content: Add 'principle' protecting anonymous and pseudonymous contribution in SLSA

As work on the source track progresses the topic of 'identity' comes up quite a bit.
There has been some confusion about what this means, that it could be that SLSA
intends to require legal identities for all contributors.  That isn't the case.

Many in the open source world prefer to contribute without revealing their 'real'
identities as has been practiced for many years. SLSA does not intend to change that.

This PR tries to make it clear that SLSA does not require real identities.

refs slsa-framework#1133

Signed-off-by: Tom Hennen <[email protected]>
TomHennen committed Dec 2, 2024
1 parent a266027 commit 44e796a
Showing 1 changed file with 19 additions and 1 deletion.
20 changes: 19 additions & 1 deletion docs/spec/draft/principles.md
Expand Up @@ -107,10 +107,28 @@ In practice, though, these configurations are almost impossible to get right and
keep right. There are often over-provisioning, confused deputy problems, or
mistakes. Even if a platform is configured properly at one moment, it might not
stay that way, and humans almost always end up getting in the access control
lists.
lists.

Access control is still important, but SLSA goes further to provide defense in depth: it **requires proof in
the form of attestations that the package was built correctly**.

**Benefits**: The attestation removes intermediate platforms from the trust base and ensures that
individuals who are accidentally granted access do not have sufficient permission to tamper with the package.

## Support anonymous and pseudonymous contribution

SLSA supports anonymous and pseudonymous 'identities' within the software supply chain.
While organizations that implement SLSA may chose otherwise, SLSA itself does not require,
or encourage, participants to be mapped to their legal identities.

**Nothing in this specification should be taken to mean that SLSA requires participants to
to reveal their legal identity.**

**Reasoning**: One of SLSA's other principles is to [trust code, not individuals](#trust-code-not-individuals).
The legal identity of actor is largely not relevant from a supply chain security perspective. Further,
_requiring_ a legal identity would likely preclude the participation of many of open source software's most
valued participants.

**Benefits**: By _not_ requiring legal identities SLSA lowers the barriers to its adoption, enabling
all of its other benefits and maintaining support for anonymous and pseudonymous contribution as has been
practiced in the software industry for decades.
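Review bot: the new "Support anonymous and pseudonymous contribution" section carries three wording defects that will land in the published spec text: "may chose otherwise" should be "may choose otherwise"; the bolded sentence duplicates "to" across the line break ("requires participants to / to reveal their legal identity"); and "The legal identity of actor" in the Reasoning paragraph is missing an article ("of an actor"). Separately, the hunk also touches the existing "lists." line with no visible content change, which looks like a trailing-whitespace edit; either drop it so the diff stays focused on the new principle, or mention it in the commit message. Finally, the link to #trust-code-not-individuals relies on that heading's anchor existing in principles.md; worth confirming the slug matches the actual heading text before merge.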
