"Investigate how we can allow users to independently verify/authenticate a final buildpack" (https://www.pivotaltracker.com/story/show/104469634)
"Explore: Compiled binaries should be reproducible" (https://www.pivotaltracker.com/story/show/104746074)
"determine whether the libfaketime reproducible build strategy will work across all of our binaries" (https://www.pivotaltracker.com/story/show/107752798)
"Investigate Why are our node builds not reproducible?" (https://www.pivotaltracker.com/story/show/128161137)
As well as supporting work to help independent verification of the "chain of custody". There's 25 of those under that label, if you use the search box.