dir)

-    # TODO: We generally don't want to mutate any files, but when using relative
-    # mode, Spack unfortunately *does* mutate rpaths and links ahead of time.
-    # For now, we only make a full copy of the spec prefix when in relative mode.
-
-    if options.relative:
-        # tarfile is used because it preserves hardlink etc best.
-        binaries_dir = workdir
-        temp_tarfile_name = tarball_name(spec, ".tar")
-        temp_tarfile_path = os.path.join(tarfile_dir, temp_tarfile_name)
-        with closing(tarfile.open(temp_tarfile_path, "w")) as tar:
-            tar.add(name="%s" % spec.prefix, arcname=".")
-        with closing(tarfile.open(temp_tarfile_path, "r")) as tar:
-            tar.extractall(workdir)
-        os.remove(temp_tarfile_path)
-    else:
-        binaries_dir = spec.prefix
+    binaries_dir = spec.prefix

    # create info for later relocation and create tar
-    buildinfo = get_buildinfo_dict(spec, options.relative)
-
-    # optionally make the paths in the binaries relative to each other
-    # in the spack install tree before creating tarball
-    if options.relative:
-        make_package_relative(workdir, spec, buildinfo, options.allow_root)
-    elif not options.allow_root:
-        ensure_package_relocatable(buildinfo, binaries_dir)
+    buildinfo = get_buildinfo_dict(spec)

    _do_create_tarball(tarfile_path, binaries_dir, pkg_dir, buildinfo)

-    # remove copy of install directory
-    if options.relative:
-        shutil.rmtree(workdir)
-
    # get the sha256 checksum of the tarball
    checksum = checksum_tarball(tarfile_path)

@@ -1335,8 +1319,7 @@ def _build_tarball_in_stage_dir(spec: Spec, out_url: str, stage_dir: str, option
    # Add original install prefix relative to layout root to spec.json.
    # This will be used to determine is the directory layout has changed.
    buildinfo = {}
-    buildinfo["relative_prefix"] = os.path.relpath(spec.prefix, spack.store.layout.root)
-    buildinfo["relative_rpaths"] = options.relative
+    buildinfo["relative_prefix"] = os.path.relpath(spec.prefix, spack.store.STORE.layout.root)
    spec_dict["buildinfo"] = buildinfo

    with open(specfile_path, "w") as outfile:
@@ -1394,7 +1377,7 @@ def specs_to_be_packaged(
    packageable = lambda n: not n.external and n.installed

    # Mass install check
-    with spack.store.db.read_transaction():
+    with spack.store.STORE.db.read_transaction():
        return list(filter(packageable, nodes))


@@ -1496,8 +1479,9 @@ def download_tarball(spec, unsigned=False, mirrors_for_spec=None):
           "signature_verified": "true-if-binary-pkg-was-already-verified"
       }
    """
-    if not spack.mirror.MirrorCollection():
-        tty.die("Please add a spack mirror to allow " + "download of pre-compiled packages.")
+    configured_mirrors = spack.mirror.MirrorCollection(binary=True).values()
+    if not configured_mirrors:
+        tty.die("Please add a spack mirror to allow download of pre-compiled packages.")

    tarball = tarball_path_name(spec, ".spack")
    specfile_prefix = tarball_name(spec, ".spec")
@@ -1514,11 +1498,7 @@ def download_tarball(spec, unsigned=False, mirrors_for_spec=None):
    # we need was in an un-indexed mirror.  No need to check any
    # mirror for the spec twice though.
    try_first = [i["mirror_url"] for i in mirrors_for_spec] if mirrors_for_spec else []
-    try_next = [
-        i.fetch_url
-        for i in spack.mirror.MirrorCollection().values()
-        if i.fetch_url not in try_first
-    ]
+    try_next = [i.fetch_url for i in configured_mirrors if i.fetch_url not in try_first]

    for url in try_first + try_next:
        mirrors_to_try.append(
@@ -1596,41 +1576,6 @@ def download_tarball(spec, unsigned=False, mirrors_for_spec=None):
    return None


-def make_package_relative(workdir, spec, buildinfo, allow_root):
-    """
-    Change paths in binaries to relative paths. Change absolute symlinks
-    to relative symlinks.
-    """
-    prefix = spec.prefix
-    old_layout_root = buildinfo["buildpath"]
-    orig_path_names = list()
-    cur_path_names = list()
-    for filename in buildinfo["relocate_binaries"]:
-        orig_path_names.append(os.path.join(prefix, filename))
-        cur_path_names.append(os.path.join(workdir, filename))
-
-    platform = spack.platforms.by_name(spec.platform)
-    if "macho" in platform.binary_formats:
-        relocate.make_macho_binaries_relative(cur_path_names, orig_path_names, old_layout_root)
-
-    if "elf" in platform.binary_formats:
-        relocate.make_elf_binaries_relative(cur_path_names, orig_path_names, old_layout_root)
-
-    allow_root or relocate.ensure_binaries_are_relocatable(cur_path_names)
-    orig_path_names = list()
-    cur_path_names = list()
-    for linkname in buildinfo.get("relocate_links", []):
-        orig_path_names.append(os.path.join(prefix, linkname))
-        cur_path_names.append(os.path.join(workdir, linkname))
-    relocate.make_link_relative(cur_path_names, orig_path_names)
-
-
-def ensure_package_relocatable(buildinfo, binaries_dir):
-    """Check if package binaries are relocatable."""
-    binaries = [os.path.join(binaries_dir, f) for f in buildinfo["relocate_binaries"]]
-    relocate.ensure_binaries_are_relocatable(binaries)
-
-
 def dedupe_hardlinks_if_necessary(root, buildinfo):
    """Updates a buildinfo dict for old archives that did
    not dedupe hardlinks. De-duping hardlinks is necessary
@@ -1669,7 +1614,7 @@ def relocate_package(spec):
    """
    workdir = str(spec.prefix)
    buildinfo = read_buildinfo_file(workdir)
-    new_layout_root = str(spack.store.layout.root)
+    new_layout_root = str(spack.store.STORE.layout.root)
    new_prefix = str(spec.prefix)
    new_rel_prefix = str(os.path.relpath(new_prefix, new_layout_root))
    new_spack_prefix = str(spack.paths.prefix)
@@ -1917,7 +1862,7 @@ def extract_tarball(spec, download_result, unsigned=False, force=False):
                tarfile_path, size, contents, "sha256", expected, local_checksum
            )

-    new_relative_prefix = str(os.path.relpath(spec.prefix, spack.store.layout.root))
+    new_relative_prefix = str(os.path.relpath(spec.prefix, spack.store.STORE.layout.root))
    # if the original relative prefix is in the spec file use it
    buildinfo = spec_dict.get("buildinfo", {})
    old_relative_prefix = buildinfo.get("relative_prefix", new_relative_prefix)
@@ -1929,7 +1874,7 @@ def extract_tarball(spec, download_result, unsigned=False, force=False):
    # The directory created is the base directory name of the old prefix.
    # Moving the old prefix name to the new prefix location should preserve
    # hard links and symbolic links.
-    extract_tmp = os.path.join(spack.store.layout.root, ".tmp")
+    extract_tmp = os.path.join(spack.store.STORE.layout.root, ".tmp")
    mkdirp(extract_tmp)
    extracted_dir = os.path.join(extract_tmp, old_relative_prefix.split(os.path.sep)[-1])

@@ -1956,7 +1901,9 @@ def extract_tarball(spec, download_result, unsigned=False, force=False):
        raise e
    else:
        manifest_file = os.path.join(
-            spec.prefix, spack.store.layout.metadata_dir, spack.store.layout.manifest_file_name
+            spec.prefix,
+            spack.store.STORE.layout.metadata_dir,
+            spack.store.STORE.layout.manifest_file_name,
        )
        if not os.path.exists(manifest_file):
            spec_id = spec.format("{name}/{hash:7}")
@@ -2015,7 +1962,7 @@ def install_root_node(spec, unsigned=False, force=False, sha256=None):
        tty.msg('Installing "{0}" from a buildcache'.format(spec.format()))
        extract_tarball(spec, download_result, unsigned, force)
        spack.hooks.post_install(spec, False)
-        spack.store.db.add(spec, spack.store.layout)
+        spack.store.STORE.db.add(spec, spack.store.STORE.layout)


 def install_single_spec(spec, unsigned=False, force=False):
@@ -2040,7 +1987,9 @@ def try_direct_fetch(spec, mirrors=None):
    specfile_is_signed = False
    found_specs = []

-    for mirror in spack.mirror.MirrorCollection(mirrors=mirrors).values():
+    binary_mirrors = spack.mirror.MirrorCollection(mirrors=mirrors, binary=True).values()
+
+    for mirror in binary_mirrors:
        buildcache_fetch_url_json = url_util.join(
            mirror.fetch_url, _build_cache_relative_path, specfile_name
        )
@@ -2103,7 +2052,7 @@ def get_mirrors_for_spec(spec=None, mirrors_to_check=None, index_only=False):
    if spec is None:
        return []

-    if not spack.mirror.MirrorCollection(mirrors=mirrors_to_check):
+    if not spack.mirror.MirrorCollection(mirrors=mirrors_to_check, binary=True):
        tty.debug("No Spack mirrors are currently configured")
        return {}

@@ -2142,7 +2091,7 @@ def clear_spec_cache():

 def get_keys(install=False, trust=False, force=False, mirrors=None):
    """Get pgp public keys available on mirror with suffix .pub"""
-    mirror_collection = mirrors or spack.mirror.MirrorCollection()
+    mirror_collection = mirrors or spack.mirror.MirrorCollection(binary=True)

    if not mirror_collection:
        tty.die("Please add a spack mirror to allow " + "download of build caches.")
@@ -2303,7 +2252,7 @@ def check_specs_against_mirrors(mirrors, specs, output_file=None):

    """
    rebuilds = {}
-    for mirror in spack.mirror.MirrorCollection(mirrors).values():
+    for mirror in spack.mirror.MirrorCollection(mirrors, binary=True).values():
        tty.debug("Checking for built specs at {0}".format(mirror.fetch_url))

        rebuild_list = []
@@ -2347,7 +2296,7 @@ def _download_buildcache_entry(mirror_root, descriptions):


 def download_buildcache_entry(file_descriptions, mirror_url=None):
-    if not mirror_url and not spack.mirror.MirrorCollection():
+    if not mirror_url and not spack.mirror.MirrorCollection(binary=True):
        tty.die(
            "Please provide or add a spack mirror to allow " + "download of buildcache entries."
        )
@@ -2356,7 +2305,7 @@ def download_buildcache_entry(file_descriptions, mirror_url=None):
        mirror_root = os.path.join(mirror_url, _build_cache_relative_path)
        return _download_buildcache_entry(mirror_root, file_descriptions)

-    for mirror in spack.mirror.MirrorCollection().values():
+    for mirror in spack.mirror.MirrorCollection(binary=True).values():
        mirror_root = os.path.join(mirror.fetch_url, _build_cache_relative_path)

        if _download_buildcache_entry(mirror_root, file_descriptions):
@@ -2395,7 +2344,7 @@ def download_single_spec(concrete_spec, destination, mirror_url=None):
    return download_buildcache_entry(files_to_fetch, mirror_url)


-class BinaryCacheQuery(object):
+class BinaryCacheQuery:
    """Callable object to query if a spec is in a binary cache"""

    def __init__(self, all_architectures):
--- a/lib/spack/spack/bootstrap/init.py
+++ b/lib/spack/spack/bootstrap/init.py
@@ -4,7 +4,7 @@
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)
 """Function and classes needed to bootstrap Spack itself."""

-from .config import ensure_bootstrap_configuration, is_bootstrapping
+from .config import ensure_bootstrap_configuration, is_bootstrapping, store_path
 from .core import all_core_root_specs, ensure_core_dependencies, ensure_patchelf_in_path_or_raise
 from .environment import BootstrapEnvironment, ensure_environment_dependencies
 from .status import status_message
@@ -18,4 +18,5 @@
    "ensure_environment_dependencies",
    "BootstrapEnvironment",
    "status_message",
+    "store_path",
 ]
--- a/lib/spack/spack/bootstrap/_common.py
+++ b/lib/spack/spack/bootstrap/_common.py
@@ -50,7 +50,7 @@ def _try_import_from_store(
        # We have to run as part of this python interpreter
        query_spec += " ^" + spec_for_current_python()

-    installed_specs = spack.store.db.query(query_spec, installed=True)
+    installed_specs = spack.store.STORE.db.query(query_spec, installed=True)

    for candidate_spec in installed_specs:
        pkg = candidate_spec["python"].package
@@ -183,7 +183,7 @@ def _executables_in_store(
    executables_str = ", ".join(executables)
    msg = "[BOOTSTRAP EXECUTABLES {0}] Try installed specs with query '{1}'"
    tty.debug(msg.format(executables_str, query_spec))
-    installed_specs = spack.store.db.query(query_spec, installed=True)
+    installed_specs = spack.store.STORE.db.query(query_spec, installed=True)
    if installed_specs:
        for concrete_spec in installed_specs:
            bin_dir = concrete_spec.prefix.bin
--- a/lib/spack/spack/bootstrap/config.py
+++ b/lib/spack/spack/bootstrap/config.py
@@ -150,18 +150,19 @@ def _add_compilers_if_missing() -> None:

@contextlib.contextmanager
 def _ensure_bootstrap_configuration() -> Generator:
+    spack.store.ensure_singleton_created()
    bootstrap_store_path = store_path()
    user_configuration = _read_and_sanitize_configuration()
    with spack.environment.no_active_environment():
        with spack.platforms.prevent_cray_detection(), spack.platforms.use_platform(
            spack.platforms.real_host()
-        ), spack.repo.use_repositories(spack.paths.packages_path), spack.store.use_store(
-            bootstrap_store_path
-        ):
+        ), spack.repo.use_repositories(spack.paths.packages_path):
            # Default configuration scopes excluding command line
            # and builtin but accounting for platform specific scopes
            config_scopes = _bootstrap_config_scopes()
-            with spack.config.use_configuration(*config_scopes):
+            with spack.config.use_configuration(*config_scopes), spack.store.use_store(
+                bootstrap_store_path, extra_data={"padded_length": 0}
+            ):
                # We may need to compile code from sources, so ensure we
                # have compilers for the current platform
                _add_compilers_if_missing()
--- a/lib/spack/spack/bootstrap/environment.py
+++ b/lib/spack/spack/bootstrap/environment.py
@@ -175,12 +175,12 @@ def black_root_spec() -> str:

 def flake8_root_spec() -> str:
    """Return the root spec used to bootstrap flake8"""
-    return _root_spec("py-flake8")
+    return _root_spec("py-flake8@3.8.2:")


 def pytest_root_spec() -> str:
    """Return the root spec used to bootstrap flake8"""
-    return _root_spec("py-pytest")
+    return _root_spec("py-pytest@6.2.4:")


 def ensure_environment_dependencies() -> None:
--- a/lib/spack/spack/build_environment.py
+++ b/lib/spack/spack/build_environment.py
@@ -148,7 +148,7 @@ class MakeExecutable(Executable):

    def __init__(self, name, jobs, **kwargs):
        supports_jobserver = kwargs.pop("supports_jobserver", True)
-        super(MakeExecutable, self).__init__(name, **kwargs)
+        super().__init__(name, **kwargs)
        self.supports_jobserver = supports_jobserver
        self.jobs = jobs

@@ -175,7 +175,7 @@ def __call__(self, *args, **kwargs):
            if jobs_env_jobs is not None:
                kwargs["extra_env"] = {jobs_env: str(jobs_env_jobs)}

-        return super(MakeExecutable, self).__call__(*args, **kwargs)
+        return super().__call__(*args, **kwargs)


 def _on_cray():
@@ -1332,7 +1332,7 @@ class ChildError(InstallError):
    build_errors = [("spack.util.executable", "ProcessError")]

    def __init__(self, msg, module, classname, traceback_string, log_name, log_type, context):
-        super(ChildError, self).__init__(msg)
+        super().__init__(msg)
        self.module = module
        self.name = classname
        self.traceback = traceback_string
--- a/lib/spack/spack/build_systems/_checks.py
+++ b/lib/spack/spack/build_systems/_checks.py
@@ -39,7 +39,7 @@ def check_paths(path_list, filetype, predicate):
    check_paths(pkg.sanity_check_is_file, "file", os.path.isfile)
    check_paths(pkg.sanity_check_is_dir, "directory", os.path.isdir)

-    ignore_file = llnl.util.lang.match_predicate(spack.store.layout.hidden_file_regexes)
+    ignore_file = llnl.util.lang.match_predicate(spack.store.STORE.layout.hidden_file_regexes)
    if all(map(ignore_file, os.listdir(pkg.prefix))):
        msg = "Install failed for {0}.  Nothing was installed!"
        raise spack.installer.InstallError(msg.format(pkg.name))
--- a/lib/spack/spack/build_systems/cached_cmake.py
+++ b/lib/spack/spack/build_systems/cached_cmake.py
@@ -252,7 +252,7 @@ def initconfig_hardware_entries(self):
            entries.append(cmake_cache_path("CUDA_TOOLKIT_ROOT_DIR", cudatoolkitdir))

            archs = spec.variants["cuda_arch"].value
-            if archs != "none":
+            if archs[0] != "none":
                arch_str = ";".join(archs)
                entries.append(
                    cmake_cache_string("CMAKE_CUDA_ARCHITECTURES", "{0}".format(arch_str))
@@ -269,7 +269,7 @@ def initconfig_hardware_entries(self):
                cmake_cache_path("HIP_CXX_COMPILER", "{0}".format(self.spec["hip"].hipcc))
            )
            archs = self.spec.variants["amdgpu_target"].value
-            if archs != "none":
+            if archs[0] != "none":
                arch_str = ";".join(archs)
                entries.append(
                    cmake_cache_string("CMAKE_HIP_ARCHITECTURES", "{0}".format(arch_str))
@@ -289,6 +289,7 @@ def std_initconfig_entries(self):
            "# CMake executable path: {0}".format(self.pkg.spec["cmake"].command.path),
            "#------------------{0}\n".format("-" * 60),
            cmake_cache_path("CMAKE_PREFIX_PATH", cmake_prefix_path),
+            self.define_cmake_cache_from_variant("CMAKE_BUILD_TYPE", "build_type"),
        ]

    def initconfig_package_entries(self):
@@ -311,7 +312,7 @@ def initconfig(self, pkg, spec, prefix):

