What does "documented process" mean? #1139

Closed · Fixed by #1206

TomHennen opened this issue Sep 19, 2024 · 3 comments

@TomHennen (Contributor)
What does "documented process" mean?

Originally posted by @marcelamelara in #1094 (comment)

@adityasaky (Member)

adityasaky commented Sep 20, 2024

The full text is:

The repo must define how the content of a branch is allowed to change. This is typically done via the configuration of branch protection rules. It MUST NOT be possible to modify the content of a branch without following its documented process.

In addition to @zachariahcox's suggestion of saying "this documented process", we may want to clarify who the consumer of this documented process is. Is it visible to anyone (e.g. GitHub ruleset definitions around a PR, gittuf policy metadata) who can read the repository? Is there a minimum expectation on a set of entities having access to the documented process (e.g. the full set of verifiers issuing VSAs)? Is this just back to whoever the repository owners allow to view the process (I imagine VSA issuers would likely be allow-listed)? We should also discuss how process changes are tracked, as that can be really important for rewinding time and auditing some past change.

@adityasaky (Member)

From a discussion at Git Merge between @TomHennen and me:

"documented process" seems to mean the configured rules governing the change management process. Tom and I agree this is likely what we want, but Tom highlighted that the term can be parsed to mean a longform textual description of a change process (e.g. CONTRIBUTING.md). Another term may be in order if we all agree that we really mean the configurations / rules.

If we agree on that note, the next question goes back to my previous comment about who can see these configurations, the ability to see how they evolve etc. Among other things, I think this would tie into the ability to verify the source provenance attestations introduced in #1094.

@TomHennen (Contributor, Author)

Quick follow-up: we'd also discussed that perhaps this can be simplified to ACLing. E.g. "the actors involved in creating the revision met the requirements of the access control list at the time the revision was created"?
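The two readings in the thread (a prose document versus the configured rules, and the follow-up that the check reduces to "did the actors meet the ACL in effect at the time") can be made concrete. The following is an added example, not code from the SLSA project, GitHub or gittuf: it keeps a time-ordered history of branch-rule snapshots, judges each revision against the snapshot in effect when that revision was created, and lists how the rules changed between snapshots so that a past change can be audited. The rule schema (`allowed_pushers`, `allowed_approvers`, `required_approvals`) is hypothetical, and the rule history and revision records are constructed sample data.

```python
"""Check revisions against the branch rules in effect at their creation time.

Added example for the 'documented process' discussion; not SLSA, GitHub or
gittuf code. The BranchRules schema is hypothetical and the data below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class BranchRules:
    """One snapshot of a branch's configured rules (hypothetical schema)."""
    effective_from: datetime
    allowed_pushers: frozenset   # actors allowed to update the branch
    allowed_approvers: frozenset  # actors whose approvals count
    required_approvals: int       # approvals needed, excluding the pusher
    changed_by: str               # who put this snapshot into effect


@dataclass(frozen=True)
class Revision:
    """What the source system recorded about one revision (constructed)."""
    sha: str
    created_at: datetime
    pushed_by: str
    approvers: frozenset


def rules_in_effect(history, at):
    """Return the latest snapshot whose effective_from is not after `at`."""
    applicable = [r for r in history if r.effective_from <= at]
    if not applicable:
        raise ValueError(f"no rules in effect at {at.isoformat()}")
    return max(applicable, key=lambda r: r.effective_from)


def check_revision(history, rev):
    """Return (ok, problems) judged against the rules at rev.created_at,
    not against whatever the rules happen to be now."""
    rules = rules_in_effect(history, rev.created_at)
    problems = []
    if rev.pushed_by not in rules.allowed_pushers:
        problems.append(f"pusher {rev.pushed_by} was not on the allow-list")
    # Only approvals from listed approvers count, and self-approval does not.
    counted = (rev.approvers & rules.allowed_approvers) - {rev.pushed_by}
    if len(counted) < rules.required_approvals:
        problems.append(
            f"{len(counted)} counted approval(s), {rules.required_approvals} required")
    return (not problems, problems)


def rule_changes(history):
    """List (when, by whom, {field: (old, new)}) for each change between
    consecutive snapshots; this is the audit trail the thread asks about."""
    ordered = sorted(history, key=lambda r: r.effective_from)
    fields = ("allowed_pushers", "allowed_approvers", "required_approvals")
    changes = []
    for prev, cur in zip(ordered, ordered[1:]):
        diff = {f: (getattr(prev, f), getattr(cur, f))
                for f in fields if getattr(prev, f) != getattr(cur, f)}
        changes.append((cur.effective_from, cur.changed_by, diff))
    return changes


# Constructed rule history: October tightened the rules (no direct pushes by
# humans, two approvals instead of one, carol added as an approver).
HISTORY = [
    BranchRules(datetime(2024, 9, 1, tzinfo=UTC), frozenset({"ci-bot", "alice"}),
                frozenset({"alice", "bob"}), 1, changed_by="alice"),
    BranchRules(datetime(2024, 10, 1, tzinfo=UTC), frozenset({"ci-bot"}),
                frozenset({"alice", "bob", "carol"}), 2, changed_by="alice"),
]

# Constructed revision records (shas are placeholders).
REVISIONS = {
    "rev-a": Revision("rev-a", datetime(2024, 9, 15, tzinfo=UTC), "alice", frozenset({"bob"})),
    "rev-b": Revision("rev-b", datetime(2024, 10, 10, tzinfo=UTC), "alice", frozenset({"bob", "carol"})),
    "rev-c": Revision("rev-c", datetime(2024, 10, 12, tzinfo=UTC), "ci-bot", frozenset({"alice"})),
    "rev-d": Revision("rev-d", datetime(2024, 10, 12, tzinfo=UTC), "ci-bot",
                      frozenset({"alice", "bob", "mallory"})),
}

if __name__ == "__main__":
    for sha, rev in REVISIONS.items():
        ok, problems = check_revision(HISTORY, rev)
        print(sha, "OK" if ok else "FAILED", problems)
    for when, who, diff in rule_changes(HISTORY):
        print(f"rules changed {when.date()} by {who}: {diff}")
```

Note that `rev-b` passes under the September rules but fails under the October rules that were actually in effect when it was created, which is exactly why the check needs the rule history rather than only the current configuration; `rev-d` passes because the unlisted approver is simply not counted.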

@TomHennen TomHennen self-assigned this Oct 16, 2024
TomHennen added a commit to TomHennen/slsa that referenced this issue Oct 16, 2024
fixes slsa-framework#1139

Per slsa-framework#1139, 'documented process' was somewhat confusing and could
be interpreted as meaning some _prose_ documentation. I think the
real aim is to ensure all the rules for making a change to a
branch were followed.

So I changed the text to talk about those rules, rather than
'documented process'.  I think this is more aligned with what
we're looking for?

Signed-off-by: Tom Hennen <[email protected]>
TomHennen added a commit to TomHennen/slsa that referenced this issue Oct 23, 2024
fixes slsa-framework#1139

Per slsa-framework#1139, 'documented process' was somewhat confusing and could
be interpreted as meaning some _prose_ documentation. I think the
real aim is to ensure all the rules for making a change to a
branch were followed.

So I changed the text to talk about those rules, rather than
'documented process'.  I think this is more aligned with what
we're looking for?

Signed-off-by: Tom Hennen <[email protected]>
Status: Done

3 participants