Google's "OSS Rebuild"
David A. Wheeler
dwheeler at dwheeler.com
Tue Jul 22 23:27:53 UTC 2025
FYI:
Google's Open Source Security Team (GOSST) has announced a new project
called "OSS Rebuild". You can see their announcement here:
https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html
In it, they attempt to rebuild existing "PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages".
They determine if the build reproduces, and if not, attempt to justify the differences
to determine if they are *semantically* identical.
If they determine that they are semantically identical (including if they're a reproducible build),
they publish the build definition and outcome via SLSA Provenance.
Their goal is to counter various kinds of attacks.
The project's repo is here: https://github.com/google/oss-rebuild
I'm not associated with the project, but I do find it interesting.
--- David A. Wheeler
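The rebuild-then-compare step the post describes, as an added illustration (not OSS Rebuild's own code or its normalization rules): two archives are compared bit-for-bit first, and if that fails, compared on a content manifest that ignores metadata such as mtimes and entry order. The tarballs are constructed inline as sample input.

```python
import hashlib
import io
import tarfile


def archive_manifest(data: bytes) -> dict[str, str]:
    """Map each regular file's path to the SHA-256 of its bytes.

    Entry order, mtime and uid/gid are dropped: they change the archive
    bytes but not what the package does once installed (assumption: the
    file contents are what matters for this comparison).
    """
    manifest = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                content = tar.extractfile(member).read()
                manifest[member.name] = hashlib.sha256(content).hexdigest()
    return manifest


def compare_builds(upstream: bytes, rebuilt: bytes) -> str:
    """Return 'bitwise' (reproducible), 'semantic' (same files, different
    metadata) or 'mismatch' (file contents differ, needs investigation)."""
    if upstream == rebuilt:
        return "bitwise"
    if archive_manifest(upstream) == archive_manifest(rebuilt):
        return "semantic"
    return "mismatch"


def make_tarball(files: dict[str, bytes], mtime: int, order: list[str]) -> bytes:
    """Build a gzip'd tar in memory (constructed sample input, not a real package)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


# Constructed sample: the same source packed twice with different mtimes and
# ordering, plus a variant whose code actually differs.
SRC = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/core.py": b"def f():\n    return 1\n"}
UPSTREAM = make_tarball(SRC, 1700000000, ["pkg/__init__.py", "pkg/core.py"])
REBUILT = make_tarball(SRC, 1720000000, ["pkg/core.py", "pkg/__init__.py"])
TAMPERED = make_tarball({**SRC, "pkg/core.py": b"def f():\n    return 2\n"},
                        1720000000, ["pkg/__init__.py", "pkg/core.py"])
```

A real rebuild check would also record which metadata fields were ignored, so that the justification for calling two artifacts equivalent is itself auditable alongside the provenance.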