Inconsistencies between lock file and nix resolved packages

[tmcl]

If a package with the same name and version but different hashes is uploaded to two different maven repos, gradle dependencies and nix buildMavenRepo might have different ideas about which repo to obtain the file from, and therefore crash.

Possible solutions:

1. Change the way the lock file is produced, to include a reference to the repo from which it was obtained. (This is probably too hard and flaky.)
2. If buildMavenRepo finds a file with the incorrect sum, it shouldn't give up. Instead, it should keep looking at the other repos. (This is probably much easier. But the whole thing feels completely ad hoc. Why shouldn't we know where the package comes from? Is that just how maven works?)

[mschwaig]

I remember reading what makes the second solution difficult to implement is that if you give fetchurl a bunch of different URLs to try if it is successful in downloading a file from one of them and then the hash mismatches this leads to a failure that Nix does not try to recover from. The assumption behind that is that all mirrors would deliver the same file (if they deliver something), and that assumption is not true in this case.

So to implement that solution one could probably add a tryMirrorsOnHashMismatch parameter to fetchurl which changes that behavior for cases like this.