The paper investigates the reproducibility of Maven package builds by comparing source code from Maven Central with independently built packages from Google's Assured Open Source and Oracle's Build-from-Source projects. The study reveals non-equivalent sources in alternative builds for 28 popular packages, highlighting the challenges in ensuring consistent software supply chains. The primary cause of non-equivalence is identified as build extensions that generate code at build time, which are difficult to reproduce, suggesting the need for improved strategies to address this issue.
Reproducible builds of Maven packages are often foiled by build extensions that generate code, undermining supply chain security efforts.
Rebuilding packages from open source is a common practice to improve the security of software supply chains, and is now done at an industrial scale. The basic principle is to acquire the source code used to build a package published in a repository such as Maven Central (for Java), rebuild the package independently with hardened security, and publish it in some alternative repository. In this paper we test the assumption that the same source code is being used by those alternative builds. To study this, we compare the sources released with packages on Maven Central, with the sources associated with independently built packages from Google's Assured Open Source and Oracle's Build-from-Source projects. We study non-equivalent sources for alternative builds of 28 popular packages with 85 releases. We investigate the causes of non-equivalence, and find that the main cause is build extensions that generate code at build time, which are difficult to reproduce. We suggest strategies to address this issue.
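As an added illustration, not code from the paper or from either rebuild project, the following Python performs the kind of file-level source-equivalence check the abstract describes: it compares the sources jar published with a release against the sources shipped by an independent rebuild, ignoring META-INF build metadata and line-ending differences, and reports which files are missing, extra or changed. The two jars are constructed in memory; the file named Version.java is a stand-in for code generated at build time.

```python
import hashlib
import io
import zipfile

# Entries that hold builder metadata rather than source; they are expected to
# differ between Maven Central and an independent rebuild, so they are skipped.
IGNORED_PREFIXES = ("META-INF/",)
TEXT_SUFFIXES = (".java", ".kt", ".properties", ".xml")


def _normalized_entries(jar_bytes):
    """Map entry path -> SHA-256 of its content, with CRLF folded to LF for
    text sources so that checkout-time line-ending differences do not count."""
    entries = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.filename.startswith(IGNORED_PREFIXES):
                continue
            data = zf.read(info)
            if info.filename.endswith(TEXT_SUFFIXES):
                data = data.replace(b"\r\n", b"\n")
            entries[info.filename] = hashlib.sha256(data).hexdigest()
    return entries


def compare_sources(reference_jar, rebuilt_jar):
    """Return the paths only in the reference, only in the rebuild, and present
    in both with different content. All three empty means equivalent sources."""
    ref = _normalized_entries(reference_jar)
    alt = _normalized_entries(rebuilt_jar)
    return {
        "only_in_reference": sorted(set(ref) - set(alt)),
        "only_in_rebuild": sorted(set(alt) - set(ref)),
        "changed": sorted(p for p in ref.keys() & alt.keys() if ref[p] != alt[p]),
    }


def is_equivalent(report):
    return not any(report.values())


def make_sources_jar(files):
    """Build an in-memory sources jar from {path: bytes} (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, data in files.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed sample: the rebuild lacks the build-time-generated Version.java
# and checked out App.java with CRLF line endings.
REFERENCE_JAR = make_sources_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuilt-By: central\n",
    "com/example/App.java": b"package com.example;\npublic class App {}\n",
    "com/example/Version.java": b"// generated by a build extension\npublic class Version {}\n",
})
REBUILT_JAR = make_sources_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuilt-By: rebuilder\n",
    "com/example/App.java": b"package com.example;\r\npublic class App {}\r\n",
})

if __name__ == "__main__":
    print(compare_sources(REFERENCE_JAR, REBUILT_JAR))
```

On the sample, the only difference reported is the generated file present solely in the reference sources, which is exactly the class of non-equivalence the abstract attributes to build extensions.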