From 44bc49b4eca798df3e2beb4b3c4891f83189f177 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Wed, 16 Oct 2024 19:53:05 +0000 Subject: [PATCH 1/8] content: draft: reword "Change management process" requirement fixes #1139 Per #1139, 'documented process' was somewhat confusing and could be interpreted as meaning some _prose_ documentation. I think the real aim is to ensure all the rules for making a change to a branch were followed. So I changed the text to talk about those rules, rather than 'documented process'. I think this is more aligned with what we're looking for? Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index 406ebd840..ebed2b31e 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md 
@@ -219,20 +219,24 @@ If a consumer is authorized to access source on a particular branch, they MUST b It is possible that an SCS can make no claims about a particular revision. For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process. ✓ -Change management process +Enforced change management process +The repo MUST ensure that all technical controls governing changes to a [branch](#definitions) -The repo must define how the content of a [branch](#definitions) is allowed to change. -This is typically done via the configuration of branch protection rules. -It MUST NOT be possible to modify the content of a branch without following its documented process. +1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). +2. Are discoverable by authorized users of the repo. + +For example, this can be accomplished: + +- Via the configuration of branch protection rules (e.g.[GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule), [GitLab](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html)). +- Via application and verification of [gittuf](https://github.com/gittuf/gittuf) policies. +- Or some other mechanism as enforced by the [Change management tool](#change-management-tool-requirements). -SLSA Source Level 2 ensures that all changes are recorded and attributable to an actor. -SLSA Source Level 3 ensures that the documented process was followed. ✓ ## Change management tool requirements -The change management tool MUST be able to authoritatively state that each new revision reachable from the protected branch represents only the changes managed via the process. 
+The change management tool MUST be able to authoritatively state that each new revision reachable from the protected branch represents only the changes managed via the [process](#change-management-process).
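Review bot: The new requirement text in this hunk (`all technical controls governing changes to a [branch](#definitions)` ... `Cannot be bypassed except via the [Safe Expunging Process]`) does not say whether reconfiguring or disabling the controls themselves counts as a bypass; as written, an actor who is allowed to edit the branch protection rules could remove a rule, push, and restore it without violating the sentence. Suggest either stating that changes to the controls are themselves governed by the change management process, or adding that to the "discoverable by authorized users" item so the configuration history is part of what must be visible. Second, the last `+` line links to `[process](#change-management-process)` while the same hunk renames the row heading from `Change management process` to `Enforced change management process`; if the site derives anchors from heading text (an assumption about this site's tooling), that fragment becomes `#enforced-change-management-process` and the link dangles, so update the fragment or give the row an explicit anchor. Two style points: the lead sentence `The repo MUST ensure that all technical controls governing changes to a [branch](#definitions)` runs straight into the `1.`/`2.` list with no colon or blank line, which several later commits in this series then fight with, and `e.g.[GitHub]` is missing a space after `e.g.`. Finally, the removed lines `SLSA Source Level 2 ensures that all changes are recorded and attributable to an actor.` and `SLSA Source Level 3 ensures that the documented process was followed.` were the only prose tying this requirement to a level; if the `✓` column is now meant to carry that on its own, say so in the PR description.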
RequirementDescriptionL1L2L3 From df91cc9e1b65c6656c6a551d437449c1787d4105 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Wed, 16 Oct 2024 19:56:08 +0000 Subject: [PATCH 2/8] make linter happy Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index ebed2b31e..ea6bbd948 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md @@ -222,14 +222,14 @@ For example, this would happen if the revision was created on another SCS, or if
Enforced change management process The repo MUST ensure that all technical controls governing changes to a [branch](#definitions) -1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). -2. Are discoverable by authorized users of the repo. +1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). +2. Are discoverable by authorized users of the repo. For example, this can be accomplished: -- Via the configuration of branch protection rules (e.g.[GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule), [GitLab](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html)). -- Via application and verification of [gittuf](https://github.com/gittuf/gittuf) policies. -- Or some other mechanism as enforced by the [Change management tool](#change-management-tool-requirements). +- Via the configuration of branch protection rules (e.g.[GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule), [GitLab](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html)). +- Via application and verification of [gittuf](https://github.com/gittuf/gittuf) policies. +- Or some other mechanism as enforced by the [Change management tool](#change-management-tool-requirements).
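Review bot: Every `-`/`+` pair in this hunk is textually identical, so the change is whitespace-only (presumably trailing spaces, which is the usual Markdown lint finding, though the hunk does not show which) and invisible in a rendered diff. The commit message `make linter happy` should name the rule that fired so a reviewer can confirm nothing else moved without diffing bytes; if the removed trailing spaces were acting as Markdown hard line breaks, the rendered list should be re-checked after this commit.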
From 1a72f76b957b1fc72c6057d0bd1184edd088ef24 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 17 Oct 2024 13:25:36 +0000 Subject: [PATCH 3/8] repo -> SCS enforces controls Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index ea6bbd948..c7ad1f783 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md @@ -220,7 +220,7 @@ It is possible that an SCS can make no claims about a particular revision. For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process. ✓ Enforced change management process -The repo MUST ensure that all technical controls governing changes to a [branch](#definitions) +The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) 1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). 2. Are discoverable by authorized users of the repo. From 8908ad5b489070794d45c7964852125fce29e5c5 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 17 Oct 2024 13:42:15 +0000 Subject: [PATCH 4/8] try adding another character to see if that fixes the link rendering... Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index c7ad1f783..3314fc194 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md 
@@ -220,7 +220,7 @@ It is possible that an SCS can make no claims about a particular revision. For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process. ✓ Enforced change management process -The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) +The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions): 1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). 2. Are discoverable by authorized users of the repo. From 6d36c5e7eff730c52a29ed6911f4c5c1937eb6dd Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 17 Oct 2024 13:43:30 +0000 Subject: [PATCH 5/8] maybe a space? idk :/ Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index 3314fc194..1762f7ee8 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md @@ -220,7 +220,7 @@ It is possible that an SCS can make no claims about a particular revision. For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process. ✓ Enforced change management process -The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions): +The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) 1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). 2. Are discoverable by authorized users of the repo. From 54fbc1ca9d7b5a3cb27ed102429f1358be16e9e5 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 17 Oct 2024 13:44:45 +0000 Subject: [PATCH 6/8] revert space change, not sure what's up with this link 
Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index 1762f7ee8..c7ad1f783 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md @@ -220,7 +220,7 @@ It is possible that an SCS can make no claims about a particular revision. For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process. ✓ Enforced change management process -The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) +The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) 1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). 2. Are discoverable by authorized users of the repo. From 90e8b353883ec53bf8c5991eefa71dc97c143525 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Thu, 17 Oct 2024 13:45:45 +0000 Subject: [PATCH 7/8] add spacing around html Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index c7ad1f783..c8a4b963d 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md 
@@ -218,8 +218,10 @@ If a consumer is authorized to access source on a particular branch, they MUST b It is possible that an SCS can make no claims about a particular revision. For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process. + ✓ Enforced change management process + The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) 1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). From 2a440e083296b924b262563d1c3d0a3f5fa030d9 Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Wed, 23 Oct 2024 17:16:52 +0000 Subject: [PATCH 8/8] respond to pr comments Signed-off-by: Tom Hennen --- docs/spec/draft/source-requirements.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/spec/draft/source-requirements.md b/docs/spec/draft/source-requirements.md index c8a4b963d..e2cb85f78 100644 --- a/docs/spec/draft/source-requirements.md +++ b/docs/spec/draft/source-requirements.md 
@@ -224,14 +224,14 @@ For example, this would happen if the revision was created on another SCS, or if The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions) -1. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). -2. Are discoverable by authorized users of the repo. +1. Are discoverable by authorized users of the repo. +2. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process). -For example, this can be accomplished: +For example, this could be accomplished by: -- Via the configuration of branch protection rules (e.g.[GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule), [GitLab](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html)). -- Via application and verification of [gittuf](https://github.com/gittuf/gittuf) policies. -- Or some other mechanism as enforced by the [Change management tool](#change-management-tool-requirements). +- Via the configuration of branch protection rules (e.g.[GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule), [GitLab](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html)), or +- via application and verification of [gittuf](https://github.com/gittuf/gittuf) policies, or +- some other mechanism as enforced by the [Change management tool](#change-management-tool-requirements). ✓
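Review bot: The three bullets in this hunk now form one continuing sentence (`could be accomplished by:` ... `, or` ... `, or` ... `.`), but the first item still opens with capital `Via` while the second opens with lowercase `via`; pick one casing for all three. `e.g.[GitHub]` still lacks a space after `e.g.`. The substantive change here is swapping the order so `Are discoverable by authorized users of the repo.` comes before `Cannot be bypassed except via the [Safe Expunging Process]`; the commit message `respond to pr comments` gives no rationale, and a one-line reason (or a link to the comment that asked for it) would help anyone reading the history later.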