{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,31]],"date-time":"2026-01-31T17:03:23Z","timestamp":1769879003516,"version":"3.49.0"},"reference-count":45,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,11,29]],"date-time":"2023-11-29T00:00:00Z","timestamp":1701216000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2023,11,29]],"date-time":"2023-11-29T00:00:00Z","timestamp":1701216000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"funder":[{"DOI":"10.13039\/501100000038","name":"NSERC","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2024,1]]},"DOI":"10.1007\/s10664-023-10399-4","type":"journal-article","created":{"date-parts":[[2023,11,29]],"date-time":"2023-11-29T11:02:21Z","timestamp":1701255741000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["Unreproducible builds: time to fix, causes, and correlation with external ecosystem factors"],"prefix":"10.1007","volume":"29","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3367-6907","authenticated-orcid":false,"given":"Rahul","family":"Bajaj","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Eduardo","family":"Fernandes","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bram","family":"Adams","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ahmed E.","family":"Hassan","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,11,29]]},"reference":[{"key":"10399_CR1","doi-asserted-by":"crossref","unstructured":"Abdalkareem R, Nourry O, Wehaibi S, Mujahid S, Shihab E (2017) Why do developers use trivial packages? an empirical case study on npm. In: Proceedings of the 11th joint meeting on foundations of software engineering (ESEC\/FSE). pp 385\u2013395","DOI":"10.1145\/3106237.3106267"},{"issue":"3","key":"10399_CR2","doi-asserted-by":"publisher","first-page":"960","DOI":"10.1007\/s10664-015-9371-y","volume":"21","author":"B Adams","year":"2016","unstructured":"Adams B, Kavanagh R, Hassan AE, German DM (2016) An empirical study of integration activities in distributions of open source software. Empir Softw Eng 21(3):960\u20131001","journal-title":"Empir Softw Eng"},{"key":"10399_CR3","volume-title":"Survival analysis using SAS: a practical guide","author":"PD Allison","year":"2010","unstructured":"Allison PD (2010) Survival analysis using SAS: a practical guide, 2nd edn. SAS Institute","edition":"2"},{"issue":"12","key":"10399_CR4","first-page":"44","volume":"20","author":"FP Brooks","year":"1974","unstructured":"Brooks FP (1974) The mythical man-month. Datamation 20(12):44\u201352","journal-title":"Datamation"},{"key":"10399_CR5","doi-asserted-by":"crossref","unstructured":"Butler S, Gamalielsson J, Lundell B, Brax C, Mattsson A, Gustavsson T, Feist J, Kvarnstr\u00f6m B, L\u00f6nroth E (2022) On business adoption and use of reproducible builds for open and closed source software. Software Qual J 1\u201333","DOI":"10.1007\/s11219-022-09607-z"},{"key":"10399_CR6","doi-asserted-by":"crossref","unstructured":"de Carn\u00e9\u00a0de Carnavalet X, Mannan M (2014) Challenges and implications of verifiable builds for security-critical open-source software. In: Proceedings of the 30th annual computer security applications conference (ACSAC). pp 16\u201325","DOI":"10.1145\/2664243.2664288"},{"key":"10399_CR7","unstructured":"Chowdhury MAR, Abdalkareem R, Shihab E, Adams B (2021) On the untriviality of trivial packages: An empirical study of npm javascript packages. IEEE Transactions on Software Engineering pp 1\u201315"},{"key":"10399_CR8","doi-asserted-by":"crossref","unstructured":"Claes M, Mens T, Di Cosmo R, Vouillon J (2015) A historical analysis of Debian package incompatibilities. In: Proceedings of the 12th working conference on mining software repositories (MSR). pp 212\u2013223","DOI":"10.1109\/MSR.2015.27"},{"key":"10399_CR9","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Claes M (2016) On the topology of package dependency networks: A comparison of three programming language ecosystems. In: Proceedings of the 10th European conference on software architecture workshops (ECSAW). pp 21:1\u201321:4","DOI":"10.1145\/2993412.3003382"},{"key":"10399_CR10","doi-asserted-by":"crossref","unstructured":"Decan