Update sha1 documentation for the maven_jar rule to reflect its lack of security as a cryptographic hash.
See https://github.com/bazelbuild/bazel/issues/8880.
RELNOTES: None.
PiperOrigin-RevId: 258186415
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/rules/workspace/MavenJarRule.java b/src/main/java/com/google/devtools/build/lib/bazel/rules/workspace/MavenJarRule.java
index 8cdc1ec..1637ea2 100644
--- a/src/main/java/com/google/devtools/build/lib/bazel/rules/workspace/MavenJarRule.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/rules/workspace/MavenJarRule.java
@@ -58,10 +58,13 @@
/* <!-- #BLAZE_RULE(maven_jar).ATTRIBUTE(sha1) -->
A SHA-1 hash of the desired jar.
- <p>If the downloaded jar does not match this hash, Bazel will error out. <em>It is a
- security risk to omit the SHA-1 as remote files can change.</em> At best omitting this
- field will make your build non-hermetic. It is optional to make development easier but
- should be set before shipping.</p>
+ <p>If the downloaded jar does not match this hash, Bazel will error out. It is a security
+ risk to download a file without verifying cryptographic secure hash. <b>Note that SHA-1 is
+ no longer considered a secure cryptographic hash function</b>, but specifying the hash is
+ still marginally better than no check at all. This attribute is kept here for legacy support
+ purposes. Please migrate to <a href="https://github.com/bazelbuild/rules_jvm_external/">
+ <code>rules_jvm_external</code></a> and pin your Maven artifacts with their SHA-256
+ checksums.</p>
<!-- #END_BLAZE_RULE.ATTRIBUTE --> */
.add(attr("sha1", Type.STRING))
/* <!-- #BLAZE_RULE(maven_jar).ATTRIBUTE(sha1_src) -->
