Update sha1 documentation for the maven_jar rule to reflect its lack …

…of security as a cryptographic hash. See #8880. RELNOTES: None. PiperOrigin-RevId: 258186415
bazelbuild · Jul 15, 2019 · b065b13 · b065b13
1 parent f380735
commit b065b13
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/workspace/MavenJarRule.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/workspace/MavenJarRule.java
@@ -58,10 +58,13 @@ public RuleClass build(RuleClass.Builder builder, RuleDefinitionEnvironment envi
         /* <!-- #BLAZE_RULE(maven_jar).ATTRIBUTE(sha1) -->
         A SHA-1 hash of the desired jar.
 
-        <p>If the downloaded jar does not match this hash, Bazel will error out. <em>It is a
-        security risk to omit the SHA-1 as remote files can change.</em> At best omitting this
-        field will make your build non-hermetic. It is optional to make development easier but
-        should be set before shipping.</p>
+        <p>If the downloaded jar does not match this hash, Bazel will error out. It is a security
+        risk to download a file without verifying cryptographic secure hash. <b>Note that SHA-1 is
+        no longer considered a secure cryptographic hash function</b>, but specifying the hash is
+        still marginally better than no check at all. This attribute is kept here for legacy support
+        purposes. Please migrate to <a href="https://github.com/bazelbuild/rules_jvm_external/">
+        <code>rules_jvm_external</code></a> and pin your Maven artifacts with their SHA-256
+        checksums.</p>
         <!-- #END_BLAZE_RULE.ATTRIBUTE --> */
         .add(attr("sha1", Type.STRING))
         /* <!-- #BLAZE_RULE(maven_jar).ATTRIBUTE(sha1_src) -->