When calling nixpkgs_package without any of the path or repository argument, bazel complains:

DEBUG: /home/guillaume/.cache/bazel/_bazel_guillaume/9923957c70cd7b59bec21e32af97c8be/external/io_tweag_rules_nixpkgs/nixpkgs/nixpkgs.bzl:66:5: 
WARNING: Implicitly using '<nixpkgs>' as the location of Nixpkgs.
This is not recommended because it makes the build non-hermetic.
Set which Nixpkgs to use explicitly using 'repository' or 'path' attributes.

My setup is correct and hermetic because the file pointed by nix_file setups its own pinned clone of nixpkgs. To remove the warning, I have to set a dummy path = ".".

I propose the following changes:

• remove the defaulting to <nixpkgs> when neither path nor repository are selected. and instead load the provided nix_file (or nix_file_content) with no value for <nixpkgs>.
• (optional) add a new attribute enable_impure_nixpkgs_source, with default to false, which re-enable the current behavior.

This way, by default, the user MUST provides either path or repository or a nix_file with a pinned nixpkgs. The optional new attribute may allow her to get back the unsafe behavior.

I'm opening the issue for discussion, PR will follow if we agree on the design.

This may be a good final conclusion to #17