NH:STA S01E06 Reproducible Builds
posted Wednesday, January 21, 2026 by The Neighbourhoodie Team
Announcement, News, Interview
This post is part of our series on our work for the Sovereign Tech Agency (STA), formerly the Sovereign Tech Fund. Our introduction post explains why and how we are contributing to various Open Source projects.
In this episode we discover how the Reproducible Builds project helps engineers and users ensure the safety of software packages. We also catch up with Alex Feyerke and Jacoba, who worked on the project, to find out what sets this project apart.
Introducing Reproducible Builds
Suspicion is a good starting point for personal security on the web. Habits like double-checking the sender of that tracking link before clicking (amazon, not arnazon!) are valuable, but they only help if we know what to look for. Spotting the equivalent warning sign in the thousands of lines of code that make up the cool app you just downloaded would be challenging, even if you could be confident you would recognise it when you saw it.
Software packages, built specifically for your machine's operating system and architecture, are incredibly convenient and have become the standard way many of us install new desktop apps. Unfortunately, as is often the case, convenience introduces risk: a compiled binary (the ready-to-install form of a piece of software) is an excellent place to hide malicious code, because nobody can read it the way they can read the source it was built from.
Reproducible Builds focuses on exactly this problem: giving people a way to verify that the binary on their machine was produced from the published source and contains exactly and only what that source describes. To achieve this, the project defines what a reproducible build is, documents the practices that get you there, and publishes and maintains tools that support those practices during development.
The "magic" these practices and tools bring to the build process is complete determinism: the same source, put through the same build process twice, on different machines and at different times, produces the exact same artifact, byte for byte. As you might anticipate, much of the process-side work consists of removing accidental inputs, for example not embedding the current date in the build output (or taking it from SOURCE_DATE_EPOCH, the fixed timestamp convention the project specifies), not depending on the order in which the filesystem lists directory entries, and not recording the user account or host that ran the build.
Following the Reproducible Builds practices makes the requirements for a successful supply chain attack exceedingly demanding. Because independent parties can rebuild from the same source and compare the resulting hashes, a backdoor inserted during compilation on one build server shows up as a mismatch. To go unnoticed, an attacker would have to compromise every rebuilding infrastructure and make exactly the same change on each, or put the change into the public source itself, where anyone can review it. Not easy, right? That's exactly what the project had in mind. The caveat is that reproducibility verifies the path from source to binary, not the source: a vulnerability or backdoor that is already in the published source reproduces perfectly, so source review remains necessary.
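As an added illustration (not code from the original post or from the Reproducible Builds project), the following Python script packages a small constructed source tree twice: once the way a typical packaging step does it, with the clock, the build account and the filesystem's listing order leaking into the archive, and once with every environment-dependent input pinned. It then performs the comparison an independent rebuilder would make, including the case where one party's "build" silently altered a source file. The sample tree, the environment values and the function names are assumptions made for the example; SOURCE_DATE_EPOCH is the project's real convention for a fixed build timestamp, and setting the gzip header timestamp to zero is what `gzip -n` does.

```python
import gzip
import hashlib
import io
import tarfile

# Constructed sample "source tree" (path -> contents); any small project would do.
SOURCE_TREE = {
    "src/main.c": b"int main(void) { return 0; }\n",
    "README": b"demo project\n",
    "src/util.c": b"int helper(int x) { return x + 1; }\n",
}

# Constructed: the same tree after one build host injected a change into it.
BACKDOORED_TREE = dict(SOURCE_TREE)
BACKDOORED_TREE["src/util.c"] = b"int helper(int x) { return x + 1; } /* injected */\n"

# The project's convention for a fixed timestamp: an integer Unix time,
# normally taken from the environment (e.g. the last source commit).
SOURCE_DATE_EPOCH = 1700000000  # assumed value for the example

# Two constructed build environments that differ in clock, account and readdir order.
ENV_A = {"build_time": 1700000100, "builder": "alice",
         "readdir_order": list(SOURCE_TREE)}
ENV_B = {"build_time": 1700000153, "builder": "ci-runner",
         "readdir_order": list(reversed(list(SOURCE_TREE)))}


def _pack(files, order, mtime, uid, gid, uname, gname, gzip_mtime):
    """Write the files into a gzip-compressed tar archive and return its bytes."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        for path in order:
            data = files[path]
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = mtime            # stored in every tar header
            info.uid, info.gid = uid, gid  # stored in every tar header
            info.uname, info.gname = uname, gname
            tar.addfile(info, io.BytesIO(data))
    gz_buf = io.BytesIO()
    # gzip stores its own timestamp in the stream header; the caller chooses it.
    with gzip.GzipFile(fileobj=gz_buf, mode="wb", mtime=gzip_mtime) as gz:
        gz.write(tar_buf.getvalue())
    return gz_buf.getvalue()


def naive_build(files, build_time, builder, readdir_order):
    """A typical non-reproducible packaging step.

    Timestamps come from the clock, ownership from the build account and
    file order from whatever the filesystem returns, so two honest builds
    of identical sources still differ byte for byte.
    """
    return _pack(files, readdir_order, mtime=build_time, uid=1000, gid=1000,
                 uname=builder, gname=builder, gzip_mtime=build_time)


def reproducible_build(files, readdir_order):
    """The same packaging step with every environment-dependent input pinned.

    readdir_order is accepted only to show it no longer matters: entries are
    sorted by name, timestamps come from SOURCE_DATE_EPOCH, ownership is
    fixed to root with empty names, and the gzip header timestamp is zero.
    """
    del readdir_order
    return _pack(files, sorted(files), mtime=SOURCE_DATE_EPOCH, uid=0, gid=0,
                 uname="", gname="", gzip_mtime=0)


def digest(artifact):
    """SHA-256 of a build artifact, the value rebuilders publish and compare."""
    return hashlib.sha256(artifact).hexdigest()


def independent_rebuild_matches(build_a, build_b):
    """The check a rebuilder performs: two builds must hash identically."""
    return digest(build_a) == digest(build_b)


if __name__ == "__main__":
    print("naive builds agree:      ",
          independent_rebuild_matches(naive_build(SOURCE_TREE, **ENV_A),
                                      naive_build(SOURCE_TREE, **ENV_B)))
    print("reproducible builds agree:",
          independent_rebuild_matches(
              reproducible_build(SOURCE_TREE, ENV_A["readdir_order"]),
              reproducible_build(SOURCE_TREE, ENV_B["readdir_order"])))
    print("tampered build detected:  ",
          not independent_rebuild_matches(
              reproducible_build(SOURCE_TREE, ENV_A["readdir_order"]),
              reproducible_build(BACKDOORED_TREE, ENV_B["readdir_order"])))
```

The point of the naive variant is that nothing about it is malicious; it is simply impossible to tell a clock drift from a backdoor by looking at the hash. Once the reproducible variant is in place, a mismatch between two parties' hashes has exactly one innocent explanation left (a remaining source of nondeterminism, which tools such as the project's diff viewer exist to track down) and otherwise points at the inputs one of the two builders used.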
What We Worked On
In the Reproducible Builds collaboration our team was able to work on more future-facing aspects of the project. Communication — especially making it easier for more people to understand and participate in the project — was what Reproducible Builds needed to become that much more resilient in 2025.
As happens with contribution-based projects, the website, documentation and tools can drift out of step with one another as they are updated. The maintainer team was happy to have our help ensuring the website and documentation reflect the current state of the project and convey the impact it can have for teams considering adopting it.
Contributor Documentation
First up, our team found opportunities to make the contributor documentation more approachable and informative. Our goal was to ensure it would help first-time visitors understand what the project is about, give an overview of the parts that make it up and highlight the project’s contribution needs, from coding to writing to donating.
Success Stories
It is a common observation that people are prepared to spend the time or money needed for digital security only after an incident. Reproducible Builds actively publishes stories that highlight the benefits of using their tools from the outset. We collected these success stories on their own page, to help make the case to decision-makers for investing in their security through Reproducible Builds.
Website Enhancements
Lastly, we wanted to enhance the information flow and usability of the project’s website, and prominently link the newly updated contributor documentation and success stories in a more intuitive navigation.
Reflections from the Team
What surprised you the most while working on this project?
Alex: What was interesting about this is that the project does have code, but is primarily a process. That’s a really uncommon and challenging thing to communicate, so even though website updates seem pedestrian at first, restructuring the content for this project needed special attention.
Jacoba: Their team is super fast! When we pinged them they were friendly and very responsive, so working with them was a pleasure. They also meet once a year in-person for a few days, which they’ve been doing since 2015; I think that’s quite unique.
Alex: Yeah that’s right, they do in-person meetings. The project has been going for more than 10 or so years now and they have done a lot of traveling and presenting. Their team really values communication so it was great to help with that.
Conclusion
We are very grateful to the Reproducible Builds team for welcoming our curiosity and contributions. We hope they enjoyed exploring the website updates and that our efforts freed them up to move the project even further ahead.
You can read more about our work with the Sovereign Tech Agency and the projects we’ve worked on with their support:
Keep up to date with future projects by joining our newsletter.