build-sys: Run most parts with --network=none
#1725
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc. And yes of course, `--network=bridge` should probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle `--network=none` in some places. The biggest one is wrapping `make`. Signed-off-by: Colin Walters <[email protected]>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request makes a valuable improvement towards hermetic and reproducible builds by disabling network access for most build steps. The separation of cargo fetch is a good pattern.
I've added a few comments:
- A suggestion to further improve Docker layer caching for dependencies, which would speed up builds.
- Two findings of what appears to be an existing bug with incorrect cache mount paths in the
unitsandvalidatestages. Fixing this will make the build cache effective for those stages.
Overall, this is a solid change.
Well spotted Gemini Code Review! Signed-off-by: Colin Walters <[email protected]>
gursewak1997
approved these changes
Nov 1, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why? It just shows that we have put some thought into our build system and care about reproducibility, hermetic builds etc. And yes of course,
--network=bridgeshould probably have been required as an opt-in in Dockerfile, but oh well. It's not too bad to sprinkle--network=nonein some places. The biggest one is wrappingmake.