RFC: build.sysroot directive for hermetic-build / manylinux targeting#343
Draft
tannevaled wants to merge 1 commit into
Draft
RFC: build.sysroot directive for hermetic-build / manylinux targeting#343tannevaled wants to merge 1 commit into
tannevaled wants to merge 1 commit into
Conversation
Adds a `build.sysroot:` block to the package.yml schema that, when
set, redirects the compiler at a specific glibc / kernel-headers
bottle (instead of using the build host's libc). This is the
hermetic-build / host-independent piece needed for the pantry to
target manylinux baselines, build on Alpine-musl hosts, and produce
bottles that don't carry the build runner's libc ABI assumptions.
YAML schema:
build:
sysroot:
libc: gnu.org/glibc=~2.28 # required
kernel-headers: kernel.org/linux-headers=^7 # optional
dependencies:
gnu.org/glibc: ~2.28 # MUST also be a build dep
kernel.org/linux-headers: ^7 # MUST also be a build dep
When `build.sysroot.libc` is set, the generated build script exports:
SYSROOT=<libc-install-prefix>
CC="${CC:-gcc} -nostdinc -isystem <libc>/include [-isystem <khdr>/include] -B <libc>/lib -Wl,--enable-new-dtags,--dynamic-linker=<libc>/lib/ld-linux-*.so.*,--rpath=<libc>/lib"
CXX="${CXX:-g++} <same> -nostdinc++"
CPP="${CPP:-gcc} <same> -E"
The libc package must already be a `build.dependencies` entry (so
it's installed and resolved); this directive merely routes existing
deps, it doesn't add them. Same constraint for `kernel-headers`.
No behaviour change for recipes that don't declare `build.sysroot:` —
the helper returns an empty string and no env exports are emitted.
This is the brewkit half of the feature; the pantry yaml schema docs
need a companion update (will land in a pkgxdev/pantry PR).
Empirical motivation: pkgxdev/pantry#12968 (gnu.org/glibc) and the
HPC-cascade work in pkgm/notes/session-2026-05-{19,20}.md. We
demonstrated that this exact sysroot routing pattern (done manually
inside Docker containers) enables building glibc 2.17–2.43 host-
independent on both linux/x86-64 and linux/aarch64 from a clean
debian:bookworm-slim with no apt-installed compiler. Formalising it
in the recipe schema unblocks the rest of the pantry to follow the
same hermetic-build path.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Status: draft / RFC
Proposes a small additive directive to the pantry yaml schema that unblocks the rest of the pantry to follow the same hermetic-build path we demonstrated empirically in pkgxdev/pantry#12968 (gnu.org/glibc).
The brewkit side is concrete (this PR, 75 lines). The pantry yaml schema docs need a companion update; opening as draft so the schema can be discussed first.
Problem
Today the pantry has no way to express "build me against THIS libc bottle, not the build host's libc". Every recipe inherits the runner's libc — so bottles carry the runner's ABI assumptions, can't target older manylinux baselines, can't be built on Alpine/musl hosts.
We worked around this empirically in pkgxdev/pantry#12968 by manually constructing the CC/CXX/CPP wrappers inside Docker containers (see
pkgm/notes/session-2026-05-{19,20}.md). The pattern works — 18 glibc bottles (9 versions × 2 arches) all build host-independent — but it's recipe-side boilerplate that should be a schema feature.Proposal
Add a
build.sysroot:block:When
build.sysroot.libcis set, the build script gains these exports BEFORE the user script runs:Recipes that opt in get the routing automatically; recipes that don't are unchanged.
Behaviour change for existing recipes
None. The new helper returns an empty string when the yaml has no
build.sysrootblock. No existing pantry yml ships such a block.Companion changes
lib/to LD_LIBRARY_PATH. Required so a sysroot-routed bottle doesn't simultaneously pollute consumers' env at runtime.Concrete use cases unlocked
build.sysroot.libc: gnu.org/glibc=~2.17produces a binary that runs on CentOS 7 / RHEL 7.build.sysroot.libc: musl.cc=*.Open questions
build.sysroot.libcvsbuild.libc?build.sysroot.libcvs separate top-levelsysroot:?build.dependencies)? Current sketch requires the recipe to declare both for clarity.-D_FORTIFY_SOURCE=…or similar hardening flags by default? Currently passthrough.host().archswitch covers x86-64 / aarch64 linux; darwin throws. Should it be a no-op on darwin instead?Happy to iterate on the schema, split into smaller PRs, or rework as needed.
Refs
🤖 Generated with Claude Code