Clarify level 1 - getting started - Provenance Exists
If someone is using a build platform that does not have provenance generation tooling built out yet (so not GitHub or GitLab etc.), then in order to meet level 1 there seems to be a conflict between the Get Started page and the requirements.
Get Started page: https://slsa.dev/get-started

> Tooling: A build configuration file (i.e., GitHub workflow) qualifies for SLSA 1. It would be considered unsigned, unformatted provenance.
vs. Requirements: https://slsa.dev/spec/v1.0/requirements#provenance-exists

> The build process MUST generate provenance that unambiguously identifies the output package by cryptographic digest and describes how that package was produced.
A GitHub workflow (or other build configuration file) will not display the output package cryptographic digest because it is a set of instructions on how to build the artifact, correct?
Does this mean the reference on the get started page is incorrect? For just level 1 is that ok and the build configuration file is acceptable as provenance at level 1?
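To make the distinction in the requirement concrete, here is an added example (not code from the SLSA project or from anyone in this thread) that emits a minimal in-toto Statement carrying a SLSA provenance v1 predicate and then checks the two properties the "Provenance exists" requirement names: the subject is identified by a cryptographic digest of the actual output, and the predicate describes how it was built. The same check is run against a constructed workflow file to show why a build configuration alone cannot satisfy it. The sample artifact, the workflow text, the builder id and the build type URI are all constructed placeholders, not real values; signing and builder trust are outside what this example covers.

```python
import hashlib
import json

# Constructed sample artifact standing in for a built package.
SAMPLE_ARTIFACT = b"hello, world\n"

# Constructed build configuration in GitHub-workflow style. It is a set of
# instructions for producing the artifact and contains no digest of any output.
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make package
"""

# Hypothetical identifiers used only for this example.
BUILDER_ID = "https://example.com/builders/demo-ci"
BUILD_TYPE = "https://example.com/build-types/make/v1"


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of the given bytes."""
    return hashlib.sha256(data).hexdigest()


def make_provenance(name, artifact, builder_id, build_type, external_parameters):
    """Return an in-toto Statement whose predicate is SLSA provenance v1.

    The subject entry binds the statement to the exact output bytes by digest;
    buildDefinition and runDetails describe how and by whom it was produced.
    """
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": build_type,
                "externalParameters": external_parameters,
                "internalParameters": {},
                "resolvedDependencies": [],
            },
            "runDetails": {"builder": {"id": builder_id}, "metadata": {}},
        },
    }


def identifies_output(statement, artifact):
    """True if some subject's sha256 digest matches the artifact bytes."""
    want = sha256_hex(artifact)
    return any(
        s.get("digest", {}).get("sha256") == want
        for s in statement.get("subject", [])
    )


def describes_build(statement):
    """True if the predicate says what was run and who ran it."""
    pred = statement.get("predicate", {})
    return bool(
        pred.get("buildDefinition", {}).get("buildType")
        and pred.get("runDetails", {}).get("builder", {}).get("id")
    )


def meets_provenance_exists(statement, artifact):
    """Both halves of the requirement: digest-bound subject plus a build description."""
    return identifies_output(statement, artifact) and describes_build(statement)


def config_identifies(config_text, artifact):
    """A build config can only identify the output if its digest appears literally in it."""
    return sha256_hex(artifact) in config_text


def demo():
    """Run the checks on the constructed inputs and return the outcomes."""
    stmt = make_provenance("pkg.tar.gz", SAMPLE_ARTIFACT, BUILDER_ID, BUILD_TYPE,
                           {"workflow": "build.yml"})
    return {
        "provenance_ok": meets_provenance_exists(stmt, SAMPLE_ARTIFACT),
        # A modified artifact no longer matches the recorded digest.
        "provenance_tampered": meets_provenance_exists(stmt, SAMPLE_ARTIFACT + b"x"),
        # The workflow file alone cannot identify what it produced.
        "config_ok": config_identifies(SAMPLE_WORKFLOW, SAMPLE_ARTIFACT),
        "statement_json": json.dumps(stmt, indent=2),
    }


if __name__ == "__main__":
    result = demo()
    print(result["statement_json"])
    print({k: v for k, v in result.items() if k != "statement_json"})
```

The artifact is digested after the build produces it, so the provenance can only be generated by the build process itself (or by something observing its output), which is the point of the requirement as quoted above.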
I spoke with @mlieberman85 in person; we agreed that the get-started statement is wrong and a configuration file should not qualify for SLSA 1. The provenance should point to the artifact produced.
Agreed. Would you like to submit a PR? :-)
Would you be willing to open a PR on this?
Edit: @joshuagl beat me to it by SECONDS