Open TomHennen opened 2 weeks ago
From what I can tell this phrase is only used once in "Known example" text for "Use compromised dependency". So it's referring to a specific event (the event-stream attack).
In that attack the idea is that the maintainer had a package that purported to be from GitHub repo X, but uploaded a package that wasn't from repo X. Since there wasn't any SLSA verification in place, I don't think it's correct to say the update used unauthorized build inputs.
Perhaps "The updated binary was not built from the purported source code"?
> This phrase is used a few times here, but I'm not sure what it means. I think it has to mean basically "use of compromised dependency", i.e., the revision consumed was not the one provided in the build inputs, but I think that's not very clear from this sentence.
>
> I recommend replacing all usage with: "The update used unauthorized build inputs."

_Originally posted by @zachariahcox in https://github.com/slsa-framework/slsa/pull/1209#discussion_r1806499521_