Securing open-source package ecosystems by originating, validating, and augmenting build attestations.
OSS Rebuild aims to apply reproducible build concepts at low cost and high scale to open-source package ecosystems.
Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package versions. When successful, build attestations are published for the upstream artifacts, verifying the integrity of the upstream artifact and eliminating many possible sources of compromise.
oss-rebuild
is a CLI tool that provides access to OSS Rebuild data.
proxy
is a transparent HTTP(S) proxy that intercepts and records network activity. It's primarily used within OSS Rebuild to monitor network interactions during the build process, helping to passively enumerate remote dependencies and to identify suspect build behavior.
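As an added illustration of what a recorded trace of build-time network activity can be used for (this is not the proxy's own code, and the one-line "METHOD URL" trace format, the known-registry allowlist and the `analyze` function are all constructed for the example), the Go program below enumerates every host a build contacted, with the paths it fetched, and flags requests a package build has no business making: writes to the network, plaintext fetches, and fetches from hosts outside the registries the build is expected to use.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// sampleLog is a constructed trace of the requests one build made through
// the proxy, one "METHOD URL" per line. The line format is this example's
// own, not the proxy's real output format.
const sampleLog = `
GET https://registry.npmjs.org/left-pad
GET https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz
GET https://pypi.org/simple/requests/
GET https://files.pythonhosted.org/packages/source/r/requests/requests-2.31.0.tar.gz
POST https://203.0.113.7:8443/collect
GET http://files.pythonhosted.org/packages/py3/u/urllib3/urllib3-2.2.1-py3-none-any.whl
GET https://raw.githubusercontent.com/example/build-scripts/main/setup.sh
`

// knownRegistries lists the hosts a build of an npm or PyPI package is
// expected to contact. This is an assumption for the example; a real
// allowlist is per ecosystem and per package.
var knownRegistries = map[string]bool{
	"registry.npmjs.org":     true,
	"pypi.org":               true,
	"files.pythonhosted.org": true,
}

// finding is one suspect request and the reason it was flagged.
type finding struct {
	Line, Reason string
}

// analyze enumerates every host the build reached, with the paths fetched
// from it, and flags requests that a package build should not make:
// anything other than a read (a build should only download), plaintext
// HTTP (no transport integrity), and hosts outside the known registry set.
func analyze(trace string) (map[string][]string, []finding, error) {
	deps := map[string][]string{}
	var findings []finding
	sc := bufio.NewScanner(strings.NewReader(trace))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fields := strings.Fields(line)
		if len(fields) != 2 {
			return nil, nil, fmt.Errorf("malformed trace line: %q", line)
		}
		method, rawURL := fields[0], fields[1]
		u, err := url.Parse(rawURL)
		if err != nil {
			return nil, nil, fmt.Errorf("bad URL in trace line %q: %w", line, err)
		}
		host := u.Hostname()
		deps[host] = append(deps[host], u.Path)
		switch {
		case method != "GET" && method != "HEAD":
			findings = append(findings, finding{line, "non-read request: a build should only download"})
		case u.Scheme != "https":
			findings = append(findings, finding{line, "plaintext HTTP: no transport integrity"})
		case !knownRegistries[host]:
			findings = append(findings, finding{line, "host outside the known registry set"})
		}
	}
	if err := sc.Err(); err != nil {
		return nil, nil, err
	}
	for h := range deps {
		sort.Strings(deps[h])
	}
	return deps, findings, nil
}

func main() {
	deps, findings, err := analyze(sampleLog)
	if err != nil {
		panic(err)
	}
	for host, paths := range deps {
		fmt.Printf("%s: %d request(s)\n", host, len(paths))
	}
	for _, f := range findings {
		fmt.Printf("SUSPECT %-48s %s\n", f.Reason, f.Line)
	}
}
```

The host-to-paths map is the passive dependency enumeration: it is the set of remote inputs a rebuild must be able to serve or pin. The three checks are deliberately ordered so a POST to an unknown host is reported once, for the most serious reason.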
stabilize
is a command-line tool that removes non-deterministic metadata from software packages to facilitate functional comparison of artifacts.
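An added example of the idea behind this, not the stabilize tool's own code: the Go program below builds two archives of the same files with different timestamps, owner ids and entry order, then rewrites both with fixed metadata so that their SHA-256 digests agree while a change to file contents still changes the digest. The sample archives, the `stabilize` function and the set of fields it normalises are this example's choices; the real tool covers more formats and more sources of variation.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"crypto/sha256"
	"fmt"
	"io"
	"sort"
	"time"
)

// buildTarGz constructs a sample .tar.gz in memory, standing in for the
// output of one build run: every entry carries that run's timestamp and
// owner, and Go's randomised map order decides the entry order.
func buildTarGz(files map[string]string, mod time.Time, uid int) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	for name, data := range files {
		h := &tar.Header{Name: name, Mode: 0644, Size: int64(len(data)),
			ModTime: mod, Uid: uid, Gid: uid, Uname: fmt.Sprint("builder", uid)}
		if err := tw.WriteHeader(h); err != nil {
			panic(err)
		}
		tw.Write([]byte(data))
	}
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

// sampleArchives returns two constructed archives of the same source tree,
// built at different times under different user ids.
func sampleArchives() (a, b []byte) {
	src := map[string]string{"pkg/lib.py": "def f():\n    return 1\n", "pkg/__init__.py": ""}
	a = buildTarGz(src, time.Date(2024, 1, 2, 3, 4, 5, 0, time.UTC), 1000)
	b = buildTarGz(src, time.Date(2024, 6, 7, 8, 9, 10, 0, time.UTC), 0)
	return a, b
}

type file struct {
	hdr  tar.Header
	body []byte
}

// stabilize rewrites a .tar.gz so that metadata that legitimately varies
// between builds (mtime, owner ids and names, entry order, tar extension
// records) is replaced by fixed values. Names, permission bits and file
// contents are kept, so the digest changes only when the shipped files do.
func stabilize(tgz []byte) ([]byte, error) {
	gr, err := gzip.NewReader(bytes.NewReader(tgz))
	if err != nil {
		return nil, err
	}
	var files []file
	tr := tar.NewReader(gr)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(tr)
		if err != nil {
			return nil, err
		}
		files = append(files, file{*hdr, body})
	}
	sort.Slice(files, func(i, j int) bool { return files[i].hdr.Name < files[j].hdr.Name })
	var out bytes.Buffer
	gz := gzip.NewWriter(&out) // default gzip header: no file name, zero mtime
	tw := tar.NewWriter(gz)
	for _, f := range files {
		h := &tar.Header{Typeflag: f.hdr.Typeflag, Name: f.hdr.Name,
			Mode: f.hdr.Mode & 0777, Size: int64(len(f.body)),
			ModTime: time.Unix(0, 0), // fixed epoch instead of the build time
			Format:  tar.FormatUSTAR} // plain ustar: no PAX/GNU extension records
		if err := tw.WriteHeader(h); err != nil {
			return nil, err
		}
		tw.Write(f.body) // size matches the header, so this cannot fail
	}
	tw.Close()
	gz.Close()
	return out.Bytes(), nil
}

// digest returns the hex SHA-256 of b.
func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

func main() {
	a, b := sampleArchives()
	sa, _ := stabilize(a)
	sb, _ := stabilize(b)
	fmt.Println("raw equal:", digest(a) == digest(b), " stabilized equal:", digest(sa) == digest(sb))
}
```

Comparing stabilized digests rather than raw ones is what makes a rebuild verdict meaningful: a mismatch points at a real difference in shipped content, not at the clock or the uid of the machine that ran the build. Stabilization is also idempotent, so the upstream artifact and the rebuild can both be passed through it before comparison.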
timewarp
is a registry-fronting HTTP service that filters returned content by time. This tool allows you to transparently adjust the data returned to package manager clients to reflect the state of a registry at a given point in time (especially useful for reproducing prior builds).
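An added example of the filtering step timewarp performs, not the service's own code: the Go program below takes an npm-style package document (the `name`, `dist-tags`, `versions` and `time` fields follow npm's registry format; the package and its releases are constructed for this example) and a cutoff time, and returns the document as a client would have seen it at that moment. The `filterByTime` and `snapshot` functions and the choice to re-point `latest` by publish time are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// packument is the subset of an npm registry document used here.
type packument struct {
	Name     string                     `json:"name"`
	DistTags map[string]string          `json:"dist-tags"`
	Versions map[string]json.RawMessage `json:"versions"`
	Time     map[string]string          `json:"time"`
}

// samplePackument is a constructed registry response for a fictional
// package with three releases; the field layout follows npm's format.
const samplePackument = `{"name": "example-pkg",
  "dist-tags": {"latest": "2.0.0", "next": "2.0.0"},
  "versions": {"1.0.0": {"version": "1.0.0"}, "1.1.0": {"version": "1.1.0"}, "2.0.0": {"version": "2.0.0"}},
  "time": {"created": "2023-01-10T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
    "1.0.0": "2023-01-10T00:00:00.000Z", "1.1.0": "2023-06-15T12:00:00.000Z", "2.0.0": "2024-03-01T00:00:00.000Z"}}`

type release struct {
	ver string
	at  time.Time
}

// filterByTime returns the document as a client would have seen it at
// cutoff: versions published later are removed along with their "time"
// entries, "modified" is rolled back, and dist-tags that point at a removed
// version are re-pointed ("latest" to the newest surviving version by
// publish time) or dropped. A version with no recorded publish time is
// dropped too, since nothing proves it existed at cutoff.
func filterByTime(raw []byte, cutoff time.Time) ([]byte, error) {
	var p packument
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, err
	}
	var kept []release
	for ver := range p.Versions {
		ts, ok := p.Time[ver]
		if !ok {
			delete(p.Versions, ver)
			continue
		}
		at, err := time.Parse(time.RFC3339, ts)
		if err != nil {
			return nil, fmt.Errorf("version %s: bad publish time %q: %w", ver, ts, err)
		}
		if at.After(cutoff) { // a release exactly at cutoff is still visible
			delete(p.Versions, ver)
			delete(p.Time, ver)
			continue
		}
		kept = append(kept, release{ver, at})
	}
	sort.Slice(kept, func(i, j int) bool { return kept[i].at.Before(kept[j].at) })
	for tag, ver := range p.DistTags {
		if _, ok := p.Versions[ver]; ok {
			continue
		}
		if tag == "latest" && len(kept) > 0 {
			p.DistTags[tag] = kept[len(kept)-1].ver
		} else {
			delete(p.DistTags, tag)
		}
	}
	if len(kept) > 0 {
		p.Time["modified"] = kept[len(kept)-1].at.UTC().Format("2006-01-02T15:04:05.000Z")
	}
	return json.MarshalIndent(p, "", "  ")
}

// snapshot is a convenience view of the filtered document: the sorted
// surviving versions and the "latest" tag, which is what a package manager
// client keys on when no version is pinned.
func snapshot(raw []byte, cutoff time.Time) ([]string, string, error) {
	out, err := filterByTime(raw, cutoff)
	if err != nil {
		return nil, "", err
	}
	var p packument
	if err := json.Unmarshal(out, &p); err != nil {
		return nil, "", err
	}
	vers := make([]string, 0, len(p.Versions))
	for v := range p.Versions {
		vers = append(vers, v)
	}
	sort.Strings(vers)
	return vers, p.DistTags["latest"], nil
}

func main() {
	cutoff := time.Date(2023, 12, 31, 0, 0, 0, 0, time.UTC)
	vers, latest, err := snapshot([]byte(samplePackument), cutoff)
	fmt.Println(vers, latest, err) // [1.0.0 1.1.0] 1.1.0 <nil>
}
```

Rewriting `dist-tags` matters as much as dropping versions: a client asked to resolve `latest` against an unfiltered tag would still pull the newer release, and the rebuild would no longer reflect the registry state the original build saw.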