Google's New Security Project 'OSS Rebuild' Tackles Package Supply Chain Verification

1.2K

•

Google's New Security Project 'OSS Rebuild' Tackles Package Supply Chain Verification (news.slashdot.org)

From the post:

>This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts. It includes automation to derive declarative build definitions, new "build observability and verification tools" for security teams, and even "infrastructure definitions" to help organizations rebuild, sign, and distribute provenance by running their own OSS Rebuild instances. (And as part of the initiative, the team also published SLSA Provenance attestations "for thousands of packages across our supported ecosystems.")

Archive: https://archive.today/6ceDl From the post: >>This week Google's Open Source Security Team announced "a new project to strengthen trust in open source package ecosystems" — by reproducing upstream artifacts. It includes automation to derive declarative build definitions, new "build observability and verification tools" for security teams, and even "infrastructure definitions" to help organizations rebuild, sign, and distribute provenance by running their own OSS Rebuild instances. (And as part of the initiative, the team also published SLSA Provenance attestations "for thousands of packages across our supported ecosystems.")

Be the first to comment!

Login or register

You can claim this sub in /s/subrequest