Google launches OSS Rebuild
Google has announced the existence of OSS Rebuild, an infrastructure for the creation and verification of reproducible builds of software projects.
Our aim with OSS Rebuild is to empower the security community to deeply understand and control their supply chains by making package consumption as transparent as using a source repository. Our rebuild platform unlocks this transparency by utilizing a declarative build process, build instrumentation, and network monitoring capabilities which, within the SLSA Build framework, produces fine-grained, durable, trustworthy security metadata. [...] Our vision extends beyond any single ecosystem: We are committed to bringing supply chain transparency and security to all open source software development. Our initial support for the PyPI (Python), npm (JS/TS), and Crates.io (Rust) package registries, providing rebuild provenance for many of their most popular packages, is just the beginning of our journey.