Google has unveiled an open-source software (OSS) rebuild initiative designed to enhance the security of open-source package ecosystems.
The new project, called OSS Rebuild, addresses growing concerns about supply chain attacks targeting widely-used dependencies across major programming language ecosystems.
OSS Rebuild automatically generates declarative build definitions for existing packages on PyPI (Python), npm (JavaScript/TypeScript), and Crates.io (Rust) registries.
The system produces SLSA Provenance attestations for thousands of packages, meeting SLSA Build Level 3 requirements without requiring intervention from upstream maintainers.
Addressing Critical Security Vulnerabilities
The initiative responds to the increasing sophistication of supply chain attacks targeting open source software, which now comprises 77% of modern applications and represents over $12 trillion in economic value.
Recent high-profile incidents, including the Solana/web3.js compromise in 2024 and the XZ Utils backdoor, have demonstrated how attackers can infiltrate widely-trusted packages.
OSS Rebuild employs automated heuristics to determine build definitions for target packages, then rebuilds them in standardized, monitored environments.

The system performs semantic comparisons between rebuilt artifacts and original upstream packages, normalizing results to account for build instabilities that prevent bit-for-bit comparisons.
The platform can detect several classes of compromise: unsubmitted source code in published packages, build environment compromises through comprehensive monitoring, and stealthy backdoors via dynamic analysis of unusual execution patterns during builds.
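To illustrate the normalized comparison described above, here is an added Python example (not code from the OSS Rebuild project); the archive layout, file names and timestamps are constructed, and a gzipped tar stands in for a real sdist. It hashes file contents while ignoring the unstable build metadata, then reports what the published artifact contains that the rebuild did not produce.

```python
import hashlib
import io
import tarfile

def build_sdist(members, mtime):
    """Construct a gzipped tar archive in memory. Constructed sample data: it
    stands in for an sdist downloaded from a registry or produced by a rebuild."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime  # differs between upstream and rebuild
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def normalized_manifest(archive):
    """Map each regular file's path to the SHA-256 of its contents. mtimes,
    ownership, permissions, gzip headers and member order are all ignored:
    that unstable build metadata is what defeats bit-for-bit comparison."""
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for info in tar:
            if info.isfile():
                data = tar.extractfile(info).read()
                manifest[info.name] = hashlib.sha256(data).hexdigest()
    return manifest

def compare(upstream, rebuilt):
    """Report semantic differences. Files present only in the upstream artifact
    are the 'unsubmitted source' case: content the published package carries
    that rebuilding from the declared source did not produce."""
    up, rb = normalized_manifest(upstream), normalized_manifest(rebuilt)
    return {
        "only_in_upstream": sorted(set(up) - set(rb)),
        "only_in_rebuild": sorted(set(rb) - set(up)),
        "content_differs": sorted(p for p in up.keys() & rb.keys() if up[p] != rb[p]),
    }

def sample_report():
    """Constructed scenario: the published sdist carries an extra module and
    different timestamps/ordering; the rebuild is otherwise identical."""
    src = [("pkg/__init__.py", b"VERSION = '1.0'\n"),
           ("pkg/core.py", b"def f():\n    return 1\n")]
    upstream = build_sdist(src + [("pkg/_extra.py", b"import os\n")], mtime=1700000000)
    rebuilt = build_sdist(list(reversed(src)), mtime=1800000000)
    return upstream == rebuilt, compare(upstream, rebuilt)
```

sample_report() returns False for the bit-for-bit check (timestamps and member order differ) together with a report naming pkg/_extra.py as present only in the upstream artifact.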
Technical Implementation and Capabilities
Built on Google's hosted infrastructure model pioneered with OSS-Fuzz, OSS Rebuild utilizes declarative build processes, build instrumentation, and network monitoring within the SLSA Build framework.
This approach produces fine-grained, durable security metadata without shifting burden to package maintainers.
The system offers a Go-based command-line interface allowing users to fetch SLSA Provenance attestations, explore rebuilt package versions, and even rebuild packages locally using generated Dockerfiles.
For enterprises, OSS Rebuild enhances existing metadata without requiring registry changes and can augment Software Bills of Materials with detailed build observability information.
Google is exploring AI integration to automate complex build reproductions by parsing natural language documentation that describes build and release processes.
Initial experiments show promise for automating exploration and testing with minimal human intervention.
The project aims to make package consumption as transparent as using source repositories directly, providing security teams with powerful tools to understand and control their supply chains.
OSS Rebuild's open architecture allows organizations to run their own instances for rebuilding, generating, signing, and distributing provenance attestations.
The project code and documentation are available at github.com/google/oss-rebuild, with the team actively seeking community contributions to expand ecosystem support.