oss-rebuild
by
google

Description: Securing open-source package ecosystems by originating, validating, and augmenting build attestations.

View on GitHub ↗

Summary Information

Updated 2 hours ago
Added to GitGenius on November 17th, 2025
Created on May 22nd, 2024
Open Issues & Pull Requests: 127 (+0)
Number of forks: 59
Total Stargazers: 706 (+0)
Total Subscribers: 12 (+0)

Issue Activity (beta)

Open issues: 73
New in 7 days: 0
Closed in 7 days: 0
Avg open age: 324 days
Stale 30+ days: 70
Stale 90+ days: 67

Recent activity

Opened in 7 days: 0
Closed in 7 days: 0
Comments in 7 days: 0
Events in 7 days: 0

Top labels

  • feature request (3)
  • bug (1)
  • documentation (1)

Most active issues this week

No issue events were indexed in the last 7 days.

Repository Insights (GitGenius)

Median issue/PR response: 0.4 hours
Mean response time: 14.5 days
90th percentile: 28.0 days
Tracked items: 76

Most active contributors

Detailed Description

OSS Rebuild is a Google-maintained project designed to enhance the security of open-source package ecosystems by implementing reproducible build practices at scale. The project focuses on originating, validating, and augmenting build attestations across major package repositories. Written primarily in Go, it addresses critical supply chain security concerns by detecting discrepancies in open-source packages that could indicate compromise, similar to historical attacks like those affecting SolarWinds and Codecov.

The project currently supports three major package ecosystems: npm for JavaScript and TypeScript, PyPI for Python, and Crates.io for Rust. While the ultimate goal is complete coverage across these ecosystems, the current implementation focuses on rebuilding the most popular packages within each. The core approach involves analyzing published metadata and artifacts, then evaluating rebuilds against upstream package versions. When a rebuild succeeds, build attestations are published for the upstream artifacts, verifying integrity and eliminating numerous potential compromise vectors.

The oss-rebuild CLI tool provides the primary interface for accessing rebuild data and attestations. Users can retrieve rebuild information for specific packages using the get command, with multiple output format options available including summarized views, full attestation payloads, and dockerfiles. The list command allows exploration of which package versions have been successfully rebuilt. The tool integrates with Google Cloud KMS for attestation signature validation, requiring authenticated credentials through Application Default Credentials rather than anonymous access. Users can disable signature verification if needed by using the verify=false flag.

GitGenius activity data reveals the project maintains a median issue and pull request response latency of 0.4 hours across 76 tracked items, though the mean latency extends to 348.4 hours, indicating some items receive delayed responses. The most active contributors tracked include msuozzo with 51 events, wbxyz with 43 events, and algomaster99 with 26 events. Feature requests represent the most common issue type with three instances, followed by individual bug and documentation issues. The project's contributor network overlaps with major repositories including rust-lang/rust, twentyhq/twenty, and microsoft/vscode, suggesting cross-pollination with significant open-source projects.

The project explicitly aims to scale security standards by leveraging industry best practices including SLSA, Sigstore, and containerized builds. Beyond immediate supply chain attack mitigation, OSS Rebuild seeks to create a community venue for collective effort toward securing the open-source supply chain and to generate data that could enable future AI-driven rebuild innovations. The project includes comprehensive documentation on trust properties and security considerations, with a dedicated trust and rebuilds document explaining the security implications of the rebuild approach. While not an officially supported Google product, OSS Rebuild positions itself within the broader reproducible builds ecosystem alongside related projects like reproducible-central for Java and Kotlin and kpcyrd's rebuilderd scheduler.

oss-rebuild
by
googlegoogle/oss-rebuild

Repository Details

Fetching additional details & charts...