diff --git a/new.nix b/new.nix
index 33c6684b37600bb1221aad14454a3effb816a414..3974dae3ecc8a6be0fb3c5a9d2c2c122b96f0b6e 100644
--- a/new.nix
+++ b/new.nix
@@ -4,38 +4,77 @@ in
 { pkgs ? import sources.release2015 {}
 , pypiData ? sources.pypi-deps-db
 , mach-nix ? import sources.mach-nix { inherit pkgs pypiData; }
-,
+, tahoe-lafs ? "1.14.0"
 }:
-    mach-nix.buildPythonApplication rec {
-      python = "python27";
-      name = "zero-knowledge-access-pass-authorizer";
-      src = ./.;
-      providers = {
-        _default = "sdist,nixpkgs,wheel";
-        # not packaged in nixpkgs at all, we can use the binary wheel from
-        # pypi though.
-        python-challenge-bypass-ristretto = "wheel";
-        # Pure python packages that don't build correctly from sdists
-        # - patches in nixpkgs that don't apply
-        # - missing build dependencies
-        platformdirs = "wheel";
-        boltons = "wheel";
-        klein = "wheel";
-        humanize = "wheel";
-        chardet = "wheel";
-        urllib3 = "wheel";
-        zipp = "wheel";
+  let
+    providers = {
+      _default = "sdist,nixpkgs,wheel";
+      # not packaged in nixpkgs at all, we can use the binary wheel from
+      # pypi though.
+      python-challenge-bypass-ristretto = "wheel";
+      # Pure python packages that don't build correctly from sdists
+      # - patches in nixpkgs that don't apply
+      # - missing build dependencies
+      platformdirs = "wheel";
+      boltons = "wheel";
+      klein = "wheel";
+      humanize = "wheel";
+      chardet = "wheel";
+      urllib3 = "wheel";
+      zipp = "wheel";
+    };
+    tahoe-versions = {
+      "1.14.0" = {
+        requirements = builtins.readFile ./requirements/base.txt;
+        propagatedBuildInputs = [];
       };
-      _.tahoe-lafs.patches = [
-        (
-          pkgs.fetchpatch {
-            url = "https://raw.githubusercontent.com/PrivateStorageio/nixpkgs/privatestorageio/pkgs/development/python-modules/tahoe-lafs/rsa-exponent.patch";
-            sha256 = "sha256-0vIMj5gZPbKLkow6wpA+Tz7bpyy+mZRSSFGmpg0VMyk=";
-          }
-        )
-      ];
-      format = "setuptools";
-      requirements = builtins.readFile ./requirements/base.txt;
-      # Record some settings here, so downstream nix files can consume them.
-      meta.mach-nix = { inherit python providers; };
-    }
+      "1.16.0rc1" = rec {
+        requirements = builtins.readFile ./requirements/base-1.16.txt;
+        propagatedBuildInputs = [
+          (
+            mach-nix.buildPythonPackage {
+              python = "python27";
+              pname = "tahoe-lafs";
+              version = "1.16.0rc1";
+              inherit requirements providers;
+              postPatch = ''
+                cat > src/allmydata/_version.py <<EOF
+                # This _version.py is generated by nix.
+
+                verstr = "$version"
+                __version__ = verstr
+                EOF
+                '';
+              src = pkgs.fetchFromGitHub {
+                owner = "fenn-cs";
+                repo = "tahoe-lafs";
+                rev = "f6a96ae3976ee21ad0376f7b6a22fc3d12110dce";
+                sha256 = "ZN2V5vH+VqPaBmQXXqyH+vUiqW1YNhz+7LsiNNhA/4g=";
+              };
+            }
+          )
+        ];
+      };
+    };
+  in
+#    (builtins.elemAt tahoe-versions."1.16.0rc1".propagatedBuildInputs 0)
+#/*
+  mach-nix.buildPythonApplication rec {
+    python = "python27";
+    name = "zero-knowledge-access-pass-authorizer";
+    src = ./.;
+    inherit providers;
+    inherit (tahoe-versions.${tahoe-lafs}) requirements propagatedBuildInputs;
+    _.tahoe-lafs.patches = [
+      (
+        pkgs.fetchpatch {
+          url = "https://raw.githubusercontent.com/PrivateStorageio/nixpkgs/privatestorageio/pkgs/development/python-modules/tahoe-lafs/rsa-exponent.patch";
+          sha256 = "sha256-0vIMj5gZPbKLkow6wpA+Tz7bpyy+mZRSSFGmpg0VMyk=";
+        }
+      )
+    ];
+    format = "setuptools";
+    # Record some settings here, so downstream nix files can consume them.
+    meta.mach-nix = { inherit python providers; };
+  }
+  /**/
diff --git a/requirements/base-1.16.txt b/requirements/base-1.16.txt
index 5cc65c150025978042c2b51dd2cd793055a5aadf..ef84c2b7aa0fbe1e500c0bf70f880507afb03534 100644
--- a/requirements/base-1.16.txt
+++ b/requirements/base-1.16.txt
@@ -147,8 +147,6 @@ six==1.16.0
     #   txaio
 spake2==0.8
     # via magic-wormhole
-https://github.com/fenn-cs/tahoe-lafs/archive/f6a96ae3976ee21ad0376f7b6a22fc3d12110dce.tar.gz
-    # via -r requirements/base-1.16.in
 tqdm==4.62.3
     # via magic-wormhole
 treq==21.1.0
@@ -179,9 +177,3 @@ zope.interface==5.4.0
     #   tahoe-lafs
     #   twisted
     #   txtorcon
-
-# The following packages are considered to be unsafe in a requirements file:
-setuptools==44.1.1
-    # via
-    #   tahoe-lafs
-    #   zope.interface
diff --git a/tests.nix b/tests.nix
index 620dd582ef68b578329172bc958d45ffa13d18ef..0bf4a9bfaca36a563fdcc4a4d06a78ffed3fc715 100644
--- a/tests.nix
+++ b/tests.nix
@@ -1,64 +1,65 @@
 let
   sources = import nix/sources.nix;
 in
-{
-  pkgs ? import sources.release2015 { },
-  pypiData ? sources.pypi-deps-db,
-  mach-nix ? import sources.mach-nix { inherit pkgs pypiData; },
-  zkapauthorizer ? import ./new.nix { inherit pkgs pypiData mach-nix; },
-  ci-reports ? false,
-  hypothesisProfile ? null,
-  collectCoverage ? false,
-  testSuite ? null,
-  trialArgs ? null,
+{ pkgs ? import sources.release2015 {}
+, pypiData ? sources.pypi-deps-db
+, mach-nix ? import sources.mach-nix { inherit pkgs pypiData; }
+, tahoe-lafs ? "1.14.0"
+, zkapauthorizer ? import ./new.nix { inherit pkgs pypiData mach-nix tahoe-lafs; }
+, ci-reports ? false
+, hypothesisProfile ? null
+, collectCoverage ? false
+, testSuite ? null
+, trialArgs ? null
+,
 }:
-let
-  lib = pkgs.lib;
-  hypothesisProfile' = if hypothesisProfile == null then "default" else hypothesisProfile;
-  defaultTrialArgs = [ "--rterrors" ] ++ ( lib.optional ( ! collectCoverage ) "--jobs=$NIX_BUILD_CORES" );
-  trialArgs' = if trialArgs == null then defaultTrialArgs else trialArgs;
-  extraTrialArgs = builtins.concatStringsSep " " trialArgs';
-  testSuite' = if testSuite == null then "_zkapauthorizer" else testSuite;
+  let
+    lib = pkgs.lib;
+    hypothesisProfile' = if hypothesisProfile == null then "default" else hypothesisProfile;
+    defaultTrialArgs = [ "--rterrors" ] ++ (lib.optional (! collectCoverage) "--jobs=$NIX_BUILD_CORES");
+    trialArgs' = if trialArgs == null then defaultTrialArgs else trialArgs;
+    extraTrialArgs = builtins.concatStringsSep " " trialArgs';
+    testSuite' = if testSuite == null then "_zkapauthorizer" else testSuite;
 
