Academic publications
- Reflections on Trusting Trust (1984) — Ken Thompson. (PDF)
- Fully Countering Trusting Trust through Diverse Double-Compiling (2005/2009) — David A. Wheeler. (PDF, …)
- Functional Package Management with Guix (2013) — Ludovic Courtès. […]
- Reproducible and User-Controlled Software Environments in HPC with Guix (2015) — Ludovic Courtès, Ricardo Wurmus. […]
- Automated Localization for Unreproducible Builds (2018) — Zhilei Ren, He Jiang, Jifeng Xuan, Zijiang Yang. (PDF)
- Transparent, Provenance-assured, and Secure Software-as-a-Service (2019) — Nachiket Tapas, Francesco Longo, Giovanni Merlino and Antonio Puliafito. (Link)
- in-toto: Providing farm-to-table guarantees for bits and bytes (2019) — Santiago Torres-Arias, New York University; Hammad Afzali, New Jersey Institute of Technology; Trishank Karthik Kuppusamy, Datadog; Reza Curtmola, New Jersey Institute of Technology; Justin Cappos, New York University. (PDF)
- Backstabber's Knife Collection: A Review of Open Source Software Supply Chain Attacks (2020) — Marc Ohm, Henrik Plate, Arnold Sykosch, Michael Meier. (PDF)
- Reproducible Containers (2020) — Navarro Leija, Omar S. and Shiptoski, Kelly and Scott, Ryan G. and Wang, Baojun and Renner, Nicholas and Newton, Ryan R. and Devietti, Joseph. (…)
- Towards detection of software supply chain attacks by forensic artifacts (2020) — Marc Ohm, Arnold Sykosch, Michael Meier. (Link)
- Reproducible builds: Increasing the integrity of software supply chains (2021) — Chris Lamb & Stefano Zacchiroli. (Link)
- An Experience Report on Producing Verifiable Builds for Large-Scale Commercial Systems (2021) — Yong Shi, Mingzhi Wen, Filipe Roseiro Cogo, Boyuan Chen and Zhen Ming Jiang. (Link)
- Automated Patching for Unreproducible Builds (2022) — Zhilei Ren, Shiwei Sun, Jifeng Xuan, Xiaochen Li, and He Jiang. (Link)
- On business adoption and use of reproducible builds for open and closed source software (2022) — Simon Butler, Jonas Gamalielsson, Björn Lundell, Christoffer Brax, Anders Mattsson, Tomas Gustavsson, Jonas Feist, Bengt Kvarnström & Erik Lönroth. (Link)
- Top Five Challenges in Software Supply Chain Security: Observations From 30 Industry and Government Organizations (2022) — William Enck and Laurie Williams. (Link)
- It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security (2023) — Marcel Fourné, Dominik Wermke, William Enck, Sascha Fahl, Yasemin Acar. (PDF, link)