Pin external repositories in WORKSPACE

[calder]

http_archive rules in WORKSPACE all reference master and don't include a sha256. This leads to non-reproducible builds.

Request specific versions instead and include sha256's as described in the Bazel docs.

[isturdy]

Abseil prefers to be built from head if possible: https://abseil.io/about/compatibility.

However, I think we should pin repositories in at least two situations:

• gRPC and other versioned repositories: gRPC follows releases, and may silently break compatibility at head. (e.g. Travis build broken by ":_*" gRPC rules. #126)
• Our own releases. Right now, if Abseil breaks compatibility we will fix it at head, but a release will be permanently broken if it is not pinned itself.

[g-easy]

Users of OpenCensus can have reproducible builds by pinning in their (outermost) WORKSPACE.

Abseil hasn't broken compatibility yet. gRPC has a couple of times, although moving the gRPC plugin to their repo will mitigate that somewhat in the future.

Pinning, or at least having some sense of "opencensus-cpp release X works with grpc release Y", would be good, but I'd also like to avoid tons of commits to OpenCensus bumping the versions of dependencies and bazel.

[bogdandrutu]

Any update on this?

[g-easy]

I'd like to keep the master branch building everything from HEAD.

Once we start doing release branches, we could record our dependencies' versions at release time.

Doing this doesn't really affect users of opencensus-cpp because it's their project's WORKSPACE file that specifies which version of every transitive dependency to use - this is bazel's approach to dependencies.

[g-easy]

External repositories are now pinned for OpenCensus releases. Closing this issue.