buildtools icon indicating copy to clipboard operation
buildtools copied to clipboard

Published 20 hours ago verified publisher icon bazelbuild

Include source code as asset in releases to avoid issues with GitHub compression algorithm changes

Open kjlubick opened this issue 2 years ago • 2 comments

The buildifier docs say to create an http_archive using a GitHub source archive URL like https://github.com/bazelbuild/buildtools/archive/refs/tags/4.2.2.tar.gz.

However, as was observed in a large outage on Jan 31, 2023, the compression algorithm used by GitHub can change, breaking sha256 validation.

The recommendation seems to be to include the source zip/tar.gz files in the release itself as an asset (like protobufs does). GitHub promises not to change those bytes since they are user-provided.

Then, the docs should show a URL like: https://github.com/bazelbuild/buildtools/releases/download/4.2.2/source-4.2.2.tar.gz depending on what file name for the source code asset is.

kjlubick avatar Feb 01 '23 14:02 kjlubick

See also what rules_python did: https://github.com/bazelbuild/rules_python/pull/1032

kjlubick avatar Feb 01 '23 14:02 kjlubick

Huge +1 here, any plans to do this?

luispadron avatar Apr 12 '23 19:04 luispadron