
Google unveils OSS Rebuild to combat open source supply chain attacks

Google has launched a new project called OSS Rebuild to help open source developers protect their software from advanced supply chain attacks.


While much open source software is available free of charge, it forms the backbone of modern digital infrastructure: it makes up an estimated 77% of applications and has been valued at over $12 trillion. That ubiquity has made it a prime target for sophisticated supply chain attacks, which erode trust and create hesitation among developers and users.

Some notable supply chain attacks (where malicious code is injected into a trusted component) include @solana/web3.js, where a backdoor was published through a compromised npm account and used to steal cryptocurrency private keys; tj-actions/changed-files, where a compromised GitHub Action leaked CI secrets; and xz-utils, which shipped a sophisticated backdoor granting attackers remote access.

To improve the trustworthiness of open source packages, Google has launched OSS Rebuild, which independently rebuilds published packages from their source and compares the result against the artifact in the package registry. A match shows that the published package really corresponds to its public source; a mismatch flags something that needs investigating. Google says OSS Rebuild produces build provenance that meets Supply-chain Levels for Software Artifacts (SLSA) Build Level 3 requirements without any maintainer effort, giving consumers a verifiable record of how a software artifact was built. Discussing the motivations behind the project, Google said:

“Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository.”

The project has benefits for both security teams and maintainers. Security teams can detect unsubmitted source code (code in the published package that never appeared in the source repository), build environment compromises, and stealthy backdoors. OSS Rebuild also enriches package metadata, augments Software Bills of Materials (SBOMs), and accelerates vulnerability response.

Maintainers gain stronger package trust through independent verification, and historical packages can be retrofitted with integrity attestations. The project initially supports PyPI (Python), npm (JavaScript/TypeScript), and crates.io (Rust), with more ecosystems planned. A command-line tool lets users fetch provenance, explore rebuilt versions, and rebuild packages themselves.
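To make the rebuild-and-compare idea concrete, here is an added example (not code from the OSS Rebuild project or from Google) that deterministically builds a wheel-style zip archive from a constructed source tree, rebuilds it independently, and diffs the two member by member. The package name, its files and the injected `_telemetry.py` module are invented for the illustration; OSS Rebuild's own build pipeline and comparison rules are not shown here. The "added" list in the report is the "unsubmitted source code" case from the article: a file present in the published artifact that no rebuild from the public source can produce.

```python
import hashlib
import io
import zipfile

# Constructed sample source tree for a fictional package (invented for this
# example, not a real PyPI project).
SOURCE_FILES = {
    "demo_pkg/__init__.py": b"__version__ = '1.0.0'\n",
    "demo_pkg/core.py": b"def add(a, b):\n    return a + b\n",
}

# The same tree plus one module that never existed in the source repository:
# this stands in for a package published from a compromised account or build host.
TAMPERED_FILES = {
    **SOURCE_FILES,
    "demo_pkg/_telemetry.py": b"import os\nTOKEN = os.environ.get('NPM_TOKEN')\n",
}


def build_archive(files):
    """Deterministically zip a file tree: sorted member order, fixed
    timestamp and mode, so two builds from identical inputs are
    byte-identical. Non-determinism here is what makes real rebuilds hard."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # regular file, rw-r--r--
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def member_digests(archive):
    """Map each archive member to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return {i.filename: sha256(zf.read(i)) for i in zf.infolist()}


def compare_rebuild(published, rebuilt):
    """Compare a registry artifact against an independent rebuild.

    A whole-archive digest match is the strong result. On mismatch, diff the
    members so the report says what differs instead of just 'bytes differ':
      added   - in the published artifact but not reproducible from source
      removed - produced by the rebuild but missing from the published artifact
      changed - present in both with different contents
    """
    if sha256(published) == sha256(rebuilt):
        return True, {"added": [], "removed": [], "changed": []}
    pub, reb = member_digests(published), member_digests(rebuilt)
    report = {
        "added": sorted(set(pub) - set(reb)),
        "removed": sorted(set(reb) - set(pub)),
        "changed": sorted(n for n in pub.keys() & reb.keys() if pub[n] != reb[n]),
    }
    return False, report


def verify_honest_release():
    """Publisher and rebuilder both build from the public source: must match."""
    return compare_rebuild(build_archive(SOURCE_FILES), build_archive(SOURCE_FILES))


def verify_tampered_release():
    """Publisher shipped an extra module; the rebuild from source cannot
    reproduce it, so the comparison fails and names the unsubmitted file."""
    return compare_rebuild(build_archive(TAMPERED_FILES), build_archive(SOURCE_FILES))


if __name__ == "__main__":
    print("honest release:", verify_honest_release())
    print("tampered release:", verify_tampered_release())
```

Real ecosystems add the hard part this example sidesteps: build tools embed timestamps, absolute paths and tool versions, so a rebuild system has to pin the build environment or normalize such fields before the digests are comparable. Until that is done, a mismatch is a signal to investigate rather than proof of compromise.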
