
Google Launches OSS Rebuild (googleblog.com)

(Tuesday July 22, 2025 @11:22AM (msmash) from the moving-forward dept.)


Google has announced OSS Rebuild, a new project designed to [1]detect supply chain attacks in open source software by independently reproducing and verifying package builds across major repositories. The initiative, unveiled by the company's Open Source Security Team, targets PyPI (Python), npm (JavaScript/TypeScript), and Crates.io (Rust) packages.

The system, the company said, automatically creates standardized build environments, rebuilds each package from its public source, and compares the result against the version published on the registry. OSS Rebuild generates SLSA Provenance attestations for thousands of packages, meeting SLSA Build Level 3 requirements without requiring any intervention from the package publisher. The project can identify three classes of compromise: unsubmitted source code (a published package containing code that is not present in the public source repository), build environment compromise (tampering with the build environment that results in injected code), and sophisticated backdoors that exhibit unusual execution patterns during the build.
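The core check the summary describes, a rebuild compared against the published artifact, as an added example in Python (not code from OSS Rebuild or the Google post). It assumes zip-style archives (the format of PyPI wheels; npm tarballs and crates would need the tar equivalent) and compares members by content hash while deliberately ignoring archive metadata, because timestamps and permissions routinely differ between two honest builds and must not be reported as tampering. The sample archives are constructed in memory; the "extra file" case models the unsubmitted-source-code class and the "modified file" case models a compromised build environment.

```python
"""Compare a rebuilt package archive against the one the registry serves.

Added example; not OSS Rebuild's own code. Archives here are zip files built
in memory, and the package contents are constructed for illustration.
"""
import hashlib
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class RebuildDiff:
    added: list = field(default_factory=list)     # present in published only
    removed: list = field(default_factory=list)   # present in rebuilt only
    modified: list = field(default_factory=list)  # same path, different bytes

    def reproduced(self) -> bool:
        """True when every member matches by content (metadata ignored)."""
        return not (self.added or self.removed or self.modified)


def file_digests(archive: bytes) -> dict:
    """Map each archive member path to the SHA-256 of its contents.

    Timestamps, permissions and compression settings are ignored on purpose:
    a rebuild that differs only in mtime still counts as reproduced.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare(rebuilt: bytes, published: bytes) -> RebuildDiff:
    """Diff the rebuilt archive (trusted reference) against the published one."""
    r, p = file_digests(rebuilt), file_digests(published)
    diff = RebuildDiff()
    for path in sorted(set(r) | set(p)):
        if path not in r:
            diff.added.append(path)        # shipped, but never built from source
        elif path not in p:
            diff.removed.append(path)
        elif r[path] != p[path]:
            diff.modified.append(path)     # content changed somewhere in the build
    return diff


def make_archive(members: dict, mtime=(2025, 7, 22, 0, 0, 0)) -> bytes:
    """Build a zip in memory; mtime is settable to show metadata is ignored."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in members.items():
            zf.writestr(zipfile.ZipInfo(path, date_time=mtime), data)
    return buf.getvalue()


# Constructed sample: what a clean rebuild from the public repository yields.
CLEAN = {
    "pkg/__init__.py": b"__version__ = '1.0.0'\n",
    "pkg/core.py": b"def run():\n    return 'ok'\n",
}

# Constructed sample: the same package as "published", carrying one file the
# public source never contained and one file altered during the build.
TAMPERED = dict(CLEAN)
TAMPERED["pkg/_extra.py"] = b"import os\n"
TAMPERED["pkg/core.py"] = b"import pkg._extra\ndef run():\n    return 'ok'\n"


def demo():
    """Return (clean rebuild reproduced?, tampered package reproduced?)."""
    rebuilt = make_archive(CLEAN)
    same_but_later = make_archive(CLEAN, mtime=(2025, 7, 23, 12, 0, 0))
    published = make_archive(TAMPERED)
    return (compare(rebuilt, same_but_later).reproduced(),
            compare(rebuilt, published).reproduced())


if __name__ == "__main__":
    d = compare(make_archive(CLEAN), make_archive(TAMPERED))
    print("reproduced:", d.reproduced())
    print("added:", d.added, "modified:", d.modified)
```

The caveat a practitioner should keep in mind: a non-empty diff proves only that the published artifact was not produced by this build recipe, not that it is malicious. Build flags, bundled dependencies and generated files all have to be normalized or explained before "not reproducible" becomes "compromised", which is exactly the work a rebuild service like the one described has to automate.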

Google cited recent real-world attacks, including solana/web3.js (2024), tj-actions/changed-files (2025), and xz-utils (2024), as examples of the threats the system addresses. The company noted that open source now accounts for 77% of modern applications, with an estimated value exceeding $12 trillion. The project builds on the hosted-infrastructure model Google previously used in OSS-Fuzz for memory-safety bug detection.



[1] https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html



Google (Score:1)

by Chris Mattern ( 191822 )

Now *there's* somebody I trust to rebuild the Open Source Software ecosystem!

Re:Google (Score:4, Insightful)

by SirSlud ( 67381 )

So do it yourself. Honestly, this kind of knee-jerk response is stupid. Is Google a good company? No. Does that mean everything they do is useless/untrustworthy? Also no.

You can fetch OSS Rebuild's SLSA Provenance:

$ oss-rebuild get cratesio syn 2.0.39

or explore the rebuilt versions of a particular package:

$ oss-rebuild list pypi absl-py

or even rebuild the package for yourself:

$ oss-rebuild get npm lodash 4.17.20 --format=dockerfile | docker run $(docker buildx build -q -)

Re: Google (Score:3)

by 26199 ( 577806 )

Hah, exactly.

If you have to just trust the company doing the checking, they haven't done it right. It should be verifiable all the way down.

This is Google, guys (Score:2)

by greytree ( 7124971 )

This sounds good, but Evil Google will of course use it to embed telemetry in the libraries.
