Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support artifact checksum pinning #125

Closed
jin opened this issue Apr 23, 2019 · 15 comments · Fixed by #169
Closed

Support artifact checksum pinning #125

jin opened this issue Apr 23, 2019 · 15 comments · Fixed by #169
Assignees
@jin
Labels
type: feature request
Projects
Triage

Comments

@jin
Copy link
Member

jin commented Apr 23, 2019
edited
Loading

From Bazel slack: https://bazelbuild.slack.com/archives/CE6AZNQP7/p1556024364000500

Coursier supports it: coursier/coursier#625
@jin jin added this to Needs triage in Triage via automation Apr 23, 2019
@jin jin moved this from Needs triage to P0 in Triage Apr 23, 2019
@jin
Copy link
Member Author

jin commented Apr 23, 2019
edited
Loading

I'm probably doing this incorrectly, but the --checksum flag doesn't seem to be doing what I think it should do:

$ sha1sum /usr/local/google/home/jingwen/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.2.0/error_prone_annotations-2.2.0.jar
88e3c593e9b3586e1c6177f89267da6fc6986f0c  /usr/local/google/home/jingwen/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.2.0/error_prone_annotations-2.2.0.jar

$ cat /usr/local/google/home/jingwen/.cache/coursier/v1/https/repo1.maven.org/maven2/com/google/errorprone/error_prone_annotations/2.2.0/error_prone_annotations-2.2.0.jar.sha1 
88e3c593e9b3586e1c6177f89267da6fc6986f0c

$ coursier fetch com.google.errorprone:error_prone_annotations:2.2.0 --checksum 88e3c593e9b3586e1c6177f89267da6fc6986f0c
mirrorConfFiles=List(MirrorConfFile(/usr/local/google/home/jingwen/.config/coursier/mirror.properties, true))
allMirrors0=List()
Resolution error: Error downloading com.google.errorprone:error_prone_annotations:2.2.0
  not found: /usr/local/google/home/jingwen/.ivy2/local/com.google.errorprone/error_prone_annotations/2.2.0/ivys/ivy.xml
  checksum not found:

@jin jin mentioned this issue Apr 23, 2019
Open
@jin
Copy link
Member Author

jin commented Apr 24, 2019

Looks like Coursier CLI doesn't support this yet, according to the referenced issue. We may have to do the checksum verification out of band, after downloading the jars and possibly while generating the BUILD targets.

@arjantop
Copy link

Would this issue also cover "locking" versions of all transitive dependencies? (Like Cargo.lock etc.)

@jin
Copy link
Member Author

jin commented Apr 25, 2019

@arjantop That's #107

@JaredNeil
Copy link
Contributor

@jin #107, does not seem to be about generating or using a .lock file.

@jin
Copy link
Member Author

jin commented Apr 25, 2019
edited
Loading

My understanding is that locking and pinning are similar to each other. #107 talks about locking top level artifacts to specific versions, but doesn't cover transitive dependencies. Let's continue discussions there?

@arjantop
Copy link

@jin If I understand #107 it is about overriding/pinning specific transitive dependencies to some version, .lock file would be generated automatically, pinning all versions to the resolved ones

@jin
Copy link
Member Author

jin commented Apr 25, 2019
edited
Loading

Yes, and I imagine lock file generation will involve Bazel WORKSPACE resolve files to a large extent.

@jin jin changed the title Support artifact checksum verification and pinning Support artifact checksum verification Apr 28, 2019
@mandrean
Copy link
Contributor

@jin Maybe this issue should be renamed "Support artifact checksum pinning" or something to differentiate it from #134 which is more actually verification IMHO

@jin jin changed the title Support artifact checksum verification Support artifact checksum pinning Apr 30, 2019
@JaredNeil
Copy link
Contributor

JaredNeil commented Apr 30, 2019
edited
Loading

One benefit of a lock file not yet discussed here is that the artifacts are pre-resolved to an artifact URL and shasum. This can save a lot of time every time you would normally need to re-run the coursier resolver (several minutes in our repository). Doing the resolution once and storing that information to a lock file saves us a ton of time in our CI builds.

@borkaehw
Copy link
Contributor

borkaehw commented May 7, 2019

@jin any thought on the benefit of a lock file that @JaredNeil mentioned?

@jin
Copy link
Member Author

jin commented May 9, 2019

I agree. This is something that I'll discuss with @aehlig, who implemented the Bazel-wide lock file for external repositories (--experimental_workspace_resolved_file).

@borkaehw
Copy link
Contributor

@jin just a follow-up. Any update on the lock file?

@jin
Copy link
Member Author

jin commented May 17, 2019

Sorry, no updates on this yet.

@jin jin mentioned this issue Jun 17, 2019
Merged
@jin
Copy link
Member Author

jin commented Jun 17, 2019
edited
Loading

Work in progress to support artifact checksum pinning in a file read and exported by maven_install: #169

@jin jin self-assigned this Jun 19, 2019
@jin jin closed this as completed in #169 Jul 4, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jin jin

Labels
type: feature request
Projects
No open projects
Triage
  
P0
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Support pinning artifacts with checksums and downloading artifacts with Bazel jin/rules_jvm_external
5 participants
@arjantop @jin @JaredNeil @mandrean @borkaehw