Academic publications

• Trusting Trust - Reflections on Trusting Trust (1984) — Ken Thompson. (PDF)

• Fully Countering Trusting Trust through Diverse Double-Compiling (2005/2009) — David A. Wheeler (PDF, …)

• Functional Package Management with Guix (2013) — Ludovic Courtès. […]

• Reproducible and User-Controlled Software Environments in HPC with Guix (2015) — Ludovic Courtès, Ricardo Wurmus […]

• Automated Localization for Unreproducible Builds (2018) — Zhilei Ren, He Jiang, Jifeng Xuan, Zijiang Yang. (PDF)

• Transparent, Provenance-assured, and Secure Software-as-a-Service (2019)
  • Nachiket Tapas, Francesco Longo, Giovanni Merlino and Antonio Puliafito. (Link)

• in-toto: Providing farm-to-table guarantees for bits and bytes (2019) — Santiago Torres-Arias, New York University; Hammad Afzali, New Jersey Institute of Technology; Trishank Karthik Kuppusamy, Datadog; Reza Curtmola, New Jersey Institute of Technology; Justin Cappos, New York University. (PDF)

• Backstabber’s Knife Collection: A Review of Open Source Software Supply Chain Attacks (2020) — Marc Ohm, Henrik Plate, Arnold Sykosch, Michael Meier. (PDF)

• Reproducible Containers (2020) — Navarro Leija, Omar S. and Shiptoski, Kelly and Scott, Ryan G. and Wang, Baojun and Renner, Nicholas and Newton, Ryan R. and Devietti, Joseph. (…)

• Towards detection of software supply chain attacks by forensic artifacts (2020) — Marc Ohm, Arnold Sykosch, Michael Meier. (Link)

• Reproducible builds: Increasing the integrity of software supply chains. (2021) — Chris Lamb & Stefano Zacchiroli. (Link)

• An Experience Report on Producing Verifiable Builds for Large-Scale Commercial Systems (2021) - Yong Shi, Mingzhi Wen, Filipe Roseiro Cogo, Boyuan Chen and Zhen Ming Jiang. (Link)

• Automated Patching for Unreproducible Builds (2022) - Zhilei Ren, Shiwei Sun, Jifeng Xuan, Xiaochen Li, and Jiang Hi. (Link)

• On business adoption and use of reproducible builds for open and closed source software (2022) — Simon Butler, Jonas Gamalielsson, Björn Lundell, Christoffer Brax, Anders Mattsson, Tomas Gustavsson, Jonas Feist, Bengt Kvarnström & Erik Lönroth. (Link)

• Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations (2022) William Enck and Laurie Williams. (Link)

• It’s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security (2023) Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, Yasemin Acar. (PDF, link)

---

← Documentation index

Documentation home

Introduction

• Definitions
• History
• Buy-in
• Making plans
• Academic publications

Achieve deterministic builds

• Variations in the build environment
• SOURCE_DATE_EPOCH
• Deterministic build systems
• Volatile inputs can disappear
• Stable order for inputs
• Value initialization
• Version information
• Timestamps
• Timezones
• Locales
• Archive metadata
• Stable order for outputs
• Randomness
• Build path
• System images
• JVM

Define a build environment

• What's in a build environment?
• Recording the build environment
• Definition strategies
• Proprietary operating systems

Distribute the environment

• Building from source
• Virtual machine drivers
• Formal definition

Verification

• Cryptographic checksums
• Embedded signatures
• Sharing certifications
• Rebuilders

Specifications

• SOURCE_DATE_EPOCH
• BUILD_PATH_PREFIX_MAP (WIP)