search

slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev
Other
1.53k stars 221 forks source link

What does "documented process" mean? #1139

Open TomHennen opened 4 days ago

TomHennen commented 4 days ago

What does "documented process" mean?

_Originally posted by @marcelamelara in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1722381816_

adityasaky commented 3 days ago

The full text is:

The repo must define how the content of a branch is allowed to change. This is typically done via the configuration of branch protection rules. It MUST NOT be possible to modify the content of a branch without following its documented process.

In addition to @zachariahcox's suggestion of saying "this documented process", we may want to clarify who the consumer of this documented process is. Is it visible to anyone (eg. github ruleset definitions around a PR, gittuf policy metadata) who can read the repository? Is there a minimum expectation on a set of entities having access to the documented process (eg. the full set of verifiers issuing VSAs)? Is this just back to whoever the repository owners allow to view the process (I imagine VSA issuers would likely be allow-listed)? We should also discuss how process changes are tracked as that can be really important for rewinding time and auditing some past change.

adityasaky commented 3 days ago

From a discussion at Git Merge between @TomHennen and I:

"documented process" seems to mean the configured rules governing the change management process. Tom and I agree this is likely what we want, but Tom highlighted that the term can be parsed to mean a longform textual description of a change process (eg. CONTRIBUTING.md). Another term may be in order if we all agree that we really mean the configurations / rules.

If we agree on that note, the next question goes back to my previous comment about who can see these configurations, the ability to see how they evolve etc. Among other things, I think this would tie into the ability to verify the source provenance attestations introduced in #1094.

TomHennen commented 3 days ago

Quick follow up: we'd also discussed that perhaps this can be simplified to ACLing. E.g. "the actors involved in creating the revision met the requirements of the access control list at the time the revision was created"

?