{"id":"https://openalex.org/W4384948741","doi":"https://doi.org/10.1109/sp46215.2023.10179320","title":"It\u2019s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security","display_name":"It\u2019s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security","publication_year":2023,"publication_date":"2023-05-01","ids":{"openalex":"https://openalex.org/W4384948741","doi":"https://doi.org/10.1109/sp46215.2023.10179320"},"language":"en","primary_location":{"id":"doi:10.1109/sp46215.2023.10179320","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179320","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref","datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://figshare.com/articles/conference_contribution/It_s_like_flossing_your_teeth_On_the_Importance_and_Challenges_of_Reproducible_Builds_for_Software_Supply_Chain_Security/24614676","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5018571922","display_name":"Marcel Fourn\u00e9","orcid":"https://orcid.org/0000-0003-4442-0085"},"institutions":[{"id":"https://openalex.org/I4210096592","display_name":"Max Planck Institute for Security and Privacy","ror":"https://ror.org/00bj0r217","country_code":"DE","type":"facility","lineage":["https://openalex.org/I149899117","https://openalex.org/I4210096592"]}],"countries":["DE"],"is_corresponding":true,"raw_author_name":"Marcel Fourn\u00e9","raw_affiliation_strings":["Max Planck Institute for Security and Privacy,Bochum,Germany","Max Planck Institute for Security and Privacy, Bochum, Germany"],"affiliations":[{"raw_affiliation_string":"Max Planck Institute for Security and Privacy,Bochum,Germany","institution_ids":["https://openalex.org/I4210096592"]},{"raw_affiliation_string":"Max Planck Institute for Security and Privacy, Bochum, Germany","institution_ids":["https://openalex.org/I4210096592"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5004650891","display_name":"Dominik Wermke","orcid":"https://orcid.org/0009-0008-2921-1254"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Dominik Wermke","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security,Germany","CISPA Helmholtz Center for Information Security, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security,Germany","institution_ids":["https://openalex.org/I4210128801"]},{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5024034310","display_name":"William Enck","orcid":"https://orcid.org/0000-0002-3043-8092"},"institutions":[{"id":"https://openalex.org/I137902535","display_name":"North Carolina State University","ror":"https://ror.org/04tj63d06","country_code":"US","type":"education","lineage":["https://openalex.org/I137902535"]}],"countries":["US"],"is_corresponding":false,"raw_author_name":"William Enck","raw_affiliation_strings":["North Carolina State University,Raleigh,North Carolina,USA","North Carolina State University, Raleigh, North Carolina, USA"],"affiliations":[{"raw_affiliation_string":"North Carolina State University,Raleigh,North Carolina,USA","institution_ids":["https://openalex.org/I137902535"]},{"raw_affiliation_string":"North Carolina State University, Raleigh, North Carolina, USA","institution_ids":["https://openalex.org/I137902535"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5087356408","display_name":"Sascha Fahl","orcid":"https://orcid.org/0000-0002-5644-3316"},"institutions":[{"id":"https://openalex.org/I4210128801","display_name":"Helmholtz Center for Information Security","ror":"https://ror.org/02njgxr09","country_code":"DE","type":"facility","lineage":["https://openalex.org/I1305996414","https://openalex.org/I4210128801"]}],"countries":["DE"],"is_corresponding":false,"raw_author_name":"Sascha Fahl","raw_affiliation_strings":["CISPA Helmholtz Center for Information Security,Germany","CISPA Helmholtz Center for Information Security, Germany"],"affiliations":[{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security,Germany","institution_ids":["https://openalex.org/I4210128801"]},{"raw_affiliation_string":"CISPA Helmholtz Center for Information Security, Germany","institution_ids":["https://openalex.org/I4210128801"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5074668699","display_name":"Yasemin Acar","orcid":"https://orcid.org/0000-0001-7167-7383"},"institutions":[{"id":"https://openalex.org/I206945453","display_name":"Paderborn University","ror":"https://ror.org/058kzsd48","country_code":"DE","type":"education","lineage":["https://openalex.org/I206945453"]},{"id":"https://openalex.org/I193531525","display_name":"George Washington University","ror":"https://ror.org/00y4zzh67","country_code":"US","type":"education","lineage":["https://openalex.org/I193531525"]}],"countries":["DE","US"],"is_corresponding":false,"raw_author_name":"Yasemin Acar","raw_affiliation_strings":["Paderborn