From 0b3e7f063cdc340ee5840a0c7ef4202d342bcd95 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janne=20He=C3=9F?= <janne@hess.ooo>
Date: Tue, 23 Aug 2022 13:06:54 +0200
Subject: [PATCH] boostrap fetchurl: Add SRI support

---
 lib/minver.nix                                           | 2 +-
 .../doc/manual/from_md/release-notes/rl-2211.section.xml | 5 +++++
 nixos/doc/manual/release-notes/rl-2211.section.md        | 2 ++
 pkgs/build-support/fetchurl/boot.nix                     | 9 +++++++--
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/lib/minver.nix b/lib/minver.nix
index 86391bcd69e0..507d45bba4dc 100644
--- a/lib/minver.nix
+++ b/lib/minver.nix
@@ -1,2 +1,2 @@
 # Expose the minimum required version for evaluating Nixpkgs
-"2.2"
+"2.3"
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
index c3c3a5d92ecf..3b7f4f7ef5dc 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml
@@ -255,6 +255,11 @@
   <section xml:id="sec-release-22.11-incompatibilities">
     <title>Backward Incompatibilities</title>
     <itemizedlist>
+      <listitem>
+        <para>
+          Nixpkgs now requires Nix 2.3 or newer.
+        </para>
+      </listitem>
       <listitem>
         <para>
           The <literal>isCompatible</literal> predicate checking CPU
diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md
index 0e0ae598b342..4c4b226b97cf 100644
--- a/nixos/doc/manual/release-notes/rl-2211.section.md
+++ b/nixos/doc/manual/release-notes/rl-2211.section.md
@@ -94,6 +94,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
 
+- Nixpkgs now requires Nix 2.3 or newer.
+
 - The `isCompatible` predicate checking CPU compatibility is no longer exposed
   by the platform sets generated using `lib.systems.elaborate`. In most cases
   you will want to use the new `canExecute` predicate instead which also
diff --git a/pkgs/build-support/fetchurl/boot.nix b/pkgs/build-support/fetchurl/boot.nix
index bd71f93c5291..8f8c78b7a454 100644
--- a/pkgs/build-support/fetchurl/boot.nix
+++ b/pkgs/build-support/fetchurl/boot.nix
@@ -4,12 +4,17 @@ let mirrors = import ./mirrors.nix; in
 
 { url ? builtins.head urls
 , urls ? []
-, sha256
+, sha256 ? ""
+, hash ? ""
 , name ? baseNameOf (toString url)
 }:
 
+# assert exactly one hash is set
+assert hash != "" || sha256 != "";
+assert hash != "" -> sha256 == "";
+
 import <nix/fetchurl.nix> {
-  inherit system sha256 name;
+  inherit system hash sha256 name;
 
   url =
     # Handle mirror:// URIs. Since <nix/fetchurl.nix> currently