GitHub source archive hashes changing

Brian Silverman

Mar 2, 2023, 8:46:49 PM
to bazel-discuss
Hi everybody,

I ran across this blog post from GitHub, and it seems relevant to many Bazel projects and users: https://github.blog/2023-02-21-update-on-the-future-stability-of-source-code-archives-and-hashes/

TLDR is GitHub didn't realize people rely on checksums of source archives staying the same. Now that they do, they're going to keep them the same for a year, and then provide six months of notice for future changes. Note that tarballs provided as part of a release are separate from this, and are a better alternative.

This means using http_archive with tarballs of source code downloaded from GitHub is not a good idea. I know I've done this because http_archive is so much faster than git_archive. I usually end up rehosting the tarball somewhere else because github.com downloads are slow and unreliable, but this is another very good reason to rehost them.

For example, the rules_python getting started docs use this approach, and should be updated. I've seen it in many other Bazel rulesets too. A better approach is the rules_rust setup instructions, which use a tarball from a release on GitHub.

Brian Silverman
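
An added example, not part of the original thread or of any project's code: a small Python audit that flags `http_archive` calls pinned to GitHub's auto-generated source archives and leaves release-asset URLs alone. The URL patterns are GitHub's standard archive, codeload and API tarball paths; the repository names, URLs and digests in the sample are constructed placeholders.

```python
import re

# Matches an http_archive(...) call; assumes no nested parentheses in its arguments.
ARCHIVE_CALL = re.compile(r"\bhttp_archive\s*\((.*?)\)", re.S)
NAME = re.compile(r'\bname\s*=\s*"([^"]+)"')
URL = re.compile(r'"(https?://[^"]+)"')

# Archives GitHub generates on demand from a git ref (the kind the post warns about).
GENERATED = re.compile(
    r"^https?://(?:github\.com/[^/]+/[^/]+/archive/"
    r"|codeload\.github\.com/[^/]+/[^/]+/(?:tar\.gz|zip)/"
    r"|api\.github\.com/repos/[^/]+/[^/]+/(?:tarball|zipball))"
)
# Files uploaded to a release: stored bytes, not regenerated.
RELEASE_ASSET = re.compile(r"^https?://github\.com/[^/]+/[^/]+/releases/download/")


def classify(url):
    if RELEASE_ASSET.match(url):
        return "release-asset"
    return "generated-archive" if GENERATED.match(url) else "other"


def audit(workspace_text):
    """Return [(repo_name, [generated-archive URLs])] for each flagged http_archive."""
    findings = []
    for call in ARCHIVE_CALL.finditer(workspace_text):
        body = call.group(1)
        name = NAME.search(body)
        risky = [u for u in URL.findall(body) if classify(u) == "generated-archive"]
        # One sha256 covers every URL in the call, so a mirror listed beside a
        # generated archive does not make the generated URL safe to keep.
        if risky:
            findings.append((name.group(1) if name else "<unnamed>", risky))
    return findings


# Constructed sample; repository names, URLs and digests are placeholders.
SAMPLE = '''
http_archive(name = "rules_a", sha256 = "<sha256>",
    urls = ["https://github.com/example-org/rules_a/archive/refs/tags/v1.2.3.tar.gz"])
http_archive(name = "rules_b", sha256 = "<sha256>",
    urls = ["https://github.com/example-org/rules_b/releases/download/v0.4.0/rules_b-v0.4.0.tar.gz"])
http_archive(name = "rules_c", sha256 = "<sha256>", urls = [
    "https://mirror.example.com/rules_c-abc123.tar.gz",
    "https://github.com/example-org/rules_c/archive/abc123.tar.gz"])
'''

if __name__ == "__main__":
    for name, urls in audit(SAMPLE):
        print(f"{name}: pinned to generated archive {urls}")
```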

Alex Eagle

Mar 4, 2023, 8:34:12 PM
to bazel-discuss
Yes, there was a bunch of discussion on Bazel Slack and on the centithread https://github.com/bazel-contrib/SIG-rules-authors/issues/11, so we made this determination a couple days after the outage.

I updated the canonical rules template: https://github.com/bazel-contrib/rules-template/commit/82fdd337cda84bbe012751e959fb8388f8f7d76c (it's linked from https://bazel.build/rules/rules-tutorial)

I'll fix up rules_python - please do file issues on anything else that needs an update; as you see from that template change, it's easy to do.
-Alex