Skip to content

Sandboxing

Every make publish runs inside a locked-down container: no network, a read-only filesystem, and dropped privileges. Two things follow — builds are reproducible (the same source and pinned image produce the same output years apart), and it is safe to build a book from source you didn't write.

This holds for both templates. core-slim runs the engine from a prebuilt image; core builds that same image from the engine source it ships. The hardening is identical.

What the container can't do

Restriction What it means
No network The build runs fully offline — nothing goes in or out.
Read-only filesystem Your manuscript, fonts, and configuration mount read-only; the only writable output is artifacts/. Scratch space under /tmp is in-memory and vanishes when the build ends.
No privileges Every Linux capability is dropped, privilege escalation is blocked, and the build runs as your user — never root.

Shell-escape is off

While typesetting a PDF, XeLaTeX can normally reach outside the document — running a command with \write18, or reading a command's output through a piped \openin. Both are shell-escape, which Keystone disables entirely — not even LaTeX's restricted default whitelist runs. Nothing in your manuscript can make the typesetter execute a command.

A LaTeX package that shells out to a helper — minted (Pygments), TikZ's external-figure library — won't run. That rarely touches a book author: Keystone's idiom is static assets, not inline execution. Code highlighting is built in; a precompiled diagram goes in as a figure. Wanting the package to run inline is a reason to fork core and relax the sandbox yourself — a deliberate trade against the guarantees above, and yours to own.

Auditing it yourself

The container hardening is your project's .docker/docker-compose.yaml — the network, filesystem, and capability settings are a few readable lines. Shell-escape sits a layer down, in the engine's publish.sh: core ships that file in your project; core-slim inherits it from the signed image. See Verifying your download for image signatures and the checksum manifest.