Hi all,
The documentation claims that this capability can be used to prevent the creation of symlinks that "escape the input root tree, possibly resulting in non-hermetic builds". However, this seems rather questionable to me:
1. It's still possible for an action to be non-hermetic while resorting to relative symlinks: a relative symlink may still refer to a file that isn't in the action inputs, and it might even escape the input tree given a suitable number of `..` components (which are not only not forbidden, but explicitly allowed, irrespective of how the capability is set).
2. Disabling the capability prevents the legitimate creation of an absolute symlink that is not meant to be dereferenced during the build (Bazel, in particular, lets you create one through the `ctx.actions.declare_symlink` API). Even under the assumption that the protection against non-hermeticity is effective, this being a global setting prevents benefitting from both in the same build.
Could someone provide some context on why this capability was deemed worthwhile?
Thanks,
Tiago
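
The cases in point 1 can be checked mechanically. The following is an added example, not part of the original message or of any project's code: it resolves a symlink target lexically against the input root and reports whether it is absolute, escapes the root through `..`, or stays inside the root but misses the declared inputs. The function name, paths and input set are constructed for illustration, and intermediate symlinks are not followed.

```python
import posixpath


def classify_symlink(link_path, target, inputs):
    """Classify a symlink by where its target lands.

    link_path: location of the symlink, relative to the input root.
    target:    the target string stored in the symlink.
    inputs:    set of declared input file paths, relative to the input root.
    Resolution is purely lexical (assumption: no intermediate symlinks).
    """
    if posixpath.isabs(target):
        return "absolute"
    # A relative target is interpreted from the directory holding the link.
    parent = posixpath.dirname(link_path)
    resolved = posixpath.normpath(posixpath.join(parent, target))
    # After normalisation, any leading ".." means the path left the root.
    if resolved == ".." or resolved.startswith("../"):
        return "escapes-root"
    if resolved == "." or resolved in inputs:
        return "in-inputs"
    # The target may be a directory that contains declared inputs.
    if any(p.startswith(resolved + "/") for p in inputs):
        return "in-inputs"
    return "not-in-inputs"


# Constructed sample data: two declared inputs and five symlinks.
INPUTS = {"src/main.c", "include/util.h"}
SAMPLE_LINKS = [
    ("src/hdr", "../include/util.h"),     # relative, inside declared inputs
    ("src/inc", "../include"),            # relative, directory of inputs
    ("src/missing", "../gen/out.h"),      # relative, inside root, undeclared
    ("src/up", "../../outside/tool"),     # relative, leaves the root via ".."
    ("abs", "/usr/bin/python3"),          # absolute
]

if __name__ == "__main__":
    for link, target in SAMPLE_LINKS:
        print(f"{link} -> {target}: {classify_symlink(link, target, INPUTS)}")
```

Only the last sample is affected by a rule on absolute targets; the two before it are relative and still point at something that is not an action input.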