    @property
    def std_cmake_args(self):
-        args = super(CachedCMakeBuilder, self).std_cmake_args
+        args = super().std_cmake_args
        args.extend(["-C", self.cache_path])
        return args

--- a/lib/spack/spack/build_systems/cmake.py
+++ b/lib/spack/spack/build_systems/cmake.py
@@ -5,6 +5,7 @@
 import collections.abc
 import inspect
 import os
+import pathlib
 import platform
 import re
 import sys
@@ -15,7 +16,6 @@
 import spack.build_environment
 import spack.builder
 import spack.package_base
-import spack.util.path
 from spack.directives import build_system, conflicts, depends_on, variant
 from spack.multimethod import when

@@ -271,7 +271,7 @@ def std_args(pkg, generator=None):
        args = [
            "-G",
            generator,
-            define("CMAKE_INSTALL_PREFIX", pkg.prefix),
+            define("CMAKE_INSTALL_PREFIX", pathlib.Path(pkg.prefix).as_posix()),
            define("CMAKE_BUILD_TYPE", build_type),
            define("BUILD_TESTING", pkg.run_tests),
        ]
@@ -296,8 +296,46 @@ def std_args(pkg, generator=None):
                define("CMAKE_PREFIX_PATH", spack.build_environment.get_cmake_prefix_path(pkg)),
            ]
        )
+
        return args

+    @staticmethod
+    def define_cuda_architectures(pkg):
+        """Returns the str ``-DCMAKE_CUDA_ARCHITECTURES:STRING=(expanded cuda_arch)``.
+
+        ``cuda_arch`` is variant composed of a list of target CUDA architectures and
+        it is declared in the cuda package.
+
+        This method is no-op for cmake<3.18 and when ``cuda_arch`` variant is not set.
+
+        """
+        cmake_flag = str()
+        if "cuda_arch" in pkg.spec.variants and pkg.spec.satisfies("^cmake@3.18:"):
+            cmake_flag = CMakeBuilder.define(
+                "CMAKE_CUDA_ARCHITECTURES", pkg.spec.variants["cuda_arch"].value
+            )
+
+        return cmake_flag
+
+    @staticmethod
+    def define_hip_architectures(pkg):
+        """Returns the str ``-DCMAKE_HIP_ARCHITECTURES:STRING=(expanded amdgpu_target)``.
+
+        ``amdgpu_target`` is variant composed of a list of the target HIP
+        architectures and it is declared in the rocm package.
+
+        This method is no-op for cmake<3.18 and when ``amdgpu_target`` variant is
+        not set.
+
+        """
+        cmake_flag = str()
+        if "amdgpu_target" in pkg.spec.variants and pkg.spec.satisfies("^cmake@3.21:"):
+            cmake_flag = CMakeBuilder.define(
+                "CMAKE_HIP_ARCHITECTURES", pkg.spec.variants["amdgpu_target"].value
+            )
+
+        return cmake_flag
+
    @staticmethod
    def define(cmake_var, value):
        """Return a CMake command line argument that defines a variable.
--- a/lib/spack/spack/build_systems/cuda.py
+++ b/lib/spack/spack/build_systems/cuda.py
@@ -102,11 +102,10 @@ def cuda_flags(arch_list):

    depends_on("cuda@11.0:", when="cuda_arch=80")
    depends_on("cuda@11.1:", when="cuda_arch=86")
-
    depends_on("cuda@11.4:", when="cuda_arch=87")
-
    depends_on("cuda@11.8:", when="cuda_arch=89")
-    depends_on("cuda@11.8:", when="cuda_arch=90")
+
+    depends_on("cuda@12.0:", when="cuda_arch=90")

    # From the NVIDIA install guide we know of conflicts for particular
    # platforms (linux, darwin), architectures (x86, powerpc) and compilers
--- a/lib/spack/spack/build_systems/oneapi.py
+++ b/lib/spack/spack/build_systems/oneapi.py
@@ -121,7 +121,7 @@ def setup_run_environment(self, env):
           $ source {prefix}/{component}/{version}/env/vars.sh
        """
        # Only if environment modifications are desired (default is +envmods)
-        if "+envmods" in self.spec:
+        if "~envmods" not in self.spec:
            env.extend(
                EnvironmentModifications.from_sourcing_file(
                    join_path(self.component_prefix, "env", "vars.sh")
@@ -175,7 +175,7 @@ def libs(self):
        return find_libraries("*", root=lib_path, shared=True, recursive=True)


-class IntelOneApiStaticLibraryList(object):
+class IntelOneApiStaticLibraryList:
    """Provides ld_flags when static linking is needed

    Oneapi puts static and dynamic libraries in the same directory, so
--- a/lib/spack/spack/build_systems/python.py
+++ b/lib/spack/spack/build_systems/python.py
@@ -23,6 +23,7 @@
 import spack.store
 from spack.directives import build_system, depends_on, extends, maintainers
 from spack.error import NoHeadersError, NoLibrariesError, SpecError
+from spack.install_test import test_part
 from spack.version import Version

 from ._checks import BaseBuilder, execute_install_time_tests
@@ -167,18 +168,65 @@ def remove_files_from_view(self, view, merge_map):

        view.remove_files(to_remove)

-    def test(self):
+    def test_imports(self):
        """Attempts to import modules of the installed package."""

        # Make sure we are importing the installed modules,
        # not the ones in the source directory
+        python = inspect.getmodule(self).python
        for module in self.import_modules:
-            self.run_test(
-                inspect.getmodule(self).python.path,
-                ["-c", "import {0}".format(module)],
-                purpose="checking import of {0}".format(module),
+            with test_part(
+                self,
+                f"test_imports_{module}",
+                purpose=f"checking import of {module}",
                work_dir="spack-test",
-            )
+            ):
+                python("-c", f"import {module}")
+
+    def update_external_dependencies(self, extendee_spec=None):
+        """
+        Ensure all external python packages have a python dependency
+
+        If another package in the DAG depends on python, we use that
+        python for the dependency of the external. If not, we assume
+        that the external PythonPackage is installed into the same
+        directory as the python it depends on.
+        """
+        # TODO: Include this in the solve, rather than instantiating post-concretization
+        if "python" not in self.spec:
+            if extendee_spec:
+                python = extendee_spec
+            elif "python" in self.spec.root:
+                python = self.spec.root["python"]
+            else:
+                python = self.get_external_python_for_prefix()
+                if not python.concrete:
+                    repo = spack.repo.path.repo_for_pkg(python)
+                    python.namespace = repo.namespace
+
+                    # Ensure architecture information is present
+                    if not python.architecture:
+                        host_platform = spack.platforms.host()
+                        host_os = host_platform.operating_system("default_os")
+                        host_target = host_platform.target("default_target")
+                        python.architecture = spack.spec.ArchSpec(
+                            (str(host_platform), str(host_os), str(host_target))
+                        )
+                    else:
+                        if not python.architecture.platform:
+                            python.architecture.platform = spack.platforms.host()
+                        if not python.architecture.os:
+                            python.architecture.os = "default_os"
+                        if not python.architecture.target:
+                            python.architecture.target = archspec.cpu.host().family.name
+
+                    # Ensure compiler information is present
+                    if not python.compiler:
+                        python.compiler = self.spec.compiler
+
+                    python.external_path = self.spec.external_path
+                    python._mark_concrete()
+            self.spec.add_dependency_edge(python, deptypes=("build", "link", "run"), virtuals=())


 class PythonPackage(PythonExtension):
@@ -225,51 +273,6 @@ def list_url(cls):
            name = cls.pypi.split("/")[0]
            return "https://pypi.org/simple/" + name + "/"

-    def update_external_dependencies(self, extendee_spec=None):
-        """
-        Ensure all external python packages have a python dependency
-
-        If another package in the DAG depends on python, we use that
-        python for the dependency of the external. If not, we assume
-        that the external PythonPackage is installed into the same
-        directory as the python it depends on.
-        """
-        # TODO: Include this in the solve, rather than instantiating post-concretization
-        if "python" not in self.spec:
-            if extendee_spec:
-                python = extendee_spec
-            elif "python" in self.spec.root:
-                python = self.spec.root["python"]
-            else:
-                python = self.get_external_python_for_prefix()
-                if not python.concrete:
-                    repo = spack.repo.path.repo_for_pkg(python)
-                    python.namespace = repo.namespace
-
-                    # Ensure architecture information is present
-                    if not python.architecture:
-                        host_platform = spack.platforms.host()
-                        host_os = host_platform.operating_system("default_os")
-                        host_target = host_platform.target("default_target")
-                        python.architecture = spack.spec.ArchSpec(
-                            (str(host_platform), str(host_os), str(host_target))
-                        )
-                    else:
-                        if not python.architecture.platform:
-                            python.architecture.platform = spack.platforms.host()
-                        if not python.architecture.os:
-                            python.architecture.os = "default_os"
-                        if not python.architecture.target:
-                            python.architecture.target = archspec.cpu.host().family.name
-
-                    # Ensure compiler information is present
-                    if not python.compiler:
-                        python.compiler = self.spec.compiler
-
-                    python.external_path = self.spec.external_path
-                    python._mark_concrete()
-            self.spec.add_dependency_edge(python, deptypes=("build", "link", "run"))
-
    def get_external_python_for_prefix(self):
        """
        For an external package that extends python, find the most likely spec for the python
@@ -283,7 +286,7 @@ def get_external_python_for_prefix(self):
          spack.spec.Spec: The external Spec for python most likely to be compatible with self.spec
        """
        python_externals_installed = [
-            s for s in spack.store.db.query("python") if s.prefix == self.spec.external_path
+            s for s in spack.store.STORE.db.query("python") if s.prefix == self.spec.external_path
        ]
        if python_externals_installed:
            return python_externals_installed[0]
@@ -398,7 +401,8 @@ def build_directory(self):

    def config_settings(self, spec, prefix):
        """Configuration settings to be passed to the PEP 517 build backend.
-        Requires pip 22.1+, which requires Python 3.7+.
+
+        Requires pip 22.1 or newer.

        Args:
            spec (spack.spec.Spec): build spec
@@ -412,6 +416,8 @@ def config_settings(self, spec, prefix):
    def install_options(self, spec, prefix):
        """Extra arguments to be supplied to the setup.py install command.

+        Requires pip 23.0 or older.
+
        Args:
            spec (spack.spec.Spec): build spec
            prefix (spack.util.prefix.Prefix): installation prefix
@@ -425,6 +431,8 @@ def global_options(self, spec, prefix):
        """Extra global options to be supplied to the setup.py call before the install
        or bdist_wheel command.

+        Deprecated in pip 23.1.
+
        Args:
            spec (spack.spec.Spec): build spec
            prefix (spack.util.prefix.Prefix): installation prefix
--- a/lib/spack/spack/builder.py
+++ b/lib/spack/spack/builder.py
@@ -63,7 +63,7 @@ def create(pkg):
    return _BUILDERS[id(pkg)]


-class _PhaseAdapter(object):
+class _PhaseAdapter:
    def __init__(self, builder, phase_fn):
        self.builder = builder
        self.phase_fn = phase_fn
@@ -115,7 +115,7 @@ class hierarchy (look at AspellDictPackage for an example of that)
    # package. The semantic should be the same as the method in the base builder were still
    # present in the base class of the package.

-    class _ForwardToBaseBuilder(object):
+    class _ForwardToBaseBuilder:
        def __init__(self, wrapped_pkg_object, root_builder):
            self.wrapped_package_object = wrapped_pkg_object
            self.root_builder = root_builder
@@ -188,7 +188,7 @@ def __init__(self, pkg):
            # Attribute containing the package wrapped in dispatcher with a `__getattr__`
            # method that will forward certain calls to the default builder.
            self.pkg_with_dispatcher = _ForwardToBaseBuilder(pkg, root_builder=self)
-            super(Adapter, self).__init__(pkg)
+            super().__init__(pkg)

        # These two methods don't follow the (self, spec, prefix) signature of phases nor
        # the (self) signature of methods, so they are added explicitly to avoid using a
@@ -388,7 +388,7 @@ def __new__(mcs, name, bases, attr_dict):
        return super(_PackageAdapterMeta, mcs).__new__(mcs, name, bases, attr_dict)


-class InstallationPhase(object):
+class InstallationPhase:
    """Manages a single phase of the installation.

    This descriptor stores at creation time the name of the method it should
@@ -530,9 +530,9 @@ def setup_build_environment(self, env):
                modifications to be applied when the package is built. Package authors
                can call methods on it to alter the build environment.
        """
-        if not hasattr(super(Builder, self), "setup_build_environment"):
+        if not hasattr(super(), "setup_build_environment"):
            return
-        super(Builder, self).setup_build_environment(env)
+        super().setup_build_environment(env)

    def setup_dependent_build_environment(self, env, dependent_spec):
        """Sets up the build environment of packages that depend on this one.
@@ -563,9 +563,9 @@ def setup_dependent_build_environment(self, env, dependent_spec):
                the dependent's state. Note that *this* package's spec is
                available as ``self.spec``
        """
-        if not hasattr(super(Builder, self), "setup_dependent_build_environment"):
+        if not hasattr(super(), "setup_dependent_build_environment"):
            return
-        super(Builder, self).setup_dependent_build_environment(env, dependent_spec)
+        super().setup_dependent_build_environment(env, dependent_spec)

    def __getitem__(self, idx):
        key = self.phases[idx]
--- a/lib/spack/spack/caches.py
+++ b/lib/spack/spack/caches.py
@@ -58,7 +58,7 @@ def _fetch_cache():
    return spack.fetch_strategy.FsCache(path)


-class MirrorCache(object):
+class MirrorCache:
    def __init__(self, root, skip_unstable_versions):
        self.root = os.path.abspath(root)
        self.skip_unstable_versions = skip_unstable_versions
--- a/lib/spack/spack/ci.py
+++ b/lib/spack/spack/ci.py
--- a/lib/spack/spack/cmd/init.py
+++ b/lib/spack/spack/cmd/init.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import argparse
 import os
 import re
@@ -149,7 +147,7 @@ def get_command(cmd_name):
    return getattr(get_module(cmd_name), pname)


-class _UnquotedFlags(object):
+class _UnquotedFlags:
    """Use a heuristic in `.extract()` to detect whether the user is trying to set
    multiple flags like the docker ENV attribute allows (e.g. 'cflags=-Os -pipe').

@@ -275,9 +273,9 @@ def disambiguate_spec_from_hashes(spec, hashes, local=False, installed=True, fir
            See ``spack.database.Database._query`` for details.
    """
    if local:
-        matching_specs = spack.store.db.query_local(spec, hashes=hashes, installed=installed)
+        matching_specs = spack.store.STORE.db.query_local(spec, hashes=hashes, installed=installed)
    else:
-        matching_specs = spack.store.db.query(spec, hashes=hashes, installed=installed)
+        matching_specs = spack.store.STORE.db.query(spec, hashes=hashes, installed=installed)
    if not matching_specs:
        tty.die("Spec '%s' matches no installed packages." % spec)

@@ -475,7 +473,7 @@ def format_list(specs):
        out = ""
        # getting lots of prefixes requires DB lookups. Ensure
        # all spec.prefix calls are in one transaction.
-        with spack.store.db.read_transaction():
+        with spack.store.STORE.db.read_transaction():
            for string, spec in formatted:
                if not string:
                    # print newline from above
@@ -547,7 +545,7 @@ class PythonNameError(spack.error.SpackError):

    def __init__(self, name):
        self.name = name
-        super(PythonNameError, self).__init__("{0} is not a permissible Python name.".format(name))
+        super().__init__("{0} is not a permissible Python name.".format(name))


 class CommandNameError(spack.error.SpackError):
@@ -555,9 +553,7 @@ class CommandNameError(spack.error.SpackError):

    def __init__(self, name):
        self.name = name
-        super(CommandNameError, self).__init__(
-            "{0} is not a permissible Spack command name.".format(name)
-        )
+        super().__init__("{0} is not a permissible Spack command name.".format(name))


 ########################################
--- a/lib/spack/spack/cmd/arch.py
+++ b/lib/spack/spack/cmd/arch.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import collections

 import archspec.cpu
--- a/lib/spack/spack/cmd/blame.py
+++ b/lib/spack/spack/cmd/blame.py
@@ -59,7 +59,7 @@ def setup_parser(subparser):

    subparser.add_argument(
        "package_or_file",
-        help="name of package to show contributions for, " "or path to a file in the spack repo",
+        help="name of package to show contributions for, or path to a file in the spack repo",
    )


