An important concept of Please is that you should be getting what you expect at
each build. Third-party dependencies are an important case for this since they allow
code you don't totally control into your build.
Please has two explicit mechanisms for controlling this.
Please can natively verify hashes of packages. Some of the built-in rules for fetching things from third-party repos have this option, and you can add it to your own genrules. For example, one of the Python libraries we use:

```python
pip_library(
    name = "six",
    version = "1.9.0",
    outs = ["six.py"],
    hashes = ["sha1: 0c31ab7cf1a2761efa32d9a7e891ddeadc0d8673"],
)
```

This declares that the calculated sha1 hash of the rule's output must match one of the given set, and the build fails if it doesn't.
You can find the output hash of a particular target by running
plz hash //third_party/python:six
which calculates it for you so that you can enter it in the BUILD file.
If it changes (for example when you update the version), plz can update the BUILD file for you via
plz hash --update //third_party/python:six.
Check why the hash changed before accepting the update: running --update reflexively after every failure turns the check into a record of whatever was last downloaded rather than of what you expected.
The reason for allowing multiple hashes is for rules that generate different outputs on different architectures; this is common for Python libraries which have a compiled component, for example.
For testing purposes you can run Please with the corresponding flag, which reduces hash verification failures to a warning message only. Don't leave it enabled in CI or release builds, since it removes the guarantee entirely.
Note that when relying on hash verification you must be careful that the outputs of your rule are really deterministic. This is generally true for rules that simply download a file from a fixed URL, but obviously only if the server returns the same thing every time for that URL.
Some care should be taken with pip_library, since the outputs of a pip install for a package containing binary (not pure Python) modules are only bit-for-bit identical if you downloaded a precompiled wheel; a locally compiled extension will not hash the same on every machine. Different Python and OS versions can affect the result too, which is the usual reason to list more than one hash.
The sha1: prefix is informative only; in fact any string can occur before the colon, and the digest is always compared as sha1 regardless of the label, so writing a different label does not select a different algorithm. In future we may extend this to allow specifying other hash types.
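The following Python sketch is an added example, not Please's own implementation, that reproduces the semantics described above: the sha1 of each output is compared against a declared set, any label before the colon is ignored, a mismatch fails the build unless a warn-only mode is on, and a compiled output that differs per architecture contributes a second hash. The sample outputs, the helper names and the exact update behaviour are assumptions made for this example.

```python
import hashlib

# Constructed stand-ins for what a fetch rule produced on different machines.
# These bytes are invented for the example, not the contents of any real package.
OUTPUTS = {
    "linux_x86_64": b"# six.py: constructed stand-in for a pure-Python module\n",
    "darwin_arm64": b"# six.py: constructed stand-in for a pure-Python module\n",
    "ext_linux_x86_64": b"\x7fELF constructed compiled extension, built on linux\n",
    "ext_darwin_arm64": b"\xcf\xfa\xed\xfe constructed compiled extension, built on darwin\n",
}


class HashMismatch(Exception):
    """Raised when an output's hash matches none of the declared hashes."""


def output_hash(data: bytes) -> str:
    """What `plz hash` would report for a single output: its sha1 hex digest."""
    return hashlib.sha1(data).hexdigest()


def declared_digest(entry: str) -> str:
    """The label before the colon is informative only, so "sha1: abc",
    "anything: abc" and plain "abc" all denote the digest "abc" (assumed:
    the text after the last colon, whitespace stripped, case-folded)."""
    return entry.rsplit(":", 1)[-1].strip().lower()


def verify(data: bytes, hashes: list, warn_only: bool = False) -> bool:
    """Accept the output if its sha1 is in the declared set.

    warn_only models the testing flag the page mentions: a mismatch is
    reported but not fatal. Leave it off for real builds."""
    actual = output_hash(data)
    allowed = {declared_digest(h) for h in hashes}
    if actual in allowed:
        return True
    message = "hash mismatch: got %s, expected one of %s" % (actual, sorted(allowed))
    if warn_only:
        print("WARNING:", message)
        return False
    raise HashMismatch(message)


def update_hashes(data: bytes, hashes: list) -> list:
    """Rough analogue of `plz hash --update` for one output (assumed behaviour):
    add the actual hash if it is missing, keeping existing entries so outputs
    produced on other architectures keep verifying."""
    actual = output_hash(data)
    if actual in {declared_digest(h) for h in hashes}:
        return list(hashes)
    return list(hashes) + ["sha1: " + actual]


def demo() -> dict:
    """Walk through the scenarios from the text; each value is True on success."""
    results = {}
    # 1. A pure-Python output is byte-identical everywhere, so one hash suffices.
    pure = update_hashes(OUTPUTS["linux_x86_64"], [])
    results["pure_single_hash"] = len(pure) == 1
    results["pure_other_arch_ok"] = verify(OUTPUTS["darwin_arm64"], pure)
    # 2. A compiled extension differs per platform: the hash recorded on linux
    #    fails on darwin (warn-only here so the demo continues)...
    ext = update_hashes(OUTPUTS["ext_linux_x86_64"], [])
    results["ext_darwin_mismatch"] = not verify(OUTPUTS["ext_darwin_arm64"], ext, warn_only=True)
    #    ...which is why such a rule lists one hash per architecture.
    ext = update_hashes(OUTPUTS["ext_darwin_arm64"], ext)
    results["ext_both_ok"] = verify(OUTPUTS["ext_linux_x86_64"], ext) and verify(
        OUTPUTS["ext_darwin_arm64"], ext)
    # 3. A download whose content changed (constructed here by appending a line)
    #    fails closed when warn_only is off.
    changed = OUTPUTS["linux_x86_64"] + b"# unexpected extra content\n"
    try:
        verify(changed, pure)
        results["changed_rejected"] = False
    except HashMismatch:
        results["changed_rejected"] = True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(("PASS " if ok else "FAIL ") + name)
```

The per-architecture case is the one to watch: a second hash is only justified when you have inspected the second artefact yourself, otherwise the list silently grows to cover whatever each machine happened to download.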
Please can attempt to autodetect licences from some third-party packages and inform you if they're not ones you'd accept. You mark licences in the .plzconfig file like so:

```ini
[licences]
accept = MIT
accept = BSD
reject = MS-EULA
```

By default, with no [licences] section, Please won't perform any licence checking.
Currently we can autodetect licences from some rule types; you can also set them manually via the
licences attribute on a rule.
It bears mentioning that this is done on a best-effort basis. Since licences and their
locations are not standardised in pip (and many other places), we can't always be fully
confident about how to match licence names and hence don't try: for example, several quite
different strings (The Apache Software License, version 2 among them) all refer to the same licence,
whereas some licence names that are only one letter apart denote significantly different licences.
In practice this means the accept and reject lists need the exact strings the packages actually carry, and a rule whose licence can't be detected should have it set explicitly via the licences attribute.
Please also isn't a lawyer and can't provide advice about whether a specific licence is suitable for you or not. Only you can make that decision.
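As an added example, not Please's own code, the following Python script models the configuration and the best-effort matching described above: it collects the repeated accept= and reject= keys of a [licences] section and classifies each target's licence string by exact (case-insensitive) comparison. The config excerpt, the target names and their licence strings are constructed for the example, and the decision rule (reject list wins, then anything missing from a non-empty accept list is flagged, an empty policy means no checking) is an assumption made here to illustrate the page's description.

```python
import re
from typing import Dict, List, Optional

# Constructed .plzconfig excerpt, mirroring the page's example plus an
# unrelated section to show that only [licences] is consulted.
PLZCONFIG = """
[build]
; unrelated section, ignored by the licence check
timeout = 600

[licences]
accept = MIT
accept = BSD
reject = MS-EULA
"""

# Constructed targets with the licence string autodetection (or the rule's
# licences attribute) would supply; None means nothing was detected.
TARGETS = {
    "//third_party/python:six": "MIT",
    "//third_party/python:constructed_bsd_lib": "bsd",
    "//third_party/python:constructed_eula_lib": "MS-EULA",
    "//third_party/python:constructed_apache_lib": "Apache 2.0",
    "//third_party/python:constructed_unlabelled_lib": None,
}


def parse_licences(config_text: str) -> Dict[str, List[str]]:
    """Collect the repeated accept= / reject= keys of the [licences] section.
    A hand-rolled loop is used because configparser does not keep repeated keys."""
    policy = {"accept": [], "reject": []}
    section = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "licences" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key in policy and value:
            policy[key].append(value)
    return policy


def check_licence(licence: Optional[str], policy: Dict[str, List[str]]) -> str:
    """Assumed semantics for this example: an empty policy means no checking;
    a licence on the reject list is rejected; if an accept list exists, a
    licence not on it is flagged. Matching is exact apart from case, since
    names are not standardised and no fuzzy matching is attempted."""
    if not policy["accept"] and not policy["reject"]:
        return "unchecked"
    if licence is None:
        return "unknown"  # nothing detected: set the licences attribute on the rule
    name = licence.strip().lower()
    if name in {r.lower() for r in policy["reject"]}:
        return "rejected"
    if policy["accept"] and name not in {a.lower() for a in policy["accept"]}:
        return "not accepted"
    return "accepted"


def report(targets: Dict[str, Optional[str]], config_text: str) -> Dict[str, str]:
    """Classify every target against the policy parsed from config_text."""
    policy = parse_licences(config_text)
    return {target: check_licence(lic, policy) for target, lic in targets.items()}


if __name__ == "__main__":
    for target, status in report(TARGETS, PLZCONFIG).items():
        print("%-52s %s" % (target, status))
```

Note what happens to the constructed Apache target: "Apache 2.0" is flagged as not accepted even though a reader might consider it a licence they would accept, because the accept list names only MIT and BSD and the comparison is a plain string match. Under this model the fix is to add each spelling the packages actually use to the accept list, or to set the licences attribute on the rule to a string the policy already knows.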