Fetchurl- without sha Inside official repo

I want to submit a package fontFromRepo which takes two args- repo and name and downloads fonts from popular repos. (For now, only google). This is when I’d like to install a few specific fonts.

The package would look something like this-


{
        repo, #Only google for now
	name,
        pkgs,
	url,
	deletable ? []
}:

stdenv.mkDerivation 
	{
		inherit 
			name deletable;
           
                # **************** Made up syntax ***************************
		src = fetchurl ''https://fonts.google.com/download?family=${builtins.replaceStrings [ " " ] [ "%20" ] name }'';

		buildInputs = [ unzip ];

		unpackPhase = ''
			runHook preUnpack

			newtmp=$(mktemp -d)
			unzip $src -d $newtmp/
			cd $newtmp

			runHook postUnpack
		'';

		installPhase = ''
			runHook preInstall

			mkdir -p $out/share/fonts
			cp -r * $out/share/fonts

			cd $out/share/fonts
			for de in $deletable
			do
				find -name $de
				find -name $de | xargs rm
				echo "Removed $de"
				find -name $de
			done

			runHook postInstall
		'';

		phases = [  "unpackPhase" "installPhase" ];
}

There are two issues I see- is there even a way to download a url without a sha? And would that be allowed in the package repository at all.

I found fetchzip but I’m getting the following error with it-

nix-repl> (import <nixpkgs>{}).fetchzip {url="https://fonts.google.com/download?family=Lora";}
error: fetchurl requires a hash for fixed-output derivation: https://fonts.google.com/download?family=Lora

I spent only a few minutes looking around but couldn’t find how to fix this…

Of course, I don’t know if this package itself would be accepted in the repository. Personally for me- a benefit is making it very easy to download a single or a few google fonts. (and hopefully add more font repos later…)

My question is how do I go ahead with this so that it is idiomatic enough to be included in the repos (assuming it’s useful enough)?

EDIT: The argument format wouldn’t look like this in the final version- the invokation would look something like:

	( pkgs.fontFromRepo.override { 
		google = [   
                    { 
                        name = "firstFont";
                    }
                    { 
                       name = "secondFont"; 
                       deletable = "UnpredictableFontConfigUsesThisBadFont.ttf";
                    }
               ];

           	repo2 = [  
                    { 
                        name = "thirdFont";
                    }
                ];
           } 
      )

In short, you want to pass a checksum as a parameter. Alternatively, if a domain provides list of fonts with checksums, you can extract the checksum from that list (albeit, most likely this is a wrong way to go as that file is more likely to change then fonts themselves). There is a way to download a file without providing a checksum (disabling sandboxing or builtins.exec), but this will cause practical issues.