OSS Rebuild: open-source, Rebuilt to Last
9 months ago
- #security
- #supply-chain
- #open-source
- Announcement of OSS Rebuild, a project to strengthen trust in open source package ecosystems by reproducing upstream artifacts.
- Features include automation for deriving build definitions, SLSA Provenance for packages, build observability tools, and infrastructure definitions.
- Addresses challenges in open source security, such as supply chain attacks and the need for transparency.
- Aims to empower the security community with deep understanding and control over supply chains.
- Works by rebuilding packages, comparing them with upstream artifacts, and publishing build definitions via SLSA Provenance.
- Capabilities include detecting unsubmitted source code, build environment compromises, and stealthy backdoors.
- Benefits for enterprises include enhanced metadata, augmented SBOMs, and accelerated vulnerability response.
- Benefits for publishers include strengthened package trust, retrofitting historical packages, and reducing how security-sensitive their CI pipelines need to be.
- Provides a Go-based CLI for accessing attestations, fetching SLSA Provenance, and rebuilding packages.
- Invites developers, enterprises, and security researchers to join in securing open source ecosystems.
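The rebuild-and-compare step described in the bullets above, as an added Go example that is not OSS Rebuild's own code: it walks two extracted artifact trees, hashes file content while ignoring timestamps, ownership and modes (the usual benign rebuild noise), and reports files that exist only upstream or whose content differs. The two trees are constructed in-memory samples built with testing/fstest, with made-up paths and contents standing in for an upstream sdist and its rebuild; a real run would pass os.DirFS of the two extracted artifacts instead.

```go
package main
import (
	"crypto/sha256"
	"io/fs"
	"testing/fstest"
)
// digestTree hashes each regular file's content; mtimes, ownership and modes are ignored as benign rebuild noise.
func digestTree(root fs.FS) (map[string][32]byte, error) {
	out := map[string][32]byte{}
	err := fs.WalkDir(root, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // directories, symlinks etc. carry no content to compare
		}
		data, err := fs.ReadFile(root, path)
		out[path] = sha256.Sum256(data) // the caller discards out when err != nil
		return err
	})
	return out, err
}
// CompareTrees maps each suspicious path to a finding: "only in upstream" (candidate
// unsubmitted code) or "content differs"; an empty map means the rebuild reproduced upstream.
func CompareTrees(upstream, rebuilt fs.FS) (map[string]string, error) {
	up, errU := digestTree(upstream)
	rb, errR := digestTree(rebuilt)
	if errU != nil {
		return nil, errU
	} else if errR != nil {
		return nil, errR
	}
	findings := map[string]string{}
	for name, d := range up {
		if rd, ok := rb[name]; !ok {
			findings[name] = "only in upstream"
		} else if rd != d {
			findings[name] = "content differs"
		}
	}
	return findings, nil
}
// Constructed sample trees (upstream sdist vs. its rebuild): one file absent from the tagged source, one whose content drifted.
var Upstream = fstest.MapFS{
	"pkg/__init__.py": {Data: []byte("VERSION = '1.2.3'\n")},
	"pkg/core.py":     {Data: []byte("def run():\n    return 42\n")},
	"pkg/_extra.py":   {Data: []byte("# absent from the tagged source tree\n")},
}
var Rebuilt = fstest.MapFS{
	"pkg/__init__.py": {Data: []byte("VERSION = '1.2.3'\n")},
	"pkg/core.py":     {Data: []byte("def run():\n    return 41\n")},
}
```

Comparing the sample trees yields two findings: pkg/_extra.py exists only upstream and pkg/core.py differs in content, while the identical pkg/__init__.py produces none.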