Google Introduces OSS Rebuild for Supply Chain Security

The project helps secure open source package ecosystems.

Google recently announced the OSS Rebuild project, which is designed “to strengthen trust in open source package ecosystems by reproducing upstream artifacts.”

OSS Rebuild gives security teams usable data by combining automation tools, SLSA provenance, build observability and verification tools, and infrastructure definitions.

According to the Google Security blog, OSS Rebuild can help detect various types of supply chain compromise, such as:

  • Unsubmitted source code – When a published package contains code that is not present in the public source repository, OSS Rebuild will not attest to the artifact.
  • Build environment compromise – By creating standardized, minimal build environments with comprehensive monitoring, OSS Rebuild can detect suspicious build activity.
  • Stealthy backdoors – OSS Rebuild can detect unusual execution paths or suspicious operations.
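The first of these checks, reproducing an artifact and comparing it with what was published, as an added example in Python (illustrative only, not OSS Rebuild's own code; the archive names and file contents are constructed):

```python
# Added example, not OSS Rebuild's code: compare a published archive with an
# independent rebuild member by member and refuse to attest when the published
# artifact carries content the rebuild from public source did not produce.
import hashlib
import io
import tarfile

def _member_digests(archive: bytes) -> dict[str, str]:
    """Map each regular file in a .tar.gz to the SHA-256 of its content."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def compare_artifacts(published: bytes, rebuilt: bytes) -> dict:
    """Files only in the published artifact, only in the rebuild, and files
    whose content differs. An empty report means the rebuild reproduced the
    published artifact and it can be attested."""
    pub, reb = _member_digests(published), _member_digests(rebuilt)
    return {
        "unsubmitted": sorted(set(pub) - set(reb)),  # shipped, not built from source
        "missing": sorted(set(reb) - set(pub)),
        "modified": sorted(n for n in pub.keys() & reb.keys() if pub[n] != reb[n]),
    }

def can_attest(report: dict) -> bool:
    return not any(report.values())

def make_tgz(files: dict[str, bytes]) -> bytes:
    """Build a .tar.gz in memory; used here only to construct sample data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample: the published package ships pkg/setup_hook.py, which the
# rebuild from the public repository never produced, so it must not be attested.
REBUILT = make_tgz({"pkg/__init__.py": b"VERSION = '1.0'\n"})
PUBLISHED = make_tgz({"pkg/__init__.py": b"VERSION = '1.0'\n",
                      "pkg/setup_hook.py": b"# not in the public source repository\n"})
```

A real verifier would also normalize timestamps, ownership and compression before comparing, which this sample skips by hashing only member contents.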

Read more about how OSS Rebuild works at Google.
08/01/2025
