Skip to content
/ oss-rebuild Public

Securing open-source package ecosystems by originating, validating, and augmenting build attestations.

License

Apache-2.0 license
18 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

google/oss-rebuild

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

56 Commits
.github/workflows
.github/workflows
 
 
build
build
 
 
cmd
cmd
 
 
definitions/pypi/beautifulsoup4/4.12.3/beautifulsoup4-4.12.3-py3-none-any.whl
definitions/pypi/beautifulsoup4/4.12.3/beautifulsoup4-4.12.3-py3-none-any.whl
 
 
deployments
deployments
 
 
docs
docs
 
 
internal
internal
 
 
pkg
pkg
 
 
tools
tools
 
 
.gitignore
.gitignore
 
 
AUTHORS
AUTHORS
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
package-lock.json
package-lock.json
 
 
package.json
package.json
 
 

Repository files navigation

OSS Rebuild

Secure open-source package ecosystems by originating, validating, and augmenting build attestations.

Overview

OSS Rebuild aims to apply reproducible build concepts at low-cost and high-scale for open-source package ecosystems.

Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions. When successful, build attestations are published for the upstream artifacts, verifying the integrity of the upstream artifact and eliminating many possible sources of compromise.

We currently support the following ecosystems:

  • NPM (JavaScript/TypeScript)
  • PyPI (Python)
  • Crates.io (Rust)

While complete coverage is the aim, only the most popular packages within each ecosystem are currently rebuilt.

Usage

The oss-rebuild CLI tool can be used to inspect attestations:

$ go install github.com/google/oss-rebuild/cmd/oss-rebuild@latest
$ oss-rebuild get pypi absl-py 2.0.0

The default output contains the rebuild's Dockerfile in base64-encoded form. To view this Dockerfile alone, we provide an option in the --output flag:

$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile

This can be chained with the docker command to execute a rebuild locally:

$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile | docker run $(docker buildx build -q -)

While the default --output=payload option produces more human-readable content, the entire signed attestation can be accessed as follows:

$ oss-rebuild get pypi absl-py 2.0.0 --output=bundle

The list command can be used to view the versions of a package that have been rebuilt:

$ oss-rebuild list pypi absl-py

Contributing

Join us in building a more secure and reliable open-source ecosystem!

Check out the contribution guide to learn more.

Purpose

  • Mitigate supply chain attacks: Detect discrepancies in open-source packages, helping to prevent compromises like those of Solarwinds and Codecov.
  • Scale security standards: Utilize industry best practices such as SLSA, Sigstore, and containerized builds.
  • Community participation: Create a venue to collectivize effort towards securing the open-source supply chain.
  • Enable future innovation: Derive data to leverage AI-driven rebuilds.

Security

To better understand the security properties of rebuilds, see Trust and Rebuilds.

Related Projects

Check out these related projects contributing to the reproducible builds effort:

Disclaimer

This is not an officially supported Google product.

About

Securing open-source package ecosystems by originating, validating, and augmenting build attestations.

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

18 stars

Watchers

3 watching

Forks

2 forks
Report repository

Contributors 3

  •  
  •  
  •  

Languages