Trust Nothing, Trace Everything: Auditing Package Builds at Scale with OSS Rebuild

While reproducible builds provide a gold standard for artifact integrity, they often treat the build process itself as a black box: either it matches or it doesn't. But in an era of sophisticated supply chain attacks like the XZ backdoor and Shai Hulud, understanding why a build behaves the way it does is just as critical as the final output. To secure the open-source package ecosystem, we needed to look inside this black box. In this talk, we explore how OSS Rebuild instruments the build environment to detect "badness" in real-time. We detail our open-source observability suite, featuring a transparent network proxy for uncovering hidden remote dependencies and an eBPF-based system analyzer for examining build behavior in fine detail.