by cnst 2494 days ago
I don't see any mentions of reproducible builds over there.

If you're not familiar with what reproducible builds are, I suggest you examine the following article:

* https://brendaneich.com/2014/01/trust-but-verify/

Mozilla, however, is different, in that all builds are posted to ftp.mozilla.org, in a versioned manner, and kept there for a while, which, at least in theory, makes it easier to verify or analyse the builds.

What is the situation with Brave? Can I download a version released a few months ago? As it is, the browser is not only not really versioned (at least in the binary form), but there's not even a way to stop it from automatically updating itself. Self-modifying code, where the user has no control over the channel through which the modifications are pushed, is inherently insecure from a reproducibility perspective.

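As an added illustration of the point made above (this is example code written for this page; it is not Brave's, Mozilla's, or any real project's build tooling): a reproducible build is one where anyone who rebuilds the tagged source gets a bit-identical artifact, so the hash of the binary that was actually shipped can be checked against it. The snippet packages a constructed three-file "source tree" as a zip twice. The naive packager leaks the build clock and directory-listing order into the artifact, so two honest builds already disagree and no third party can tell a legitimate binary from a tampered one. The deterministic packager pins every non-source input (entry order, timestamp, permissions, compression), so the auditor's rebuild matches the distributed artifact exactly. The sample files, the fixed epoch constant, and the function names are all assumptions made for the example.

```python
"""Added example, not code from the thread or from any browser project:
why reproducible builds make third-party verification of a shipped
binary possible, demonstrated on a small zip "artifact"."""
import hashlib
import io
import zipfile

# Constructed sample "source tree": path -> contents. Not a real project.
SOURCE = {
    "src/main.js": b"console.log('hello');\n",
    "src/util.js": b"export const x = 1;\n",
    "README": b"demo\n",
}

# Pinned build timestamp for deterministic builds (assumed constant, in the
# spirit of the SOURCE_DATE_EPOCH convention): 2014-01-01 00:00:00.
SOURCE_DATE_EPOCH_TUPLE = (2014, 1, 1, 0, 0, 0)


def naive_build(source, build_time, walk_order):
    """Hypothetical packager that records whatever the build machine happens
    to have: the current clock as each entry's mtime, and files in whatever
    order the directory listing returned them."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in walk_order:
            info = zipfile.ZipInfo(path, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, source[path])
    return buf.getvalue()


def deterministic_build(source):
    """Hypothetical packager with every non-source input pinned: sorted entry
    order, fixed timestamp, fixed permissions, fixed compression method."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path in sorted(source):
            info = zipfile.ZipInfo(path, date_time=SOURCE_DATE_EPOCH_TUPLE)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # regular file, rw-r--r--
            zf.writestr(info, source[path])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def verify_against_source(distributed_artifact, source):
    """The auditor's check: rebuild from the tagged source and compare the
    hash with the artifact that was actually distributed.
    Returns (ok, expected_hash, actual_hash)."""
    expected = sha256(deterministic_build(source))
    actual = sha256(distributed_artifact)
    return expected == actual, expected, actual


def demo():
    """Two naive builds (different clock, different listing order) versus two
    deterministic builds of the same source, plus the auditor's verdict on
    one artifact of each kind."""
    naive_a = naive_build(SOURCE, (2019, 7, 1, 12, 0, 0),
                          ["src/main.js", "README", "src/util.js"])
    naive_b = naive_build(SOURCE, (2019, 7, 2, 9, 30, 0),
                          ["README", "src/util.js", "src/main.js"])
    det_a = deterministic_build(SOURCE)
    det_b = deterministic_build(SOURCE)
    return {
        "naive_reproducible": sha256(naive_a) == sha256(naive_b),
        "deterministic_reproducible": sha256(det_a) == sha256(det_b),
        "naive_verifies": verify_against_source(naive_a, SOURCE)[0],
        "deterministic_verifies": verify_against_source(det_a, SOURCE)[0],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The practical consequence for the retention question raised above: the deterministic rebuild is only useful if the exact binary that users received is still obtainable, because that is the `distributed_artifact` side of the comparison. A verifier who cannot fetch the shipped build for a given version has nothing to compare their rebuild against.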

You can get older (and many incremental) builds from https://github.com/brave/brave-browser/tags. Hope this helps! There is desire within the team for reproducible builds, and I'll see to it that these coals are stoked. Our intent is to be as open, transparent, and accountable as we can be. Brave's mentality is "Can't be evil", as opposed to "Don't be evil." Thank you for the feedback!
Those are Git tags; they have nothing to do with reproducible builds, because you're not providing the executable binaries that are the ones being distributed. It's a huge downgrade in terms of reproducibility of builds compared to Firefox. (It works for Google with Google Chrome because they have an entirely different business model where the whole thing is a walled-garden by design.)
Yes, I know those are Git tags. Click on them to find associated binaries. For instance, https://github.com/brave/brave-browser/releases/tag/v0.71.44. Not all tags have binaries, but most do. Those that reach a build channel always do.
What a mess, seriously! What is the retention policy? How far into the past are the binaries stored?