Unchained
Engineering Blog

Building .NET Runtime from Source – The Chainguard Way

Dan Fernandez, Staff Product Manager, and Dimitri John Ledkov, Principal Engineer

.NET is an open-source developer platform created by Microsoft. It is designed for building a wide range of applications, including web, mobile, desktop, and cloud-based solutions. The framework supports multiple programming languages such as C#, F#, and Visual Basic. The .NET ecosystem is also one of the most popular development frameworks, with over 35% of developers relying on .NET libraries.


As such, the .NET ecosystem is vast and complex, with numerous repositories and dependencies. These complexities make building the runtime from source a daunting challenge, but Chainguard tackled this obstacle head-on to deliver a secure foundation for developers building on .NET. This blog post will dive deeper into a recent Chainguard milestone, where we began building all .NET 8 and .NET 9 components entirely from source.


As a direct result, Chainguard can now deliver faster vulnerability (CVE) remediation, provide full end-to-end integrity, and share detailed build transparency for consumers of our .NET container images. Continue reading to get a deeper dive into the details of how we solved the challenges of building .NET runtimes.


The Challenges of Building .NET Runtime


  1. Multiple Repositories: .NET source is composed of many repositories that must be built in a specific, bespoke combination of commits. This requires careful coordination and management of dependencies at build time to avoid unexpected build failures.

  2. Circular Dependencies: Many .NET repositories require the .NET SDK at build time, creating a circular dependency that presents a bootstrapping problem. Without solving this circularity, it is not possible to build .NET images from source. 

  3. Compiled Modules: By default, most .NET repositories download prebuilt binary dependencies from untrusted or unverified online sources, which can interfere with the process of converting .NET source code into executable binaries. Additionally, relying on trusted sources for build-time dependencies can run afoul of certain distribution rules (e.g., commercial licensing requirements). In short, this challenge results in failed builds, unexpected costs, and commercial scrutiny. 

  4. Cross-Repository Changes: Making code changes across multiple versions of .NET requires coordination across multiple code repositories. This is a complex and time-consuming process.


Chainguard's Approach to Secure .NET Images


  1. Self-Hosted Repositories: To ensure proper dependency management, Chainguard invested in our own self-hosting solution. We also developed build automation for each repository to ensure that version dependencies are handled programmatically. 

  2. Resolving Circular Dependencies: To solve the bootstrapping challenges of circular dependencies, Chainguard established a process in which a minimal, stripped-back version of the .NET SDK was used to build all subsequent components. To keep the builds predictable, we then added functionality layer by layer until the full SDK was built.

  3. Rebuilding Modules from Source: Rather than relying on prebuilt binary dependencies, Chainguard built all dependencies from source. This approach allowed us to remain in compliance with licensing requirements without sacrificing control over the build process. Ultimately, the core principle of building from source allowed Chainguard to avoid unexpected build failures and verify the integrity of all dependencies.  

  4. Coordinated Code Changes: While standing up automation to simplify .NET builds, we also implemented a rigorous change management process to coordinate code changes across repositories. This allowed us to apply automated testing to every affected repository, so that at each code change we identified and prevented regressions.


Chainguard's .NET 8 and .NET 9 Images


Chainguard successfully bootstrapped and rebuilt .NET 8 and 9 images in December 2024. Our work was supported by a trusted partner, Cloudbase Solutions. We are strongly committed to the open source ecosystem, and in the ethos of collaboration, we contributed all discovered issues upstream to the .NET project maintainers.


Having successfully built both .NET 8 and the newly released .NET 9 from source, Chainguard is now offering these secure images to customers through our Images catalog. Engineering and security teams building on Chainguard’s .NET images will benefit from:


  • Chainguard, acting as a trusted party, having complete and granular control over the build process.

  • Elimination of vulnerabilities due to Chainguard’s philosophy of building minimal, hardened images from source.

  • End-to-end integrity of all .NET components with full SBOMs and attestations for builds, tests, and distribution.


The complete collection of related images includes versions 8 and 9 of .NET SDK, .NET Runtime, ASP.NET, and PowerShell, as well as FIPS variants of each component. With this collection of images, Chainguard customers can now easily deploy .NET applications with a hardened supply chain, zero vulnerabilities, and FIPS-validated cryptography.


Want to learn more about our .NET 8 and .NET 9 images or try them out yourself? Get in touch with our team today.
