Verify Packages Are Reproducibly Rebuildable Before Trusting Artifacts With OSS Rebuild
Query OSS Rebuild attestations and rebuild metadata so an agent can verify whether a published package artifact matches a reproducible upstream rebuild.
What it does
Query OSS Rebuild attestations and rebuild metadata so an agent can verify whether a published package artifact matches a reproducible upstream rebuild.
Prerequisites
Go, oss-rebuild CLI, optional gcloud ADC credentials for signature verification
Installation
Use the upstream install or setup path that matches your environment:
- $ go install github.com/google/oss-rebuild/cmd/oss-rebuild@latest
Requirements and caveats from upstream:
- PyPI (Python)
- The dockerfile output can be chained with docker to execute a rebuild locally:
- $ oss-rebuild get pypi absl-py 2.0.0 --output=dockerfile | docker run $(docker buildx build -q -)
Basic usage or getting-started notes:
- The oss-rebuild CLI tool provides access to OSS Rebuild data:
- $ go run github.com/google/oss-rebuild/cmd/oss-rebuild@latest --help
Extracted from upstream docs: https://raw.githubusercontent.com/google/oss-rebuild/HEAD/README.md
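As an added example (not code from this page or from the OSS Rebuild project), the Go program below checks that the SHA-256 of a locally held artifact appears among the subjects of an attestation before the artifact is trusted. It assumes the attestation is a DSSE envelope carrying an in-toto v1 Statement; `MatchSubject` and `SampleEnvelope` are hypothetical names, and the sample envelope is constructed and unsigned.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Assumed layout: DSSE envelope + in-toto v1 Statement; JSON keys match case-insensitively.
type envelope struct{ PayloadType, Payload string }
type statement struct {
	Subject []struct {
		Name   string
		Digest map[string]string
	}
}

// MatchSubject returns the subject whose sha256 equals the artifact's digest.
// Digest binding only: the envelope signature is NOT verified here.
func MatchSubject(envJSON, artifact []byte) (string, error) {
	var env envelope
	var st statement
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil || env.PayloadType != "application/vnd.in-toto+json" || json.Unmarshal(raw, &st) != nil {
		return "", fmt.Errorf("payload is not a base64 in-toto Statement")
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return s.Name, nil
		}
	}
	return "", fmt.Errorf("digest %s not among attestation subjects", want)
}

// SampleEnvelope builds a constructed, unsigned envelope for the given bytes.
func SampleEnvelope(name string, artifact []byte) []byte {
	st := fmt.Sprintf(`{"subject":[{"name":%q,"digest":{"sha256":"%x"}}]}`, name, sha256.Sum256(artifact))
	b64 := base64.StdEncoding.EncodeToString([]byte(st))
	return []byte(fmt.Sprintf(`{"payloadType":"application/vnd.in-toto+json","payload":%q}`, b64))
}

func main() {
	env := SampleEnvelope("demo-1.0-py3-none-any.whl", []byte("constructed wheel bytes"))
	fmt.Println(MatchSubject(env, []byte("tampered wheel bytes")))
}
```

A digest match shows only that the attestation refers to these exact bytes; trust still depends on verifying the envelope signature, which the prerequisites above tie to gcloud ADC credentials.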
Quality
deterministic score 0.45 from registry signals: indexed on github topic:agent-skills · 8 github stars · SKILL.md body (1,253 chars)