--- a/lib/spack/spack/cmd/bootstrap.py
+++ b/lib/spack/spack/cmd/bootstrap.py
@@ -2,8 +2,6 @@
 # Spack Project Developers. See the top-level COPYRIGHT file for details.
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)
-from __future__ import print_function
-
 import os.path
 import shutil
 import tempfile
--- a/lib/spack/spack/cmd/buildcache.py
+++ b/lib/spack/spack/cmd/buildcache.py
@@ -43,96 +43,50 @@ def setup_parser(subparser):
    subparsers = subparser.add_subparsers(help="buildcache sub-commands")

    push = subparsers.add_parser("push", aliases=["create"], help=push_fn.__doc__)
-    # TODO: remove from Spack 0.21
+    push.add_argument("-f", "--force", action="store_true", help="overwrite tarball if it exists")
    push.add_argument(
-        "-r",
-        "--rel",
-        action="store_true",
-        help="make all rpaths relative before creating tarballs. (deprecated)",
-    )
-    push.add_argument("-f", "--force", action="store_true", help="overwrite tarball if it exists.")
-    push.add_argument(
-        "-u", "--unsigned", action="store_true", help="push unsigned buildcache tarballs"
-    )
-    push.add_argument(
-        "-a",
        "--allow-root",
+        "-a",
        action="store_true",
        help="allow install root string in binary files after RPATH substitution",
    )
-    push.add_argument(
-        "-k", "--key", metavar="key", type=str, default=None, help="Key for signing."
+    push_sign = push.add_mutually_exclusive_group(required=False)
+    push_sign.add_argument(
+        "--unsigned", "-u", action="store_true", help="push unsigned buildcache tarballs"
    )
-    output = push.add_mutually_exclusive_group(required=False)
-    # TODO: remove from Spack 0.21
-    output.add_argument(
-        "-d",
-        "--directory",
-        metavar="directory",
-        dest="mirror_flag",
-        type=arguments.mirror_directory,
-        help="local directory where buildcaches will be written. (deprecated)",
+    push_sign.add_argument(
+        "--key", "-k", metavar="key", type=str, default=None, help="key for signing"
    )
-    # TODO: remove from Spack 0.21
-    output.add_argument(
-        "-m",
-        "--mirror-name",
-        metavar="mirror-name",
-        dest="mirror_flag",
-        type=arguments.mirror_name,
-        help="name of the mirror where buildcaches will be written. (deprecated)",
-    )
-    # TODO: remove from Spack 0.21
-    output.add_argument(
-        "--mirror-url",
-        metavar="mirror-url",
-        dest="mirror_flag",
-        type=arguments.mirror_url,
-        help="URL of the mirror where buildcaches will be written. (deprecated)",
-    )
-    # Unfortunately we cannot add this to the mutually exclusive group above,
-    # because we have further positional arguments.
-    # TODO: require from Spack 0.21
-    push.add_argument("mirror", type=str, help="Mirror name, path, or URL.", nargs="?")
+    push.add_argument("mirror", type=str, help="mirror name, path, or URL")
    push.add_argument(
        "--update-index",
        "--rebuild-index",
        action="store_true",
        default=False,
-        help="Regenerate buildcache index after building package(s)",
+        help="regenerate buildcache index after building package(s)",
    )
    push.add_argument(
-        "--spec-file", default=None, help="Create buildcache entry for spec from json or yaml file"
+        "--spec-file", default=None, help="create buildcache entry for spec from json or yaml file"
    )
    push.add_argument(
        "--only",
        default="package,dependencies",
        dest="things_to_install",
        choices=["package", "dependencies"],
-        help=(
-            "Select the buildcache mode. the default is to"
-            " build a cache for the package along with all"
-            " its dependencies. Alternatively, one can"
-            " decide to build a cache for only the package"
-            " or only the dependencies"
-        ),
+        help="select the buildcache mode. "
+        "The default is to build a cache for the package along with all its dependencies. "
+        "Alternatively, one can decide to build a cache for only the package or only the "
+        "dependencies",
    )
    arguments.add_common_arguments(push, ["specs"])
    push.set_defaults(func=push_fn)

    install = subparsers.add_parser("install", help=install_fn.__doc__)
    install.add_argument(
-        "-f", "--force", action="store_true", help="overwrite install directory if it exists."
+        "-f", "--force", action="store_true", help="overwrite install directory if it exists"
    )
    install.add_argument(
-        "-m", "--multiple", action="store_true", help="allow all matching packages "
-    )
-    # TODO: remove from Spack 0.21
-    install.add_argument(
-        "-a",
-        "--allow-root",
-        action="store_true",
-        help="allow install root string in binary files after RPATH substitution. (deprecated)",
+        "-m", "--multiple", action="store_true", help="allow all matching packages"
    )
    install.add_argument(
        "-u",
@@ -186,11 +140,11 @@ def setup_parser(subparser):
        "-m",
        "--mirror-url",
        default=None,
-        help="Override any configured mirrors with this mirror URL",
+        help="override any configured mirrors with this mirror URL",
    )

    check.add_argument(
-        "-o", "--output-file", default=None, help="File where rebuild info should be written"
+        "-o", "--output-file", default=None, help="file where rebuild info should be written"
    )

    # used to construct scope arguments below
@@ -206,13 +160,13 @@ def setup_parser(subparser):
    )

    check.add_argument(
-        "-s", "--spec", default=None, help="Check single spec instead of release specs file"
+        "-s", "--spec", default=None, help="check single spec instead of release specs file"
    )

    check.add_argument(
        "--spec-file",
        default=None,
-        help=("Check single spec from json or yaml file instead of release specs file"),
+        help="check single spec from json or yaml file instead of release specs file",
    )

    check.set_defaults(func=check_fn)
@@ -220,15 +174,15 @@ def setup_parser(subparser):
    # Download tarball and specfile
    download = subparsers.add_parser("download", help=download_fn.__doc__)
    download.add_argument(
-        "-s", "--spec", default=None, help="Download built tarball for spec from mirror"
+        "-s", "--spec", default=None, help="download built tarball for spec from mirror"
    )
    download.add_argument(
        "--spec-file",
        default=None,
-        help=("Download built tarball for spec (from json or yaml file) from mirror"),
+        help="download built tarball for spec (from json or yaml file) from mirror",
    )
    download.add_argument(
-        "-p", "--path", default=None, help="Path to directory where tarball should be downloaded"
+        "-p", "--path", default=None, help="path to directory where tarball should be downloaded"
    )
    download.set_defaults(func=download_fn)

@@ -237,106 +191,52 @@ def setup_parser(subparser):
        "get-buildcache-name", help=get_buildcache_name_fn.__doc__
    )
    getbuildcachename.add_argument(
-        "-s", "--spec", default=None, help="Spec string for which buildcache name is desired"
+        "-s", "--spec", default=None, help="spec string for which buildcache name is desired"
    )
    getbuildcachename.add_argument(
        "--spec-file",
        default=None,
-        help=("Path to spec json or yaml file for which buildcache name is desired"),
+        help="path to spec json or yaml file for which buildcache name is desired",
    )
    getbuildcachename.set_defaults(func=get_buildcache_name_fn)

    # Given the root spec, save the yaml of the dependent spec to a file
    savespecfile = subparsers.add_parser("save-specfile", help=save_specfile_fn.__doc__)
-    savespecfile.add_argument("--root-spec", default=None, help="Root spec of dependent spec")
+    savespecfile.add_argument("--root-spec", default=None, help="root spec of dependent spec")
    savespecfile.add_argument(
        "--root-specfile",
        default=None,
-        help="Path to json or yaml file containing root spec of dependent spec",
+        help="path to json or yaml file containing root spec of dependent spec",
    )
    savespecfile.add_argument(
        "-s",
        "--specs",
        default=None,
-        help="List of dependent specs for which saved yaml is desired",
+        help="list of dependent specs for which saved yaml is desired",
    )
    savespecfile.add_argument(
-        "--specfile-dir", default=None, help="Path to directory where spec yamls should be saved"
+        "--specfile-dir", default=None, help="path to directory where spec yamls should be saved"
    )
    savespecfile.set_defaults(func=save_specfile_fn)

    # Sync buildcache entries from one mirror to another
    sync = subparsers.add_parser("sync", help=sync_fn.__doc__)
    sync.add_argument(
-        "--manifest-glob",
-        default=None,
-        help="A quoted glob pattern identifying copy manifest files",
+        "--manifest-glob", help="a quoted glob pattern identifying copy manifest files"
    )
-    source = sync.add_mutually_exclusive_group(required=False)
-    # TODO: remove in Spack 0.21
-    source.add_argument(
-        "--src-directory",
-        metavar="DIRECTORY",
-        dest="src_mirror_flag",
-        type=arguments.mirror_directory,
-        help="Source mirror as a local file path (deprecated)",
-    )
-    # TODO: remove in Spack 0.21
-    source.add_argument(
-        "--src-mirror-name",
-        metavar="MIRROR_NAME",
-        dest="src_mirror_flag",
-        type=arguments.mirror_name,
-        help="Name of the source mirror (deprecated)",
-    )
-    # TODO: remove in Spack 0.21
-    source.add_argument(
-        "--src-mirror-url",
-        metavar="MIRROR_URL",
-        dest="src_mirror_flag",
-        type=arguments.mirror_url,
-        help="URL of the source mirror (deprecated)",
-    )
-    # TODO: only support this in 0.21
-    source.add_argument(
+    sync.add_argument(
        "src_mirror",
        metavar="source mirror",
        type=arguments.mirror_name_or_url,
-        help="Source mirror name, path, or URL",
        nargs="?",
+        help="source mirror name, path, or URL",
    )
-    dest = sync.add_mutually_exclusive_group(required=False)
-    # TODO: remove in Spack 0.21
-    dest.add_argument(
-        "--dest-directory",
-        metavar="DIRECTORY",
-        dest="dest_mirror_flag",
-        type=arguments.mirror_directory,
-        help="Destination mirror as a local file path (deprecated)",
-    )
-    # TODO: remove in Spack 0.21
-    dest.add_argument(
-        "--dest-mirror-name",
-        metavar="MIRROR_NAME",
-        type=arguments.mirror_name,
-        dest="dest_mirror_flag",
-        help="Name of the destination mirror (deprecated)",
-    )
-    # TODO: remove in Spack 0.21
-    dest.add_argument(
-        "--dest-mirror-url",
-        metavar="MIRROR_URL",
-        dest="dest_mirror_flag",
-        type=arguments.mirror_url,
-        help="URL of the destination mirror (deprecated)",
-    )
-    # TODO: only support this in 0.21
-    dest.add_argument(
+    sync.add_argument(
        "dest_mirror",
        metavar="destination mirror",
        type=arguments.mirror_name_or_url,
-        help="Destination mirror name, path, or URL",
        nargs="?",
+        help="destination mirror name, path, or URL",
    )
    sync.set_defaults(func=sync_fn)

@@ -344,46 +244,15 @@ def setup_parser(subparser):
    update_index = subparsers.add_parser(
        "update-index", aliases=["rebuild-index"], help=update_index_fn.__doc__
    )
-    update_index_out = update_index.add_mutually_exclusive_group(required=True)
-    # TODO: remove in Spack 0.21
-    update_index_out.add_argument(
-        "-d",
-        "--directory",
-        metavar="directory",
-        dest="mirror_flag",
-        type=arguments.mirror_directory,
-        help="local directory where buildcaches will be written (deprecated)",
-    )
-    # TODO: remove in Spack 0.21
-    update_index_out.add_argument(
-        "-m",
-        "--mirror-name",
-        metavar="mirror-name",
-        dest="mirror_flag",
-        type=arguments.mirror_name,
-        help="name of the mirror where buildcaches will be written (deprecated)",
-    )
-    # TODO: remove in Spack 0.21
-    update_index_out.add_argument(
-        "--mirror-url",
-        metavar="mirror-url",
-        dest="mirror_flag",
-        type=arguments.mirror_url,
-        help="URL of the mirror where buildcaches will be written (deprecated)",
-    )
-    # TODO: require from Spack 0.21
-    update_index_out.add_argument(
-        "mirror",
-        type=arguments.mirror_name_or_url,
-        help="Destination mirror name, path, or URL",
-        nargs="?",
+    update_index.add_argument(
+        "mirror", type=arguments.mirror_name_or_url, help="destination mirror name, path, or URL"
    )
    update_index.add_argument(
        "-k",
        "--keys",
        default=False,
        action="store_true",
-        help="If provided, key index will be updated as well as package index",
+        help="if provided, key index will be updated as well as package index",
    )
    update_index.set_defaults(func=update_index_fn)

@@ -436,32 +305,17 @@ def _concrete_spec_from_args(args):

 def push_fn(args):
    """create a binary package and push it to a mirror"""
-    if args.mirror_flag:
-        mirror = args.mirror_flag
-    elif not args.mirror:
-        raise ValueError("No mirror provided")
-    else:
-        mirror = arguments.mirror_name_or_url(args.mirror)
+    mirror = arguments.mirror_name_or_url(args.mirror)

-    if args.mirror_flag:
+    if args.allow_root:
        tty.warn(
-            "Using flags to specify mirrors is deprecated and will be removed in "
-            "Spack 0.21, use positional arguments instead."
+            "The flag `--allow-root` is the default in Spack 0.21, will be removed in Spack 0.22"
        )

-    if args.rel:
-        tty.warn("The --rel flag is deprecated and will be removed in Spack 0.21")
-
-    # TODO: remove this in 0.21. If we have mirror_flag, the first
-    # spec is in the positional mirror arg due to argparse limitations.
-    input_specs = args.specs
-    if args.mirror_flag and args.mirror:
-        input_specs.insert(0, args.mirror)
-
    url = mirror.push_url

    specs = bindist.specs_to_be_packaged(
-        _matching_specs(input_specs, args.spec_file),
+        _matching_specs(args.specs, args.spec_file),
        root="package" in args.things_to_install,
        dependencies="dependencies" in args.things_to_install,
    )
@@ -486,9 +340,7 @@ def push_fn(args):
                url,
                bindist.PushOptions(
                    force=args.force,
-                    relative=args.rel,
                    unsigned=args.unsigned,
-                    allow_root=args.allow_root,
                    key=args.key,
                    regenerate_index=args.update_index,
                ),
@@ -524,9 +376,6 @@ def install_fn(args):
    if not args.specs:
        tty.die("a spec argument is required to install from a buildcache")

-    if args.allow_root:
-        tty.warn("The --allow-root flag is deprecated and will be removed in Spack 0.21")
-
    query = bindist.BinaryCacheQuery(all_architectures=args.otherarch)
    matches = spack.store.find(args.specs, multiple=args.multiple, query_fn=query)
    for match in matches:
@@ -564,25 +413,19 @@ def keys_fn(args):


 def preview_fn(args):
-    """analyze an installed spec and reports whether executables
-    and libraries are relocatable
-    """
-    constraints = spack.cmd.parse_specs(args.specs)
-    specs = spack.store.find(constraints, multiple=True)
-
-    # Cycle over the specs that match
-    for spec in specs:
-        print("Relocatable nodes")
-        print("--------------------------------")
-        print(spec.tree(status_fn=spack.relocate.is_relocatable))
+    """analyze an installed spec and reports whether executables and libraries are relocatable"""
+    tty.warn(
+        "`spack buildcache preview` is deprecated since `spack buildcache push --allow-root` is "
+        "now the default. This command will be removed in Spack 0.22"
+    )


 def check_fn(args):
-    """Check specs (either a single spec from --spec, or else the full set
-    of release specs) against remote binary mirror(s) to see if any need
-    to be rebuilt.  This command uses the process exit code to indicate
-    its result, specifically, if the exit code is non-zero, then at least
-    one of the indicated specs needs to be rebuilt.
+    """check specs against remote binary mirror(s) to see if any need to be rebuilt
+
+    either a single spec from --spec, or else the full set of release specs. this command uses the
+    process exit code to indicate its result, specifically, if the exit code is non-zero, then at
+    least one of the indicated specs needs to be rebuilt
    """
    if args.spec or args.spec_file:
        specs = [_concrete_spec_from_args(args)]
@@ -613,10 +456,12 @@ def check_fn(args):


 def download_fn(args):
-    """Download buildcache entry from a remote mirror to local folder.  This
-    command uses the process exit code to indicate its result, specifically,
-    a non-zero exit code indicates that the command failed to download at
-    least one of the required buildcache components."""
+    """download buildcache entry from a remote mirror to local folder
+
+    this command uses the process exit code to indicate its result, specifically, a non-zero exit
+    code indicates that the command failed to download at least one of the required buildcache
+    components
+    """
    if not args.spec and not args.spec_file:
        tty.msg("No specs provided, exiting.")
        return
@@ -633,19 +478,18 @@ def download_fn(args):


 def get_buildcache_name_fn(args):
-    """Get name (prefix) of buildcache entries for this spec"""
+    """get name (prefix) of buildcache entries for this spec"""
    spec = _concrete_spec_from_args(args)
    buildcache_name = bindist.tarball_name(spec, "")
    print("{0}".format(buildcache_name))


 def save_specfile_fn(args):
-    """Get full spec for dependencies, relative to root spec, and write them
-    to files in the specified output directory.  Uses exit code to signal
-    success or failure.  An exit code of zero means the command was likely
-    successful.  If any errors or exceptions are encountered, or if expected
-    command-line arguments are not provided, then the exit code will be
-    non-zero.
+    """get full spec for dependencies and write them to files in the specified output directory
+
+    uses exit code to signal success or failure. an exit code of zero means the command was likely
+    successful. if any errors or exceptions are encountered, or if expected command-line arguments
+    are not provided, then the exit code will be non-zero
    """
    if not args.root_spec and not args.root_specfile:
        tty.msg("No root spec provided, exiting.")
@@ -699,32 +543,19 @@ def copy_buildcache_file(src_url, dest_url, local_path=None):


 def sync_fn(args):
-    """Syncs binaries (and associated metadata) from one mirror to another.
-    Requires an active environment in order to know which specs to sync.
+    """sync binaries (and associated metadata) from one mirror to another

-    Args:
-        src (str): Source mirror URL
-        dest (str): Destination mirror URL
+    requires an active environment in order to know which specs to sync
    """
    if args.manifest_glob:
        manifest_copy(glob.glob(args.manifest_glob))
        return 0

-    # If no manifest_glob, require a source and dest mirror.
-    # TODO: Simplify in Spack 0.21
-    if not (args.src_mirror_flag or args.src_mirror) or not (
-        args.dest_mirror_flag or args.dest_mirror
-    ):
-        raise ValueError("Source and destination mirror are required.")
+    if args.src_mirror is None or args.dest_mirror is None:
+        tty.die("Provide mirrors to sync from and to.")

