Nix packaging, the heretic way

I’m targeting private repos only.

Using __noChroot = true means that the project is now more susceptible to supply-chain attacks. Nix doesn’t provide the guarantee that the output is the same anymore. Typically the build would use npm, cargo, … which do their own checksum checks, but if the build does something like curl some random website, now the website can change the content of that file for subsequent builds.

Just saying that this needs to be done responsibly. And we can’t really open that for nixpkgs without compromising the project’s fundamental guarantees.

Technically we could extend the builder APIs so vendorSha256 can take an “impure” argument, and then use that only outside of nixpkgs. But I think it would be confusing for packagers. Now they have to know which arguments are meant for nixpkgs, and which are for use outside.

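The risk described in the post, as an added illustration that is not part of the original thread: a derivation that disables the sandbox and curls an unpinned file, beside the fixed-output form that declares the expected hash up front. The URL and hash are placeholders, and `impureVendor` only builds on a machine configured with `sandbox = relaxed`.

```nix
# Added example, not code from the original post. Placeholder URL and hash.
{ pkgs ? import <nixpkgs> {} }:

let
  url = "https://example.invalid/vendor.tar.gz";  # placeholder URL
in
{
  # Weak: __noChroot lifts the sandbox, so the build can reach the network,
  # and nothing pins what curl returns. The server can serve different bytes
  # on the next build and Nix cannot tell; reproducibility is lost.
  impureVendor = pkgs.stdenv.mkDerivation {
    name = "vendor-impure";
    __noChroot = true;
    nativeBuildInputs = [ pkgs.curl pkgs.cacert ];
    buildCommand = ''
      curl -fsSL ${url} -o $out
    '';
  };

  # Corrected: a fixed-output derivation. Network access is permitted only
  # because the output hash is declared in advance; if the fetched bytes ever
  # differ from it, the build fails instead of silently using new content.
  # Replace lib.fakeSha256 with the real hash reported on the first build.
  pinnedVendor = pkgs.fetchurl {
    inherit url;
    sha256 = pkgs.lib.fakeSha256;  # placeholder hash, build will report the real one
  };
}
```

The pinned form is what keeps the guarantee the post refers to: a changed upstream file shows up as a hash mismatch at build time rather than as a silent change in the output.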