Yes, that's why I package as much stuff as I can into a hermetic Bazel build, including Python modules (and yes, I build Python programs in Google PAR format using Subpar). They're all stored in my own cloud bucket, the entire transitive closure can be tracked down, and they don't change underneath me willy-nilly. For C++ cross-builds I also package toolchains in a similar fashion. You could also package a toolchain for the host if you'd like, I just don't bother. And I package test data likewise. The build isn't 100% hermetic, but I'd say about 90%. I feel pretty good about this set-up and recommend it to others. Grabbing random packages (and worse, their transitive closures) from the internet as a part of the build sounds insane to me.