Yes, the point of a version and hash is that they are “hardcoded” with regard to a given package derivation as-written. This is not unique to Nix, and other distributions do the same. It is incredibly irresponsible to download something off the internet, not verify its hash against a known-good one, and then install it on your computer.
What is even the point of evaluating a hash dynamically? The whole reason it’s there is to allow users to be sure they are downloading and installing the thing that was packaged, and that upstream didn’t replace the binary (via a new version or via some hack, etc.).
Yes, this is exactly what this request is about. Although more than about my “local packaging process”, it’s about how Linux packaging in general works. I’m not aware of a Linux package manager worth its weight that doesn’t rely on the package source being verified in some way. The complaint here is precisely that Roon’s distribution process makes safe, sane packaging of their software incredibly hard.
That’s archive.org’s problem. We started using that mirror because another user hit the issue of the hash changing from under them and breaking the package, so they changed it to the mirror.
I never asked for that. If they want to yank older releases and make them 404, that’s still better than the current scenario where the URL just changes to point to something else all of a sudden.
Sure, but that hasn’t happened either, it’s mostly been radio silence. I wouldn’t be here pressing on this if someone from Roon had come and said “We do not care about you as a user, and will not be providing support for this.”
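As an added illustration of the pinned-hash behaviour discussed in this post (example code written for this thread, not Roon’s or nixpkgs’ code), the following simulates a fixed-output fetch that tries an upstream URL and then a mirror, accepting only bytes whose SHA-256 equals the pin recorded at packaging time. All URLs, byte strings and the served contents are constructed placeholders; the scenario models upstream serving different bytes under an unchanged URL while the mirror still serves the reviewed release.

```python
import hashlib
import hmac

# Constructed sample bytes standing in for the release tarball that was
# reviewed and packaged (hypothetical; not a real Roon artifact).
REVIEWED_RELEASE = b"roonserver-linux-x64 release as reviewed (constructed)"
# The pin a package derivation "hardcodes": the hash of exactly those bytes.
PINNED_SHA256 = hashlib.sha256(REVIEWED_RELEASE).hexdigest()

# Hypothetical source list: upstream first, an archive-style mirror as fallback.
SOURCES = [
    "https://upstream.example/roonserver.tar.bz2",          # placeholder URL
    "https://mirror.example/PLACEHOLDER/roonserver.tar.bz2",  # placeholder URL
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_pin(data: bytes, pinned: str) -> bool:
    # Constant-time comparison of the hex digests against the pinned value.
    return hmac.compare_digest(sha256_hex(data), pinned.lower())

def fetch_pinned(sources, pinned, fetch):
    """Try each URL in order and return (url, data) for the first download
    whose hash equals the pin. A 404 (fetch returns None) just moves on to the
    next source; a download whose hash differs is recorded, never accepted.
    If no source matches, raise so the build fails instead of installing
    something other than what was packaged."""
    seen = {}
    for url in sources:
        data = fetch(url)
        if data is None:
            seen[url] = "404"
            continue
        if matches_pin(data, pinned):
            return url, data
        seen[url] = sha256_hex(data)  # what the URL actually served
    raise RuntimeError(f"no source matched pin {pinned}: {seen}")

# Constructed scenario: upstream now serves other bytes under the same URL,
# the mirror still serves the reviewed release.
SERVED = {
    SOURCES[0]: b"a newer build quietly published under the same URL",
    SOURCES[1]: REVIEWED_RELEASE,
}

def simulated_fetch(url):
    return SERVED.get(url)  # None models a 404

if __name__ == "__main__":
    url, _ = fetch_pinned(SOURCES, PINNED_SHA256, simulated_fetch)
    print("verified release obtained from", url)
```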