content: draft: define how downstream users can verify the SLSA source track level of revisions #1094
Conversation
Just focusing on how to communicate levels to downstream users. Future updates can include guidance for how to verify. Open question: should this live here or someplace else? refs slsa-framework#1071 Signed-off-by: Tom Hennen <[email protected]>
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
TomHennen
changed the title
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
TomHennen
changed the title
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
TomHennen
changed the title
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
| 1. `subject.uri` SHOULD be set to a human readable URI of the revision. | ||
| 2. `subject.digest` MUST include the revision identifier (e.g. `gitCommit`) and MAY include other digests over the contents of the revision (e.g. `gitTree`, `dirHash`, etc...). | ||
| SCPs that do not use cryptographic digests MUST define a canonical type that is used to identify immutable revisions (e.g. `svn_revision_id`)[^1]. | ||
| 3. `subject.annotations.source_branches` SHOULD be set to a list of branches that pointed to this revision at any point in their history. |
There was a problem hiding this comment.
at any point in their history
I think this is supposed to help consumers who only want releases/* refs?
They would be able to see if this revision was reachable from any release ref when this attestation was minted.
For a single revision / subject, a normal git late branching flow would keep reminting these things when important branches point to it.
I'd be nice not to have to do that.
There was a problem hiding this comment.
I think this is supposed to help consumers who only want releases/* refs?
Something like that yes.
For a single revision / subject, a normal git late branching flow would keep reminting these things when important branches point to it.
I'd be nice not to have to do that.
Could they be minted on-demand?
If not, do you have any other thoughts about how to capture this information (or perhaps we should see if we can make it inconsequential?)
There was a problem hiding this comment.
Could they be minted on-demand?
that sounds tricky! like, do you include forks? user branches? etc. Probably we need to avoid needing it.
I think the intent is to say: I can deploy this revision because X, where X is the set of rules required to land in the /refs/heads/release/ refspec on this date.
Ideally, you'd be able to reverify the qualifications for X and not need to use the refname as a place holder.
If you do need the refname, I think we'd pretty much always need to explain why so we can know if any mapping is required when the ref rules change over time.
There was a problem hiding this comment.
Oh so we typically use the branch name to convey semantic between the folks managing the code and the folks writing the individual policies.
The automated rules that get applied to a 'experimental' and 'release' branch might very well be the same, but the code you put in them would be different. Being able to convey downstream if something was good enough for the 'release' branch is very helpful! These names will likely differ from team to team as they set up their branches and development flows differently.
So I suppose I view the refname(?) as orthogonal to the actual rules the SCP is enforcing at any point in time.
Does that explanation help explain why we'd want such a thing? (Even if we do decide it's too hard to actually implement)
There was a problem hiding this comment.
In our last discussion I think we agreed that having some way to reference the branch names is useful, so I think this can be resolved?
There was a problem hiding this comment.
we can definitely reference the branch names in the revision-creation claims -- it's not likely to be feasible to mint attestations on demand or on every ref update, but potentially on every closed pull request?
@TomHennen maybe we can focus the discussion just on that part going forward?
There was a problem hiding this comment.
Sure, let me make a proposal on how this happens. Might be worth merging with other language that @zachariahcox added (?) about which branches on 'consumable'. I'll have to go look for the specifics. (suggestion per @adityasaky ).
Another suggestion: don't define how it's done here but instead leave it up to the implementing systems to define when they set these things. However I think it's probably helpful to have some minimum path that a system like GitHub could use (as a sort of 'existence proof').
WDYT @zachariahcox ?
There was a problem hiding this comment.
Ok, I've made a concrete proposal. PTAL?
Signed-off-by: Tom Hennen <[email protected]>
There was a problem hiding this comment.
Thanks @TomHennen for moving this one forward.
I personally think this is a great start and we can continue to work out the details in future iterations.
Co-authored-by: Zachariah Cox <[email protected]> Signed-off-by: Tom Hennen <[email protected]>
Co-authored-by: Zachariah Cox <[email protected]> Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
Good feedback, added to #1128 (comment) to be sure we address it before we release. |
|
Ok, I think all outstanding comments have been addressed or turned into tracking issues. Can we get one more approval and merge this draft? |
TomHennen
requested review from
marcelamelara,
mlieberman85,
arewm and
adityasaky
There was a problem hiding this comment.
Some nits, but I think we can merge this! Thanks @TomHennen!
Co-authored-by: Aditya Sirish <[email protected]> Signed-off-by: Tom Hennen <[email protected]>
Co-authored-by: Aditya Sirish <[email protected]> Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
There was a problem hiding this comment.
Thanks @TomHennen ! I only have minor comments at this point; they can either be resolved quickly or in a future PR.
| 6. `dependencyLevels` MAY be empty as source revisions are typically terminal nodes in a supply chain. | ||
|
|
||
| Verifiers MAY issue these attestations based on their understanding of the underlying system (e.g. based on design docs, security reviews, etc...), | ||
| but at SLSA Source Level 3 MUST used tamper-proof [provenance attestations](#provenance-attestations) appropriate to their SCP when making the assessment. |
There was a problem hiding this comment.
Tiny typo
| but at SLSA Source Level 3 MUST used tamper-proof [provenance attestations](#provenance-attestations) appropriate to their SCP when making the assessment. | |
| but at SLSA Source Level 3 MUST use tamper-proof [provenance attestations](#provenance-attestations) appropriate to their SCP when making the assessment. |
| revision's source level. Summary attestations convey properties about the revision as a whole and summarize properties computed over all | ||
| the changes that contributed to that revision over its history. | ||
|
|
||
| The source track issues summary attestations using [Verification Summary Attestations (VSAs)](./verification_summary.md) as follows: |
There was a problem hiding this comment.
Eventually, I think this list should be moved closer to the VSA spec itself so that users can reference the schema and these specific requirements together.
|
|
||
| #### Populating source_branches | ||
|
|
||
| The summary attestation issuer may chose to populate `source_branches` in any way they wish. |
There was a problem hiding this comment.
Tiny typo
| The summary attestation issuer may chose to populate `source_branches` in any way they wish. | |
| The summary attestation issuer may choose to populate `source_branches` in any way they wish. |
| These differences also mean that depending on the SCP and the repo's configuration the issuers of | ||
| provenance attestations may vary from implementation to implementation, often because entities with | ||
| the knowledge to issue them may vary. The authority that issues |
There was a problem hiding this comment.
I'm wondering if we can be a tad more concrete than "Entities with the knowledge to issue them". Is this about the SCP's components, or are these entities more at an organizational level? Or something else I might be missing?
fixes #1071
fixes #1042
refs #241
This PR modifies draft content of the SLSA spec.
Context
See discussions here and here.
Google document requires [email protected] membership.
VSA for source
Define how downstream users can verify the SLSA source track level of revisions by using a VSAs produced by the Source Control Platform (SCP).
To use these VSAs users do not need to know the specifics of how any given SCP or Version Control System (VCS) meets the SLSA source requirements (which may vary greatly from implementation to implementation). Instead it is left to the SCP or another trusted 'authority' to make that determination for downstream users.
The question of how the authority ensures those claims to be true is left undefined in this change.
Future updates can include guidance for how to verify source level when combined with build provenance.
Example scenario
SLSA_SOURCE_LEVEL_2in theverifiedLevelsfield.