From version 0.11.0 onward,
pack can be used to identify builders that should be considered trusted.
pack build will operate slightly differently under the hood based on whether it considers the specified builder to be trusted.
Read the announcement.
pack considers a builder to be trusted,
pack build operations will use a single lifecycle binary called the
pack doesn’t trust a builder it will continue to execute five separate lifecycle binaries:
export. It will run the more privileged phases using a published lifecycle image, if one is available.
This choice strikes a balance between security and performance. The
export phases of the lifecycle require higher levels of privilege or access to sensitive data that is not required by the
pack trusts a builder
pack build will run a single lifecycle binary which will flow through the five lifecycle steps in a single container. This is more efficient than running five separate containers.
pack were to use the
creator lifecycle phase with an untrusted builder, each of the buildpack’s
bin/build processes would run within a container that has heightened privileges or access to registry credentials. The buildpacks distributed with the untrusted builder could be constructed to act maliciously with these privileges or credentials.
You may view which builders are trusted via
pack config trusted-builders list.
Here are some other related commands:
By default, any builder suggested by
pack builder suggest is considered trusted.
Any other builder can be trusted using
pack config trusted-builders add <builder-name>.
To stop trusting a builder use
pack config trusted-builders remove <builder-name.
You may trust any builder for the duration of a single build by using the
--trust-builder flag with
Note: A published lifecycle image is available for lifecycle versions 0.7.5+ and 0.6.1. If your builder has been created with an earlier version of the lifecycle
pack buildwill fail due to this security related change.
If you want to trust this older builder, you may mark it as trusted via
pack trust-builder <builder-name>or by adding