Remove SHA checksum for bazel http_archive from GitHub #95039

Closed
wants to merge 8 commits into from

@huydhn huydhn commented Feb 17, 2023

An action item from #94346

Although the security practice of setting the checksum is good, it doesn't work when the archive is downloaded from some sites like GitHub because it can change. Specifically, GitHub gives no guarantee to keep the same value forever (community/community#46034).

This also adds a new linter to make sure that SHA checksum from GitHub can be removed quickly. The WORKSPACE file is actually updated using the new linter:

>>> Lint for WORKSPACE:

  Advice (BAZEL_LINTER) format
    Redundant SHA checksum. Run `lintrunner -a` to apply this patch.

    You can run `lintrunner -a` to apply this patch.

     5   5 |
     6   6 | http_archive(
     7   7 |     name = "rules_cuda",
     7     |-    sha256 = "f80438bee9906e9ecb1a8a4ae2365374ac1e8a283897281a2db2fb7fcf746333",
     9   8 |     strip_prefix = "runtime-b1c7cce21ba4661c17ac72421c6a0e2015e7bef3/third_party/rules_cuda",
    10   9 |     urls = ["https://github.com/tensorflow/runtime/archive/b1c7cce21ba4661c17ac72421c6a0e2015e7bef3.tar.gz"],
    11  10 | )
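Review bot: with `sha256` dropped from `rules_cuda` and no `integrity` attribute added in its place, nothing in this `http_archive` verifies the bytes fetched from the `urls` entry; the commit hash in the URL and in `strip_prefix` names the tree but is never checked against the download. Bazel's documentation treats omitting the checksum as a security risk and a loss of hermeticity, so consider fetching from a mirror or an uploaded release asset whose bytes are fixed and keeping the checksum there, rather than removing verification.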
--------------------------------------------------------------------------------
    29  28 |   name = "pybind11_bazel",
    30  29 |   strip_prefix = "pybind11_bazel-992381ced716ae12122360b0fbadbc3dda436dbf",
    31  30 |   urls = ["https://github.com/pybind/pybind11_bazel/archive/992381ced716ae12122360b0fbadbc3dda436dbf.zip"],
    31     |-  sha256 = "3dc6435bd41c058453efe102995ef084d0a86b0176fd6a67a6b7100a2e9a940e",
    33  31 | )
    34  32 |
    35  33 | new_local_repository(
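Review bot: the `pybind11_bazel` rule is left with no trace of why its `sha256` line is gone, so a later reader of WORKSPACE may restore it or take the omission for an oversight. A short comment next to `urls` pointing at the GitHub archive-stability discussion cited in the description would document the decision where it applies.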
--------------------------------------------------------------------------------
    52  50 |     urls = [
    53  51 |         "https://github.com/gflags/gflags/archive/v2.2.2.tar.gz",
    54  52 |     ],
    54     |-    sha256 = "34af2f15cf7367513b352bdcd2493ab14ce43692d2dcd9dfc499492966c64dcf",
    56  53 | )
    57  54 |
    58  55 | new_local_repository(
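Review bot: the `gflags` URL `archive/v2.2.2.tar.gz` refers to a tag rather than a commit hash, and unlike the two commit-pinned archives in the earlier hunks a tag can be re-pointed upstream; once `sha256` is removed here, a change of content behind the tag goes unnoticed. Pin this URL to the commit hash the tag resolves to, or have the linter keep the checksum for tag-based URLs.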

@huydhn huydhn requested review from malfet, ZainRizvi and a team February 17, 2023 04:18
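
Why an archive checksum can change while the source does not, as an added example that is not part of this PR or of PyTorch's linter: the same constructed file tree packed at two gzip levels gives different file digests but a single content digest. `FILES`, `make_archive` and `content_sha256` are names made up here, and the content digest is an illustration of one possible check, not a Bazel feature.

```python
import gzip, hashlib, io, tarfile

# Constructed sample tree standing in for a source archive's contents.
FILES = {
    "pkg-1.0/README.md": b"# pkg\n" + b"Build with bazel.\n" * 40,
    "pkg-1.0/src/main.c": b"int main(void) { return 0; }\n" * 60,
}

def make_archive(files, level):
    """Pack {name: bytes} into a .tar.gz at the given gzip level."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)  # mtime defaults to 0
            info.size = len(files[name])
            tar.addfile(info, io.BytesIO(files[name]))
    out = io.BytesIO()
    with gzip.GzipFile(fileobj=out, mode="wb", compresslevel=level, mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()

def archive_sha256(blob):
    """What a checksum over the downloaded file sees."""
    return hashlib.sha256(blob).hexdigest()

def content_sha256(blob):
    """Digest over member names and file bytes only."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in sorted(tar.getmembers(), key=lambda m: m.name):
            if m.isfile():
                data = tar.extractfile(m).read()
                h.update(f"{m.name}\0{len(data)}\0".encode() + data)
    return h.hexdigest()

if __name__ == "__main__":
    fast, best = make_archive(FILES, 1), make_archive(FILES, 9)
    print("archive digests equal:", archive_sha256(fast) == archive_sha256(best))
    print("content digests equal:", content_sha256(fast) == content_sha256(best))
```

The `sha256` attribute of `http_archive` corresponds to `archive_sha256` here: it covers the downloaded file, so a change in how the server compresses the archive breaks it even when every source file is unchanged.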
pytorch-bot bot commented Feb 17, 2023

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/95039

Note: Links to docs will display an error until the docs builds have been completed.

✅ No Failures

As of commit bf0efec:
💚 Looks good so far! There are no failures yet. 💚

This comment was automatically generated by Dr. CI and updates every 15 minutes.

@huydhn huydhn marked this pull request as ready for review February 17, 2023 04:36
@huydhn huydhn added the topic: not user facing topic category label Feb 22, 2023
huydhn commented Feb 22, 2023

@pytorchbot merge -f 'Linter update only and lint jobs have passed'

@pytorchmergebot
Collaborator

Merge started

Your change will be merged immediately since you used the force (-f) flag, bypassing any CI checks (ETA: 1-5 minutes).

Learn more about merging in the wiki.

Questions? Feedback? Please reach out to the PyTorch DevX Team

Advanced Debugging
Check the merge workflow status here

cyyever pushed a commit to cyyever/pytorch_private that referenced this pull request Mar 5, 2023
Pull Request resolved: pytorch/pytorch#95039
Approved by: https://github.com/ZainRizvi
pruthvistony added a commit to ROCm/pytorch that referenced this pull request May 2, 2023
jhavukainen pushed a commit to kulinseth/pytorch that referenced this pull request Mar 15, 2024