Research article: Does Functional Package Management Enable Reproducible Builds at Scale? Yes

Hello everyone,

I am very proud to announce the publication of my latest research paper at MSR’25: Does Functional Package Management Enable Reproducible Builds at Scale? Yes, written with Stefano Zacchiroli and Théo Zimmermann.

This is a publication as part of my PhD on the impact of Nix on software supply chain security and in particular it focuses on studying the proportion and evolution of bit-by-bit reproducible packages in nixpkgs.

I invite curious readers to read directly the paper, but I also summarized the key takeaways of the article in a blogpost.

Happy to answer any questions :smiley:

47 Likes

Congratulations on this work, this is very inspirational! Keep up the great work guys!!!

2 Likes

Indeed, very nice read!
Great work and good luck with the PhD, so all hands on deck to get Trustix in place?

1 Like

Awesome work, and a really impressive result for the reproducible builds heroes around Nixpkgs! Please add the paper to Research and Scientific Publications | Nix & NixOS

3 Likes

@JulienMalka Kind of OT, but what led you to use this way of phrasing the title, rather than a perhaps more traditional “Functional package management enables reproducible builds at scale”?

Just curious, I like the title, it’s a bit catchier I guess :slight_smile:

Congrats on publishing your findings! I got the link for FOSDEM but this deserves more advertising.
One question: you checked for bitwise reproducibility with nix build --check. Does that compare the build and its reference bit per bit?

Yes, it does compare bit-by-bit!

Yes indeed, it was a catchier title :slight_smile:

2 Likes
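For readers who want to see what a bit-for-bit comparison of two builds amounts to, here is an added example that is not part of the thread, the paper, or nixpkgs. `nix build --check` rebuilds a derivation and fails if the result differs from the output already in the store; the script below reproduces that idea without Nix: it runs a build twice into fresh directories and compares every output byte with `diff -r`. The function names `check_reproducible`, `build_fixed` and `build_embeds_path` and the toy "builds" are assumptions made for the illustration; `build_embeds_path` deliberately writes its own output directory into the artifact, a classic source of non-reproducibility.

```shell
#!/bin/sh
# Added example (not from the paper or nixpkgs): a minimal bit-for-bit
# reproducibility check in the spirit of `nix build --check`.
# A build is run twice into separate directories; if any byte of any
# output file differs, the build is reported as not reproducible.
set -eu

# check_reproducible BUILD_FUNC
# BUILD_FUNC is a shell function taking one argument: the output directory.
# Returns 0 when both builds produce byte-identical trees, 1 otherwise.
check_reproducible() {
    build="$1"
    out1=$(mktemp -d)
    out2=$(mktemp -d)
    "$build" "$out1"
    "$build" "$out2"
    # diff -r walks both trees and compares file contents byte for byte;
    # it also reports files present on only one side.
    if diff -r "$out1" "$out2" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$out1" "$out2"
    return $rc
}

# Constructed toy build: output depends only on fixed inputs.
build_fixed() {
    mkdir -p "$1/bin"
    printf 'hello, reproducible world\n' > "$1/bin/hello.txt"
    printf 'VERSION=1.0\n' > "$1/metadata"
}

# Constructed toy build: leaks its (unique) build directory into the
# output, so two builds can never be identical.
build_embeds_path() {
    mkdir -p "$1/bin"
    printf 'hello, reproducible world\n' > "$1/bin/hello.txt"
    printf 'VERSION=1.0\nBUILD_DIR=%s\n' "$1" > "$1/metadata"
}

# Usage: report both toy builds.
for b in build_fixed build_embeds_path; do
    if check_reproducible "$b"; then
        echo "$b: reproducible"
    else
        echo "$b: NOT reproducible"
    fi
done
```

A real check also has to pin the build's inputs (compiler, libraries, environment) so that the two runs differ only in what the build itself does; this toy only shows the comparison step.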

Hi Julien, I was sorry to miss this talk at FOSDEM, but my colleague went and thought it was very interesting! I loved the fact that you found a regression in pip as a result of the work.

1 Like