diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index e8caf0ac4035be56594cc6401595f9fa4a849f08..ed69b506f13fa4e50ab95a96022331cc0697f7ee 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -9,7 +9,7 @@ stages:
 - release
 
 variables:
-  TEST_IMAGE: briar/tor-reproducer:${CI_BUILD_REF_NAME}
+  TEST_IMAGE: briar/tor-reproducer:${CI_COMMIT_REF_NAME}
   RELEASE_IMAGE: briar/tor-reproducer:latest
   UPSTREAM_IMAGE: briar/tor-upstream-builder
 
@@ -90,28 +90,28 @@ test_build_mac:
 test_tag_android:
   extends: .base-android
   script:
-    - docker run -v `pwd`/output:/opt/tor-reproducer/output ${TEST_IMAGE} ./verify_tor.py ${CI_BUILD_REF_NAME}
+    - docker run -v `pwd`/output:/opt/tor-reproducer/output ${TEST_IMAGE} ./verify_tor.py ${CI_COMMIT_REF_NAME}
   only:
     - tags
 
 test_tag_linux:
   extends: .base-linux
   script:
-    - docker run -v `pwd`/output:/opt/tor-reproducer/output ${TEST_IMAGE} ./verify_tor_linux.py ${CI_BUILD_REF_NAME}
+    - docker run -v `pwd`/output:/opt/tor-reproducer/output ${TEST_IMAGE} ./verify_tor_linux.py ${CI_COMMIT_REF_NAME}
   only:
     - tags
 
 test_tag_windows:
   extends: .base-windows
   script:
-    - docker run -v `pwd`/output:/opt/tor-reproducer/output ${TEST_IMAGE} ./verify_tor_windows.py ${CI_BUILD_REF_NAME}
+    - docker run -v `pwd`/output:/opt/tor-reproducer/output ${TEST_IMAGE} ./verify_tor_windows.py ${CI_COMMIT_REF_NAME}
   only:
     - tags
 
 test_tag_macos:
   extends: .base-mac
   script:
-    - docker run --privileged -v `pwd`/output:/opt/tor-reproducer/output ${UPSTREAM_IMAGE} ./verify_tor_macos.py ${CI_BUILD_REF_NAME}
+    - docker run --privileged -v `pwd`/output:/opt/tor-reproducer/output ${UPSTREAM_IMAGE} ./verify_tor_macos.py ${CI_COMMIT_REF_NAME}
   only:
     - tags
 
diff --git a/README.md b/README.md
index 4ca040d27fdbb02f72faacb6e39f19285e4275ea..938d61cca209727951c35bfed7be07d0d7b18083 100644
--- a/README.md
+++ b/README.md
@@ -80,3 +80,22 @@ reproduce those.
 To build a specific version of Tor, run
 
     docker run briar/tor-reproducer:latest ./build_tor.py [version]
+
+### Upstream build system
+
+This repository uses the upstream Tor build system for building macOS
+binaries. The `tor-versions.json` file defines the configuration for that
+system via the `upstream` stanza.
+
+We maintain our own
+[fork](https://code.briarproject.org/briar/tor-browser-build) of the
+[tor-browser-build](https://gitlab.torproject.org/tpo/applications/tor-browser-build)
+repository so that we're able to define which Tor browser version and
+exact upstream commit/tag we're building our Tor binaries from and
+additionally have the ability to apply patches.
+This makes it for example possible to build Tor binaries with a higher
+version number than yet released in a Tor browser release.
+We maintain a branch that's based on one of the upstream branches such
+as `maint-12.0` but appends a tor version (i.e. `maint-12.0-tor-0.4.7.14`).
+Then we create an annotated tag such as `tor-0.4.7.14` from that branch
+and use that tag name in the `tor-versions.json` configuration file.
diff --git a/build_tor_linux.py b/build_tor_linux.py
index d99752e7896b47fbdd399aca9eaaea204e430a3b..a7b8c5f683c9d57de00fb1216c03723eef8eed05 100755
--- a/build_tor_linux.py
+++ b/build_tor_linux.py
@@ -59,11 +59,6 @@ def build_linux_arch(arch, gcc_arch, cc_env, openssl_target, autogen_host, versi
                 ] + XZ_CONFIGURE_FLAGS, cwd=xz_dir, env=env)
     check_call(['make', '-j', str(os.cpu_count()), 'install'], cwd=xz_dir, env=env)
 
