-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
content: source track draft: simplify and clarify level goals #1097
Conversation
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Are you thinking something other than #1094? |
@TomHennen, Nope! I think the definition of Level 1 would just be "emits one of those attestations." Probably a draft for source track level 1 should be: "Package has provenance claiming how it was built, when it was built and who contributed to it. Can be used to prevent mistakes but is trivial to bypass or forge." |
this would benefit from a review from @samwhite-gl and GitLab! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a couple of pending comments that I figured I'd get to you sooner rather than later. (I'm going to be a bit distracted this week so I might not get this the full attention it deserves)
Co-authored-by: Tom Hennen <[email protected]> Signed-off-by: Zachariah Cox <[email protected]>
@zachariahcox Can you add in a note somewhere at the top that most of the examples use Git, but there should be nothing that restricts only the usage of Git, just that Git is the most popular version control for code? I think that will help clear up any confusion. I know the vast majority of folks will be using Git but we probably also want to make sure folks know that this could be used for things other than Git, but that for practical purposes most examples will use Git. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM I think this looks good for this draft. One other thing that I think we might want to include is a bit more clarity around the separation of concerns between the code management/review tools like Gerrit, Github, Gitlab, and the usage of those tools, e.g. repo with a particular set of rules on Github.
In the build track I think we do a reasonable job at saying your build tool should have these features and when using them you must make sure that you take advantage of those features. I think that could be done with a table similar to the table here https://slsa.dev/spec/v1.0/requirements#build-levels that splits Producer from Build Platform. This is unclear from the current open issues if it would be covered.
good idea! I but a comment at the top of the levels section, but we could move it even higher into the objective section if that would read better. |
I like it. Tracked #1111 This makes me wonder if we should use the term "producer" in this source track document to align with the definition on the build track. |
Co-authored-by: Tom Hennen <[email protected]> Signed-off-by: Zachariah Cox <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
Co-authored-by: Zachariah Cox <[email protected]> Signed-off-by: Tom Hennen <[email protected]>
Ok, it seems like all major comments have been addressed. This is draft so review requirements are relaxed. We have approval from a second maintainer. So I'll merge. We can continue to make updates in other PRs as we move towards release. |
Context
This was mostly ported from gdoc, (requires [email protected] membership.)
The content is intentionally incomplete.
The final draft document will need wholistic review before progressing to the full proposal phase.
Goals
The source track is about communicating trustworthy claims.
These proposals for levels try to describe the absolute bare minimum policies and controls required to make sense of the code in a repo.
This proposal moves most of the other "good idea" policies into a different, non-leveled, section.
One of the goals of slsa is to help teams make improvements to their process in a prioritized way.
Many of these good ideas should be called out and documented somewhere, but they are not directly required for the repo to produce trustworthy attestations, so we're proposing to document and discuss them separately.
Update! As discussed in slack, products like the ossf scorecard might be better fits for describing policy details. The scorecard is much more opinionated about things like branch protections already!
This pr addresses the topics raised in the following issues.
We should re-valuate the status of these issues when this PR merges: