> Hermetic build systems

Wanting to know more, I found this:

"Hermeticity: This page covers hermeticity, the benefits of using hermetic builds, and strategies for identifying non-hermetic behavior in your builds."

https://docs.bazel.build/versions/main/hermeticity.html

Sounds great.

Ages ago, my teams had a policy of "one button build". Install VS C++ on a new box, open the project (from source repo), hit "Build". Tada. We could rebuild any revision on demand. Terrific for reproducing regressions and delta-debugging.

In the Java world, with (misuse of) Maven, Gradle, Jenkins, etc., attaining reproducible one button builds is quixotic.

For hermetic builds, everything would be digitally signed (SHA256), right? There's a spec for signing Linux kernels, which I can't quickly refind. But the idea is to apply that strategy to everything, right? That sounds perfect.

For caches you just say 'here's the SHA1 of the inputs' and the cache server can just give you the output.
Bazel does this for each build command, e.g. for each object in a big C program. Nix does it for each package.
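
The lookup described in the reply above, as an added sketch that is not part of the thread and is not Bazel's or Nix's code: the cache key is a digest over the command line, the declared environment and the content hashes of the declared inputs, and a build step that reads undeclared state gets a stale hit, which is the case hermeticity rules out. It uses SHA-256 rather than the SHA1 mentioned; `ActionCache`, `toy_compile`, `leaky_compile` and `AMBIENT` are hypothetical names, and the sources are constructed sample data.

```python
import hashlib
import json

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def action_key(argv, inputs, env):
    """Digest over everything the build step is *declared* to depend on."""
    manifest = {
        "argv": list(argv),
        "inputs": {path: digest(body) for path, body in inputs.items()},
        "env": dict(env),
    }
    return digest(json.dumps(manifest, sort_keys=True).encode())

class ActionCache:
    """In-memory stand-in for a cache server: key -> stored output."""
    def __init__(self):
        self._store, self.hits, self.misses = {}, 0, 0

    def run(self, argv, inputs, env, execute):
        key = action_key(argv, inputs, env)
        if key in self._store:          # same declared inputs: reuse the output
            self.hits += 1
            return self._store[key]
        self.misses += 1                # unknown key: run the step, store result
        self._store[key] = execute(argv, inputs, env)
        return self._store[key]

def toy_compile(argv, inputs, env):
    # Constructed stand-in for a compiler; depends only on declared inputs.
    return b"OBJ:" + b"|".join(inputs[p] for p in sorted(inputs))

AMBIENT = {"host_header": b"v1"}  # constructed: state outside the declared inputs

def leaky_compile(argv, inputs, env):
    # Non-hermetic step: the output also depends on AMBIENT, which is not in the key.
    return toy_compile(argv, inputs, env) + b"+" + AMBIENT["host_header"]

if __name__ == "__main__":
    argv, src = ["cc", "-c", "main.c"], {"main.c": b"int main(){return 0;}"}
    cache = ActionCache()
    cache.run(argv, src, {}, leaky_compile)
    AMBIENT["host_header"] = b"v2"      # ambient state changes, key does not
    cached = cache.run(argv, src, {}, leaky_compile)
    print("cache hits:", cache.hits)
    print("stale output served:", cached != leaky_compile(argv, src, {}))
```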