Spack executes package build recipes and fetches source artifacts from many upstream locations. Hardening must focus on package source trust, mirrors, and controlled build execution.
¶ 1) Control package source trust and mirrors
- Use internal trusted mirrors for source tarballs/binaries.
- Accept only sources that are checksummed and, where available, signed.
- Pin registries/repos for custom package recipes.
- Disable ad-hoc fetching from unknown URLs in production build environments.
¶ 2) Isolate and constrain build execution
- Run builds under non-root service users.
- Isolate builders (container/VM) from production workloads.
- Restrict network egress for build jobs to approved mirrors.
- Prevent write access from build users to system-critical paths.
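The two lists above come down to two checks that can be scripted: every configured mirror must point at an approved internal host over https (or a local path), and every fetched artifact must match its pinned checksum before it is unpacked. The following is an added example, not Spack's own code: an audit helper that walks a `mirrors:` section in the shape `spack config get mirrors` prints and verifies a sample artifact against a pinned sha256. The mirror entries, the approved host names and the artifact bytes are all constructed placeholders; the pinned digest is the standard sha256 test vector for the bytes `abc`. Real egress restriction still belongs in network policy on the builder; this script only catches configuration that would violate it.

```python
import hashlib
from urllib.parse import urlparse

# Constructed allowlist of internal mirror hosts (placeholder names, not real infrastructure).
APPROVED_MIRROR_HOSTS = {
    "spack-mirror.build.example.internal",
    "spack-cache.build.example.internal",
}

# Constructed stand-in for the `mirrors:` section of mirrors.yaml. Spack accepts either a
# plain URL string or a mapping with separate fetch/push URLs; both shapes are handled below.
SAMPLE_MIRRORS = {
    "internal": "https://spack-mirror.build.example.internal/spack",
    "cache": {
        "fetch": "https://spack-cache.build.example.internal/binaries",
        "push": "file:///srv/spack/push",
    },
    "adhoc": "http://downloads.example.com/tarballs",  # plain http, unapproved host
    "shared": "file:///mnt/spack-mirror",
}


def mirror_urls(entry):
    """Return the URL(s) of one mirror entry, whichever shape it uses."""
    if isinstance(entry, str):
        return [entry]
    return [v for k, v in entry.items() if k in ("url", "fetch", "push") and isinstance(v, str)]


def check_mirror_url(url):
    """Return (ok, reason). Only file:// paths and https URLs on approved hosts pass."""
    p = urlparse(url)
    if p.scheme == "file":
        return True, "local filesystem mirror"
    if p.scheme != "https":
        return False, f"scheme {p.scheme!r} not allowed; https required"
    if p.hostname not in APPROVED_MIRROR_HOSTS:
        return False, f"host {p.hostname!r} is not an approved mirror"
    return True, "approved"


def audit_mirrors(mirrors):
    """Return a list of (mirror name, url, reason) for every URL that fails the policy."""
    violations = []
    for name, entry in mirrors.items():
        for url in mirror_urls(entry):
            ok, reason = check_mirror_url(url)
            if not ok:
                violations.append((name, url, reason))
    return violations


def verify_sha256(data, expected_hex):
    """True if the sha256 of `data` equals the pinned digest; hash the whole artifact before unpacking."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


# Constructed "artifact": the bytes `abc`, whose sha256 is a published test vector.
CONSTRUCTED_ARTIFACT = b"abc"
PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"


if __name__ == "__main__":
    for name, url, reason in audit_mirrors(SAMPLE_MIRRORS):
        print(f"mirror {name!r}: {url} -> {reason}")
    print("artifact checksum ok:", verify_sha256(CONSTRUCTED_ARTIFACT, PINNED_SHA256))
    print("tampered artifact ok:", verify_sha256(CONSTRUCTED_ARTIFACT + b"\n", PINNED_SHA256))
```

Run it in CI against the output of `spack config get mirrors` (parsed with a YAML loader) to fail a build job that introduces an unapproved or plaintext mirror; the checksum helper is the same comparison Spack performs against the digests pinned in a package recipe, shown here so the failure mode (one byte appended, digest no longer matches) is explicit.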
¶ 3) Lock config and concretization policy
- Version-control packages.yaml, compilers.yaml, and config.yaml.
- Require code review for package overrides and custom repos.
- Use environments/locks to keep deterministic dependency graphs.
- Monitor for compiler and dependency drift.
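Drift monitoring is mechanical once the environment's lock file is under version control: diff the concrete specs in the committed `spack.lock` against the one produced by the latest concretization and flag any package whose version, compiler or DAG hash changed, and any package added or removed. The following is an added example, not part of Spack: two constructed lock documents modelled on the `concrete_specs` section of a lock file (placeholder hashes, versions and field layout, which is assumed rather than taken from a real lock), and a function that reports the drift between them.

```python
import json

# Constructed lock documents in the shape of spack.lock's `concrete_specs` section.
# Hashes, versions and the exact field layout are placeholders, not real Spack output.
BASELINE_LOCK = json.dumps({
    "_meta": {"file-type": "spack-lockfile"},
    "roots": [{"hash": "aaaa1111", "spec": "hdf5"}],
    "concrete_specs": {
        "aaaa1111": {"name": "hdf5", "version": "1.14.3", "compiler": {"name": "gcc", "version": "12.3.0"}},
        "bbbb2222": {"name": "zlib-ng", "version": "2.1.6", "compiler": {"name": "gcc", "version": "12.3.0"}},
        "cccc3333": {"name": "openmpi", "version": "4.1.6", "compiler": {"name": "gcc", "version": "12.3.0"}},
    },
})

# Same environment after a re-concretization: hdf5 bumped, zlib-ng rebuilt with a newer
# compiler, openmpi dropped, libfabric pulled in.
CURRENT_LOCK = json.dumps({
    "_meta": {"file-type": "spack-lockfile"},
    "roots": [{"hash": "dddd4444", "spec": "hdf5"}],
    "concrete_specs": {
        "dddd4444": {"name": "hdf5", "version": "1.14.4", "compiler": {"name": "gcc", "version": "12.3.0"}},
        "eeee5555": {"name": "zlib-ng", "version": "2.1.6", "compiler": {"name": "gcc", "version": "13.2.0"}},
        "ffff6666": {"name": "libfabric", "version": "1.21.0", "compiler": {"name": "gcc", "version": "12.3.0"}},
    },
})


def index_by_name(lock_json):
    """Map package name -> {hash, version, compiler} from a lock document.

    Keyed on name for clarity; a real lock can carry two specs with the same name
    (different variants), in which case key on the hash instead.
    """
    lock = json.loads(lock_json)
    out = {}
    for dag_hash, spec in lock["concrete_specs"].items():
        comp = spec["compiler"]
        out[spec["name"]] = {
            "hash": dag_hash,
            "version": spec["version"],
            "compiler": f'{comp["name"]}@{comp["version"]}',
        }
    return out


def lock_drift(baseline_json, current_json):
    """Return {'added': [...], 'removed': [...], 'changed': {name: {field: (old, new)}}}."""
    base = index_by_name(baseline_json)
    cur = index_by_name(current_json)
    drift = {
        "added": sorted(cur.keys() - base.keys()),
        "removed": sorted(base.keys() - cur.keys()),
        "changed": {},
    }
    for name in sorted(base.keys() & cur.keys()):
        diffs = {
            field: (base[name][field], cur[name][field])
            for field in ("version", "compiler", "hash")
            if base[name][field] != cur[name][field]
        }
        if diffs:
            drift["changed"][name] = diffs
    return drift


def has_drift(drift):
    """True when any package was added, removed or changed."""
    return bool(drift["added"] or drift["removed"] or drift["changed"])


if __name__ == "__main__":
    report = lock_drift(BASELINE_LOCK, CURRENT_LOCK)
    print(json.dumps(report, indent=2))
    print("drift detected:", has_drift(report))
```

Wire `has_drift` into the pipeline that runs after `spack concretize`: a non-empty report should block the job until the new lock file has been reviewed and committed, which is what keeps the dependency graph deterministic rather than merely logged.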
¶ Verification commands
spack --version
spack config get mirrors
spack config blame packages
spack spec --yaml hdf5 | head
¶ References
- Spack docs: https://spack.readthedocs.io/
- Spack source and advisories: https://github.com/spack/spack/security
- Spack mirrors/caching docs: https://spack.readthedocs.io/en/latest/mirrors.html