Should the values from config.nix be validated in any way?  They are
obviously trusted, but it is very easy for the users to make mistakes
that could cause extremely confusing problems.  For instance, the
update patch doesn't support URLs with a query string or a fragment
specifier.  In fact, such URLs could get mangled.  There are other
URLs that tools like curl will accept but which will break the build.

Should these be validated with regular expressions before use?
That will result in build-time errors that at least somewhat point
to the source of the problem, rather than mysterious build-time or
runtime misbehavior.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)