
content: draft: define source-track objective in terms of revisions and provenance. #1083

Merged
merged 17 commits into from
Jul 15, 2024

Conversation

zachariahcox
Contributor

@zachariahcox zachariahcox commented Jun 28, 2024

fixes #1072

This PR modifies draft content of the slsa spec.

Context

Based on discussion from #1037

See discussion here.

Copied from draft proposal here.

Google document requires [email protected] membership.

Source revision provenance

Repos contain many revisions, most of which are not "official" or otherwise approved for release.
The goal of the source track is to attest to why a specific revision was approved for release.

We can think of the SCP / code review tool as “building” the next official revision of a repository using a codified process that involves collecting commits, acquiring reviews, running CI, etc.
If the change review process is successful, the code review tooling will merge the code changes and attest to the process used to produce the new revision.

The source provenance attestations associate a specific revision of a repository to security claims and documents (basically build logs) of the process that produced it.

In GitHub terms, a merged pull request and its associated rules evaluation justify why and how a specific git SHA is reachable from a protected branch.

Example Scenario

  1. A CI system is trying to build some artifact and will download all necessary resources, including repos and packages.
  2. After download, the system will proceed to verify all fetched resources.
    1. For package artifacts, it takes the hash and looks for build provenance attestations from sigstore or github.
    2. For source artifacts that are not packaged (e.g., cloned via git), it takes the revision id and looks for the source provenance from sigstore or github.
  3. Based on the claims in the provenance attestations, the CI system can determine if all resources comply with required policy and choose to proceed.
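The verification step in the scenario above, as an added example that is not part of the PR or the SLSA spec: a CI job looks each fetched resource up by its identifier (artifact digest for packages, git revision id for cloned source) in a constructed attestation store and checks the claims against a policy before proceeding. The attestation fields, store and policy here are invented for illustration and are not the SLSA source provenance predicate.

```python
from dataclasses import dataclass

# Constructed attestation store keyed by resource identifier. Claim field
# names are invented for this illustration, not the SLSA predicate schema.
ATTESTATIONS = {
    "sha256:aaaa1111": {"type": "build", "builder": "ci.example/trusted"},
    "0123abcd": {"type": "source", "branch": "refs/heads/main",
                 "merged_pr": 42, "approvals": 2, "ci_passed": True},
    "9999ffff": {"type": "source", "branch": "refs/heads/feature",
                 "merged_pr": None, "approvals": 0, "ci_passed": False},
}

@dataclass(frozen=True)
class Resource:
    kind: str        # "package" (verified by digest) or "source" (by revision)
    identifier: str  # artifact digest or git revision id

@dataclass(frozen=True)
class Policy:
    trusted_builders: frozenset
    protected_branches: frozenset
    min_approvals: int

def verify(resource, policy, store=ATTESTATIONS):
    """Steps 2.1/2.2: return (ok, reason) for one fetched resource."""
    att = store.get(resource.identifier)
    if att is None:
        return False, "no provenance attestation found"
    if resource.kind == "package":
        if att["type"] != "build":
            return False, "expected build provenance"
        if att["builder"] not in policy.trusted_builders:
            return False, f"untrusted builder {att['builder']}"
        return True, f"built by trusted builder {att['builder']}"
    if resource.kind == "source":
        if att["type"] != "source":
            return False, "expected source provenance"
        if att["branch"] not in policy.protected_branches:
            return False, f"revision not on a protected branch ({att['branch']})"
        if att["merged_pr"] is None or not att["ci_passed"]:
            return False, "no merged PR with passing CI justifies this revision"
        if att["approvals"] < policy.min_approvals:
            return False, f"only {att['approvals']} approvals"
        return True, f"merged PR #{att['merged_pr']} on {att['branch']}"
    return False, f"unknown resource kind {resource.kind}"

def verify_all(resources, policy, store=ATTESTATIONS):
    """Step 3: proceed only if every fetched resource complies with policy."""
    results = {r.identifier: verify(r, policy, store) for r in resources}
    return all(ok for ok, _ in results.values()), results
```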


netlify bot commented Jun 28, 2024

Deploy Preview for slsa ready!

Name Link
🔨 Latest commit 20cb12d
🔍 Latest deploy log https://app.netlify.com/sites/slsa/deploys/66916946993b7c0008a8dc3c
😎 Deploy Preview https://deploy-preview-1083--slsa.netlify.app

@zachariahcox zachariahcox changed the title source track: update objective to align with build track source track: update objective to reference revisions and provenance. Jun 28, 2024
@zachariahcox zachariahcox changed the title source track: update objective to reference revisions and provenance. content: update source-track objective to reference revisions and provenance. Jun 28, 2024
@zachariahcox zachariahcox marked this pull request as draft July 8, 2024 14:30
@zachariahcox zachariahcox changed the title content: update source-track objective to reference revisions and provenance. content: update source-track objective in terms of revisions and provenance. Jul 10, 2024
@zachariahcox zachariahcox marked this pull request as ready for review July 10, 2024 01:05
Co-authored-by: Tom Hennen <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
Co-authored-by: Tom Hennen <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
@zachariahcox zachariahcox requested review from lehors and arewm July 11, 2024 15:27
@zachariahcox zachariahcox changed the title content: update source-track objective in terms of revisions and provenance. content: define source-track objective in terms of revisions and provenance. Jul 11, 2024
@zachariahcox zachariahcox changed the title content: define source-track objective in terms of revisions and provenance. content: draft: define source-track objective in terms of revisions and provenance. Jul 11, 2024
Member

@joshuagl joshuagl left a comment


A few minor nits, but otherwise LGTM

zachariahcox and others added 3 commits July 12, 2024 10:33
Co-authored-by: Joshua Lock <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
Co-authored-by: Joshua Lock <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
Co-authored-by: Joshua Lock <[email protected]>
Signed-off-by: Zachariah Cox <[email protected]>
@joshuagl joshuagl merged commit 7c6ba23 into slsa-framework:main Jul 15, 2024
6 checks passed
@zachariahcox zachariahcox deleted the patch-1 branch October 1, 2024 13:12

Successfully merging this pull request may close these issues.

Clarify source-track objective
4 participants