-
Notifications
You must be signed in to change notification settings - Fork 2.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Hermetic build mode #9506
Comments
It's definitely an antipattern to use In general, should |
I think the current state of the art is to |
Perhaps require a |
What about the linker or the C compiler? Different versions can result in different compilation outputs. Should rust-lld be forcefully used instead of the platform linker (probably uncontroversial) and usage of a C compiler prevented (probably controversial)? Should this use seccomp-bpf or other os mechanisms to prevent not just filesystem access, but as much system calls as possible? Should |
People might not only want to protect the binary from side-effects of the build-system but also the build-system from side effects of building (and therefore subsequent builds on the same system) when using the catchphrase "hermetic builds". To offer these features thoroughly, the use of container-solutions (Docker/linux-namespaces, I'm unsure what exists on Windows or MacOS) is necessary. The question then is, whether cargo itself should offer a mode where it spawns such containers, or if merely compatibility and ease of use of third-party tools that spawn build-containers should be the goal here. It's important to note, that container-in-container won't work. So if we spawn containers, people cannot put cargo into a container while using that mode. At my company we have started to implement a container solution using bubblewrap-containers. I could share our development if that's the direction we want to go into. |
Meta: this should be an RFC, but I am unlikely to write one soon. Creating mostly to coordinate discussion.
Problem: today, it's possible to get byte-for-byte identical results compilation results (especially with wasm), but it is impossible to guarantee, because ambient environment (~/.cargo/config, CARGO_HOME, etc) can influence the build. That is, builds are reproducible, but are not hermetic. As a specific example, if I publish a wasm project with Cargo.lock and
rust-toolchain.toml
, folks runningcargo build
will generally get the same results, unless someone hasRUSTFLAGS
set.Solution: add a mechanism to Cargo to out-out of ambient environment. Strawman proposal -- when
--hermetic
flag is passed,cargo
guarantees that the builds are only affected by the contents of the current working directory.I don't know an exhaustive list of things that hypothetical
--hermetic
should forbid, but here are some candidates:.cargo/config
outside of the current directory--hermetic --allow-env RUSTFLAGS
)PATH
is importaet. Perhaps printingrustc -vv
during hermetic build is the way to go?--hermetic
should imply--locked
(valid lockfile)--hermetic
should not imply--frozen
. That is, Cargo should be able to fetch sources from the internet (and usesCARGO_HOME
for caches), as long as it guarantees that the result is reproducible.A related feature is #7894, #7887. It allows to control
.cargo/config
specifically. I, however, feel that we want to make a more specific promise about properties (hermeticity), and tread config handling as an implementation detail.cc @jsgf
The text was updated successfully, but these errors were encountered: