Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Task Sandboxing #63

Closed
lihaoyi opened this issue Dec 12, 2017 · 1 comment
Closed

Task Sandboxing #63

lihaoyi opened this issue Dec 12, 2017 · 1 comment
Labels
later The issue is still relevant, but has now high priority right now
Milestone
0.12.0-RC1

Comments

@lihaoyi
Copy link
Member

lihaoyi commented Dec 12, 2017

Bazel restricts tasks being run to their given work directory: using sandbox-exec on OS-X, and LXC Containers on Linux. This is extremely useful to ensure that

  • Badly-configured builds don't "accidentally" pass due to stale state lying around the filesystem
  • Those builds don't fail mysteriously when that stale state is removed
  • The presence of stale state doesn't cause other builds to fail mysteriously

We can do the same thing, at least to a best effort: using Java SecurityManagers to limit file access in Mill JVM code, and forcing people to use a "blessed" subprocess interface that restricts subprocesses using the same OS tools that Bazel uses.

Builds becoming brittle because parts of it accidentally/implicitly depend on other parts that "have to"/"have always been" run before-hand is a common problem, and this would fix it.
@lihaoyi lihaoyi added the later The issue is still relevant, but has now high priority right now label Dec 12, 2017
@lihaoyi
Copy link
Member Author

lihaoyi commented Aug 16, 2024

#3347 and #3367 do a best effort job here. Even though it doesn't go as extreme as containerization, at least it prevents you from doing the wrong thing unless you actively work to do so

@lihaoyi lihaoyi closed this as completed Sep 26, 2024
@lefou lefou added this to the 0.12.0-RC1 milestone Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
later The issue is still relevant, but has now high priority right now
Projects
None yet
Milestone
0.12.0-RC1
Development

No branches or pull requests
2 participants
@lihaoyi @lefou