oss-rebuild: init at unstable-2025-07-22 · tjh.dev/nixpkgs@c787ce4

tjh.dev / nixpkgs

fork atom

nixpkgs mirror (for testing) github.com/NixOS/nixpkgs

nix

fork atom

oss-rebuild: init at unstable-2025-07-22

Signed-off-by: Paul Meyer <katexochen0@gmail.com>

Paul Meyer 9 months ago c787ce45 6c271d33

+62

1 changed file

expand all

pkgs

by-name

oss-rebuild

package.nix

+62

pkgs/by-name/os/oss-rebuild/package.nix

··· 1 + { 2 + lib, 3 + buildGoModule, 4 + fetchFromGitHub, 5 + }: 6 + 7 + buildGoModule (finalAttrs: { 8 + pname = "oss-rebuild"; 9 + version = "0-unstable-2025-07-22"; 10 + 11 + src = fetchFromGitHub { 12 + owner = "google"; 13 + repo = "oss-rebuild"; 14 + rev = "6f57c474a8faf3012204792af8ef5d8b6fae2fd1"; 15 + hash = "sha256-H8HkhQcRt6C+lxoMVLzRfhv60Mq8TAf83ctOBRbx4p0="; 16 + }; 17 + 18 + proxyVendor = true; 19 + vendorHash = "sha256-H6ZMop3tXwpzvjoLWAaovP8UHSYLLFxvSz2jhz8tj/g="; 20 + 21 + subPackages = [ 22 + "cmd/oss-rebuild" 23 + "cmd/proxy" 24 + "cmd/stabilize" 25 + "cmd/timewarp" 26 + # There are other tools in available, but without documentation. 27 + ]; 28 + 29 + ldflags = [ "-s" ]; 30 + 31 + env.CGO_ENABLED = 0; 32 + 33 + meta = { 34 + description = "Securing open-source package ecosystems by originating, validating, and augmenting build attestations"; 35 + longDescription = '' 36 + OSS Rebuild aims to apply reproducible build concepts at low-cost and high-scale for open-source package ecosystems. 37 + 38 + Rebuilds are derived by analyzing the published metadata and artifacts and are evaluated against the upstream package 39 + versions. When successful, build attestations are published for the upstream artifacts, verifying the integrity of 40 + the upstream artifact and eliminating many possible sources of compromise. 41 + 42 + [`oss-rebuild`](https://github.com/google/oss-rebuild?tab=readme-ov-file#usage) CLI tool provides access to OSS Rebuild 43 + data. 44 + 45 + [`proxy`](https://github.com/google/oss-rebuild/blob/main/cmd/proxy/README.md) is a transparent HTTP(S) proxy that 46 + intercepts and records network activity. It's primarily used within OSS Rebuild to monitor network interactions during 47 + the build process, helping to passively enumerate remote dependencies and to identify suspect build behavior. 48 + 49 + [`stabilize`](https://github.com/google/oss-rebuild/blob/main/cmd/stabilize/README.md) is a command-line tool that 50 + removes non-deterministic metadata from software packages to facilitate functional comparison of artifacts. 51 + 52 + [`timewarp`](https://github.com/google/oss-rebuild/blob/main/cmd/timewarp/README.md) is a registry-fronting HTTP 53 + service that filters returned content by time. This tool allows you to transparently adjust the data returned to 54 + package manager clients to reflect the state of a registry at a given point in time (especially useful for reproducing 55 + prior builds). 56 + ''; 57 + homepage = "https://github.com/google/oss-rebuild"; 58 + license = lib.licenses.asl20; 59 + maintainers = with lib.maintainers; [ katexochen ]; 60 + mainProgram = "oss-rebuild"; 61 + }; 62 + })