README
¶
OSS Rebuild
Secure open-source package ecosystems by originating, validating, and augmenting build attestations.
Overview
OSS Rebuild aims to apply reproducible build concepts at low-cost and high-scale for open-source package ecosystems.
Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions. When successful, build attestations are published for the upstream artifacts, verifying the integrity of the upstream artifact and eliminating many possible sources of compromise.
We currently support the following ecosystems:
- NPM (JavaScript/TypeScript)
- PyPI (Python)
- Crates.io (Rust)
While complete coverage is the aim, only the most popular packages within each ecosystem are currently rebuilt.
Usage
The oss-rebuild CLI tool can be used to inspect attestations:
$ go install github.com/google/oss-rebuild/cmd/oss-rebuild@latest
$ oss-rebuild get pypi absl-py 2.0.0
The default output contains the rebuild's Dockerfile in base64-encoded form. To
view this Dockerfile alone, we provide an option in the --output flag:
$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile
This can be chained with the docker command to execute a rebuild locally:
$ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile | docker run $(docker buildx build -q -)
While the default --output=payload option produces more human-readable
content, the entire signed attestation can be accessed as follows:
$ oss-rebuild get pypi absl-py 2.0.0 --output=bundle
The list command can be used to view the versions of a package that have been
rebuilt:
$ oss-rebuild list pypi absl-py
Contributing
Join us in building a more secure and reliable open-source ecosystem!
Check out the contribution guide to learn more.
Purpose
- Mitigate supply chain attacks: Detect discrepancies in open-source packages, helping to prevent compromises like those of Solarwinds and Codecov.
- Scale security standards: Utilize industry best practices such as SLSA, Sigstore, and containerized builds.
- Community participation: Create a venue to collectivize effort towards securing the open-source supply chain.
- Enable future innovation: Derive data to leverage AI-driven rebuilds.
Security
To better understand the security properties of rebuilds, see Trust and Rebuilds.
Related Projects
Check out these related projects contributing to the reproducible builds effort:
- reproducible-central: Java, Kotlin reproducibility.
- kpcyrd/rebuilderd: Rebuild scheduler with support for several distros.
Disclaimer
This is not an officially supported Google product.
Directories
¶
| Path | Synopsis |
|---|---|
|
build
|
|
|
binary
Package binary provides routines to programmatically build binary components of the project.
|
Package binary provides routines to programmatically build binary components of the project. |
|
container
Package container provides routines to programmatically build container components of the project.
|
Package container provides routines to programmatically build container components of the project. |
|
cmd
|
|
|
gateway
gateway provides a simple HTTP server that redirects to the provided URI applying the configured policy.
|
gateway provides a simple HTTP server that redirects to the provided URI applying the configured policy. |
|
git_cache
Package main implements a git repo cache on GCS.
|
Package main implements a git repo cache on GCS. |
|
proxy
Package main defines an HTTP(S) proxy.
|
Package main defines an HTTP(S) proxy. |
|
rebuilder
main contains the smoketest rebuilder, which triggers a rebuild local to this binary (not GCB).
|
main contains the smoketest rebuilder, which triggers a rebuild local to this binary (not GCB). |
|
timewarp
The timewarp binary serves the registry timewarp HTTP handler on a local port.
|
The timewarp binary serves the registry timewarp HTTP handler on a local port. |
|
internal
|
|
|
cache
Package cache provides an interface and implementations for caching.
|
Package cache provides an interface and implementations for caching. |
|
gateway
Package gateway provides a client for the gateway service.
|
Package gateway provides a client for the gateway service. |
|
gitx
Package git provides rebuilder-specific git abstractions.
|
Package git provides rebuilder-specific git abstractions. |
|
hashext
Package hashext provides extensions to the standard crypto/hash package.
|
Package hashext provides extensions to the standard crypto/hash package. |
|
httpegress
Package httpegress provides a client constructor for building an HTTP Client for making requests to external services.
|
Package httpegress provides a client constructor for building an HTTP Client for making requests to external services. |
|
httpx
Package http provides a simpler http.Client abstraction and derivative uses.
|
Package http provides a simpler http.Client abstraction and derivative uses. |
|
proxy/dockerfs
Package dockerfs defines a FS interface for accessing files in a Docker container.
|
Package dockerfs defines a FS interface for accessing files in a Docker container. |
|
proxy/handshake
Package handshake contains adaptations of the builtin golang TLS implementation to read part of the handshake.
|
Package handshake contains adaptations of the builtin golang TLS implementation to read part of the handshake. |
|
semver
Package semver implements the Semantic Versioning 2.0.0 spec.
|
Package semver implements the Semantic Versioning 2.0.0 spec. |
|
timewarp
Package timewarp implements a registry-fronting HTTP service that filters returned content by time.
|
Package timewarp implements a registry-fronting HTTP service that filters returned content by time. |
|
verifier
Package verifier provides a library for verifying and attesting to a rebuild.
|
Package verifier provides a library for verifying and attesting to a rebuild. |
|
pkg
|
|
|
archive
Package archive provides common types and functions for archive processing.
|
Package archive provides common types and functions for archive processing. |
|
proxy/cert
Package cert provides certificate generation and formatting interfaces.
|
Package cert provides certificate generation and formatting interfaces. |
|
proxy/docker
Package docker defines a proxy for the Docker API.
|
Package docker defines a proxy for the Docker API. |
|
proxy/policy
Package policy defines the network policy that the proxy can choose to enforce.
|
Package policy defines the network policy that the proxy can choose to enforce. |
|
rebuild/rebuild
Package rebuild provides functionality to rebuild packages.
|
Package rebuild provides functionality to rebuild packages. |
|
rebuild/schema
Package schema is a set of utilities for marshalling strategies.
|
Package schema is a set of utilities for marshalling strategies. |
|
registry/cratesio
Package cratesio provides interfaces for interacting with the crates.io API and with Cargo-specific formats.
|
Package cratesio provides interfaces for interacting with the crates.io API and with Cargo-specific formats. |
|
registry/maven
Package maven provides an interface with Maven package registry and its API.
|
Package maven provides an interface with Maven package registry and its API. |
|
registry/pypi
Package pypi describes the PyPi registry interface.
|
Package pypi describes the PyPi registry interface. |
|
tools
|
|
|
benchmark
Package benchmark provides interfaces related to rebuild benchmarks.
|
Package benchmark provides interfaces related to rebuild benchmarks. |
|
benchmark/generate
Package main generates rebuild benchmark files from external data sources.
|
Package main generates rebuild benchmark files from external data sources. |
|
ctl/ide
Package ide contains UI and state management code for the TUI rebuild debugger.
|
Package ide contains UI and state management code for the TUI rebuild debugger. |
|
ctl/pipe
Package pipe provides a simple way of applying transforms to a channel.
|
Package pipe provides a simple way of applying transforms to a channel. |
|
ctl/rundex
Package rundex provides access to metadata about runs and attempts.
|
Package rundex provides access to metadata about runs and attempts. |
|
docker
Package docker contains container execution APIs.
|
Package docker contains container execution APIs. |
|
indexscan
Package main implements a repo scanning tool to identify the best ref match for an upstream artifact.
|
Package main implements a repo scanning tool to identify the best ref match for an upstream artifact. |
|
run_local
Package main builds and runs a rebuild server.
|
Package main builds and runs a rebuild server. |
Click to show internal directories.
Click to hide internal directories.