Google’s Open Source Security Team (GOSST) has announced OSS Rebuild, an open source project designed to strengthen trust in package ecosystems by independently reproducing upstream artifacts and generating verifiable provenance metadata. The project targets three major registries at launch: PyPI (Python), npm (JavaScript and TypeScript), and Crates.io (Rust).

What OSS Rebuild Does

The platform uses automation and heuristics to derive declarative build definitions for existing packages, then rebuilds those packages in standardized, monitored environments. Rather than performing a simple byte-for-byte comparison, OSS Rebuild normalizes artifacts to account for build-time instabilities such as archive compression differences before comparing results against the upstream artifact.

When a package is successfully reproduced, OSS Rebuild publishes the build definition and outcome as SLSA Provenance meeting SLSA Build Level 3 requirements. This attestation lets consumers verify a package’s origin within the source history, audit its build process, and use the definition as a baseline for generating more detailed Software Bills of Materials (SBOMs). No intervention is required from the package publisher or maintainer for most packages.
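The consumer-side check this attestation enables, as an added example that is not part of OSS Rebuild or Google's code: a minimal in-toto v1 Statement carrying a SLSA v1 provenance predicate is constructed for a sample artifact, and a verifier confirms that the artifact's SHA-256 matches a subject, that the builder identity is one the consumer trusts (SLSA build levels are a property of the builder, so trusting a builder id is the decision that carries the level), and that the provenance pins a source commit. The builder id and build type URIs are placeholders, and the example assumes the caller has already verified the DSSE envelope signature that wraps real attestations.

```python
import hashlib
import json

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Placeholder builder identity (assumption for this example); a real deployment
# uses the id published by whoever operates the rebuild infrastructure.
TRUSTED_BUILDERS = {"https://example.invalid/oss-rebuild-builder"}


def make_statement(artifact_name, artifact, builder_id, source_uri, source_commit):
    """Construct a minimal Statement with a SLSA v1 provenance predicate.
    Sample data for this example; real statements come from the builder."""
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_V1_PREDICATE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/rebuild/v1",  # placeholder
                "externalParameters": {"package": artifact_name},
                "resolvedDependencies": [
                    {"uri": source_uri, "digest": {"gitCommit": source_commit}}
                ],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement_json, artifact_name, artifact,
                      trusted_builders=TRUSTED_BUILDERS):
    """Return a list of problems; an empty list means the artifact bytes are
    covered by provenance from a trusted builder. Assumes the surrounding
    DSSE envelope signature was already verified by the caller."""
    problems = []
    try:
        st = json.loads(statement_json)
    except json.JSONDecodeError as e:
        return [f"unparseable statement: {e}"]

    if st.get("_type") != INTOTO_STATEMENT_V1:
        problems.append(f"unexpected statement type {st.get('_type')!r}")
    if st.get("predicateType") != SLSA_V1_PREDICATE:
        problems.append(f"unexpected predicate type {st.get('predicateType')!r}")

    # The subject digest must match the bytes actually downloaded.
    actual = hashlib.sha256(artifact).hexdigest()
    matched = [s for s in st.get("subject", [])
               if s.get("name") == artifact_name
               and s.get("digest", {}).get("sha256") == actual]
    if not matched:
        problems.append(f"no subject matches {artifact_name} with sha256 {actual}")

    # Trust is anchored on the builder identity, not on a self-declared level.
    predicate = st.get("predicate", {})
    builder = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        problems.append(f"builder {builder!r} is not trusted")

    # Provenance should tie the build back to a specific source revision.
    deps = predicate.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any("gitCommit" in d.get("digest", {}) for d in deps):
        problems.append("no source commit pinned in resolvedDependencies")
    return problems


# Constructed sample artifact and statement; not a real package.
ARTIFACT_NAME = "example-pkg-1.0.0.tar.gz"
ARTIFACT = b"constructed sample artifact bytes\n"
STATEMENT_JSON = json.dumps(make_statement(
    ARTIFACT_NAME, ARTIFACT,
    "https://example.invalid/oss-rebuild-builder",
    "git+https://example.invalid/example-pkg",
    "0" * 40,  # placeholder commit id
))

if __name__ == "__main__":
    print(verify_provenance(STATEMENT_JSON, ARTIFACT_NAME, ARTIFACT))
    print(verify_provenance(STATEMENT_JSON, ARTIFACT_NAME, ARTIFACT + b"x"))
```

A single altered byte in the artifact produces a subject-digest failure, and an unknown builder id is rejected even when the digest matches, which is the order of checks a registry proxy or CI gate would apply before admitting a package.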

Threat Classes Addressed

OSS Rebuild is designed to detect several categories of supply chain compromise:

  • Unsubmitted source code: If a published package contains code absent from the public source repository, OSS Rebuild will not produce an attestation. This pattern was observed in the 2024 solana/web3.js compromise.
  • Build environment compromise: Standardized, minimal build environments with comprehensive network monitoring can detect or prevent exposure to compromised tooling, as seen in the 2025 tj-actions/changed-files incident.
  • Stealthy backdoors: Dynamic analysis during rebuilds can surface anomalous behavioral patterns, a capability relevant to sophisticated attacks such as the 2024 xz-utils backdoor, where unusual build-time behavior was a detectable signal.
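To make the normalization step and the "unsubmitted source code" case concrete, here is an added example (not code from OSS Rebuild or Google) that uses zip archives as a stand-in for wheel or sdist artifacts. Two archives built from identical source with different compression methods and timestamps fail a byte-for-byte comparison but match after normalizing to sorted member names and content hashes; an archive carrying a file that never appeared in the source fails the normalized comparison, and the diff names the extra member. The sample package contents are constructed for the example.

```python
import hashlib
import io
import zipfile


def build_zip(members, compression, date_time):
    """Write a zip archive in memory (constructed sample data for this example)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(members.items()):
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = compression
            zf.writestr(info, data)
    return buf.getvalue()


def member_digests(archive_bytes):
    """Map each member name to the sha256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest()
                for name in zf.namelist()}


def normalized_digest(archive_bytes):
    """Digest over (sorted name, content hash) pairs, so compression method,
    compression level and member timestamps no longer influence the result."""
    h = hashlib.sha256()
    for name, digest in sorted(member_digests(archive_bytes).items()):
        h.update(name.encode("utf-8") + b"\0" + digest.encode("ascii") + b"\n")
    return h.hexdigest()


def compare(upstream, rebuilt):
    """Naive and normalized comparison side by side."""
    return {
        "bytes_identical": upstream == rebuilt,
        "normalized_match": normalized_digest(upstream) == normalized_digest(rebuilt),
    }


def member_diff(upstream, rebuilt):
    """Explain a normalized mismatch: members present on one side only,
    or present on both with different content."""
    up, rb = member_digests(upstream), member_digests(rebuilt)
    return {
        "only_in_upstream": sorted(set(up) - set(rb)),
        "only_in_rebuild": sorted(set(rb) - set(up)),
        "content_differs": sorted(n for n in set(up) & set(rb) if up[n] != rb[n]),
    }


# Constructed sample package contents; not a real package.
SOURCE = {
    "pkg/__init__.py": b"__version__ = '1.0.0'\n",
    "pkg/core.py": b"def add(a, b):\n    return a + b\n",
}
# Upstream: deflate-compressed, older timestamps. Rebuild: stored, newer timestamps.
UPSTREAM = build_zip(SOURCE, zipfile.ZIP_DEFLATED, (2024, 1, 1, 0, 0, 0))
REBUILT = build_zip(SOURCE, zipfile.ZIP_STORED, (2025, 6, 1, 12, 0, 0))
# Same source plus a file that never appeared in the repository.
UPSTREAM_TAMPERED = build_zip({**SOURCE, "pkg/_hidden.py": b"# injected\n"},
                              zipfile.ZIP_DEFLATED, (2024, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    print(compare(UPSTREAM, REBUILT))
    print(compare(UPSTREAM_TAMPERED, REBUILT))
    print(member_diff(UPSTREAM_TAMPERED, REBUILT))
```

The normalized digest deliberately ignores everything except member names and uncompressed content; a production comparator would also decide how to treat file modes, symlinks and nested archives, since each is another source of build-time instability.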

Practical Integration for Security Teams

For enterprise consumers, OSS Rebuild can enrich upstream package metadata without requiring migration to a custom registry, augment existing SBOMs with build observability data, and accelerate vulnerability response by providing verifiable build definitions suitable for patching and re-hosting. For publishers, independent rebuild verification provides consumers with additional confidence in package integrity regardless of the complexity of the original build pipeline.

Infrastructure and AI Assistance

Google is publishing the infrastructure definitions needed for organizations to run their own OSS Rebuild instances, following the hosted model the company established with OSS-Fuzz. The team also notes that AI-assisted build reproduction is an active area of development. Build and release processes are frequently documented in natural language, and early experiments suggest language models can automate exploration and testing of complex build configurations with limited human supervision.

OSS Rebuild is positioned as an initial step in a broader effort to extend supply chain transparency across all major open source ecosystems.