https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html
Google has unveiled OSS Rebuild, a comprehensive security initiative designed to strengthen trust in open source package ecosystems by automatically reproducing and verifying the integrity of widely used software packages. The project aims to provide build provenance for packages across Python Package Index (PyPI), npm (JavaScript/TypeScript), and Crates.io (Rust) registries, with plans to expand to additional open source platforms. As supply chain attacks continue to target critical dependencies, OSS Rebuild offers security teams powerful data to identify compromised packages without placing additional burden on upstream maintainers.
The platform uses automation and heuristics to infer a build definition for each target package, rebuilds the package in a controlled environment, and semantically compares the result with the artifact already published upstream. When the rebuild matches, Google publishes the build definition and outcome as SLSA Provenance attestations, allowing users to verify package origins, repeat the build, and customise builds from known-functional baselines. The system is designed to detect several categories of supply chain compromise, including published packages containing code not present in the public repository, suspicious build activity, and sophisticated backdoors that exhibit unusual execution patterns during builds.
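The "semantic comparison" step is the part of this pipeline worth seeing in code: two honest builds of the same source are rarely byte-identical (timestamps, owner names and compression headers differ), so a verifier has to normalise before it compares. The following is an added example, not OSS Rebuild's own code, and the normalisation rule it applies (keep path, type, mode and content hash; drop mtime, uid/gid and user names) is an assumption chosen for the illustration rather than the project's actual rule. The sdist-style tarballs, the package contents and the tampered variant are all constructed in memory so the script runs offline.

```python
from __future__ import annotations

import hashlib
import io
import tarfile
from dataclasses import dataclass


def build_tarball(files: dict[str, bytes], mtime: int, uname: str) -> bytes:
    """Build a gzip-compressed sdist-style tarball in memory.

    Constructed stand-in for a package fetched from a registry or produced by
    a controlled rebuild; `mtime` and `uname` model the metadata that differs
    between two builds of identical source.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in sorted(files):
            data = files[name]
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o644
            info.mtime = mtime
            info.uname = uname
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def fingerprint(tarball: bytes) -> dict[str, tuple[str, int, str]]:
    """Reduce an archive to what matters for integrity: for each member path,
    its type, permission bits and SHA-256 of content. Timestamps, uid/gid and
    user names are dropped because they vary between honest builds (assumed
    normalisation rule for this example, not OSS Rebuild's)."""
    entries: dict[str, tuple[str, int, str]] = {}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                kind = "file"
                digest = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
            else:
                kind = "dir" if member.isdir() else "other"
                digest = ""
            entries[member.name] = (kind, member.mode, digest)
    return entries


@dataclass
class RebuildReport:
    only_in_upstream: list[str]   # shipped to users but not produced by the rebuild
    only_in_rebuild: list[str]    # produced by the rebuild but missing upstream
    content_mismatch: list[str]   # present in both with different content or mode

    @property
    def verdict(self) -> str:
        diffs = self.only_in_upstream or self.only_in_rebuild or self.content_mismatch
        return "MISMATCH" if diffs else "MATCH"


def compare_artifacts(upstream: bytes, rebuilt: bytes) -> RebuildReport:
    """Semantic comparison of a published artifact against its rebuild."""
    up, rb = fingerprint(upstream), fingerprint(rebuilt)
    return RebuildReport(
        only_in_upstream=sorted(set(up) - set(rb)),
        only_in_rebuild=sorted(set(rb) - set(up)),
        content_mismatch=sorted(n for n in set(up) & set(rb) if up[n] != rb[n]),
    )


def demo() -> dict[str, object]:
    """Run the comparison over constructed sample packages."""
    source = {
        "pkg-1.0/setup.py": b"from setuptools import setup\nsetup(name='pkg', version='1.0')\n",
        "pkg-1.0/pkg/__init__.py": b"__version__ = '1.0'\n",
        "pkg-1.0/pkg/core.py": b"def add(a, b):\n    return a + b\n",
    }
    # Honest case: the same source built twice, by different people at different times.
    upstream = build_tarball(source, mtime=1_700_000_000, uname="maintainer")
    rebuilt = build_tarball(source, mtime=1_750_000_000, uname="rebuilder")
    # Compromised case (constructed): the published archive carries a file absent
    # from the public repository plus a modified module; the rebuild from source does not.
    tampered = dict(source)
    tampered["pkg-1.0/pkg/_injected.py"] = b"# constructed placeholder: file not in the public repo\n"
    tampered["pkg-1.0/pkg/core.py"] = source["pkg-1.0/pkg/core.py"] + b"import pkg._injected\n"
    upstream_tampered = build_tarball(tampered, mtime=1_700_000_000, uname="maintainer")

    clean = compare_artifacts(upstream, rebuilt)
    bad = compare_artifacts(upstream_tampered, rebuilt)
    return {
        # Raw archive hashes differ even in the honest case (tar headers carry mtime
        # and uname), which is why a byte-for-byte check is not enough here.
        "bytewise_equal": hashlib.sha256(upstream).digest() == hashlib.sha256(rebuilt).digest(),
        "clean_verdict": clean.verdict,
        "tampered_verdict": bad.verdict,
        "tampered_only_in_upstream": bad.only_in_upstream,
        "tampered_content_mismatch": bad.content_mismatch,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two report fields a security team cares about most are `only_in_upstream` and `content_mismatch`: both mean the artifact users install contains something the public source does not produce, which is exactly the "code not present in the public repository" category the announcement describes. A real verifier would also have to decide which normalisations are legitimate for each ecosystem (wheel metadata, npm `package.json` rewriting, Cargo registry manifests), and every rule it relaxes is a place a tampered file could hide, so the rule set should be as small as the ecosystem allows.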
Building on Google’s hosted infrastructure model pioneered with OSS Fuzz, OSS Rebuild represents a significant step toward comprehensive supply chain transparency for open source software. The initiative addresses the growing security challenges facing an ecosystem that now comprises 77% of modern applications and represents an estimated value exceeding $12 trillion. For enterprises, the platform enhances metadata without requiring registry changes, augments Software Bills of Materials with detailed build observability, and accelerates vulnerability response through verifiable build definitions. The project is immediately available through a Go-based command-line interface, enabling developers and security teams to access rebuild attestations and verify package integrity across supported ecosystems.