coding-conventions.chapter.md: update to account for #89885

[ghost]

Description of changes

This PR: #89885 ensures that fetches are done securely (i.e. without --insecure) when the hash parameter is one of the four special "fake" hashes. However the manual was not updated in that PR. This commit updates the manual to account for the already-merged changes from that PR.

ping @matthewbauer

Future-proofing

It would probably be a good idea if Nix didn't print out the complete unexpected hash of insecure fetches on the console, in order to deter people from copy-and-pasting it. For example, by default the error message printed to the console could deliberately garble a few characters in the middle of the hash by replacing them with an invalid character like . unless --option dammit-give-me-the-footgun is set.

The question is how to communicate to Nix that the fetch was insecure. I see two possibilities:

1. Nix adopts the nixpkgs convention that if expected-hash is "", lib.fakeHash, lib.fakeSha256, or lib.fakeSha512 then the unexpected-hash was computed over something which was fetched securely. This could be considered a layering violation.

2. A new derivation attribute __insecure for FODs is added, which tells Nix that the fetch was performed insecurely. Since this would appear only on FODs it shouldn't affect any outpath addresses. It should probably also be allowed on __impure derivations, and be inherited by FODs which depend on __insecure __impure derivations.

@edolstra if either of these approaches sounds acceptable to you I will implement it.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.11 Release Notes (or backporting 22.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.