bazel-contrib / SIG-rules-authors

Governance and admin for the rules authors Special Interest Group
https://bazel-contrib.github.io/SIG-rules-authors/
Apache License 2.0

Support supply-chain security (slsa) #13

Closed alexeagle closed 1 year ago

alexeagle commented 2 years ago

Someone would need to gather requirements on what data a tool like salsa needs for establishing provenance of binaries.

In theory an aspect could visit the build graph to collect these.

It also needs to interact with every package manager to know the origin of third-party library code/binaries.

This is a superset of the rules_license problem, to track metadata transitively through the graph.

If we had a recommendation for what rules authors ought to do, we could document that, provide verification tooling for this feature. We could supply "BCID level numbering". Maybe there's a test rule that can verify a binary has the following provenance.
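One way the aspect idea above could look in practice, as an added example that is not code from this issue, the SIG, or rules_license: a Starlark aspect that walks `deps` bottom-up, records each target's label, rule kind and direct sources, merges the records transitively in a depset, and writes a per-target JSON manifest. The file name `provenance.bzl`, the `ProvenanceInfo` provider, the record schema and the reliance on `srcs`/`deps` attributes are all assumptions made for illustration.

```starlark
# provenance.bzl (hypothetical; added example, not part of any Bazel project)
# Aspect that collects build-graph provenance metadata transitively, in the
# spirit of the metadata tracking rules_license does for licenses.

ProvenanceInfo = provider(
    doc = "Transitive provenance records collected by provenance_aspect.",
    fields = {"records": "depset of structs with label, kind and srcs"},
)

def _provenance_aspect_impl(target, ctx):
    # Direct source files of this target (assumes a `srcs` label-list attr).
    srcs = []
    if hasattr(ctx.rule.attr, "srcs"):
        for src in ctx.rule.files.srcs:
            srcs.append(src.path)

    record = struct(
        label = str(target.label),
        kind = ctx.rule.kind,
        srcs = srcs,
    )

    # Aspects run bottom-up, so each dependency already carries its records;
    # merge them instead of re-walking the graph (assumes a `deps` attr).
    transitive = []
    if hasattr(ctx.rule.attr, "deps"):
        for dep in ctx.rule.attr.deps:
            if ProvenanceInfo in dep:
                transitive.append(dep[ProvenanceInfo].records)
    records = depset(direct = [record], transitive = transitive)

    # Emit a JSON manifest per target so a verification tool can inspect it.
    # The schema is made up here; a real tool would define its own.
    out = ctx.actions.declare_file(target.label.name + ".provenance.json")
    ctx.actions.write(out, json.encode(records.to_list()))

    return [
        ProvenanceInfo(records = records),
        OutputGroupInfo(provenance = depset([out])),
    ]

provenance_aspect = aspect(
    implementation = _provenance_aspect_impl,
    attr_aspects = ["deps"],
)
```

Run it with `bazel build //... --aspects=//tools:provenance.bzl%provenance_aspect --output_groups=provenance` (path assumed); note that it only sees what the build graph exposes, so the origin of third-party code fetched by package managers, the gap raised above, still has to be supplied by each fetching rule.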

jsharpe commented 2 years ago

For context: https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html

aiuto commented 2 years ago

cc: @aiuto

alexeagle commented 2 years ago

My understanding is that Google is funding the slsa project, so we'd hope they can contribute resources to making the Bazel ecosystem support it.

alexeagle commented 1 year ago

I think we should just close this issue, since Tony is working on this problem in rules_license and there's nothing the rules authors SIG can act on right now, as far as I know.