hash mismatch in fixed-output derivation '/nix/store/0kxcxasvcn9n1cj8iawjmhc2xkahcan6-ristretto-0.9.999-vendor':
  wanted: sha256:1qbfp24d21wg13sgzccwn3ndvrzbydg0janxp7mzkjm4a83v0qij
  got:    sha256:1vfzdvpjj6s94p650zvai8gz89hj5ldrakci5l15n33map1iggch

clever | exarkun: i get the arch+darwin hash, on my nixos box
clever | exarkun: this means, that upstream has fudged with the source, and only the arch+darwin hash will work
clever | exarkun: if you provide the old hash, nixos finds the old copy in /nix/store and doesnt care that upstream borked things
clever | exarkun: if you use the "darwin" hash on nixos, then it should just work everywhere
clever | exarkun: you can blame somebody on the rust package management end, for changing a source tar without changing the version
exarkun | clever: is there some strategy for dealing with this case - the case where /nix/store has the "wrong" hash (wrong in the sense that you would never be able to reproduce it if it weren't in your /nix/store already)
exarkun: set the hash wrong, on all machines, and see if the new hash they come up with matches, on all machines
clever | exarkun: that will proove that somebody upstream borked (or mitm'd) the download, and nixos was just blindly trusting your old hash
tilpner | exarkun: --check on foo.src might work too (but verify!)