nix-playgraound/notes/025-fetchers-and-fixed-output.md
Hassan Abedi c7b7f2fdd4 WIP
2026-04-24 12:46:19 +02:00


Fetchers and Fixed-Output Derivations

This note covers 22-fetchers-and-fixed-output/, which uses fetchurl to pin an upstream tarball by content hash.


1. Why Fetchers Need a Hash

When Nix fetches content from outside the store, it needs a declared hash so the result stays reproducible.

That turns the fetch into a fixed-output derivation: the output is defined by the content hash, not just by the build steps.


2. What This Example Pins

The example fetches:

  • the GNU hello source archive,
  • from a concrete upstream URL, and
  • with a declared SHA-256 hash.

If the upstream content changes, the hash check fails instead of silently accepting different bytes.


3. Why the Example Builds a Second Package

The fetched file by itself is not very interesting. The point is that later derivations can consume it as a normal store path.

This example adds a small package that reads the tarball and prints its top-level entry. That keeps the fetcher visible while still showing how fetched inputs flow into downstream builds.


4. What the Check Verifies

The check:

  • computes the tarball SHA-256 with sha256sum, and
  • asserts that the archive contains hello-2.12.3/README.

That verifies both that the bytes are the pinned ones and that the archive has the expected layout.
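
The two assertions described above, re-created as an added shell example on a constructed stand-in archive. This is not the repository's own check: the function names, the sample tarball and the return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hash pin + layout check on a constructed archive.
set -eu

# verify_pinned_archive FILE EXPECTED_SHA256 REQUIRED_MEMBER
# 0 = bytes match the pin and the member exists,
# 1 = hash mismatch, 2 = member missing (codes chosen for this example).
verify_pinned_archive() {
  vpa_actual=$(sha256sum "$1" | cut -d' ' -f1)
  if [ "$vpa_actual" != "$2" ]; then
    echo "hash mismatch: want $2, got $vpa_actual" >&2
    return 1
  fi
  # The layout is inspected only after the bytes are known to be the pinned ones.
  vpa_listing=$(tar -tzf "$1")
  if ! printf '%s\n' "$vpa_listing" | grep -Fxq "$3"; then
    echo "missing archive member: $3" >&2
    return 2
  fi
  return 0
}

# make_sample_archive DIR: builds a constructed stand-in for the upstream
# tarball (not the real GNU hello sources) and prints its path.
make_sample_archive() {
  mkdir -p "$1/hello-2.12.3"
  echo "constructed sample README" > "$1/hello-2.12.3/README"
  tar -czf "$1/hello.tar.gz" -C "$1" hello-2.12.3
  echo "$1/hello.tar.gz"
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
archive=$(make_sample_archive "$workdir")
pin=$(sha256sum "$archive" | cut -d' ' -f1)  # stands in for the declared hash

verify_pinned_archive "$archive" "$pin" hello-2.12.3/README
echo "pinned bytes and layout OK"

# Simulate the upstream file changing behind the same URL.
echo "extra bytes" >> "$archive"
if verify_pinned_archive "$archive" "$pin" hello-2.12.3/README 2>/dev/null; then
  echo "unexpected: changed bytes accepted" >&2
  exit 1
fi
echo "changed bytes rejected"
```
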


5. Commands to Try

cd 22-fetchers-and-fixed-output

nix build
./result/bin/show-fetched-hello-source

nix run
nix flake check