jvm_import_external not failing properly for wrong artifact_sha256

[guw]

Description of the problem / feature request:

    jvm_maven_import_external(
        name = "info_picocli",
        artifact = "info.picocli:picocli:4.0.4",
        artifact_sha256 = "",
        licenses = ["notice"],
        server_urls = maven_servers,
    )

If artifact_sha256 is empty and maven_servers is a non-secure service Bazel is complaining about the missing artifact_sha256.

However, if I specify a wrong artifact_sha256 (copy and paste error on my end), Bazel build is not failing with a "wrong sha error" but with a weird: Extracting interface @info_picocli//:info_picocli failed (Aborted): ijar failed: error executing command because of Unable to open Zip file external/info_picocli/....jar: Input/output error

Feature requests: what underlying problem are you trying to solve with this feature?

Bazel should fail with a message explaining that the SHA is wrong.

What's the output of bazel info release?

1.2.1

[benjaminp]

Bazel uses the sha256 attribute to index its content-addressable repository cache. So, it's possible to Bazel pulls some artifact out of the cache if you copy-paste its hash.

[guw]

@benjaminp Thanks for that detail. Is there any history on why just the sha256 is used as cache key but not significant other parts (such as jar name or artifact id)?

It's very likely that this is the reasons, i.e. it copied wrong content from the cache.

[jin]

cc @aehlig

Also see:

#5144
#6089
#7676 (comment)

[aehlig]

@jin since jvm_import_external has another identifier, it probably should use the cache separation described in https://github.com/bazelbuild/proposals/blob/master/designs/2019-04-29-cache.md that is already implemented.

[jin]

@aehlig Thanks. We should set canonical_id parameter to be the fully qualified coordinates of the artifact, since artifacts are immutable and the coordinates (should) map 1:1 to the checksum.