Documentation index

Academic publications

  • Trusting Trust - Reflections on Trusting Trust (1984) — Ken Thompson. (PDF)

  • Fully Countering Trusting Trust through Diverse Double-Compiling (2005/2009) — David A. Wheeler (PDF, )

  • Functional Package Management with Guix (2013) — Ludovic Courtès. []

  • Reproducible and User-Controlled Software Environments in HPC with Guix (2015) — Ludovic Courtès, Ricardo Wurmus []

  • in-toto: Providing farm-to-table guarantees for bits and bytes (2019) — Santiago Torres-Arias, New York University; Hammad Afzali, New Jersey Institute of Technology; Trishank Karthik Kuppusamy, Datadog; Reza Curtmola, New Jersey Institute of Technology; Justin Cappos, New York University. (PDF)

  • Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks (2020) — Marc Ohm, Henrik Plate, Arnold Sykosch, Michael Meier. (PDF)

  • Automated Localization for Unreproducible Builds (2018) — Zhilei Ren, He Jiang, Jifeng Xuan, Zijiang Yang. (PDF)

  • Reproducible Containers (2020) — Navarro Leija, Omar S. and Shiptoski, Kelly and Scott, Ryan G. and Wang, Baojun and Renner, Nicholas and Newton, Ryan R. and Devietti, Joseph. ()

  • Towards detection of software supply chain attacks by forensic artifacts (2020) — Marc Ohm, Arnold Sykosch, Michael Meier. (Link)

  • Reproducible builds: Increasing the integrity of software supply chains. (2021) — Chris Lamb & Stefano Zacchiroli. (Link)

  • On business adoption and use of reproducible builds for open and closed source software (2022) — Simon Butler, Jonas Gamalielsson, Björn Lundell, Christoffer Brax, Anders Mattsson, Tomas Gustavsson, Jonas Feist, Bengt Kvarnström & Erik Lönroth. (Link)

  • Automated Patching for Unreproducible Builds (2022) - Zhilei Ren, Shiwei Sun, Jifeng Xuan, Xiaochen Li, and Jiang Hi. (Link)

  • An Experience Report on Producing Verifiable Builds for Large-Scale Commercial Systems (2021) - Yong Shi, Mingzhi Wen, Filipe Roseiro Cogo, Boyuan Chen and Zhen Ming Jiang. (Link)

  • Transparent, Provenance-assured, and Secure Software-as-a-Service (2019)
    • Nachiket Tapas, Francesco Longo, Giovanni Merlino and Antonio Puliafito. (Link)
  • Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations (2022) William Enck and Laurie Williams. (Link)

Documentation index

Follow us on Twitter @ReproBuilds, Mastodon & Reddit and please consider making a donation. • Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. • Patches for this website welcome via our Git repository (instructions) or via our mailing list. • Full contact info