SLSA 2 Compliance #3442

Open
upodroid opened this issue Jul 25, 2022 · 4 comments
Assignees
Labels
kind/security Issues or PRs related to security or CVEs. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@upodroid
Member

https://slsa.dev/spec/v0.1/requirements

In addition to #3440, we need to meet the following for SLSA 2:

Source:

  • Version controlled: Every change to the source is tracked in a version control system that meets the following requirements:
    • [Change history] There exists a record of the history of changes that went into the revision. Each change must contain: the identities of the uploader and reviewers (if any), timestamps of the reviews (if any) and submission, the change description/justification, the content of the change, and the parent revisions.
    • [Immutable reference] There exists a way to indefinitely reference this particular, immutable revision. In git, this is the {repo URL + branch/tag/ref + commit ID}.

Build:

  • Build Service: All build steps ran using some build service, not on a developer’s workstation.

Provenance:

  • Authenticated: The provenance’s authenticity and integrity can be verified by the consumer. This SHOULD be through a digital signature from a private key accessible only to the service generating the provenance.
  • Service Generated: The data in the provenance MUST be obtained from the build service (either because the generator is the build service or because the provenance generator reads the data directly from the build service).
  • Identifies source code: The provenance identifies the repository origin(s) for the source code used in the build.

/kind security
/priority important-soon
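The provenance requirements quoted above (Authenticated, Service Generated, Identifies source code) together with the Source "Immutable reference" rule, as a consumer-side check over a SLSA v0.1 in-toto statement in a DSSE envelope. This is an added example, not code from the knative repositories: the builder id, the repository URI and the signing key are constructed, and an HMAC stands in for the build service's asymmetric signature so the block runs offline.

```python
import base64, hashlib, hmac, json, re

PREDICATE_TYPE = "https://slsa.dev/provenance/v0.1"
SOURCE_REPO = "git+https://github.com/example-org/example-repo"   # assumed repository
TRUSTED_BUILDERS = {"https://example-ci.invalid/builder/v1"}       # assumed build service id
SIGNING_KEY = b"constructed-demo-key"  # HMAC key standing in for the service's private key

def pae(payload_type: str, payload: bytes) -> bytes:  # DSSE pre-authentication encoding
    return b"DSSEv1 %d %s %d %s" % (len(payload_type), payload_type.encode(), len(payload), payload)

def make_envelope(statement: dict) -> dict:
    """Wrap an in-toto statement in a signed DSSE envelope (constructed sample)."""
    payload = json.dumps(statement).encode()
    sig = hmac.new(SIGNING_KEY, pae("application/vnd.in-toto+json", payload), hashlib.sha256).digest()
    return {"payloadType": "application/vnd.in-toto+json", "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo", "sig": base64.b64encode(sig).decode()}]}

def check_slsa2_provenance(envelope: dict) -> list:
    """Return the SLSA 2 provenance requirements the envelope fails (empty list == pass)."""
    problems = []
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(SIGNING_KEY, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    # Authenticated: a signature must verify over PAE(type, payload), not over the raw JSON.
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"])) for s in envelope.get("signatures", [])):
        problems.append("Authenticated: no valid signature")
    stmt = json.loads(payload)
    pred = stmt.get("predicate", {}) if stmt.get("predicateType") == PREDICATE_TYPE else {}
    # Service Generated: the builder id must name a known build service, not a workstation.
    if pred.get("builder", {}).get("id") not in TRUSTED_BUILDERS:
        problems.append("Service Generated: builder is not a trusted build service")
    # Identifies source code + Immutable reference: repo URI plus a full git commit id.
    if not any(m.get("uri", "").startswith(SOURCE_REPO + "@") and re.fullmatch(r"[0-9a-f]{40}", m.get("digest", {}).get("sha1", ""))
               for m in pred.get("materials", [])):
        problems.append("Identifies source code: no immutable reference to " + SOURCE_REPO)
    return problems

def demo() -> dict:
    """Check a well-formed envelope, a workstation build and a tampered envelope."""
    good = {"_type": "https://in-toto.io/Statement/v0.1", "predicateType": PREDICATE_TYPE,
            "subject": [{"name": "example-image", "digest": {"sha256": "ab" * 32}}],
            "predicate": {"builder": {"id": "https://example-ci.invalid/builder/v1"},
                          "materials": [{"uri": SOURCE_REPO + "@refs/heads/main",
                                         "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"}}]}}
    workstation = json.loads(json.dumps(good))
    workstation["predicate"]["builder"]["id"] = "laptop-of-a-developer"
    tampered = make_envelope(good)
    tampered["payload"] = make_envelope(workstation)["payload"]  # body swapped after signing
    return {name: check_slsa2_provenance(env) for name, env in
            [("good", make_envelope(good)), ("workstation", make_envelope(workstation)), ("tampered", tampered)]}
```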

@knative-prow knative-prow bot added kind/security Issues or PRs related to security or CVEs. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jul 25, 2022
@upodroid upodroid self-assigned this Jul 25, 2022
@upodroid
Member Author

/lifecycle stale

@knative-prow knative-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 13, 2022
@upodroid
Member Author

/remove-lifecycle stale

@knative-prow knative-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 13, 2022
@github-actions

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 12, 2023
@upodroid upodroid added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jan 13, 2023
@upodroid
Member Author

upodroid commented Jun 7, 2023

/transfer knative/infra
