content: source track draft: simplify and clarify level goals

docs/spec/draft/source-requirements.md

@@ -54,33 +54,65 @@ Consumers can examine the various source provenance attestations to determine if
 | Approver | An actor that approves a particular change to the source.
 | Merger | An actor that applies a change to the source. This typically involves creating the new revision and updating a branch. This person may be the proposer or a different trusted person, depending on the version control platform.
 
-## Source Platform Requirements
 
-The version control system MUST provide at least:
+## Safe Expunging Process
 
-- **[Immutable reference]** There exists a deterministic way to identify this particular revision. This is usually {project identifier + revision ID}. When the revision ID is a digest of the revision, as in git, nothing more is needed. When the revision ID is a number or otherwise not a digest, then the project server MUST guarantee that revisions cannot be altered once created.
+(placeholder text)
 
-- **[Change history]** There exists a record of the history of changes that went into the revision. Each change MUST contain:
- - The immutable reference to the new revision.
- - The identities of the proposer, reviewers (if any), and merger (if different to the proposer).
- - Timestamps of change submission. If a change is reviewed, then the change history MUST also include timestamps for any reviews.
- - The change description/justification.
- - The content of the change.
- - The parent revisions.
+Administrators have the necessary permissions to replace the source in a known repo without publishing a change record.
 
-Most popular version control systems meet these requirement, such as git, Subversion, Mercurial, and Perforce.
+This includes changing files, history, or changing references in git.
 
-The source control platform MUST provide at least:
+When used as an attack, this is called “repo hijacking” (or “repo-jacking”) and is one of the primary threats source provenance attestations protect against.
 
-- An account system or some other means of identifying persons.
-- A mechanism for modifying the canonical source through a **revision process**.
+If an organization must change the source without publishing a change record, the organization will need to demonstrate that the change was necessary and executed responsibly.
 
-The source control platform SHOULD additionally provide:
+## Source Control Platform and Version Control System Requirements
 
-- A mechanism for assigning roles and/or permissions to identities.
-- A mechanism for including code review in the revision process.
-- Two-factor authentication for the account system (L2+ only).
+The combination of SCP and VCS MUST provide:
+
+### Immutable reference
+
+There exists a deterministic way to identify a particular revision.
+
+This is usually a combination of the repository ID and revision ID.
+When the revision ID is a digest of the revision, as in git, nothing more is needed.
+When the revision ID is a number or otherwise not a digest, then the repository server MUST guarantee that revisions cannot be altered once created.
+The SCP MUST guarantee that repository IDs track the complete history of changes that occur to the source while hosted on the platform.
+
+### Identity Management
+
+There exists an identity management system or some other means of identifying actors.
+
+The SCP will use these identities to:
+
+- Implement actor-based rules (such as required review from code experts)
+- Record contributors to a code revision process
+- Issuing source provenance attestations.
+
+### Revision process
+
+There exists a trusted mechanism for modifying the source pointed-to by a [branch](#definitions).
+For each [branch](#definitions), the SCP MUST record and keep the full history of changes conducted on this SCP, with exceptions allowed following the [Safe Expunging Process](#safe-expunging-process).
+
+The revision process MUST:
+- Provide an accurate description of the currently proprosed change, or instructions to recreate it.
+- Provide the ability to review a change before it is accepted
+- Provide the ability to require pre-approval from specific actors before a change proposal is accepted.
+- Record all actors that contributed to the process, including the proposers, merger and reviewers (if any).
+- Record timestamps of critical activities including process start, process completion, reception of change proposals by the SCP, and reviews.
+- Record the specific state of the process when each approval was granted. This is most relevant when the proposal content is allowed to change after aprovals have been granted.
+
+
+### Additional features
+
+The combination of SCP and VCS SHOULD provide:
+
+- A mechanism for assigning roles and/or permissions to [actors](#source-roles).
+- A mechanism for including code review in the [revision process](#revision-process).
+- Two-factor authentication for the [identity management system](#identity-management).
 - Audit logs for sensitive actions, such as modifying security controls.
+- A mechanism to define code ownership for all files in the source.
 
 ## Levels