-    if args.src_mirror_flag or args.dest_mirror_flag:
-        tty.warn(
-            "Using flags to specify mirrors is deprecated and will be removed in "
-            "Spack 0.21, use positional arguments instead."
-        )
-
-    src_mirror = args.src_mirror_flag if args.src_mirror_flag else args.src_mirror
-    dest_mirror = args.dest_mirror_flag if args.dest_mirror_flag else args.dest_mirror
+    src_mirror = args.src_mirror
+    dest_mirror = args.dest_mirror

    src_mirror_url = src_mirror.fetch_url
    dest_mirror_url = dest_mirror.push_url
@@ -802,14 +633,8 @@ def update_index(mirror: spack.mirror.Mirror, update_keys=False):


 def update_index_fn(args):
-    """Update a buildcache index."""
-    if args.mirror_flag:
-        tty.warn(
-            "Using flags to specify mirrors is deprecated and will be removed in "
-            "Spack 0.21, use positional arguments instead."
-        )
-    mirror = args.mirror_flag if args.mirror_flag else args.mirror
-    update_index(mirror, update_keys=args.keys)
+    """update a buildcache index"""
+    update_index(args.mirror, update_keys=args.keys)


 def buildcache(parser, args):
--- a/lib/spack/spack/cmd/checksum.py
+++ b/lib/spack/spack/cmd/checksum.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import argparse
 import sys

--- a/lib/spack/spack/cmd/ci.py
+++ b/lib/spack/spack/cmd/ci.py
@@ -18,6 +18,7 @@
 import spack.environment as ev
 import spack.hash_types as ht
 import spack.mirror
+import spack.util.gpg as gpg_util
 import spack.util.url as url_util
 import spack.util.web as web_util

@@ -47,40 +48,36 @@ def setup_parser(subparser):
    generate.add_argument(
        "--output-file",
        default=None,
-        help="""pathname for the generated gitlab ci yaml file
-  Path to the file where generated jobs file should
-be written. Default is .gitlab-ci.yml in the root of
-the repository.""",
+        help="pathname for the generated gitlab ci yaml file\n\n"
+        "path to the file where generated jobs file should be written. "
+        "default is .gitlab-ci.yml in the root of the repository",
    )
    generate.add_argument(
        "--copy-to",
        default=None,
-        help="""path to additional directory for job files
-  This option provides an absolute path to a directory
-where the generated jobs yaml file should be copied.
-Default is not to copy.""",
+        help="path to additional directory for job files\n\n"
+        "this option provides an absolute path to a directory where the generated "
+        "jobs yaml file should be copied. default is not to copy",
    )
    generate.add_argument(
        "--optimize",
        action="store_true",
        default=False,
-        help="""(Experimental) optimize the gitlab yaml file for size
-  Run the generated document through a series of
-optimization passes designed to reduce the size
-of the generated file.""",
+        help="(experimental) optimize the gitlab yaml file for size\n\n"
+        "run the generated document through a series of optimization passes "
+        "designed to reduce the size of the generated file",
    )
    generate.add_argument(
        "--dependencies",
        action="store_true",
        default=False,
-        help="(Experimental) disable DAG scheduling; use " ' "plain" dependencies.',
+        help="(experimental) disable DAG scheduling (use 'plain' dependencies)",
    )
    generate.add_argument(
        "--buildcache-destination",
        default=None,
-        help="Override the mirror configured in the environment (spack.yaml) "
-        + "in order to push binaries from the generated pipeline to a "
-        + "different location.",
+        help="override the mirror configured in the environment\n\n"
+        "allows for pushing binaries from the generated pipeline to a different location",
    )
    prune_group = generate.add_mutually_exclusive_group()
    prune_group.add_argument(
@@ -88,45 +85,37 @@ def setup_parser(subparser):
        action="store_true",
        dest="prune_dag",
        default=True,
-        help="""skip up-to-date specs
-  Do not generate jobs for specs that are up-to-date
-on the mirror.""",
+        help="skip up-to-date specs\n\n"
+        "do not generate jobs for specs that are up-to-date on the mirror",
    )
    prune_group.add_argument(
        "--no-prune-dag",
        action="store_false",
        dest="prune_dag",
        default=True,
-        help="""process up-to-date specs
-  Generate jobs for specs even when they are up-to-date
-on the mirror.""",
+        help="process up-to-date specs\n\n"
+        "generate jobs for specs even when they are up-to-date on the mirror",
    )
    generate.add_argument(
        "--check-index-only",
        action="store_true",
        dest="index_only",
        default=False,
-        help="""only check spec state from buildcache indices
-  Spack always checks specs against configured binary
-mirrors, regardless of the DAG pruning option.
-  If enabled, Spack will assume all remote buildcache
-indices are up-to-date when assessing whether the spec
-on the mirror, if present, is up-to-date. This has the
-benefit of reducing pipeline generation time but at the
-potential cost of needlessly rebuilding specs when the
-indices are outdated.
-  If not enabled, Spack will fetch remote spec files
-directly to assess whether the spec on the mirror is
-up-to-date.""",
+        help="only check spec state from buildcache indices\n\n"
+        "Spack always checks specs against configured binary mirrors, regardless of the DAG "
+        "pruning option. if enabled, Spack will assume all remote buildcache indices are "
+        "up-to-date when assessing whether the spec on the mirror, if present, is up-to-date. "
+        "this has the benefit of reducing pipeline generation time but at the potential cost of "
+        "needlessly rebuilding specs when the indices are outdated. if not enabled, Spack will "
+        "fetch remote spec files directly to assess whether the spec on the mirror is up-to-date",
    )
    generate.add_argument(
        "--artifacts-root",
        default=None,
-        help="""path to the root of the artifacts directory
-  If provided, concrete environment files (spack.yaml,
-spack.lock) will be generated under this directory.
-Their location will be passed to generated child jobs
-through the SPACK_CONCRETE_ENVIRONMENT_PATH variable.""",
+        help="path to the root of the artifacts directory\n\n"
+        "if provided, concrete environment files (spack.yaml, spack.lock) will be generated under "
+        "this directory. their location will be passed to generated child jobs through the "
+        "SPACK_CONCRETE_ENVIRONMENT_PATH variable",
    )
    generate.set_defaults(func=ci_generate)

@@ -150,13 +139,13 @@ def setup_parser(subparser):
        "--tests",
        action="store_true",
        default=False,
-        help="""run stand-alone tests after the build""",
+        help="run stand-alone tests after the build",
    )
    rebuild.add_argument(
        "--fail-fast",
        action="store_true",
        default=False,
-        help="""stop stand-alone tests after the first failure""",
+        help="stop stand-alone tests after the first failure",
    )
    rebuild.set_defaults(func=ci_rebuild)

@@ -166,10 +155,10 @@ def setup_parser(subparser):
        description=deindent(ci_reproduce.__doc__),
        help=spack.cmd.first_line(ci_reproduce.__doc__),
    )
-    reproduce.add_argument("job_url", help="Url of job artifacts bundle")
+    reproduce.add_argument("job_url", help="URL of job artifacts bundle")
    reproduce.add_argument(
        "--working-dir",
-        help="Where to unpack artifacts",
+        help="where to unpack artifacts",
        default=os.path.join(os.getcwd(), "ci_reproduction"),
    )

@@ -177,12 +166,12 @@ def setup_parser(subparser):


 def ci_generate(args):
-    """Generate jobs file from a CI-aware spack file.
+    """generate jobs file from a CI-aware spack file

-    If you want to report the results on CDash, you will need to set
-    the SPACK_CDASH_AUTH_TOKEN before invoking this command. The
-    value must be the CDash authorization token needed to create a
-    build group and register all generated jobs under it."""
+    if you want to report the results on CDash, you will need to set the SPACK_CDASH_AUTH_TOKEN
+    before invoking this command. the value must be the CDash authorization token needed to create
+    a build group and register all generated jobs under it
+    """
    env = spack.cmd.require_active_env(cmd_name="ci generate")

    output_file = args.output_file
@@ -223,12 +212,13 @@ def ci_generate(args):


 def ci_reindex(args):
-    """Rebuild the buildcache index for the remote mirror.
+    """rebuild the buildcache index for the remote mirror

-    Use the active, gitlab-enabled environment to rebuild the buildcache
-    index for the associated mirror."""
+    use the active, gitlab-enabled environment to rebuild the buildcache index for the associated
+    mirror
+    """
    env = spack.cmd.require_active_env(cmd_name="ci rebuild-index")
-    yaml_root = ev.config_dict(env.manifest)
+    yaml_root = env.manifest[ev.TOP_LEVEL_KEY]

    if "mirrors" not in yaml_root or len(yaml_root["mirrors"].values()) < 1:
        tty.die("spack ci rebuild-index requires an env containing a mirror")
@@ -242,10 +232,11 @@ def ci_reindex(args):


 def ci_rebuild(args):
-    """Rebuild a spec if it is not on the remote mirror.
+    """rebuild a spec if it is not on the remote mirror

-    Check a single spec against the remote mirror, and rebuild it from
-    source if the mirror does not contain the hash."""
+    check a single spec against the remote mirror, and rebuild it from source if the mirror does
+    not contain the hash
+    """
    env = spack.cmd.require_active_env(cmd_name="ci rebuild")

    # Make sure the environment is "gitlab-enabled", or else there's nothing
@@ -274,13 +265,19 @@ def ci_rebuild(args):
    signing_key = os.environ.get("SPACK_SIGNING_KEY")
    job_spec_pkg_name = os.environ.get("SPACK_JOB_SPEC_PKG_NAME")
    job_spec_dag_hash = os.environ.get("SPACK_JOB_SPEC_DAG_HASH")
-    compiler_action = os.environ.get("SPACK_COMPILER_ACTION")
    spack_pipeline_type = os.environ.get("SPACK_PIPELINE_TYPE")
    remote_mirror_override = os.environ.get("SPACK_REMOTE_MIRROR_OVERRIDE")
    remote_mirror_url = os.environ.get("SPACK_REMOTE_MIRROR_URL")
    spack_ci_stack_name = os.environ.get("SPACK_CI_STACK_NAME")
    shared_pr_mirror_url = os.environ.get("SPACK_CI_SHARED_PR_MIRROR_URL")
    rebuild_everything = os.environ.get("SPACK_REBUILD_EVERYTHING")
+    require_signing = os.environ.get("SPACK_REQUIRE_SIGNING")
+
+    # Fail early if signing is required but we don't have a signing key
+    sign_binaries = require_signing is not None and require_signing.lower() == "true"
+    if sign_binaries and not spack_ci.can_sign_binaries():
+        gpg_util.list(False, True)
+        tty.die("SPACK_REQUIRE_SIGNING=True => spack must have exactly one signing key")

    # Construct absolute paths relative to current $CI_PROJECT_DIR
    ci_project_dir = os.environ.get("CI_PROJECT_DIR")
@@ -295,7 +292,6 @@ def ci_rebuild(args):
    tty.debug("pipeline_artifacts_dir = {0}".format(pipeline_artifacts_dir))
    tty.debug("remote_mirror_url = {0}".format(remote_mirror_url))
    tty.debug("job_spec_pkg_name = {0}".format(job_spec_pkg_name))
-    tty.debug("compiler_action = {0}".format(compiler_action))

    # Query the environment manifest to find out whether we're reporting to a
    # CDash instance, and if so, gather some information from the manifest to
@@ -411,14 +407,6 @@ def ci_rebuild(args):
    if signing_key:
        spack_ci.import_signing_key(signing_key)

-    # Depending on the specifics of this job, we might need to turn on the
-    # "config:install_missing compilers" option (to build this job spec
-    # with a bootstrapped compiler), or possibly run "spack compiler find"
-    # (to build a bootstrap compiler or one of its deps in a
-    # compiler-agnostic way), or maybe do nothing at all (to build a spec
-    # using a compiler already installed on the target system).
-    spack_ci.configure_compilers(compiler_action)
-
    # Write this job's spec json into the reproduction directory, and it will
    # also be used in the generated "spack install" command to install the spec
    tty.debug("job concrete spec path: {0}".format(job_spec_json_path))
@@ -616,7 +604,7 @@ def ci_rebuild(args):
    )
    reports_dir = fs.join_path(os.getcwd(), "cdash_report")
    if args.tests and broken_tests:
-        tty.warn("Unable to run stand-alone tests since listed in " "ci's 'broken-tests-packages'")
+        tty.warn("Unable to run stand-alone tests since listed in ci's 'broken-tests-packages'")
        if cdash_handler:
            msg = "Package is listed in ci's broken-tests-packages"
            cdash_handler.report_skipped(job_spec, reports_dir, reason=msg)
@@ -659,7 +647,7 @@ def ci_rebuild(args):
                    tty.warn("No recognized test results reporting option")

        else:
-            tty.warn("Unable to run stand-alone tests due to unsuccessful " "installation")
+            tty.warn("Unable to run stand-alone tests due to unsuccessful installation")
            if cdash_handler:
                msg = "Failed to install the package"
                cdash_handler.report_skipped(job_spec, reports_dir, reason=msg)
@@ -675,7 +663,7 @@ def ci_rebuild(args):
                input_spec=job_spec,
                buildcache_mirror_url=buildcache_mirror_url,
                pipeline_mirror_url=pipeline_mirror_url,
-                pr_pipeline=spack_is_pr_pipeline,
+                sign_binaries=sign_binaries,
            ):
                msg = tty.msg if result.success else tty.warn
                msg(
@@ -738,10 +726,11 @@ def ci_rebuild(args):


 def ci_reproduce(args):
-    """Generate instructions for reproducing the spec rebuild job.
+    """generate instructions for reproducing the spec rebuild job

-    Artifacts of the provided gitlab pipeline rebuild job's URL will be
-    used to derive instructions for reproducing the build locally."""
+    artifacts of the provided gitlab pipeline rebuild job's URL will be used to derive
+    instructions for reproducing the build locally
+    """
    job_url = args.job_url
    work_dir = args.working_dir

--- a/lib/spack/spack/cmd/clean.py
+++ b/lib/spack/spack/cmd/clean.py
@@ -115,7 +115,7 @@ def clean(parser, args):
        tty.msg("Removing all temporary build stages")
        spack.stage.purge()
        # Temp directory where buildcaches are extracted
-        extract_tmp = os.path.join(spack.store.layout.root, ".tmp")
+        extract_tmp = os.path.join(spack.store.STORE.layout.root, ".tmp")
        if os.path.exists(extract_tmp):
            tty.debug("Removing {0}".format(extract_tmp))
            shutil.rmtree(extract_tmp)
--- a/lib/spack/spack/cmd/clone.py
+++ b/lib/spack/spack/cmd/clone.py
@@ -48,7 +48,7 @@ def get_origin_info(remote):
        )
    except ProcessError:
        origin_url = _SPACK_UPSTREAM
-        tty.warn("No git repository found; " "using default upstream URL: %s" % origin_url)
+        tty.warn("No git repository found; using default upstream URL: %s" % origin_url)
    return (origin_url.strip(), branch.strip())


@@ -69,7 +69,7 @@ def clone(parser, args):
    files_in_the_way = os.listdir(prefix)
    if files_in_the_way:
        tty.die(
-            "There are already files there! " "Delete these files before boostrapping spack.",
+            "There are already files there! Delete these files before boostrapping spack.",
            *files_in_the_way,
        )

--- a/lib/spack/spack/cmd/commands.py
+++ b/lib/spack/spack/cmd/commands.py
@@ -3,17 +3,17 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import argparse
 import copy
 import os
 import re
 import sys
+from argparse import ArgumentParser, Namespace
+from typing import IO, Any, Callable, Dict, Iterable, List, Optional, Sequence, Set, Tuple, Union

 import llnl.util.filesystem as fs
 import llnl.util.tty as tty
-from llnl.util.argparsewriter import ArgparseCompletionWriter, ArgparseRstWriter, ArgparseWriter
+from llnl.util.argparsewriter import ArgparseRstWriter, ArgparseWriter, Command
 from llnl.util.tty.colify import colify

 import spack.cmd
@@ -27,28 +27,46 @@


 #: list of command formatters
-formatters = {}
+formatters: Dict[str, Callable[[Namespace, IO], None]] = {}


 #: standard arguments for updating completion scripts
 #: we iterate through these when called with --update-completion
-update_completion_args = {
+update_completion_args: Dict[str, Dict[str, Any]] = {
    "bash": {
        "aliases": True,
        "format": "bash",
        "header": os.path.join(spack.paths.share_path, "bash", "spack-completion.in"),
        "update": os.path.join(spack.paths.share_path, "spack-completion.bash"),
-    }
+    },
+    "fish": {
+        "aliases": True,
+        "format": "fish",
+        "header": os.path.join(spack.paths.share_path, "fish", "spack-completion.in"),
+        "update": os.path.join(spack.paths.share_path, "spack-completion.fish"),
+    },
 }


-def formatter(func):
-    """Decorator used to register formatters"""
+def formatter(func: Callable[[Namespace, IO], None]) -> Callable[[Namespace, IO], None]:
+    """Decorator used to register formatters.
+
+    Args:
+        func: Formatting function.
+
+    Returns:
+        The same function.
+    """
    formatters[func.__name__] = func
    return func


-def setup_parser(subparser):
+def setup_parser(subparser: ArgumentParser) -> None:
+    """Set up the argument parser.
+
+    Args:
+        subparser: Preliminary argument parser.
+    """
    subparser.add_argument(
        "--update-completion",
        action="store_true",
@@ -91,18 +109,34 @@ class SpackArgparseRstWriter(ArgparseRstWriter):

    def __init__(
        self,
-        prog,
-        out=None,
-        aliases=False,
-        documented_commands=[],
-        rst_levels=["-", "-", "^", "~", ":", "`"],
+        prog: str,
+        out: IO = sys.stdout,
+        aliases: bool = False,
+        documented_commands: Set[str] = set(),
+        rst_levels: Sequence[str] = ["-", "-", "^", "~", ":", "`"],
    ):
-        out = sys.stdout if out is None else out
-        super(SpackArgparseRstWriter, self).__init__(prog, out, aliases, rst_levels)
+        """Initialize a new SpackArgparseRstWriter instance.
+
+        Args:
+            prog: Program name.
+            out: File object to write to.
+            aliases: Whether or not to include subparsers for aliases.
+            documented_commands: Set of commands with additional documentation.
+            rst_levels: List of characters for rst section headings.
+        """
+        super().__init__(prog, out, aliases, rst_levels)
        self.documented = documented_commands

-    def usage(self, *args):
-        string = super(SpackArgparseRstWriter, self).usage(*args)
+    def usage(self, usage: str) -> str:
+        """Example usage of a command.
+
+        Args:
+            usage: Command usage.
+
+        Returns:
+            Usage of a command.
+        """
+        string = super().usage(usage)

        cmd = self.parser.prog.replace(" ", "-")
        if cmd in self.documented:
@@ -112,11 +146,21 @@ def usage(self, *args):


 class SubcommandWriter(ArgparseWriter):
-    def format(self, cmd):
+    """Write argparse output as a list of subcommands."""
+
+    def format(self, cmd: Command) -> str:
+        """Return the string representation of a single node in the parser tree.
+
+        Args:
+            cmd: Parsed information about a command or subcommand.
+
+        Returns:
+            String representation of this subcommand.
+        """
        return "    " * self.level + cmd.prog + "\n"


-_positional_to_subroutine = {
+_positional_to_subroutine: Dict[str, str] = {
    "package": "_all_packages",
    "spec": "_all_packages",
    "filter": "_all_packages",
@@ -135,10 +179,76 @@ def format(self, cmd):
 }


-class BashCompletionWriter(ArgparseCompletionWriter):
+class BashCompletionWriter(ArgparseWriter):
    """Write argparse output as bash programmable tab completion."""

