Towards Build Verifiability for Java-based Systems

TL;DR

This paper proposes a systematic approach to enhance build verifiability in Java-based systems, addressing non-determinism and artifact equivalence issues to improve trustworthiness and reproducibility.

Contribution

It introduces a unified build process and tools for controlling non-determinism and post-processing artifacts, specifically tailored for Java-based systems, with extensive empirical validation.

Findings

91% of open source projects verified successfully

Identified 14 patterns causing non-equivalences in build artifacts

78% of patterns are unique to Java-based systems

Abstract

Build verifiability refers to the property that the build of a software system can be verified by independent third parties and it is crucial for the trustworthiness of a software system. Various efforts towards build verifiability have been made to C/C++-based systems, yet the techniques for Java-based systems are not systematic and are often specific to a particular build tool (e.g., Maven). In this study, we present a systematic approach towards build verifiability on Java-based systems. Our approach consists of three parts: a unified build process, a tool that dynamically controls non-determinism during the build process, and another tool that eliminates non-equivalences by post-processing the build artifacts. We apply our approach on 46 unverified open source projects from Reproducible Central and 13 open source projects that are widely used by Huawei commercial products. As a result, 91% of the unverified Reproducible Central projects and 100% of the commercially adopted OSS projects are successfully verified with our approach. In addition, based on our experience in analyzing thousands of builds for both commercial and open source Java-based systems, we present 14 patterns that introduce non-equivalences in generated build artifacts and their respective mitigation strategies. Among these patterns, 11 (78%) are unique for Java-based system, whereas the remaining 3 (22%) are common with C/C++-based systems. The approach and the findings of this paper are useful for both practitioners and researchers who are interested in build verifiability.