boostrap fetchurl: Add SRI support

lib/minver.nix

@@ -1,2 +1,2 @@
 # Expose the minimum required version for evaluating Nixpkgs
-"2.2"
+"2.3"

nixos/doc/manual/from_md/release-notes/rl-2211.section.xml

@@ -255,6 +255,11 @@
   <section xml:id="sec-release-22.11-incompatibilities">
     <title>Backward Incompatibilities</title>
     <itemizedlist>
+      <listitem>
+        <para>
+          Nixpkgs now requires Nix 2.3 or newer.
+        </para>
+      </listitem>
       <listitem>
         <para>
           The <literal>isCompatible</literal> predicate checking CPU

nixos/doc/manual/release-notes/rl-2211.section.md

@@ -94,6 +94,8 @@ Available as [services.patroni](options.html#opt-services.patroni.enable).
 
 ## Backward Incompatibilities {#sec-release-22.11-incompatibilities}
 
+- Nixpkgs now requires Nix 2.3 or newer.
+
 - The `isCompatible` predicate checking CPU compatibility is no longer exposed
   by the platform sets generated using `lib.systems.elaborate`. In most cases
   you will want to use the new `canExecute` predicate instead which also

pkgs/build-support/fetchurl/boot.nix

@@ -4,12 +4,17 @@ let mirrors = import ./mirrors.nix; in
 
 { url ? builtins.head urls
 , urls ? []
-, sha256
+, sha256 ? ""
+, hash ? ""
 , name ? baseNameOf (toString url)
 }:
 
+# assert exactly one hash is set
+assert hash != "" || sha256 != "";
+assert hash != "" -> sha256 == "";
+
 import <nix/fetchurl.nix> {
-  inherit system sha256 name;
+  inherit system hash sha256 name;
 
   url =
     # Handle mirror:// URIs. Since <nix/fetchurl.nix> currently