University,Germany","Paderborn University, Germany","George Washington University, USA"],"affiliations":[{"raw_affiliation_string":"Paderborn University,Germany","institution_ids":["https://openalex.org/I206945453"]},{"raw_affiliation_string":"Paderborn University, Germany","institution_ids":["https://openalex.org/I206945453"]},{"raw_affiliation_string":"George Washington University, USA","institution_ids":["https://openalex.org/I193531525"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5018571922"],"corresponding_institution_ids":["https://openalex.org/I4210096592"],"apc_list":null,"apc_paid":null,"fwci":9.6324,"has_fulltext":false,"cited_by_count":21,"citation_normalized_percentile":{"value":0.980236,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":97,"max":99},"biblio":{"volume":null,"issue":null,"first_page":"1527","last_page":"1544"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9987999796867371,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11675","display_name":"Open Source Software Innovations","score":0.9979000091552734,"subfield":{"id":"https://openalex.org/subfields/1706","display_name":"Computer Science Applications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9958000183105469,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6708559989929199},{"id":"https://openalex.org/keywords/supply-chain","display_name":"Supply chain","score":0.6303358674049377},{"id":"https://openalex.org/keywords/upstream","display_name":"Upstream (networking)","score":0.5825295448303223},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5412956476211548},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.5197224617004395},{"id":"https://openalex.org/keywords/point","display_name":"Point (geometry)","score":0.490624338388443},{"id":"https://openalex.org/keywords/work","display_name":"Work (physics)","score":0.42524275183677673},{"id":"https://openalex.org/keywords/code-review","display_name":"Code review","score":0.41237854957580566},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3953537046909332},{"id":"https://openalex.org/keywords/world-wide-web","display_name":"World Wide Web","score":0.3235648274421692},{"id":"https://openalex.org/keywords/software-development","display_name":"Software development","score":0.27247047424316406},{"id":"https://openalex.org/keywords/software-quality","display_name":"Software quality","score":0.2179105579853058},{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.2131880521774292},{"id":"https://openalex.org/keywords/engineering","display_name":"Engineering","score":0.16372975707054138},{"id":"https://openalex.org/keywords/telecommunications","display_name":"Telecommunications","score":0.12506622076034546},{"id":"https://openalex.org/keywords/marketing","display_name":"Marketing","score":0.11030060052871704},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.08956348896026611}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6708559989929199},{"id":"https://openalex.org/C108713360","wikidata":"https://www.wikidata.org/wiki/Q1824206","display_name":"Supply chain","level":2,"score":0.6303358674049377},{"id":"https://openalex.org/C191172861","wikidata":"https://www.wikidata.org/wiki/Q7899321","display_name":"Upstream (networking)","level":2,"score":0.5825295448303223},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5412956476211548},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.5197224617004395},{"id":"https://openalex.org/C28719098","wikidata":"https://www.wikidata.org/wiki/Q44946","display_name":"Point (geometry)","level":2,"score":0.490624338388443},{"id":"https://openalex.org/C18762648","wikidata":"https://www.wikidata.org/wiki/Q42213","display_name":"Work (physics)","level":2,"score":0.42524275183677673},{"id":"https://openalex.org/C150292731","wikidata":"https://www.wikidata.org/wiki/Q1342704","display_name":"Code review","level":5,"score":0.41237854957580566},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3953537046909332},{"id":"https://openalex.org/C136764020","wikidata":"https://www.wikidata.org/wiki/Q466","display_name":"World Wide Web","level":1,"score":0.3235648274421692},{"id":"https://openalex.org/C529173508","wikidata":"https://www.wikidata.org/wiki/Q638608","display_name":"Software development","level":3,"score":0.27247047424316406},{"id":"https://openalex.org/C117447612","wikidata":"https://www.wikidata.org/wiki/Q1412670","display_name":"Software