SLSA is a promising work that aims at improving the security posture of open source software and protecting against supply chain attacks. I believe this template provides a good opportunity to adopt SLSA. Even though SLSA is still a work in progress, I don't think we should wait for them to finalize the specs, and the earlier we start the better.
The current layout of the repo looks like this, which misses a build step (the quality assurance steps don't modify code, but build does)
To make this template and the repos created from it meet the highest SLSA levels, we need to prepare the repo to meet their requirements. To begin with, I propose to make the repo ready for level 1. This level helps publish an artifact provenance in a common format, in-toto. For that we need more explicit build and packaging steps, which developers can develop further based on their needs. This would satisfy the Scripted Build requirement.
Once the repo meets level 1, we can use in-toto to generate the provenance and verify it.
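As an added illustration of the level 1 goal described in this issue (an explicit, scripted build followed by provenance in the in-toto format), the following Python script is not part of the template or of in-toto itself. It builds an unsigned in-toto Statement carrying a SLSA v0.2 provenance predicate for a constructed, in-memory artifact, and then verifies that the statement names that artifact with a matching SHA-256 digest and the expected builder. The artifact bytes, builder id, source URI, commit digest and `buildType` URI are all constructed placeholders.

```python
import hashlib
import json

# Constructed sample artifact: in a real pipeline this is the file written by
# the explicit build/package step. Name and contents are placeholders.
SAMPLE_ARTIFACT_NAME = "template-0.1.0.tar.gz"
SAMPLE_ARTIFACT_BYTES = b"constructed tarball contents for the example"

# Hypothetical builder / source identifiers, not from the page.
BUILDER_ID = "https://example.com/ci/scripted-build"
SOURCE_URI = "git+https://github.com/example/template@refs/heads/main"
SOURCE_COMMIT = "0" * 40  # placeholder sha1 of the checked-out commit

# Stable in-toto / SLSA type identifiers.
STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the artifact bytes; this is the subject digest."""
    return hashlib.sha256(data).hexdigest()


def make_provenance(artifact_name: str, artifact_bytes: bytes,
                    builder_id: str, source_uri: str, source_digest: str,
                    build_config: dict) -> dict:
    """Return an unsigned in-toto Statement with a SLSA v0.2 provenance predicate.

    The subject binds the provenance to the exact bytes that were built; the
    predicate records who built it, from which source, and with which script.
    """
    return {
        "_type": STATEMENT_TYPE,
        "subject": [
            {"name": artifact_name,
             "digest": {"sha256": sha256_hex(artifact_bytes)}},
        ],
        "predicateType": SLSA_PROVENANCE_V02,
        "predicate": {
            "builder": {"id": builder_id},
            # Hypothetical buildType URI describing the scripted build.
            "buildType": "https://example.com/scripted-build/v1",
            "invocation": {
                "configSource": {
                    "uri": source_uri,
                    "digest": {"sha1": source_digest},
                },
            },
            "buildConfig": build_config,
            "materials": [
                {"uri": source_uri, "digest": {"sha1": source_digest}},
            ],
        },
    }


def verify_provenance(statement: dict, artifact_name: str,
                      artifact_bytes: bytes, expected_builder_id: str) -> bool:
    """Check that the statement is well-formed, covers this exact artifact,
    and claims the builder we expect. Without a DSSE signature this only
    proves the statement and artifact agree, not who produced them."""
    if statement.get("_type") != STATEMENT_TYPE:
        return False
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        return False
    actual_digest = sha256_hex(artifact_bytes)
    subject_matches = any(
        s.get("name") == artifact_name
        and s.get("digest", {}).get("sha256") == actual_digest
        for s in statement.get("subject", [])
    )
    if not subject_matches:
        return False
    builder = statement.get("predicate", {}).get("builder", {}).get("id")
    return builder == expected_builder_id


def build_and_attest() -> dict:
    """Simulate the scripted build producing an artifact plus its provenance."""
    return make_provenance(
        SAMPLE_ARTIFACT_NAME, SAMPLE_ARTIFACT_BYTES, BUILDER_ID,
        SOURCE_URI, SOURCE_COMMIT,
        {"steps": ["make build", "make package"]},  # constructed script steps
    )


if __name__ == "__main__":
    stmt = build_and_attest()
    print(json.dumps(stmt, indent=2))
    print("verified:", verify_provenance(stmt, SAMPLE_ARTIFACT_NAME,
                                         SAMPLE_ARTIFACT_BYTES, BUILDER_ID))
```

The statement is emitted as a bare JSON object rather than inside a signed DSSE envelope, which is all level 1 asks for; the `verify_provenance` check therefore only confirms that the provenance describes these exact artifact bytes, and a tampered artifact or an unexpected builder id fails it. Signing the statement is what higher levels add, so a consumer should treat an unsigned statement as a description of the build, not as proof of who ran it.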
PR #248 modifies the CodeQL workflow somewhat, and it references two more related issues.
Also, I wanted to track one more problem we should address as we rebuild the workflows for improved SLSA compliance: both the Release Notification workflow and the (soon to come) Wiki Documentation workflow are triggered by the release event, and so they run simultaneously. However, the Release Notification workflow should run only if the Wiki Documentation workflow was successful.