Documentation index

Academic publications

  • Trusting Trust - Reflections on Trusting Trust (1984) — Ken Thompson. (PDF)

  • Fully Countering Trusting Trust through Diverse Double-Compiling (2005/2009) — David A. Wheeler (PDF)

  • Functional Package Management with Guix (2013) — Ludovic Courtès.

  • Reproducible and User-Controlled Software Environments in HPC with Guix (2015) — Ludovic Courtès, Ricardo Wurmus

  • Automated Localization for Unreproducible Builds (2018) — Zhilei Ren, He Jiang, Jifeng Xuan, Zijiang Yang. (PDF)

  • Transparent, Provenance-assured, and Secure Software-as-a-Service (2019)
    • Nachiket Tapas, Francesco Longo, Giovanni Merlino and Antonio Puliafito. (Link)
  • in-toto: Providing farm-to-table guarantees for bits and bytes (2019) — Santiago Torres-Arias, New York University; Hammad Afzali, New Jersey Institute of Technology; Trishank Karthik Kuppusamy, Datadog; Reza Curtmola, New Jersey Institute of Technology; Justin Cappos, New York University. (PDF)

  • Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks (2020) — Marc Ohm, Henrik Plate, Arnold Sykosch, Michael Meier. (PDF)

  • Reproducible Containers (2020) — Omar S. Navarro Leija, Kelly Shiptoski, Ryan G. Scott, Baojun Wang, Nicholas Renner, Ryan R. Newton, Joseph Devietti.

  • Towards detection of software supply chain attacks by forensic artifacts (2020) — Marc Ohm, Arnold Sykosch, Michael Meier. (Link)

  • Reproducible builds: Increasing the integrity of software supply chains (2021) — Chris Lamb & Stefano Zacchiroli. (Link)

  • An Experience Report on Producing Verifiable Builds for Large-Scale Commercial Systems (2021) - Yong Shi, Mingzhi Wen, Filipe Roseiro Cogo, Boyuan Chen and Zhen Ming Jiang. (Link)

  • Automated Patching for Unreproducible Builds (2022) - Zhilei Ren, Shiwei Sun, Jifeng Xuan, Xiaochen Li, and Jiang Hi. (Link)

  • On business adoption and use of reproducible builds for open and closed source software (2022) — Simon Butler, Jonas Gamalielsson, Björn Lundell, Christoffer Brax, Anders Mattsson, Tomas Gustavsson, Jonas Feist, Bengt Kvarnström & Erik Lönroth. (Link)

  • Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations (2022) - William Enck and Laurie Williams. (Link)

  • It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security (2023) - Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, Yasemin Acar. (PDF, link)

Content licensed under CC BY-SA 4.0, style licensed under MIT.