fetch sources by git commit hash #55

Open
milahu opened this issue May 20, 2024 · 0 comments

milahu commented May 20, 2024

git already is a content-addressed store
so for fixed output derivations in nix, there should be an outputHashAlgo = "git"

NixOS/rfcs#133

Nix should support content-addressed store objects using git blob + tree hashing, and Nix-unaware remote stores that serve git objects.

https://discourse.nixos.org/t/nix-sha256-is-bug-not-feature-solution-a-global-cas-filesystem/15791

NixOS/nix#10068

NixOS/nix#10344

https://discourse.nixos.org/t/2024-03-25-nix-team-meeting-minutes-133/42167

New design: take advantage of Git tree hashes for tarball verification

NixOS/nix#9485

In combination with lazy-trees, this reduces the disk space required for flakes (e.g. different revisions of nixpkgs) by a lot.

We have two kinds of tree hashes:

  • tree hashes from git commits, which do not correspond to fetched trees in general
  • tree hashes from file system objects returned by fetchTree

Which one is this, and what is the purpose of exposing it to the expression language?

NixOS/nix#8918

https://github.com/canva-public/js2nix/blob/main/docs/implementation_details.md

Packages from unknown registries

js2nix relies on the tarball URLs in the yarn.lock file being able to contain a SHA1 sum of the tarball content in the URL fragment. That is the case for registry.yarnpkg.com and registry.npmjs.org hosts, but not for other registries. In an average yarn.lock file, the majority of the URLs will point to those first two registries. However, for example, if a dependency is defined as a direct Github one:

{
  "dependencies": {
    "chimp": "hacker/chimp#dfa9125b498297f848e6a5f9eabbf55bf3eb1318"
  }
}

yarn won't provide a SHA1 sum for that URL, which makes it impossible to construct a Nix expression for that package since Nix requires SHA sums because of reproducibility. Similar to the local packages approach, js2nix doesn't make assumptions here and doesn't fetch these packages internally and infer such SHAs somehow. Rather, it relies on the user to provide such SHAs.
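As an added example (not part of the issue, Nix, or js2nix), this sketch implements the git blob + tree hashing referred to above and checks a fetched source tree against a pinned tree hash. The nested-dict tree representation, `verify_tree`, and the sample files are assumptions made for illustration; only regular non-executable files and directories are modelled.

```python
import hashlib
import hmac


def git_object_id(kind: bytes, body: bytes) -> bytes:
    """SHA-1 over git's object header ("<kind> <len>\\0") plus body, as raw bytes."""
    header = kind + b" " + str(len(body)).encode() + b"\0"
    return hashlib.sha1(header + body).digest()


def blob_id(data: bytes) -> bytes:
    return git_object_id(b"blob", data)


def tree_id(tree: dict) -> bytes:
    """Hash a nested dict: bytes = regular file (mode 100644), dict = subdirectory."""
    def sort_key(item):
        name, node = item
        # git orders tree entries as if directory names ended in "/"
        return name.encode() + (b"/" if isinstance(node, dict) else b"")

    body = b""
    for name, node in sorted(tree.items(), key=sort_key):
        if isinstance(node, dict):
            mode, oid = b"40000", tree_id(node)
        else:
            mode, oid = b"100644", blob_id(node)
        # entry format: "<mode> <name>\0" followed by the raw 20-byte object id
        body += mode + b" " + name.encode() + b"\0" + oid
    return git_object_id(b"tree", body)


def verify_tree(tree: dict, expected_hex: str) -> bool:
    """True only if the unpacked tree hashes to the pinned git tree id."""
    return hmac.compare_digest(tree_id(tree).hex(), expected_hex.lower())


# Constructed sample source tree (not a real package)
SAMPLE = {
    "package.json": b'{"name": "example"}\n',
    "lib": {"index.js": b"module.exports = 1;\n"},
}
PINNED = tree_id(SAMPLE).hex()  # what a lock file would record
TAMPERED = {**SAMPLE, "lib": {"index.js": b"module.exports = 2;\n"}}

if __name__ == "__main__":
    print("pinned tree id:", PINNED)
    print("original verifies:", verify_tree(SAMPLE, PINNED))
    print("tampered verifies:", verify_tree(TAMPERED, PINNED))
```

The tree id depends only on file names, modes and contents, whereas a commit id also covers author, date and parent metadata, so the two are not interchangeable as pins.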