A, Mens T, Constantinou E (2018) On the impact of security vulnerabilities in the NPM package dependency network. In: Proceedings of the 15th international conference on mining software repositories. pp 181\u2013191","DOI":"10.1145\/3196398.3196401"},{"key":"10399_CR11","doi-asserted-by":"crossref","unstructured":"Easterbrook S, Singer J, Storey MA, Damian D (2008) Selecting empirical methods for software engineering research. In: Guide to advanced empirical software engineering. Springer, pp 285\u2013311","DOI":"10.1007\/978-1-84800-044-5_11"},{"issue":"3","key":"10399_CR12","doi-asserted-by":"crossref","first-page":"27","DOI":"10.1080\/07421222.1991.11517928","volume":"8","author":"L Fried","year":"1991","unstructured":"Fried L (1991) Team size and productivity in systems development bigger does not always mean better. J Inf Syst Manag 8(3):27\u201335","journal-title":"J Inf Syst Manag"},{"key":"10399_CR13","doi-asserted-by":"crossref","unstructured":"Goeminne M, Mens T (2015) Towards a survival analysis of database framework usage in java projects. In: Proceedings of the 2015 IEEE international conference on software maintenance and evolution (ICSME), pp 551\u2013555","DOI":"10.1109\/ICSM.2015.7332512"},{"key":"10399_CR14","doi-asserted-by":"crossref","unstructured":"Goswami P, Gupta S, Li Z, Meng N, Yao D (2020) Investigating the reproducibility of NPM packages. In: Proceedings of the 2020 international conference on software maintenance and evolution (ICSME). pp 677\u2013681","DOI":"10.1109\/ICSME46990.2020.00071"},{"issue":"282","key":"10399_CR15","doi-asserted-by":"publisher","first-page":"457","DOI":"10.1080\/01621459.1958.10501452","volume":"53","author":"E Kaplan","year":"1958","unstructured":"Kaplan E, Meier P (1958) Nonparametric estimation from incomplete observations. J Am Stat Assoc 53(282):457\u2013481","journal-title":"J Am Stat Assoc"},{"key":"10399_CR16","unstructured":"Koen R, Olivier MS (2008) The use of file timestamps in digital forensics. In: ISSA. Citeseer, pp 1\u201316"},{"issue":"2","key":"10399_CR17","doi-asserted-by":"publisher","first-page":"62","DOI":"10.1109\/MS.2021.3073045","volume":"39","author":"C Lamb","year":"2021","unstructured":"Lamb C, Zacchiroli S (2021) Reproducible builds: Increasing the integrity of software supply chains. IEEE Software 39(2):62\u201370","journal-title":"IEEE Software"},{"issue":"3","key":"10399_CR18","first-page":"1","volume":"27","author":"M Maes-Bermejo","year":"2022","unstructured":"Maes-Bermejo M, Gallego M, Gort\u00e1zar F, Robles G, Gonzalez-Barahona JM (2022) Revisiting the building of past snapshots-a replication and reproduction study. Empir Softw Eng (EMSE) 27(3):1\u201326","journal-title":"Empir Softw Eng (EMSE)"},{"key":"10399_CR19","doi-asserted-by":"crossref","unstructured":"Mancinelli F, Boender J, Di Cosmo R, Vouillon J, Durak B, Leroy X, Treinen R (2006) Managing the complexity of large free and open source package-based software distributions. In: Proceedings of the 21st international conference on automated software engineering (ASE). pp 199\u2013208","DOI":"10.1109\/ASE.2006.49"},{"issue":"5","key":"10399_CR20","doi-asserted-by":"publisher","first-page":"1384","DOI":"10.1007\/s10664-014-9338-4","volume":"20","author":"MV M\u00e4ntyl\u00e4","year":"2015","unstructured":"M\u00e4ntyl\u00e4 MV, Adams B, Khomh F, Engstr\u00f6m E, Petersen K (2015) On rapid releases and software testing: A case study and a semi-systematic literature review. Empirical Software Engineering 20(5):1384\u20131425","journal-title":"Empirical Software Engineering"},{"issue":"4","key":"10399_CR21","doi-asserted-by":"publisher","first-page":"e0153048","DOI":"10.1371\/journal.pone.0153048","volume":"11","author":"A Mao","year":"2016","unstructured":"Mao A, Mason W, Suri S, Watts DJ (2016) An experimental study of team size and performance on a complex task. PloS one 11(4):e0153048","journal-title":"PloS one"},{"key":"10399_CR22","doi-asserted-by":"publisher","first-page":"14","DOI":"10.1109\/MSEC.2021.3050433","volume":"19","author":"F