Open TomHennen opened 4 days ago
The full text is:
The repo must define how the content of a branch is allowed to change. This is typically done via the configuration of branch protection rules. It MUST NOT be possible to modify the content of a branch without following its documented process.
In addition to @zachariahcox's suggestion of saying "this documented process", we may want to clarify who the consumer of this documented process is. Is it visible to anyone (eg. github ruleset definitions around a PR, gittuf policy metadata) who can read the repository? Is there a minimum expectation on a set of entities having access to the documented process (eg. the full set of verifiers issuing VSAs)? Is this just back to whoever the repository owners allow to view the process (I imagine VSA issuers would likely be allow-listed)? We should also discuss how process changes are tracked as that can be really important for rewinding time and auditing some past change.
From a discussion at Git Merge between @TomHennen and I:
"documented process" seems to mean the configured rules governing the change management process. Tom and I agree this is likely what we want, but Tom highlighted that the term can be parsed to mean a longform textual description of a change process (eg. CONTRIBUTING.md). Another term may be in order if we all agree that we really mean the configurations / rules.
If we agree on that note, the next question goes back to my previous comment about who can see these configurations, the ability to see how they evolve etc. Among other things, I think this would tie into the ability to verify the source provenance attestations introduced in #1094.
Quick follow up: we'd also discussed that perhaps this can be simplified to ACLing. E.g. "the actors involved in creating the revision met the requirements of the access control list at the time the revision was created"
?
_Originally posted by @marcelamelara in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1722381816_