-    def body(self, positionals, optionals, subcommands):
+    def format(self, cmd: Command) -> str:
+        """Return the string representation of a single node in the parser tree.
+
+        Args:
+            cmd: Parsed information about a command or subcommand.
+
+        Returns:
+            String representation of this subcommand.
+        """
+
+        assert cmd.optionals  # we should always at least have -h, --help
+        assert not (cmd.positionals and cmd.subcommands)  # one or the other
+
+        # We only care about the arguments/flags, not the help messages
+        positionals: Tuple[str, ...] = ()
+        if cmd.positionals:
+            positionals, _, _, _ = zip(*cmd.positionals)
+        optionals, _, _, _, _ = zip(*cmd.optionals)
+        subcommands: Tuple[str, ...] = ()
+        if cmd.subcommands:
+            _, subcommands, _ = zip(*cmd.subcommands)
+
+        # Flatten lists of lists
+        optionals = [x for xx in optionals for x in xx]
+
+        return (
+            self.start_function(cmd.prog)
+            + self.body(positionals, optionals, subcommands)
+            + self.end_function(cmd.prog)
+        )
+
+    def start_function(self, prog: str) -> str:
+        """Return the syntax needed to begin a function definition.
+
+        Args:
+            prog: Program name.
+
+        Returns:
+            Function definition beginning.
+        """
+        name = prog.replace("-", "_").replace(" ", "_")
+        return "\n_{0}() {{".format(name)
+
+    def end_function(self, prog: str) -> str:
+        """Return the syntax needed to end a function definition.
+
+        Args:
+            prog: Program name
+
+        Returns:
+            Function definition ending.
+        """
+        return "}\n"
+
+    def body(
+        self, positionals: Sequence[str], optionals: Sequence[str], subcommands: Sequence[str]
+    ) -> str:
+        """Return the body of the function.
+
+        Args:
+            positionals: List of positional arguments.
+            optionals: List of optional arguments.
+            subcommands: List of subcommand parsers.
+
+        Returns:
+            Function body.
+        """
        if positionals:
            return """
    if $list_options
@@ -168,7 +278,15 @@ def body(self, positionals, optionals, subcommands):
                self.optionals(optionals)
            )

-    def positionals(self, positionals):
+    def positionals(self, positionals: Sequence[str]) -> str:
+        """Return the syntax for reporting positional arguments.
+
+        Args:
+            positionals: List of positional arguments.
+
+        Returns:
+            Syntax for positional arguments.
+        """
        # If match found, return function name
        for positional in positionals:
            for key, value in _positional_to_subroutine.items():
@@ -178,22 +296,439 @@ def positionals(self, positionals):
        # If no matches found, return empty list
        return 'SPACK_COMPREPLY=""'

-    def optionals(self, optionals):
+    def optionals(self, optionals: Sequence[str]) -> str:
+        """Return the syntax for reporting optional flags.
+
+        Args:
+            optionals: List of optional arguments.
+
+        Returns:
+            Syntax for optional flags.
+        """
        return 'SPACK_COMPREPLY="{0}"'.format(" ".join(optionals))

-    def subcommands(self, subcommands):
+    def subcommands(self, subcommands: Sequence[str]) -> str:
+        """Return the syntax for reporting subcommands.
+
+        Args:
+            subcommands: List of subcommand parsers.
+
+        Returns:
+            Syntax for subcommand parsers
+        """
        return 'SPACK_COMPREPLY="{0}"'.format(" ".join(subcommands))


+# Map argument destination names to their complete commands
+# Earlier items in the list have higher precedence
+_dest_to_fish_complete = {
+    ("activate", "view"): "-f -a '(__fish_complete_directories)'",
+    ("bootstrap root", "path"): "-f -a '(__fish_complete_directories)'",
+    ("mirror add", "mirror"): "-f",
+    ("repo add", "path"): "-f -a '(__fish_complete_directories)'",
+    ("test find", "filter"): "-f -a '(__fish_spack_tests)'",
+    ("bootstrap", "name"): "-f -a '(__fish_spack_bootstrap_names)'",
+    ("buildcache create", "key"): "-f -a '(__fish_spack_gpg_keys)'",
+    ("build-env", r"spec \[--\].*"): "-f -a '(__fish_spack_build_env_spec)'",
+    ("checksum", "package"): "-f -a '(__fish_spack_packages)'",
+    (
+        "checksum",
+        "versions",
+    ): "-f -a '(__fish_spack_package_versions $__fish_spack_argparse_argv[1])'",
+    ("config", "path"): "-f -a '(__fish_spack_colon_path)'",
+    ("config", "section"): "-f -a '(__fish_spack_config_sections)'",
+    ("develop", "specs?"): "-f -k -a '(__fish_spack_specs_or_id)'",
+    ("diff", "specs?"): "-f -a '(__fish_spack_installed_specs)'",
+    ("gpg sign", "output"): "-f -a '(__fish_complete_directories)'",
+    ("gpg", "keys?"): "-f -a '(__fish_spack_gpg_keys)'",
+    ("graph", "specs?"): "-f -k -a '(__fish_spack_specs_or_id)'",
+    ("help", "help_command"): "-f -a '(__fish_spack_commands)'",
+    ("list", "filter"): "-f -a '(__fish_spack_packages)'",
+    ("mirror", "mirror"): "-f -a '(__fish_spack_mirrors)'",
+    ("pkg", "package"): "-f -a '(__fish_spack_pkg_packages)'",
+    ("remove", "specs?"): "-f -a '(__fish_spack_installed_specs)'",
+    ("repo", "namespace_or_path"): "$__fish_spack_force_files -a '(__fish_spack_repos)'",
+    ("restage", "specs?"): "-f -k -a '(__fish_spack_specs_or_id)'",
+    ("rm", "specs?"): "-f -a '(__fish_spack_installed_specs)'",
+    ("solve", "specs?"): "-f -k -a '(__fish_spack_specs_or_id)'",
+    ("spec", "specs?"): "-f -k -a '(__fish_spack_specs_or_id)'",
+    ("stage", "specs?"): "-f -k -a '(__fish_spack_specs_or_id)'",
+    ("test-env", r"spec \[--\].*"): "-f -a '(__fish_spack_build_env_spec)'",
+    ("test", r"\[?name.*"): "-f -a '(__fish_spack_tests)'",
+    ("undevelop", "specs?"): "-f -k -a '(__fish_spack_specs_or_id)'",
+    ("verify", "specs_or_files"): "$__fish_spack_force_files -a '(__fish_spack_installed_specs)'",
+    ("view", "path"): "-f -a '(__fish_complete_directories)'",
+    ("", "comment"): "-f",
+    ("", "compiler_spec"): "-f -a '(__fish_spack_installed_compilers)'",
+    ("", "config_scopes"): "-f -a '(__fish_complete_directories)'",
+    ("", "extendable"): "-f -a '(__fish_spack_extensions)'",
+    ("", "installed_specs?"): "-f -a '(__fish_spack_installed_specs)'",
+    ("", "job_url"): "-f",
+    ("", "location_env"): "-f -a '(__fish_complete_directories)'",
+    ("", "pytest_args"): "-f -a '(__fish_spack_unit_tests)'",
+    ("", "package_or_file"): "$__fish_spack_force_files -a '(__fish_spack_packages)'",
+    ("", "package_or_user"): "-f -a '(__fish_spack_packages)'",
+    ("", "package"): "-f -a '(__fish_spack_packages)'",
+    ("", "PKG"): "-f -a '(__fish_spack_packages)'",
+    ("", "prefix"): "-f -a '(__fish_complete_directories)'",
+    ("", r"rev\d?"): "-f -a '(__fish_spack_git_rev)'",
+    ("", "specs?"): "-f -k -a '(__fish_spack_specs)'",
+    ("", "tags?"): "-f -a '(__fish_spack_tags)'",
+    ("", "virtual_package"): "-f -a '(__fish_spack_providers)'",
+    ("", "working_dir"): "-f -a '(__fish_complete_directories)'",
+    ("", r"(\w*_)?env"): "-f -a '(__fish_spack_environments)'",
+    ("", r"(\w*_)?dir(ectory)?"): "-f -a '(__fish_spack_environments)'",
+    ("", r"(\w*_)?mirror_name"): "-f -a '(__fish_spack_mirrors)'",
+}
+
+
+def _fish_dest_get_complete(prog: str, dest: str) -> Optional[str]:
+    """Map from subcommand to autocompletion argument.
+
+    Args:
+        prog: Program name.
+        dest: Destination.
+
+    Returns:
+        Autocompletion argument.
+    """
+    s = prog.split(None, 1)
+    subcmd = s[1] if len(s) == 2 else ""
+
+    for (prog_key, pos_key), value in _dest_to_fish_complete.items():
+        if subcmd.startswith(prog_key) and re.match("^" + pos_key + "$", dest):
+            return value
+    return None
+
+
+class FishCompletionWriter(ArgparseWriter):
+    """Write argparse output as bash programmable tab completion."""
+
+    def format(self, cmd: Command) -> str:
+        """Return the string representation of a single node in the parser tree.
+
+        Args:
+            cmd: Parsed information about a command or subcommand.
+
+        Returns:
+            String representation of a node.
+        """
+        assert cmd.optionals  # we should always at least have -h, --help
+        assert not (cmd.positionals and cmd.subcommands)  # one or the other
+
+        # We also need help messages and how arguments are used
+        # So we pass everything to completion writer
+        positionals = cmd.positionals
+        optionals = cmd.optionals
+        subcommands = cmd.subcommands
+
+        return (
+            self.prog_comment(cmd.prog)
+            + self.optspecs(cmd.prog, optionals)
+            + self.complete(cmd.prog, positionals, optionals, subcommands)
+        )
+
+    def _quote(self, string: str) -> str:
+        """Quote string and escape special characters if necessary.
+
+        Args:
+            string: Input string.
+
+        Returns:
+            Quoted string.
+        """
+        # Goal here is to match fish_indent behavior
+
+        # Strings without spaces (or other special characters) do not need to be escaped
+        if not any([sub in string for sub in [" ", "'", '"']]):
+            return string
+
+        string = string.replace("'", r"\'")
+        return f"'{string}'"
+
+    def optspecs(
+        self,
+        prog: str,
+        optionals: List[Tuple[Sequence[str], List[str], str, Union[int, str, None], str]],
+    ) -> str:
+        """Read the optionals and return the command to set optspec.
+
+        Args:
+            prog: Program name.
+            optionals: List of optional arguments.
+
+        Returns:
+            Command to set optspec variable.
+        """
+        # Variables of optspecs
+        optspec_var = "__fish_spack_optspecs_" + prog.replace(" ", "_").replace("-", "_")
+
+        if optionals is None:
+            return "set -g %s\n" % optspec_var
+
+        # Build optspec by iterating over options
+        args = []
+
+        for flags, dest, _, nargs, _ in optionals:
+            if len(flags) == 0:
+                continue
+
+            required = ""
+
+            # Because nargs '?' is treated differently in fish, we treat it as required.
+            # Because multi-argument options are not supported, we treat it like one argument.
+            required = "="
+            if nargs == 0:
+                required = ""
+
+            # Pair short options with long options
+
+            # We need to do this because fish doesn't support multiple short
+            # or long options.
+            # However, since we are paring options only, this is fine
+
+            short = [f[1:] for f in flags if f.startswith("-") and len(f) == 2]
+            long = [f[2:] for f in flags if f.startswith("--")]
+
+            while len(short) > 0 and len(long) > 0:
+                arg = "%s/%s%s" % (short.pop(), long.pop(), required)
+            while len(short) > 0:
+                arg = "%s/%s" % (short.pop(), required)
+            while len(long) > 0:
+                arg = "%s%s" % (long.pop(), required)
+
+            args.append(arg)
+
+        # Even if there is no option, we still set variable.
+        # In fish such variable is an empty array, we use it to
+        # indicate that such subcommand exists.
+        args = " ".join(args)
+
+        return "set -g %s %s\n" % (optspec_var, args)
+
+    @staticmethod
+    def complete_head(
+        prog: str, index: Optional[int] = None, nargs: Optional[Union[int, str]] = None
+    ) -> str:
+        """Return the head of the completion command.
+
+        Args:
+            prog: Program name.
+            index: Index of positional argument.
+            nargs: Number of arguments.
+
+        Returns:
+            Head of the completion command.
+        """
+        # Split command and subcommand
+        s = prog.split(None, 1)
+        subcmd = s[1] if len(s) == 2 else ""
+
+        if index is None:
+            return "complete -c %s -n '__fish_spack_using_command %s'" % (s[0], subcmd)
+        elif nargs in [argparse.ZERO_OR_MORE, argparse.ONE_OR_MORE, argparse.REMAINDER]:
+            head = "complete -c %s -n '__fish_spack_using_command_pos_remainder %d %s'"
+        else:
+            head = "complete -c %s -n '__fish_spack_using_command_pos %d %s'"
+        return head % (s[0], index, subcmd)
+
+    def complete(
+        self,
+        prog: str,
+        positionals: List[Tuple[str, Optional[Iterable[Any]], Union[int, str, None], str]],
+        optionals: List[Tuple[Sequence[str], List[str], str, Union[int, str, None], str]],
+        subcommands: List[Tuple[ArgumentParser, str, str]],
+    ) -> str:
+        """Return all the completion commands.
+
+        Args:
+            prog: Program name.
+            positionals: List of positional arguments.
+            optionals: List of optional arguments.
+            subcommands: List of subcommand parsers.
+
+        Returns:
+            Completion command.
+        """
+        commands = []
+
+        if positionals:
+            commands.append(self.positionals(prog, positionals))
+
+        if subcommands:
+            commands.append(self.subcommands(prog, subcommands))
+
+        if optionals:
+            commands.append(self.optionals(prog, optionals))
+
+        return "".join(commands)
+
+    def positionals(
+        self,
+        prog: str,
+        positionals: List[Tuple[str, Optional[Iterable[Any]], Union[int, str, None], str]],
+    ) -> str:
+        """Return the completion for positional arguments.
+
+        Args:
+            prog: Program name.
+            positionals: List of positional arguments.
+
+        Returns:
+            Completion command.
+        """
+        commands = []
+
+        for idx, (args, choices, nargs, help) in enumerate(positionals):
+            # Make sure we always get same order of output
+            if isinstance(choices, dict):
+                choices = sorted(choices.keys())
+            elif isinstance(choices, (set, frozenset)):
+                choices = sorted(choices)
+
+            # Remove platform-specific choices to avoid hard-coding the platform.
+            if choices is not None:
+                valid_choices = []
+                for choice in choices:
+                    if spack.platforms.host().name not in choice:
+                        valid_choices.append(choice)
+                choices = valid_choices
+
+            head = self.complete_head(prog, idx, nargs)
+
+            if choices is not None:
+                # If there are choices, we provide a completion for all possible values.
+                commands.append(head + " -f -a %s" % self._quote(" ".join(choices)))
+            else:
+                # Otherwise, we try to find a predefined completion for it
+                value = _fish_dest_get_complete(prog, args)
+                if value is not None:
+                    commands.append(head + " " + value)
+
+        return "\n".join(commands) + "\n"
+
+    def prog_comment(self, prog: str) -> str:
+        """Return a comment line for the command.
+
+        Args:
+            prog: Program name.
+
+        Returns:
+            Comment line.
+        """
+        return "\n# %s\n" % prog
+
+    def optionals(
+        self,
+        prog: str,
+        optionals: List[Tuple[Sequence[str], List[str], str, Union[int, str, None], str]],
+    ) -> str:
+        """Return the completion for optional arguments.
+
+        Args:
+            prog: Program name.
+            optionals: List of optional arguments.
+
+        Returns:
+            Completion command.
+        """
+        commands = []
+        head = self.complete_head(prog)
+
+        for flags, dest, _, nargs, help in optionals:
+            # Make sure we always get same order of output
+            if isinstance(dest, dict):
+                dest = sorted(dest.keys())
+            elif isinstance(dest, (set, frozenset)):
+                dest = sorted(dest)
+
+            # Remove platform-specific choices to avoid hard-coding the platform.
+            if dest is not None:
+                valid_choices = []
+                for choice in dest:
+                    if spack.platforms.host().name not in choice:
+                        valid_choices.append(choice)
+                dest = valid_choices
+
+            # To provide description for optionals, and also possible values,
+            # we need to use two split completion command.
+            # Otherwise, each option will have same description.
+            prefix = head
+
+            # Add all flags to the completion
+            for f in flags:
+                if f.startswith("--"):
+                    long = f[2:]
+                    prefix += " -l %s" % long
+                elif f.startswith("-"):
+                    short = f[1:]
+                    assert len(short) == 1
+                    prefix += " -s %s" % short
+
+            # Check if option require argument.
+            # Currently multi-argument options are not supported, so we treat it like one argument.
+            if nargs != 0:
+                prefix += " -r"
+
+            if dest is not None:
+                # If there are choices, we provide a completion for all possible values.
+                commands.append(prefix + " -f -a %s" % self._quote(" ".join(dest)))
+            else:
+                # Otherwise, we try to find a predefined completion for it
+                value = _fish_dest_get_complete(prog, dest)
+                if value is not None:
+                    commands.append(prefix + " " + value)
+
+            if help:
+                commands.append(prefix + " -d %s" % self._quote(help))
+
+        return "\n".join(commands) + "\n"
+
+    def subcommands(self, prog: str, subcommands: List[Tuple[ArgumentParser, str, str]]) -> str:
+        """Return the completion for subcommands.
+
+        Args:
+            prog: Program name.
+            subcommands: List of subcommand parsers.
+
+        Returns:
+            Completion command.
+        """
+        commands = []
+        head = self.complete_head(prog, 0)
+
+        for _, subcommand, help in subcommands:
+            command = head + " -f -a %s" % self._quote(subcommand)
+
+            if help is not None and len(help) > 0:
+                help = help.split("\n")[0]
+                command += " -d %s" % self._quote(help)
+
+            commands.append(command)
+
+        return "\n".join(commands) + "\n"
+
+
@formatter
-def subcommands(args, out):
+def subcommands(args: Namespace, out: IO) -> None:
+    """Hierarchical tree of subcommands.
+
+    args:
+        args: Command-line arguments.
+        out: File object to write to.
+    """
    parser = spack.main.make_argument_parser()
    spack.main.add_all_commands(parser)
    writer = SubcommandWriter(parser.prog, out, args.aliases)
    writer.write(parser)


-def rst_index(out):
+def rst_index(out: IO) -> None:
+    """Generate an index of all commands.
+
+    Args:
+        out: File object to write to.
+    """
    out.write("\n")

    index = spack.main.index_commands()
@@ -221,13 +756,19 @@ def rst_index(out):


@formatter
-def rst(args, out):
+def rst(args: Namespace, out: IO) -> None:
+    """ReStructuredText documentation of subcommands.
+
+    args:
+        args: Command-line arguments.
+        out: File object to write to.
+    """
    # create a parser with all commands
    parser = spack.main.make_argument_parser()
    spack.main.add_all_commands(parser)

    # extract cross-refs of the form `_cmd-spack-<cmd>:` from rst files
-    documented_commands = set()
+    documented_commands: Set[str] = set()
    for filename in args.rst_files:
        with open(filename) as f:
            for line in f:
@@ -245,7 +786,13 @@ def rst(args, out):


@formatter
-def names(args, out):
+def names(args: Namespace, out: IO) -> None:
+    """Simple list of top-level commands.
+
+    args:
+        args: Command-line arguments.
+        out: File object to write to.
+    """
    commands = copy.copy(spack.cmd.all_commands())

    if args.aliases:
@@ -255,7 +802,13 @@ def names(args, out):


@formatter
-def bash(args, out):
+def bash(args: Namespace, out: IO) -> None:
+    """Bash tab-completion script.
+
+    args:
+        args: Command-line arguments.
+        out: File object to write to.
+    """
    parser = spack.main.make_argument_parser()
    spack.main.add_all_commands(parser)

@@ -263,7 +816,22 @@ def bash(args, out):
    writer.write(parser)


-def prepend_header(args, out):
+@formatter
+def fish(args, out):
+    parser = spack.main.make_argument_parser()
+    spack.main.add_all_commands(parser)
+
+    writer = FishCompletionWriter(parser.prog, out, args.aliases)
+    writer.write(parser)
+
+
+def prepend_header(args: Namespace, out: IO) -> None:
+    """Prepend header text at the beginning of a file.
+
+    Args:
+        args: Command-line arguments.
+        out: File object to write to.
+    """
    if not args.header:
        return

@@ -271,10 +839,14 @@ def prepend_header(args, out):
        out.write(header.read())


-def _commands(parser, args):
+def _commands(parser: ArgumentParser, args: Namespace) -> None:
    """This is the 'regular' command, which can be called multiple times.

