{
  lib,
  buildPackages ? {
    inherit stdenvNoCC;
  },
  stdenvNoCC,
  curl, # Note that `curl' may be `null', in case of the native stdenvNoCC.
  cacert ? null,
}:

let

  mirrors = import ./mirrors.nix;

  # Write the list of mirrors to a file that we can reuse between
  # fetchurl instantiations, instead of passing the mirrors to
  # fetchurl instantiations via environment variables.  This makes the
  # resulting store derivations (.drv files) much smaller, which in
  # turn makes nix-env/nix-instantiate faster.
  mirrorsFile = buildPackages.stdenvNoCC.mkDerivation (
    {
      name = "mirrors-list";
      strictDeps = true;
      builder = ./write-mirror-list.sh;
      preferLocalBuild = true;
    }
    // mirrors
  );

  # Names of the master sites that are mirrored (i.e., "sourceforge",
  # "gnu", etc.).
  sites = builtins.attrNames mirrors;

  impureEnvVars =
    lib.fetchers.proxyImpureEnvVars
    ++ [
      # This variable allows the user to pass additional options to curl
      "NIX_CURL_FLAGS"

      # This variable allows the user to override hashedMirrors from the
      # command-line.
      "NIX_HASHED_MIRRORS"

      # This variable allows overriding the timeout for connecting to
      # the hashed mirrors.
      "NIX_CONNECT_TIMEOUT"
    ]
    ++ (map (site: "NIX_MIRRORS_${site}") sites);

in

{
  # URL to fetch.
  url ? "",

  # Alternatively, a list of URLs specifying alternative download
  # locations.  They are tried in order.
  urls ? [ ],

  # Additional curl options needed for the download to succeed.
  # Warning: Each space (no matter the escaping) will start a new argument.
  # If you wish to pass arguments with spaces, use `curlOptsList`
  curlOpts ? "",

  # Additional curl options needed for the download to succeed.
  curlOptsList ? [ ],

  # Name of the file.  If empty, use the basename of `url' (or of the
  # first element of `urls').
  name ? "",

  # for versioned downloads optionally take pname + version.
  pname ? "",
  version ? "",

  # SRI hash.
  hash ? "",

  # Legacy ways of specifying the hash.
  outputHash ? "",
  outputHashAlgo ? "",
  sha1 ? "",
  sha256 ? "",
  sha512 ? "",

  recursiveHash ? false,

  # Shell code to build a netrc file for BASIC auth
  netrcPhase ? null,

  # Impure env vars (https://nixos.org/nix/manual/#sec-advanced-attributes)
  # needed for netrcPhase
  netrcImpureEnvVars ? [ ],

  # Shell code executed after the file has been fetched
  # successfully. This can do things like check or transform the file.
  postFetch ? "",

  # Whether to download to a temporary path rather than $out. Useful
  # in conjunction with postFetch. The location of the temporary file
  # is communicated to postFetch via $downloadedFile.
  downloadToTemp ? false,

  # If true, set executable bit on downloaded file
  executable ? false,

  # If set, don't download the file, but write a list of all possible
  # URLs (resulting from resolving mirror:// URLs) to $out.
  showURLs ? false,

  # Meta information, if any.
  meta ? { },

  # Passthru information, if any.
  passthru ? { },
  # Doing the download on a remote machine just duplicates network
  # traffic, so don't do that by default
  preferLocalBuild ? true,

  # Additional packages needed as part of a fetch
  nativeBuildInputs ? [ ],
}:

let
  urls_ =
    if urls != [ ] && url == "" then
      (if lib.isList urls then urls else throw "`urls` is not a list")
    else if urls == [ ] && url != "" then
      (if lib.isString url then [ url ] else throw "`url` is not a string")
    else
      throw "fetchurl requires either `url` or `urls` to be set";

  hash_ =
    if
      with lib.lists;
      length (
        filter (s: s != "") [
          hash
          outputHash
          sha1
          sha256
          sha512
        ]
      ) > 1
    then
      throw "multiple hashes passed to fetchurl"
    else

    if hash != "" then
      {
        outputHashAlgo = null;
        outputHash = hash;
      }
    else if outputHash != "" then
      if outputHashAlgo != "" then
        { inherit outputHashAlgo outputHash; }
      else
        throw "fetchurl was passed outputHash without outputHashAlgo"
    else if sha512 != "" then
      {
        outputHashAlgo = "sha512";
        outputHash = sha512;
      }
    else if sha256 != "" then
      {
        outputHashAlgo = "sha256";
        outputHash = sha256;
      }
    else if sha1 != "" then
      {
        outputHashAlgo = "sha1";
        outputHash = sha1;
      }
    else if cacert != null then
      {
        outputHashAlgo = "sha256";
        outputHash = "";
      }
    else
      throw "fetchurl requires a hash for fixed-output derivation: ${lib.concatStringsSep ", " urls_}";
in

assert
  (lib.isList curlOpts)
  -> lib.warn ''
    fetchurl for ${toString (builtins.head urls_)}: curlOpts is a list (${
      lib.generators.toPretty { multiline = false; } curlOpts
    }), which is not supported anymore.
    - If you wish to get the same effect as before, for elements with spaces (even if escaped) to expand to multiple curl arguments, use a string argument instead:
      curlOpts = ${lib.strings.escapeNixString (toString curlOpts)};
    - If you wish for each list element to be passed as a separate curl argument, allowing arguments to contain spaces, use curlOptsList instead:
      curlOptsList = [ ${lib.concatMapStringsSep " " lib.strings.escapeNixString curlOpts} ];'' true;

stdenvNoCC.mkDerivation (
  (
    if (pname != "" && version != "") then
      { inherit pname version; }
    else
      {
        name =
          if showURLs then
            "urls"
          else if name != "" then
            name
          else
            baseNameOf (toString (builtins.head urls_));
      }
  )
  // {
    builder = ./builder.sh;

    nativeBuildInputs = [ curl ] ++ nativeBuildInputs;

    urls = urls_;

    # If set, prefer the content-addressable mirrors
    # (http://tarballs.nixos.org) over the original URLs.
    preferHashedMirrors = true;

    # New-style output content requirements.
    inherit (hash_) outputHashAlgo outputHash;

    # Disable TLS verification only when we know the hash and no credentials are
    # needed to access the resource
    SSL_CERT_FILE =
      if
        (
          hash_.outputHash == ""
          || hash_.outputHash == lib.fakeSha256
          || hash_.outputHash == lib.fakeSha512
          || hash_.outputHash == lib.fakeHash
          || netrcPhase != null
        )
      then
        "${cacert}/etc/ssl/certs/ca-bundle.crt"
      else
        "/no-cert-file.crt";

    outputHashMode = if (recursiveHash || executable) then "recursive" else "flat";

    inherit curlOpts;
    curlOptsList = lib.escapeShellArgs curlOptsList;
    inherit
      showURLs
      mirrorsFile
      postFetch
      downloadToTemp
      executable
      ;

    impureEnvVars = impureEnvVars ++ netrcImpureEnvVars;

    nixpkgsVersion = lib.trivial.release;

    inherit preferLocalBuild;

    postHook =
      if netrcPhase == null then
        null
      else
        ''
          ${netrcPhase}
          curlOpts="$curlOpts --netrc-file $PWD/netrc"
        '';

    inherit meta;
    passthru = {
      inherit url;
    } // passthru;
  }
)