Merged
24 changes: 24 additions & 0 deletions master-thesis.md
Expand Up @@ -243,6 +243,30 @@ The stages of package installation
</ol>


### Beyond Declared Dependencies: The Limits of Hermetic Build Tools
Contact: Aman Sharma

Tools like [Hermeto][herm1] promise hermetic container builds by prefetching all declared dependencies before network isolation kicks in. In theory, the build runs against a closed, auditable set of inputs. In practice, the hermetic guarantee is layered and partial: Hermeto addresses the *declared dependency layer* — what appears in lockfiles like `package-lock.json`, `Cargo.lock`, or `requirements.txt` — but leaves the *toolchain and native dependency layer* to the user. Nix offers a theoretically stronger model: content-addressed derivations, sandboxed builds, and a store that captures the full dependency closure including compilers and system libraries. An ecosystem of automated translation tools — `dream2nix`, `poetry2nix`, `cargo2nix` [2] — attempts to generate these derivations from standard lockfiles, but the two models rest on different assumptions about what a hermetic boundary even means.

This thesis investigates the *hermetic gap*: the delta between what a tool declares as its dependency set and what a build actually consumes. The central question is whether Nix's stronger closure model translates into a meaningfully tighter boundary in practice, and what classes of dependencies — undeclared system libraries, toolchain leakage, native extension bindings, implicit platform assumptions — fall outside the boundary regardless of which model is used.

Related Work:

[1] [Hermeto — prefetch CLI for hermetic container builds](https://github.com/hermetoproject/hermeto)

[2] [dream2nix — automated Nix derivation generation from package manager metadata](https://github.com/nix-community/dream2nix)

[3] [Zheng, Adams, Hassan — On Build Hermeticity in Bazel-Based Build Systems, IEEE Software 2025](https://mcislab.github.io/publications/2025/ieeesw-shenyu.pdf)

[4] [Lamb & Zacchiroli — Reproducible Builds: Increasing the Integrity of Software Supply Chains, IEEE Software 2021](https://arxiv.org/pdf/2104.06020)

[5] [SLSA — Supply-chain Levels for Software Artifacts framework](https://slsa.dev/)

[6] [The Design Space of Lockfiles Across Package Managers, Empirical Software Engineering 2025](https://arxiv.org/abs/2505.04834)

[herm1]: https://github.com/hermetoproject/hermeto


### Dependency Fingerprinting: Reconstructing Full Dependency Trees from Partial Observations
Contact: Aman Sharma, Eric Cornelissen

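Review bot: most of the Related Work list is never cited from the body of this new section: the text links only `[herm1]` and `[2]`, so `[1]`, `[3]`, `[4]`, `[5]` and `[6]` are dangling, and `[1]` and `[herm1]` resolve to the same Hermeto URL, making one of them redundant. Suggest citing the Bazel hermeticity study `[3]` and the lockfile design-space paper `[6]` where the hermetic gap and the "declared dependency layer" are introduced, and replacing `[herm1]` with `[1]` so the numbering is used consistently. The `[2]` citation is also attached to three tools (`dream2nix`, `poetry2nix`, `cargo2nix`) while the entry only describes dream2nix; either add entries for the other two or cite them by link. Finally, the section states the research question but not how the hermetic gap will be measured; one sentence naming the intended method (for example, comparing the set declared in the lockfile against the files and network endpoints a build actually touches under tracing) would make the proposal evaluable.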