    See ``commands()`` below for ``--update-completion`` handling.
+
+    Args:
+        parser: Argument parser.
+        args: Command-line arguments.
    """
    formatter = formatters[args.format]

@@ -296,12 +868,15 @@ def _commands(parser, args):
        formatter(args, sys.stdout)


-def update_completion(parser, args):
+def update_completion(parser: ArgumentParser, args: Namespace) -> None:
    """Iterate through the shells and update the standard completion files.

    This is a convenience method to avoid calling this command many
    times, and to simplify completion update for developers.

+    Args:
+        parser: Argument parser.
+        args: Command-line arguments.
    """
    for shell, shell_args in update_completion_args.items():
        for attr, value in shell_args.items():
@@ -309,14 +884,20 @@ def update_completion(parser, args):
        _commands(parser, args)


-def commands(parser, args):
+def commands(parser: ArgumentParser, args: Namespace) -> None:
+    """Main function that calls formatter functions.
+
+    Args:
+        parser: Argument parser.
+        args: Command-line arguments.
+    """
    if args.update_completion:
        if args.format != "names" or any([args.aliases, args.update, args.header]):
            tty.die("--update-completion can only be specified alone.")

        # this runs the command multiple times with different arguments
-        return update_completion(parser, args)
+        update_completion(parser, args)

    else:
        # run commands normally
-        return _commands(parser, args)
+        _commands(parser, args)
--- a/lib/spack/spack/cmd/common/init.py
+++ b/lib/spack/spack/cmd/common/init.py
@@ -36,7 +36,10 @@ def shell_init_instructions(cmd, equivalent):
        "  source %s/setup-env.fish" % spack.paths.share_path,
        "",
        color.colorize("@*c{For Windows batch:}"),
-        "  source %s/spack_cmd.bat" % spack.paths.share_path,
+        "  %s\\spack_cmd.bat" % spack.paths.bin_path,
+        "",
+        color.colorize("@*c{For PowerShell:}"),
+        "  %s\\setup-env.ps1" % spack.paths.share_path,
        "",
        "Or, if you do not want to use shell support, run "
        + ("one of these" if shell_specific else "this")
@@ -50,6 +53,7 @@ def shell_init_instructions(cmd, equivalent):
            equivalent.format(sh_arg="--csh ") + "  # csh/tcsh",
            equivalent.format(sh_arg="--fish") + "  # fish",
            equivalent.format(sh_arg="--bat ") + "  # batch",
+            equivalent.format(sh_arg="--pwsh") + "  # powershell",
        ]
    else:
        msg += ["  " + equivalent]
--- a/lib/spack/spack/cmd/common/arguments.py
+++ b/lib/spack/spack/cmd/common/arguments.py
@@ -82,12 +82,12 @@ def _specs(self, **kwargs):

        # return everything for an empty query.
        if not qspecs:
-            return spack.store.db.query(**kwargs)
+            return spack.store.STORE.db.query(**kwargs)

        # Return only matching stuff otherwise.
        specs = {}
        for spec in qspecs:
-            for s in spack.store.db.query(spec, **kwargs):
+            for s in spack.store.STORE.db.query(spec, **kwargs):
                # This is fast for already-concrete specs
                specs[s.dag_hash()] = s

@@ -265,7 +265,7 @@ def recurse_dependents():
        "--dependents",
        action="store_true",
        dest="dependents",
-        help="also uninstall any packages that depend on the ones given " "via command line",
+        help="also uninstall any packages that depend on the ones given via command line",
    )


@@ -286,7 +286,7 @@ def deptype():
        "--deptype",
        action=DeptypeAction,
        default=dep.all_deptypes,
-        help="comma-separated list of deptypes to traverse\ndefault=%s"
+        help="comma-separated list of deptypes to traverse\n\ndefault=%s"
        % ",".join(dep.all_deptypes),
    )

@@ -349,14 +349,25 @@ def install_status():
        "-I",
        "--install-status",
        action="store_true",
-        default=False,
-        help="show install status of packages. packages can be: "
+        default=True,
+        help="show install status of packages\n\npackages can be: "
        "installed [+], missing and needed by an installed package [-], "
-        "installed in and upstream instance [^], "
+        "installed in an upstream instance [^], "
        "or not installed (no annotation)",
    )


+@arg
+def no_install_status():
+    return Args(
+        "--no-install-status",
+        dest="install_status",
+        action="store_false",
+        default=True,
+        help="do not show install status annotations",
+    )
+
+
@arg
 def no_checksum():
    return Args(
@@ -382,24 +393,23 @@ def add_cdash_args(subparser, add_help):
    cdash_help = {}
    if add_help:
        cdash_help["upload-url"] = "CDash URL where reports will be uploaded"
-        cdash_help[
-            "build"
-        ] = """The name of the build that will be reported to CDash.
-Defaults to spec of the package to operate on."""
-        cdash_help[
-            "site"
-        ] = """The site name that will be reported to CDash.
-Defaults to current system hostname."""
-        cdash_help[
-            "track"
-        ] = """Results will be reported to this group on CDash.
-Defaults to Experimental."""
-        cdash_help[
-            "buildstamp"
-        ] = """Instead of letting the CDash reporter prepare the
-buildstamp which, when combined with build name, site and project,
-uniquely identifies the build, provide this argument to identify
-the build yourself.  Format: %%Y%%m%%d-%%H%%M-[cdash-track]"""
+        cdash_help["build"] = (
+            "name of the build that will be reported to CDash\n\n"
+            "defaults to spec of the package to operate on"
+        )
+        cdash_help["site"] = (
+            "site name that will be reported to CDash\n\n" "defaults to current system hostname"
+        )
+        cdash_help["track"] = (
+            "results will be reported to this group on CDash\n\n" "defaults to Experimental"
+        )
+        cdash_help["buildstamp"] = (
+            "use custom buildstamp\n\n"
+            "instead of letting the CDash reporter prepare the "
+            "buildstamp which, when combined with build name, site and project, "
+            "uniquely identifies the build, provide this argument to identify "
+            "the build yourself. format: %%Y%%m%%d-%%H%%M-[cdash-track]"
+        )
    else:
        cdash_help["upload-url"] = argparse.SUPPRESS
        cdash_help["build"] = argparse.SUPPRESS
@@ -468,7 +478,7 @@ def __init__(
        # substituting '_' for ':'.
        dest = dest.replace(":", "_")

-        super(ConfigSetAction, self).__init__(
+        super().__init__(
            option_strings=option_strings,
            dest=dest,
            nargs=0,
@@ -531,16 +541,16 @@ def add_s3_connection_args(subparser, add_help):
        "--s3-access-key-id", help="ID string to use to connect to this S3 mirror"
    )
    subparser.add_argument(
-        "--s3-access-key-secret", help="Secret string to use to connect to this S3 mirror"
+        "--s3-access-key-secret", help="secret string to use to connect to this S3 mirror"
    )
    subparser.add_argument(
-        "--s3-access-token", help="Access Token to use to connect to this S3 mirror"
+        "--s3-access-token", help="access token to use to connect to this S3 mirror"
    )
    subparser.add_argument(
        "--s3-profile", help="S3 profile name to use to connect to this S3 mirror", default=None
    )
    subparser.add_argument(
-        "--s3-endpoint-url", help="Endpoint URL to use to connect to this S3 mirror"
+        "--s3-endpoint-url", help="endpoint URL to use to connect to this S3 mirror"
    )


--- a/lib/spack/spack/cmd/common/env_utility.py
+++ b/lib/spack/spack/cmd/common/env_utility.py
@@ -2,8 +2,6 @@
 # Spack Project Developers. See the top-level COPYRIGHT file for details.
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)
-from __future__ import print_function
-
 import argparse
 import os

@@ -108,7 +106,7 @@ def emulate_env_utility(cmd_name, context, args):
    visitor = AreDepsInstalledVisitor(context=context)

    # Mass install check needs read transaction.
-    with spack.store.db.read_transaction():
+    with spack.store.STORE.db.read_transaction():
        traverse.traverse_breadth_first_with_visitor([spec], traverse.CoverNodesVisitor(visitor))

    if visitor.has_uninstalled_deps:
--- a/lib/spack/spack/cmd/compiler.py
+++ b/lib/spack/spack/cmd/compiler.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import argparse
 import sys

@@ -53,7 +51,7 @@ def setup_parser(subparser):
        "--scope",
        choices=scopes,
        metavar=scopes_metavar,
-        default=spack.config.default_modify_scope("compilers"),
+        default=None,
        help="configuration scope to modify",
    )

@@ -106,19 +104,21 @@ def compiler_find(args):


 def compiler_remove(args):
-    cspec = spack.spec.CompilerSpec(args.compiler_spec)
-    compilers = spack.compilers.compilers_for_spec(cspec, scope=args.scope)
-    if not compilers:
-        tty.die("No compilers match spec %s" % cspec)
-    elif not args.all and len(compilers) > 1:
-        tty.error("Multiple compilers match spec %s. Choose one:" % cspec)
-        colify(reversed(sorted([c.spec.display_str for c in compilers])), indent=4)
+    compiler_spec = spack.spec.CompilerSpec(args.compiler_spec)
+    candidate_compilers = spack.compilers.compilers_for_spec(compiler_spec, scope=args.scope)
+
+    if not candidate_compilers:
+        tty.die("No compilers match spec %s" % compiler_spec)
+
+    if not args.all and len(candidate_compilers) > 1:
+        tty.error(f"Multiple compilers match spec {compiler_spec}. Choose one:")
+        colify(reversed(sorted([c.spec.display_str for c in candidate_compilers])), indent=4)
        tty.msg("Or, use `spack compiler remove -a` to remove all of them.")
        sys.exit(1)

-    for compiler in compilers:
-        spack.compilers.remove_compiler_from_config(compiler.spec, scope=args.scope)
-        tty.msg("Removed compiler %s" % compiler.spec.display_str)
+    for current_compiler in candidate_compilers:
+        spack.compilers.remove_compiler_from_config(current_compiler.spec, scope=args.scope)
+        tty.msg(f"{current_compiler.spec.display_str} has been removed")


 def compiler_info(args):
--- a/lib/spack/spack/cmd/concretize.py
+++ b/lib/spack/spack/cmd/concretize.py
@@ -14,18 +14,16 @@

 def setup_parser(subparser):
    subparser.add_argument(
-        "-f", "--force", action="store_true", help="Re-concretize even if already concretized."
+        "-f", "--force", action="store_true", help="re-concretize even if already concretized"
    )
    subparser.add_argument(
        "--test",
        default=None,
        choices=["root", "all"],
-        help="""Concretize with test dependencies. When 'root' is chosen, test
-dependencies are only added for the environment's root specs. When 'all' is
-chosen, test dependencies are enabled for all packages in the environment.""",
+        help="concretize with test dependencies of only root packages or all packages",
    )
    subparser.add_argument(
-        "-q", "--quiet", action="store_true", help="Don't print concretized specs"
+        "-q", "--quiet", action="store_true", help="don't print concretized specs"
    )

    spack.cmd.common.arguments.add_concretizer_args(subparser)
--- a/lib/spack/spack/cmd/config.py
+++ b/lib/spack/spack/cmd/config.py
@@ -2,8 +2,6 @@
 # Spack Project Developers. See the top-level COPYRIGHT file for details.
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)
-from __future__ import print_function
-
 import collections
 import os
 import shutil
@@ -44,7 +42,7 @@ def setup_parser(subparser):
    get_parser = sp.add_parser("get", help="print configuration values")
    get_parser.add_argument(
        "section",
-        help="configuration section to print. " "options: %(choices)s",
+        help="configuration section to print\n\noptions: %(choices)s",
        nargs="?",
        metavar="section",
        choices=spack.config.section_schemas,
@@ -55,7 +53,7 @@ def setup_parser(subparser):
    )
    blame_parser.add_argument(
        "section",
-        help="configuration section to print. " "options: %(choices)s",
+        help="configuration section to print\n\noptions: %(choices)s",
        metavar="section",
        choices=spack.config.section_schemas,
    )
@@ -63,7 +61,7 @@ def setup_parser(subparser):
    edit_parser = sp.add_parser("edit", help="edit configuration file")
    edit_parser.add_argument(
        "section",
-        help="configuration section to edit. " "options: %(choices)s",
+        help="configuration section to edit\n\noptions: %(choices)s",
        metavar="section",
        nargs="?",
        choices=spack.config.section_schemas,
@@ -78,7 +76,7 @@ def setup_parser(subparser):
    add_parser.add_argument(
        "path",
        nargs="?",
-        help="colon-separated path to config that should be added," " e.g. 'config:default:true'",
+        help="colon-separated path to config that should be added, e.g. 'config:default:true'",
    )
    add_parser.add_argument("-f", "--file", help="file from which to set all config values")

@@ -90,7 +88,7 @@ def setup_parser(subparser):
        "--local",
        action="store_true",
        default=False,
-        help="Set packages preferences based on local installs, rather " "than upstream.",
+        help="set packages preferences based on local installs, rather than upstream",
    )

    remove_parser = sp.add_parser("remove", aliases=["rm"], help="remove configuration parameters")
@@ -159,7 +157,7 @@ def config_get(args):
            tty.die("environment has no %s file" % ev.manifest_name)

    else:
-        tty.die("`spack config get` requires a section argument " "or an active environment.")
+        tty.die("`spack config get` requires a section argument or an active environment.")


 def config_blame(args):
@@ -182,7 +180,7 @@ def config_edit(args):
        # If we aren't editing a spack.yaml file, get config path from scope.
        scope, section = _get_scope_and_section(args)
        if not scope and not section:
-            tty.die("`spack config edit` requires a section argument " "or an active environment.")
+            tty.die("`spack config edit` requires a section argument or an active environment.")
        config_file = spack.config.config.get_config_filename(scope, section)

    if args.print_file:
@@ -376,7 +374,7 @@ def config_revert(args):

    proceed = True
    if not args.yes_to_all:
-        msg = "The following scopes will be restored from the corresponding" " backup files:\n"
+        msg = "The following scopes will be restored from the corresponding backup files:\n"
        for entry in to_be_restored:
            msg += "\t[scope={0.scope}, bkp={0.bkp}]\n".format(entry)
        msg += "This operation cannot be undone."
@@ -401,8 +399,8 @@ def config_prefer_upstream(args):
    if scope is None:
        scope = spack.config.default_modify_scope("packages")

-    all_specs = set(spack.store.db.query(installed=True))
-    local_specs = set(spack.store.db.query_local(installed=True))
+    all_specs = set(spack.store.STORE.db.query(installed=True))
+    local_specs = set(spack.store.STORE.db.query_local(installed=True))
    pref_specs = local_specs if args.local else all_specs - local_specs

    conflicting_variants = set()
--- a/lib/spack/spack/cmd/containerize.py
+++ b/lib/spack/spack/cmd/containerize.py
@@ -10,7 +10,7 @@
 import spack.container
 import spack.container.images

-description = "creates recipes to build images for different" " container runtimes"
+description = "creates recipes to build images for different container runtimes"
 section = "container"
 level = "long"

--- a/lib/spack/spack/cmd/create.py
+++ b/lib/spack/spack/cmd/create.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import os
 import re
 import urllib.parse
@@ -71,7 +69,7 @@ class {class_name}({base_class_name}):
 '''


-class BundlePackageTemplate(object):
+class BundlePackageTemplate:
    """
    Provides the default values to be used for a bundle package file template.
    """
@@ -122,7 +120,7 @@ def install(self, spec, prefix):
    url_line = '    url = "{url}"'

    def __init__(self, name, url, versions):
-        super(PackageTemplate, self).__init__(name, versions)
+        super().__init__(name, versions)

        self.url_def = self.url_line.format(url=url)

@@ -200,7 +198,7 @@ def __init__(self, name, url, *args, **kwargs):
            # Make it more obvious that we are renaming the package
            tty.msg("Changing package name from {0} to lua-{0}".format(name))
            name = "lua-{0}".format(name)
-        super(LuaPackageTemplate, self).__init__(name, url, *args, **kwargs)
+        super().__init__(name, url, *args, **kwargs)


 class MesonPackageTemplate(PackageTemplate):
@@ -308,7 +306,7 @@ def __init__(self, name, url, *args, **kwargs):
            tty.msg("Changing package name from {0} to rkt-{0}".format(name))
            name = "rkt-{0}".format(name)
        self.body_def = self.body_def.format(name[4:])
-        super(RacketPackageTemplate, self).__init__(name, url, *args, **kwargs)
+        super().__init__(name, url, *args, **kwargs)


 class PythonPackageTemplate(PackageTemplate):
@@ -327,6 +325,7 @@ class PythonPackageTemplate(PackageTemplate):
    # FIXME: Add a build backend, usually defined in pyproject.toml. If no such file
    # exists, use setuptools.
    # depends_on("py-setuptools", type="build")
+    # depends_on("py-hatchling", type="build")
    # depends_on("py-flit-core", type="build")
    # depends_on("py-poetry-core", type="build")

