arewm
commented
1 year ago To add onto the first nit
For example, if a producer wishes to distribute their artifact through a package ecosystem that requires explicit metadata about the build process in the form of a config file. That metadata includes the artifact’s source repository and build parameters that stay constant between builds. The producer MUST complete that config file and keep it up to date. [doc]
This whole block doesn't make sense to me.
- Based on the transition from the previous paragraph to this one, are you implying that producers may provide the explicit metadata to verifiers by means of required configurations provided to the package ecosystems?
- You do not define package ecosystem here (on its first use), instead you define it on its last use and link to https://slsa.dev/spec/v1.0-rc1/verifying-artifacts#package-ecosystem. Can you define it here and move the definition to the terminology page?
- Are you trying to say that producers must keep any build system configuration file which is submitted to a package ecosystem (if required) up to date?
- The first two sentences are fragments which likely enables greater confusion.
Additionally, there is no description of what type of configuration file might be of interest here or in https://slsa.dev/spec/v1.0-rc1/terminology. I assume that the most relevant line is
A tenant defines the build by specifying parameters through some sort of external interface, often including a reference to a configuration file in source controldoc
If so, can we formalize this terminology on that page?
Generally, when referring to specific terminology in the specification, can we link to the item on the terminology page on its first use (or even better, every use)?
jchestershopify
I'm a little unsure how this requirement works:
I appreciate the intent, certainly. I shouldn't be able to write a build that reachers sideways into another container or VM and interfere with its operation.
But I don't know how to consolidate the phrasing with the existence of external state. Often two jobs may be both using a shared resource (eg reading and writing to a blob store). They can potentially race on that external state.
To uphold this requirement as phrased would require locking access to external state, which might be difficult or impossible to achieve. Is that the intention?
As for the rest, all I had was nits. Firstly:
It's unclear to me if the last sentence is true of the example or whether it is true in general. I think it's meant to be true of the example, in which case I suggest the last sentence be changed to:
Next some bikeshedding:
Accuracy in this description sounds more like integrity, but later it includes factors such as ensuring that provenance is obtained from the build service and that the build service has controls to prevent tenants from tampering with the provenance.
I'm not sure what other words might have been canvassed. I think something like "trustworthiness" might go further; insofar as it is a word that expresses the degree to which something can justifiably be trusted (vs whether it is trusted, which is a property of the consumer's policies).
Next:
I got confused by this one at first. When I start to parse the sentence I begin with "SHOULD be complete" and I am immediately unsure what is meant to be complete. It's not until the end of the sentence that I have a particular object. I'd suggest starting the sentence with provenance:
Finally:
I think these are vestigial. From context they are probably meant to read "Project contributors" and "Project maintainer" respectively.