Open TomHennen opened 1 week ago
In a comment thread on a doc on this topic I said:
@roche@adacore.com I don't think the intent was to drop it from the track entirely for v1.1, just to drop it from this draft of the PR to allow it to be iterated on separately.
I think it's definitely something that should be in scope for the final v1.1.
FWIW internally we did wind up taking a different approach where the SCP provides an API for the builder to call and get metadata about the protection status of the repo at that commit. The builder then embeds that information directly to the build provenance. That would up being easier for our internal partners to implement and it did make evaluation easier too. But it does have its downsides.
It winds up looking something like this:
"resolvedDependencies": [{
// The git repo that contains the build.yaml referenced above.
"uri": "git+[https://github.com/foo/bar.git](https://www.google.com/url?q=https://github.com/foo/bar.git&sa=D&source=docs&ust=1718640718887393&usg=AOvVaw2K9aO8Nvg5jQpiLdhA9hlj)",
// The resolved git commit hash reflecting the version of the repo used for this build.
"digest": {"gitCommit": "abc..."}
"annotations": {
"SLSA_STATUS": { "level": "SLSA_SOURCE_L2" }
}
}]
But the main point is... yes, we absolutely need some method of communicating this data, I think it should absolutely be > in v1.1, but let's handle defining it in a separate issue/PR?
Builds have provenance. Source track doesn’t (it was explicitly removed from this PR).
@Nikokrock says:
In the SLSA specification meeting on June 17th this [was discussed] (https://docs.google.com/document/d/1PwhekVB1iDpcgCQRNVN_aesoVdOiTruoebCs896aGxw/edit#bookmark=id.oqoqjt4urxm) (note that this isn't necessarily 'final' we can discuss more here?):