I'm not sure why andybons and kbr are CC'd on this bug. Regardless, here's a CL to mitigate the issue: https://codereview.chromium.org/2431383003

Adding a PRESUBMIT check to enforce only 40-character hashes is not feasible for a number of reasons:
* Presubmit doesn't have an easy way to parse DEPS files, so it can't just parse the file and check on its own
* gclient can parse DEPS files, and in fact 'gclient verify' exists (and is used by presubmit to ensure that certain aspects of the DEPS file are correct), but doesn't want to enforce 40-character hashes because other kinds of revisions are perfectly reasonable in other repositories.
* Any presubmit check could only be a heuristic and a warning, because 'deadbeef' is both a reasonable short hash and a reasonable branch name, and we don't want to forbid setting branch names (the release buildspec templates would all fail).

I suggested kainino@ add andybons (who's heading up the team focused on immediate Infra needs of Chromium developers) and me. Thanks for picking this up though!

> * Any presubmit check could only be a heuristic and a warning, because 'deadbeef' is both a reasonable short hash and a reasonable branch name, and we don't want to forbid setting branch names (the release buildspec templates would all fail).

If the only way to implement this is with a general gclient check, then yes, it would be too strict, but I originally suggested using a presubmit because we were only talking about src/DEPS (and maybe src-internal/DEPS), which shouldn't be using either short refs or symbolic refs.

Yep, and I'd be strongly in favor of having a src/PRESUBMIT check that could parse the DEPS file and yell, but from my quick survey of PRESUBMIT.py, presubmit_support.py, and gclient.py, doing so would be a highly non-trivial amount of work, and I judged it not worth it compared to the quick CL I was able to throw together above.

If someone wants to dedicate a couple SWE days to adding this functionality to 'gclient verify' behind a flag, or teaching presubmit_support to parse DEPS files independently, then I wholeheartedly support that and will even do the code reviews! But in general I think this should be a P-3 infra issue at the very highest.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2e9de0e8e7df6eedba8de5d2e29210b26d641266

commit 2e9de0e8e7df6eedba8de5d2e29210b26d641266
Author: agable <agable@chromium.org>
Date: Thu Oct 20 01:03:18 2016

Don't let roll scripts use short hashes

R=kainino@chromium.org
BUG= 657642 

Review-Url: https://chromiumcodereview.appspot.com/2431383003
Cr-Commit-Position: refs/heads/master@{#426359}

[modify] https://crrev.com/2e9de0e8e7df6eedba8de5d2e29210b26d641266/tools/roll_angle.py
[modify] https://crrev.com/2e9de0e8e7df6eedba8de5d2e29210b26d641266/tools/roll_webgl_conformance.py
[modify] https://crrev.com/2e9de0e8e7df6eedba8de5d2e29210b26d641266/tools/roll_webrtc.py

Because the above CL landed, I'm going to mark this as fixed. If someone really wants to work on adding an actual presubmit check, please re-open and unassign me as the owner :)