diff --git a/master-thesis.md b/master-thesis.md index 48bc329..56a7b86 100644 --- a/master-thesis.md +++ b/master-thesis.md 
@@ -243,6 +243,30 @@ The stages of package installation +### Beyond Declared Dependencies: The Limits of Hermetic Build Tools +Contact: Aman Sharma + +Tools like [Hermeto][herm1] promise hermetic container builds by prefetching all declared dependencies before network isolation kicks in. In theory, the build runs against a closed, auditable set of inputs. In practice, the hermetic guarantee is layered and partial: Hermeto addresses the *declared dependency layer* — what appears in lockfiles like `package-lock.json`, `Cargo.lock`, or `requirements.txt` — but leaves the *toolchain and native dependency layer* to the user. Nix offers a theoretically stronger model: content-addressed derivations, sandboxed builds, and a store that captures the full dependency closure including compilers and system libraries. An ecosystem of automated translation tools — `dream2nix`, `poetry2nix`, `cargo2nix` [2] — attempts to generate these derivations from standard lockfiles, but the two models rest on different assumptions about what a hermetic boundary even means. + +This thesis investigates the *hermetic gap*: the delta between what a tool declares as its dependency set and what a build actually consumes. The central question is whether Nix's stronger closure model translates into a meaningfully tighter boundary in practice, and what classes of dependencies — undeclared system libraries, toolchain leakage, native extension bindings, implicit platform assumptions — fall outside the boundary regardless of which model is used. 
+ +Related Work: + +[1] [Hermeto — prefetch CLI for hermetic container builds](https://github.com/hermetoproject/hermeto) + +[2] [dream2nix — automated Nix derivation generation from package manager metadata](https://github.com/nix-community/dream2nix) + +[3] [Zheng, Adams, Hassan — On Build Hermeticity in Bazel-Based Build Systems, IEEE Software 2025](https://mcislab.github.io/publications/2025/ieeesw-shenyu.pdf) + +[4] [Lamb & Zacchiroli — Reproducible Builds: Increasing the Integrity of Software Supply Chains, IEEE Software 2021](https://arxiv.org/pdf/2104.06020) + +[5] [SLSA — Supply-chain Levels for Software Artifacts framework](https://slsa.dev/) + +[6] [The Design Space of Lockfiles Across Package Managers, Empirical Software Engineering 2025](https://arxiv.org/abs/2505.04834) + +[herm1]: https://github.com/hermetoproject/hermeto + + ### Dependency Fingerprinting: Reconstructing Full Dependency Trees from Partial Observations Contact: Aman Sharma, Eric Cornelissen
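Review bot: in the new "Beyond Declared Dependencies" section, the Related Work list is out of sync with the inline citations: entries [1], [3], [4], [5] and [6] are never cited in the body, [1] duplicates the `[herm1]` link target, and the only inline citation, "`dream2nix`, `poetry2nix`, `cargo2nix` [2]", attaches a dream2nix-only reference to all three tools. Either cite each entry where it supports a claim (e.g. the Bazel hermeticity paper [3] and the reproducible-builds survey [4] next to the "hermetic guarantee is layered and partial" sentence, and SLSA [5] where the build boundary is discussed) or drop the uncited entries, and replace `[Hermeto][herm1]` with `[Hermeto][1]` so there is a single reference for it. Minor: `requirements.txt` is only a lockfile when it is a fully pinned, hash-bearing file such as pip-compile output; `poetry.lock` or `uv.lock` would be a cleaner example alongside `package-lock.json` and `Cargo.lock`.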