I’m trying to understand how tools like (cabal2nix, yarn2nix) that use import-from-derivation to streamline their use directly even work if internet access is sandboxed away?
I was looking at yarn2nix or composition-c4 and couldn’t grok it.
They seem to rely on some tool to determine the SHA to that they can generate fixed-output derivations for the dependencies.
Appreciate any tips.
Modern package managers often produce so-called lock files, which contain hashes of the all source dependencies.
For example, npm and yarn will have hashes of the source tarballs in package-lock.json/yarn.lock, and yarn2nix, node2nix or napalm will parse the lock files and create fixed-output derivations for the dependency sources.
Composer does not contain hashes of tarballs, since it fetches them from GitHub and tarballs there are not stable. But it still contains commit references and Nix will accept those even in sandbox so that is what composition-c4 uses. (Though this will fail in restricted eval mode).