Massacci","year":"2021","unstructured":"Massacci F, Jaeger T, Peisert S (2021) Solarwinds and the challenges of patching: Can we ever stop dancing with the devil? IEEE Secur Priv 19:14\u201319","journal-title":"IEEE Secur Priv"},{"key":"10399_CR23","unstructured":"Maste E (2017) Reproducible builds in freebsd. In: Proceedings of 11th Asian conference on BSD based systems (AsiaBSDCon). pp 1\u20138"},{"issue":"3","key":"10399_CR24","doi-asserted-by":"publisher","first-page":"276","DOI":"10.11613\/BM.2012.031","volume":"22","author":"M McHugh","year":"2012","unstructured":"McHugh M (2012) Interrater reliability: The Kappa statistic. Biochemia Medica 22(3):276\u2013282","journal-title":"Biochemia Medica"},{"key":"10399_CR25","doi-asserted-by":"crossref","unstructured":"McIntosh S, Adams B, Nagappan M, Hassan AE (2014) Mining co-change information to understand when build changes are necessary. In: Proceedings of the 2014 IEEE international conference on software maintenance and evolution (ICSME). pp 241\u2013250","DOI":"10.1109\/ICSME.2014.46"},{"key":"10399_CR26","doi-asserted-by":"crossref","unstructured":"Michlmayr M, Hunt F, Probert D (2007) Release management in free software projects: Practices and problems. In: Proceedings of the 2007 international federation for information processing international conference on open source systems (IFIPAICT), vol 234. pp 295\u2013300","DOI":"10.1007\/978-0-387-72486-7_31"},{"key":"10399_CR27","unstructured":"Miller P (1998) Recursive make considered harmful. AUUGN Journal of AUUG Inc 19(1):14\u201325"},{"key":"10399_CR28","doi-asserted-by":"crossref","unstructured":"Mirhosseini S, Parnin C (2017) Can automated pull requests encourage software developers to upgrade out-of-date dependencies? In: 2017 32nd IEEE\/ACM international conference on automated software engineering (ASE). pp 84\u201394","DOI":"10.1109\/ASE.2017.8115621"},{"key":"10399_CR29","doi-asserted-by":"crossref","unstructured":"Nagappan N, Ball T (2005) Use of relative code churn measures to predict system defect density. In: Proceedings of the 27th international conference on software engineering. pp 284\u2013292","DOI":"10.1145\/1062455.1062514"},{"key":"10399_CR30","doi-asserted-by":"crossref","unstructured":"Nussbaum L, Zacchiroli S (2010) The ultimate Debian database: Consolidating bazaar metadata for quality assurance and data mining. In: 2010 7th IEEE working conference on mining software repositories (MSR 2010). pp 52\u201361","DOI":"10.1109\/MSR.2010.5463277"},{"key":"10399_CR31","doi-asserted-by":"crossref","unstructured":"Ohm M, Plate H, Sykosch A, Meier M (2020) Backstabber\u2019s knife collection: A review of open source software supply chain attacks. In: Proceedings of the 2020 international conference on detection of intrusions and malware, and vulnerability assessment, vol 12223. pp 23\u201343","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"10399_CR32","doi-asserted-by":"crossref","unstructured":"Ohm M, Sykosch A, Meier M (2020) Towards detection of software supply chain attacks by forensic artifacts. In: Proceedings of the 15th international conference on availability, reliability and security (ARES). pp 1\u20136","DOI":"10.1145\/3407023.3409183"},{"issue":"1","key":"10399_CR33","doi-asserted-by":"publisher","first-page":"59","DOI":"10.2307\/1402731","volume":"51","author":"R Plackett","year":"1983","unstructured":"Plackett R (1983) Karl Pearson and the Chi-Squared test. Int Stat Rev 51(1):59\u201372","journal-title":"Int Stat Rev"},{"issue":"3","key":"10399_CR34","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1007\/s12130-999-1026-0","volume":"12","author":"E Raymond","year":"1999","unstructured":"Raymond E (1999) The cathedral and the bazaar. Knowl Technol Policy 12(3):23\u201349","journal-title":"Knowl Technol Policy"},{"key":"10399_CR35","volume-title":"Designing and conducting survey research: A comprehensive guide","author":"LM Rea","year":"2014","unstructured":"Rea LM, Parker RA (2014) Designing and conducting survey research: A comprehensive guide, 1st edn. John Wiley & Sons","edition":"1"},{"key":"10399_CR36","unstructured":"Ren