Explicitly mention that BuildEnv L2 build platform MUST verify the SLSA Provenance OR its VSA. #1196

Open
marcelamelara opened this issue Oct 15, 2024 · 1 comment
Labels
build-environment-track Issues/PRs related to the SLSA BuildEnv track

marcelamelara commented Oct 15, 2024

Prior to the instantiation of a new build environment, the SLSA Provenance for the selected build image MUST be automatically verified.

If it must be, do we have to say what about the image is verified?
Just the VSA's "build level 2" claim about the build image?

Originally posted by @zachariahcox in #1115 (comment)

@paveliak

@marcelamelara Curious, how does this requirement go along with the claim that we do not assume the Control Plane to be trusted at L2? If we demand provenance verification from the Control Plane, how can we trust the verification result? And once we add the Control Plane into the TCB, then a request for having Control Plane provenance becomes reasonable...
