Google has introduced a new security initiative called OSS Rebuild, designed to improve the integrity of open-source software ecosystems and protect against increasingly common software supply chain attacks. The project focuses on providing reliable build provenance for packages hosted on popular registries such as PyPI (Python), npm (JavaScript/TypeScript), and Crates.io (Rust), with future plans to expand coverage.
“As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers,” said Matthew Suozzo from Google’s Open Source Security Team in a blog post.
OSS Rebuild is intended to validate that a published software package genuinely corresponds to its public source code, ensuring that it hasn’t been tampered with during the build process. The system achieves this by combining automated build definitions, instrumentation, and network monitoring to generate trusted security metadata. This data can then be used to confirm the package’s authenticity.
“Through automation and heuristics, we determine a prospective build definition for a target package and rebuild it,” Google explained. “We semantically compare the result with the existing upstream artifact, normalizing each one to remove instabilities that cause bit-for-bit comparisons to fail (e.g., archive compression).”
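The normalize-then-compare step Google describes, as an added Python example (not OSS Rebuild's own code): two archives of the same constructed source tree are built with different gzip compression levels, member timestamps and member ordering, so they differ bit-for-bit but match once reduced to file paths and content hashes, while a file absent from the source is still reported.

```python
"""Normalize-then-compare, in the spirit of the step Google describes above.

Added example, not OSS Rebuild's code. Sample archives are constructed inline.
"""
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> contents).
SOURCE = {"pkg/__init__.py": b"VERSION = '1.0'\n",
          "pkg/core.py": b"def run():\n    return 42\n"}
# Same tree plus one file that does not exist in the public source.
TAMPERED = dict(SOURCE, **{"pkg/post_install.py": b"# absent from the repository\n"})


def build_tarball(files, compresslevel, mtime, reverse=False):
    """Write files into an in-memory .tar.gz; the three knobs are byte-level instabilities."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz", compresslevel=compresslevel) as tar:
        for name in sorted(files, reverse=reverse):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def normalize(tar_bytes):
    """Discard compression and header metadata: keep member path -> SHA-256 of content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                digests[member.name] = hashlib.sha256(
                    tar.extractfile(member).read()).hexdigest()
    return digests


def semantic_compare(upstream, rebuilt):
    """Return sorted paths whose content differs or that exist on only one side."""
    a, b = normalize(upstream), normalize(rebuilt)
    return sorted(p for p in set(a) | set(b) if a.get(p) != b.get(p))


if __name__ == "__main__":
    upstream = build_tarball(SOURCE, compresslevel=9, mtime=1_700_000_000)
    rebuilt = build_tarball(SOURCE, compresslevel=1, mtime=1_720_000_000, reverse=True)
    print("bit-for-bit equal:", upstream == rebuilt)
    print("semantic diff:", semantic_compare(upstream, rebuilt))
    print("tampered diff:", semantic_compare(upstream, build_tarball(TAMPERED, 9, 1_700_000_000)))
```

A real rebuild pipeline would apply the same idea to the format at hand (wheels, npm tarballs, crates), normalizing whatever the packaging tool emits unstably rather than only gzip and tar headers.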
The results of these rebuilds are published as SLSA Provenance—a type of attestation that allows users to verify a package’s integrity, reproduce the build, and even tailor it from a known-good starting point. In cases where the automation fails to fully reproduce the package, OSS Rebuild provides a manual build specification instead.
This initiative helps uncover multiple forms of supply chain risks, including packages with hidden malicious code not found in their public repositories (e.g., @solana/web3.js), unexpected build behavior (e.g., tj-actions/changed-files), or stealthy execution patterns that are hard to detect manually (e.g., XZ Utils).
Google also emphasized that OSS Rebuild can enhance Software Bills of Materials (SBOMs), accelerate vulnerability mitigation, increase trust in open-source packages, and reduce the dependency on CI/CD platforms for securing builds.
“Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions,” the company added. “When successful, build attestations are published for the upstream artifacts, verifying the integrity of the upstream artifact and eliminating many possible sources of compromise.”