by abdullahkhalids 2495 days ago
> Not to mention, the code to do this would have to land in our public repos on GitHub, where we would quickly be tarred and feathered.

What is the status of reproducible builds for the Brave browser?

2 comments

FYI we didn't have an issue open on the topic of reproducible builds until now[0]. While it has been discussed internally, we haven't focused on it. We will have to assess the work involved but will put it on our backlog.

[0] https://github.com/brave/brave-browser/issues/5830

Please clarify if I'm missing your point, but you can build Brave today. See github.com/brave/brave-browser. Let me know if you run into any issues.
I think "reproducible builds" usually refers to being able to build Brave yourself, then creating a hash of the resulting artefact, and that hash being exactly the same as that of the built version Brave distributes itself.

In other words, being able to verify that the source code that is included in the build of Brave that Brave distributes, is the same as the source code we can view publicly.

I don't see any mentions of reproducible builds over there.

If you're not familiar what reproducible builds are, I suggest you examine the following article:

* https://brendaneich.com/2014/01/trust-but-verify/

Mozilla, however, is different, in that all builds are posted to ftp.mozilla.org, in a versioned manner, and kept there for a while, which, at least in theory, makes it easier to verify or analyse the builds.

What is the situation with Brave? Can I download a version released a few months ago? As it is, the browser is not only not really versioned (at least in the binary form), but there's not even a way to disable it from automatically updating itself. Self-modifying code, where the user has no control over the channel under which the modifications are pushed, is inherently insecure from the reproducibility perspective.

You can get older (and many incremental) builds from https://github.com/brave/brave-browser/tags. Hope this helps! There is desire within the team for reproducible builds, and I'll see to it that these coals are stoked. Our intent is to be as open, transparent, and accountable as we can be. Brave's mentality is "Can't be evil", as opposed to "Don't be evil." Thank you for the feedback!
Those are Git tags; they have nothing to do with reproducible builds, because you're not providing the executable binaries that are the ones being distributed. It's a huge downgrade in terms of reproducibility of builds compared to Firefox. (It works for Google with Google Chrome because they have an entirely different business model where the whole thing is a walled-garden by design.)
Yes, I know those are Git tags. Click on them to find associated binaries. For instance, https://github.com/brave/brave-browser/releases/tag/v0.71.44. Not all tags have binaries, but most do. Those that reach a build channel always do.
What a mess, seriously! What is the retention policy? How far into the past are the binaries stored?
Reproducible builds would mean that anyone could download the code for a specific release and build a binary that is identical to the one you provide - byte for byte. Is that possible?
More info about reproducible builds is here:

https://reproducible-builds.org/
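The check the thread keeps coming back to (build it yourself, hash the result, and compare that hash with the binary the vendor distributes) only works if the build is deterministic. The script below is an added example, not code from the thread, from Brave or from Mozilla: a toy "build" that stamps a timestamp into its output, shown once naively and once using the SOURCE_DATE_EPOCH convention from reproducible-builds.org, followed by the digest comparison a user would run against a published artifact. The source text, file names and the SOURCE_DATE_EPOCH value are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread, Brave or Mozilla): why two honest builds of
# the same source can differ, and how a local rebuild is checked against the
# distributed artifact. Source text, file names and the epoch value are constructed.
set -eu

# Constructed stand-in for a checked-out source tree.
SRC='int main(void) { return 0; }'

# Naive build: stamps the wall-clock time into the artifact, so the output
# changes from one build to the next even though the source did not.
naive_build() {
    printf '/* built %s */\n%s\n' "$(date -u +%s)" "$SRC" > "$1"
}

# Reproducible build: takes the timestamp from SOURCE_DATE_EPOCH (the
# reproducible-builds.org convention), so any builder who sets the same value
# gets the same bytes.
reproducible_build() {
    printf '/* built %s */\n%s\n' "${SOURCE_DATE_EPOCH:?export SOURCE_DATE_EPOCH first}" "$SRC" > "$1"
}

# SHA-256 of a file, using whichever tool the platform provides.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the local rebuild matches the digest of the distributed artifact.
verify_artifact() {
    # $1 = locally built file, $2 = published hex digest
    [ "$(digest "$1")" = "$2" ]
}

demo() {
    work=$(mktemp -d)
    naive_build "$work/naive1"; sleep 1; naive_build "$work/naive2"
    echo "naive:        $(digest "$work/naive1")"
    echo "naive again:  $(digest "$work/naive2")"   # differs: timestamp leaked in

    export SOURCE_DATE_EPOCH=1500000000              # constructed value
    reproducible_build "$work/vendor"   # plays the role of the distributed build
    reproducible_build "$work/mine"     # plays the role of the user's rebuild
    echo "vendor:       $(digest "$work/vendor")"
    echo "mine:         $(digest "$work/mine")"     # identical
    if verify_artifact "$work/mine" "$(digest "$work/vendor")"; then
        echo "rebuild matches distributed artifact"
    else
        echo "MISMATCH: distributed artifact does not correspond to this source"
    fi
    rm -rf "$work"
}

demo
```

The two naive digests differ although nothing but the clock changed, which is exactly why a Git tag plus a downloadable binary is not yet a reproducible build: without the build itself being deterministic, a mismatch tells the user nothing about whether the public source went into the shipped binary. Real toolchains leak far more than one timestamp (embedded paths, archive ordering, file ownership), and each such input has to be pinned the same way before byte-for-byte comparison becomes meaningful.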