Google's "OSS Rebuild"

David A. Wheeler dwheeler at dwheeler.com
Tue Jul 22 23:27:53 UTC 2025


FYI:

Google's Open Source Security Team (GOSST) has announced a new project
called "OSS Rebuild". You can see their announcement here:
https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html

In it, they attempt to rebuild existing "PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages".
They determine if the build reproduces, and if not, attempt to justify the differences
to determine if they are *semantically* identical.

If they determine that they are semantically identical (including if they're a reproducible build),
they publish the build definition and outcome via SLSA Provenance.
Their goal is to counter various kinds of attacks.

The project's repo is here: https://github.com/google/oss-rebuild

I'm not associated with the project, but I do find it interesting.

--- David A. Wheeler
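A worked illustration of the decision the post describes (does the rebuild match bit-for-bit, and if not, can every difference be justified as non-semantic?), added here as an example and not code from OSS Rebuild or from the poster. It assumes zip-based artifacts such as Python wheels, uses constructed sample files, and treats only member timestamps as a justifiable difference; real checkers must justify many more kinds of difference.

```python
import hashlib
import io
import zipfile


def build_zip(files, stamp):
    """Constructed helper: zip {name: bytes} with one fixed member timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def members(blob):
    """{name: (sha256 of uncompressed payload, date_time)} for every member."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}


def classify_rebuild(upstream, rebuilt):
    """Return (verdict, justifications): 'reproducible' when bytes match,
    'semantically-identical' when only member timestamps differ (each one
    listed as the justification), 'different' when any payload differs."""
    if upstream == rebuilt:
        return "reproducible", []
    up, rb = members(upstream), members(rebuilt)
    if set(up) != set(rb):
        return "different", [f"member set differs: {sorted(set(up) ^ set(rb))}"]
    why = []
    for name in sorted(up):
        (h1, t1), (h2, t2) = up[name], rb[name]
        if h1 != h2:
            return "different", [f"{name}: payload hash differs"]
        if t1 != t2:
            why.append(f"{name}: timestamp {t1} vs {t2} (non-semantic)")
    return "semantically-identical", why


if __name__ == "__main__":
    src = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/core.py": b"def f():\n    return 1\n"}
    upstream = build_zip(src, (2025, 7, 1, 12, 0, 0))
    rebuilt = build_zip(src, (2025, 7, 22, 9, 30, 0))  # same payload, later build clock
    tampered = build_zip({**src, "pkg/core.py": b"def f():\n    return 2\n"}, (2025, 7, 22, 9, 30, 0))
    for other in (upstream, rebuilt, tampered):
        print(classify_rebuild(upstream, other))
```

Only a "reproducible" or "semantically-identical" verdict, together with its justification list, would be worth attaching to published provenance; a "different" verdict is the signal to investigate the upstream artifact.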