-    # build zstd
-    zstd_dir = os.path.join(BUILD_DIR, 'zstd', "lib")
-    check_call(['make', '-j', str(os.cpu_count()), 'DESTDIR=%s' % prefix_dir, 'PREFIX=""', 'install'],
-               cwd=zstd_dir, env=env)
-
     # build zlib
     zlib_dir = os.path.join(BUILD_DIR, 'zlib')
     check_call(['./configure', '--prefix=%s' % prefix_dir], cwd=zlib_dir, env=env)
@@ -102,7 +97,6 @@ def build_linux_arch(arch, gcc_arch, cc_env, openssl_target, autogen_host, versi
                 '--host=%s' % autogen_host,
                 '--prefix=%s' % prefix_dir,
                 '--enable-lzma',
-                '--enable-zstd',
                 '--enable-static-zlib',
                 '--with-zlib-dir=%s' % prefix_dir,
                 '--enable-static-libevent',
diff --git a/tor-build/Makefile b/tor-build/Makefile
index e265b2861456ceb3f34233ab281d67ea22bf6d8a..62952a0b5b8f24bb7f104aa7735bdde6cb9f0e9f 100644
--- a/tor-build/Makefile
+++ b/tor-build/Makefile
@@ -99,7 +99,6 @@ INSTALL_DIR := $(EXTERNAL_ROOT)/lib/$(APP_ABI)
 	openssl-clean \
 	libevent-clean \
 	lzma-clean \
-	zstd-clean \
 	tor tor-clean
 
 all: test-setup tor
@@ -213,39 +212,6 @@ lzma-clean:
 	-cd xz && \
 		git clean -fdx > /dev/null
 
-
-#------------------------------------------------------------------------------#
-# zstd
-
-zstd-build-stamp:
-	$(MAKE) -C zstd/lib \
-		PREFIX=$(EXTERNAL_ROOT) \
-		libzstd.a-mt
-	$(MAKE) -C zstd/lib \
-		PREFIX=$(EXTERNAL_ROOT) \
-		libzstd.pc
-	test -d lib || mkdir lib
-	test -d lib/pkgconfig || mkdir lib/pkgconfig
-	test -d include || mkdir include
-	cp zstd/lib/libzstd.a lib
-	cp zstd/lib/libzstd.pc lib/pkgconfig
-	cp zstd/lib/zstd.h include
-	cp zstd/lib/common/zstd_errors.h include
-	cp zstd/lib/deprecated/zbuff.h include
-	cp zstd/lib/dictBuilder/zdict.h include
-	touch $@
-
-zstd-clean:
-	-rm -f include/zstd.h include/zstd_errors.h include/zbuff.h include/zdict.h
-	-rm -f lib/libzstd.a
-	-rm -f lib/pkgconfig/libzstd.pc
-	-rm -f zstd-build-stamp
-	-$(MAKE) -C zstd uninstall
-	-$(MAKE) -C zstd clean
-	-cd zstd && \
-		git clean -fdx > /dev/null
-
-
 #------------------------------------------------------------------------------#
 # tor
 
@@ -259,7 +225,6 @@ tor/Makefile: tor/configure.ac tor/Makefile.am
 				--enable-pic \
 				--enable-static-libevent --with-libevent-dir=$(EXTERNAL_ROOT) \
 				--enable-static-openssl --with-openssl-dir=$(EXTERNAL_ROOT) \
-				--enable-zstd \
 				--disable-module-dirauth \
 				--disable-module-relay \
 				--disable-unittests \
@@ -276,7 +241,7 @@ tor-build-stamp: tor/Makefile
 	$(NDK_TOOLCHAIN_BASE)/bin/$(ALTHOST)-strip -D $(OUTPUT_FILE)
 	touch $@
 
