# Fetchers and Fixed-Output Derivations

This note covers `22-fetchers-and-fixed-output/`, which uses `fetchurl` to pin an upstream tarball by content hash.

---

## 1. Why Fetchers Need a Hash

When Nix fetches content from outside the store, it needs a declared hash so the result stays reproducible.

That turns the fetch into a fixed-output derivation: the output is defined by the content hash, not just by the build steps.

---

## 2. What This Example Pins

The example fetches:

- the GNU hello source archive,
- from a concrete upstream URL, and
- with a declared SHA-256 hash.

If the upstream content changes, the hash check fails instead of silently accepting different bytes.

---

## 3. Why the Example Builds a Second Package

The fetched file by itself is not very interesting. The point is that later derivations can consume it as a normal store path.

This example adds a small package that reads the tarball and prints its top-level entry. That keeps the fetcher visible while still showing how
fetched inputs flow into downstream builds.

---

## 4. What the Check Verifies

The check:

- computes the tarball SHA-256 with `sha256sum`, and
- asserts that the archive contains `hello-2.12.3/README`.

That proves both the pinned bytes and the expected archive layout.

---

## 5. Commands to Try

```bash
cd 22-fetchers-and-fixed-output

nix build
./result/bin/show-fetched-hello-source

nix run
nix flake check
```