Skip to content

Define Policy and Implement Mirroring Strategy for External Toolchain Artifacts #2629

New issue
New issue
Open
Open
Define Policy and Implement Mirroring Strategy for External Toolchain Artifacts#2629
@dcalavrezo-qorix

Description

@dcalavrezo-qorix
dcalavrezo-qorix
opened on Feb 26, 2026

What

Define and implement a clear policy for handling external toolchain artifacts (SDKs, vendor blobs, GitHub-hosted artifacts) to ensure long-term reproducibility, traceability and hermetic builds across S-CORE repositories.

Currently, several repositories fetch external artifacts directly from:

  • Vendor URLs (e.g., QNX SDP downloads)
  • GitHub repositories (via git_override)
  • Potentially GitHub Release assets (in some repositories)

Even when protected with sha256 or integrity checks, these sources do not guarantee long-term availability.

How

Step 1 – Inventory External Artifacts

Across S-CORE repositories:

  • Identify http_archive, archive_override, git_override, and toolchain fetches
  • Classify:
    • Vendor SDK downloads (e.g. QNX SDP)
    • GitHub repository fetches
    • GitHub Release assets
    • Other external binary blobs

Produce an inventory list.

Step 2 – Define Policy

Propose and align on one of the following policies:

Option A – Strict Mirroring

  • All external toolchain artifacts must be mirrored into an S-CORE-controlled artifact store.
  • MODULE.bazel must reference only mirror URLs.
  • sha256 / integrity remains mandatory.

Option B – Conditional Mirroring

  • Mirroring required only for:
    • Safety-relevant toolchains
    • Release branches
  • Development dependencies may use upstream sources.

Option C - Other

Step 3 – Implement Mirror (If Required)

If mirroring is agreed:

  • Create an S-CORE “distfiles” mirror (artifact repository)
  • Mirror:
    • Vendor SDK archives (if licensing permits)
    • Toolchain tarballs
    • GitHub-based artifacts
  • Update MODULE.bazel references to mirror URLs
  • Keep all sha256 / integrity checks

Step 4 – CI / Policy Enforcement (optional but recommended imho)

  • Add CI check preventing direct vendor URLs in MODULE.bazel
  • Allow only approved mirror domains

Estimates for realization

Resources

  • Infra team
  • Repo maintainers
  • Possibly legal/licensing clarification for SDK redistribution

Category

  • Affects Detailed Design

Requirements / Architecture

  • Requirements / Architecture are not affected by this change?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions