Binary reproducibility & verification protocol


For a long time we have been shipping binaries to users, and often there is no way for the end user to check whether the software is honest or has been tampered with. Slowly, we are seeing efforts towards binary reproducibility in open source projects such as the Tor Project, Debian and Fedora. This is great! We should develop tools and methodologies that make it easier for developers and users to achieve and check binary reproducibility.

Alongside binary reproducibility, we need a verification protocol that answers questions such as: has this binary been signed by the right developer(s)? Can the binary checksum be reproduced by an independent rebuild? If not, why not, and what exactly is different? Are certain networks or nation states modifying binaries from certain projects? Many more questions like these need to be answered.
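The checksum questions above, written out as an added Python example (this is illustration code, not the project's own tooling): it compares independent rebuilds of a published artifact against the published checksum, reports the first differing byte offset and size difference for any rebuild that does not match, and only calls the artifact reproducible when a quorum of independent builders agree. The artifact bytes and builder names are constructed for the example.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if a and b are identical.
    If one is a prefix of the other, the offset is the shorter length."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return None if len(a) == len(b) else n


def verify_rebuilds(published: bytes, rebuilds: dict, quorum: int = 2) -> dict:
    """Compare each independent rebuild (builder name -> bytes) with the
    published artifact. A rebuild matches only if its SHA-256 equals the
    published one; mismatches get a hint about where the bytes diverge."""
    expected = sha256_hex(published)
    matching, mismatching = [], {}
    for name, blob in sorted(rebuilds.items()):
        digest = sha256_hex(blob)
        if digest == expected:
            matching.append(name)
        else:
            mismatching[name] = {
                "sha256": digest,
                "first_diff_offset": first_difference(published, blob),
                "size_delta": len(blob) - len(published),
            }
    return {
        "published_sha256": expected,
        "matching": matching,
        "mismatching": mismatching,
        # Reproducible means at least `quorum` independent builders agree
        # with the published checksum and nobody disagrees.
        "reproducible": len(matching) >= quorum and not mismatching,
    }


# Constructed sample artifacts (not real ELF files): a fake header followed by
# a version string. builder-b embedded a different build date, a classic
# reproducibility breaker; builder-c appended extra padding.
HEADER = b"\x7fELF"
PUBLISHED = HEADER + b"hello-1.0 build-date=2024-01-01" + b"\x00" * 16
REBUILDS = {
    "builder-a": PUBLISHED,
    "builder-b": HEADER + b"hello-1.0 build-date=2024-02-15" + b"\x00" * 16,
    "builder-c": PUBLISHED + b"\x00" * 4,
}
```

Running `verify_rebuilds(PUBLISHED, REBUILDS)` reports builder-a as matching, builder-b diverging at byte 31 (inside the embedded date), and builder-c as four bytes longer, so the artifact is not reproducible.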

By working on binary reproducibility and a verification protocol, we make open source and libre software safer and raise the costs for attackers!

How can I help?

We are happy to hear you like what we do. If you are a developer and work on open source and/or libre software, we encourage you to read the binary reproducibility page.

If you are a developer looking for a project to hack on, we encourage you to make your own software binary reproducible, or to work on tools and methodologies that make it possible, and ideally easier, for other developers to achieve binary reproducibility and verification of their binaries.

As a user, you will have to wait a little: we are hard at work to achieve our dreams. Please check back soon!

We coordinate on #brvp