
Provenance v1.0

Open MarkLodato opened this issue 3 years ago • 3 comments

This issue is for tracking and building consensus on what will go in the next version of the provenance spec, tentatively called v1.0.

Current proposal

Schema changes:

  • #349
  • #246
  • #401
  • #319

Documentation changes:

  • #353
  • #350
  • #397
  • #396

Meta:

  • #459

There is also a milestone, but it's not as useful because it does not show prioritization.

Discussion

I initially populated the list with every issue tagged as provenance.

If you have any opinions on adding more things or removing some things, please comment on this thread.

MarkLodato avatar Aug 05 '22 14:08 MarkLodato

Do we want the provenance to have a URL to download the source code? AFAIK, a git history rewrite makes it hard to recover the source code for a particular commit. Wdyt?

laurentsimon avatar Aug 08 '22 16:08 laurentsimon

Another thing worth discussing is the material section for all the dependencies. Would it be acceptable to allow a sha256 of a corresponding SBOM generated by the untrusted build steps?

It provides different guarantees (it's forgeable), but would quickly allow the 2 standards to co-exist... (Note: I've not followed all the SBOM efforts closely)

laurentsimon avatar Aug 13 '22 14:08 laurentsimon

A better option may be to use the SBOM as an additional subject, since it's an output of a build.

laurentsimon avatar Aug 17 '22 21:08 laurentsimon
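The two options discussed above (the SBOM's sha256 placed in the materials list versus the SBOM listed as an additional subject), as an added example that is not part of the original thread. The statement layout follows the v0.2-style predicate with a top-level `materials` list, the artefact and SBOM bytes are constructed, and the two lookup functions are mine: they show what a verifier can and cannot conclude about an SBOM from each layout.

```python
import hashlib

# Constructed sample artefact and SBOM bytes (not real build outputs).
ARTIFACT = b"binary contents of example-app"
SBOM = b'{"bomFormat":"CycloneDX","components":[]}'


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def statement(subjects, materials):
    # Minimal in-toto Statement carrying a v0.2-style SLSA provenance
    # predicate; the v1.0 layout was still under discussion in this thread.
    return {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": subjects,
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {"materials": materials},
    }


# Option (a): the SBOM digest appears only in materials.
OPTION_A = statement(
    subjects=[{"name": "example-app", "digest": {"sha256": sha256(ARTIFACT)}}],
    materials=[{"uri": "sbom://example-app.cdx.json",
                "digest": {"sha256": sha256(SBOM)}}],
)

# Option (b): the SBOM is an additional subject next to the artefact.
OPTION_B = statement(
    subjects=[
        {"name": "example-app", "digest": {"sha256": sha256(ARTIFACT)}},
        {"name": "example-app.cdx.json", "digest": {"sha256": sha256(SBOM)}},
    ],
    materials=[],
)


def attested_subject(stmt, blob: bytes):
    """Name of the subject whose sha256 matches blob, else None.
    A match means the statement attests to blob as a build output."""
    digest = sha256(blob)
    for subj in stmt["subject"]:
        if subj["digest"].get("sha256") == digest:
            return subj["name"]
    return None


def referenced_material(stmt, blob: bytes):
    """URI of the material whose sha256 matches blob, else None.
    A match only says the builder recorded blob as an input reference."""
    digest = sha256(blob)
    for mat in stmt["predicate"].get("materials", []):
        if mat["digest"].get("sha256") == digest:
            return mat["uri"]
    return None
```

Under option (a) the SBOM can be located by digest but is not one of the outputs the attestation vouches for; under option (b) a modified SBOM no longer matches any subject, so the check fails closed.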

Closing this as a duplicate of #497

MarkLodato avatar Mar 29 '23 20:03 MarkLodato