ossf / s2c2f

The S2C2F Project is a group working within the OpenSSF's Supply Chain Integrity Working Group formed to further develop and continuously improve the S2C2F guide which outlines and defines how to securely consume Open Source Software (OSS) dependencies into the developer’s workflow.

Crosswalk with SLSA #14

Closed david-a-wheeler closed 12 months ago

david-a-wheeler commented 1 year ago

FYI: Melba did some work to identify potential overlaps.

adriandiglio commented 1 year ago

In the Appendix of our guide, we mapped our requirements to 6 other frameworks/guides, and SLSA was one of them. There was very little overlap. This mapping was done prior to SLSA achieving 1.0 and might need to be double-checked, but at least we have an existing mapping to start from:

| S2C2F requirement | Description | SLSA mapping |
|---|---|---|
| AUD-1 | Verify the provenance of your OSS | SLSA: Provenance – Dependencies complete |
| REB-1 | Rebuild the OSS in a trusted build environment, or validate that it is reproducibly built | SLSA: Build – Reproducible |

jasminewang0 commented 1 year ago

Following the release of SLSA 1.0, we do not believe there are any overlapping requirements anymore. However, the SLSA: Producing Artifacts - Distribute Provenance requirement is a touch-point with the S2C2F's AUD-1: Verify the provenance of your OSS.

I will update the Appendix to reflect this.

jasminewang0 commented 12 months ago

Updated appendix to reflect SLSA v1.0 touchpoint