Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model

TL;DR

Lila is a decentralized system designed to monitor and assess build reproducibility at scale within the functional package management model, enhancing transparency and trust in software distribution.

Contribution

It introduces a decentralized reproducibility monitoring system tailored for the functional package management model, enabling distributed reporting and aggregation of build results.

Findings

Achieves scalable reproducibility monitoring for large software collections.

Facilitates distributed reporting and aggregation of build results.

Supports empirical studies of build reproducibility at scale.

Abstract

Ensuring the integrity of software build artifacts is an increasingly important concern for modern software engineering, driven by increasingly sophisticated attacks on build systems, distribution channels, and development infrastructures. Reproducible builds $\unicode{x2013}$ where binaries built independently from the same source code can be verified to be bit-for-bit identical to the distributed artifacts $\unicode{x2013}$ provide a principled foundation for transparency and trust in software distribution. Despite their potential, the large-scale adoption of reproducible builds faces two significant challenges: achieving high reproducibility rates across vast software collections and establishing reproducibility monitoring infrastructure that can operate at very large scale. While recent studies have shown that high reproducibility rates are achievable at scale $\unicode{x2013}$ demonstrated by the Nix ecosystem achieving over 90% reproducibility on more than 80,000 packages $\unicode{x2013}$ the problem of effective reproducibility monitoring remains largely unsolved. In this work, we address the reproducibility monitoring challenge by introducing Lila, a decentralized system for reproducibility assessment tailored to the functional package management model. Lila enables distributed reporting of build results and aggregation into a reproducibility database, benefiting both practitioners and future empirical build reproducibility studies.