0.15.0 Sha256 Sum Changed #1031

Closed
loganasherjones opened this issue Jan 30, 2023 · 7 comments

@loganasherjones

🐞 bug report

Affected Rule

N/A

Is this a regression?

N/A

Description

Recently, the 0.15.0 version of rules_python seems to have a different sha256sum. According to the release page for 0.15.0 the sha256 should be fda23c37fbacf7579f94d5e8f342d3a831140e9471b770782e83846117dd6596 but I'm currently getting 99e0d77f6ca445134adb5ef3d321a065d3b55b47a834cca110c30bf519d919bb.

🔬 Minimal Reproduction

Create a WORKSPACE using the instructions from the 0.15.0 release page:

load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
    name = "bazel_skylib",
    sha256 = "74d544d96f4a5bb630d465ca8bbcfe231e3594e5aae57e1edbf17a6eb3ca2506",
    urls = [
        "https://mirror.bazel.build/github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz",
        "https://github.com/bazelbuild/bazel-skylib/releases/download/1.3.0/bazel-skylib-1.3.0.tar.gz",
    ],
)
http_archive(
    name = "rules_python",
    sha256 = "fda23c37fbacf7579f94d5e8f342d3a831140e9471b770782e83846117dd6596",
    strip_prefix = "rules_python-0.15.0",
    url = "https://github.com/bazelbuild/rules_python/archive/refs/tags/0.15.0.tar.gz",
)

main.py:

print("Hello, World")

BUILD:

load("@rules_python//python:defs.bzl", "py_binary")

py_binary(
    name = "main",
    srcs = ["main.py"],
)

bazel run //:main

Will fail with a checksum issue.

🔥 Exception or Error


ERROR: An error occurred during the fetch of repository 'rules_python':
   Traceback (most recent call last):
	File "/home/.cache/bazel/external/bazel_tools/tools/build_defs/repo/http.bzl", line 125, column 45, in _http_archive_impl
		download_info = ctx.download_and_extract(
Error in download_and_extract: java.io.IOException: Error downloading [https://github.com/bazelbuild/rules_python/archive/refs/tags/0.15.0.tar.gz] to /home/.cache/bazel/external/rules_python/temp14311180362336136035/0.15.0.tar.gz: Checksum was 99e0d77f6ca445134adb5ef3d321a065d3b55b47a834cca110c30bf519d919bb but wanted fda23c37fbacf7579f94d5e8f342d3a831140e9471b770782e83846117dd6596

🌍 Your Environment

Operating System:

Confirmed on Ubuntu, Red Hat and Windows

Output of bazel version:

Rules_python version:

0.15.0

Anything else relevant?

@loganasherjones
Author

Hmm, this also appears to be affecting rules_jvm 0.9.0. Did GitHub change something?

@CrazyKevinHu

CrazyKevinHu commented Jan 30, 2023

same for https://github.com/bazelbuild/rules_python/archive/refs/tags/0.7.0.tar.gz wrong hash
Checksum was 3291d135797e424c02f3860fb5ac0a026ce63e61621da18b1da334f90afbe98a but wanted 15f84594af9da06750ceb878abbf129241421e3abbd6e36893041188db67f2fb

@loganasherjones
Author

Ok, I think this happened because we currently rely on the source code .tar.gz files.

Unfortunately, this source code is generated automatically by GitHub on release. This means that GitHub can change the contents of it relatively easily. Here seems to be some supporting evidence:

My guess is that GitHub changed something recently for how these source code .tar.gz files are downloaded. Seems like it's going to cause some massive headaches for bazel libraries that release this way.

I think the core problem is that the release does not include its own .tar.gz file. Compare that with something like the skylib release, which uploads their own version of the .tar.gz file.

@phlax
Contributor

phlax commented Jan 30, 2023

FYI, we are hitting similar issues in another project (Envoy), so it seems like GitHub have broken the tarball hashes (again).

@Wyverald
Member

Last time this happened, GitHub promised that certain archives will have stable checksums: bazel-contrib/SIG-rules-authors#11 (comment)

@loganasherjones
Author

Yep looks like there is a community discussion on it now

@loganasherjones
Author

I'm going to go ahead and close this as GitHub seems to have reverted the change. I think #1032 will solve problems like this in the future. For details on what happened see the community discussion linked above.
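
Added example, not part of the thread or of rules_python: a triage helper for the kind of mismatch reported above, which separates "same source tree, archive bytes re-packaged" from "files actually changed" before anyone re-pins a sha256. It assumes you still hold a trusted copy of the previously pinned archive (for example from a cache or mirror); all function names and the sample archives are constructed for illustration.

```python
import gzip, hashlib, io, tarfile

def make_tar(files):
    """Build an uncompressed tar from {name: bytes} (sample-data helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def archive_sha256(blob):
    """Digest of the compressed bytes, which is what http_archive's sha256 pins."""
    return hashlib.sha256(blob).hexdigest()

def content_sha256(blob):
    """Digest of member names, types, modes, link targets and file bytes only."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            h.update(f"{m.name}\0{m.type!r}\0{m.mode:o}\0{m.linkname}\0{m.size}\0".encode())
            if m.isfile():
                h.update(tar.extractfile(m).read())
    return h.hexdigest()

def triage(trusted_blob, fetched_blob):
    """Classify a checksum mismatch against a trusted copy of the archive."""
    if archive_sha256(trusted_blob) == archive_sha256(fetched_blob):
        return "identical"
    if content_sha256(trusted_blob) == content_sha256(fetched_blob):
        return "repackaged"       # same tree, different tar/gzip bytes
    return "content-changed"      # files differ: review before re-pinning

# Constructed sample data (not the real rules_python archive).
FILES = {"demo-1.0/BUILD": b'py_binary(name = "main")\n',
         "demo-1.0/main.py": b'print("Hello, World")\n'}
TAR = make_tar(FILES)
OLD = gzip.compress(TAR, compresslevel=9, mtime=0)
NEW = gzip.compress(TAR, compresslevel=1, mtime=1)  # same tar, re-compressed
CHANGED = gzip.compress(
    make_tar({**FILES, "demo-1.0/main.py": b'print("changed")\n'}), mtime=0)

if __name__ == "__main__":
    for label, blob in (("re-compressed", NEW), ("edited", CHANGED)):
        print(label, archive_sha256(blob)[:16], triage(OLD, blob))
```

A "repackaged" verdict only says the extracted tree matches the trusted copy; the pinned sha256 still has to be updated or pointed at an uploaded release asset whose bytes do not get regenerated.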
