
copy: clarify names of source levels

Open zachariahcox opened this issue 1 year ago • 2 comments

related to: https://github.com/slsa-framework/slsa/pull/1097#discussion_r1718489268

Level 2


My initial thoughts are that we're trying to get across the following concepts:

  • teams can have more than one branch
  • teams may need to indicate that consumers can / should / must ignore commits on users/* and only ship commits on /releases/*
  • because branches have different security postures, only some branches have protected history, i.e., we allow force push to user branches
  • the logical VSA for this rule would need to verify that "the previous revision id is reachable from this new revision id" (i.e., there was no potential for data loss due to force push or repo hijack)

https://github.com/slsa-framework/slsa/pull/1097#discussion_r1714156093

Level 3

  • https://github.com/slsa-framework/slsa/pull/1097#discussion_r1714081313


zachariahcox, Aug 15 '24 14:08
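The Level 2 reachability rule above ("the previous revision id is reachable from this new revision id") is the kind of check a VSA issuer would run before asserting that a branch kept its history. The following is an added example, not code from the SLSA project or the issue author: it models the commit graph as a constructed in-memory dictionary (revision id to parent ids), uses a hypothetical branch policy in which only `releases/*` and `main` are protected, and walks parent edges the same way `git merge-base --is-ancestor <old> <new>` does against a real repository. The rewritten commit `x1` stands in for a force push that discarded `c2` and `c3`.

```python
"""Reachability check behind a source-level VSA: the previously verified
revision must be an ancestor of (reachable from) the newly submitted one.

Added example; the commit graph and branch policy below are constructed
stand-ins, not SLSA project code.
"""
import fnmatch
from collections import deque

# Constructed commit DAG: revision id -> tuple of parent revision ids.
#   c0 <- c1 <- c2 <- c3 <- m1  is the honest history of releases/v1,
#   f1 (parent c1) is a feature commit merged by m1,
#   x1 (parent c1) is a rewritten commit: a force push that dropped c2/c3.
COMMIT_PARENTS = {
    "c0": (),
    "c1": ("c0",),
    "c2": ("c1",),
    "c3": ("c2",),
    "f1": ("c1",),
    "m1": ("c3", "f1"),
    "x1": ("c1",),
}

# Hypothetical policy: these branch patterns must keep history. Anything
# else (e.g. users/*) may be force-pushed and is not shipped to consumers.
PROTECTED_BRANCH_PATTERNS = ("releases/*", "main")


def is_protected_branch(branch: str) -> bool:
    """True if the branch name matches a protected pattern (shell-style glob)."""
    return any(fnmatch.fnmatchcase(branch, pat) for pat in PROTECTED_BRANCH_PATTERNS)


def is_ancestor(parents: dict, old_rev: str, new_rev: str) -> bool:
    """True if old_rev is reachable from new_rev by following parent edges.

    Equivalent to `git merge-base --is-ancestor old_rev new_rev`. Unknown
    revision ids are treated as unreachable rather than raising.
    """
    if old_rev not in parents or new_rev not in parents:
        return False
    seen = set()
    queue = deque([new_rev])
    while queue:
        rev = queue.popleft()
        if rev == old_rev:
            return True
        if rev in seen:
            continue
        seen.add(rev)
        queue.extend(parents.get(rev, ()))
    return False


def verify_history(parents: dict, branch: str, previous_rev, new_rev: str):
    """Decide whether a VSA for (branch, new_rev) may assert protected history.

    Returns (ok, reason). ok is False both when the branch is not protected
    (the VSA must not claim continuity there) and when history was rewritten.
    """
    if not is_protected_branch(branch):
        return False, f"{branch} is not a protected branch; history is not asserted"
    if previous_rev is None:
        return True, "no previously verified revision; first VSA for this branch"
    if is_ancestor(parents, previous_rev, new_rev):
        return True, f"{previous_rev} is reachable from {new_rev}"
    return False, f"{previous_rev} is not reachable from {new_rev}; history was rewritten"


if __name__ == "__main__":
    cases = [
        ("releases/v1", "c1", "c3"),   # normal fast-forward
        ("releases/v1", "c2", "m1"),   # merge commit still descends from c2
        ("releases/v1", "c3", "x1"),   # force push: c3 is gone
        ("users/alice", "c1", "x1"),   # user branch: force push allowed, not asserted
    ]
    for branch, prev, new in cases:
        ok, why = verify_history(COMMIT_PARENTS, branch, prev, new)
        print(f"{branch} {prev}->{new}: {'PASS' if ok else 'FAIL'} ({why})")
```

The check is deliberately one-directional: it only proves that nothing the issuer previously vouched for was dropped, not that the intervening commits were reviewed or came from an authorized pusher; those are separate claims a VSA would carry.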

possible duplicate of: https://github.com/slsa-framework/slsa/issues/1070, though this one is more broad.

zachariahcox, Aug 27 '24 16:08

I think the only level name that could maybe use some improvement is level 3. I bet once we have #1143 nailed down we can use that language in the title somehow.

TomHennen, Oct 15 '24 19:10