Understanding Build Reproducibility in the F-Droid Ecosystem

📅 2026-07-02
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This study addresses the temporal stability of reproducible builds in the F-Droid ecosystem, where open-source Android applications are initially reproducible but may degrade over time due to ecosystem evolution. Conducting the first large-scale empirical analysis, the authors evaluate 18,904 historical app versions through automated rebuilding, dependency-missing diagnostics, and bit-for-bit output comparison. Their findings reveal that 83% of versions can be successfully rebuilt, with 94% of those achieving bitwise identical outputs. However, 76% of rebuild failures stem from missing dependencies, demonstrating a significant decay in reproducibility over time. These results underscore the critical need for robust, long-term mechanisms to sustain build reproducibility in evolving software ecosystems.
📝 Abstract
The security of open source applications benefits considerably from the possibility of rebuilding their source and verifying the output. F-Droid, a prominent distribution for open source Android applications, systematically rebuilds them from source and tests their bitwise reproducibility at app publishing time. However, F-Droid offers no guarantee that app reproducibility will continue to hold in the future. As software ecosystems evolve, reproducibility may degrade, with potential negative consequences for software preservation and security. We present the first empirical study of build reproducibility in the F-Droid app ecosystem. Analyzing historical reproducibility logs, we find that the overall bitwise reproducibility rate has been steadily increasing over time (as new versions of apps are published). We then evaluate how reproducibility holds in time for fixed app versions, by attempting to rebuild 18 904 app versions that F-Droid had previously confirmed bitwise reproducible, published between September 2018 and February 2026, achieving an 83% rebuild success rate, and identify missing dependencies as the dominant cause of failure, accounting for 76% of non-rebuildable cases. Among successfully rebuilt apps, 94% are also bitwise reproducible-i.e., they still yield bitwise identical artifacts upon rebuild. Together, these results show that while bitwise reproducibility largely holds for apps that can be rebuilt, rebuildability itself is highly sensitive to temporal decay.
Problem

Research questions and friction points this paper is trying to address.

build reproducibility
F-Droid
software preservation
temporal decay
open source security
Innovation

Methods, ideas, or system contributions that make the work stand out.

build reproducibility
F-Droid
empirical study
temporal decay
bitwise reproducibility
🔎 Similar Papers