Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

content: draft: reword "Change management process" requirement #1206

Merged
merged 8 commits into from
Oct 24, 2024
Merged

content: draft: reword "Change management process" requirement #1206

Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
44bc49b
content: draft: reword "Change management process" requirement
TomHennen Oct 16, 2024
df91cc9
make linter happy
TomHennen Oct 16, 2024
1a72f76
repo -> SCS enforces controls
TomHennen Oct 17, 2024
8908ad5
try adding another character to see if that fixes the link rendering...
TomHennen Oct 17, 2024
6d36c5e
maybe a space? idk :/
TomHennen Oct 17, 2024
54fbc1c
revert space change, not sure what's up with this link
TomHennen Oct 17, 2024
90e8b35
add spacing around html
TomHennen Oct 17, 2024
2a440e0
respond to pr comments
TomHennen Oct 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 13 additions & 7 deletions docs/spec/draft/source-requirements.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -218,21 +218,27 @@ If a consumer is authorized to access source on a particular branch, they MUST b

It is possible that an SCS can make no claims about a particular revision.
For example, this would happen if the revision was created on another SCS, or if the revision was not the result of an accepted change management process.

<td><td><td>✓
<tr id="change-management-process"><td>Change management process<td>
<tr id="change-management-process"><td>Enforced change management process<td>

The SCS MUST ensure that all technical controls governing changes to a [branch](#definitions)

1. Are discoverable by authorized users of the repo.
2. Cannot be bypassed except via the [Safe Expunging Process](#safe-expunging-process).

For example, this could be accomplished by:

The repo must define how the content of a [branch](#definitions) is allowed to change.
This is typically done via the configuration of branch protection rules.
It MUST NOT be possible to modify the content of a branch without following its documented process.
- Via the configuration of branch protection rules (e.g.[GitHub](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule), [GitLab](https://docs.gitlab.com/ee/user/project/repository/branches/protected.html)), or
- via application and verification of [gittuf](https://github.com/gittuf/gittuf) policies, or
- some other mechanism as enforced by the [Change management tool](#change-management-tool-requirements).

SLSA Source Level 2 ensures that all changes are recorded and attributable to an actor.
SLSA Source Level 3 ensures that the documented process was followed.
<td><td><td>✓
</table>

## Change management tool requirements

The change management tool MUST be able to authoritatively state that each new revision reachable from the protected branch represents only the changes managed via the process.
The change management tool MUST be able to authoritatively state that each new revision reachable from the protected branch represents only the changes managed via the [process](#change-management-process).

<table>
<tr><th>Requirement<th>Description<th>L1<th>L2<th>L3
Expand Down