-tor: lzma-build-stamp zstd-build-stamp libevent-build-stamp openssl-build-stamp tor-build-stamp
+tor: lzma-build-stamp libevent-build-stamp openssl-build-stamp tor-build-stamp
 
 tor-clean:
 	-rm -f $(OUTPUT_FILE)
@@ -288,7 +253,7 @@ tor-clean:
 #------------------------------------------------------------------------------#
 # cleanup, cleanup, put the toys away
 
-clean: openssl-clean libevent-clean lzma-clean zstd-clean tor-clean
+clean: openssl-clean libevent-clean lzma-clean tor-clean
 
 
 #------------------------------------------------------------------------------#
diff --git a/tor-versions.json b/tor-versions.json
index 9341d0d50765233473f4bf4dccb42e521df40f16..eb7ba3aedabcc7f53f8631bf113b2c2d68732ca9 100644
--- a/tor-versions.json
+++ b/tor-versions.json
@@ -1,4 +1,38 @@
 {
+  "0.4.7.14": {
+    "tor": {
+      "url": "https://gitlab.torproject.org/tpo/core/tor.git",
+      "commit": "tor-0.4.7.14"
+    },
+    "libevent": {
+      "url": "https://github.com/libevent/libevent.git",
+      "commit": "release-2.1.12-stable"
+    },
+    "openssl": {
+      "url": "https://github.com/openssl/openssl.git",
+      "commit": "OpenSSL_1_1_1s"
+    },
+    "xz": {
+      "url": "https://git.tukaani.org/xz.git",
+      "commit": "v5.2.10"
+    },
+    "zlib": {
+      "url": "https://github.com/madler/zlib.git",
+      "commit": "v1.2.12"
+    },
+    "ndk": {
+      "url": "https://dl.google.com/android/repository/android-ndk-r21e-linux-x86_64.zip",
+      "revision": "21.4.7075529",
+      "sha256": "ad7ce5467e18d40050dc51b8e7affc3e635c85bd8c59be62de32352328ed467e"
+    },
+    "upstream": {
+      "url": "https://code.briarproject.org/briar/tor-browser-build.git",
+      "commit": "tor-0.4.7.14",
+      "libevent": "2.1.7",
+      "reproduce-upstream": false
+    },
+    "timestamp": "201001010000.00"
+  },
   "0.4.7.13-2": {
     "tor": {
       "url": "https://gitlab.torproject.org/tpo/core/tor.git",
@@ -33,7 +67,8 @@
       "url": "https://gitlab.torproject.org/tpo/applications/tor-browser-build.git",
       "commit": "tbb-12.0.6-build1",
       "tor-browser": "12.0.6",
-      "libevent": "2.1.7"
+      "libevent": "2.1.7",
+      "reproduce-upstream": true
     },
     "timestamp": "201001010000.00"
   },
diff --git a/upstream/build_tor_macos.py b/upstream/build_tor_macos.py
index 52fd848d14878c4b450bcc7be10bfb7df6689d75..d81bf2f1df10e2d115348ca0981e2c54454489b3 100755
--- a/upstream/build_tor_macos.py
+++ b/upstream/build_tor_macos.py
@@ -129,4 +129,5 @@ def compare_with_upstream(versions, arch):
 
 if __name__ == "__main__":
     versions = build()
-    compare_output_with_upstream(versions)
+    if (versions['upstream']['reproduce-upstream']):
+        compare_output_with_upstream(versions)
diff --git a/utils.py b/utils.py
index ef478b467a62a2ac3f6c71bd12d9f41b82e127bd..f6a71afbd312ed140ce203c5e3d9eb3ea0220a88 100644
--- a/utils.py
+++ b/utils.py
@@ -85,7 +85,6 @@ def prepare_repos(versions):
     prepare_repo(os.path.join(BUILD_DIR, "openssl"), versions['openssl']['url'], versions['openssl']['commit'])
     prepare_repo(os.path.join(BUILD_DIR, "xz"), versions['xz']['url'], versions['xz']['commit'])
     prepare_repo(os.path.join(BUILD_DIR, "zlib"), versions['zlib']['url'], versions['zlib']['commit'])
-    prepare_repo(os.path.join(BUILD_DIR, "zstd"), versions['zstd']['url'], versions['zstd']['commit'])
 
 
 def prepare_repo(path, url, version):