Academic publications
Citing reproducible-builds.org
The CITATION.cff file is available at the root of the repository. It can be used to generate citations in various formats using cffconvert.
If you are preparing a paper or article and wish to reference the reproducible-builds.org project, the following BibTeX entry is recommended:
@misc{ReproducibleBuildsOrg,
author = {{Reproducible Builds}},
title = {Reproducible Builds Website},
url = {https://reproducible-builds.org/}
}
Academic publications
In addition to the resources mentioned, our repository also includes a bibliography.bib file, which contains BibTeX entries for all the academic publications listed here. This file is continuously updated to reflect the most recent scholarly works related to reproducible builds. It serves as a comprehensive source for researchers and practitioners looking to cite relevant literature in their work. The file can be found within the repository, making it easy for anyone to access and utilize in their own scholarly writings.
- Reflections on trusting trust
  Commun. ACM, 27 (8), 761–763
  Thompson, K. (1984)
  https://doi.org/10.1145/358198.358210
- Fully countering trusting trust through diverse double-compiling
  Wheeler, D. A. (2010)
  https://arxiv.org/abs/1004.5534
- Functional package management with guix
  Courtès, L. (2013)
  https://arxiv.org/abs/1305.4584
- Reproducible and User-Controlled Software Environments in HPC with Guix
  2nd International Workshop on Reproducibility in Parallel Computing (RepPar)
  Courtès, L., & Wurmus, R. (2015, August)
  https://inria.hal.science/hal-01161771
- Automated localization for unreproducible builds.
  Proceedings of the 40th International Conference on Software Engineering
  Ren, Z., Jiang, H., Xuan, J., & Yang, Z. (2018, May)
  https://doi.org/10.1145/3180155.3180224
- Transparent, provenance-assured, and secure software-as-a-service
  2019 IEEE 18th International Symposium on Network Computing and Applications (NCA), 1–8
  Tapas, N., Longo, F., Merlino, G., & Puliafito, A. (2019)
  https://doi.org/10.1109/NCA.2019.8935014
- In-toto: Providing farm-to-table guarantees for bits and bytes
  Proceedings of the 28th USENIX Conference on Security Symposium, 1393–1410
  Torres-Arias, S., Afzali, H., Kuppusamy, T. K., Curtmola, R., & Cappos, J. (2019)
  https://www.usenix.org/conference/usenixsecurity19/presentation/torres-arias
- Backstabber’s knife collection: A review of open source software supply chain attacks
  In Lecture notes in computer science (pp. 23–43). Springer International Publishing.
  Ohm, M., Plate, H., Sykosch, A., & Meier, M. (2020)
  https://doi.org/10.1007/978-3-030-52683-2_2
- Reproducible containers
  Proceedings of the Twenty-Fifth International Conference on Architectural Support for Programming Languages and Operating Systems, 167–182
  Navarro Leija, O. S., Shiptoski, K., Scott, R. G., Wang, B., Renner, N., Newton, R. R., & Devietti, J. (2020)
  https://doi.org/10.1145/3373376.3378519
- Towards detection of software supply chain attacks by forensic artifacts
  Proceedings of the 15th International Conference on Availability, Reliability and Security
  Ohm, M., Sykosch, A., & Meier, M. (2020)
  https://doi.org/10.1145/3407023.3409183
- Toward long-term and archivable reproducibility
  Computing in Science & Engineering, 23(3), 82–91
  Akhlaghi, M., Infante-Sainz, R., Roukema, B. F., Khellat, M., Valls-Gabaud, D., & Baena-Galle, R. (2021)
  https://doi.org/10.1109/mcse.2021.3072860
- Reproducible builds: Increasing the integrity of software supply chains
  IEEE Software, 39(2), 62–70
  Lamb, C., & Zacchiroli, S. (2022)
  https://doi.org/10.1109/MS.2021.3073045
- An experience report on producing verifiable builds for large-scale commercial systems
  IEEE Transactions on Software Engineering, 48(9), 3361–3377
  Shi, Y., Wen, M., Cogo, F. R., Chen, B., & Jiang, Z. M. (2022)
  https://doi.org/10.1109/TSE.2021.3092692
- Automated patching for unreproducible builds
  Proceedings of the 44th International Conference on Software Engineering, 200–211
  Ren, Z., Sun, S., Xuan, J., Li, X., Zhou, Z., & Jiang, H. (2022)
  https://doi.org/10.1145/3510003.3510102
- Top five challenges in software supply chain security: Observations from 30 industry and organizations
  IEEE Security & Privacy, 20(2), 96–100
  Enck, W., & Williams, L. (2022)
  https://doi.org/10.1109/MSEC.2022.3142338
- Reproducibility of computational environments for software development
  Bachelor’s thesis, RWTH Aachen University
  Strangfeld, M. (2022)
  https://doi.org/10.5281/zenodo.13843189
- On business adoption and use of reproducible builds for open and closed source software
  Software Quality Journal, 31(3), 687–719
  Butler, S., Gamalielsson, J., Lundell, B., Brax, C., Mattsson, A., Gustavsson, T., Feist, J., Kvarnström, B., & Lönroth, E. (2022)
  https://doi.org/10.1007/s11219-022-09607-z
- It’s like flossing your teeth: On the importance and challenges of reproducible builds for software supply chain security
  2023 IEEE Symposium on Security and Privacy (SP), 1527–1544
  Fourne, M., Wermke, D., Enck, W., Fahl, S., & Acar, Y. (2023)
  https://doi.org/10.1109/SP46215.2023.10179320
- Signing in four public software package registries: Quantity, quality, and influencing factors
  Schorlemmer, T. R., Kalu, K. G., Chigges, L., Ko, K. M., Isghair, E. A.-M. A., Baghi, S., Torres-Arias, S., & Davis, J. C. (2024)
  https://arxiv.org/abs/2401.14635
- Reproducibility of build environments through space and time
  Malka, J., Zacchiroli, S., & Zimmermann, T. (2024)
  https://arxiv.org/abs/2402.00424
- Options Matter: Documenting and Fixing Non-Reproducible Builds in Highly-Configurable Systems
  MSR 2024 - 21th International Conference on Mining Software Repository, 1–11.
  Randrianaina, G. A., Khelladi, D. E., Zendra, O., & Acher, M. (2024)
  https://inria.hal.science/hal-04441579
- Reproducibility in software engineering
  University of Mons.
  Dellaiera, P. (2024)
  https://doi.org/10.5281/zenodo.12666898