slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Revisit 'reliable' language for L3 #1137

Open TomHennen opened 3 weeks ago

TomHennen commented 3 weeks ago

"Reliable" may be too strong a qualifier here. It's still up to the consumer to decide if they deem the information as such, so we might want to instead use a term like "auditable" or "verifiable" here.

_Originally posted by @marcelamelara in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1722231751_

TomHennen commented 3 weeks ago

@zachariahcox

Yeah, like "as reliable as the issuer?" I doubt they will always be auditable or verifiable in any way. It would feel more or less like "SCP says X with no real way to prove it. Trust it or don't."

zachariahcox commented 3 weeks ago

yeah, are issuers "reliable?" I guess the answer is "hopefully!"

I'd support cutting this word if it's confusing things.

zachariahcox commented 2 weeks ago

@TomHennen I left a comment on the linked PR. Maybe "authentic" is the best we can claim here.