Open
Description
Problem:
rattler-build currently inherits the environment variables of the host shell during the build process. This leads to non-reproducible builds, as local user configurations (e.g., CFLAGS, PYTHONPATH, LD_LIBRARY_PATH) can silently leak into the build environment. A build might succeed locally due to these leaked variables but fail in CI or on other machines.
Proposed Solution:
Implement a strict, "deny-by-default" environment sanitization strategy similar to conda-build.
- Sanitize by default: The build process should start with a clean environment, stripping all inherited variables except for a minimal set of system essentials (e.g., `PATH` (sanitized?), `HOME`,
- Allow explicit pass-through: Add support for a `script_env` (or similar) field in `recipe.yaml` that allows users to explicitly whitelist variables that should be passed from the host shell to the build script.
Example recipe.yaml:
```yaml
build:
  script_env:
    - CI_BUILD_NUMBER
    - MY_CUSTOM_FLAG
```
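A sketch of the deny-by-default filtering proposed in this issue, added here as an illustration; it is not rattler-build's code and not part of the original issue. The `sanitize_env` helper, the `BASELINE` list (taken from the issue's `PATH` and `HOME` examples) and the host values are assumptions constructed for the example.

```rust
use std::collections::BTreeMap;
use std::process::Command;

// Assumed minimal baseline; the issue names PATH and HOME as examples.
const BASELINE: &[&str] = &["PATH", "HOME"];

/// Deny-by-default: keep only baseline names and names listed in `script_env`.
/// Returns (environment for the build script, sorted names that were dropped).
fn sanitize_env(
    host: &BTreeMap<String, String>,
    script_env: &[&str],
) -> (BTreeMap<String, String>, Vec<String>) {
    let mut kept = BTreeMap::new();
    let mut dropped = Vec::new();
    for (name, value) in host {
        if BASELINE.contains(&name.as_str()) || script_env.contains(&name.as_str()) {
            kept.insert(name.clone(), value.clone());
        } else {
            dropped.push(name.clone());
        }
    }
    (kept, dropped)
}

/// Constructed host environment standing in for a developer's shell.
fn sample_host() -> BTreeMap<String, String> {
    [
        ("PATH", "/usr/bin:/bin"),
        ("HOME", "/home/dev"),
        ("CFLAGS", "-O3 -march=native"),
        ("LD_LIBRARY_PATH", "/opt/local/lib"),
        ("PYTHONPATH", "/home/dev/site"),
        ("CI_BUILD_NUMBER", "128"),
    ]
    .iter()
    .map(|(k, v)| (k.to_string(), v.to_string()))
    .collect()
}

fn main() {
    let (env, dropped) = sanitize_env(&sample_host(), &["CI_BUILD_NUMBER", "MY_CUSTOM_FLAG"]);
    println!("dropped: {:?}", dropped);
    // env_clear() stops the child inheriting this process's variables;
    // envs() then supplies only the allowlisted set.
    let out = Command::new("/bin/sh")
        .args(["-c", "echo CFLAGS=${CFLAGS:-unset} CI=${CI_BUILD_NUMBER:-unset}"])
        .env_clear()
        .envs(&env)
        .output()
        .expect("failed to run /bin/sh");
    print!("{}", String::from_utf8_lossy(&out.stdout));
}
```

Logging the dropped names makes it visible when a local build was relying on a leaked variable such as `CFLAGS`; a name listed in `script_env` but unset on the host (here `MY_CUSTOM_FLAG`) is simply absent from the result.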