A hermetic build is a build process that uses only declared, controlled inputs and does not rely on undeclared network access or external environment drift. It matters because hidden dependencies and network lookups make software builds harder to trust and easier to subvert.
What is a Hermetic Build?
Hermetic builds aim to remove ambient influence from package mirrors, local machine quirks, undeclared tools, or internet access during build execution. This improves determinism, auditability, and resistance to certain supply chain attacks.
What a Hermetic Build Commonly Supports
Common uses include reproducibility, secure CI design, build isolation, and supply chain assurance.
Hermetic Build vs. Environment-Dependent Build
A hermetic build tightly controls what inputs are allowed. An environment-dependent build can change based on external state the team did not intentionally declare.
Frequently Asked Questions
Why do hermetic builds matter?
Because software is easier to trust when teams know exactly what inputs shaped the final artifact.
Is hermetic the same as reproducible?
They are related but not identical. Hermetic design helps reproducibility by fixing the input set, but reproducibility also requires that the build steps behave deterministically over those inputs (no embedded timestamps, random ordering, or other run-to-run variation).
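The two ideas above (a build that refuses undeclared or drifted inputs, and the separate need for deterministic build steps) as an added, self-contained example; this is illustrative code written for this page, not code from any particular build tool. The manifest format, the function names and the sample source files are all constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_hermetic_inputs(src_dir: Path, manifest: dict) -> list:
    """Compare the files actually present against the declared manifest.
    Returns a list of violations; an empty list means the input set is exactly
    what was declared (nothing missing, nothing drifted, nothing undeclared)."""
    present = {str(p.relative_to(src_dir)): p for p in src_dir.rglob("*") if p.is_file()}
    problems = []
    for rel, expected in manifest.items():
        if rel not in present:
            problems.append(f"missing declared input: {rel}")
        elif sha256_bytes(present[rel].read_bytes()) != expected:
            problems.append(f"declared input changed (drift): {rel}")
    for rel in sorted(set(present) - set(manifest)):
        problems.append(f"undeclared input present: {rel}")
    return problems

def hermetic_build(src_dir: Path, manifest: dict, build_step) -> str:
    """Run build_step only if inputs match the manifest; return the artifact digest."""
    problems = check_hermetic_inputs(src_dir, manifest)
    if problems:
        raise RuntimeError("refusing to build: " + "; ".join(problems))
    return sha256_bytes(build_step(src_dir))

def deterministic_step(src_dir: Path) -> bytes:
    # Concatenate inputs in a fixed order: same declared inputs -> same artifact.
    return b"".join(p.read_bytes() for p in sorted(src_dir.rglob("*")) if p.is_file())

def demo() -> dict:
    """Constructed sample: two declared source files, then three scenarios."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "main.c").write_bytes(b"int main(void){return 0;}\n")
        (src / "util.h").write_bytes(b"#define VERSION 1\n")
        manifest = {rel: sha256_bytes((src / rel).read_bytes()) for rel in ("main.c", "util.h")}
        first = hermetic_build(src, manifest, deterministic_step)   # clean build
        second = hermetic_build(src, manifest, deterministic_step)  # identical inputs, identical digest
        (src / "vendored.h").write_bytes(b"/* pulled from a mirror, never declared */\n")
        undeclared = check_hermetic_inputs(src, manifest)           # ambient input detected
        (src / "vendored.h").unlink()
        (src / "util.h").write_bytes(b"#define VERSION 2\n")
        drifted = check_hermetic_inputs(src, manifest)              # declared input drifted
        return {"first": first, "second": second, "undeclared": undeclared, "drifted": drifted}
```

Calling demo() returns matching digests for the two clean builds and one violation string for each of the undeclared-file and drift scenarios; swapping deterministic_step for a step that embeds a timestamp would keep the input checks passing while the digests diverge, which is exactly the hermetic-but-not-reproducible case.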