Default argument is evaluated (and causes failure in restrict-eval) even though it shouldn't be

[lheckemann]

Describe the bug

The default value for openwrt-src:

https://github.com/lheckemann/uap-nix/blob/84c8bf6ebe0b2a0a48f1fd15deec0f5907bca79a/default.nix#L4-L7

seems to be evaluated even though a replacement value is provided:

https://gist.github.com/lheckemann/6cad751e20ae1364e983fd22537450c9#file-flake-nix-L21

Steps To Reproduce

nix build https://gist.github.com/lheckemann/6cad751e20ae1364e983fd22537450c9/archive/424cb57212242a459cbf2718db198d0c7304797f.zip --restrict-eval

Expected behavior

Evaluation succeeds, because the impure fetchGit is never actually used due to lazy evaluation.

Actual behaviour

error: access to URI 'https://git.openwrt.org/openwrt/openwrt.git' is forbidden in restricted mode

nix-env --version output

nix-env (Nix) 2.12.0pre20220913_2a1c63c (lazy-trees)
Also confirmed on nix (Nix) 2.8.1

[lheckemann]

This doesn't seem to be strictly connected to default arguments -- it also happens if I use null as the default and check it in an if or by checking whether the set passed contains that member like in lheckemann/uap-nix@354ff70

[olivia-fl]

I'm also experiencing this with the vimUtils.buildVimPlugin function, which has a default value for name that depends on attrs.pname and attrs.version. Previously, I was able to provide a value for name without providing pname or version and everything worked fine. When updating to the latest nixpkgs-unstable, this seems to have stopped working.

[olivia-fl]

I'm guessing this was introduced by #7093

edit: looking closer at that PR, this is clearly impossible. I don't know what I was thinking...

[lheckemann]

I think I was misinterpreting this, and this is actually #7098.