slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Workstream: SLSA Build L4 #977

Open MarkLodato opened 11 months ago

MarkLodato commented 11 months ago

This is a tracking issue for creating a Build Level 4. Build L4 will likely cover some notion of the completeness of the provenance, e.g. that the resolvedDependencies are complete in SLSA Provenance format. This is based on discussions and v0.1, but nothing has been decided yet.

Workstream shepherd: David A Wheeler (@david-a-wheeler)

Related: We might want to merge with #975 (hardware attested builds) and/or #985 (build platform operations track) as discussed in https://github.com/slsa-framework/slsa/issues/975#issuecomment-1757645142.

Sub-issues:
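To make the "completeness of resolvedDependencies" idea concrete, here is an added example (not SLSA project code) of what a completeness check over a SLSA Provenance v1 statement could look like. The provenance document and the list of observed fetches are constructed inline; the fetch record is a hypothetical stand-in for whatever evidence a build platform would collect about what the build actually pulled in, which SLSA does not currently define. Treating a declared dependency without a digest as incomplete is also this example's own assumption, not a settled requirement.

```python
"""Completeness check for resolvedDependencies in a SLSA Provenance v1 statement.

Added example, not SLSA project code. It assumes a hypothetical record of every
artifact the builder actually fetched (OBSERVED_FETCHES, constructed inline) and
compares that record against the provenance's resolvedDependencies.
"""
import json

# Constructed sample: a SLSA Provenance v1 statement (in-toto v1 Statement payload).
PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "aa" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/hypothetical-build/v1",  # hypothetical
            "externalParameters": {"ref": "refs/heads/main"},
            "resolvedDependencies": [
                {"uri": "git+https://example.com/src@refs/heads/main",
                 "digest": {"gitCommit": "11" * 20}},
                {"uri": "pkg:pypi/requests@2.31.0",
                 "digest": {"sha256": "22" * 32}},
                {"uri": "pkg:pypi/urllib3@2.0.7"},  # declared, but no digest recorded
            ],
        },
        "runDetails": {"builder": {"id": "https://example.com/hypothetical-builder"}},
    },
}

# Constructed sample: (uri, digest algorithm, digest value) tuples from a
# hypothetical build-platform fetch monitor. SLSA does not define such a record.
OBSERVED_FETCHES = [
    ("git+https://example.com/src@refs/heads/main", "gitCommit", "11" * 20),
    ("pkg:pypi/requests@2.31.0", "sha256", "22" * 32),
    ("pkg:pypi/urllib3@2.0.7", "sha256", "33" * 32),
    ("pkg:pypi/certifi@2023.7.22", "sha256", "44" * 32),  # fetched but never declared
]


def resolved_dependencies(statement):
    """Return the resolvedDependencies list after checking the statement's types."""
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        raise ValueError("not an in-toto v1 Statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        raise ValueError("not a SLSA Provenance v1 predicate")
    return statement["predicate"]["buildDefinition"].get("resolvedDependencies", [])


def check_completeness(statement, observed):
    """Compare declared resolvedDependencies against observed fetches.

    Returns a dict of three lists:
      undeclared - observed fetches with no resolvedDependencies entry for their uri
      undigested - declared entries carrying no digest at all (cannot be pinned)
      mismatched - declared entries whose digest for the observed algorithm differs
    A declared digest under a different algorithm than the one observed cannot be
    compared and is neither a match nor a mismatch here.
    """
    declared = {dep["uri"]: dep.get("digest", {}) for dep in resolved_dependencies(statement)}

    undeclared, mismatched = [], []
    for uri, alg, value in observed:
        if uri not in declared:
            undeclared.append(uri)
            continue
        digest = declared[uri]
        if alg in digest and digest[alg] != value:
            mismatched.append(uri)

    undigested = [uri for uri, digest in declared.items() if not digest]
    return {"undeclared": undeclared, "undigested": undigested, "mismatched": mismatched}


def is_complete(statement, observed):
    """True only if every observed fetch is declared and pinned, with no digest conflicts."""
    return not any(check_completeness(statement, observed).values())


if __name__ == "__main__":
    print(json.dumps(check_completeness(PROVENANCE, OBSERVED_FETCHES), indent=2))
    print("complete:", is_complete(PROVENANCE, OBSERVED_FETCHES))
```

Run against the constructed inputs, the check flags certifi as undeclared and urllib3 as undigested, so the provenance is not complete even though nothing it does declare is wrong. The interesting design question for L4 is the left-hand side of this comparison: a verifier can only make a completeness claim if the build platform produces a trustworthy record of what was fetched, which is what ties this issue to the hardware-attested-build and platform-operations discussions linked above.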

david-a-wheeler commented 11 months ago

Note that I'm currently proposing entries for build levels L4 and L5. See: https://github.com/slsa-framework/slsa/issues/873

arewm commented 11 months ago

I mentioned in the comments for the Reproducible Build requirements in SLSA (an early proposal) that I am not convinced that we should add reproducibility onto the SLSA build levels. Where would be the best place to have this conversation? In this issue, in that document, in a community call, elsewhere? I wasn't able to attend a previous call where this discussion happened.

MarkLodato commented 11 months ago

What we did in SLSA Source Track brainstorming was for each person to write down some thoughts as separate sections, then people commented on those sections and the original authors refined their ideas. Then once the comments died down, the lead (@kpk47) coalesced the ideas into one proposal. That seems to be working ok?

So if we want that model, then perhaps you could create a section in the doc and write down your thoughts on L4 and/or reproducible builds. That would allow us to critique the argument and you can hone it. It would also leave us something more durable than doc comments and more readable than a GitHub issue comment. What do you think?

david-a-wheeler commented 11 months ago

If you have ways to improve the proposal, currently the Google doc would be the right start.

If you oppose the concept of being able to reproduce builds, I guess https://github.com/slsa-framework/slsa/issues/873 would be the place. Are you opposed to being able to reproduce builds, or are you opposed to including them in the "build track", or is it something else? I'm not sure I understand your objection.

arewm commented 11 months ago

I am not opposed to reproducible builds, just to including them in the build track. I will try to add some commentary to the document.

david-a-wheeler commented 11 months ago

@arewm - I understand! Sorry, I was a little confused about your point. I originally proposed that they be a separate track, but many in the community preferred that they be in the same build track. Please do add commentary.

I think we can separate the issues of (1) what might be usefully added to SLSA and (2) whether or not reproducible builds belong in a different track. Indeed, as we refine the potential requirements, it may be easier to decide if they belong in the same or a different track.