
Google Launches OSS Rebuild to Strengthen Open Source Software Security


Google has introduced OSS Rebuild, a new initiative designed to enhance the security of open-source ecosystems by making software supply chain attacks on published packages detectable, and therefore preventable downstream. As attackers increasingly target widely used software dependencies, the initiative aims to provide verifiable build provenance and transparency without placing additional burdens on package maintainers.

What Is OSS Rebuild?

OSS Rebuild focuses on generating reproducible builds and trustworthy security metadata for open-source packages across major ecosystems, including:

  • Python Package Index (PyPI)

  • npm (JavaScript/TypeScript)

  • Crates.io (Rust)

Google also plans to expand coverage to other open-source platforms in the future.

According to Matthew Suozzo from the Google Open Source Security Team (GOSST), OSS Rebuild “gives security teams powerful data to avoid compromise without burden on upstream maintainers.”

How It Works

The OSS Rebuild system leverages a combination of:

  • Declarative build definitions

  • Build instrumentation

  • Network monitoring

Together these let the system infer how a package was built, then rebuild it independently from the public source and compare the result with the artifact actually published in the registry. The comparison uses semantic normalization (for example, ignoring differences in compression, archive timestamps or entry ordering), so byte-for-byte identity is not required: the rebuilt artifact must match the published one in content. Note the scope of such a match: it shows that the published artifact is faithful to its public source, not that the source itself is free of malicious code.

When a match is confirmed, Google generates and publishes a SLSA Provenance attestation, which records how and from what inputs the artifact was built. This allows security teams and users to:

  • Validate the package’s source

  • Reproduce the build independently

  • Customize the build from a known-good baseline

If a build cannot be reproduced automatically, the system instead provides a manual build specification so that a human can carry out and verify the rebuild.
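To make the comparison and attestation steps above concrete, here is an added example written for this page; it is not OSS Rebuild's own code. It normalizes two zip-based artifacts (such as Python wheels) to their member paths and content hashes so that compression, timestamp and ordering differences are ignored, emits an in-toto Statement with a SLSA v1 provenance predicate only when the rebuild matches the published artifact, and includes the consumer-side check of the attestation's subject digest. The package contents, the build type URI, the source URL and the builder ID are constructed placeholders, and the predicate layout is a minimal subset of the SLSA v1 schema rather than the exact shape OSS Rebuild publishes; only the two type URIs are the real, published identifiers.

```python
import hashlib
import io
import json
import zipfile
from typing import Optional

# Real in-toto / SLSA type URIs; everything else in this example is constructed.
STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def normalize_zip(data: bytes) -> dict:
    """Semantic normalization of a zip-based artifact (e.g. a wheel).

    Keeps only {member path: sha256 of uncompressed bytes}. Entry order,
    compression method, timestamps and extra fields are deliberately dropped.
    """
    members = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            members[info.filename] = sha256_hex(zf.read(info))
    return dict(sorted(members.items()))


def compare_artifacts(upstream: bytes, rebuilt: bytes) -> dict:
    """Compare the published artifact with an independent rebuild."""
    up, rb = normalize_zip(upstream), normalize_zip(rebuilt)
    only_upstream = sorted(set(up) - set(rb))   # files only in the published package
    only_rebuilt = sorted(set(rb) - set(up))    # files only in the rebuild
    content_diff = sorted(n for n in up.keys() & rb.keys() if up[n] != rb[n])
    return {
        "match": not (only_upstream or only_rebuilt or content_diff),
        "only_upstream": only_upstream,
        "only_rebuilt": only_rebuilt,
        "content_diff": content_diff,
    }


def make_provenance(name: str, artifact: bytes, build_definition: dict, builder_id: str) -> dict:
    """in-toto Statement carrying a (minimal) SLSA v1 provenance predicate.

    The subject digest is that of the published bytes, so a consumer can check
    the attestation against exactly what they downloaded.
    """
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "buildDefinition": build_definition,
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def attest_if_match(name, upstream, rebuilt, build_definition, builder_id) -> Optional[dict]:
    """Pipeline step: compare, and emit provenance only on a semantic match."""
    if not compare_artifacts(upstream, rebuilt)["match"]:
        return None
    return make_provenance(name, upstream, build_definition, builder_id)


def verify_subject(statement: dict, artifact: bytes) -> bool:
    """Consumer-side check: does this attestation cover the bytes I have?"""
    if statement.get("_type") != STATEMENT_TYPE or statement.get("predicateType") != PROVENANCE_TYPE:
        return False
    digest = sha256_hex(artifact)
    return any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", []))


def build_zip(members, compression, date_time) -> bytes:
    """Build a sample artifact with a chosen compression method and timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in members:
            info = zipfile.ZipInfo(path, date_time=date_time)
            info.compress_type = compression
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed sample data for a hypothetical package.
SOURCE_FILES = [
    ("pkg/__init__.py", b"__version__ = '1.0.0'\n"),
    ("pkg/core.py", b"def add(a, b):\n    return a + b\n"),
]
# What the maintainer published: deflated, real timestamps.
UPSTREAM = build_zip(SOURCE_FILES, zipfile.ZIP_DEFLATED, (2024, 1, 1, 0, 0, 0))
# Independent rebuild: same content, stored uncompressed, epoch timestamp, other order.
REBUILT = build_zip(list(reversed(SOURCE_FILES)), zipfile.ZIP_STORED, (1980, 1, 1, 0, 0, 0))
# A published artifact that diverges from its public source: one file altered,
# one extra file that exists nowhere in the repository.
TAMPERED = build_zip(
    [("pkg/__init__.py", b"__version__ = '1.0.0'\n"),
     ("pkg/core.py", b"def add(a, b):\n    return a + b  # altered\n"),
     ("pkg/_extra.py", b"# file absent from the public source tree\n")],
    zipfile.ZIP_DEFLATED, (2024, 1, 1, 0, 0, 0))
# Hypothetical build definition and builder identity (placeholders).
BUILD_DEF = {"buildType": "https://example.com/hypothetical-wheel-build/v1",
             "externalParameters": {"source": "https://example.com/pkg.git", "ref": "v1.0.0"}}
BUILDER = "https://example.com/hypothetical-rebuilder"

if __name__ == "__main__":
    print(json.dumps(compare_artifacts(UPSTREAM, REBUILT)))
    print(json.dumps(compare_artifacts(TAMPERED, REBUILT)))
    stmt = attest_if_match("pkg-1.0.0-py3-none-any.whl", UPSTREAM, REBUILT, BUILD_DEF, BUILDER)
    print(json.dumps(stmt, indent=2))
```

Two points worth noticing when running it. The rebuilt artifact differs byte-for-byte from the published one (different compression and timestamps) yet still matches after normalization, which is exactly why the attestation's subject digest is taken from the published bytes: `verify_subject` accepts the upstream download and rejects the rebuild, which is what a consumer wants. The tampered case shows the shape of finding the next section describes, a file present in the published package but absent from the source and a file whose content diverges.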

What OSS Rebuild Detects

This initiative can help uncover a variety of supply chain threats, such as:

  • Modified packages that differ from their public source code (e.g., @solana/web3.js)

  • Anomalous build behaviors or suspicious publishing activity (e.g., tj-actions/changed-files)

  • Malicious operations embedded in the build process itself, which are hard to catch by reviewing the source code alone (e.g., the XZ Utils backdoor)

Benefits Beyond Detection

Beyond identifying attacks, OSS Rebuild also supports:

  • Enhanced Software Bills of Materials (SBOMs)

  • Faster vulnerability response

  • Improved package trust

  • Reduced reliance on external CI/CD systems for security

Google summarizes the approach as follows: “Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions. When successful, build attestations are published to verify the artifact’s integrity and eliminate many possible sources of compromise.”