reproducible-builds
Safeguard articles tagged "reproducible-builds" — guides, analysis, and best practices for software supply chain and application security.
16 articles
Securing Python Virtual Environments
A single sudo pip install can overwrite files an OS package manager owns — PEP 668 exists because that anti-pattern was common enough to break Linux distros.
Reproducible Builds: Why Bother in 2026?
Reproducible builds used to feel academic. After a decade of supply chain attacks, they are the shortest path from an SBOM to a verifiable artifact. Here is the case.
Cargo.lock integrity and reproducible builds as a supply ...
Cargo.lock pins your dependency tree, but only reproducible builds prove the binary you ship matches the source you reviewed and approved.
What is Reproducible Builds
Reproducible builds let anyone recompile source code and cryptographically verify the binary matches — closing the gap attackers exploit when they compromise build systems, not source code.
Safeguard Gold Build Pipeline: How It Works
A walkthrough of the Gold Build pipeline that produces reproducible, attested, policy-verified container images and binaries for Safeguard customers.
Reproducible Builds: Why Bit-for-Bit Identical Matters
If two builds of the same source produce different binaries, you cannot prove what you shipped. How determinism breaks, the flags that fix it, and why auditors care.
What Is a Build Artifact?
A build artifact is the packaged output your build process produces from source code. Here is why artifacts are a critical supply chain checkpoint and how to verify their provenance.
What Is a Lockfile?
A lockfile pins the exact versions and hashes of every dependency your build resolves. Here is how lockfiles make builds reproducible and why they are central to supply chain integrity.
Rebuilding Docker Images: Cache, Patching, and Reproducibility
A plain docker build reuses cached layers and silently skips your security patches. Here is how the cache actually works, how to force a real rebuild, and how to keep rebuilds reproducible.
Reproducible Builds Debian: The Long View
Debian's Reproducible Builds project has been at it for over a decade. Here's what they've learned, what still isn't reproducible, and why it matters.
What is Dependency Pinning
Dependency pinning locks every package in your build to an exact, verified version so the code you tested is the code you ship. Here's how to do it per ecosystem.
Nix Reproducible Builds: A Supply Chain Case
Practical supply chain lessons from running Nix and Nix flakes in production, including flake.lock handling, content-addressed derivations, and cachix trust.