slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Workstream: SLSA Build L4 #977

Open MarkLodato opened 1 year ago

MarkLodato commented 1 year ago

This is a tracking issue for creating a Build Level 4. Build L4 will likely cover some notion of the completeness of the provenance, e.g. that the resolvedDependencies are complete in SLSA Provenance format. This is based on discussions and v0.1, but nothing has been decided yet.

Workstream shepherd: David A Wheeler (@david-a-wheeler)

Related: We might want to merge with #975 (hardware attested builds) and/or #985 (build platform operations track) as discussed in https://github.com/slsa-framework/slsa/issues/975#issuecomment-1757645142.

Sub-issues:
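As an added example (not code from this issue thread or from the SLSA project), the Python below shows what a verifier-side check for the "resolvedDependencies are complete" idea in the opening comment could look like. It assumes the SLSA v1 provenance layout (an in-toto Statement with `predicate.buildDefinition.resolvedDependencies` holding ResourceDescriptors with `uri` and `digest`), and it uses a constructed list of fetches the verifier observed independently as a stand-in for a completeness oracle; how Build L4 would actually define completeness is, as the comment says, undecided.

```python
"""Completeness check over a SLSA v1 provenance's resolvedDependencies.

Added example, not from the SLSA issue thread. Assumptions:
- the provenance is an in-toto Statement whose predicate follows
  https://slsa.dev/provenance/v1;
- the verifier has an independent record of what the build fetched
  (constructed below), which is one possible notion of "complete".
"""
import json

SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Constructed sample statement; only the fields this check reads are filled.
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "aa" * 32}}],
    "predicateType": SLSA_V1_PREDICATE,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/buildtype/v1",  # placeholder
            "externalParameters": {},
            "resolvedDependencies": [
                {"uri": "git+https://example.com/org/app@refs/heads/main",
                 "digest": {"gitCommit": "bb" * 20}},
                {"uri": "pkg:pypi/requests@2.31.0",
                 "digest": {"sha256": "cc" * 32}},
                # Defective entry: a URI without any digest pins nothing.
                {"uri": "pkg:pypi/urllib3@2.2.1"},
            ],
        },
        "runDetails": {"builder": {"id": "https://example.com/builder"}},
    },
}

# Constructed sample: fetches the verifier observed the build making
# (for instance from an egress proxy log). The third one is absent from
# the provenance entirely; the second is listed but unpinned.
OBSERVED_FETCHES = [
    {"uri": "pkg:pypi/requests@2.31.0", "sha256": "cc" * 32},
    {"uri": "pkg:pypi/urllib3@2.2.1", "sha256": "dd" * 32},
    {"uri": "https://example.com/toolchain/gcc-13.2.tar.xz",
     "sha256": "ee" * 32},
]


def resolved_dependencies(statement):
    """Return the resolvedDependencies list from a SLSA v1 statement."""
    ptype = statement.get("predicateType")
    if ptype != SLSA_V1_PREDICATE:
        raise ValueError(f"unexpected predicateType: {ptype!r}")
    build_def = statement["predicate"]["buildDefinition"]
    return build_def.get("resolvedDependencies", [])


def malformed_descriptors(deps):
    """Descriptors that cannot pin an input: missing uri or missing digest."""
    problems = []
    for index, desc in enumerate(deps):
        if not desc.get("uri"):
            problems.append((index, "missing uri"))
        if not desc.get("digest"):
            problems.append((index, "missing digest"))
    return problems


def unrecorded_fetches(deps, observed):
    """Observed fetches not covered by a descriptor with the same uri and sha256."""
    recorded = {(d.get("uri"), (d.get("digest") or {}).get("sha256"))
                for d in deps}
    return [f for f in observed if (f["uri"], f["sha256"]) not in recorded]


def check_completeness(statement, observed):
    """Combine both checks; 'ok' is True only when nothing is flagged."""
    deps = resolved_dependencies(statement)
    malformed = malformed_descriptors(deps)
    missing = unrecorded_fetches(deps, observed)
    return {"ok": not malformed and not missing,
            "malformed": malformed, "missing": missing}


if __name__ == "__main__":
    print(json.dumps(check_completeness(SAMPLE_STATEMENT, OBSERVED_FETCHES),
                     indent=2))
```

The two checks are deliberately separate: a descriptor without a digest is a defect in the provenance itself, while an observed fetch with no matching descriptor is evidence that the build platform did not record everything it consumed, which is the gap a completeness requirement would aim to close.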

david-a-wheeler commented 1 year ago

Note that I'm currently proposing entries for build levels L4 and L5. See: https://github.com/slsa-framework/slsa/issues/873

arewm commented 1 year ago

I mentioned in the comments for the Reproducible Build requirements in SLSA (an early proposal) about how I am not convinced that we should add reproducibility onto the SLSA build levels. Where would be the best place to have this conversation? In this issue, in that document, in a community call, elsewhere? I wasn't able to attend a previous call where this discussion happened.

MarkLodato commented 1 year ago

What we did in SLSA Source Track brainstorming was for each person to write down some thoughts as separate sections, then people commented on those sections and the original authors refined their ideas. Then once the comments died down, the lead (@kpk47) coalesced the ideas into one proposal. That seems to be working ok?

So if we want that model, then perhaps you could create a section in the doc and write down your thoughts on L4 and/or reproducible builds. That would allow us to critique the argument and you can hone it. It would also leave us something more durable than a doc comment and more readable than a GitHub issue comment. What do you think?

david-a-wheeler commented 1 year ago

If you have ways to improve the proposal, currently the Google doc would be the right start.

If you oppose the concept of being able to reproduce builds, I guess https://github.com/slsa-framework/slsa/issues/873 would be the place. Are you opposed to being able to reproduce builds, or are you opposed to including them in the "build track", or is it something else? I'm not sure I understand your objection.

arewm commented 1 year ago

I am not opposed to reproducible builds, just to including them in the build track. I will try to add some commentary to the document.

david-a-wheeler commented 1 year ago

@arewm - I understand! Sorry, I was a little confused about your point. I originally proposed that they be a separate track, but many in the community preferred that they be in the same build track. Please do add commentary.

I think we can separate the issues of (1) what might be usefully added to SLSA and (2) whether or not reproducible builds belong in a different track. Indeed, as we refine the potential requirements, it may be easier to decide if they belong in the same or a different track.