Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Define 'source control system' in source track #1128

Closed
TomHennen opened this issue Sep 9, 2024 · 4 comments · Fixed by #1171
Closed

Define 'source control system' in source track #1128

TomHennen opened this issue Sep 9, 2024 · 4 comments · Fixed by #1171
Assignees

Comments

@TomHennen
Copy link
Contributor

We currently talk about 'VCS' and 'SCP' but don't have a term to talk about the system as a whole.

Defining such a term would make some things easier when we don't have a strong opinion about which specific component of the system fulfills a given role as long as it is filled somewhere.

Let's define the term and then update the source track to use it where appropriate.

@TomHennen
Copy link
Contributor Author

Let's also incorporate @marcelamelara's feedback from #1094 (review)

Thanks for the updates! My main high-level suggestion is that the source track ought to make the roles and requirements of the VCS vs. SCP vs. producer clearer. In the Build track, the distinction between what the hosted build platform vs the producer is responsible for is called out. In the current source track spec, I feel like there are a lot of assumptions/expectations about the SCP, the producer and the VCS that we aren't including right now. So it might be helpful to draw a clearer separation between who is responsible for achieving which requirements.

@TomHennen
Copy link
Contributor Author

Proposal (which we can iterate on):

Source Attestation Issuer

A party that evaluates evidence and issues attestations (summary or provenance) about source revisions.

Source Control System (SCS)

A combination of a VCS, SCP, and Source Attestation Issuers that are trusted to manage the source for a Repository by the Organization which controls it. A SCS is the entity responsible for meeting the SLSA requirements through how it assembles and configures the VCS, SCP, and Source Attestation Issuers.

@TomHennen TomHennen self-assigned this Sep 20, 2024
@TomHennen
Copy link
Contributor Author

When we do this perhaps we can address @marcelamelara's comment from #1094:

I'm wondering if we can be a tad more concrete than "Entities with the knowledge to issue them". Is this about the SCP's components, or are these entities more at an organizational level? Or something else I might be missing?

@zachariahcox
Copy link
Contributor

how is SCS different from SCP? the SCP is already "a collection of services."

What is the main scenario we'll unblock by having a second concept? @adityasaky @TomHennen

@zachariahcox zachariahcox moved this from Ready for work! to In review in SLSA Source Track Sep 30, 2024
@zachariahcox zachariahcox moved this from In review to In progress in SLSA Source Track Oct 2, 2024
TomHennen pushed a commit that referenced this issue Oct 2, 2024
…with project board links. (#1171)

fixes: #1128

(cleaned up version of #1166)

This change is in response to the 9.30 slsa specification meeting on
this topic.

A SCS is the full suite of services and ideas relied upon by the
organization to create source revisions.

VCS stuff should mostly fall out of the discussion

Repositories can be used as the concept used when we need to talk about
authN and authZ w.r.t. authentic contributions.
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in Issue triage Oct 2, 2024
@github-project-automation github-project-automation bot moved this from In progress to Done in SLSA Source Track Oct 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: Done
Status: Done
2 participants