Pinning: pass hashes

[kubukoz]

Currently, all the tutorials on pinning (https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs / https://nix.dev/reference/pinning-nixpkgs#ref-pinning-nixpkgs) seem to use fetchTarball without passing a sha - the snippets should probably be updated to include that, and provide some hints on where to get the sha.

[domenkozar]

Would be great to have a PR to fix this!

[willbush]

There are a bunch of these: https://github.com/search?q=repo%3ANixOS%2Fnix.dev+%22fetchTarball+%5C%22%22&type=code

Not necessarily an error, but fetchTarball can take an attribute set as an argument:

fetchTarball {
  url = "https://github.com/NixOS/nixpkgs/archive/nixos-14.12.tar.gz";
  sha256 = "1jppksrfvbk5ypiqdz4cddxdl8z6zyzdb2srq8fcffr327ld5jj2";
}

Note that when obtaining the hash with nix-prefetch-url the option --unpack is required.

Earlist example in nix.dev that I see using fetchTarball is here: https://nix.dev/tutorials/first-steps/declarative-shell

@fricklerhandwerk worth changing?

[fricklerhandwerk]

The whole topic of obtaining remote sources is a ball of yarn. None of the obvious alternatives are pretty:

• pinning sources with vanilla Nix is tedious, but we should provide a lightweight introduction
• nix-prefetch-url doesn't use the fetcher cache, so it's extremely inefficient for the most common use case, Nixpkgs
• flakes aren't done and, in my humble opinion, wrong on many levels, so I don't think it's a good idea to promote any of that
• we're showing npins in a guide, but that requires having Nixpkgs (here we take whatever comes with the installation)
• vendoring sources with Git subtrees is possible but has its own caveats and is too unconventional to put on the front page

I'm leaning towards not changing the first encounter, and maybe introducing npins earlier and more explicitly, fixing nix-prefetch-url, and finally figuring out native fetching and locking (or ditching it altogether to be replaced with something else).

I'm of course open to discuss this.

My goal is for beginners to learn correct information in an efficient order such that their knowledge scales and doesn't lead them into problems or excessive additional work later on, and where wide adoption doesn't impede future upstream development. It's not necessarily about doing the easiest thing wherever they currently are with their knowledge. This is why teaching `nix-env` is not a good idea even if it's close to widespread experience with package managers; it leads to re-doing work very soon. (Even calling Nix a package manager is misleading, because it invokes all the wrong associations.) This is also why I'm not excited about teaching anything about flakes: from experience it doesn't scale to larger projects without adding more tooling or concepts (such as `flake-parts`) and refactoring code that has piled up, and requires explaining more stuff up-front about the system string, the output schema, the flake URL syntax, ...