Mutating the "Immutable": A Large-Scale Study of Git Tag Alterations

📅 2026-06-30
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Although Git tags are commonly regarded as immutable references, they can in fact be altered or deleted via force pushes, thereby jeopardizing build reproducibility and software supply chain security. This study presents the first large-scale empirical analysis of tag mutability across more than 300 million public repositories, leveraging the Software Heritage dataset to identify 10.2 million tag modification events spanning 189,000 repositories. Through cross-validation with the Nixpkgs package management system, the research confirms that seven packages experienced build failures directly attributable to tag changes. The work systematically exposes the non-immutability of Git tags, quantifies their real-world impact, and offers actionable recommendations for improving software integrity and secure development practices.
📝 Abstract
Git tags are commonly viewed as immutable references in software development, marking releases and specific repository states that underpin build reproducibility and software supply-chain integrity. Despite their intended immutability, Git allows tags to be altered through deletion or modification via force-pushed updates. The prevalence of such alterations threatens reproducible builds and dependency integrity. We conduct the first large-scale empirical study of tag alterations in public code repositories, analyzing 328.4 M software repositories from Software Heritage and identifying 10.2 M tag alterations affecting 189 k unique repositories. A cross-analysis with Nixpkgs reveals that 32 packages reference tags altered in our dataset, with 7 exhibiting confirmed build errors, providing concrete evidence that tag alterations break reproducible package builds. Our findings challenge the widespread assumption that tags are immutable anchors for released software. We therefore recommend that build systems and package managers pin dependencies to cryptographic commit hashes, that development forges expose tagmutation audit logs, and that the community adopt systematic monitoring of tag alterations as a standard supply-chain security practice.
Problem

Research questions and friction points this paper is trying to address.

Git tags
immutability
reproducible builds
software supply chain
tag alterations
Innovation

Methods, ideas, or system contributions that make the work stand out.

Git tag immutability
reproducible builds
software supply chain security
empirical study
dependency integrity
🔎 Similar Papers
No similar papers found.