Open TomHennen opened 3 weeks ago
Some thoughts on this topic.
Submodules are just files. In that sense, nothing special is needed.
However, if you direct a tool to act on the content of those files (e.g. `git clone --recurse-submodules`), you will end up with other repos in your repo.
In this sense, submodule objects are similar to dependency lock files.
Not all submodules are required (it might not be necessary to clone every submodule), and there are other ways to get the nested repo pattern needed by a project (e.g. just clone them directly from a makefile).
I think we say that SLSA levels are not transitive like that, so the answer is "yes."
I'd agree, so long as we require that the builder include each submodule repo as a separate 'resolvedDependency' so that it's easy for package verifiers to know that all these other repos were used.
Would that be reasonable?
_Originally posted by @TomHennen in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1672743142_
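As an added example (not code from the thread or from the SLSA project), here is a small Python sketch of how a builder could emit one `resolvedDependencies` entry per submodule that was actually checked out, using the superproject's `.gitmodules` and the gitlink pins from `git ls-tree`. The `uri`/`digest.gitCommit` layout follows the SLSA v1 provenance shape; the repo URLs, commit ids and the `git+` URI prefix are constructed placeholders.

```python
# Constructed sample input (hypothetical repos and commit ids), not taken from
# the thread: a superproject's .gitmodules and its `git ls-tree HEAD` output.
GITMODULES = """\
[submodule "libfoo"]
    path = third_party/libfoo
    url = https://github.com/example/libfoo.git
[submodule "theme"]
    path = docs/theme
    url = https://github.com/example/docs-theme.git
"""
LS_TREE = """\
100644 blob 1111111111111111111111111111111111111111\tMakefile
160000 commit 2222222222222222222222222222222222222222\tthird_party/libfoo
160000 commit 3333333333333333333333333333333333333333\tdocs/theme
040000 tree 4444444444444444444444444444444444444444\tsrc
"""

def parse_gitmodules(text):
    """Map submodule path -> url from .gitmodules (one [submodule] section each)."""
    mods, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[submodule"):
            current = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
            if "path" in current and "url" in current:
                mods[current["path"]] = current["url"]
    return mods

def parse_gitlinks(ls_tree):
    """Map path -> pinned commit for gitlink entries (mode 160000) in ls-tree output."""
    links = {}
    for line in ls_tree.splitlines():
        meta, _, path = line.partition("\t")
        mode, objtype, sha = meta.split()
        if mode == "160000" and objtype == "commit":
            links[path] = sha
    return links

def submodule_resolved_dependencies(gitmodules, ls_tree, checked_out=None):
    """One resolvedDependencies entry per submodule the build actually fetched.
    checked_out=None means every submodule was cloned (--recurse-submodules)."""
    urls = parse_gitmodules(gitmodules)
    deps = []
    for path, sha in parse_gitlinks(ls_tree).items():
        if checked_out is not None and path not in checked_out:
            continue  # not cloned for this build, so not one of its dependencies
        if path not in urls:
            raise ValueError(f"gitlink {path} has no .gitmodules entry")
        deps.append({"name": path, "uri": "git+" + urls[path],
                     "digest": {"gitCommit": sha}})
    return deps
```

A verifier can then match each entry's `gitCommit` against the commit pinned in the superproject tree, so a submodule swapped at build time shows up as a mismatch.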