Who Built This?


A deep survey of how different language ecosystems and package managers handle VCS stamping, that is, embedding the source commit hash into built artifacts. Go has done this automatically since 1.18; Rust requires opt-in build scripts; .NET has mature tooling via SourceLink; Java relies on Maven/Gradle plugins; PHP's Composer preserves commit SHAs by default. Interpreted languages generally lose VCS metadata at publish time, while system package managers like dpkg and RPM rarely propagate it. OCI container images have an annotation spec for this, but it is inconsistently used. The post also covers git archive's export-subst mechanism, trusted publishing via Sigstore as a registry-side alternative, and how reliable stamping metadata could enable richer dependency tooling, such as checking out the exact upstream commit your installed package was built from.
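As an added example (not code from the original post or from nesbitt.io), the Go program below shows what the automatic stamp described above looks like from the consumer's side: it reads the vcs.* build settings that Go 1.18+ records, both from the running binary via runtime/debug.ReadBuildInfo and from the text form that `go version -m` prints, and decides whether the stamp actually pins one reproducible commit. The type and function names (VCSStamp, StampFromText, PinsExactCommit, CheckoutCommand) and the sample build-info texts are this example's own constructions, not part of the Go toolchain or of the post.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"runtime/debug"
	"strings"
)

// VCSStamp is the part of a Go binary's build info that says which source it
// was built from. Since Go 1.18 the go command records these vcs.* settings
// automatically when the main package is built inside a git checkout
// (disable with -buildvcs=false).
type VCSStamp struct {
	System   string // "vcs": git, hg, bzr or fossil
	Revision string // "vcs.revision": full commit hash
	Time     string // "vcs.time": commit time, RFC 3339
	Modified bool   // "vcs.modified": true when the tree had uncommitted changes
}

// ErrNoVCSStamp is returned for binaries built without VCS metadata.
var ErrNoVCSStamp = errors.New("binary carries no vcs.* build settings")

// StampFromSettings pulls the vcs.* keys out of BuildInfo.Settings.
func StampFromSettings(settings []debug.BuildSetting) (VCSStamp, error) {
	var s VCSStamp
	found := false
	for _, kv := range settings {
		switch kv.Key {
		case "vcs":
			s.System, found = kv.Value, true
		case "vcs.revision":
			s.Revision, found = kv.Value, true
		case "vcs.time":
			s.Time, found = kv.Value, true
		case "vcs.modified":
			s.Modified, found = kv.Value == "true", true
		}
	}
	if !found {
		return VCSStamp{}, ErrNoVCSStamp
	}
	return s, nil
}

// StampFromText parses build info in the text form produced by
// (*debug.BuildInfo).String. `go version -m <binary>` prints the same lines
// after a "<file>: go1.x" header, each indented by one tab; strip those first.
func StampFromText(text string) (VCSStamp, error) {
	bi, err := debug.ParseBuildInfo(text)
	if err != nil {
		return VCSStamp{}, err
	}
	return StampFromSettings(bi.Settings)
}

// PinsExactCommit reports whether the stamp names one reproducible git commit:
// a full hex hash (40 for SHA-1 repos, 64 for SHA-256 repos) from a clean tree.
// A dirty tree means the binary corresponds to no commit at all.
func (s VCSStamp) PinsExactCommit() bool {
	if s.System != "git" || s.Modified || (len(s.Revision) != 40 && len(s.Revision) != 64) {
		return false
	}
	for _, c := range s.Revision {
		if !strings.ContainsRune("0123456789abcdef", c) {
			return false
		}
	}
	return true
}

// CheckoutCommand recovers the exact source for a usable stamp; "" otherwise.
func CheckoutCommand(s VCSStamp) string {
	if !s.PinsExactCommit() {
		return ""
	}
	return "git checkout --detach " + s.Revision
}

// Constructed sample build-info texts (not from any real binary), in the shape
// a module-mode build of a git checkout produces.
var SampleBuildInfo = strings.Join([]string{
	"path\texample.com/hello",
	"mod\texample.com/hello\t(devel)",
	"build\t-buildmode=exe",
	"build\tGOOS=linux",
	"build\tvcs=git",
	"build\tvcs.revision=0123456789abcdef0123456789abcdef01234567",
	"build\tvcs.time=2024-01-02T03:04:05Z",
	"build\tvcs.modified=false",
}, "\n") + "\n"

var DirtySampleBuildInfo = strings.Replace(SampleBuildInfo, "vcs.modified=false", "vcs.modified=true", 1)

// UnstampedSampleBuildInfo mimics a build with -buildvcs=false: no vcs.* lines.
var UnstampedSampleBuildInfo = "path\texample.com/hello\nmod\texample.com/hello\t(devel)\nbuild\t-buildmode=exe\n"

func report(name string, s VCSStamp, err error) {
	if err != nil {
		fmt.Fprintf(os.Stderr, "%s: %v\n", name, err)
		return
	}
	fmt.Printf("%s: %s %s at %s modified=%v -> %q\n", name, s.System, s.Revision, s.Time, s.Modified, CheckoutCommand(s))
}

func main() {
	// The running binary reports its own provenance (a checker would use
	// debug/buildinfo.ReadFile on someone else's binary instead).
	if bi, ok := debug.ReadBuildInfo(); ok {
		s, err := StampFromSettings(bi.Settings)
		report("this binary", s, err)
	}
	for _, c := range []struct{ name, text string }{
		{"clean sample", SampleBuildInfo}, {"dirty sample", DirtySampleBuildInfo}, {"unstamped sample", UnstampedSampleBuildInfo},
	} {
		s, err := StampFromText(c.text)
		report(c.name, s, err)
	}
}
```

The caveat worth keeping in mind: the stamp is self-reported by whoever ran the build, not attested. A builder can pass -buildvcs=false, build outside a checkout, or rewrite the bytes, and nothing in the binary will show it. That is why the post pairs embedded stamping with registry-side trusted publishing: the stamp tells you which commit to check out, while the Sigstore signature tells you who built it and from where.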

9 min read. From nesbitt.io
Table of contents
Compiled languages
Interpreted languages
System package managers
Container images
Source archives
Trusted publishing and embedded stamping
