{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T07:06:13Z","timestamp":1782889573465,"version":"3.54.5"},"publisher-location":"New York, NY, USA","reference-count":37,"publisher":"ACM","license":[{"start":{"date-parts":[[2026,6,30]],"date-time":"2026-06-30T00:00:00Z","timestamp":1782777600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2026,6,30]]},"DOI":"10.1145\/3805773.3805997","type":"proceedings-article","created":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T05:20:41Z","timestamp":1782883241000},"page":"74-80","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["On the Variability of Source Code in Maven Package Rebuilds"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-9019-6550","authenticated-orcid":false,"given":"Jens","family":"Dietrich","sequence":"first","affiliation":[{"name":"Victoria University of Wellington, Wellington, New Zealand"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0006-6639-3056","authenticated-orcid":false,"given":"Behnaz","family":"Hassanshahi","sequence":"additional","affiliation":[{"name":"Oracle, Brisbane, Australia"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"320","published-online":{"date-parts":[[2026,6,30]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"diffoscope -in-depth comparison of files archives and directories. https:\/\/ diffoscope.org\/."},{"key":"e_1_3_2_1_2_1","unstructured":"Java parser. https:\/\/javaparser.org\/."},{"key":"e_1_3_2_1_3_1","unstructured":"Supply chain levels for software artifacts (slsa) source provenance. https:\/\/slsa. dev\/spec\/v1.2\/source-requirements."},{"key":"e_1_3_2_1_4_1","unstructured":"A tool for comparing jar files. https:\/\/github.com\/lightbend-labs\/jardiff."},{"key":"e_1_3_2_1_5_1","volume-title":"improving the nation's cybersecurity","author":"Executive","year":"2022","unstructured":"Executive order 14028, improving the nation's cybersecurity, 2022. https:\/\/www. nist.gov\/itl\/executive-order-14028-improving-nations-cybersecurity."},{"key":"e_1_3_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.fsidi.2023.301508"},{"key":"e_1_3_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2007.70725"},{"key":"e_1_3_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE55347.2025.00136"},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11219-022-09607-z"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664288"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE63991.2025.00300"},{"key":"e_1_3_2_1_12_1","unstructured":"Dietrich J. Rasheed S. and Jordan A. On the security blind spots of software composition analysis."},{"key":"e_1_3_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME64153.2025.00058"},{"key":"e_1_3_2_1_14_1","first-page":"243","volume-title":"Sicherheit 2024","author":"Drexel J.","year":"2024","unstructured":"Drexel, J., H\u00e4nggi, E., and Veiga, I. M. Reproducible builds and insights from an independent verifier for arch linux. In Sicherheit 2024 (2024), Gesellschaft f\u00fcr Informatik eV, pp. 243-257."},{"key":"e_1_3_2_1_15_1","unstructured":"Ellison R. J. Goodenough J. B. Weinstock C. B. and Woody C. Evaluating and mitigating software supply chain security risks. Software Engineering Institute Tech. Rep. CMU\/SEI-2010-TN-016 (2010)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2022.3142338"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.10179320"},{"key":"e_1_3_2_1_18_1","volume-title":"Java SE 17 Edition","author":"Gosling J.","year":"2021","unstructured":"Gosling, J., Joy, B., Steele, G., Bracha, G., Buckley, A., Smith, D., and Bierman, G. The Java\u00aeLanguage Specification, Java SE 17 Edition, 2021. https:\/\/docs.oracle. com\/javase\/specs\/jls\/se17\/html\/."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605770.3625213"},{"key":"e_1_3_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE63991.2025.00280"},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3643764"},{"key":"e_1_3_2_1_22_1","first-page":"2","article-title":"Reproducible builds: Increasing the integrity of software supply chains","volume":"39","author":"Lamb C.","year":"2021","unstructured":"Lamb, C., and Zacchiroli, S. Reproducible builds: Increasing the integrity of software supply chains. IEEE Software 39, 2 (2021), 62-70.","journal-title":"IEEE Software"},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSR.2017.65"},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/3639476.3639767"},{"key":"e_1_3_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.18280\/ijsse.110505"},{"key":"e_1_3_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_2"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3643991.3644913"},{"key":"e_1_3_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180224"},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2019.00056"},{"key":"e_1_3_2_1_30_1","volume":"181","author":"Rose","unstructured":"Rose, J. JEP 181: Nest-Based Access Control, 2013. https:\/\/openjdk.org\/jeps\/181.","journal-title":"J. JEP"},{"key":"e_1_3_2_1_31_1","volume-title":"Maven-lockfile: High integrity rebuild of past java releases. arXiv preprint arXiv:2510.00730","author":"Schmid L.","year":"2025","unstructured":"Schmid, L., Lundell, E., Gamage, Y., Baudry, B., and Monperrus, M. Maven-lockfile: High integrity rebuild of past java releases. arXiv preprint arXiv:2510.00730 (2025)."},{"key":"e_1_3_2_1_32_1","unstructured":"Schott S. Ponta S. E. Fischer W. Klauke J. and Bodden E. Java bytecode normalization for code similarity analysis."},{"key":"e_1_3_2_1_33_1","article-title":"Causes and canonicalization of unreproducible builds in java","author":"Sharma A.","year":"2025","unstructured":"Sharma, A., Baudry, B., and Monperrus, M. Causes and canonicalization of unreproducible builds in java. IEEE Transactions on Software Engineering (2025).","journal-title":"IEEE Transactions on Software Engineering ("},{"key":"e_1_3_2_1_34_1","first-page":"9","article-title":"An experience report on producing verifiable builds for large-scale commercial systems","volume":"48","author":"Shi Y.","year":"2021","unstructured":"Shi, Y., Wen, M., Cogo, F. R., Chen, B., and Jiang, Z. M. An experience report on producing verifiable builds for large-scale commercial systems. IEEE Transactions on Software Engineering 48, 9 (2021), 3361-3377.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_1_35_1","volume-title":"JEP 280: Indify String Concatenation","author":"Shipilev A.","year":"2015","unstructured":"Shipilev, A. JEP 280: Indify String Concatenation, 2015. https:\/\/openjdk.org\/ jeps\/280."},{"key":"e_1_3_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/358198.358210"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1145\/3510457.3513050"}],"event":{"name":"SecDev '26: 2026 ACM Secure Development Conference","location":"Montreal QC Canada","acronym":"SecDev '26","sponsor":["SIGSOFT ACM Special Interest Group on Software Engineering"]},"container-title":["Proceedings of the 2026 ACM Secure Development Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3805773.3805997","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,7,1]],"date-time":"2026-07-01T05:30:11Z","timestamp":1782883811000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3805773.3805997"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,6,30]]},"references-count":37,"alternative-id":["10.1145\/3805773.3805997","10.1145\/3805773"],"URL":"https:\/\/doi.org\/10.1145\/3805773.3805997","relation":{},"subject":[],"published":{"date-parts":[[2026,6,30]]},"assertion":[{"value":"2026-06-30","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}