FYI: Google's Open Source Security Team (GOSST) has announced a new project called "OSS Rebuild". You can see their announcement here: https://security.googleblog.com/2025/07/introducing-oss-rebuild-open-source.html
In it, they attempt to rebuild existing "PyPI (Python), npm (JS/TS), and Crates.io (Rust) packages". They determine if the build reproduces, and if not, attempt to justify the differences to determine if they are *semantically* identical. If they determine that they are semantically identical (including if they're a reproducible build), they publish the build definition and outcome via SLSA Provenance. Their goal is to counter various kinds of attacks.

The project's repo is here: https://github.com/google/oss-rebuild

I'm not associated with the project, but I do find it interesting.

---
David A. Wheeler
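As an added illustration of the rebuild-and-justify idea described above (this is example code written for this post, not OSS Rebuild's own tooling or logic), the script below compares an upstream ZIP-based artifact, such as a Python wheel, against a locally rebuilt one. It reports "reproducible" when the bytes match, "semantically-identical" when every member's content matches and only ZIP timestamps differ, and "different" otherwise. The three archives are constructed inline so it runs offline; the package contents and timestamps are invented sample data.

```python
"""
Added example (not OSS Rebuild's code): classify an upstream artifact against a
rebuild as reproducible, semantically identical, or different, recording the
justification for each accepted difference. All archives here are constructed
in memory from invented sample data.
"""
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def archive_members(blob: bytes) -> Dict[str, Tuple[str, tuple]]:
    """Map each ZIP member name to (sha256 of its content, stored date_time)."""
    out: Dict[str, Tuple[str, tuple]] = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            out[info.filename] = (sha256(zf.read(info)), info.date_time)
    return out


def classify(upstream: bytes, rebuilt: bytes) -> Tuple[str, List[str]]:
    """
    Return (verdict, notes). The verdict is "reproducible" for a byte-exact
    match, "semantically-identical" when all member contents match and only
    ZIP timestamps differ (a benign, justified difference), and "different"
    when any member is missing or its content differs. Notes record each
    justification or discrepancy so a reviewer can audit the decision.
    """
    if upstream == rebuilt:
        return "reproducible", []
    a, b = archive_members(upstream), archive_members(rebuilt)
    notes: List[str] = []
    verdict = "semantically-identical"
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            notes.append(f"{name}: present in only one archive")
            verdict = "different"
            continue
        (hash_a, time_a), (hash_b, time_b) = a[name], b[name]
        if hash_a != hash_b:
            notes.append(f"{name}: content differs ({hash_a[:12]} vs {hash_b[:12]})")
            verdict = "different"
        elif time_a != time_b:
            notes.append(f"{name}: same content, timestamp {time_a} vs {time_b} (benign)")
    if verdict == "semantically-identical" and not notes:
        # Bytes differ but every member matches: e.g. member order or extra fields.
        notes.append("archive-level bytes differ but all members match")
    return verdict, notes


def build_zip(members: List[Tuple[str, bytes]], date_time: tuple) -> bytes:
    """Build a deterministic ZIP in memory with a fixed per-member timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


# Constructed sample package: two source files.
SRC = [
    ("pkg/__init__.py", b"VERSION = '1.0'\n"),
    ("pkg/core.py", b"def f():\n    return 1\n"),
]
UPSTREAM = build_zip(SRC, (2025, 7, 1, 12, 0, 0))
# Same sources rebuilt later: only the embedded timestamps differ.
REBUILT_OK = build_zip(SRC, (2025, 7, 29, 9, 30, 0))
# A rebuild whose core.py does not match: must be flagged, not justified away.
TAMPERED = build_zip(
    SRC[:1] + [("pkg/core.py", b"def f():\n    return 2\n")], (2025, 7, 1, 12, 0, 0)
)

if __name__ == "__main__":
    for label, candidate in (("identical", UPSTREAM), ("rebuilt", REBUILT_OK), ("tampered", TAMPERED)):
        verdict, notes = classify(UPSTREAM, candidate)
        print(f"{label}: {verdict}")
        for note in notes:
            print("  -", note)
```

Only timestamp differences are accepted here; anything touching member content is reported as a discrepancy, which is the conservative default for a rebuild check.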
