Google has presented OSS Rebuild, a project designed to identify hidden changes in ready-made packages published in package repositories. OSS Rebuild is based on the concept of reproducible builds and focuses on checking that a published package matches the reference source code for its declared version. The tool is written in Go and available under the Apache 2.0 license.
Currently, OSS Rebuild can verify packages from the npm (JavaScript/TypeScript), PyPI (Python), and Crates.io (Rust) repositories; support for more repositories is planned. In practical terms, the tool helps identify supply-chain attacks in which malicious updates are introduced into a repository after associated accounts are compromised or by an insider within a project. Such changes affect only the ready-made packages, while the original project code remains intact.
OSS Rebuild can automatically generate a script for a reproducible build of a selected package, using heuristics and build parameters that make the resulting artifacts identical to the published ones. If automatic reproduction fails, a manual build specification can be added. Once the script is prepared, OSS Rebuild can verify new versions of the package. Verification results are also published for use within the SLSA framework.
After a specific package version has been verified, attestation data is created that others can use to assess previously verified packages. Verification can be done through a command-line utility or by comparing hashes stored in cloud storage. The package-verification infrastructure can be deployed on a private server, and the data from Google's own verification of thousands of packages can also be used.
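The core of the workflow described above is a comparison between an artifact rebuilt from the reference source and the artifact fetched from the registry, followed by an attestation that consumers check against their own download. The Go program below is an added example written for this article; it is not OSS Rebuild's code, and its `RebuildAttestation` schema, the `Files` model of an unpacked archive, and the sample package contents are all hypothetical and constructed inline. It rebuilds nothing itself: it takes the rebuilt and published contents as input, lists every path that differs, records a content digest in the attestation, and then performs the consumer-side verification, rejecting a package whose published artifact carries an extra file and a modified manifest that the source never had.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Files models the extracted contents of a package archive (path -> bytes).
// Real tooling would unpack the tarball, wheel or crate; here it is constructed.
type Files map[string][]byte

// RebuildAttestation is a hypothetical record (not OSS Rebuild's real schema)
// written after a package version has been rebuilt from its reference source.
type RebuildAttestation struct {
	Ecosystem   string   `json:"ecosystem"`
	Package     string   `json:"package"`
	Version     string   `json:"version"`
	SourceRef   string   `json:"source_ref"`
	BuildScript string   `json:"build_script"`
	Digest      string   `json:"rebuilt_sha256"`
	Reproduced  bool     `json:"reproduced"`
	Mismatches  []string `json:"mismatches,omitempty"`
}

// DigestFiles hashes the contents in path-sorted, length-prefixed form so the
// digest does not depend on map iteration order or on path/content boundaries.
func DigestFiles(f Files) string {
	paths := make([]string, 0, len(f))
	for p := range f {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	h := sha256.New()
	for _, p := range paths {
		fmt.Fprintf(h, "%d:%s%d:", len(p), p, len(f[p]))
		h.Write(f[p])
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Compare lists every path whose content differs between the rebuilt artifact
// and the published one, including files present on only one side.
func Compare(rebuilt, published Files) []string {
	var out []string
	for p, b := range rebuilt {
		pb, ok := published[p]
		switch {
		case !ok:
			out = append(out, "missing in published: "+p)
		case !bytes.Equal(b, pb):
			out = append(out, "content differs: "+p)
		}
	}
	for p := range published {
		if _, ok := rebuilt[p]; !ok {
			out = append(out, "extra in published: "+p)
		}
	}
	sort.Strings(out)
	return out
}

// Attest records the outcome of one rebuild; Reproduced is true only when the
// rebuilt contents and the published artifact match exactly.
func Attest(eco, pkg, ver, src, script string, rebuilt, published Files) RebuildAttestation {
	mm := Compare(rebuilt, published)
	return RebuildAttestation{
		Ecosystem: eco, Package: pkg, Version: ver, SourceRef: src, BuildScript: script,
		Digest: DigestFiles(rebuilt), Reproduced: len(mm) == 0, Mismatches: mm,
	}
}

// Verify is the consumer-side check: accept a download only if the rebuild
// reproduced the registry artifact and the download hashes to the attested digest.
func Verify(att RebuildAttestation, downloaded Files) error {
	if !att.Reproduced {
		return fmt.Errorf("%s@%s: rebuild did not reproduce published artifact: %v",
			att.Package, att.Version, att.Mismatches)
	}
	if got := DigestFiles(downloaded); got != att.Digest {
		return fmt.Errorf("%s@%s: digest %s does not match attested %s",
			att.Package, att.Version, got, att.Digest)
	}
	return nil
}

func main() {
	// Constructed sample: what a clean rebuild from the tagged source produces.
	rebuilt := Files{
		"package.json": []byte(`{"name":"example-lib","version":"1.2.3"}`),
		"index.js":     []byte("module.exports = () => 42;\n"),
	}
	// Published variant 1 is byte-identical; variant 2 has a modified manifest
	// and an extra file that never existed in the source repository.
	clean := Files{
		"package.json": rebuilt["package.json"],
		"index.js":     rebuilt["index.js"],
	}
	tampered := Files{
		"package.json": []byte(`{"name":"example-lib","version":"1.2.3","scripts":{"postinstall":"node setup.js"}}`),
		"index.js":     rebuilt["index.js"],
		"setup.js":     []byte("// not present in the reference source\n"),
	}
	for _, c := range []struct {
		name string
		pub  Files
	}{{"clean", clean}, {"tampered", tampered}} {
		att := Attest("npm", "example-lib", "1.2.3", "v1.2.3 (hypothetical tag)", "npm pack", rebuilt, c.pub)
		js, _ := json.MarshalIndent(att, "", "  ")
		fmt.Printf("%s:\n%s\nverify: %v\n\n", c.name, js, Verify(att, c.pub))
	}
}
```

The per-path mismatch list is what makes the attestation actionable for a responder: a bare "digest differs" verdict cannot distinguish a harmless timestamp from an injected file, whereas `Compare` names the offending paths so the diff can be triaged against the source repository.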
Examples of attacks that OSS Rebuild could have protected against include the backdoor inserted into XZ Utils, the malicious code introduced into the official JavaScript client for the Solana cryptocurrency, and the substitution of changes via the Changed-Files GitHub Action.