Open Source
Experience & Contributions
From contributing to AsyncAPI to proposing a native uv package manager backend for Hermeto under GSoC 2026.
Adding Native uv Support to Hermeto
A proposal for building a native uv package manager backend in the Hermeto build system for reproducible, hermetic builds.
Sameer Pawar
IST (UTC+5:30)
Newton School of Technology (ADYPU)
+919699065624
Synopsis
uv is quickly becoming the go‑to package manager for Python because of its speed and strict uv.lock format. But right now, Hermeto only supports pip. This leaves a major gap: teams building natively with uv cannot use Hermeto to guarantee reproducible, network‑isolated builds.
This proposal addresses that gap by adding a native uv backend (x‑uv) to Hermeto, handling everything from lockfile parsing to dependency fetching and offline environment configuration.
I found Hermeto when the GSoC 2026 organizations were announced, and I have spent the last three weeks digging in. I set up the dev environment, ran the test suites, and mapped out exactly what this uv integration requires. Before this, I spent four months actively contributing to AsyncAPI — mostly handling maintenance, bug fixes, and PR reviews. That experience taught me how to jump into an established codebase, understand the existing patterns, and get to work.
At its core, Konflux is about software supply chain security. Because the uv.lock format records each dependency with its source, version, and SHA256 checksum for every wheel and sdist, it is actually a perfect fit for secure, deterministic builds. Adding native support for it is not just about keeping up with a new tool — it directly strengthens Hermeto's main mission.
Understanding the Problem
AI Transparency: Hermeto has a clear AI Contribution Policy, so I want to be completely transparent about my workflow. I used AI to help me quickly navigate the codebase, get up to speed on unfamiliar Python patterns, and map out the broader uv ecosystem.
However, I did not just generate answers. I manually verified every technical conclusion, architectural mapping, and implementation step outlined below through my own code inspection and local testing. I fully understand the architecture I am proposing, and I am ready to explain and defend all of it.
What Hermeto Actually Does
Hermeto works in two steps. First, fetch‑deps reads a project's lockfile, downloads every listed dependency, verifies checksums, and stores everything in a flat output directory (deps/<pm>/) alongside a CycloneDX SBOM (bom.json). Second, generate‑env and inject‑files configure the build environment so the package manager uses the local cache instead of the internet. The actual build then runs with zero network access.
Architecture Flow
hermeto fetch-deps
CLI entry point
resolver.py
dispatches to x-uv handler
uv/ backend
parse uv.lock → extract packages → resolve URLs
http_requests.py
download + checksum verify
sbom.py
generate CycloneDX BOM
hermeto-output/
Why uv Needs Its Own Backend
This is something I spent time looking into beyond just the idea description.
Yes, uv is backwards‑compatible with pip. You can run uv pip install -r requirements.txt and it works. The mentors explicitly called this out in the project description — that is NOT the native way. uv has its own workflow based on uv lock and uv sync, and it produces its own lockfile: uv.lock.
The uv.lock format is very different from pip's requirements.txt. It is a TOML file that records each dependency with its name, version, source registry, and inline sdist/wheel entries — each containing the full download URL and SHA256 hash. It also tracks dependency markers for different platforms. The pip backend's requirements.py parser will not work for this — a new parser is needed.
What I Know About the Technical Challenges
“I think this should not be a design document, but a document conveying your capability to write a comprehensive design document and then implement it.”
— Alexey Ovchinnikov, Discussion #1396
So instead of dumping everything I have learned about uv.lock internals, here is what I see as the key challenges and how I would approach them:
1. Parsing uv.lock
The uv.lock file is valid TOML, so Python's tomllib can parse it. The challenge is not the format but the schema — understanding how packages, sources, wheels, and markers are structured inside the file. Here is a simplified snippet of what a uv.lock entry looks like:
The file starts with a header: version = 1, revision = 3, and requires-python. Each [[package]] section has name, version, source, dependencies, and inline sdist and wheels entries — each wheel contains its full PyPI download URL and SHA256 hash. The parser would need to walk through these entries, build a list of what to download, and verify checksums. I also want to follow the patterns of Hermeto's existing parsers (requirements.py for pip, yarn/ backend for yarn.lock).
I plan to start with simple single-package projects and work up to more complex cases during the research phase.
2. Download URL Resolution
From looking at real uv.lock files, the lockfile already contains full download URLs for each wheel and sdist. This means the backend does not need to query the PyPI simple API at fetch time — it can download directly from the URLs in the lockfile. The pip backend already handles PyPI downloads through http_requests.py — I would reuse that infrastructure rather than writing something from scratch.