@@ -334,17 +333,11 @@ class PythonPackageTemplate(PackageTemplate):
    # depends_on("py-foo", type=("build", "run"))"""

    body_def = """\
-    def global_options(self, spec, prefix):
-        # FIXME: Add options to pass to setup.py
+    def config_settings(self, spec, prefix):
+        # FIXME: Add configuration settings to be passed to the build backend
        # FIXME: If not needed, delete this function
-        options = []
-        return options
-
-    def install_options(self, spec, prefix):
-        # FIXME: Add options to pass to setup.py install
-        # FIXME: If not needed, delete this function
-        options = []
-        return options"""
+        settings = {}
+        return settings"""

    def __init__(self, name, url, *args, **kwargs):
        # If the user provided `--name py-numpy`, don't rename it py-py-numpy
@@ -400,7 +393,7 @@ def __init__(self, name, url, *args, **kwargs):
                + self.url_line
            )

-        super(PythonPackageTemplate, self).__init__(name, url, *args, **kwargs)
+        super().__init__(name, url, *args, **kwargs)


 class RPackageTemplate(PackageTemplate):
@@ -439,7 +432,7 @@ def __init__(self, name, url, *args, **kwargs):
        if bioc:
            self.url_line = '    url = "{0}"\n' '    bioc = "{1}"'.format(url, r_name)

-        super(RPackageTemplate, self).__init__(name, url, *args, **kwargs)
+        super().__init__(name, url, *args, **kwargs)


 class PerlmakePackageTemplate(PackageTemplate):
@@ -466,7 +459,7 @@ def __init__(self, name, *args, **kwargs):
            tty.msg("Changing package name from {0} to perl-{0}".format(name))
            name = "perl-{0}".format(name)

-        super(PerlmakePackageTemplate, self).__init__(name, *args, **kwargs)
+        super().__init__(name, *args, **kwargs)


 class PerlbuildPackageTemplate(PerlmakePackageTemplate):
@@ -499,7 +492,7 @@ def __init__(self, name, *args, **kwargs):
            tty.msg("Changing package name from {0} to octave-{0}".format(name))
            name = "octave-{0}".format(name)

-        super(OctavePackageTemplate, self).__init__(name, *args, **kwargs)
+        super().__init__(name, *args, **kwargs)


 class RubyPackageTemplate(PackageTemplate):
@@ -527,7 +520,7 @@ def __init__(self, name, *args, **kwargs):
            tty.msg("Changing package name from {0} to ruby-{0}".format(name))
            name = "ruby-{0}".format(name)

-        super(RubyPackageTemplate, self).__init__(name, *args, **kwargs)
+        super().__init__(name, *args, **kwargs)


 class MakefilePackageTemplate(PackageTemplate):
@@ -572,7 +565,7 @@ def __init__(self, name, *args, **kwargs):
            tty.msg("Changing package name from {0} to py-{0}".format(name))
            name = "py-{0}".format(name)

-        super(SIPPackageTemplate, self).__init__(name, *args, **kwargs)
+        super().__init__(name, *args, **kwargs)


 templates = {
@@ -614,7 +607,7 @@ def setup_parser(subparser):
        "--template",
        metavar="TEMPLATE",
        choices=sorted(templates.keys()),
-        help="build system template to use. options: %(choices)s",
+        help="build system template to use\n\noptions: %(choices)s",
    )
    subparser.add_argument(
        "-r", "--repo", help="path to a repository where the package should be created"
@@ -622,7 +615,7 @@ def setup_parser(subparser):
    subparser.add_argument(
        "-N",
        "--namespace",
-        help="specify a namespace for the package. must be the namespace of "
+        help="specify a namespace for the package\n\nmust be the namespace of "
        "a repository registered with Spack",
    )
    subparser.add_argument(
@@ -715,7 +708,7 @@ def __call__(self, stage, url):
                output = tar("--exclude=*/*/*", "-tf", stage.archive_file, output=str)
            except ProcessError:
                output = ""
-        lines = output.split("\n")
+        lines = output.splitlines()

        # Determine the build system based on the files contained
        # in the archive.
@@ -880,7 +873,7 @@ def get_build_system(template, url, guesser):
        # Use whatever build system the guesser detected
        selected_template = guesser.build_system
        if selected_template == "generic":
-            tty.warn("Unable to detect a build system. " "Using a generic package template.")
+            tty.warn("Unable to detect a build system. Using a generic package template.")
        else:
            msg = "This package looks like it uses the {0} build system"
            tty.msg(msg.format(selected_template))
--- a/lib/spack/spack/cmd/debug.py
+++ b/lib/spack/spack/cmd/debug.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import os
 import platform
 import re
@@ -62,16 +60,16 @@ def create_db_tarball(args):
    tarball_name = "spack-db.%s.tar.gz" % _debug_tarball_suffix()
    tarball_path = os.path.abspath(tarball_name)

-    base = os.path.basename(str(spack.store.root))
+    base = os.path.basename(str(spack.store.STORE.root))
    transform_args = []
    if "GNU" in tar("--version", output=str):
        transform_args = ["--transform", "s/^%s/%s/" % (base, tarball_name)]
    else:
        transform_args = ["-s", "/^%s/%s/" % (base, tarball_name)]

-    wd = os.path.dirname(str(spack.store.root))
+    wd = os.path.dirname(str(spack.store.STORE.root))
    with working_dir(wd):
-        files = [spack.store.db._index_path]
+        files = [spack.store.STORE.db._index_path]
        files += glob("%s/*/*/*/.spack/spec.json" % base)
        files += glob("%s/*/*/*/.spack/spec.yaml" % base)
        files = [os.path.relpath(f) for f in files]
--- a/lib/spack/spack/cmd/dependencies.py
+++ b/lib/spack/spack/cmd/dependencies.py
@@ -26,8 +26,8 @@ def setup_parser(subparser):
        "--installed",
        action="store_true",
        default=False,
-        help="List installed dependencies of an installed spec, "
-        "instead of possible dependencies of a package.",
+        help="list installed dependencies of an installed spec "
+        "instead of possible dependencies of a package",
    )
    subparser.add_argument(
        "-t",
@@ -60,7 +60,7 @@ def dependencies(parser, args):
        format_string = "{name}{@version}{%compiler}{/hash:7}"
        if sys.stdout.isatty():
            tty.msg("Dependencies of %s" % spec.format(format_string, color=True))
-        deps = spack.store.db.installed_relatives(
+        deps = spack.store.STORE.db.installed_relatives(
            spec, "children", args.transitive, deptype=args.deptype
        )
        if deps:
--- a/lib/spack/spack/cmd/dependents.py
+++ b/lib/spack/spack/cmd/dependents.py
@@ -25,15 +25,15 @@ def setup_parser(subparser):
        "--installed",
        action="store_true",
        default=False,
-        help="List installed dependents of an installed spec, "
-        "instead of possible dependents of a package.",
+        help="list installed dependents of an installed spec "
+        "instead of possible dependents of a package",
    )
    subparser.add_argument(
        "-t",
        "--transitive",
        action="store_true",
        default=False,
-        help="Show all transitive dependents.",
+        help="show all transitive dependents",
    )
    arguments.add_common_arguments(subparser, ["spec"])

@@ -96,7 +96,7 @@ def dependents(parser, args):
        format_string = "{name}{@version}{%compiler}{/hash:7}"
        if sys.stdout.isatty():
            tty.msg("Dependents of %s" % spec.cformat(format_string))
-        deps = spack.store.db.installed_relatives(spec, "parents", args.transitive)
+        deps = spack.store.STORE.db.installed_relatives(spec, "parents", args.transitive)
        if deps:
            spack.cmd.display_specs(deps, long=True)
        else:
--- a/lib/spack/spack/cmd/deprecate.py
+++ b/lib/spack/spack/cmd/deprecate.py
@@ -13,8 +13,6 @@
 It is up to the user to ensure binary compatibility between the deprecated
 installation and its deprecator.
 """
-from __future__ import print_function
-
 import argparse
 import os

@@ -28,7 +26,7 @@
 from spack.database import InstallStatuses
 from spack.error import SpackError

-description = "Replace one package with another via symlinks"
+description = "replace one package with another via symlinks"
 section = "admin"
 level = "long"

@@ -48,7 +46,7 @@ def setup_parser(sp):
        action="store_true",
        default=True,
        dest="dependencies",
-        help="Deprecate dependencies (default)",
+        help="deprecate dependencies (default)",
    )
    deps.add_argument(
        "-D",
@@ -56,7 +54,7 @@ def setup_parser(sp):
        action="store_false",
        default=True,
        dest="dependencies",
-        help="Do not deprecate dependencies",
+        help="do not deprecate dependencies",
    )

    install = sp.add_mutually_exclusive_group()
@@ -66,7 +64,7 @@ def setup_parser(sp):
        action="store_true",
        default=False,
        dest="install",
-        help="Concretize and install deprecator spec",
+        help="concretize and install deprecator spec",
    )
    install.add_argument(
        "-I",
@@ -74,7 +72,7 @@ def setup_parser(sp):
        action="store_false",
        default=False,
        dest="install",
-        help="Deprecator spec must already be installed (default)",
+        help="deprecator spec must already be installed (default)",
    )

    sp.add_argument(
@@ -83,7 +81,7 @@ def setup_parser(sp):
        type=str,
        default="soft",
        choices=["soft", "hard"],
-        help="Type of filesystem link to use for deprecation (default soft)",
+        help="type of filesystem link to use for deprecation (default soft)",
    )

    sp.add_argument(
@@ -132,7 +130,7 @@ def deprecate(parser, args):
        already_deprecated = []
        already_deprecated_for = []
        for spec in all_deprecate:
-            deprecated_for = spack.store.db.deprecator(spec)
+            deprecated_for = spack.store.STORE.db.deprecator(spec)
            if deprecated_for:
                already_deprecated.append(spec)
                already_deprecated_for.append(deprecated_for)
--- a/lib/spack/spack/cmd/dev_build.py
+++ b/lib/spack/spack/cmd/dev_build.py
@@ -25,14 +25,14 @@ def setup_parser(subparser):
        "--source-path",
        dest="source_path",
        default=None,
-        help="path to source directory. defaults to the current directory",
+        help="path to source directory (defaults to the current directory)",
    )
    subparser.add_argument(
        "-i",
        "--ignore-dependencies",
        action="store_true",
        dest="ignore_deps",
-        help="don't try to install dependencies of requested packages",
+        help="do not try to install dependencies of requested packages",
    )
    arguments.add_common_arguments(subparser, ["no_checksum", "deprecated"])
    subparser.add_argument(
@@ -55,16 +55,13 @@ def setup_parser(subparser):
        type=str,
        dest="shell",
        default=None,
-        help="drop into a build environment in a new shell, e.g. bash, zsh",
+        help="drop into a build environment in a new shell, e.g., bash",
    )
    subparser.add_argument(
        "--test",
        default=None,
        choices=["root", "all"],
-        help="""If 'root' is chosen, run package tests during
-installation for top-level packages (but skip tests for dependencies).
-if 'all' is chosen, run package tests during installation for all
-packages. If neither are chosen, don't run tests for any packages.""",
+        help="run tests on only root packages or all packages",
    )
    arguments.add_common_arguments(subparser, ["spec"])

--- a/lib/spack/spack/cmd/develop.py
+++ b/lib/spack/spack/cmd/develop.py
@@ -20,7 +20,7 @@


 def setup_parser(subparser):
-    subparser.add_argument("-p", "--path", help="Source location of package")
+    subparser.add_argument("-p", "--path", help="source location of package")

    clone_group = subparser.add_mutually_exclusive_group()
    clone_group.add_argument(
@@ -28,18 +28,18 @@ def setup_parser(subparser):
        action="store_false",
        dest="clone",
        default=None,
-        help="Do not clone. The package already exists at the source path",
+        help="do not clone, the package already exists at the source path",
    )
    clone_group.add_argument(
        "--clone",
        action="store_true",
        dest="clone",
        default=None,
-        help="Clone the package even if the path already exists",
+        help="clone the package even if the path already exists",
    )

    subparser.add_argument(
-        "-f", "--force", help="Remove any files or directories that block cloning source code"
+        "-f", "--force", help="remove any files or directories that block cloning source code"
    )

    arguments.add_common_arguments(subparser, ["spec"])
@@ -66,8 +66,7 @@ def develop(parser, args):
            # Both old syntax `spack develop pkg@x` and new syntax `spack develop pkg@=x`
            # are currently supported.
            spec = spack.spec.parse_with_version_concrete(entry["spec"])
-            pkg_cls = spack.repo.path.get_pkg_class(spec.name)
-            pkg_cls(spec).stage.steal_source(abspath)
+            env.develop(spec=spec, path=path, clone=True)

        if not env.dev_specs:
            tty.warn("No develop specs to download")
--- a/lib/spack/spack/cmd/diff.py
+++ b/lib/spack/spack/cmd/diff.py
@@ -29,7 +29,7 @@ def setup_parser(subparser):
        action="store_true",
        default=False,
        dest="dump_json",
-        help="Dump json output instead of pretty printing.",
+        help="dump json output instead of pretty printing",
    )
    subparser.add_argument(
        "--first",
--- a/lib/spack/spack/cmd/edit.py
+++ b/lib/spack/spack/cmd/edit.py
@@ -62,7 +62,7 @@ def setup_parser(subparser):
        dest="path",
        action="store_const",
        const=spack.paths.build_systems_path,
-        help="Edit the build system with the supplied name.",
+        help="edit the build system with the supplied name",
    )
    excl_args.add_argument(
        "-c",
--- a/lib/spack/spack/cmd/env.py
+++ b/lib/spack/spack/cmd/env.py
@@ -86,6 +86,13 @@ def env_activate_setup_parser(subparser):
        const="bat",
        help="print bat commands to activate the environment",
    )
+    shells.add_argument(
+        "--pwsh",
+        action="store_const",
+        dest="shell",
+        const="pwsh",
+        help="print powershell commands to activate environment",
+    )

    view_options = subparser.add_mutually_exclusive_group()
    view_options.add_argument(
@@ -95,7 +102,7 @@ def env_activate_setup_parser(subparser):
        dest="with_view",
        const=True,
        default=True,
-        help="update PATH etc. with associated view",
+        help="update PATH, etc., with associated view",
    )
    view_options.add_argument(
        "-V",
@@ -104,7 +111,7 @@ def env_activate_setup_parser(subparser):
        dest="with_view",
        const=False,
        default=True,
-        help="do not update PATH etc. with associated view",
+        help="do not update PATH, etc., with associated view",
    )

    subparser.add_argument(
@@ -154,7 +161,7 @@ def env_activate(args):

    # Error out when -e, -E, -D flags are given, cause they are ambiguous.
    if args.env or args.no_env or args.env_dir:
-        tty.die("Calling spack env activate with --env, --env-dir and --no-env " "is ambiguous")
+        tty.die("Calling spack env activate with --env, --env-dir and --no-env is ambiguous")

    env_name_or_dir = args.activate_env or args.dir

@@ -243,7 +250,7 @@ def env_deactivate(args):

    # Error out when -e, -E, -D flags are given, cause they are ambiguous.
    if args.env or args.no_env or args.env_dir:
-        tty.die("Calling spack env deactivate with --env, --env-dir and --no-env " "is ambiguous")
+        tty.die("Calling spack env deactivate with --env, --env-dir and --no-env is ambiguous")

    if ev.active_environment() is None:
        tty.die("No environment is currently active.")
@@ -283,7 +290,7 @@ def env_create_setup_parser(subparser):
        "envfile",
        nargs="?",
        default=None,
-        help="either a lockfile (must end with '.json' or '.lock') or a manifest file.",
+        help="either a lockfile (must end with '.json' or '.lock') or a manifest file",
    )


@@ -411,7 +418,7 @@ def env_list(args):
    colify(color_names, indent=4)


-class ViewAction(object):
+class ViewAction:
    regenerate = "regenerate"
    enable = "enable"
    disable = "disable"
@@ -601,16 +608,16 @@ def env_depfile_setup_parser(subparser):
        "--make-target-prefix",
        default=None,
        metavar="TARGET",
-        help="prefix Makefile targets (and variables) with <TARGET>/<name>. By default "
+        help="prefix Makefile targets (and variables) with <TARGET>/<name>\n\nby default "
        "the absolute path to the directory makedeps under the environment metadata dir is "
-        "used. Can be set to an empty string --make-prefix ''.",
+        "used. can be set to an empty string --make-prefix ''",
    )
    subparser.add_argument(
        "--make-disable-jobserver",
        default=True,
        action="store_false",
        dest="jobserver",
-        help="disable POSIX jobserver support.",
+        help="disable POSIX jobserver support",
    )
    subparser.add_argument(
        "--use-buildcache",
@@ -618,8 +625,8 @@ def env_depfile_setup_parser(subparser):
        type=arguments.use_buildcache,
        default="package:auto,dependencies:auto",
        metavar="[{auto,only,never},][package:{auto,only,never},][dependencies:{auto,only,never}]",
-        help="When using `only`, redundant build dependencies are pruned from the DAG. "
-        "This flag is passed on to the generated spack install commands.",
+        help="when using `only`, redundant build dependencies are pruned from the DAG\n\n"
+        "this flag is passed on to the generated spack install commands",
    )
    subparser.add_argument(
        "-o",
@@ -633,7 +640,7 @@ def env_depfile_setup_parser(subparser):
        "--generator",
        default="make",
        choices=("make",),
-        help="specify the depfile type. Currently only make is supported.",
+        help="specify the depfile type\n\ncurrently only make is supported",
    )
    subparser.add_argument(
        metavar="specs",
--- a/lib/spack/spack/cmd/extensions.py
+++ b/lib/spack/spack/cmd/extensions.py
@@ -22,7 +22,7 @@

 def setup_parser(subparser):
    subparser.epilog = (
-        "If called without argument returns " "the list of all valid extendable packages"
+        "If called without argument returns the list of all valid extendable packages"
    )
    arguments.add_common_arguments(subparser, ["long", "very_long"])
    subparser.add_argument(
@@ -91,7 +91,7 @@ def extensions(parser, args):

    if args.show in ("installed", "all"):
        # List specs of installed extensions.
-        installed = [s.spec for s in spack.store.db.installed_extensions_for(spec)]
+        installed = [s.spec for s in spack.store.STORE.db.installed_extensions_for(spec)]

        if args.show == "all":
            print
--- a/lib/spack/spack/cmd/external.py
+++ b/lib/spack/spack/cmd/external.py
@@ -2,8 +2,6 @@
 # Spack Project Developers. See the top-level COPYRIGHT file for details.
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)
-from __future__ import print_function
-
 import argparse
 import errno
 import os
@@ -44,7 +42,7 @@ def setup_parser(subparser):
        "--path",
        default=None,
        action="append",
-        help="Alternative search paths for finding externals. May be repeated",
+        help="one or more alternative search paths for finding externals",
    )
    find_parser.add_argument(
        "--scope",
@@ -68,10 +66,8 @@ def setup_parser(subparser):

    read_cray_manifest = sp.add_parser(
        "read-cray-manifest",
-        help=(
-            "consume a Spack-compatible description of externally-installed "
-            "packages, including dependency relationships"
-        ),
+        help="consume a Spack-compatible description of externally-installed packages, including "
+        "dependency relationships",
    )
    read_cray_manifest.add_argument(
        "--file", default=None, help="specify a location other than the default"
@@ -94,7 +90,7 @@ def setup_parser(subparser):
    read_cray_manifest.add_argument(
        "--fail-on-error",
        action="store_true",
-        help=("if a manifest file cannot be parsed, fail and report the " "full stack trace"),
+        help="if a manifest file cannot be parsed, fail and report the full stack trace",
    )


