Secure open-source package ecosystems by originating, validating, and augmenting build attestations.
OSS Rebuild aims to apply reproducible build concepts at low cost and high scale for open-source package ecosystems.
Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions. When successful, build attestations are published for the upstream artifacts, verifying the integrity of the upstream artifact and eliminating many possible sources of compromise.
We currently support the following ecosystems:
- NPM (JavaScript/TypeScript)
- PyPI (Python)
- Crates.io (Rust)
While complete coverage is the aim, only the most popular packages within each ecosystem are currently rebuilt.
The `oss-rebuild` CLI tool can be used to inspect attestations:

```sh
$ go install github.com/google/oss-rebuild/cmd/oss-rebuild@latest
$ oss-rebuild get pypi absl-py 2.0.0
```

The default output contains the rebuild's Dockerfile in base64-encoded form. To view this Dockerfile alone, use the `--output` flag:

```sh
$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile
```

This can be chained with the `docker` command to execute a rebuild locally:

```sh
$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile | docker run $(docker buildx build -q -)
```

While the default `--output=payload` option produces more human-readable content, the entire signed attestation can be accessed as follows:

```sh
$ oss-rebuild get pypi absl-py 2.0.0 --output=bundle
```

The `list` command can be used to view the versions of a package that have been rebuilt:

```sh
$ oss-rebuild list pypi absl-py
```

`oss-rebuild` uses a public Cloud KMS key to validate attestation signatures. Anonymous authentication is not supported, so an ADC (Application Default Credentials) credential must be present. This can be set up with:

```sh
$ gcloud init
$ gcloud auth application-default login
```

To disable signature verification and skip the requirement for KMS access, use `--verify=false`.
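An added example, not part of the project's code, of what a consumer does with a `--output=bundle` attestation once the CLI has verified its signature: decode the DSSE envelope, check that the payload is an in-toto statement, and confirm that the statement's subject digest matches the artifact actually downloaded. The envelope and statement below are constructed and assumed to follow the generic DSSE and in-toto v1 layouts; they are not real OSS Rebuild output, and the key id and signature are placeholders.

```python
import base64
import hashlib
import json

# Constructed sample: a DSSE envelope wrapping a minimal in-toto v1 statement.
# Assumed shape only; not real output of `oss-rebuild get ... --output=bundle`.
ARTIFACT = b"constructed wheel bytes standing in for absl_py-2.0.0-py3-none-any.whl"
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "absl_py-2.0.0-py3-none-any.whl",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {},
}
BUNDLE = {
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
    "signatures": [{"keyid": "PLACEHOLDER-KMS-KEY", "sig": "PLACEHOLDER"}],
}


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes the signature covers.
    A verifier that checks the signature over the raw JSON instead will reject valid envelopes."""
    def field(b: bytes) -> bytes:
        return str(len(b)).encode() + b" " + b
    return b"DSSEv1 " + field(payload_type.encode()) + b" " + field(payload)


def decode_statement(bundle: dict) -> dict:
    """Decode the envelope payload, refusing anything that is not an in-toto v1 statement."""
    if bundle["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {bundle['payloadType']!r}")
    statement = json.loads(base64.b64decode(bundle["payload"]))
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        raise ValueError("payload is not an in-toto v1 statement")
    return statement


def artifact_matches(bundle: dict, artifact: bytes) -> bool:
    """True iff some subject digest in the statement equals sha256(artifact).
    This binds the attestation to the file on disk; it says nothing about who signed it,
    so it only means something after signature verification (KMS in the real CLI) has passed."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256") == digest
               for s in decode_statement(bundle)["subject"])
```

The `pae` output is what a signature check over the envelope must be run against; the digest comparison is the step that ties the verified statement to the specific file you are about to install.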
Join us in building a more secure and reliable open-source ecosystem!
Check out the contribution guide to learn more.
- Mitigate supply chain attacks: Detect discrepancies in open-source packages, helping to prevent compromises like those of Solarwinds and Codecov.
- Scale security standards: Utilize industry best practices such as SLSA, Sigstore, and containerized builds.
- Community participation: Create a venue to collectivize effort towards securing the open-source supply chain.
- Enable future innovation: Derive data to leverage AI-driven rebuilds.
To better understand the security properties of rebuilds, see Trust and Rebuilds.
Check out these related projects contributing to the reproducible builds effort:
- reproducible-central: Java, Kotlin reproducibility.
- kpcyrd/rebuilderd: Rebuild scheduler with support for several distros.
This is not an officially supported Google product.