quality","level":4,"score":0.2179105579853058},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.2131880521774292},{"id":"https://openalex.org/C127413603","wikidata":"https://www.wikidata.org/wiki/Q11023","display_name":"Engineering","level":0,"score":0.16372975707054138},{"id":"https://openalex.org/C76155785","wikidata":"https://www.wikidata.org/wiki/Q418","display_name":"Telecommunications","level":1,"score":0.12506622076034546},{"id":"https://openalex.org/C162853370","wikidata":"https://www.wikidata.org/wiki/Q39809","display_name":"Marketing","level":1,"score":0.11030060052871704},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.08956348896026611},{"id":"https://openalex.org/C2524010","wikidata":"https://www.wikidata.org/wiki/Q8087","display_name":"Geometry","level":1,"score":0.0},{"id":"https://openalex.org/C78519656","wikidata":"https://www.wikidata.org/wiki/Q101333","display_name":"Mechanical engineering","level":1,"score":0.0},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.0}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.1109/sp46215.2023.10179320","is_oa":false,"landing_page_url":"https://doi.org/10.1109/sp46215.2023.10179320","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2023 IEEE Symposium on Security and Privacy (SP)","raw_type":"proceedings-article"},{"id":"pmh:oai:figshare.com:article/24614676","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/It_s_like_flossing_your_teeth_On_the_Importance_and_Challenges_of_Reproducible_Builds_for_Software_Supply_Chain_Security/24614676","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},{"id":"doi:10.60882/cispa.24614676.v1","is_oa":true,"landing_page_url":"https://doi.org/10.60882/cispa.24614676.v1","pdf_url":null,"source":{"id":"https://openalex.org/S7407050916","display_name":"CISPA Helmholtz Center","issn_l":null,"issn":[],"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:oai:figshare.com:article/24614676","is_oa":true,"landing_page_url":"https://figshare.com/articles/conference_contribution/It_s_like_flossing_your_teeth_On_the_Importance_and_Challenges_of_Reproducible_Builds_for_Software_Supply_Chain_Security/24614676","pdf_url":null,"source":{"id":"https://openalex.org/S4377196282","display_name":"Figshare","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4210132348","host_organization_name":"Figshare (United Kingdom)","host_organization_lineage":["https://openalex.org/I4210132348"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"","raw_type":"Text"},"sustainable_development_goals":[{"display_name":"Industry, innovation and infrastructure","score":0.5600000023841858,"id":"https://metadata.un.org/sdg/9"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":122,"referenced_works":["https://openalex.org/W104553443","https://openalex.org/W205609712","https://openalex.org/W1511656335","https://openalex.org/W1627569172","https://openalex.org/W1780778418","https://openalex.org/W1966276021","https://openalex.org/W1967042038","https://openalex.org/W1975782063","https://openalex.org/W1979778970","https://openalex.org/W1986222079","https://openalex.org/W2006624349","https://openalex.org/W2018638699","https://openalex.org/W2028486686","https://openalex.org/W2035789063","https://openalex.org/W2062706277","https://openalex.org/W2069268700","https://openalex.org/W2073429012","https://openalex.org/W2075337331","https://openalex.org/W2098681705","https://openalex.org/W2103001366","https://openalex.org/W2107294940","https://openalex.org/W2109156518","https://openalex.org/W2111978054","https://openalex.org/W2121513440","https://openalex.org/W2123829847","https://openalex.org/W2124100711","https://openalex.org/W2124789775","https://openalex.org/W2128780139","https://openalex.org/W2130743551","https://openalex.org/W2138783984","https://openalex.org/W2139092060","https://openalex.org/W2141168725","https://openalex.org/W2146649871","https://openalex.org/W2150198410","https://openalex.org/W2157071571","https://openalex.org/W2157353183","https://openalex.org/W2166838101","https://openalex.org/W2168248828","https://openalex.org/W2170267084","https://openalex.org/W2186103202","https://openalex.org/W2194432963","https://openalex.org/W2243109068","https://openalex.org/W2269388016","https://openalex.org/W2344018727","https://openalex.org/W2354248936","https://openalex.org/W2368671040","https://openalex.org/W2394834103","https://openalex.org/W2469513535","https://openalex.org/W2534280618","https://openalex.org/W2557302400","https://openalex.org/W2605726584","https://openalex.org/W2615284185","https://openalex.org/W2646484260","https://openalex.org/W2735173242","https://openalex.org/W2740329368","https://openalex.org/W2763622888","https://openalex.org/W2766411424","https://openalex.org/W2781981343","https://openalex.org/W2782969241","https://openalex.org/W2783990487","https://openalex.org/W2800968634","https://openalex.org/W2903126489","https://openalex.org/W2946567467","https://openalex.org/W2951913189","https://openalex.org/W2953859928","https://openalex.org/W2954266827","https://openalex.org/W2962804757","https://openalex.org/W2966980041","https://openalex.org/W2999907777","https://openalex.org/W3028407954","https://openalex.org/W3029879311","https://openalex.org/W3032932651","https://openalex.org/W3088041916","https://openalex.org/W3090554539","https://openalex.org/W3097007871","https://openalex.org/W3098893992","https://openalex.org/W3105037104","https://openalex.org/W3108826526","https://openalex.org/W3112421345","https://openalex.org/W3140103367","https://openalex.org/W3141872514","https://openalex.org/W3155859537","https://openalex.org/W3156903202","https://openalex.org/W3159563414","https://openalex.org/W3160499023","https://openalex.org/W3161052308","https://openalex.org/W3162004270","https://openalex.org/W3162246821","https://openalex.org/W3190536237","https://openalex.org/W3208623264","https://openalex.org/W3211341298","https://openalex.org/W4233214837","https://openalex.org/W4248045917","https://openalex.org/W4282813657","https://openalex.org/W4284672755","https://openalex.org/W4284698521","https://openalex.org/W4288057734","https://openalex.org/W4288057759","https://openalex.org/W4288057810","https://openalex.org/W4288079288","https://openalex.org/W4288079339","https://openalex.org/W4308463084","https://openalex.org/W4310364134","https://openalex.org/W4312439220","https://openalex.org/W4385080312","https://openalex.org/W4394663859","https://openalex.org/W6628602181","https://openalex.org/W6715480035","https://openalex.org/W6740524821","https://openalex.org/W6742102062","https://openalex.org/W6743784117","https://openalex.org/W6743880665","https://openalex.org/W6765285382","https://openalex.org/W6765587806","https://openalex.org/W6766054592","https://openalex.org/W6767123700","https://openalex.org/W6781159446","https://openalex.org/W6800603138","https://openalex.org/W6803329020","https://openalex.org/W6864364900","https://openalex.org/W6921127687","https://openalex.org/W6959146781"],"related_works":["https://openalex.org/W3187420948","https://openalex.org/W4250195981","https://openalex.org/W2066709420","https://openalex.org/W2767550285","https://openalex.org/W2620085874","https://openalex.org/W2064496565","https://openalex.org/W2140798747","https://openalex.org/W3123355452","https://openalex.org/W2948169060","https://openalex.org/W1994860370"],"abstract_inverted_index":{"The":[0,83],"2020":[1],"Solarwinds":[2],"attack":[3],"was":[4],"a":[5,10,37,92,98,105,139],"tipping":[6],"point":[7],"that":[8,51,119,143,169],"caused":[9],"heightened":[11],"awareness":[12],"about":[13],"the":[14,17,24,53,69,115,193,196],"security":[15,157],"of":[16,27,68,78,85,107,141,155,163,195],"software":[18,70,201],"supply":[19],"chain":[20],"and":[21,59,126,159,171,199],"in":[22,30],"particular":[23],"large":[25],"amount":[26],"trust":[28],"placed":[29],"build":[31,41,47,57,60],"systems.":[32],"Reproducible":[33],"Builds":[34],"(R-Bs)":[35],"provide":[36],"strong":[38],"foundation":[39],"to":[40,89,96,135,149,188],"defenses":[42],"for":[43,80,94,151],"arbitrary":[44],"attacks":[45],"against":[46],"systems":[48],"by":[49,122],"ensuring":[50],"given":[52],"same":[54],"source":[55,147,198],"code,":[56],"environment,":[58],"instructions,":[61],"bitwise-identical":[62],"artifacts":[63],"are":[64,74,132],"created.":[65],"Unfortunately,":[66],"much":[67],"industry":[71],"believes":[72],"R-Bs":[73,95,191],"too":[75],"far":[76],"out":[77],"reach":[79],"most":[81],"projects.":[82,181],"goal":[84],"this":[86,101],"paper":[87],"is":[88],"help":[90,170],"identify":[91,167],"path":[93],"become":[97],"commonplace":[99],"property.To":[100],"end,":[102],"we":[103],"conducted":[104],"series":[106],"24":[108],"semi-structured":[109],"expert":[110],"interviews":[111],"with":[112,129,179,184,192],"participants":[113],"from":[114],"Reproducible-Builds.org":[116],"project,":[117],"finding":[118],"self-effective":[120],"work":[121],"highly":[123],"motivated":[124],"developers":[125,148],"collaborative":[127],"communication":[128,178],"upstream":[130,180],"projects":[131],"key":[133],"contributors":[134],"R-Bs.":[136],"We":[137,165,182],"identified":[138],"range":[140],"motivations":[142],"can":[144],"encourage":[145],"open":[146,197],"strive":[150],"R-Bs,":[152],"including":[153],"indicators":[154],"quality,":[156],"benefits,":[158],"more":[160],"efficient":[161],"caching":[162],"artifacts.":[164],"also":[166],"experiences":[168],"hinder":[172],"adoption,":[173],"which":[174],"often":[175],"revolves":[176],"around":[177],"conclude":[183],"recommendations":[185],"on":[186],"how":[187],"better":[189],"integrate":[190],"efforts":[194],"free":[200],"community.":[202]},"counts_by_year":[{"year":2025,"cited_by_count":11},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":6}],"updated_date":"2026-03-25T14:56:36.534964","created_date":"2025-10-10T00:00:00"}