Help the Reproducible Builds effort!

The not-for-profit Reproducible Builds effort needs your help to continue its work towards ensuring the security of computer systems of all shapes and sizes around the world. We use any and all donated funds to ensure focused and intense work on this mission.

Software Freedom Conservancy

The Reproducible Builds project is a member of the Software Freedom Conservancy, a 501(c)3 non-profit organisation. The Conservancy has allowed us to pool organisational resources with other projects such as Selenium, Inkscape, Samba and Wine in order to reduce the management overhead associated with creating our own, dedicated legal entity.

About the project

Whilst anyone can inspect the source code of free and open source software for malicious flaws, most software is distributed pre-compiled to end users.

The motivation behind the Reproducible Builds project is to permit verification that no flaws have been introduced during the compilation process—either maliciously or accidentally—by promising identical results are always generated from a given source, thus allowing multiple third-parties to come to a consensus on whether a system is compromised.

Your continued support will be key in solving this important problem which affects systems of all sizes, from embedded microcontrollers to the largest government and corporate systems.

Past work

  • 94% of packages in Debian are reproducible in our tests, and Debian Policy now recommends that builds are reproducible. Support for our build metadata format (.buildinfo) has been merged into the official toolchain.

  • Large amount of cross-distribution collaboration — Tails and Coreboot now offer reproducible ISO images based heavily on our work, and NetBSD offer a reproducible base system to complement considerable progress from F-Droid, openSUSE and ArchLinux. In addition, we are also providing continuous reproducible builds testing for eight Linux distributions.

  • Core patches written and submitted for GCC, R and Go; Rust introduced “file maps” in support of reproducibility after our feedback.

  • A number of highly lauded presentations (LCA, Embedded Linux Conference, LibrePlanet, Scale15x, CCC, OSSE, LinuxCon China, Open Compliance Summit, etc.) as well as highly productive meetups in “real life”.

  • Countless features in diffoscope and other tools; 1000s of lines changed with extensive use outside of a reproducibility context.

  • Mentoring in Outreachy and GSoC to ease inclusion of new contributors, especially ones from under-represented groups in technology.

  • Almost 3 years of regular weekly newsletters as well as IRC-based meetings. Friendly communications have ensured that newcomers from all backgrounds feel involved and welcome.

Future work

The Reproducible Builds team has demonstrated that it is, in principle, possible to build a Linux distribution in a reproducible manner and have solved many of the issues in doing so.

However, the next release of Debian (“bullseye”) is currently not yet 100% reproducible and funding to support on-going maintenance of critical infrastructure will be absolutely essential to reach this goal.

This not only includes the administration of over 50 build nodes across multiple architectures, it requires continuous and patient work with package maintainers and upstreams to merge reproducibility-related patches. It also includes extending the scope of our testing framework to even more projects, as well as improving the existing tests and reports.

In addition, there are currently no tools that let a user know whether the packages that they are installing are reproducible or not; such tools are required to “close the loop” and allow end-users to finally truly validate the software they are running on their machines.

Furthermore, maintaining momentum — both in terms of public perception and in private — around the various related projects such as diffoscope, etc. will be key in ensuring a reproducible “buster” becomes a reality.

Benefits of sponsorship

  • You (or your company) are contributing to a renowned and respected free/open source project.
  • Community consciousness of your company (and its promotion of Reproducible Builds) will be increased in the minds of the wider community.
  • For corporate donations that equal or are more than the Bronze level, your logo will be placed on our site for one year.
  • People find out about Reproducible Builds first from our website; having a link from our website therefore will associate you and/or your company as a supporter of the well-known and respected Reproducible Builds project.
  • Contributions are tax-deductible to the extent permitted by law.

Please see our list of current sponsors.

Logos

  • Placement on the front page of https://reproducible-builds.org will be for donations that equal or are more than the Platinum level.
  • For donations that are equal to the Gold level, your logo will be placed on each page of the documentation hosted at https://reproducible-builds.org/docs/.
  • Logo placement is alphabetically ordered within each category. Position will be maintained as long as sponsorship is continued each year.
  • Logos on the front page will only be there for a year starting from when your logo is put up on the page.
  • Logos may be up to 468 pixels wide and 80 pixels tall. Platinum-level sponsors may be up to 600 pixels wide and 250 pixels tall.

Levels

Below are the names and amounts associated with levels of sponsorship (all values in USD):

  • Platinum: $250,000
  • Gold: $100,000
  • Silver: $50,000
  • Bronze: $5,000

Non-monetary Donations

The Reproducible Builds project will naturally consider non-monetary donations to the project such as hardware or hosting where we will set a sponsorship level appropriately. (Please note that non-monetary donations may not be tax-deductible; to confirm, you should seek the advice of a qualified tax professional. In general, we suggest cash donations, as that process is much simpler.)

Contact

Please contact us (info@reproducible-builds.org) for more information. Thank you for your consideration and we thank you in advance for your support.

Paypal

The easiest way to individually donate to the project is through PayPal.

Other methods

We can accept check donations drawn in USD from banks in the USA. Donations from banks outside of the US or not in USD should be handled by wire transfer. Please make your check payable to “Software Freedom Conservancy, Inc.” and place “Directed donation: Reproducible Builds” in the memo field. Checks should then be mailed to:

Software Freedom Conservancy, Inc.
137 Montague ST STE 380
BROOKLYN, NY 11201
USA

Conservancy also accepts other methods to receive donations, including US cheques and wire transfers. If you are interested please get in touch with us!

Follow us on Twitter @ReproBuilds and please consider making a donation. Content licensed under CC BY-SA 4.0, style licensed under MIT. Templates and styles based on the Tor Styleguide. Logos and trademarks belong to their respective owners. Patches welcome via our Git repository (instructions) or via our mailing list.