Today we’re excited to announce OSS Rebuild, a new project to strengthen trust in open source package ecosystems by reproducing upstream artifacts. As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers.
The project comprises:
- Automation to derive declarative build definitions for existing PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages.
- SLSA Provenance for thousands of packages across our supported ecosystems, meeting SLSA Build Level 3 requirements with no publisher intervention.
- Build observability and verification tools that security teams can integrate into their existing vulnerability management workflows.
- Infrastructure definitions to allow organizations to easily run their own instances of OSS Rebuild to rebuild, generate, sign, and distribute provenance.
Thanks for sharing, this is a bit intriguing. How would this be leveraged on the front-end? As disclaimed in the GitHub:
This is not an officially supported Google product.
Is this an alternative to Sigstore, or could these tools be used to supplement it?