content: source track: address org threats #1236
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Copilot reviewed 1 out of 1 changed files in this pull request and generated no suggestions.
Comments skipped due to low confidence (2)
docs/spec/draft/threats.md:86
- [nitpick] The word 'SHOULD' should not be in all caps unless it is a specific requirement in a specification. Consider changing it to 'should'.
Trustworthiness scales with transparency, and consumers SHOULD push on their vendors to follow transparency best-practices.
docs/spec/draft/threats.md:86
- [nitpick] The phrase 'Trustworthiness scales with transparency' is unclear. Consider rephrasing it to 'Trustworthiness increases with transparency'.
Trustworthiness scales with transparency, and consumers SHOULD push on their vendors to follow transparency best-practices.
Tip: Turn on automatic Copilot reviews for this repository to get quick feedback on every pull request. Learn more
zachariahcox
requested review from
MarkLodato,
TomHennen,
lehors,
adityasaky and
arewm
TomHennen
reviewed
Nov 19, 2024
Co-authored-by: Tom Hennen <[email protected]> Signed-off-by: Zachariah Cox <[email protected]>
adityasaky
reviewed
Nov 22, 2024
| @@ -76,25 +76,20 @@ be nice to resolve. For example, compromised developer credentials - is that (A) | |||
| or (B)? | |||
| --> | |||
|
|
|||
| <details><summary>Software producer intentionally submits bad code</summary> | |||
| <details><summary>The organization intentionally creates a malicious revision</summary> | |||
There was a problem hiding this comment.
Is there a reason to switch the terminology to "organization" from "producer"? Organization seems narrower to me, and the figure also uses producer.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
fixes: #1178
I'm not sure how much we need this threats.md section.
We already have a generic blurb here that covers much the same topic: https://github.com/slsa-framework/slsa/blob/5fea409bc055bb0e593950b23a256422ee8b3ba5/docs/spec/draft/about.md#what-slsa-doesnt-cover