listed later in the list of new valid paths.

  `--register-validity'.
* `nix-store --register-validity': read arguments from stdin, and
  allow the references and deriver to be set.

  users.
* Change to base-32 hashes.

  unique.
* Drop `hashAlgo' attribute in manifests; prefix hashes with the hash
  algorithm instead.

  file names in the directory not included in any of the manifests
  specified on the command line.

* nix-prefecth-url: print out in base-16.

  expressions.

  conditional expression in the blacklist can specify when to
  continue/stop a traversal.  For example, in

    <condition>
      <within>
        <traverse>
          <not><hasAttr name='outputHash' value='.+' /></not>
        </traverse>
        <hasAttr name='outputHash' value='ef1cb003448b4a53517b8f25adb12452' />
      </within>
    </condition>

  we traverse the dependency graph, not following the dependencies of
  `fetchurl' derivations (as indicated by the presence of an
  `outputHash' attribute - this is a bit ugly).  The resulting set of
  paths is scanned for a fetch of a file with the given hash, in this
  case, the hash of zlib-1.2.1.tar.gz (which has a security bug).  The
  intent is that a dependency on zlib is not a problem if it is in a
  `fetchurl' derivation, since that's build-time only.  (Other
  build-time uses of zlib *might* be a problem, e.g., static linking.)

  Maybe this is a bad idea.

  checked against every item in a blacklist.

* Maintain the cleanup invariant in clearSubstitutes().

  store path (which is stored in the database).