Hermetic Builds

Definition

A hermetic build is one whose outputs are determined entirely by its declared inputs: the source files, the pinned dependencies and the toolchain itself. Nothing on the host that is not an explicit input (the system compiler, whatever happens to be on PATH, environment variables, the network, the clock) is allowed to influence the result. Build systems enforce this by running each build step in a sandbox or container that exposes only the declared inputs, and by pinning every external dependency to a specific version and content hash. Hermeticity is a prerequisite for reproducible builds rather than the same thing: a hermetic build can still be non-deterministic (for example by embedding a timestamp), so reproducibility additionally requires deterministic tooling. The security benefit is that the set of code that can reach the build is closed and auditable. A compromised or drifted host toolchain, or an unpinned dependency that is silently upgraded or substituted, cannot change the artifact without changing a declared, hash-checked input, and because the same inputs yield the same artifact on any machine, an independent rebuild on a second host can detect tampering.
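As an added illustration that is not part of the original page, the following Python models the property in the definition and the check a practitioner actually runs for it: build the same declared inputs under several deliberately different host environments (different compiler on PATH, different locale, different wall clock) and require every output digest to match, while a change to a declared input must still change the output. The two build functions are stand-ins for a real build step (in practice you would invoke the real tool through subprocess with an explicitly constructed env), and the source file and dependency contents are constructed sample data.

```python
import hashlib
import time

# Constructed sample inputs: one source file and one pinned dependency archive.
SOURCES = {"main.c": b"int main(void) { return 0; }\n"}
DEPS = {"dependency1": b"contents of dependency1-1.2.3.tar.gz"}


def _digest_declared_inputs(h, sources, deps):
    """Feed declared inputs into the hash in a fixed, sorted order."""
    for name in sorted(sources):
        h.update(name.encode() + b"\0" + sources[name] + b"\0")
    for name in sorted(deps):
        h.update(name.encode() + b"\0" + deps[name] + b"\0")


def hermetic_build(sources, deps, env, clock):
    """Model of a hermetic build step (stand-in for a real tool invocation).

    The output digest is computed from declared inputs only; the host
    environment and clock are accepted but deliberately never read.
    """
    h = hashlib.sha256()
    _digest_declared_inputs(h, sources, deps)
    return h.hexdigest()


def non_hermetic_build(sources, deps, env, clock):
    """Model of a non-hermetic build step.

    Same declared inputs, but the output also folds in whichever compiler the
    host environment names and the current time, so two hosts that differ
    only in those produce different artifacts.
    """
    h = hashlib.sha256()
    _digest_declared_inputs(h, sources, deps)
    h.update(env.get("CC", "cc").encode() + b"\0")   # undeclared input: host compiler
    h.update(str(int(clock())).encode() + b"\0")     # undeclared input: wall clock
    return h.hexdigest()


def hermeticity_check(build, sources, deps):
    """Run the build under perturbed hosts; hermetic only if every digest matches.

    Each perturbation changes something that is NOT a declared input: the
    compiler on the host, a locale variable, or the wall clock.
    Returns (is_hermetic, set of distinct output digests).
    """
    perturbations = [
        ({"CC": "/usr/local/bin/gcc", "LANG": "C"}, lambda: 1_700_000_000),
        ({"CC": "/usr/bin/clang", "LANG": "en_US.UTF-8"}, lambda: 1_700_000_000),
        ({"CC": "/usr/local/bin/gcc", "LANG": "C"}, lambda: 1_700_000_000 + 3600),
    ]
    digests = {build(sources, deps, env, clock) for env, clock in perturbations}
    return len(digests) == 1, digests


def declared_input_changed(build, sources, deps):
    """A hermetic build must still change when a declared input is tampered with."""
    before = build(sources, deps, {}, time.time)
    tampered = dict(deps, dependency1=deps["dependency1"] + b"\n# injected")
    after = build(sources, tampered, {}, time.time)
    return before != after


if __name__ == "__main__":
    for name, build in (("hermetic", hermetic_build), ("non-hermetic", non_hermetic_build)):
        ok, digests = hermeticity_check(build, SOURCES, DEPS)
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({len(digests)} distinct output(s))")
```

Against a real build, the same harness is two runs of the build command with a minimal, explicitly constructed environment (for example under env -i) on two differently provisioned hosts, followed by a hash comparison of the outputs; any difference points at an undeclared input that the sandbox or the dependency pins failed to exclude.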

Secure Settings Example

# .bazelrc: run every build action in a sandbox that exposes only its declared inputs
build --spawn_strategy=sandboxed
# Deny network access from inside the sandbox; all fetching goes through pinned repositories
build --sandbox_default_allow_network=false
# Do not inherit the host environment (PATH, LD_LIBRARY_PATH, ...) into actions
build --incompatible_strict_action_env
# Resolve the C++ toolchain through registered toolchains rather than the host compiler
build --incompatible_enable_cc_toolchain_resolution

# WORKSPACE: a downloaded, versioned toolchain and dependencies pinned to a content hash
register_toolchains("@hermetic_cc_toolchain//:all")  # placeholder label for a fetched, pinned toolchain
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
    name = "remote_repo",
    urls = ["https://example.com/remote_repo-1.2.3.tar.gz"],  # placeholder URL, versioned
    sha256 = "<sha256 of remote_repo-1.2.3.tar.gz>",  # placeholder; Bazel refuses an archive whose digest differs
    strip_prefix = "remote_repo-1.2.3",
)
# BUILD: the target depends only on the declared, pinned repositories above
cc_binary(name = "app", srcs = ["main.cc"], deps = ["@remote_repo//:dependency1", "@remote_repo//:dependency2"])

Insecure Settings Example

# .bazelrc: every action runs directly on the host with no isolation
build --spawn_strategy=local
# Inherit the host's PATH and library path into every action
build --noincompatible_strict_action_env
# Autoconfigure the toolchain from whichever compiler is installed on this machine
build --repo_env=CC=/usr/local/bin/gcc

# WORKSPACE: dependency fetched from an unversioned URL with no content hash, so a
# different archive can be served on every build and Bazel only warns instead of failing
load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
http_archive(
    name = "remote_repo",
    urls = ["https://example.com/remote_repo-latest.tar.gz"],  # placeholder URL, unversioned
)
# BUILD: depends on whatever dependency1 and dependency2 happen to resolve to at build time
cc_binary(name = "app", srcs = ["main.cc"], deps = ["@remote_repo//:dependency1", "@remote_repo//:dependency2"])