Google Unveils OSS Rebuild to Enhance Open Source Security Amid Supply Chain Threats

Google has introduced OSS Rebuild, a new initiative aimed at enhancing the security of open-source package ecosystems and mitigating software supply chain attacks. The company announced the launch in a blog post on July 23, 2025, revealing that this project is a response to the rising threats targeting widely-used dependencies.

Matthew Suozzo, a member of the Google Open Source Security Team (GOSST), highlighted the importance of the new tool, stating, “As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to avoid compromise without burden on upstream maintainers.” This underscores the urgency of implementing robust security measures in software development and deployment.

OSS Rebuild aims to provide build provenance for packages across popular registries including the Python Package Index, npm, and Crates.io, with future expansions planned for other open-source software development platforms. By employing declarative build definitions, build instrumentation, and network monitoring, Google intends to offer trustworthy security metadata to validate the origin of packages and ensure their integrity.

The method automates rebuilding a package from its public source and compares the result with the published artifact to confirm its authenticity. This approach is designed to catch a variety of supply chain compromises: for example, it seeks to identify published packages containing code not found in the public repositories and to detect suspicious build activity.
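To illustrate the comparison step described above, here is an added example (not OSS Rebuild's own code) that diffs the contents of a published wheel-style zip archive against a rebuilt one, reporting files that exist only in the published artifact, files missing from it, and files whose contents differ. The two archives, the package name `examplepkg` and its files are constructed in the script; it compares per-file digests rather than whole-archive hashes because zip metadata such as timestamps legitimately differs between builds.

```python
from __future__ import annotations
import hashlib
import io
import zipfile


def archive_digests(data: bytes) -> dict[str, str]:
    """Map every file path inside a zip archive (e.g. a wheel) to the SHA-256 of its content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_rebuild(published: bytes, rebuilt: bytes) -> dict[str, list[str]]:
    """Compare the published artifact against the rebuild, file by file, ignoring archive metadata."""
    pub, reb = archive_digests(published), archive_digests(rebuilt)
    return {
        "only_in_published": sorted(set(pub) - set(reb)),   # code absent from the public source
        "only_in_rebuilt": sorted(set(reb) - set(pub)),
        "content_differs": sorted(p for p in pub.keys() & reb.keys() if pub[p] != reb[p]),
    }


def reproducible(published: bytes, rebuilt: bytes) -> bool:
    """True when the published artifact and the rebuild contain identical files."""
    return not any(compare_rebuild(published, rebuilt).values())


def build_archive(files: dict[str, bytes]) -> bytes:
    """Helper to construct an in-memory zip archive from a path -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample data: the rebuild reflects the public repository, while the
# published archive carries an extra module and a modified __init__ that imports it.
REBUILT = build_archive({
    "examplepkg/__init__.py": b"from .core import run\n",
    "examplepkg/core.py": b"def run():\n    return 'ok'\n",
})
PUBLISHED = build_archive({
    "examplepkg/__init__.py": b"from .core import run\nfrom . import _extra\n",
    "examplepkg/core.py": b"def run():\n    return 'ok'\n",
    "examplepkg/_extra.py": b"# module not present in the public repository\n",
})

if __name__ == "__main__":
    for kind, paths in compare_rebuild(PUBLISHED, REBUILT).items():
        print(f"{kind}: {paths}")
    print("reproducible:", reproducible(PUBLISHED, REBUILT))
```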

Moreover, OSS Rebuild has the potential to significantly improve Software Bills of Materials (SBOMs) and expedite vulnerability responses. It strives to strengthen package trust and alleviate the responsibility placed on CI/CD platforms for organizational package security, all crucial components in today's software development landscape. For more details on OSS Rebuild, readers can refer to the Google security blog and explore further resources related to the project, such as SLSA Provenance.