Search papers, labs, and topics across Lattice.
This study empirically investigates build reproducibility in the F-Droid ecosystem by analyzing historical reproducibility logs and attempting to rebuild nearly 19,000 app versions. The findings reveal a steady increase in overall bitwise reproducibility rates, with an impressive 83% rebuild success rate for previously confirmed reproducible apps, although missing dependencies were identified as the primary cause of failure in 76% of non-rebuildable cases. Importantly, among the successfully rebuilt apps, 94% maintained bitwise reproducibility, underscoring the fragility of rebuildability over time and its implications for software security and preservation.
Despite a high initial reproducibility rate, 76% of rebuild failures stem from missing dependencies, highlighting a critical vulnerability in software preservation.
The security of open source applications benefits considerably from the possibility of rebuilding their source and verifying the output. F-Droid, a prominent distribution for open source Android applications, systematically rebuilds them from source and tests their bitwise reproducibility at app publishing time. However, F-Droid offers no guarantee that app reproducibility will continue to hold in the future. As software ecosystems evolve, reproducibility may degrade, with potential negative consequences for software preservation and security. We present the first empirical study of build reproducibility in the F-Droid app ecosystem. Analyzing historical reproducibility logs, we find that the overall bitwise reproducibility rate has been steadily increasing over time (as new versions of apps are published). We then evaluate how reproducibility holds in time for fixed app versions, by attempting to rebuild 18 904 app versions that F-Droid had previously confirmed bitwise reproducible, published between September 2018 and February 2026, achieving an 83% rebuild success rate, and identify missing dependencies as the dominant cause of failure, accounting for 76% of non-rebuildable cases. Among successfully rebuilt apps, 94% are also bitwise reproducible-i.e., they still yield bitwise identical artifacts upon rebuild. Together, these results show that while bitwise reproducibility largely holds for apps that can be rebuilt, rebuildability itself is highly sensitive to temporal decay.