`name = "com_github_bazelbuild_buildtools", sha256 =`

See that /archive/refs/tags/ part of the path? That’s the endpoint I’m talking about. This is bare-bones dependency management: Bazel attempts to download an archive from the first URL in the list; it tries the next URL if the first is not available, and so on. Bazel then checks the file’s SHA-256 sum against the known value and, if it’s correct, extracts the archive and proceeds with the build.

The Git upgrade caused a change in archives’ SHA-256 sums. I think there was a small change in zip compression, but it doesn’t really matter: any variation in file ordering, alignment or compression causes the archives’ SHA-256 sums to change even though the extracted contents are the same.

This is at least the third time Bazel builds have broken that I can remember. This has also been discussed extensively before.

I’m writing this in the hope that we can make our systems more resilient and avoid these kinds of problems in the future. Since GitHub made the change that triggered this, they naturally get the immediate blame from the community, though I think it’s mostly undeserved. Upgrading dependencies (especially Git and especially if you’re GitHub) is a reasonable thing to do. To my knowledge, GitHub has not documented a guarantee that files returned by the archive endpoints have stable SHA-256 sums.
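The point made above, that any variation in file ordering or compression changes an archive's SHA-256 sum even though the extracted contents are the same, shown as an added example (not code from the original post, Bazel or GitHub). The file names and contents are constructed, and `content_digest` is a hypothetical helper, not a Bazel feature.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample tree standing in for a tagged source snapshot.
FILES = {
    "buildtools/BUILD": b'exports_files(["LICENSE"])\n',
    "buildtools/LICENSE": b"Apache License 2.0\n" * 20,
    "buildtools/main.go": b"package main\n\nfunc main() {}\n",
}


def make_archive(files, names, compresslevel):
    """Pack `files` into .tar.gz bytes, in the given member order."""
    raw = io.BytesIO()
    with gzip.GzipFile(fileobj=raw, mode="wb",
                       compresslevel=compresslevel, mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w") as tar:
            for name in names:
                info = tarfile.TarInfo(name)  # mtime/uid/gid default to 0
                info.size = len(files[name])
                tar.addfile(info, io.BytesIO(files[name]))
    return raw.getvalue()


def archive_digest(blob):
    """What a pinned sha256 checks: the bytes of the container."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob):
    """Hypothetical helper: hash sorted (path, data) pairs after extraction."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted((m for m in tar if m.isfile()), key=lambda m: m.name):
            for field in (m.name.encode(), tar.extractfile(m).read()):
                h.update(len(field).to_bytes(8, "big"))  # length-prefix fields
                h.update(field)
    return h.hexdigest()


if __name__ == "__main__":
    a = make_archive(FILES, sorted(FILES), 9)
    b = make_archive(FILES, sorted(FILES, reverse=True), 1)
    print("archive sha256 equal:", archive_digest(a) == archive_digest(b))
    print("content digest equal:", content_digest(a) == content_digest(b))
```

This content digest covers only paths and file bytes; file modes and symlinks are outside what it compares.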