Z, Jiang H, Xuan J, Yang Z (2016) Automated localization for unreproducible builds. In: Proceedings of the 40th international conference on software engineering (ICSE). pp 71\u201381"},{"issue":"9","key":"10399_CR37","doi-asserted-by":"publisher","first-page":"902","DOI":"10.1016\/j.infsof.2010.05.001","volume":"52","author":"I Samoladas","year":"2010","unstructured":"Samoladas I, Angelis L, Stamelos I (2010) Survival analysis on the duration of open source projects. Inf Softw Technol 52(9):902\u2013922","journal-title":"Inf Softw Technol"},{"key":"10399_CR38","doi-asserted-by":"crossref","unstructured":"Shi Y, Wen M, Cogo FR, Chen B, Jiang ZMJ (2021) An experience report on producing verifiable builds for large-scale commercial systems. IEEE Transactions on Software Engineering","DOI":"10.1109\/TSE.2021.3092692"},{"issue":"8","key":"10399_CR39","doi-asserted-by":"publisher","first-page":"761","DOI":"10.1145\/358198.358210","volume":"27","author":"K Thompson","year":"1984","unstructured":"Thompson K (1984) Reflections on trusting trust. Commun ACM 27(8):761\u2013763","journal-title":"Commun ACM"},{"key":"10399_CR40","doi-asserted-by":"crossref","unstructured":"Vu DL, Pashchenko I, Massacci F, Plate H, Sabetta A (2020) Towards using source code repositories to identify software supply chain attacks, pp 2093\u20132095","DOI":"10.1145\/3372297.3420015"},{"key":"10399_CR41","doi-asserted-by":"crossref","unstructured":"Wang Z, Zhang H, Chen TH, Wang S (2021) Would you like a quick peek? Providing logging support to monitor data processing in big data applications. In: Proceedings of the 29th joint meeting on european software engineering conference and symposium on the foundations of software engineering (ESEC\/FSE). pp 516\u2013526","DOI":"10.1145\/3468264.3468613"},{"key":"10399_CR42","doi-asserted-by":"crossref","unstructured":"Wheeler DA (2005) Countering trusting trust through diverse double-compiling. In: Proceedings of the 21st annual computer security applications conference (ACSAC). pp 1\u201313","DOI":"10.1109\/CSAC.2005.17"},{"key":"10399_CR43","doi-asserted-by":"crossref","unstructured":"Yan D, Niu Y, Liu K, Liu Z, Liu Z, Bissyand\u00e9 TF (2021) Estimating the attack surface from residual vulnerabilities in open source software supply chain. In: Proceedings of the 21st international conference on software quality, reliability and security (QRS). pp 493\u2013502","DOI":"10.1109\/QRS54544.2021.00060"},{"key":"10399_CR44","doi-asserted-by":"crossref","unstructured":"Zerouali A, Constantinou E, Mens T, Robles G, Gonz\u00e1lez-Barahona J (2018) An empirical analysis of technical lag in NPM package dependencies. In: International conference on software reuse. pp 95\u2013110","DOI":"10.1007\/978-3-319-90421-4_6"},{"key":"10399_CR45","doi-asserted-by":"crossref","unstructured":"Zerouali A, Mens T, Robles G, Gonzalez-Barahona JM (2019) On the diversity of software package popularity metrics: an empirical study of npm. In: Proceedings of the 26th international conference on software analysis, evolution and reengineering (SANER). pp 589\u2013593","DOI":"10.1109\/SANER.2019.8667997"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-023-10399-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-023-10399-4\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-023-10399-4.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,3,27]],"date-time":"2024-03-27T13:29:32Z","timestamp":1711546172000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-023-10399-4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,29]]},"references-count":45,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,1]]}},"alternative-id":["10399"],"URL":"https:\/\/doi.org\/10.1007\/s10664-023-10399-4","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,29]]},"assertion":[{"value":"21 September 2023","order":1,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"29 November 2023","order":2,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"All authors declare that there is no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of Interest"}}],"article-number":"11"}}