"Don't trust, verify" is a foundational principle in security — but most package registries ask you to do the opposite. You download a pre-built artifact and trust that it matches the source code. Source-based builds eliminate that leap of faith.
What Is a Source-Based Build?
A source-based build means that instead of downloading a pre-compiled binary or a bundled package that someone else built on their laptop, the registry itself clones the source repository, runs the build in a controlled environment, and produces the artifact. The entire process is logged and the output is tied to a specific commit hash.
This is different from reproducible builds, though the two are complementary. Reproducible builds ensure that the same inputs always produce the same outputs. Source-based builds ensure that you know what the inputs were. Together, they provide a complete chain of trust.
How Stout Does It
When you request a package from Stout, here's what happens behind the scenes:
- Source resolution — Stout identifies the upstream source repository and the exact commit for the requested version
- Isolated build — The source is cloned into a fresh, sandboxed container with only the declared build dependencies
- Artifact generation — The package is built according to the ecosystem's standard build process (go build, npm pack, docker build, etc.)
- Provenance recording — Build logs, dependency trees, and environment details are captured and stored alongside the artifact
- Cache and serve — The built artifact is cached so subsequent requests are instant
What About Build Performance?
The most common objection to source-based builds is speed. Building from source is slow, right? It can be — but it doesn't have to be.
Stout uses aggressive caching at every layer. Once a specific version of a package has been built, the artifact is stored in content-addressable storage and served directly. The first build might take a few seconds longer, but every subsequent install is just as fast as any traditional registry.
For large organizations, Stout can also pre-build packages proactively. Point Stout at your lock files, and it will ensure every dependency is built and cached before your CI pipeline even starts.
The Pull-Through Proxy Model
Stout works as a pull-through proxy — you configure it as your registry endpoint, and it transparently handles source resolution and building. Your existing tools (go get, npm install, pip install, docker pull) work exactly as before. No workflow changes required.
When a package is requested, Stout checks its cache first. If the artifact exists and is up to date, it's served immediately. If not, Stout builds it on the fly and caches the result. From the developer's perspective, it feels like any other registry — just one you can actually verify.
Beyond Security
Source-based builds aren't just a security measure. They also enable:
- Cross-compilation — build packages for your target platform, not whatever the maintainer happened to use
- Patching — apply security patches to dependencies without waiting for upstream releases
- Compliance — generate accurate SBOMs with verified provenance for every component
- Debugging — access full build logs and source mappings for any artifact in your dependency tree
Source-based builds represent a shift in how we think about package distribution. Instead of "someone built this and we hope it's fine," the model becomes "we built this from audited source and we can prove it." That's the foundation Stout is built on.