{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T14:57:01Z","timestamp":1777129021048,"version":"3.51.4"},"reference-count":132,"publisher":"IEEE","license":[{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-009"},{"start":{"date-parts":[[2023,5,1]],"date-time":"2023-05-01T00:00:00Z","timestamp":1682899200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-001"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2023,5]]},"DOI":"10.1109\/sp46215.2023.10179320","type":"proceedings-article","created":{"date-parts":[[2023,7,21]],"date-time":"2023-07-21T17:18:15Z","timestamp":1689959895000},"page":"1527-1544","source":"Crossref","is-referenced-by-count":20,"title":["It\u2019s like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security"],"prefix":"10.1109","author":[{"given":"Marcel","family":"Fourn\u00e9","sequence":"first","affiliation":[{"name":"Max Planck Institute for Security and Privacy,Bochum,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Dominik","family":"Wermke","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"William","family":"Enck","sequence":"additional","affiliation":[{"name":"North Carolina State University,Raleigh,North Carolina,USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sascha","family":"Fahl","sequence":"additional","affiliation":[{"name":"CISPA Helmholtz Center for Information Security,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yasemin","family":"Acar","sequence":"additional","affiliation":[{"name":"Paderborn University,Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"263","reference":[{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/358198.358210"},{"key":"ref3","volume-title":"Gitian: A secure software distribution method","year":"2011"},{"key":"ref4","volume-title":"Reproducible builds moving beyond single points of failure for software distribution","author":"Perry","year":"2014"},{"key":"ref5","first-page":"1393","article-title":"In-toto: Providing farm-to-table guarantees for bits and bytes","volume-title":"Proceedings of the 28th USENIX Security Symposium (Sec\u201919)","author":"Torres-Arias"},{"key":"ref6","first-page":"1271","article-title":"CHAINIAC: Proactive Software-Update transparency via collectively signed skipchains and verified builds","volume-title":"Proceedings of the 26th USENIX Security Symposium (Sec\u201917)","author":"Nikitin"},{"key":"ref7","volume-title":"ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers","year":"2022"},{"key":"ref8","volume-title":"NSA, CISA, ODNI Release Software Supply Chain Guidance for Developers","year":"2022"},{"key":"ref9","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2021.3073045"},{"key":"ref10","volume-title":"Diffoscope in-depth comparison of files, archives, and directories","year":"2014"},{"key":"ref11","volume-title":"Reprotest","year":"2016"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180224"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00056"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510102"},{"key":"ref15","volume-title":"Reproducible Debian overview","year":"2023"},{"key":"ref16","volume-title":"Reproducible Arch Linux?!","year":"2023"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1007\/s11219-022-09607-z"},{"key":"ref18","volume-title":"Research methods in human-computer interaction","author":"Lazar","year":"2017"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2021.3073045"},{"key":"ref20","doi-asserted-by":"publisher","DOI":"10.1002\/j.1538-7305.1980.tb03063.x"},{"key":"ref23","volume-title":"sbuild"},{"key":"ref24","author":"Schach","year":"1992","journal-title":"Practical Software Engineering"},{"key":"ref25","article-title":"Fully countering trusting trust through diverse double-compiling","volume":"abs\/1004.5534","author":"Wheeler","year":"2010","journal-title":"CoRR"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/CSAC.2005.17"},{"key":"ref28","article-title":"Reproducible builds: Break a log, good things come in trees","volume-title":"Master Thesis","author":"Linderud","year":"2019"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1145\/3548606.3560596"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1017\/S0956796810000195"},{"key":"ref31","article-title":"Functional Package Management with Guix","volume-title":"European Lisp Symposium","author":"Court\u00e8s"},{"key":"ref32","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-27308-2_47"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1145\/3136040.3136045"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1145\/3373376.3378519"},{"key":"ref35","doi-asserted-by":"publisher","DOI":"10.1109\/saner.2019.8668013"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1145\/3338906.3340459"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1145\/2854146"},{"key":"ref38","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2019.00030"},{"key":"ref39","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387510"},{"key":"ref40","doi-asserted-by":"publisher","DOI":"10.1109\/ICPC.2008.24"},{"key":"ref41","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597129"},{"key":"ref42","first-page":"18","article-title":"VulinOSS: A dataset of security vulnerabilities in open-source