Thank you, that is helpful information. I was reading up on FODs and they don’t seem like what I’d want since the hash would have to change for ~every commit.
I was digging into the rules_nixpkgs build, which does have a similar http_archive call:

One of the builds talks to BuildBuddy and performs the build remotely, but that invocation runs through nix-shell:

Does this mean that nix-shell --pure doesn’t do sandboxing by default, which is done by nix build? I took a look at nix issue 903 (Why is there no way to run nix-shell in a chroot and without the user’s .bashrc?) and this comment from 2019, which seems to indicate that’s the case.