fetchFromGitHub allows hash and content specified to diverge

[xaverdh]

Issue description

fetchFromGitHub (and its friends as well?) can effectively "accept" hashes which do not match the referenced content. This happens in #61674 for example, where the revision was changed, but the hash wasn't updated accordingly by accident.
This is probably due to caching. The hash remains the same, so there is no attempt to rebuild the derivation, which would detect the mismatch. So the content-hash combination as specified in the nix file becomes invalid, but this is not detected.

Steps to reproduce

Build a derivation which uses fetchFromGitHub, then change rev without changing the hash.

[danieldk]

This true for (I think) all fetchers. fetchFromGitHub uses fetchzip when fetchSubmodules is false. Also see this issue, which has some discussions:

NixOS/nix#969

[vcunat]

Yes, it's a feature, basically. Let's not create yet another thread for discussing it. You can join some of the existing ones.

TL;DR: fetchers are fixed-output derivations, i.e. content-addressable. If you specify a hash that you have already (or can substitute etc.), nix won't attempt to build it. One of original motivations is switching mirrors without rebuilds.