-  python = mach-nix.mkPython {
-    inherit (zkapauthorizer.meta.mach-nix) python providers;
-    requirements =
-      builtins.readFile ./requirements/test.txt;
-    packagesExtra = [ zkapauthorizer ];
-    _.hypothesis.postUnpack = "";
-  };
-in
-  pkgs.runCommand "zkapauthorizer-tests" {
-    # When running in CI, we want `nix build` to succeed and create the `result` symlink
-    # even if the tests fail. `succeedOnFailure` will create a `nix-support/failed` file
-    # with the exit code, which is read by the CI command to propogate the exit status.
-    succeedOnFailure = ci-reports;
-  } ''
-    ${if ci-reports then
+    python = mach-nix.mkPython {
+      inherit (zkapauthorizer.meta.mach-nix) python providers;
+      requirements =
+        builtins.readFile ./requirements/test.txt;
+      packagesExtra = [ zkapauthorizer ];
+      _.hypothesis.postUnpack = "";
+    };
+  in
+    pkgs.runCommand "zkapauthorizer-tests" {
+      # When running in CI, we want `nix build` to succeed and create the `result` symlink
+      # even if the tests fail. `succeedOnFailure` will create a `nix-support/failed` file
+      # with the exit code, which is read by the CI command to propogate the exit status.
+      succeedOnFailure = ci-reports;
+    } ''
+      ${if ci-reports then
       ''
         mkdir -p $out/codeclimate
         flake8_args+="--format=gl-codeclimate --output-file $out/codeclimate/flake8.json"
       ''
-      else
+    else
       ''
         mkdir -p $out
         flake8_args+="--tee --output-file $out/flake8.txt"
       ''
     }
-    pushd ${zkapauthorizer.src}
-    #${python}/bin/flake8 $flake8_args
-    ${python}/bin/pyflakes
-    popd
+      pushd ${zkapauthorizer.src}
+      #${python}/bin/flake8 $flake8_args
+      ${python}/bin/pyflakes
+      popd
 
-    ZKAPAUTHORIZER_HYPOTHESIS_PROFILE=${hypothesisProfile'} ${python}/bin/python -m ${if collectCoverage
-      then "coverage run --debug=config --module"
-      else ""
+      ZKAPAUTHORIZER_HYPOTHESIS_PROFILE=${hypothesisProfile'} ${python}/bin/python -m ${if collectCoverage
+    then "coverage run --debug=config --module"
+    else ""
     } twisted.trial ${extraTrialArgs} ${testSuite'}
 
-    ${lib.optionalString collectCoverage
+      ${lib.optionalString collectCoverage
       ''
         mkdir -p "$out/coverage"
         cp -v .coverage.* "$out/coverage"
       ''
     }
-  ''
+    ''