Lila: Decentralized Build Reproducibility Monitoring for the Functional Package Management Model

MSR’26 FOSS Award

MSR 2026

Julien Malka, Arnout Engelen

April 14, 2026

What are Reproducible Builds?

A build is reproducible if independent builds from the same source produce bit-for-bit identical artifacts.

What R-B enables

R-B makes it possible to eliminate trust in arbitrarily transformed artifacts along the supply chain: anyone can rebuild from source and check that the artifact they were handed is the one the source produces.

Application 1: Binary distribution

Today: blind trust

With R-B: verified distribution

Application 2: The xz backdoor (2024)

  • A malicious maintainer infiltrated the xz project over 3 years
  • Backdoor was not in the public git repository — only in release archives
  • Source code review was not enough to detect it

Can R-B help detect this class of attacks?

Application 2: The xz backdoor

Today: trust the maintainer tarball

With R-B: compare builds from both sources

J. Malka, “How Reproducible Builds Could Have Detected the XZ Supply-Chain Attack for the Benefit of All”

Problem solved?

R-B is a powerful tool, but…

  • Do reproducible builds scale? Experts doubt that R-B is feasible across very large, diverse package collections.

“Does Functional Package Management Enable Reproducible Builds at Scale? Yes.”

J. Malka, S. Zacchiroli, T. Zimmermann — MSR 2025

  • First large-scale empirical study of bitwise reproducibility
  • Nixpkgs: largest cross-ecosystem FOSS distribution (100k+ packages)
  • Rebuilt packages from 17 historical revisions (2017–2023)

Results: reproducibility over time

  • Reproducibility rates between 86% and 93%, with an upward trend.
  • Problem: 15,000 build hours on 10 machines!

Lila

Decentralized Build Reproducibility Monitoring for the Functional Package Management Model

Malka, Engelen — MSR 2026

Goal: a decentralized system for collecting and aggregating reproducibility attestations at scale.

  • Leverage the properties of functional package managers
  • Distribute the verification workload across independent builders
  • Provide dashboards for monitoring reproducibility regressions
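The definition of reproducibility above (bit-for-bit identical artifacts from independent builds), the xz-style check of comparing builds from two sources, and the attestation-aggregation goal of Lila all reduce to the same core computation: group attestations by what was built, compare each reported output hash against a reference, and flag disagreement. The following is an added example of that aggregation logic, not code from Lila, Nixpkgs or the authors. It assumes a hypothetical attestation format (newline-delimited JSON with `builder`, `drv`, `output` and `nar_hash` fields); the store paths, builder names and hashes are constructed for the example.

```python
"""Toy aggregator for build-reproducibility attestations.

Hypothetical example, not part of Lila or Nixpkgs. In a functional package
manager a derivation store path fixes the build recipe and all of its inputs,
so independent builders that rebuild the same derivation should obtain the
same output hash. Each builder publishes an attestation with the hash it got;
the aggregator compares those against a reference hash (e.g. the one served by
the official binary cache) and reports per-package verdicts.
"""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import json


@dataclass(frozen=True)
class Attestation:
    builder: str    # identity of the independent rebuilder
    drv: str        # derivation store path (recipe + inputs)
    output: str     # output name, e.g. "out" or "dev"
    nar_hash: str   # hash of the built output (hex)


def parse_attestations(lines):
    """Parse newline-delimited JSON attestations; malformed lines are skipped."""
    parsed = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            d = json.loads(line)
            parsed.append(Attestation(d["builder"], d["drv"], d["output"], d["nar_hash"]))
        except (ValueError, KeyError, TypeError):
            continue  # do not let one bad record poison the whole batch
    return parsed


def aggregate(attestations, reference):
    """Return {(drv, output): verdict} for every entry in `reference`.

    reference maps (drv, output) -> expected nar_hash.
    status is "reproducible" if every attestation matches the reference,
    "unreproducible" if at least one builder reports a different hash,
    and "unverified" if nobody has rebuilt that output yet.
    """
    by_key = defaultdict(list)
    for a in attestations:
        by_key[(a.drv, a.output)].append(a)

    verdicts = {}
    for key, ref_hash in reference.items():
        atts = by_key.get(key, [])
        agree = sum(1 for a in atts if a.nar_hash == ref_hash)
        disagree = sorted((a.builder, a.nar_hash) for a in atts if a.nar_hash != ref_hash)
        if not atts:
            status = "unverified"
        elif disagree:
            status = "unreproducible"   # a regression (or a tampered artifact) to investigate
        else:
            status = "reproducible"
        verdicts[key] = {"status": status, "agree": agree, "disagree": disagree}
    return verdicts


def reproducibility_rate(verdicts):
    """Fraction of verified outputs that are reproducible (the dashboard headline number)."""
    verified = [v for v in verdicts.values() if v["status"] != "unverified"]
    if not verified:
        return 0.0
    return sum(1 for v in verified if v["status"] == "reproducible") / len(verified)


def _h(label):
    """Constructed stand-in for a NAR hash, derived from a label string."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed sample data: a reference cache and attestations from two builders.
# The xz entry mirrors the talk's scenario: the reference is a build from the
# maintainer tarball, and one builder rebuilt from the git checkout instead.
HELLO = ("/nix/store/aaaaaaaa-hello.drv", "out")
XZ = ("/nix/store/bbbbbbbb-xz.drv", "out")
ZLIB = ("/nix/store/cccccccc-zlib.drv", "out")

SAMPLE_REFERENCE = {HELLO: _h("hello-out"), XZ: _h("xz-from-tarball"), ZLIB: _h("zlib-out")}

SAMPLE_LINES = [
    json.dumps({"builder": "b1", "drv": HELLO[0], "output": "out", "nar_hash": _h("hello-out")}),
    json.dumps({"builder": "b2", "drv": HELLO[0], "output": "out", "nar_hash": _h("hello-out")}),
    json.dumps({"builder": "b1", "drv": XZ[0], "output": "out", "nar_hash": _h("xz-from-tarball")}),
    json.dumps({"builder": "b2", "drv": XZ[0], "output": "out", "nar_hash": _h("xz-from-git")}),
    "{not valid json",   # deliberately malformed record
]


def run_sample():
    """Aggregate the constructed sample and return the verdict table."""
    return aggregate(parse_attestations(SAMPLE_LINES), SAMPLE_REFERENCE)


if __name__ == "__main__":
    verdicts = run_sample()
    for (drv, out), v in verdicts.items():
        print(f"{drv}!{out}: {v['status']} (agree={v['agree']}, disagree={v['disagree']})")
    print(f"reproducibility rate: {reproducibility_rate(verdicts):.0%}")
```

Note the three-way verdict: an output nobody has rebuilt is reported as unverified rather than silently counted as reproducible, so the headline rate only covers outputs that independent builders actually checked. The disagreement list keeps the builder identity, which is what lets a dashboard distinguish one misconfigured builder from a genuine regression.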

Design overview

Lila’s deployment for the Nix community

Future work

  • Large-scale reproducibility studies using the Lila database
  • Foundation for user-facing tools that leverage R-B for trust-minimizing binary distribution

Thank you for your attention!

My socials:

luj@chaos.social

julien.malka@telecom-paris.fr