Search papers, labs, and topics across Lattice.
This study investigates the alteration of Git tags across 328.4 million software repositories, revealing that 10.2 million tag alterations impact 189,000 unique repositories. The research highlights that these modifications can lead to build errors, as evidenced by 32 packages in Nixpkgs referencing altered tags, with 7 confirmed to have build failures. These findings challenge the assumption of Git tags as immutable references, underscoring the need for enhanced practices in software supply-chain integrity.
Tag alterations in Git repositories are not just common; they can lead to real build failures, undermining the very foundations of software reproducibility.
Git tags are commonly viewed as immutable references in software development, marking releases and specific repository states that underpin build reproducibility and software supply-chain integrity. Despite their intended immutability, Git allows tags to be altered through deletion or modification via force-pushed updates. The prevalence of such alterations threatens reproducible builds and dependency integrity. We conduct the first large-scale empirical study of tag alterations in public code repositories, analyzing 328.4 M software repositories from Software Heritage and identifying 10.2 M tag alterations affecting 189 k unique repositories. A cross-analysis with Nixpkgs reveals that 32 packages reference tags altered in our dataset, with 7 exhibiting confirmed build errors, providing concrete evidence that tag alterations break reproducible package builds. Our findings challenge the widespread assumption that tags are immutable anchors for released software. We therefore recommend that build systems and package managers pin dependencies to cryptographic commit hashes, that development forges expose tagmutation audit logs, and that the community adopt systematic monitoring of tag alterations as a standard supply-chain security practice.