>> However, there's no real reason that git-fetch *needs* to be
>> fixed-output in terms of having a hash pre-defined, at least for local
>> development and other purposes.  So is there a way around this?
>
>  • write (package (source (git-checkout …)) …)

This works well.  Now I'm curious how to know what can go in the (source) 
field?  Obviously not just (origin)...

>> If having a way around it is not desirable should url-fetch consider
>> this an error as well?
>
>I’m not sure; do you have an example where it’s not behaving as
>expected?

Yes.  When using (sha256 #f) url-fetch still has network access and works to 
download things, which is inconsistent vs other fetchers.