@@ -113,14 +109,14 @@ def external_find(args):
            # For most exceptions, just print a warning and continue.
            # Note that KeyboardInterrupt does not subclass Exception
            # (so CTRL-C will terminate the program as expected).
-            skip_msg = "Skipping manifest and continuing with other external " "checks"
+            skip_msg = "Skipping manifest and continuing with other external checks"
            if (isinstance(e, IOError) or isinstance(e, OSError)) and e.errno in [
                errno.EPERM,
                errno.EACCES,
            ]:
                # The manifest file does not have sufficient permissions enabled:
                # print a warning and keep going
-                tty.warn("Unable to read manifest due to insufficient " "permissions.", skip_msg)
+                tty.warn("Unable to read manifest due to insufficient permissions.", skip_msg)
            else:
                tty.warn("Unable to read manifest, unexpected error: {0}".format(str(e)), skip_msg)

@@ -170,7 +166,7 @@ def external_find(args):
    )
    if new_entries:
        path = spack.config.config.get_config_filename(args.scope, "packages")
-        msg = "The following specs have been detected on this system " "and added to {0}"
+        msg = "The following specs have been detected on this system and added to {0}"
        tty.msg(msg.format(path))
        spack.cmd.display_specs(new_entries)
    else:
@@ -238,7 +234,7 @@ def _collect_and_consume_cray_manifest_files(
            if fail_on_error:
                raise
            else:
-                tty.warn("Failure reading manifest file: {0}" "\n\t{1}".format(path, str(e)))
+                tty.warn("Failure reading manifest file: {0}\n\t{1}".format(path, str(e)))


 def external_list(args):
--- a/lib/spack/spack/cmd/fetch.py
+++ b/lib/spack/spack/cmd/fetch.py
@@ -10,6 +10,7 @@
 import spack.config
 import spack.environment as ev
 import spack.repo
+import spack.traverse

 description = "fetch archives for packages"
 section = "build"
@@ -36,6 +37,12 @@ def setup_parser(subparser):


 def fetch(parser, args):
+    if args.no_checksum:
+        spack.config.set("config:checksum", False, scope="command_line")
+
+    if args.deprecated:
+        spack.config.set("config:deprecated", True, scope="command_line")
+
    if args.specs:
        specs = spack.cmd.parse_specs(args.specs, concretize=True)
    else:
@@ -51,24 +58,21 @@ def fetch(parser, args):
            else:
                specs = env.all_specs()
            if specs == []:
-                tty.die(
-                    "No uninstalled specs in environment. Did you " "run `spack concretize` yet?"
-                )
+                tty.die("No uninstalled specs in environment. Did you run `spack concretize` yet?")
        else:
            tty.die("fetch requires at least one spec argument")

-    if args.no_checksum:
-        spack.config.set("config:checksum", False, scope="command_line")
+    if args.dependencies or args.missing:
+        to_be_fetched = spack.traverse.traverse_nodes(specs, key=spack.traverse.by_dag_hash)
+    else:
+        to_be_fetched = specs

-    if args.deprecated:
-        spack.config.set("config:deprecated", True, scope="command_line")
+    for spec in to_be_fetched:
+        if args.missing and spec.installed:
+            continue

-    for spec in specs:
-        if args.missing or args.dependencies:
-            for s in spec.traverse(root=False):
-                # Skip already-installed packages with --missing
-                if args.missing and s.installed:
-                    continue
+        pkg = spec.package

-                s.package.do_fetch()
-        spec.package.do_fetch()
+        pkg.stage.keep = True
+        with pkg.stage:
+            pkg.do_fetch()
--- a/lib/spack/spack/cmd/find.py
+++ b/lib/spack/spack/cmd/find.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import copy
 import sys

@@ -32,6 +30,14 @@ def setup_parser(subparser):
        default=None,
        help="output specs with the specified format string",
    )
+    format_group.add_argument(
+        "-H",
+        "--hashes",
+        action="store_const",
+        dest="format",
+        const="{/hash}",
+        help="same as '--format {/hash}'; use with xargs or $()",
+    )
    format_group.add_argument(
        "--json",
        action="store_true",
--- a/lib/spack/spack/cmd/gc.py
+++ b/lib/spack/spack/cmd/gc.py
@@ -20,7 +20,7 @@ def setup_parser(subparser):


 def gc(parser, args):
-    specs = spack.store.db.unused_specs
+    specs = spack.store.STORE.db.unused_specs

    # Restrict garbage collection to the active environment
    # speculating over roots that are yet to be installed
--- a/lib/spack/spack/cmd/gpg.py
+++ b/lib/spack/spack/cmd/gpg.py
@@ -68,7 +68,7 @@ def setup_parser(subparser):
        metavar="DEST",
        type=str,
        dest="secret",
-        help="export the private key to a file.",
+        help="export the private key to a file",
    )
    create.set_defaults(func=gpg_create)

@@ -86,7 +86,7 @@ def setup_parser(subparser):
    export = subparsers.add_parser("export", help=gpg_export.__doc__)
    export.add_argument("location", type=str, help="where to export keys")
    export.add_argument(
-        "keys", nargs="*", help="the keys to export; " "all public keys if unspecified"
+        "keys", nargs="*", help="the keys to export (all public keys if unspecified)"
    )
    export.add_argument("--secret", action="store_true", help="export secret keys")
    export.set_defaults(func=gpg_export)
@@ -99,29 +99,29 @@ def setup_parser(subparser):
        "--directory",
        metavar="directory",
        type=str,
-        help="local directory where keys will be published.",
+        help="local directory where keys will be published",
    )
    output.add_argument(
        "-m",
        "--mirror-name",
        metavar="mirror-name",
        type=str,
-        help="name of the mirror where " + "keys will be published.",
+        help="name of the mirror where keys will be published",
    )
    output.add_argument(
        "--mirror-url",
        metavar="mirror-url",
        type=str,
-        help="URL of the mirror where " + "keys will be published.",
+        help="URL of the mirror where keys will be published",
    )
    publish.add_argument(
        "--rebuild-index",
        action="store_true",
        default=False,
-        help=("Regenerate buildcache key index " "after publishing key(s)"),
+        help="regenerate buildcache key index after publishing key(s)",
    )
    publish.add_argument(
-        "keys", nargs="*", help="the keys to publish; " "all public keys if unspecified"
+        "keys", nargs="*", help="keys to publish (all public keys if unspecified)"
    )
    publish.set_defaults(func=gpg_publish)

@@ -146,7 +146,7 @@ def gpg_create(args):


 def gpg_export(args):
-    """export a gpg key, optionally including secret key."""
+    """export a gpg key, optionally including secret key"""
    keys = args.keys
    if not keys:
        keys = spack.util.gpg.signing_keys()
@@ -168,7 +168,7 @@ def gpg_sign(args):
        elif not keys:
            raise RuntimeError("no signing keys are available")
        else:
-            raise RuntimeError("multiple signing keys are available; " "please choose one")
+            raise RuntimeError("multiple signing keys are available; please choose one")
    output = args.output
    if not output:
        output = args.spec[0] + ".asc"
@@ -216,7 +216,7 @@ def gpg_publish(args):
        url = spack.util.url.path_to_file_url(args.directory)
        mirror = spack.mirror.Mirror(url, url)
    elif args.mirror_name:
-        mirror = spack.mirror.MirrorCollection().lookup(args.mirror_name)
+        mirror = spack.mirror.MirrorCollection(binary=True).lookup(args.mirror_name)
    elif args.mirror_url:
        mirror = spack.mirror.Mirror(args.mirror_url, args.mirror_url)

--- a/lib/spack/spack/cmd/graph.py
+++ b/lib/spack/spack/cmd/graph.py
@@ -63,7 +63,7 @@ def graph(parser, args):
        if env:
            specs = env.all_specs()
        else:
-            specs = spack.store.db.query()
+            specs = spack.store.STORE.db.query()

    else:
        specs = spack.cmd.parse_specs(args.specs, concretize=not args.static)
--- a/lib/spack/spack/cmd/info.py
+++ b/lib/spack/spack/cmd/info.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import textwrap
 from itertools import zip_longest

@@ -73,7 +71,7 @@ def variant(s):
    return spack.spec.enabled_variant_color + s + plain_format


-class VariantFormatter(object):
+class VariantFormatter:
    def __init__(self, variants):
        self.variants = variants
        self.headers = ("Name [Default]", "When", "Allowed values", "Description")
--- a/lib/spack/spack/cmd/install.py
+++ b/lib/spack/spack/cmd/install.py
@@ -75,10 +75,9 @@ def setup_parser(subparser):
        default="package,dependencies",
        dest="things_to_install",
        choices=["package", "dependencies"],
-        help="""select the mode of installation.
-the default is to install the package along with all its dependencies.
-alternatively one can decide to install only the package or only
-the dependencies""",
+        help="select the mode of installation\n\n"
+        "default is to install the package along with all its dependencies. "
+        "alternatively, one can decide to install only the package or only the dependencies",
    )
    subparser.add_argument(
        "-u",
@@ -143,12 +142,11 @@ def setup_parser(subparser):
        type=arguments.use_buildcache,
        default="package:auto,dependencies:auto",
        metavar="[{auto,only,never},][package:{auto,only,never},][dependencies:{auto,only,never}]",
-        help="""select the mode of buildcache for the 'package' and 'dependencies'.
-Default: package:auto,dependencies:auto
- `auto` behaves like --use-cache
- `only` behaves like --cache-only
- `never` behaves like --no-cache
-""",
+        help="select the mode of buildcache for the 'package' and 'dependencies'\n\n"
+        "default: package:auto,dependencies:auto\n\n"
+        "- `auto` behaves like --use-cache\n"
+        "- `only` behaves like --cache-only\n"
+        "- `never` behaves like --no-cache",
    )

    subparser.add_argument(
@@ -156,8 +154,8 @@ def setup_parser(subparser):
        action="store_true",
        dest="include_build_deps",
        default=False,
-        help="""include build deps when installing from cache,
-which is useful for CI pipeline troubleshooting""",
+        help="include build deps when installing from cache, "
+        "useful for CI pipeline troubleshooting",
    )

    subparser.add_argument(
@@ -186,7 +184,7 @@ def setup_parser(subparser):
        dest="install_verbose",
        help="display verbose build output while installing",
    )
-    subparser.add_argument("--fake", action="store_true", help="fake install for debug purposes.")
+    subparser.add_argument("--fake", action="store_true", help="fake install for debug purposes")
    subparser.add_argument(
        "--only-concrete",
        action="store_true",
@@ -199,14 +197,13 @@ def setup_parser(subparser):
        "--add",
        action="store_true",
        default=False,
-        help="""(with environment) add spec to the environment as a root.""",
+        help="(with environment) add spec to the environment as a root",
    )
    updateenv_group.add_argument(
        "--no-add",
        action="store_false",
        dest="add",
-        help="""(with environment) do not add spec to the environment as a
-root (the default behavior).""",
+        help="(with environment) do not add spec to the environment as a root",
    )

    subparser.add_argument(
@@ -216,7 +213,7 @@ def setup_parser(subparser):
        default=[],
        dest="specfiles",
        metavar="SPEC_YAML_FILE",
-        help="install from file. Read specs to install from .yaml files",
+        help="read specs to install from .yaml files",
    )

    cd_group = subparser.add_mutually_exclusive_group()
@@ -227,19 +224,12 @@ def setup_parser(subparser):
        "--test",
        default=None,
        choices=["root", "all"],
-        help="""If 'root' is chosen, run package tests during
-installation for top-level packages (but skip tests for dependencies).
-if 'all' is chosen, run package tests during installation for all
-packages. If neither are chosen, don't run tests for any packages.""",
+        help="run tests on only root packages or all packages",
    )
    arguments.add_common_arguments(subparser, ["log_format"])
+    subparser.add_argument("--log-file", default=None, help="filename for the log file")
    subparser.add_argument(
-        "--log-file",
-        default=None,
-        help="filename for the log file. if not passed a default will be used",
-    )
-    subparser.add_argument(
-        "--help-cdash", action="store_true", help="Show usage instructions for CDash reporting"
+        "--help-cdash", action="store_true", help="show usage instructions for CDash reporting"
    )
    arguments.add_cdash_args(subparser, False)
    arguments.add_common_arguments(subparser, ["yes_to_all", "spec"])
@@ -276,11 +266,11 @@ def require_user_confirmation_for_overwrite(concrete_specs, args):
    if args.yes_to_all:
        return

-    installed = list(filter(lambda x: x, map(spack.store.db.query_one, concrete_specs)))
+    installed = list(filter(lambda x: x, map(spack.store.STORE.db.query_one, concrete_specs)))
    display_args = {"long": True, "show_flags": True, "variants": True}

    if installed:
-        tty.msg("The following package specs will be " "reinstalled:\n")
+        tty.msg("The following package specs will be reinstalled:\n")
        spack.cmd.display_specs(installed, **display_args)

    not_installed = list(filter(lambda x: x not in installed, concrete_specs))
--- a/lib/spack/spack/cmd/license.py
+++ b/lib/spack/spack/cmd/license.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import os
 import re
 from collections import defaultdict
@@ -102,7 +100,7 @@ def list_files(args):
 ]


-class LicenseError(object):
+class LicenseError:
    def __init__(self):
        self.error_counts = defaultdict(int)

--- a/lib/spack/spack/cmd/list.py
+++ b/lib/spack/spack/cmd/list.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import division, print_function
-
 import argparse
 import fnmatch
 import json
--- a/lib/spack/spack/cmd/load.py
+++ b/lib/spack/spack/cmd/load.py
@@ -66,10 +66,9 @@ def setup_parser(subparser):
        default="package,dependencies",
        dest="things_to_load",
        choices=["package", "dependencies"],
-        help="""select whether to load the package and its dependencies
-the default is to load the package and all dependencies
-alternatively one can decide to load only the package or only
-the dependencies""",
+        help="select whether to load the package and its dependencies\n\n"
+        "the default is to load the package and all dependencies. alternatively, "
+        "one can decide to load only the package or only the dependencies",
    )

    subparser.add_argument(
@@ -102,7 +101,7 @@ def load(parser, args):
        )
        return 1

-    with spack.store.db.read_transaction():
+    with spack.store.STORE.db.read_transaction():
        if "dependencies" in args.things_to_load:
            include_roots = "package" in args.things_to_load
            specs = [
--- a/lib/spack/spack/cmd/location.py
+++ b/lib/spack/spack/cmd/location.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import os

 import llnl.util.tty as tty
@@ -57,13 +55,13 @@ def setup_parser(subparser):
    directories.add_argument(
        "--source-dir",
        action="store_true",
-        help="source directory for a spec " "(requires it to be staged first)",
+        help="source directory for a spec (requires it to be staged first)",
    )
    directories.add_argument(
        "-b",
        "--build-dir",
        action="store_true",
-        help="build directory for a spec " "(requires it to be staged first)",
+        help="build directory for a spec (requires it to be staged first)",
    )
    directories.add_argument(
        "-e",
@@ -164,7 +162,7 @@ def location(parser, args):
    # source dir remains, which requires the spec to be staged
    if not pkg.stage.expanded:
        tty.die(
-            "Source directory does not exist yet. " "Run this to create it:",
+            "Source directory does not exist yet. Run this to create it:",
            "spack stage " + " ".join(args.spec),
        )

--- a/lib/spack/spack/cmd/maintainers.py
+++ b/lib/spack/spack/cmd/maintainers.py
@@ -3,8 +3,6 @@
 #
 # SPDX-License-Identifier: (Apache-2.0 OR MIT)

-from __future__ import print_function
-
 import argparse
 from collections import defaultdict

--- a/lib/spack/spack/cmd/make_installer.py
+++ b/lib/spack/spack/cmd/make_installer.py
@@ -39,7 +39,7 @@ def line_to_rtf(str):
 def setup_parser(subparser):
    spack_source_group = subparser.add_mutually_exclusive_group(required=True)
    spack_source_group.add_argument(
-        "-v", "--spack-version", default="", help="download given spack version e.g. 0.16.0"
+        "-v", "--spack-version", default="", help="download given spack version"
    )
    spack_source_group.add_argument(
        "-s", "--spack-source", default="", help="full path to spack source"
@@ -49,9 +49,8 @@ def setup_parser(subparser):
        "-g",
        "--git-installer-verbosity",
        default="",
-        choices=set(["SILENT", "VERYSILENT"]),
-        help="Level of verbosity provided by bundled Git Installer.\
-             Default is fully verbose",
+        choices=["SILENT", "VERYSILENT"],
+        help="level of verbosity provided by bundled git installer (default is fully verbose)",
        required=False,
        action="store",
        dest="git_verbosity",
--- a/Show More
+++ b/Show More