The source registry field tells us where the package came from originally, but the actual download URLs are baked into the sdist and wheels entries. This simplifies the fetching logic compared to pip where download URLs need to be resolved separately.
3. Security: No Arbitrary Code Execution
This is a core Hermeto rule. From what I have read, uv does not run setup.py during resolution — it reads metadata statically. That would align with Hermeto's security model. But I have not fully verified this yet and it is one of the first things I need to confirm during the research phase.
This is important enough that I would want to trace through uv's actual source code during the research phase rather than just trusting what the documentation says. The mentors specifically listed “inspecting uv's internals to verify whether there's a potential arbitrary code execution path” as an expectation, so this cannot be hand-waved.
4. SBOM Integration
Each fetched package needs to become a CycloneDX component in the SBOM. The pip backend already maps Python packages to pkg:pypi/ PURLs through sbom.py. The uv backend would produce the same PURL entries — the packages come from the same ecosystem (PyPI), just resolved through a different tool.
These follow the same pkg:pypi/ format Hermeto already generates for pip packages (I verified this in the test suite at tests/unit/package_managers/pip/test_main.py). The tricky part is ensuring metadata accuracy for packages with non-PyPI sources — git dependencies and direct URLs need special PURL qualifiers.
Also, since the uv backend would launch as experimental (x-uv), the SBOM needs to include the experimental backend annotations. From the design template, experimental backends mark their components with annotations like hermeto:backend:experimental:x-uv. This needs to be wired up from the start.
5. Build Environment Configuration
After fetching, Hermeto needs to tell uv to use the cached dependencies instead of the network. uv has environment variables for cache directory and offline mode that should work for this. I still need to dig into the exact configuration during the research phase.
The key question is whether uv sync can be pointed entirely at a local cache with no network fallback. If it can, the generate-env step just needs to emit the right env vars. If not, there may be config files that need to be injected. This is one of those things that is easier to figure out by testing locally than by reading docs.
A note on output directory structure: Hermeto's fetch-deps typically downloads wheels and sdists into a flat output directory (e.g. deps/pip/ for pip, deps/npm/ for npm). uv, on the other hand, has a highly specific, complex internal cache structure (UV_CACHE_DIR). A key research deliverable is figuring out how to feed Hermeto's flat downloaded files into uv sync --offline. I will investigate whether to construct a local index (--find-links or a local file URI index) or if uv exposes a way to directly consume flat files without its internal cache layout. This is a friction point the design document will need to solve before any implementation starts.
6. Edge Cases I Am Watching For
- •Git dependencies in uv.lock — these are not PyPI packages and need different fetching logic
- •Platform-specific wheel selection — uv.lock records wheels for multiple platforms; Hermeto needs to decide which to fetch
- •Source distributions without pre-built wheels — these might require a build step, which conflicts with the no-arbitrary-code rule
- •Workspace/monorepo support — uv supports workspaces with multiple packages; the lockfile structure gets more complex
The uv.lock format is not formally specified as a stable API yet — Astral moves exceptionally fast and the format is still evolving. Mitigation: I will design the parser to explicitly check the version field in the lockfile header (currently version = 1). If Astral introduces a breaking lockfile change, Hermeto should gracefully fail or alert the user rather than silently producing incorrect results.
Some details will be refined during the research and design phase. I have identified the key questions and will work with mentors to resolve them early.
Implementation Plan & Timeline
The expected deliverables from the project description are clear: research, design document, implementation, SBOM integration, tests, and documentation. Here is how I plan to sequence them.
Bonding + Wk 1–2
Research & Design Document
Design doc via docs/design/package-manager-template.md. Submitted as PR, iterate on Erik and Alexey's feedback. Also: set up local test environments, study pip backend, inspect uv.lock for different project types.
Wk 3–4
Lockfile Parser
Create hermeto/core/package_managers/uv/ module. Write the uv.lock parser that extracts dependency names, versions, sources, and checksums. Unit tests with various lockfile shapes.
Wk 4–5
Fetch Pipeline
Implement fetch_uv_source(). Download via http_requests.py, checksum verification against lockfile hashes. Register as x-uv in resolver with experimental prefix.
Wk 5–6
SBOM Integration
Map uv metadata to CycloneDX components. Generate accurate pkg:pypi/ PURLs. Experimental backend annotations in SBOM.
Wk 6–7
Build Environment
Implement generate-env support — emit the right environment variables for offline uv usage. Implement inject-files support — write any config files uv needs.
Wk 7
Midterm: End-to-end Demo
hermeto fetch-deps '{"type": "x-uv"}' works end-to-end — reads lockfile, downloads, verifies checksums, generates SBOM, offline build works.
