editorial: Clarify that SLSA does not address all represented threats (…

…#1005) This addresses issue #1004. --------- Signed-off-by: Arnaud J Le Hors <[email protected]> Co-authored-by: Mark Lodato <[email protected]>
slsa-framework · Jan 8, 2024 · c61beb5 · c61beb5
1 parent 7bfcf78
commit c61beb5
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 16 deletions.
diff --git a/docs/spec/v1.0/threats-overview.md b/docs/spec/v1.0/threats-overview.md
@@ -1,21 +1,22 @@
 ---
 title: Supply chain threats
-description: Attacks can occur at every link in a typical software supply chain, and these kinds of attacks are increasingly public, disruptive, and costly in today's environment. This page is an introduction to possible attacks throughout the supply chain and how SLSA can help.
+description: Attacks can occur at every link in a typical software supply chain, and these kinds of attacks are increasingly public, disruptive, and costly in today's environment. This page is an introduction to possible attacks throughout the supply chain and how SLSA could help.
 ---
 
 Attacks can occur at every link in a typical software supply chain, and these
 kinds of attacks are increasingly public, disruptive, and costly in today's
 environment.
 
 This page is an introduction to possible attacks throughout the supply chain and how
-SLSA can help. For a more technical discussion, see [Threats & mitigations](threats.md).
+SLSA could help. For a more technical discussion, see [Threats & mitigations](threats.md).
 
 ## Summary
 
 ![Supply Chain Threats](images/supply-chain-threats.svg)
 
-See [Terminology](terminology.md) for an explanation of the supply chain
-model.
+**Note that SLSA does not currently address all of the threats presented here.**
+See [Threats & mitigations](threats.md) for what is currently addressed and
+[Terminology](terminology.md) for an explanation of the supply chain model.
 
 SLSA's primary focus is supply chain integrity, with a secondary focus on
 availability. Integrity means protection against tampering or unauthorized
@@ -24,7 +25,7 @@ integrity into source integrity vs build integrity.
 
 **Source integrity:** Ensure that all changes to the source code reflect the
 intent of the software producer. Intent of an organization is difficult to
-define, so SLSA approximates this as approval from two authorized
+define, so SLSA is expected to approximate this as approval from two authorized
 representatives.
 
 **Build integrity:** Ensure that the package is built from the correct,
@@ -46,7 +47,7 @@ Many recent high-profile attacks were consequences of supply chain integrity vul
 <th>
 <th>Integrity threat
 <th>Known example
-<th>How SLSA can help
+<th>How SLSA could help
 <tbody>
 <tr>
 <td>A
@@ -96,7 +97,7 @@ Many recent high-profile attacks were consequences of supply chain integrity vul
 <th>
 <th>Availability threat
 <th>Known example
-<th>How SLSA can help
+<th>How SLSA could help
 <tbody>
 <tr>
 <td>D

diff --git a/docs/spec/v1.0/threats.md b/docs/spec/v1.0/threats.md
@@ -5,7 +5,7 @@ description: A comprehensive technical analysis of supply chain threats and thei
 
 What follows is a comprehensive technical analysis of supply chain threats and
 their corresponding mitigations in SLSA. For an introduction to the
-supply chain threats that SLSA protects against, see [Supply chain threats].
+supply chain threats that SLSA is aiming to protect against, see [Supply chain threats].
 
 The examples on this page are meant to:
 

diff --git a/docs/spec/v1.1/threats-overview.md b/docs/spec/v1.1/threats-overview.md
@@ -1,21 +1,22 @@
 ---
 title: Supply chain threats
-description: Attacks can occur at every link in a typical software supply chain, and these kinds of attacks are increasingly public, disruptive, and costly in today's environment. This page is an introduction to possible attacks throughout the supply chain and how SLSA can help.
+description: Attacks can occur at every link in a typical software supply chain, and these kinds of attacks are increasingly public, disruptive, and costly in today's environment. This page is an introduction to possible attacks throughout the supply chain and how SLSA could help.
 ---
 
 Attacks can occur at every link in a typical software supply chain, and these
 kinds of attacks are increasingly public, disruptive, and costly in today's
 environment.
 
 This page is an introduction to possible attacks throughout the supply chain and how
-SLSA can help. For a more technical discussion, see [Threats & mitigations](threats.md).
+SLSA could help. For a more technical discussion, see [Threats & mitigations](threats.md).
 
 ## Summary
 
 ![Supply Chain Threats](images/supply-chain-threats.svg)
 
-See [Terminology](terminology.md) for an explanation of the supply chain
-model.
+**Note that SLSA does not currently address all of the threats presented here.**
+See [Threats & mitigations](threats.md) for what is currently addressed and
+[Terminology](terminology.md) for an explanation of the supply chain model.
 
 SLSA's primary focus is supply chain integrity, with a secondary focus on
 availability. Integrity means protection against tampering or unauthorized
@@ -24,7 +25,7 @@ integrity into source integrity vs build integrity.
 
 **Source integrity:** Ensure that all changes to the source code reflect the
 intent of the software producer. Intent of an organization is difficult to
-define, so SLSA approximates this as approval from two authorized
+define, so SLSA is expected to approximate this as approval from two authorized
 representatives.
 
 **Build integrity:** Ensure that the package is built from the correct,
@@ -46,7 +47,7 @@ Many recent high-profile attacks were consequences of supply chain integrity vul
 <th>
 <th>Integrity threat
 <th>Known example
-<th>How SLSA can help
+<th>How SLSA could help
 <tbody>
 <tr>
 <td>A
@@ -96,7 +97,7 @@ Many recent high-profile attacks were consequences of supply chain integrity vul
 <th>
 <th>Availability threat
 <th>Known example
-<th>How SLSA can help
+<th>How SLSA could help
 <tbody>
 <tr>
 <td>D

diff --git a/docs/spec/v1.1/threats.md b/docs/spec/v1.1/threats.md
@@ -5,7 +5,7 @@ description: A comprehensive technical analysis of supply chain threats and thei
 
 What follows is a comprehensive technical analysis of supply chain threats and
 their corresponding mitigations in SLSA. For an introduction to the
-supply chain threats that SLSA protects against, see [Supply chain threats].
+supply chain threats that SLSA is aiming to protect against, see [Supply chain threats].
 
 The examples on this page are meant to: