{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T05:00:35Z","timestamp":1750309235934,"version":"3.41.0"},"publisher-location":"New York, NY, USA","reference-count":27,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,4,14]],"date-time":"2024-04-14T00:00:00Z","timestamp":1713052800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,4,14]]},"DOI":"10.1145\/3639478.3639806","type":"proceedings-article","created":{"date-parts":[[2024,5,23]],"date-time":"2024-05-23T10:49:26Z","timestamp":1716461366000},"page":"184-186","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Increasing trust in the open source supply chain with reproducible builds and functional package management"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-9845-6300","authenticated-orcid":false,"given":"Julien","family":"Malka","sequence":"first","affiliation":[{"name":"LTCI, T\u00e9l\u00e9com Paris, Institut Polytechnique de Paris, France, Palaiseau, France"}]}],"member":"320","published-online":{"date-parts":[[2024,5,23]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"2022. Cyber Resilience Act | Shaping Europe's digital future. https:\/\/web.archive.org\/web\/20231109015038\/https:\/\/digital-strategy.ec.europa.eu\/en\/library\/cyber-resilience-act"},{"key":"e_1_3_2_1_2_1","unstructured":"2023. NixOS Reproducible Builds: minimal installation ISO successfully independently rebuilt - Announcements - NixOS Discourse. https:\/\/web.archive.org\/web\/20231030141336\/https:\/\/discourse.nixos.org\/t\/nixos-reproducible-builds-minimal-installation-iso-successfully-independently-rebuilt\/34756"},{"key":"e_1_3_2_1_3_1","unstructured":"2023. Overview of various statistics about reproducible builds. https:\/\/web.archive.org\/web\/20231029223006\/https:\/\/tests.reproducible-builds.org\/debian\/reproducible.html"},{"key":"e_1_3_2_1_4_1","unstructured":"2023. Reproducible Builds --- a set of software development practices that create an independently-verifiable path from source to binary code. https:\/\/web.archive.org\/web\/20231113151826\/https:\/\/reproducible-builds.org\/"},{"key":"e_1_3_2_1_5_1","unstructured":"2023. Trustix - A new model for Nix binary substitutions. https:\/\/github.com\/nix-community\/trustix original-date: 2020-12-03T15:30:40Z."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICCCNT51525.2021.9579611"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455841"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","unstructured":"Ludovic Court\u00e8s. 2013. Functional Package Management with Guix. arXiv:1305.4584 [cs]. 10.48550\/arXiv.1305.4584","DOI":"10.48550\/arXiv.1305.4584"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.22152\/programming-journal.org\/2023\/7\/1"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"crossref","unstructured":"Ludovic Court\u00e8s and Ricardo Wurmus. 2015. Reproducible and User-Controlled Software Environments in HPC with Guix. https:\/\/inria.hal.science\/hal-01161771","DOI":"10.1007\/978-3-319-27308-2_47"},{"key":"e_1_3_2_1_11_1","unstructured":"Eelco Dolstra. 2006. The purely functional software deployment model. Ph. D. Dissertation. s.n. S.l. OCLC: 71702886."},{"key":"e_1_3_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE43902.2021.00121"},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"crossref","unstructured":"Marcel Fourn\u00e9 Dominik Wermke William Enck Sascha Fahl and Yasemin Acar. 2023. It's like flossing your teeth: On the Importance and Challenges of Reproducible Builds for Software Supply Chain Security. https:\/\/teamusec.de\/publications\/conf-oakland-fourne23\/","DOI":"10.1109\/SP46215.2023.10179320"},{"key":"e_1_3_2_1_14_1","unstructured":"The White House. 2021. Executive Order on Improving the Nation's Cybersecurity. https:\/\/web.archive.org\/web\/20231114135442\/https:\/\/www.whitehouse.gov\/briefing-room\/presidential-actions\/2021\/05\/12\/executive-order-on-improving-the-nations-cybersecurity\/"},{"key":"e_1_3_2_1_15_1","doi-asserted-by":"publisher","unstructured":"Piergiorgio Ladisa Henrik Plate Matias Martinez and Olivier Barais. 2022. Taxonomy of Attacks on Open-Source Software Supply Chains. arXiv:2204.04008 [cs]. 10.48550\/arXiv.2204.04008","DOI":"10.48550\/arXiv.2204.04008"},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/MS.2021.3073045"},{"key":"e_1_3_2_1_17_1","unstructured":"Janneke Nieuwenhuizen and Ludovic Court\u00e8s. 2023. The Full-Source Bootstrap: Building from source all the way down. https:\/\/web.archive.org\/web\/20231112105303\/https:\/\/guix.gnu.org\/en\/blog\/2023\/the-full-source-bootstrap-building-from-source-all-the-way-down\/"},{"key":"e_1_3_2_1_18_1","unstructured":"nikstur. 2023. Bombon. https:\/\/github.com\/nikstur\/bombon original-date: 2022-08-18T23:06:53Z."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","unstructured":"Marc Ohm Timo Pohl and Felix Boes. 2023. You Can Run But You Can't Hide: Runtime Protection Against Malicious Package Updates For Node.js. arXiv:2305.19760 [cs]. 10.48550\/arXiv.2305.19760","DOI":"10.48550\/arXiv.2305.19760"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510104"},{"key":"e_1_3_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4939-9074-0_24"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.2003.03471"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/358198.358210"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1093\/gigascience\/giy123"},{"key":"e_1_3_2_1_26_1","unstructured":"Claud Xiao. 2015. Novel Malware XcodeGhost Modifies Xcode Infects Apple iOS Apps and Hits App Store. https:\/\/web.archive.org\/web\/20230920153656\/https:\/\/unit42.paloaltonetworks.com\/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store\/"},{"key":"e_1_3_2_1_27_1","unstructured":"Markus Zimmermann Cristian-Alexandru Staicu Cam Tenny and Michael Pradel. 2019. Small World with High Risks: A Study of Security Threats in the npm Ecosystem. 995--1010. https:\/\/www.usenix.org\/conference\/usenixsecurity19\/presentation\/zimmerman"}],"event":{"name":"ICSE-Companion '24: 2024 IEEE\/ACM 46th International Conference on Software Engineering: Companion Proceedings","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering","IEEE CS","Faculty of Engineering of University of Porto"],"location":"Lisbon Portugal","acronym":"ICSE-Companion '24"},"container-title":["Proceedings of the 2024 IEEE\/ACM 46th International Conference on Software Engineering: Companion Proceedings"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3639478.3639806","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3639478.3639806","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T23:44:32Z","timestamp":1750290272000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3639478.3639806"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,4,14]]},"references-count":27,"alternative-id":["10.1145\/3639478.3639806","10.1145\/3639478"],"URL":"https:\/\/doi.org\/10.1145\/3639478.3639806","relation":{},"subject":[],"published":{"date-parts":[[2024,4,14]]},"assertion":[{"value":"2024-05-23","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}