slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Is 'branch protection' only applicable for cloud-hosted SCPs? #1136

Open TomHennen opened 2 days ago

TomHennen commented 2 days ago

To my knowledge, branch protection is a feature of specific cloud-hosted SCPs, not git/VCS, so I suggest making this requirement for Continuity more generally about the intent/objectives. Then we can maybe just include an example like "This can be achieved using the branch protection features in services like GitHub, for example."

_Originally posted by @marcelamelara in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1722209349_

TomHennen commented 2 days ago

FWIW I think that GitTuf might make this possible outside of a hosted SCP. @adityasaky would know for sure.

zachariahcox commented 1 day ago

Good question! It's not branded in exactly the same way (because it's way more powerful), but git supports this kind of feature via pre-receive git hooks.

The current wording in the pitch is: "On VCS like git, the organization MUST enable branch protections that prohibit updating the branch to point to revisions that are not direct descendants of the current revision."

That does make it sound like there's a button to click somewhere! We could make it more generic by saying "enforce branch protections."

cc: @marcelamelara
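
The pre-receive hook approach mentioned above, as an added example that is not code from this thread or from the SLSA project: a hook that implements the quoted Continuity wording by rejecting any branch update whose new revision is not a descendant of the current revision, and rejecting branch deletions. It assumes git is on PATH and the hook runs in the server-side repository; the function names `check_update` and `main` are chosen here.

```shell
#!/bin/sh
# Example pre-receive hook (not SLSA project code). git feeds one line per
# updated ref on stdin: "<old-sha> <new-sha> <refname>". A non-zero exit
# rejects the whole push. Assumes git is on PATH and we are inside the
# server-side repository, which is how git invokes pre-receive hooks.

ZERO="0000000000000000000000000000000000000000"   # git's "no such object" sha

# check_update OLD NEW REF -> 0 if the update is allowed, 1 if it must be rejected
check_update() {
    old="$1"; new="$2"; ref="$3"
    case "$ref" in
        refs/heads/*) ;;
        *) return 0 ;;                  # only branches carry the continuity requirement
    esac
    if [ "$new" = "$ZERO" ]; then
        echo "rejected: deleting $ref is not permitted" >&2
        return 1
    fi
    if [ "$old" = "$ZERO" ]; then
        return 0                        # branch creation: no existing history to preserve
    fi
    # Fast-forward test: the current tip must be an ancestor of the proposed tip.
    if git merge-base --is-ancestor "$old" "$new"; then
        return 0
    fi
    echo "rejected: $ref would move to $new, which does not descend from $old" >&2
    return 1
}

# Hook entry point: evaluate every ref update in the push; one rejection fails it all.
main() {
    status=0
    while read -r old new ref; do
        check_update "$old" "$new" "$ref" || status=1
    done
    return "$status"
}

# Run main only when git executes this file as the pre-receive hook.
case "$0" in
    */pre-receive|pre-receive) main ;;
esac
```

This is the hook-level equivalent of the "no force pushes, no deletions" baseline; branch creation is allowed because there is no prior revision whose lineage could be broken.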

adityasaky commented 23 hours ago

I think this may in part be addressed with #1128 and #1142. I think #1142 in particular would allow us to set requirements that may be achieved wildly differently depending on what constitutes the source control system as a whole.

As for the rest of it, I think the requirement could use further clarification. The full set of branch protections (whether via an SCP, pre-receive hooks, etc.) could go quite a bit further than disallowing force pushes and deletions (which are stated as the baseline in the spec atm), so I think clarification is in order as to what the requirement exactly is. Maybe we could reuse this issue for that? 😄