Causes and Canonicalization of Unreproducible Builds in Java
Aman Sharma, Benoit Baudry, Martin Monperrus
TL;DR
This work tackles unreproducible builds in Java, a critical concern for software integrity in complex supply chains. It introduces a framework distinguishing builders from rebuilders and analyzes reproducibility through a large-scale dataset derived from Reproducible Central, resulting in a six-item taxonomy of unreproducibility causes. The authors evaluate two canonicalization strategies—artifact-level (OSS-Rebuild) and Java bytecode-level (jNorm)—and introduce Chains-Rebuild, a tailored tool that improves reproducibility by canonicalizing releases; on 12,803 unreproducible artifacts, Chains-Rebuild achieves 26.60% success, with artifact canonicalization contributing additional gains. The study provides a publicly available dataset of 8,292 unreproducible Maven releases and demonstrates that canonicalization can fix a substantial portion of unreproducible builds, offering practical guidance for builders and rebuilders and paving the way for more reliable Java software supply chains.
Abstract
The increasing complexity of software supply chains and the rise of supply chain attacks have elevated concerns around software integrity. Users and stakeholders face significant challenges in validating that a given software artifact corresponds to its declared source. Reproducible Builds address this challenge by ensuring that independently performed builds from identical source code produce identical binaries. However, achieving reproducibility at scale remains difficult, especially in Java, due to a range of non-deterministic factors and caveats in the build process. In this work, we focus on reproducibility in Java-based software, archetypal of enterprise applications. We introduce a conceptual framework for reproducible builds, we analyze a large dataset from Reproducible Central, and we develop a novel taxonomy of six root causes of unreproducibility. We study actionable mitigations: artifact and bytecode canonicalization using OSS-Rebuild and jNorm respectively. Finally, we present Chains-Rebuild, a tool that achieve successfulcanonicalization for 26.60% on 12,803 unreproducible artifacts To sum up, our contributions are the first large-scale taxonomy of build unreproducibility causes in Java, a publicly available dataset of unreproducible builds, and Chains-Rebuild, a canonicalization tool for mitigating unreproducible builds in Java.
