address review comments
Signed-off-by: arewm <[email protected]>
arewm committed Oct 24, 2023
1 parent 31662a9 commit f92baff
Showing 2 changed files with 6 additions and 4 deletions.
5 changes: 3 additions & 2 deletions docs/spec/v1.0/faq.md
@@ -159,7 +159,7 @@ these, classifying the SLSA build level for the resulting artifact can be confus
Since the SLSA Build track describes increasing levels of trustworthiness and
completeness in a package artifact's <dfn>provenance</dfn>, interpretation of the
specification hinges on the platform entities involved in the provenance generation.
The SLSA build level requirements (secure key storage, isolation, etc.) should be
The SLSA [build level requirements] (secure key storage, isolation, etc.) should be
imposed on the transitive closure of the systems which are responsible for informing
the provenance generated.

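Review bot: the new reference-style link `[build level requirements]` on the replaced line only resolves if a matching definition exists; that definition, `[build level requirements]: requirements.md`, is added in the next hunk of this file, so the two hunks must land together and the label must match exactly (case and spacing) for the link to render. If a wording tweak is in scope, the surrounding sentence would read more directly as "the transitive closure of the systems responsible for informing the generated provenance", since "informing the provenance generated" is awkward.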
@@ -171,11 +171,12 @@ Some common situations may include:
- The runner generates the provenance. In this situation, the orchestrating platform
is irrelevant and all requirements are imposed on the runner.
- The platform provides the runner with some credentials for generating the provenance
or both the platform and the runner provide information for the provenance.Trust is
or both the platform and the runner provide information for the provenance. Trust is
shared between the platform and the runner so the requirements are imposed on both.

Requirements on the self-hosted runners may increase with Build levels greater than L3.

[build level requirements]: requirements.md
[GitHub Actions]: https://docs.github.com/en/actions/hosting-your-own-runners
[Software Bill of Materials (SBOM)]: https://ntia.gov/sbom
[SLSA Provenance]: provenance.md
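Review bot: the whitespace fix on the replaced line ("provenance.Trust" to "provenance. Trust") is correct; a comma before "so" in "shared between the platform and the runner so the requirements are imposed on both" would make the consequence clearer, and "the self-hosted runners" in the following context line reads better as "self-hosted runners". The added definition `[build level requirements]: requirements.md` keeps the reference list in alphabetical order and matches the relative-path style of `[SLSA Provenance]: provenance.md`, so nothing further is needed there.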
5 changes: 3 additions & 2 deletions docs/spec/v1.1/faq.md
@@ -159,7 +159,7 @@ these, classifying the SLSA build level for the resulting artifact can be confus
Since the SLSA Build track describes increasing levels of trustworthiness and
completeness in a package artifact's <dfn>provenance</dfn>, interpretation of the
specification hinges on the platform entities involved in the provenance generation.
The SLSA build level requirements (secure key storage, isolation, etc.) should be
The SLSA [build level requirements] (secure key storage, isolation, etc.) should be
imposed on the transitive closure of the systems which are responsible for informing
the provenance generated.

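Review bot: this hunk mirrors the v1.0 change line for line, which keeps the two spec copies from drifting; the same dependency applies, as the `[build level requirements]` reference needs the definition added in the second hunk of this file. Note that the link target `requirements.md` is relative, so it resolves to the v1.1 requirements page here and to the v1.0 page in the other file, which appears to be the intent.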
@@ -171,11 +171,12 @@ Some common situations may include:
- The runner generates the provenance. In this situation, the orchestrating platform
is irrelevant and all requirements are imposed on the runner.
- The platform provides the runner with some credentials for generating the provenance
or both the platform and the runner provide information for the provenance.Trust is
or both the platform and the runner provide information for the provenance. Trust is
shared between the platform and the runner so the requirements are imposed on both.

Requirements on the self-hosted runners may increase with Build levels greater than L3.

[build level requirements]: requirements.md
[GitHub Actions]: https://docs.github.com/en/actions/hosting-your-own-runners
[Software Bill of Materials (SBOM)]: https://ntia.gov/sbom
[SLSA Provenance]: provenance.md
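Review bot: identical to the v1.0 hunk, so the same minor style points apply (comma before "so"; "self-hosted runners" without "the"); the added reference definition is present and sorted. Since both spec versions are edited in one commit, the commit message "address review comments" could name the review or pull request being addressed, so the history records why the v1.0 copy was changed alongside v1.1.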

0 comments on commit f92baff