-
Notifications
You must be signed in to change notification settings - Fork 220
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
content: Add Source Track Level definitions #1066
base: main
Are you sure you want to change the base?
Conversation
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
4ac688e
to
6713ecd
Compare
Replace multi-factor authentication by strong authentication as other mechanisms can be considered strong authentication. Defer presentation of possible mechanisms in the separate 'source-requirements.md'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good overall but some text needs clarification.
what the expected provenance should look like for a given source revision and | ||
then compare each source revision's actual provenance to those expectations. | ||
Doing so prevents several classes of supply chain threats, mainly threats from | ||
A to C in the SLSA Supply Chain threats model. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A to C in the SLSA Supply Chain threats model. | |
A to C in the [SLSA Supply Chain threats model](threats-overview.md). |
revision followed the expected process. Consumers have some way of knowing | ||
what the expected provenance should look like for a given source revision and | ||
then compare each source revision's actual provenance to those expectations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have a hard time parsing this sentence. I assume this is meant to say that this is also what the source track enables but it doesn't say that and seems to simple state a fact, that's actually not one.
<dt>Requirements<dd> | ||
|
||
- Version Controlled: Every change to the source MUST be tracked in a | ||
version control system |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
version control system | |
version control system. |
- Makes easier for consumers the analysis of changes between two given | ||
revisions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- Makes easier for consumers the analysis of changes between two given | |
revisions | |
- Makes the analysis of changes between two given revisions easier for | |
consumers. |
- Immutable references: A given revision ID MUST identify unequivocally a | ||
given revision |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this tie which revision this is about with something like:
- Immutable references: A given revision ID MUST identify unequivocally a | |
given revision | |
- Immutable references: A given revision ID MUST identify unequivocally that | |
given revision |
Organizations that are unwilling or unable to incorporate code review into | ||
their software development practices. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm wondering whether this shouldn't be stronger and say "enforce" rather than "incorporate":
Organizations that are unwilling or unable to incorporate code review into | |
their software development practices. | |
Organizations that are unwilling or unable to enforce code review into | |
their software development practices. |
- Retained History: The revision and its change history are preserved | ||
indefinitely and cannot be deleted, except when subject to an established | ||
and transparent policy for obliteration, such as a legal or policy | ||
requirement. In that later case, a justification should be emitted in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
requirement. In that later case, a justification should be emitted in | |
requirement. In that later case, a justification SHOULD be emitted in |
Attributes changes in the version history to specific actors and timestamps, | ||
which allows for post-auditing, incident response, and deterrence for bad | ||
actors. Strong authentication makes account compromise more difficult, | ||
further ensuring the integrity of change attribution. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think these are 2 different benefits that should be split according to the respective requirements:
Attributes changes in the version history to specific actors and timestamps, | |
which allows for post-auditing, incident response, and deterrence for bad | |
actors. Strong authentication makes account compromise more difficult, | |
further ensuring the integrity of change attribution. | |
- Strong authentication makes account compromise more difficult, | |
further ensuring the integrity of change attribution. | |
- Attributes changes in the version history to specific actors and timestamps, | |
which allows for post-auditing, incident response, and deterrence for bad | |
actors. |
decision about what they’re approving. The reviewer MUST be presented with | ||
a full, meaningful content diff between the proposed revision and the | ||
previously reviewed revision. For example, it is not sufficient to just |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For the MUST to make sense in terms of compliance the reviewer cannot be the subject. This sentence needs to be reversed:
decision about what they’re approving. The reviewer MUST be presented with | |
a full, meaningful content diff between the proposed revision and the | |
previously reviewed revision. For example, it is not sufficient to just | |
decision about what they’re approving. A full, meaningful content diff between | |
the proposed revision and the previously reviewed revision MUST be | |
presented to the reviewer. For example, it is not sufficient to just |
Since all changes have been agreed to by at least two distinct trusted | ||
entities, a compromise of a single entity does not result in compromise | ||
of the project. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since all changes have been agreed to by at least two distinct trusted | |
entities, a compromise of a single entity does not result in compromise | |
of the project. | |
Since all changes have to be agreed to by at least two distinct trusted | |
entities, a compromise of a single entity is not sufficient to compromise | |
the project. |
Draft a the new source track level