Closed TomHennen closed 3 weeks ago
| Name | Link |
|---|---|
| Latest commit | 0934c4c145a469b95af9af16f87aa6d215a11ac8 |
| Latest deploy log | https://app.netlify.com/sites/slsa/deploys/672387a3511b020008e07ee0 |
| Deploy Preview | https://deploy-preview-1217--slsa.netlify.app |
@adityasaky I'd also like your thoughts here. I think this is in line with how gittuf works anyways?
I think this is probably good enough. We have approval from two Maintainers (good enough for draft).
I would still be interested to hear if @trishankatdatadog has any thoughts but I can incorporate those into future PRs if he'd like changes made.
Previously level 3 just required the provenance/attestations to be tamper-resistant but didn't require those attestations to be created at any particular time. If an SCS were to create these attestations on-demand it would leave revisions more susceptible to tampering within the SCS between the time of their production and the time of the request.
By creating the attestations contemporaneously it reduces the period of time during which a threat actor would be able to falsify this evidence.
Also changed 'Source Attestations' to 'Source Provenance' to be in line with #1204, where we call it 'Provenance' and not 'Attestations'.
fixes #1216