| The announcement post for gomod2nix has some additional info on the problems with buildGoModule's approach to vendorization: > The buildGoModule package is designed around fixed-output derivations, which means that a single derivation is created where all the dependencies of the package you want to build are wrapped, and only a single hash of the derivation is specified. It fetches all dependencies in the fixed output, creating a vendor directory which is used for the build. > This has several issues, most notably there is no sharing of dependencies between packages that depend on the same Go module. > The other notable issue is that it forces developers to remember editing the vendorSha256 attribute separately from the already existing hash/sha256 attribute on the derivation. Forgetting to do so can not only lead to incorrect builds but also be frustrating when working with larger packages that takes a long time to build, and only very late in the build notice that something was broken so you have to start over from scratch. > Because of the lack of hash granularity the build needs to clone every dependency every time the vendorSha256 is invalidated, and cannot use the cache from previous builds. https://www.tweag.io/blog/2021-03-04-gomod2nix/ So you get greater granularity here, and thus also greater cache reuse between builds. |
Note there is also an opened issue to restrict Nix fixed output derivation which would make impossible the buildGoModule "hack".
[1] https://github.com/NixOS/nixpkgs/issues/84826
[2] https://www.tweag.io/blog/2020-06-18-software-heritage/