We have a number of problems that currently require full rebuilds of nixpkgs:
- glibc needs to find third-party nss modules
- cacerts needs to contain custom CA's from enterprises
- tzdata just changed frequently
- locales
Interestingly, Nix's deep pinning of cacerts and tzdata gets in the way of Nix's promise of packages working over the long term in an archival sense: