Newsroom

Achieving "reproducible builds" for improved software security


Award ceremony at the MSR (Mining Software Repositories) banquet at the Canadian Museum of History, Ottawa. From l. to r.: Bram Adams (MSR general chair), Julien Malka, Stefano Zacchiroli, Olga Baysal & Ayushi Rastogi (MSR programme co-chairs) – photo Roberto Di Cosmo

Julien Malka, PhD student, and Stefano Zacchiroli and Théo Zimmermann, professors in the Autonomous Critical Embedded Systems (ACES) team at Télécom Paris’ LTCI lab, have been awarded the ACM SIGSOFT Distinguished Paper Award for their paper ‘Does functional package management enable reproducible builds at scale? Yes.’, published at the Mining Software Repositories (MSR) 2025 conference.

The Mining Software Repositories (MSR) conference is the most prestigious scientific conference on software analytics, the field in which software engineering data is analysed using a mix of data science, machine learning / artificial intelligence and qualitative methodologies.


The research presented in the article ‘Does functional package management enable reproducible builds at scale? Yes.’ will help us to better understand and improve software security.
the authors


When software is installed, it is important to know that it has not been modified or corrupted. One way to achieve this is a method called ‘reproducible builds’: rebuilding the software from its source code yields exactly the same result, regardless of who performs the build or when.

Our researchers wanted to find out whether this method holds up even when applied to hundreds of thousands of software packages. They therefore tested more than 700,000 packages in a system called Nix, built between 2017 and 2023.

Their experiment showed that, in most cases, the software came out identical when rebuilt. Sometimes there were small differences, often due to dates or other information inserted automatically during the build.
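To illustrate the kind of difference the article mentions, here is an added example (not code from the paper or from Nix): a toy ‘build’ step that packs a constructed source tree into a tar archive and checks whether two runs produce the same hash. Stamping the current time on the archive members breaks reproducibility; stamping a fixed epoch, as reproducible-build tooling does, restores it.

```python
import hashlib
import io
import tarfile

# Constructed sample "source tree": file name -> contents (not from the paper).
SOURCES = {
    "main.c": b"int main(void) { return 0; }\n",
    "README": b"demo package\n",
}

# Fixed timestamp a reproducible build would use instead of "now".
FIXED_EPOCH = 0


def build(sources, mtime):
    """Pack the sources into an uncompressed tar archive (stand-in for a build).

    `mtime` is stamped on every archive member. A wall-clock value makes each
    build differ; a fixed value removes that source of non-determinism.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(sources):  # deterministic member order
            info = tarfile.TarInfo(name)
            info.size = len(sources[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(sources[name]))
    return buf.getvalue()


def digest(artifact):
    """SHA-256 of the build output, the value two independent builders compare."""
    return hashlib.sha256(artifact).hexdigest()


def rebuilds_identically(sources, mtime_first, mtime_second):
    """True when two builds (possibly at different times) yield the same hash."""
    return digest(build(sources, mtime_first)) == digest(build(sources, mtime_second))


if __name__ == "__main__":
    # Two builds one second apart with wall-clock timestamps: hashes differ.
    print("timestamped:", rebuilds_identically(SOURCES, 1700000000, 1700000001))
    # Two builds with a fixed epoch: byte-for-byte identical.
    print("fixed epoch:", rebuilds_identically(SOURCES, FIXED_EPOCH, FIXED_EPOCH))
```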