systems","volume-title":"Proceedings of the 15th International Conference on Mining Software Repositories","author":"Gkortzis"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2012.6227141"},{"key":"ref44","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2012.6224294"},{"key":"ref45","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597126"},{"key":"ref46","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2005.73"},{"key":"ref47","doi-asserted-by":"publisher","DOI":"10.1109\/ICSM.2000.883030"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1145\/567793.567795"},{"key":"ref49","doi-asserted-by":"publisher","DOI":"10.1145\/2382196.2382218"},{"key":"ref50","article-title":"Historical analysis of exploit availability timelines","volume-title":"Proceedings of the 13th USENIX Workshop on Cyber Security Experimentation and Test (CSET 20)","author":"Householder"},{"issue":"2","key":"ref51","first-page":"3","article-title":"Vulnerabilities and patches of open source software: An empirical study","volume":"4","author":"Altinkemer","year":"2008","journal-title":"Journal of Information System Security"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.1109\/ICEMIS.2016.7745369"},{"key":"ref53","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.2"},{"key":"ref54","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2018.686"},{"key":"ref55","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-55128-4_37"},{"key":"ref56","doi-asserted-by":"publisher","DOI":"10.1109\/ISSRE.2009.25"},{"key":"ref57","doi-asserted-by":"publisher","DOI":"10.1007\/s10664-013-9258-8"},{"key":"ref58","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387465"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.1145\/1082983.1083147"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.1145\/3133956.3134072"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.1145\/3411495.3421360"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1109\/ICST.2019.00017"},{"key":"ref63","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.30"},{"key":"ref64","first-page":"255","article-title":"Effective static analysis of concurrency use-after-free bugs in Linux device drivers","volume-title":"Proceedings of the 2019 USENIX Annual Technical Conference (ATC\u201919)","author":"Bai"},{"key":"ref65","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510111"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion52605.2021.00096"},{"key":"ref67","doi-asserted-by":"publisher","DOI":"10.1145\/3449093"},{"key":"ref68","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion52605.2021.00119"},{"key":"ref69","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion52605.2021.00084"},{"key":"ref70","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3106246"},{"key":"ref71","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568260"},{"key":"ref72","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568315"},{"key":"ref73","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIS.2019.00014"},{"key":"ref74","doi-asserted-by":"publisher","DOI":"10.1145\/2145204.2145396"},{"key":"ref75","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884875"},{"key":"ref76","doi-asserted-by":"publisher","DOI":"10.1002\/smr.2393"},{"key":"ref77","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00058"},{"key":"ref78","doi-asserted-by":"publisher","DOI":"10.1002\/spip.255"},{"key":"ref79","doi-asserted-by":"publisher","DOI":"10.1145\/2089125.2089127"},{"key":"ref80","doi-asserted-by":"publisher","DOI":"10.23919\/FRUCT.2017.8250205"},{"key":"ref81","doi-asserted-by":"publisher","DOI":"10.1109\/ASEW.2008.4686322"},{"key":"ref82","doi-asserted-by":"publisher","DOI":"10.1145\/2597073.2597117"},{"key":"ref83","doi-asserted-by":"publisher","DOI":"10.1109\/ICSA.2017.39"},{"key":"ref84","doi-asserted-by":"publisher","DOI":"10.1145\/3379597.3387513"},{"key":"ref85","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635880"},{"key":"ref86","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813604"},{"key":"ref87","doi-asserted-by":"publisher","DOI":"10.1145\/2832987.2833051"},{"key":"ref88","doi-asserted-by":"publisher","DOI":"10.1145\/3106237.3117771"},{"key":"ref89","first-page":"57","article-title":"Stress and burnout in open source: Toward finding, understanding, and mitigating unhealthy interactions","volume-title":"Proceedings of the ACM\/IEEE 42nd International Conference on Software Engineering: New Ideas and Emerging Results (ICSE-NIER\u201920)","author":"Raman"},{"key":"ref90","doi-asserted-by":"publisher","DOI":"10.1007\/978-0-387-72486-7_19"},{"key":"ref91","doi-asserted-by":"publisher","DOI":"10.1145\/1985441.1985462"},{"key":"ref92","doi-asserted-by":"publisher","DOI":"10.1145\/2046582.2046587"},{"key":"ref93","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-57735-7_5"},{"key":"ref94","doi-asserted-by":"publisher","DOI":"10.1145\/1842752.1842796"},{"key":"ref95","doi-asserted-by":"publisher","DOI":"10.1109\/TR.2015.2500367"},{"key":"ref96","doi-asserted-by":"publisher","DOI":"10.1145\/2652524.2652544"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1145\/3127005.3127014"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.1080\/10864415.2002.11044241"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1145\/2957792.2957793"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.1109\/SANER.2016.68"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-20883-7_11"},{"key":"ref102","doi-asserted-by":"publisher","DOI":"10.1145\/2675133.2675215"},{"key":"ref103","doi-asserted-by":"publisher","DOI":"10.1145\/3178158.3178202"},{"key":"ref104","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2020.3041241"},{"key":"ref105","doi-asserted-by":"publisher","DOI":"10.1145\/2884781.2884806"},{"key":"ref106","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2018.110162131"},{"key":"ref107","doi-asserted-by":"publisher","DOI":"10.1145\/3387940.3391534"},{"key":"ref108","doi-asserted-by":"publisher","DOI":"10.1145\/3412569.3412571"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1145\/2393596.2393647"},{"key":"ref110","doi-asserted-by":"publisher","DOI":"10.1145\/2786805.2786854"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2015.26"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1145\/1518701.1518838"},{"key":"ref113","doi-asserted-by":"publisher","DOI":"10.1145\/1031607.1031672"},{"key":"ref114","doi-asserted-by":"publisher","DOI":"10.1145\/1280680.1280693"},{"key":"ref115","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-38928-3_14"},{"key":"ref116","first-page":"399","article-title":"Investigating the computer security practices and needs of journalists","volume-title":"Proceedings of the 24th USENIX Security Symposium (Sec\u201915)","author":"McGregor"},{"key":"ref117","first-page":"505","article-title":"When the weakest link is strong: Secure collaboration in the case of the Panama Papers","volume-title":"Proceedings of the 26th USENIX Security Symposium (Sec\u201917)","author":"McGregor"},{"key":"ref118","first-page":"89","article-title":"Computer security and privacy in the interactions between victim service providers and human trafficking survivors","volume-title":"Proceedings of the 28th USENIX Security Symposium (Sec\u201919)","author":"Chen"},{"key":"ref119","first-page":"385","article-title":"New me: Understanding expert and non-expert perceptions and usage of the Tor anonymity network","volume-title":"Proceedings of the 13th Symposium on Usable Privacy and Security (SOUPS\u201917)","author":"Gallagher"},{"key":"ref120","first-page":"113","article-title":"An inconvenient trust: User attitudes toward security and usability tradeoffs for key-directory encryption systems","volume-title":"Proceedings of the 12th Symposium on Usable Privacy and Security (SOUPS\u201916)","author":"Bai"},{"key":"ref121","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833756"},{"key":"ref122","first-page":"1339","article-title":"I have no idea what I\u2019m doing\u201d - on the usability of deploying HTTPS","volume-title":"Proceedings of the 26th USENIX Security Symposium (Sec\u201917)","author":"Krombholz"},{"key":"ref123","first-page":"597","article-title":"Benefits and drawbacks of adopting a secure programming language: Rust as a case study","volume-title":"Proceedings of the 17th Symposium on Usable Privacy and Security (SOUPS 2021)","author":"Fulton"},{"key":"ref124","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484780"},{"key":"ref125","first-page":"97","article-title":"Industrial practitioners\u2019 mental models of adversarial machine learning","volume-title":"Proceedings of the 18th Symposium on Usable Privacy and Security (SOUPS\u201922)","author":"Bieringer"},{"key":"ref126","article-title":"\"Security is not my field, I\u2019m a stats guy\u201d: A Qualitative Root Cause Analysis of Barriers to Adversarial Machine Learning Defenses in Industry","volume-title":"Proceedings of the 32nd USENIX Security Symposium","author":"Mink"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833686"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179378"},{"key":"ref130","doi-asserted-by":"publisher","DOI":"10.46743\/2160-3715\/2015.2281"},{"key":"ref131","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445383"},{"key":"ref132","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833713"},{"key":"ref134","doi-asserted-by":"publisher","DOI":"10.1145\/93542.93550"},{"key":"ref135","volume-title":"OpenSSF Scorecards"},{"key":"ref136","volume-title":"Software Bill of Materials (SBOM)"},{"key":"ref137","volume-title":"Executive order on improving the nation\u2019s cybersecurity","year":"2021"},{"key":"ref138","volume-title":"Executive order on America\u2019s supply chains","year":"2022"}],"event":{"name":"2023 IEEE Symposium on Security and Privacy (SP)","location":"San Francisco, CA, USA","start":{"date-parts":[[2023,5,21]]},"end":{"date-parts":[[2023,5,25]]}},"container-title":["2023 IEEE Symposium on Security and Privacy (SP)"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10179215\/10179280\/10179320.pdf?arnumber=10179320","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,7,20]],"date-time":"2024-07-20T05:19:19Z","timestamp":1721452759000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/10179320\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,5]]},"references-count":132,"URL":"https:\/\/doi.org\/10.1109\/sp46215.2023.10179320","relation":{},"subject":[],"published":{"date-parts":[[2023,5]]}}}