Mutating the "Immutable": A Large-Scale Study of Git Tag Alterations

· Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Software Development & Engineering, Cybersecurity & Data Privacy, Data Science & Analytics · Depth: Expert, short

Summary

A large-scale empirical study, submitted on June 30, 2026, investigates the alteration of Git tags, which are commonly treated as immutable references and relied on for build reproducibility and software supply-chain integrity. Analyzing 328.4 million software repositories from Software Heritage, the researchers identified 10.2 million tag alterations affecting 189 thousand unique repositories. Git's design permits this: a tag is a mutable ref that can be force-pushed to a different object or deleted outright, and the study shows that such changes are common rather than rare. A cross-analysis with Nixpkgs found 32 packages referencing tags that had been altered in the dataset, 7 of which exhibited confirmed build errors. These findings challenge the widespread assumption of tag immutability and demonstrate a tangible threat to reproducible builds and dependency integrity.

Key takeaway

For DevOps and Security Engineers managing software supply chains, the study shows that a Git tag is not an immutable reference: anyone with push rights to a repository can move the tag name to a different commit or delete it, and a consumer that resolves the tag at build time will silently receive different code. Pin dependencies to the full commit hash (not an abbreviated prefix, which can become ambiguous as the repository grows) and treat the tag as a human-readable label that you verify against the pinned hash, not as the source of truth. Signing tags does not close this gap on its own: a signature proves who created the tag object, not that the tag name still points where it did. Where the consumer also records a content hash of the fetched source, as Nixpkgs fetchers do, a moved tag fails loudly with a hash mismatch; a checkout that records only the tag name drifts silently, which is the worse outcome. Beyond pinning, advocate for development platforms to expose audit logs for tag mutations, and add systematic monitoring of tag alterations (new, deleted, and moved tags) to your CI/CD pipelines so that a change is detected before it reaches a build.
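The monitoring step above can be driven by `git ls-remote --tags`, which lists every tag and, for annotated tags, a second peeled line (`refs/tags/NAME^{}`) giving the commit the tag object points at. The script below is an added example, not code from the paper or from AIssential. It parses two constructed snapshots of that output, classifies each tag as added, deleted, moved (now resolves to a different commit) or retagged (tag object replaced but still resolving to the same commit), and checks a set of recorded pins against the current snapshot. The snapshot contents, tag names, placeholder hashes and the `fetch_tags` helper are assumptions for illustration.

```python
"""Detect Git tag mutations from `git ls-remote --tags` snapshots (added example)."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# One ls-remote line: "<sha>\trefs/tags/<name>" with an optional "^{}" peeled suffix.
# Git prints 40 hex chars for SHA-1 repositories and 64 for SHA-256 repositories.
LS_REMOTE_LINE = re.compile(r"^((?:[0-9a-f]{40}|[0-9a-f]{64}))\trefs/tags/(.+?)(\^\{\})?$")


@dataclass(frozen=True)
class TagRef:
    ref: str     # object the ref points at (the commit for lightweight tags, a tag object otherwise)
    commit: str  # commit the tag ultimately resolves to


def parse_ls_remote(text: str) -> dict[str, TagRef]:
    """Map tag name -> TagRef. Annotated tags produce a second, peeled line (NAME^{})
    carrying the target commit; lightweight tags point straight at the commit."""
    refs: dict[str, str] = {}
    peeled: dict[str, str] = {}
    for line in text.splitlines():
        m = LS_REMOTE_LINE.match(line.rstrip())
        if not m:
            continue  # HEAD, branch refs, blank lines
        sha, name, is_peeled = m.groups()
        (peeled if is_peeled else refs)[name] = sha
    return {name: TagRef(ref=sha, commit=peeled.get(name, sha)) for name, sha in refs.items()}


def diff_tags(old: dict[str, TagRef], new: dict[str, TagRef]) -> dict[str, list]:
    """Classify changes between two snapshots.
    moved: the tag now resolves to a different commit (the content changed).
    retagged: the tag object was replaced (e.g. re-signed) but resolves to the same commit."""
    added = sorted(set(new) - set(old))
    deleted = sorted(set(old) - set(new))
    moved: list[tuple[str, str, str]] = []
    retagged: list[tuple[str, str, str]] = []
    for name in sorted(set(old) & set(new)):
        o, n = old[name], new[name]
        if o.commit != n.commit:
            moved.append((name, o.commit, n.commit))
        elif o.ref != n.ref:
            retagged.append((name, o.ref, n.ref))
    return {"added": added, "deleted": deleted, "moved": moved, "retagged": retagged}


def check_pins(snapshot: dict[str, TagRef], pins: dict[str, str]) -> list[tuple[str, str, str | None]]:
    """pins maps tag name -> full commit hash recorded when the dependency was adopted.
    Returns (tag, expected_commit, actual_commit_or_None) for every pin that no longer holds."""
    failures = []
    for tag, expected in pins.items():
        actual = snapshot.get(tag)
        if actual is None or actual.commit != expected:
            failures.append((tag, expected, actual.commit if actual else None))
    return failures


def fetch_tags(remote_url: str) -> dict[str, TagRef]:
    """Live variant (assumed usage; needs git and network access): snapshot a real remote."""
    out = subprocess.run(["git", "ls-remote", "--tags", remote_url],
                         capture_output=True, text=True, check=True).stdout
    return parse_ls_remote(out)


# Constructed snapshots for illustration; hashes are fake 40-hex placeholders.
C1, C2, C3 = "1" * 40, "2" * 40, "3" * 40   # commits
T1, T2 = "a" * 40, "b" * 40                 # annotated tag objects
BEFORE = f"{C1}\trefs/tags/v1.0.0\n{T1}\trefs/tags/v1.1.0\n{C2}\trefs/tags/v1.1.0^{{}}\n{C3}\trefs/tags/v1.2.0\n"
AFTER = f"{C2}\trefs/tags/v1.0.0\n{T2}\trefs/tags/v1.1.0\n{C2}\trefs/tags/v1.1.0^{{}}\n{C3}\trefs/tags/v1.3.0\n"

if __name__ == "__main__":
    report = diff_tags(parse_ls_remote(BEFORE), parse_ls_remote(AFTER))
    for kind, entries in report.items():
        print(kind, entries)
    # A pin recorded as "v1.0.0 -> C1" now fails because the tag was moved to C2.
    print("pin failures:", check_pins(parse_ls_remote(AFTER), {"v1.0.0": C1, "v1.1.0": C2}))
```

Keep the previous snapshot (or at least the pins) in version control next to the lock file and run the comparison in the pipeline before any checkout. `moved` and `deleted` entries should fail the build, since the content behind the tag is no longer what was reviewed; `retagged` is worth an alert, because the tag object changed even though the commit did not. Comparing peeled commits rather than raw ref hashes is what keeps a harmless re-signing out of the `moved` bucket.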

Key insights

Git tags are frequently altered, undermining software supply-chain integrity and build reproducibility.

Method

Conducted a large-scale empirical study across 328.4M repositories to identify 10.2M Git tag alterations, then cross-analyzed with Nixpkgs to confirm build failures.

Best for: CTO, VP of Engineering/Data, AI Architect, Software Engineer, DevOps Engineer, Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.