generic-specialty via Nix community nixos1@discoursemail.com writes:
Why not have @GrahamcOfBorg fetch the URLs and make sure the hash matches?
If it doesn’t match, the bot would throw an error, both reminding the PR author that the hash must be changed, and also unmasking potentially malicious attempts to exploit fetchurl’s behavior.
I think this would be pretty hard to do, as it’d require ofborg to run
some kind of recursive---check on the derivation it’s building, which
would end up rebuilding all the dependencies all the time.