Google’s Open Source Security Team has introduced a new project called OSS Rebuild, which aims to strengthen trust in open source package ecosystems. The initiative includes automation for deriving declarative build definitions, tools for build observability and verification, and infrastructure definitions to help organizations rebuild, sign, and distribute packages with verified provenance. As part of the project, the team has already published SLSA Provenance attestations for thousands of packages across supported ecosystems.
The primary goal of OSS Rebuild is to empower the security community by making package consumption as transparent as using a source repository. Using a declarative build process, build instrumentation, and network monitoring, the platform generates detailed, trustworthy security metadata within the SLSA Build framework. Drawing on its experience running OSS-Fuzz for memory-safety bug detection, Google aims to apply hosted resources to security challenges in the open source space, this time focusing on securing the software supply chain.
One of the key features of OSS Rebuild is its ability to detect various classes of supply chain compromise. This includes identifying unsubmitted source code, which can be a sign of tampered packages. By creating standardized, minimal build environments with comprehensive monitoring, the project can detect suspicious build activity or prevent exposure to compromised components. Additionally, OSS Rebuild’s dynamic analysis capabilities can detect stealthy backdoors, which often exhibit anomalous behavioral patterns during builds. These advanced detection methods make the project a powerful tool for enterprises and security professionals seeking to enhance their security posture.
For organizations, OSS Rebuild offers several benefits. It allows them to enhance metadata without changing registries by enriching data for upstream packages. This means companies do not need to maintain custom registries or migrate to a new package ecosystem. The initiative also helps augment Software Bills of Materials (SBOMs) by adding detailed build observability information, creating a more complete security picture. Furthermore, the project accelerates vulnerability response by providing a path to vendor, patch, and re-host upstream packages using verifiable build definitions.
Google initially supports the PyPI (Python), npm (JS/TS), and crates.io (Rust) package registries, providing rebuild provenance for many of their most popular packages. The team emphasizes that this is just the beginning, with plans to expand support to other ecosystems in the future. The easiest way to access OSS Rebuild attestations is through the provided Go-based command-line interface, which lets users obtain the benefits of the project without significant changes to their workflows.
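To make the rebuild-and-compare idea concrete, here is an added Go example (written for this page, not code from Google's OSS Rebuild project) covering three of the steps described above: comparing a registry artifact against a rebuild from the declared source to surface files that never appeared in the source repository, emitting a simplified SLSA-style provenance statement only when the rebuild matches, and a consumer-side check that a downloaded artifact's digest matches the attested subject. The `Artifact` map, the `Statement` fields, the builder ID and the sample file contents are all assumptions constructed for the example; the real OSS Rebuild attestation schema and CLI are not reproduced here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Artifact models an unpacked package archive: relative path -> file bytes.
// (Constructed abstraction for this example.)
type Artifact map[string][]byte

// Digest returns a deterministic SHA-256 over the sorted (path, length, content)
// triples, so two archives with identical contents yield the same digest.
func (a Artifact) Digest() string {
	paths := make([]string, 0, len(a))
	for p := range a {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%s\x00%d\x00", p, len(a[p]))
		h.Write(a[p])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Report lists how the published artifact differs from its rebuild.
type Report struct {
	Reproducible bool     // digests match exactly
	Unsubmitted  []string // in the published artifact, absent from the rebuild (never in source)
	Modified     []string // in both, but with different contents
	Missing      []string // produced by the rebuild, absent from the published artifact
}

// Compare diffs the registry artifact against the artifact rebuilt from the
// declared source in a minimal build environment.
func Compare(published, rebuilt Artifact) Report {
	r := Report{Reproducible: published.Digest() == rebuilt.Digest()}
	for p, content := range published {
		rb, ok := rebuilt[p]
		switch {
		case !ok:
			r.Unsubmitted = append(r.Unsubmitted, p)
		case string(rb) != string(content):
			r.Modified = append(r.Modified, p)
		}
	}
	for p := range rebuilt {
		if _, ok := published[p]; !ok {
			r.Missing = append(r.Missing, p)
		}
	}
	sort.Strings(r.Unsubmitted)
	sort.Strings(r.Modified)
	sort.Strings(r.Missing)
	return r
}

// Statement is a deliberately simplified in-toto/SLSA-style provenance
// statement (an assumption for this example, not OSS Rebuild's schema).
type Statement struct {
	Type          string            `json:"_type"`
	PredicateType string            `json:"predicateType"`
	SubjectName   string            `json:"subject"`
	SubjectSHA256 string            `json:"sha256"`
	Builder       string            `json:"builder"`
	BuildDef      map[string]string `json:"buildDefinition"`
}

// Attest issues a statement only when the rebuild reproduces the published
// artifact; any discrepancy is returned as an error instead of being attested.
func Attest(name string, published, rebuilt Artifact, buildDef map[string]string) (*Statement, error) {
	rep := Compare(published, rebuilt)
	if !rep.Reproducible {
		return nil, fmt.Errorf("rebuild of %s does not match: unsubmitted=%v modified=%v missing=%v",
			name, rep.Unsubmitted, rep.Modified, rep.Missing)
	}
	return &Statement{
		Type:          "https://in-toto.io/Statement/v1",
		PredicateType: "https://slsa.dev/provenance/v1",
		SubjectName:   name,
		SubjectSHA256: published.Digest(),
		Builder:       "https://example.invalid/rebuilder", // placeholder builder ID
		BuildDef:      buildDef,
	}, nil
}

// Verify is the consumer-side check: the artifact actually downloaded must
// hash to the subject digest recorded in the attestation.
func Verify(st *Statement, downloaded Artifact) bool {
	return st != nil && st.SubjectSHA256 == downloaded.Digest()
}

// SampleArtifacts returns constructed inputs: a clean publish, its rebuild,
// and a publish carrying a file that exists nowhere in the source repository.
func SampleArtifacts() (published, rebuilt, tampered Artifact) {
	src := Artifact{
		"setup.py":        []byte("from setuptools import setup\nsetup(name='example')\n"),
		"pkg/__init__.py": []byte("from .core import run\n"),
		"pkg/core.py":     []byte("def run():\n    return 'ok'\n"),
	}
	published, rebuilt, tampered = Artifact{}, Artifact{}, Artifact{}
	for p, c := range src {
		published[p], rebuilt[p], tampered[p] = c, c, c
	}
	tampered["pkg/_extra.py"] = []byte("# constructed: file absent from the source repo\n")
	return published, rebuilt, tampered
}

func main() {
	published, rebuilt, tampered := SampleArtifacts()
	fmt.Printf("tampered vs rebuild: %+v\n", Compare(tampered, rebuilt))
	st, err := Attest("example-1.0.0.tar.gz", published, rebuilt, map[string]string{"source": "git://example.invalid/example@v1.0.0"})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(out))
	fmt.Println("downloaded artifact verifies:", Verify(st, published))
}
```

The important design choice is that `Attest` refuses to emit a statement when `Compare` finds any discrepancy, so provenance exists only for artifacts whose contents are fully explained by the declared source; a file that appears in the registry tarball but not in the rebuild shows up in `Unsubmitted`, which is the "unsubmitted source code" signal the article describes.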