

Google Launches OSS Rebuild (googleblog.com)
Google has announced OSS Rebuild, a project from its Open Source Security Team that aims to detect supply chain attacks in open source software by independently reproducing package builds and checking them against what the registries actually serve. It currently targets PyPI (Python), npm (JavaScript/TypeScript) and Crates.io (Rust) packages.
The system, the company said, automatically derives a standardized build environment for each package, rebuilds it, and compares the result against the published artifact. Where the rebuild checks out, OSS Rebuild publishes SLSA Provenance attestations, which it has already done for thousands of packages, meeting the SLSA Build Level 3 requirements without requiring any action from the package publisher. Google says the approach can surface three classes of compromise: published artifacts containing source code that was never committed to the public repository, tampering with the build environment, and backdoors whose build-time behaviour departs from the expected execution pattern.
Google cited recent real-world attacks, @solana/web3.js (2024), tj-actions/changed-files (2025) and xz-utils (2024), as examples of the threats the system is meant to address. It notes that open source components now make up 77% of modern applications, with an estimated value exceeding $12 trillion. The project follows the hosted-infrastructure model Google previously used in OSS-Fuzz for finding memory-safety bugs.
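As an added illustration of the two checks described above (this is example code written for this page, not OSS Rebuild's own code or output): a normalized comparison of an independent rebuild against the published artifact, and a check of an artifact against an in-toto Statement carrying a SLSA v1 provenance predicate. The package contents, builder ID and source URI are constructed placeholders; the statement layout follows the public in-toto and SLSA specifications, and verification of the signed DSSE envelope that would wrap a real attestation is deliberately left out.

```python
"""Rebuild-vs-published comparison and SLSA provenance subject check.
Illustrative example; all sample data below is constructed inline."""
import hashlib
import io
import tarfile
from typing import Dict

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_tar(files: Dict[str, bytes], mtime: int, uid: int) -> bytes:
    """Constructed sample artifact: an uncompressed tar built in memory.
    mtime/uid go into the tar headers, so archives with identical file
    contents can still differ byte-for-byte (packaging noise, not tampering)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            info.uid = info.gid = uid
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def content_digests(archive: bytes) -> Dict[str, str]:
    """sha256 of each regular file's content, ignoring header metadata."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = sha256_hex(tar.extractfile(member).read())
    return out


def compare_builds(published: bytes, rebuilt: bytes) -> dict:
    """identical_bytes is strict reproducibility; same_content is the
    normalized comparison that separates real payload drift from noise."""
    pub, reb = content_digests(published), content_digests(rebuilt)
    return {
        "identical_bytes": sha256_hex(published) == sha256_hex(rebuilt),
        "same_content": pub == reb,
        "only_in_published": sorted(set(pub) - set(reb)),
        "only_in_rebuilt": sorted(set(reb) - set(pub)),
        "changed": sorted(n for n in pub.keys() & reb.keys() if pub[n] != reb[n]),
    }


def make_statement(name: str, artifact: bytes, builder_id: str, source_uri: str) -> dict:
    """Constructed in-toto Statement with a SLSA v1 provenance predicate.
    buildType, builder and source URIs are placeholders (example.invalid)."""
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/rebuild/v1",
                "externalParameters": {"package": name, "source": source_uri},
                "resolvedDependencies": [{"uri": source_uri}],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_statement(statement: dict, artifact: bytes, trusted_builders: set) -> dict:
    """Check an artifact against a provenance statement. The DSSE envelope
    signature must already have been verified before these checks mean anything."""
    digest = sha256_hex(artifact)
    subjects = statement.get("subject", [])
    builder = statement.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    return {
        "statement_type_ok": statement.get("_type") == INTOTO_STATEMENT_V1,
        "predicate_type_ok": statement.get("predicateType") == SLSA_PROVENANCE_V1,
        "subject_matches": any(s.get("digest", {}).get("sha256") == digest for s in subjects),
        "builder_trusted": builder in trusted_builders,
    }


# --- Constructed demo data (not real package contents) ------------------------
SOURCE = {"pkg/__init__.py": b"VERSION = '1.2.3'\n", "pkg/core.py": b"def run():\n    return 42\n"}
REBUILT = make_tar(SOURCE, mtime=0, uid=0)                       # hermetic rebuild
PUBLISHED_OK = make_tar(SOURCE, mtime=1_700_000_000, uid=1000)   # same code, noisy metadata
PUBLISHED_TAMPERED = make_tar({**SOURCE, "pkg/_hook.py": b"# file absent from the public repo\n"},
                              mtime=1_700_000_000, uid=1000)
BUILDER = "https://example.invalid/rebuild-builder"               # placeholder builder id
STATEMENT = make_statement("pkg-1.2.3.tar", PUBLISHED_OK, BUILDER,
                           "git+https://example.invalid/pkg@v1.2.3")


def demo() -> dict:
    return {
        "benign": compare_builds(PUBLISHED_OK, REBUILT),
        "tampered": compare_builds(PUBLISHED_TAMPERED, REBUILT),
        "attest_ok": verify_statement(STATEMENT, PUBLISHED_OK, {BUILDER}),
        "attest_tampered": verify_statement(STATEMENT, PUBLISHED_TAMPERED, {BUILDER}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The benign case shows why the comparison has to be normalized: the published tarball and the rebuild differ byte-for-byte only because of header metadata, while the tampered case surfaces a file that exists in the registry artifact but in no rebuild from the public source, which is exactly the "unsubmitted source code" class the summary describes. The provenance check is the consumer side: an artifact whose digest is not among the statement's subjects, or whose builder is not one you trust, fails regardless of how plausible the rest of the predicate looks.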
Re:Google (Score:4, Insightful)
So do it yourself. Honestly, this kind of kneejerk response is stupid. Is Google a good company? No. Does that mean everything they do is useless/untrustworthy? Also no.
You can fetch OSS Rebuild's SLSA Provenance:
$ oss-rebuild get cratesio syn 2.0.39
or explore the rebuilt versions of a particular package:
$ oss-rebuild list pypi absl-py
or even rebuild the package for yourself:
$ oss-rebuild get npm lodash 4.17.20 --format=dockerfile | docker run $(docker buildx build -q -)
Re: Google (Score:3, Insightful)
Hah, exactly.
If you have to just trust the company doing the checking, they haven't done it right. It should be verifiable all the way down.
Re: (Score:2)
So do it yourself. Honestly, this kind of kneejerk response is stupid.
Moreover, Chris Mattern's implication is that he thinks Google might somehow backdoor their reproducibly-rebuilt packages. Even if he thinks Google engineers are evil, does he really believe they're stupid? It would be impossible without someone noticing and crying foul.
Google's security efforts provide a lot of value to the world, for no direct financial gain to Google. Things like Project Zero, Certificate Transparency and OSS Rebuild make the computing world better and safer. In this case, I suspec
This is Google, guys (Score:1)
Re: (Score:2)
It just means you'll get ads from now on every time you use 'xz'...