When flake inputs are git repos that use export-subst in .gitattributes (for example, projects that use versioneer for versioning), the NAR hashes of these inputs can be unstable over time, leading to NAR hash mismatch in input errors.
Consider the following minimal example:
{
inputs.export-subst-minimal.url = "git+https://github.com/mcwitt/export-subst-minimal";
inputs.export-subst-minimal.flake = false;
outputs = _: { };
}
Then
$ nix flake lock
$ nix repl
…
nix-repl> :lf .
Added 8 variables.
nix-repl> inputs.export-subst-minimal.outPath
"/nix/store/iy7my74arsc4rgk9xrcs9mxrb0460x8d-source"
$ cat /nix/store/iy7my74arsc4rgk9xrcs9mxrb0460x8d-source/nondeterministic
(HEAD -> main)
The content of nondeterministic will change for example when the pinned commit is no longer HEAD in main, leading to NAR hash mismatch next time we fetch the input (on a different machine, or if the local cache is invalidated).
I was initially surprised that the git+https scheme is affected by export-subst (I would have expected it when using github, which fetches dynamically-generated tarballs), but it seems like the git schemes do call git-archive internally: https://github.com/NixOS/nix/blob/eaa20f25747eb025c7c4e69fa83f0e455a65393f/src/libfetchers/git.cc#L635
(not 100% sure my reading of the code is correct)
Is there a way to work around unstable NAR hashes in this case while still using flake inputs? I’ve found examples of workarounds in nixpkgs using the postFetch argument, but it’s more convenient for my current project to continue using flake inputs if possible.