-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support subresource integrity format for download()
checksums.
#7208
Support subresource integrity format for download()
checksums.
#7208
Conversation
def _repo_test(ctx):
downloaded = ctx.download(
url = ["https://github.com/bazelbuild/bazel/releases/download/0.21.0/bazel-0.21.0-darwin-x86_64.sig"],
output = "test-download.bin",
integrity = [
"sha256-YTmQnwlYCwr3Er6ellav7BH4VTgHi9hbe5vvOfA0P00=",
"sha384-uIEYsgRb01KvTxnqnmbAlEwedx4VBiZlGlAgjL6Qb+K2h4CzDZbo6FRjA5xKqdDr",
"sha512-/+EGy2d+zm/rB6H5FUEzisWW6dZ+N64/8Vrl/W/h0u8oI8nrHO/wvCguUgsp3H9ZKSS13cjk1JhhU0Cfn0a6DA==",
],
)
print("downloaded: ", downloaded)
ctx.file("WORKSPACE", "workspace(name = {name})\n".format(name = repr(ctx.name)))
ctx.file("BUILD.bazel", "")
repo_test = repository_rule(_repo_test)
|
/cc @aehlig |
Ping @dslomov, PTAL |
@dslomov Have you had time to review this yet? |
ping @aehlig |
General idea and the API shape sounds good to me. |
I ran into a bunch of Git conflicts when trying to rebase this to current master. The changes to plumb checksum types through the HTTP layer have been extracted to #8714; this PR will become only the changes to |
6907711
to
2e28f5e
Compare
🎉 Rebase complete, tests added, and all checks green. I had to back off on one of the new features, multiple checksums, because the semantics were too hard to reason about. In browsers the download is allowed if any checksum matches, and I'm not 100% sure that's the right behavior for Bazel. |
This is extracted from #7208 ("Support subresource integrity format for `download()` checksums.") I'm trying to revive that PR and rebase to master, but the replacement of `String sha256` through the HTTP downloader code is causing a lot of Git conflicts. I expect that portion of the change to require less discussion than the proposed content integrity changes, so I'm moving it to a separate PR to simplify review. @dslomov or @aehlig, could one of you take a look? Once this is merged, I will rebase PR 7208 onto it. Closes #8714. PiperOrigin-RevId: 256188026
2e28f5e
to
4e5aba1
Compare
PR #8714 has merged, and rebase onto it was successful. |
This is extracted from bazelbuild#7208 ("Support subresource integrity format for `download()` checksums.") I'm trying to revive that PR and rebase to master, but the replacement of `String sha256` through the HTTP downloader code is causing a lot of Git conflicts. I expect that portion of the change to require less discussion than the proposed content integrity changes, so I'm moving it to a separate PR to simplify review. @dslomov or @aehlig, could one of you take a look? Once this is merged, I will rebase PR 7208 onto it. Closes bazelbuild#8714. PiperOrigin-RevId: 256188026
Gentle ping |
This is extracted from bazelbuild#7208 ("Support subresource integrity format for `download()` checksums.") I'm trying to revive that PR and rebase to master, but the replacement of `String sha256` through the HTTP downloader code is causing a lot of Git conflicts. I expect that portion of the change to require less discussion than the proposed content integrity changes, so I'm moving it to a separate PR to simplify review. @dslomov or @aehlig, could one of you take a look? Once this is merged, I will rebase PR 7208 onto it. Closes bazelbuild#8714. PiperOrigin-RevId: 256188026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Thanks. Will import.
packages uploaded to the npm registry using version 4 or earlier of the npm CLI are published with a SHA-1 hash. Is there a particular reason you didn't include that @jmillikin ? I'll send a PR to add it, so that Bazel can download everything that appears in an npm |
Bazel doesn't currently support SHA1 as a download checksum, and I didn't want to change that as part of my PR. I think it would be fine to send a separate PR to enable SHA1 if that would help you. You might also be able to use Yarn, which supports recalculating checksums when writing its lockfile. We use that functionality in our builds so that every package has at least a SHA256 checksum. |
Thanks for your reply. I opened #12777 to add SHA-1 in this spot. The feature we are working on for rules_nodejs would have bazel download the tarballs rather than npm or yarn, so we can't rewrite the lockfile (it wouldn't have the bytes on disk yet to calculate a new hash anyway). |
Closes #4881
Notes for the reviewer:
download()
anddownload_and_extract()
less strict about having asha256
field? If we allowed the returned field to depend on the integrity list, then users of SHA-384 and SHA-512 checksums wouldn't need to re-checksum the downloaded file.