Support subresource integrity format for download() checksums.
#7208
Conversation
def _repo_test(ctx):
downloaded = ctx.download(
url = ["https://github.com/bazelbuild/bazel/releases/download/0.21.0/bazel-0.21.0-darwin-x86_64.sig"],
output = "test-download.bin",
integrity = [
"sha256-YTmQnwlYCwr3Er6ellav7BH4VTgHi9hbe5vvOfA0P00=",
"sha384-uIEYsgRb01KvTxnqnmbAlEwedx4VBiZlGlAgjL6Qb+K2h4CzDZbo6FRjA5xKqdDr",
"sha512-/+EGy2d+zm/rB6H5FUEzisWW6dZ+N64/8Vrl/W/h0u8oI8nrHO/wvCguUgsp3H9ZKSS13cjk1JhhU0Cfn0a6DA==",
],
)
print("downloaded: ", downloaded)
ctx.file("WORKSPACE", "workspace(name = {name})\n".format(name = repr(ctx.name)))
ctx.file("BUILD.bazel", "")
repo_test = repository_rule(_repo_test) |
irengrig
added
the
team-ExternalDeps
|
/cc @aehlig |
|
Ping @dslomov, PTAL |
|
@dslomov Have you had time to review this yet? |
|
ping @aehlig |
|
General idea and the API shape sounds good to me. |
|
I ran into a bunch of Git conflicts when trying to rebase this to current master. The changes to plumb checksum types through the HTTP layer have been extracted to #8714; this PR will become only the changes to |
jmillikin
force-pushed
the
jmillikin_download-subresource-integrity
branch
7 times, most recently
from
6907711
to
2e28f5e
Compare
|
🎉 Rebase complete, tests added, and all checks green. I had to back off on one of the new features, multiple checksums, because the semantics were too hard to reason about. In browsers the download is allowed if any checksum matches, and I'm not 100% sure that's the right behavior for Bazel. |
This is extracted from #7208 ("Support subresource integrity format for `download()` checksums.") I'm trying to revive that PR and rebase to master, but the replacement of `String sha256` through the HTTP downloader code is causing a lot of Git conflicts. I expect that portion of the change to require less discussion than the proposed content integrity changes, so I'm moving it to a separate PR to simplify review. @dslomov or @aehlig, could one of you take a look? Once this is merged, I will rebase PR 7208 onto it. Closes #8714. PiperOrigin-RevId: 256188026
jmillikin
force-pushed
the
jmillikin_download-subresource-integrity
branch
from
2e28f5e
to
4e5aba1
Compare
|
PR #8714 has merged, and rebase onto it was successful. |
This is extracted from bazelbuild#7208 ("Support subresource integrity format for `download()` checksums.") I'm trying to revive that PR and rebase to master, but the replacement of `String sha256` through the HTTP downloader code is causing a lot of Git conflicts. I expect that portion of the change to require less discussion than the proposed content integrity changes, so I'm moving it to a separate PR to simplify review. @dslomov or @aehlig, could one of you take a look? Once this is merged, I will rebase PR 7208 onto it. Closes bazelbuild#8714. PiperOrigin-RevId: 256188026
|
Gentle ping |
This is extracted from bazelbuild#7208 ("Support subresource integrity format for `download()` checksums.") I'm trying to revive that PR and rebase to master, but the replacement of `String sha256` through the HTTP downloader code is causing a lot of Git conflicts. I expect that portion of the change to require less discussion than the proposed content integrity changes, so I'm moving it to a separate PR to simplify review. @dslomov or @aehlig, could one of you take a look? Once this is merged, I will rebase PR 7208 onto it. Closes bazelbuild#8714. PiperOrigin-RevId: 256188026
philwo
added
the
team-OSS
|
packages uploaded to the npm registry using version 4 or earlier of the npm CLI are published with a SHA-1 hash. Is there a particular reason you didn't include that @jmillikin ? I'll send a PR to add it, so that Bazel can download everything that appears in an npm |
|
Bazel doesn't currently support SHA1 as a download checksum, and I didn't want to change that as part of my PR. I think it would be fine to send a separate PR to enable SHA1 if that would help you. You might also be able to use Yarn, which supports recalculating checksums when writing its lockfile. We use that functionality in our builds so that every package has at least a SHA256 checksum. |
|
Thanks for your reply. I opened #12777 to add SHA-1 in this spot. The feature we are working on for rules_nodejs would have bazel download the tarballs rather than npm or yarn, so we can't rewrite the lockfile (it wouldn't have the bytes on disk yet to calculate a new hash anyway). |
philwo
removed
the
team-OSS
Closes #4881
Notes for the reviewer:
download()anddownload_and_extract()less strict about having asha256field? If we allowed the returned field to depend on the integrity list, then users of SHA-384 and SHA-512 checksums wouldn't need to re-checksum the downloaded file.