That’s in mkDerivation, and you can see the call to derivation in the block where validity is used. So validity is definitely asserted before the derivation is created, and well, the packages in pkgs are derivations. pkg is not.
I think that’s the right time to check too, you don’t want to potentially build packages that have some kind of build time vulnerability or something, and I’m pretty sure you couldn’t prevent derivation from adding the built package to the store, so there are some potential issues with licenses that don’t allow redistribution if the check happened any later.
I wonder if you could use this if you don’t want to hard-code those names:
allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) (map lib.getName [
pkgs.vscode
]);
Chances are this results in infinite recursion? In fact, any reference to a package in this function should result in infinite recursion.