source track: create a "levels" table for the source track
The source-requirements document should have a table mapping out the responsibilities of the organization / producer and the "source platform" (a combination of standard modern developer tools).
LGTM. I think this looks good for this draft. One other thing that I think we might want to include is a bit more clarity around the separation of concerns between the code management/review tools like Gerrit, GitHub, GitLab, and the usage of those tools, e.g. a repo with a particular set of rules on GitHub.
In the build track I think we do a reasonable job at saying your build tool should have these features and, when using them, you must make sure that you take advantage of those features. I think that could be done with a table similar to the table here https://slsa.dev/spec/v1.0/requirements#build-levels that splits Producer from Build Platform. It is unclear from the current open issues whether this would be covered.
Originally posted by @mlieberman85 in https://github.com/slsa-framework/slsa/pull/1097#pullrequestreview-2238845363
https://slsa.dev/spec/v1.0/requirements#provenance-generation
In the current draft, only "source level 3" has any provenance attestation to speak of, so theoretically all of "exists", "authentic", "unforgeable" should be true only for level 3?
Reading the title of this issue I figured it was about creating an easy to read levels table that gives a brief synopsis of the SLSA Source Levels (like we see here). However reading the description it sounds like the idea is that we should break out the requirements a bit more based on who does what.
I think we can do that and split by 'Producer' and 'Source Control System'.
Looking at the current set of requirements I'd be inclined to split out 'Producer' (without a table of its own, as in the build track) and give 'Producer' "Use modern tools", "Canonical location", and (a new one) "Distribute summary attestations" (which mirrors 'Distribute Provenance' from the build track).
Oh, I'd also be inclined to merge the "change management tool" requirements back under the 'System' requirements since in some sense it seems odd to separate them.
My original comment was based on a bit of both. It was hard to glean from what was written what the separation of responsibilities was, and once we clarify it in the text we should have a table.
A lot of implementers of SLSA keep referring back to the table as an easy way for them to understand the delineation of responsibilities between systems/actors.
Removing 1.1 -- this feature is really needed for "whenever the source track ships".
We now have the detailed requirements in table form. We still don't have a summary table like this. This seems like a nice to have that has to wait for the full requirements table to be completed.
Suggestion: leave this open and complete before 1.2 RC1.