Reproducible Builds and Insights from an Independent Verifier for Arch Linux

📅 2025-05-27
🏛️ Sicherheit
📈 Citations: 3
Influential: 0
🤖 AI Summary
Supply-chain attacks are increasing, and the inability to rebuild a package bit-for-bit from its source makes a compromise of the build process hard to detect. The paper introduces reproducible and bootstrappable builds, reviews the progress of the last ten years and the remaining challenges, and contributes a rebuilder and verifier instance that tests the reproducibility of Arch Linux packages. Rebuilt packages are compared byte-for-byte against the distributed binaries, and every difference is traced back to its cause in the packaging or in the source code. This uncovered a previously unnoticed, security-relevant packaging issue that makes 16 Certbot-related packages unreproducible, and identified the root cause of unreproducibility in the source code of fwupd, for which an upstream patch was submitted and accepted. The result is a reusable methodology for assessing the reproducibility of packages in a Linux distribution.

📝 Abstract
Supply chain attacks have emerged as a prominent cybersecurity threat in recent years. Reproducible and bootstrappable builds have the potential to reduce such attacks significantly. In combination with independent, exhaustive and periodic source code audits, these measures can effectively eradicate compromises in the building process. In this paper we introduce both concepts, we analyze the achievements over the last ten years and explain the remaining challenges. We contribute to the reproducible builds effort by setting up a rebuilder and verifier instance to test the reproducibility of Arch Linux packages. Using the results from this instance, we uncover an unnoticed and security-relevant packaging issue affecting 16 packages related to Certbot, the recommended software to install TLS certificates from Let's Encrypt, making them unreproducible. Additionally, we find the root cause of unreproducibility in the source code of fwupd, a critical software used to update device firmware on Linux devices, and submit an upstream patch to fix it.
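The verification loop the abstract describes (rebuild a package independently, compare the result byte-for-byte with the distributed artifact, and localize any difference to a file and a cause) can be shown in miniature. The following is an added example written for this page; it is not the authors' rebuilder, not diffoscope, and not Arch's packaging tooling. It simulates a build as "pack these files into a tar archive", uses a constructed two-file source tree, and models one common source of nondeterminism: the build's wall-clock time leaking into file mtimes and into an embedded build stamp. The `SOURCE_DATE_EPOCH` convention used for the fix is real; the file names, the stamp file and the `stamp_honours_epoch` switch are hypothetical.

```python
"""Minimal reproducibility verifier: build the same inputs twice under
different conditions, compare the archives byte-for-byte and, if they
differ, localize the difference to a member and a cause."""
import hashlib
import io
import tarfile

# Constructed sample "source tree" for this example (not a real package).
SOURCE_FILES = {
    "usr/bin/tool": b"#!/bin/sh\necho hello\n",
    "usr/share/doc/tool/README": b"Example documentation.\n",
}
STAMP_FILE = "usr/share/tool/build-info.txt"  # hypothetical stamp file


def build_package(files, build_time, source_date_epoch=None,
                  stamp_honours_epoch=True):
    """Simulate a package build that writes a tar archive.

    build_time           wall-clock time of this build (the nondeterministic input)
    source_date_epoch    if set, used for all mtimes instead of build_time
    stamp_honours_epoch  whether the embedded build stamp also uses
                         SOURCE_DATE_EPOCH; False models a source tree that
                         still bakes the real build time into an artifact
    """
    epoch = source_date_epoch if source_date_epoch is not None else build_time
    stamp = epoch if stamp_honours_epoch else build_time
    members = dict(files)
    members[STAMP_FILE] = f"built_at={stamp}\n".encode()
    buf = io.BytesIO()
    # Fixed ustar format and sorted member order: archive format drift and
    # directory-listing order are themselves sources of nondeterminism.
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(members):
            data = members[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = epoch
            info.mode = 0o644
            info.uid = info.gid = 0
            info.uname = info.gname = "root"
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_packages(pkg_a, pkg_b):
    """Return a list of (member, reason) explaining why two archives differ.
    An empty list means the two builds are bit-for-bit identical."""
    if pkg_a == pkg_b:
        return []
    with tarfile.open(fileobj=io.BytesIO(pkg_a)) as ta, \
            tarfile.open(fileobj=io.BytesIO(pkg_b)) as tb:
        ma = {m.name: (m, ta.extractfile(m).read()) for m in ta.getmembers()}
        mb = {m.name: (m, tb.extractfile(m).read()) for m in tb.getmembers()}
    diffs = []
    for name in sorted(set(ma) | set(mb)):
        if name not in ma or name not in mb:
            diffs.append((name, "present in only one build"))
            continue
        (ia, da), (ib, db) = ma[name], mb[name]
        if da != db:
            diffs.append((name, f"content differs ({sha256(da)[:12]} vs {sha256(db)[:12]})"))
        if ia.mtime != ib.mtime:
            diffs.append((name, f"mtime differs ({ia.mtime} vs {ib.mtime})"))
        if (ia.mode, ia.uid, ia.gid, ia.uname, ia.gname) != \
                (ib.mode, ib.uid, ib.gid, ib.uname, ib.gname):
            diffs.append((name, "ownership or mode differs"))
    if not diffs:  # bytes differ but no member does: something outside member data
        diffs.append(("<archive>", "difference outside member data (headers or padding)"))
    return diffs


def verify(files, first_time, second_time, **build_opts):
    """Rebuild the same inputs at two different times and report differences."""
    return compare_packages(build_package(files, first_time, **build_opts),
                            build_package(files, second_time, **build_opts))


if __name__ == "__main__":
    t1, t2, epoch = 1_700_000_000, 1_700_086_400, 1_650_000_000
    for member, reason in verify(SOURCE_FILES, t1, t2):
        print(f"naive build, unreproducible: {member}: {reason}")
    for member, reason in verify(SOURCE_FILES, t1, t2, source_date_epoch=epoch,
                                 stamp_honours_epoch=False):
        print(f"mtimes fixed, stamp still leaks: {member}: {reason}")
    fixed = verify(SOURCE_FILES, t1, t2, source_date_epoch=epoch)
    print("fully fixed:", "reproducible" if not fixed else fixed)
```

The three runs mirror what a rebuilder sees in practice: the naive build differs in every member, normalizing mtimes alone narrows the report to a single file, and that single remaining difference is exactly the kind of localized finding that turns into an upstream patch.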
Problem

Research questions and friction points this paper is trying to address.

Reducing supply chain attacks on the build process through reproducible and bootstrappable builds, combined with independent source code audits
Independently verifying the reproducibility of Arch Linux packages and finding security-relevant packaging issues
Locating and fixing the source-code cause of unreproducibility in fwupd, the firmware update software used on Linux devices
Innovation

Methods, ideas, or system contributions that make the work stand out.

Reproducible and bootstrappable builds, reviewed over ten years of progress, as a defence against compromised build processes
A rebuilder and verifier instance that independently tests the reproducibility of Arch Linux packages, exposing an unnoticed issue in 16 Certbot-related packages
Root-cause analysis of unreproducibility in fwupd, with an upstream patch submitted to fix it
Joshua Drexel
School of Computer Science and Information Technology, Lucerne University of Applied Sciences and Arts, 6343 Rotkreuz, Switzerland
Esther Hänggi
Lecturer & researcher, Lucerne University of Applied Sciences and Arts
IT security, cryptography, quantum information
Iyán Méndez Veiga
Lucerne University of Applied Sciences and Arts
quantum cryptography