On Business Adoption and Use of Reproducible Builds for Open and Closed Source Software

Software Quality Journal have published our article on the use of reproducible builds in industry. The article is published with open access and is available at https://link.springer.com/article/10.1007/s11219-022-09607-z


Reproducible builds (R-Bs) are techniques for creating identical executable files from known source code. Establishing the correspondence between source code and binary has a wide range of applications in securing application development, in particular, and provides support for activities such as licence clearance when building complex software with multiple dependencies. Research work on R-Bs has largely focused on the technical problems and solutions. This article reports an interview study on the use of R-Bs in industry, and perspectives on their value and potential applications. Interviewees identified a wide range of applications of R-Bs in software engineering, especially in the security and safety-critical domains. Opinions expressed on R-Bs and reported in the article include the idea that R-Bs will become conventional software development practice, and that we will be surprised by the applications for R-Bs that developers will uncover during the next few years.


Abstract: Reproducible builds (R-Bs) are software engineering practices that reliably create bit-for-bit identical binary executable files from specified source code. R-Bs are applied in some open source software (OSS) projects and distributions to allow verification that the distributed binary has been built from the released source code. The use of R-Bs has been advocated in software maintenance and R-Bs are applied in the development of some OSS security applications. Nonetheless, industry application of R-Bs appears limited, and we seek to understand whether awareness is low or if significant technical and business reasons prevent wider adoption. Through interviews with software practitioners and business managers, this study explores the utility of applying R-Bs in businesses in the primary and secondary software sectors and the business and technical reasons supporting their adoption. We find businesses use R-Bs in the safety-critical and security domains, and R-Bs are valuable for traceability and support collaborative software development. We also found that R-Bs are valued as engineering processes and are seen as a badge of software quality, but without a tangible value proposition. There are good engineering reasons to use R-Bs in industrial software development, and the principle of establishing correspondence between source code and binary offers opportunities for the development a of further applications.


title = {On Business Adoption and Use of Reproducible Builds for Open and Closed Source Software},
journal = {Software Quality Journal},
year = {2022},
author = {Butler, Simon and Gamalielsson, Jonas and Lundell, Björn and Brax, Christoffer and Mattsson, Anders and Gustavsson, Tomas and Feist, Jonas and Kvarnström, Bengt and Lönroth, Erik},
note = {In Press},
doi = {10.1007/s11219-022-09607-z},