Google unveils OSS Rebuild to combat open source supply chain attacks

Although much open source software is available free of charge, it forms the backbone of modern digital infrastructure: it makes up 77% of applications and is valued at over $12 trillion. That popularity has made it a prime target for sophisticated supply chain attacks, which erode trust and create hesitation among developers and users.

Some notable supply chain attacks (where malicious code is injected into trusted components) include @solana/web3.js, where a backdoor added via a compromised npm account let attackers steal crypto private keys; tj-actions/changed-files, where a compromised GitHub Action leaked secrets; and xz-utils, which was infected with a sophisticated backdoor that gave malicious actors remote access.

To boost the safety of open source projects, Google has launched OSS Rebuild, which developers can use to verify the integrity of open source packages by reproducing their builds. The search giant said that OSS Rebuild satisfies SLSA (Supply-chain Levels for Software Artifacts) Build Level 3 requirements without maintainer effort, giving users a verifiable record of how a software artifact was built. Discussing the motivation behind the project, Google said:

“Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository.”

OSS Rebuild offers several benefits, aimed mainly at security teams and maintainers. Security teams can detect unsubmitted source code, build environment compromises, and stealthy backdoors. OSS Rebuild also enriches package metadata, augments Software Bills of Materials (SBOMs), and accelerates vulnerability response.

Maintainers gain stronger package trust through independent verification and can retrofit historical packages with integrity attestations. The project initially supports PyPI (Python), npm (JS/TS), and Crates.io (Rust), with support for more ecosystems planned. It can be driven from the command line to fetch provenance, explore rebuilt versions, and rebuild packages.
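To show the comparison at the heart of a rebuild check, here is an added Python example (not OSS Rebuild's own code): it performs no build itself, but compares a published archive with an independently rebuilt one member by member, so a file that exists only in the published artifact (the "unsubmitted source code" case described above) is flagged. The package contents and tarballs are constructed for the demo.

```python
import hashlib
import io
import tarfile

def member_digests(tar_bytes):
    """Map every regular file in a tarball to the SHA-256 of its contents.
    Per-member comparison matters: a gzip header carries a timestamp, so two
    correct rebuilds can differ as raw bytes while their contents match."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def compare_rebuild(published, rebuilt):
    """Compare a published artifact with an independent rebuild from source.
    'unsubmitted' lists files found only in the published artifact, i.e.
    content that cannot be derived from the source repository."""
    pub, reb = member_digests(published), member_digests(rebuilt)
    shared = pub.keys() & reb.keys()
    return {
        "reproducible": pub == reb,
        "unsubmitted": sorted(pub.keys() - reb.keys()),
        "missing": sorted(reb.keys() - pub.keys()),
        "modified": sorted(n for n in shared if pub[n] != reb[n]),
    }

def make_tar(files):
    """Build an in-memory .tar.gz from {path: bytes} (constructed demo input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(data), 0  # fixed mtime keeps it deterministic
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    # Hypothetical package source; 'rebuilt' is what a clean build from it yields.
    source = {"pkg/__init__.py": b"VERSION = '1.0'\n", "pkg/core.py": b"def add(a, b):\n    return a + b\n"}
    rebuilt = make_tar(source)
    # A published artifact that carries a file absent from the repository.
    published = make_tar({**source, "pkg/extra.py": b"# not in the repository\n"})
    print(compare_rebuild(published, rebuilt))
```

A real check would also pin the toolchain and inputs recorded in the provenance so that a rebuild mismatch points at the artifact rather than at an unreproducible build environment.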
