slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Clarify the value of L1 in the source track #1070

Closed TomHennen closed 3 weeks ago

TomHennen commented 3 months ago

There’ve been outstanding questions on the value of L1 given that most projects already use source control. This can definitely be clarified.

TomHennen commented 3 months ago

If #1071 is resolved, that might help clarify the L1 value? E.g., if L1 is about ensuring the communications infrastructure exists, that might be equivalent to build level 1 requiring some provenance?

joshuagl commented 3 months ago

If we end up with something closer to the objectives proposed in #1072, then we might consider L1 to be using an SCP w/ a PR workflow which produces provenance.

zachariahcox commented 3 weeks ago

Closing as a duplicate of #1112.