Wk 8–9
Integration Tests
Containerized e2e tests in tests/integration/ with real uv projects. Alexey confirmed in #1396 these are expected and "rather straightforward" to add.
Wk 9–10
Documentation
User-facing docs page in docs/ — prerequisites, example usage, known limitations.
Wk 10–12
Hardening & Stretch Goals
Handle edge cases surfaced during testing. Possible graduation from x-uv to uv if mentors approve. Stretch goals TBD based on progress.
These targets may be adjusted based on design reviews or upstream uv changes, and I will communicate any updates early with mentors. I will be available 25–30 hours per week throughout the program.
Previous Contributions
The Hermeto GSoC guide says one merged PR is the bar. I have that, but I also want to show the four months of open source work I did before Hermeto.
Note: I'll continue to add contributions here until GSoC selection to become more familiar with the codebase.
Hermeto
| PR | Description | Status |
|---|---|---|
| #1354 | Replaced fragile automatic test-exclusion logic with standard pytest -k filtering, closing mentor-opened issue. | Merged |
That PR required understanding how the integration test infrastructure actually worked — not just where tests live, but why the exclusion logic existed in the first place and why the simpler approach was safe. It was not glamorous work, but it was the kind of work that makes the test suite easier to maintain going forward.
AsyncAPI
4 months before switching orgsI was contributing to AsyncAPI for about four months before they got rejected from GSoC 2026. Mostly maintenance stuff.
| PR | Description | Status |
|---|---|---|
| #4781 | Removed deprecated scripts from the repo | Merged |
| #4997 | Cleaned up unused dependencies from package.json | Open |
| #4804 | Fixed react-hooks/exhaustive-deps warnings across the codebase | Open |
| #5014 | Replaced Moment.js with Day.js — ~90% bundle reduction | Merged |
| #4710 | Fixed background scrolling bug on Roadmap modal | Merged |
| #4585 | Fixed broken links in git-workflow.md | Merged |
| #4600 | Fixed broken community links in contributor docs | Merged |
| #4988 | Reviewed and tested Navbar Chevron UI fix | Review |
| #4808 | Verified Algolia search language sync logic | Review |
| #4893 | Helped a contributor understand codebase logic | Review |
None of this was glamorous — and that was kind of the point.
Some PRs are still open — AsyncAPI was rejected from GSoC 2026, so I switched orgs before they all got merged.
Benefits to the Community
Right now, any Python team using uv with Konflux cannot do hermetic builds because Hermeto only speaks pip. uv is not niche anymore — a lot of projects are moving to it. This backend closes that gap.
There is also a secondary benefit. The pip backend is older and more complex. A clean uv backend gives future contributors a better reference if they ever need to add support for Poetry, PDM, or whatever comes next. And the design document itself is useful even if the code takes longer than expected — right now there is no written-down analysis of how uv should integrate with Hermeto.
About Me
I am a 2nd year student at Newton School of Technology (ADYPU). I have experience in Python, TypeScript (React, Next.js, Node.js), and I am comfortable working across both ecosystems. Hermeto's codebase aligns well with my experience, and I can easily follow its patterns.
I'm also part of my college's Student Developer Club where I help organize meets, hackathons, and work on projects with others. A lot of it is coordination — less about code and more about making sure things actually get done.
A few projects I built outside of open source:
Availability & Commitments
My college has an internship period from June to December. If I get selected for GSoC, that becomes my internship — no classes, no exams, no conflicts for the entire coding period.
I can put in 25–30 hours a week. Timezone is IST (UTC+5:30). I usually work during the day but I am flexible. Happy to do async (GitHub, email) or sync calls with Erik and Alexey, whatever works better for them.
Post GSoC
Honestly, the x-uv backend shipping is not the end of the work — it's the beginning of it. Astral moves fast, uv.lock will keep changing, and whoever maintains the parser needs to already understand why certain edge cases were handled the way they were. I will have that context. It would be wasteful to just walk away.
The graduation path from x-uv to a stable uv backend is also something I want to see through personally. Shipping it experimental and then handing it off to someone else to graduate feels like leaving halfway.
And beyond just the uv work, I have spent enough time in the Hermeto codebase now to care about it. The problem it solves is real, the mentors actually engage with contributors, and there is still meaningful work to do here after GSoC. That's rare enough that I'm not going to take it for granted.
Other Contributions
More open source work and community contributions — details coming soon.
AsyncAPI Initiative
4 months of active contributions — maintenance, bug fixes, PR reviews, and infrastructure improvements across the AsyncAPI website.
More Coming Soon
This section will grow as I continue contributing to open source projects and communities.