Does Bazel Guarantee Hermeticity?

Posted on in programming

cover image for article

Bazel does not guarantee hermeticity, but it does provide some features that can help to achieve hermeticity. These features include:

  • Sandboxing: Bazel can sandbox the execution of build actions, which helps to prevent them from accessing the host system.
  • Dependency pinning: Bazel can pin the versions of dependencies that are used in a build, which helps to ensure that the same versions of dependencies are used every time the build is run.
  • Caching: Bazel can cache the output of build actions, which can help to improve the performance of builds.

However, there are some things that can still compromise the hermeticity of a Bazel build, such as:

  • Using system tools: If a build action uses a system tool, such as ls or grep, the output of the tool may be affected by the environment in which the build is running.
  • Writing to the source tree: If a build action writes to the source tree, the changes to the source tree may affect the output of subsequent build actions.
  • Using non-hermetic rules: Some Bazel rules are not hermetic, which means that they may introduce dependencies on the host system.

To ensure the hermeticity of a Bazel build, it is important to be aware of the potential sources of non-hermeticity and to take steps to mitigate them.

Here are some additional tips for ensuring the hermeticity of a Bazel build:

  • Use sandboxing for all build actions that are not trusted.
  • Pin the versions of all dependencies that are used in a build.
  • Use caching to avoid re-running build actions that have already been run.
  • Use hermetic rules for all build actions that are critical to the correctness of the build.
  • Audit the build configuration to identify any potential sources of non-hermeticity.

By following these tips, you can help to ensure that your Bazel builds are hermetic and reproducible.

Slaptijack's Koding Kraken