Google launches OSS Rebuild to boost trust in open source package security
Google has announced OSS Rebuild, a new initiative designed to enhance trust across open source package ecosystems by reproducibly rebuilding upstream artifacts. Responding to the continued threat of supply chain attacks, OSS Rebuild aims to offer security teams actionable data to avoid compromises and reduce dependency risks, without placing extra demands on upstream maintainers.
At the core of OSS Rebuild is automation that generates declarative build definitions for packages from widely used language registries: PyPI for Python, npm for JavaScript and TypeScript, and Crates.io for Rust. In parallel, the project publishes Supply-chain Levels for Software Artifacts (SLSA) provenance for thousands of packages, meeting SLSA Build Level 3 requirements, and does so without requiring any involvement from package publishers.
On top of these foundations, OSS Rebuild supplies observability and verification tools intended to integrate with existing vulnerability management workflows. Organizations can also deploy their own OSS Rebuild instances from the provided infrastructure definitions, allowing them to rebuild packages and to generate, sign, and distribute their own provenance data.
OSS Rebuild employs a declarative build process, comprehensive build instrumentation, and network monitoring in accordance with SLSA guidelines, ensuring security metadata is both fine-grained and durable.
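The check a security team would run on this kind of output, written here as an added example rather than OSS Rebuild's own code: hash the artifact actually published on the registry, compare it with the digest the rebuilder attested as the statement's subject, and confirm the statement came from the builder you trust. The statement shape is the generic in-toto/SLSA v1 layout (`_type`, `subject`, `predicateType`, `predicate`); the package name, builder id, build type URI and artifact bytes are constructed placeholders, not values from the project.

```python
"""Added example (not OSS Rebuild's code): verify that a published package
artifact is byte-for-byte reproducible according to a SLSA v1 provenance
statement issued by an expected rebuilder.
"""
import hashlib
import json

# Constructed sample values: no real package, digest or builder is referenced.
PACKAGE_NAME = "example-pkg-1.0.0-py3-none-any.whl"
BUILDER_ID = "https://example.invalid/rebuilder"          # assumed placeholder
BUILD_TYPE = "https://example.invalid/buildtypes/declarative/v1"  # assumed
UPSTREAM_ARTIFACT = b"PK\x03\x04 constructed wheel bytes v1"   # as fetched from the registry
REBUILT_ARTIFACT = b"PK\x03\x04 constructed wheel bytes v1"    # rebuilder output, identical
TAMPERED_ARTIFACT = b"PK\x03\x04 constructed wheel bytes v1 + injected payload"

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(name: str, artifact: bytes, builder_id: str) -> dict:
    """Build a minimal SLSA v1 provenance statement whose subject is the
    digest of the rebuilt artifact. A real rebuilder would also record the
    declarative build definition and resolved dependencies in the predicate."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": BUILD_TYPE,
                "externalParameters": {"package": name},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_rebuild(upstream: bytes, statement: dict, expected_builder: str) -> list:
    """Return a list of findings. An empty list means the registry artifact's
    digest is attested as the rebuild output by the expected builder, i.e. the
    upstream artifact reproduces from its declared source."""
    findings = []
    upstream_digest = sha256_hex(upstream)

    if statement.get("_type") != STATEMENT_TYPE:
        findings.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        findings.append("unexpected predicate type")

    # The subject digest is what the rebuilder produced; it must equal the
    # digest of what the registry serves, otherwise the artifact was not
    # reproduced and deserves investigation before use.
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == upstream_digest for s in subjects):
        findings.append("upstream digest not attested: rebuilt artifact differs")

    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder != expected_builder:
        findings.append(f"unexpected builder id: {builder!r}")
    return findings


def demo() -> dict:
    """Run the three scenarios a verifier should distinguish."""
    good = make_provenance(PACKAGE_NAME, REBUILT_ARTIFACT, BUILDER_ID)
    bad = make_provenance(PACKAGE_NAME, TAMPERED_ARTIFACT, BUILDER_ID)
    return {
        "reproducible": verify_rebuild(UPSTREAM_ARTIFACT, good, BUILDER_ID),
        "rebuild_mismatch": verify_rebuild(UPSTREAM_ARTIFACT, bad, BUILDER_ID),
        "wrong_builder": verify_rebuild(
            UPSTREAM_ARTIFACT, good, "https://example.invalid/other-builder"),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the statement would arrive as a signed envelope and the signature would be checked against the rebuilder's key before any of the fields above are trusted; the digest comparison is the part that turns "a rebuild exists" into "the published bytes match it".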