nix-store --repair-path should not delete path before replacing it

[lheckemann]

Describe the bug

This operations work on the store paths in place. This can be a problem if operating on store paths that Nix itself needs in order to perform the operation:

[root@tmp:~]# readlink -f /etc/ssl/certs/ca-bundle.crt
/nix/store/5xcgrpb8x4qrbsz56afsfnqvdaq24dx0-nss-cacert-3.77/etc/ssl/certs/ca-bundle.crt

[root@tmp:~]# nix-store --repair-path /nix/store/5xcgrpb8x4qrbsz56afsfnqvdaq24dx0-nss-cacert-3.77/etc/ssl/certs/ca-bundle.crt
copying path '/nix/store/5xcgrpb8x4qrbsz56afsfnqvdaq24dx0-nss-cacert-3.77' from 'https://cache.nixos.org'...
error: unable to download 'https://cache.nixos.org/nar/0lmk54fn95xnln14msnph4gwzscfy2ini7av85iy9lz057n3phdx.nar.xz': Problem with the SSL CA cert (path? access rights?) (77)
error: cannot repair path '/nix/store/5xcgrpb8x4qrbsz56afsfnqvdaq24dx0-nss-cacert-3.77'

This deletes the contents of the path recursively before starting to fetch the replacement. The new path should IMHO be fetched to a different location and renamed into place afterwards (renameat2 with RENAME_EXCHANGE would be ideal here, wherever available, to avoid a window where the path does not exist).

Steps To Reproduce

1. Try repairing the in-use cacert path.

Expected behavior

The cacert path is repaired without any problems.

nix-env --version output

Tested on:

• nix-env (Nix) 2.8.1