[bpye]

When you list the sources for a Nix package you also have to specify the hash expected. If it pulls the sources and the hash doesn't match then the package will fail to build.

[slapslash]

Ahh, I see. But couldn‘t the hash then also be used on the packages themselves?

[rgoulter]

The package in the cache which it's downloaded from?

I think so. It would be a bit more involved that "replace the package for gcc-11". The packages are addressed by the inputs which built them.

There has been some effort towards supporting content-addressable storage. https://www.tweag.io/blog/2020-09-10-nix-cas/ https://edolstra.github.io/pubs/secsharing-ase2005-final.pdf