Sandboxing
Every make publish runs inside a locked-down container: no network, a
read-only filesystem, and dropped privileges. Two things follow — builds are
reproducible (the same source and pinned image produce the same output years
apart), and it is safe to build a book from source you didn't write.
This holds for both templates. core-slim runs the engine from a prebuilt
image; core builds that same image from the engine source it ships. The
hardening is identical.
What the container can't do
| Restriction | What it means |
|---|---|
| No network | The build runs fully offline — nothing goes in or out. |
| Read-only filesystem | Your manuscript, fonts, and configuration mount read-only; the only writable output is artifacts/. Scratch space under /tmp is in-memory and vanishes when the build ends. |
| No privileges | Every Linux capability is dropped, privilege escalation is blocked, and the build runs as your user — never root. |
Shell-escape is off
While typesetting a PDF, XeLaTeX can normally reach outside the document —
running a command with \write18, or reading a command's output through a piped
\openin. Both are shell-escape, which Keystone disables entirely — not even
LaTeX's restricted default whitelist runs. Nothing in your manuscript can make
the typesetter execute a command.
A LaTeX package that shells out to a helper —
minted (Pygments),
TikZ's external-figure library — won't run. That
rarely touches a book author: Keystone's idiom is static assets, not inline
execution. Code highlighting is
built in; a precompiled diagram goes in as a
figure. Wanting the package to run inline is a reason
to fork core and relax the sandbox yourself — a deliberate trade
against the guarantees above, and yours to own.
Auditing it yourself
The container hardening is your project's .docker/docker-compose.yaml — the
network, filesystem, and capability settings are a few readable lines.
Shell-escape sits a layer down, in the engine's publish.sh: core ships
that file in your project; core-slim inherits it from the signed image. See
Verifying your download for image signatures
and the checksum manifest.