
source track formatting should follow the slsa project standards #1069

Open
TomHennen opened this issue Jun 17, 2024 · 2 comments

@TomHennen
Contributor

Apologies for being late to review this. It's fantastic to see the beginnings of a Source track emerge. Thank you for the continued effort on this @kpk47.

This feels equivalent to what we had in v0.1, only compressed into 3 levels instead of 4 and with more affordances for changes from robots. Does that assessment feel fair/accurate to you?

Most of my comments are related to presentation, the requirements feeling so close to the v0.1 version is a great baseline.

The formatting and structure of the Levels changes don’t match the existing Build track levels.
Build levels are broken down into producer and platform requirements (see the change from benefits to focus in cc812c3) and are descriptive overview requirements, whereas the newly added source requirements are detailed and specific enough that they run the risk of seeming authoritative and contradictory to the track text.

The formatting and structure of the Source requirements doesn’t match the “Producing artefacts” document, where the requirements are in a table with check marks for which level they apply to (and further, there are tables per requirement category: provenance generation and isolation, I’m not sure this split makes sense for the source track).

Note: we should update future-directions to remove the source track and/or update it to mention what could come next. Threats and mitigations should be updated too.

Final thought, is adding a new level appropriate for a minor release, or should we consider a major release for this?

Originally posted by @joshuagl in #1037 (review)

@TomHennen
Contributor Author

Also see the discussion here.

I believe @Nikokrock is working on fixing this.

@zachariahcox
Contributor

I don't have permission to edit this title @TomHennen but we should probably rename this: "source track formatting should follow the slsa project standards"

@TomHennen TomHennen changed the title from "Structure & formatting don't match the build track" to "source track formatting should follow the slsa project standards" Oct 15, 2024
@TomHennen TomHennen self-assigned this Oct 15, 2024
TomHennen added a commit that referenced this issue Oct 16, 2024
This follows the pattern from requirements.md where each requirement is
listed along with what level it applies at.

I separate 'platform requirements' from 'change management tool'
requirements to mirror the 'Provenance generation' / "Isolation
strength" from requirements.md.

Future PRs will add a summary like the 'Build levels' table from
requirements.md.

Refs #1069

---------

Signed-off-by: Tom Hennen <[email protected]>
@TomHennen TomHennen moved this from Ready for work! to In review in SLSA Source Track Oct 16, 2024
@TomHennen TomHennen moved this from In review to In progress in SLSA Source Track Oct 16, 2024