Could we maybe go back to including patches instead of fetching them

In updating our compute cluster overlay to 20.09, I’m noticing people are now using fetchpatch to fetch patches instead of just including them in the nixpkgs repo.

The reason I’m noticing this is because a bunch of stuff is failing due to invalid URLs (e.g., today I discovered the 20.09 curl CVE patches and the pytest-timeout patch URLs are invalid). This sucks.

If the patch isn’t huge, why fetchpatch it when you could just include the patch and having it work forever?


One reason I can think of is that as mentioned in

Nixpkgs is licensed under the MIT License.

Note: MIT license does not apply to the packages built by Nixpkgs, merely to the files in this repository (the Nix expressions, build scripts, NixOS modules, etc.). It also might not apply to patches included in Nixpkgs, which may be derivative works of the packages to which they apply. The aforementioned artifacts are all covered by the licenses of the respective packages.

fetchpatch avoids the tricky ‘It also might not apply to patches included in Nixpkgs’ part of this licensing issue.

I feel like the patches should be on the tarball mirror at though, but I couldn’t really remember how this thing works.