Clarify provenance generation - every step of the pipeline?
Raised from discussion in the community meeting of July 7th 2022. SLSA provenance generation: should it be generated for every step of the pipeline, or only if an artifact is produced in that step?
In-toto generates/verifies every step.
Jacques: Is there a step we don’t care about? (Reverse!) What steps DO we care about (Reverse reverse!)? E.g., every build & every test should produce an artifact.
- What about a deployment job? Production of an artifact that is a log of that deployment?
If a step of the pipeline doesn’t produce an artifact, then what is it that we are attesting to? Should information about each step in the pipeline instead be included in the attestation for the artifacts that are produced? See https://theoryof.predictable.software/articles/some-requirements-for-a-universal-asset-graph/#records-both-asset-data-and-process-data and scroll towards the bottom of that section.
David: The purist in me wants everything, but we need to make it super-cheap & easy. Otherwise we need to focus on “where are the bigger risks” & focus on that. Focus on risk management not risk avoidance.
Once we have community consensus on the answer, I recommend we add this as an FAQ item on the website.
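As an added illustration of the second option raised above (one provenance attestation per produced artifact, with every pipeline step recorded inside it), here is a small Python example. It is not code from the SLSA project or from anyone in this thread. It follows the in-toto Statement v0.1 / SLSA provenance v0.2 field names, but the `buildConfig.steps` layout, the `example.com` builder and repo URIs, and the artifact bytes are constructed for the example; the spec leaves `buildConfig` up to the builder, so that layout is an assumption.

```python
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
PROVENANCE_TYPE = "https://slsa.dev/provenance/v0.2"

# Constructed sample pipeline: four steps, only "build" emits an artifact.
PIPELINE_STEPS = [
    {"name": "checkout", "command": ["git", "checkout", "v1.2.3"], "produces": []},
    {"name": "build", "command": ["make", "all"], "produces": ["app.tar.gz"]},
    {"name": "test", "command": ["make", "test"], "produces": []},
    {"name": "deploy", "command": ["./deploy.sh", "staging"], "produces": []},
]

ARTIFACT_NAME = "app.tar.gz"
ARTIFACT_BYTES = b"constructed artifact contents, not a real tarball"
BUILDER_ID = "https://example.com/builder/v1"          # hypothetical builder identity
SOURCE_URI = "git+https://example.com/org/repo@refs/tags/v1.2.3"  # hypothetical
SOURCE_SHA1 = "a" * 40                                  # constructed commit id


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name, artifact_bytes, steps, builder_id, source_uri, source_sha1):
    """One SLSA v0.2 provenance statement: the subject is the produced artifact,
    and buildConfig.steps (assumed layout) records every step, artifact-producing or not."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": artifact_name, "digest": {"sha256": sha256_hex(artifact_bytes)}}],
        "predicateType": PROVENANCE_TYPE,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.com/pipeline/v1",  # hypothetical buildType
            "invocation": {
                "configSource": {
                    "uri": source_uri,
                    "digest": {"sha1": source_sha1},
                    "entryPoint": "pipeline.yml",
                }
            },
            "buildConfig": {
                "steps": [
                    {"name": s["name"], "command": s["command"], "produces": s["produces"]}
                    for s in steps
                ]
            },
            "metadata": {
                # Honest completeness flags: the sample records parameters only.
                "completeness": {"parameters": True, "environment": False, "materials": False},
                "reproducible": False,
            },
            "materials": [{"uri": source_uri, "digest": {"sha1": source_sha1}}],
        },
    }


def recorded_step_names(statement):
    """Every pipeline step the attestation records, in order."""
    return [s["name"] for s in statement["predicate"]["buildConfig"]["steps"]]


def non_artifact_steps(statement):
    """Steps that produced nothing but are still covered by the artifact's attestation."""
    return [s["name"] for s in statement["predicate"]["buildConfig"]["steps"] if not s["produces"]]


def verification_problems(statement, artifact_name, artifact_bytes, expected_builder_id, expected_steps):
    """Checks a consumer would make before trusting the artifact. Returns a list of
    problems; an empty list means the statement is consistent with what was handed over.
    (Signature verification of the enclosing DSSE envelope is out of scope here.)"""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append("unexpected statement type")
    if statement.get("predicateType") != PROVENANCE_TYPE:
        problems.append("unexpected predicate type")
    if statement.get("predicate", {}).get("builder", {}).get("id") != expected_builder_id:
        problems.append("builder id does not match the trusted builder")
    subjects = {s["name"]: s["digest"].get("sha256") for s in statement.get("subject", [])}
    if subjects.get(artifact_name) != sha256_hex(artifact_bytes):
        problems.append("subject digest does not match the artifact bytes")
    missing = [name for name in expected_steps if name not in recorded_step_names(statement)]
    if missing:
        problems.append("pipeline steps missing from buildConfig: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    stmt = make_provenance(ARTIFACT_NAME, ARTIFACT_BYTES, PIPELINE_STEPS, BUILDER_ID, SOURCE_URI, SOURCE_SHA1)
    print(json.dumps(stmt, indent=2))
    print("problems:", verification_problems(stmt, ARTIFACT_NAME, ARTIFACT_BYTES, BUILDER_ID,
                                             [s["name"] for s in PIPELINE_STEPS]))
```

The point of the shape: the test and deploy steps never become a subject of any attestation, yet a consumer of `app.tar.gz` can still see that they ran, because they are part of the process record attached to the artifact they relate to. Whether that is sufficient, or whether a deployment should get its own (non-provenance) attestation, is exactly the question this issue is asking.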
I believe this is related to #351 "Provide guidance on level of granularity for "build"", in that a provenance attestation describes a "build" per the provenance predicate model. Further attestations, to populate a universal asset graph, are not provenance attestations.
For more on alternative attestation types, see in-toto/attestation and https://github.com/in-toto/attestation/issues/98.
Since it's so close to #351, I'm going to merge it with that one to avoid having two parallel discussions.