Description
Envoy recently switched to using a hermetic LLVM toolchain:
I may have missed some background discussion, but I’d appreciate more details about where the toolchain originates from.
My current understanding:
- Using a locally installed LLVM toolchain is no longer supported.
- Envoy now relies on the LLVM toolchain provided by the LLVM toolchain for Bazel project.
- These toolchains download prebuilt LLVM binaries from the official LLVM release page.
- The downloads are defined in https://github.com/bazel-contrib/toolchains_llvm/blob/master/toolchain/internal/llvm_distributions.bzl
Envoy’s currently selected toolchain is specified here, which points to LLVM 18.1.8. According to the LLVM 18.1.8 release notes, these binaries are not from the LLVM project itself:
> Volunteers make binaries for the LLVM project, which will be uploaded when they have had time to test and build these binaries. They might not be available directly or not at all for each release. We suggest you use the binaries from your distribution or build your own if you rely on a specific platform or configuration.
I found some background on who built this specific binary in this LLVM Discourse post https://discourse.llvm.org/t/18-1-8-has-been-tagged/79726/10.
There was discussion in LLVM Discourse about improving binary-build transparency and security ("[RFC] Improve binary security"), and starting with LLVM 19, it seems CI-produced binaries are available.
Is my understanding correct?