Reproducible Builds
How can you be sure an app was really built from the source indicated? That's where Reproducible Builds (RB) come into play. As the IzzyOnDroid repository does not build apps itself, it relies on verification builders for this, which are based on rbtlog. Results might not be available for all apps or even for all releases of an app. To find out whether the app you're interested in is covered and what its RB status is, you can…
- look up the app in our repository browser and scroll down to its „Packages“ section, where you will find a shield icon next to the version information. Hover over that shield to see what it means. Tap/click the ⓘ (info) icon next to it for more details.
- if you use Droid-ify or Neo Store as your repository client on your Android device, the same approach applies there: apps covered by RB have a shield next to each of their covered releases.
So with a green shield confirming a successful Reproducible Build, you know:
- the APK has been built from exactly the source indicated, with nothing added or taken away
- all the source code needed to build the app is really available openly
- no unauthorized changes have been applied to the build process
- the APK produced by our builders is byte-identical with the one provided by the corresponding developer
And what does it mean if the shield indicates that RB failed? Is it immediate danger? Not necessarily. Since a successful RB requires both APKs to be byte-identical, the cause can be something very simple, e.g.:
- a build step is not deterministic, and e.g. produces a different order of elements
- optimization produced slightly different results
- native libraries embed path names or build timestamps
- the developer built the APK locally with other versions of the tooling (e.g. Flutter, Rust) than specified in their build instructions, resulting in different byte code
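To make the byte-identical requirement and the failure causes above concrete, here is an added example (not part of the IzzyOnDroid page and not the code of rbtlog or the verification builders). It compares two APKs the way a reviewer would when triaging a failed RB: first a whole-file comparison, then, if that fails, a per-entry look inside the ZIP container to classify the divergence as entry order, entry timestamps, entries missing on one side, or actual content differences. The sample archives are constructed in memory as stand-ins for a developer's APK and a rebuilt APK; the example ignores APK signature blocks entirely, which a real verification builder must handle separately.

```python
import hashlib
import io
import zipfile


def build_sample_apk(entries, date_time=(2024, 1, 1, 0, 0, 0)):
    """Build an in-memory, APK-like ZIP from (name, bytes) pairs in the given order.
    Constructed sample data only; real APKs carry many more entries and a signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_apks(dev_apk, builder_apk):
    """Report whether two APKs are byte-identical and, if not, where they diverge.

    'reproducible' is True only for a byte-for-byte match (the RB criterion).
    The remaining fields classify the difference per ZIP entry so that the cause
    (non-deterministic ordering, embedded timestamps, changed code) can be spotted.
    """
    report = {
        "reproducible": dev_apk == builder_apk,
        "order_differs": False,
        "timestamp_differs": [],
        "only_in_dev": [],
        "only_in_builder": [],
        "content_differs": [],
    }
    if report["reproducible"]:
        return report

    with zipfile.ZipFile(io.BytesIO(dev_apk)) as a, zipfile.ZipFile(io.BytesIO(builder_apk)) as b:
        a_names = [i.filename for i in a.infolist()]
        b_names = [i.filename for i in b.infolist()]
        a_infos = {i.filename: i for i in a.infolist()}
        b_infos = {i.filename: i for i in b.infolist()}

        # Same set of entries but in a different sequence: a non-deterministic build step.
        report["order_differs"] = sorted(a_names) == sorted(b_names) and a_names != b_names
        report["only_in_dev"] = sorted(set(a_names) - set(b_names))
        report["only_in_builder"] = sorted(set(b_names) - set(a_names))

        for name in sorted(set(a_names) & set(b_names)):
            # Per-entry modification time stored in the ZIP headers (a classic RB breaker).
            if a_infos[name].date_time != b_infos[name].date_time:
                report["timestamp_differs"].append(name)
            # Hash the decompressed payload so compression-level noise is not mistaken for a code change.
            if sha256(a.read(name)) != sha256(b.read(name)):
                report["content_differs"].append(name)
    return report


def demo():
    """Run the comparison against four constructed rebuild outcomes and return the reports."""
    common = [
        ("AndroidManifest.xml", b"<manifest/>"),
        ("classes.dex", b"dex\n035" + b"\x00" * 16),
    ]
    dev = build_sample_apk(common)
    return {
        "identical": compare_apks(dev, build_sample_apk(common)),
        "reordered": compare_apks(dev, build_sample_apk(list(reversed(common)))),
        "stamped": compare_apks(dev, build_sample_apk(common, date_time=(2024, 6, 15, 12, 30, 0))),
        "changed": compare_apks(dev, build_sample_apk([common[0], ("classes.dex", b"dex\n035" + b"\x01" * 16)])),
    }


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Only the "identical" case yields a green-shield result; the "reordered" and "stamped" cases fail the byte-identical test without any entry's content changing, which is exactly the benign class of failure described above, while "changed" is the case that warrants a closer look at the code itself.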
So while a successful RB gives confidence, a failed RB does not necessarily mean danger. Of course we reach out to the developers in such cases, so the culprit can be identified and fixed. And should it turn out the RB failed due to missing source which was intentionally kept private, the app would also become a candidate for removal: after all, we serve Open Source apps here.
Reproducible Builds have been introduced to IzzyOnDroid in 2024, as outlined in our blog post on Reproducible Builds, special client support and more at IzzyOnDroid.