Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

content: source track draft: simplify and clarify level goals #1097

Merged
merged 45 commits into from
Aug 15, 2024
Merged

content: source track draft: simplify and clarify level goals #1097

Changes from 1 commit
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
989aeb8
initial content, waiting for main to be updated.
zachariahcox Jul 12, 2024
b4f8b7b
Merge branch 'slsa-framework:main' into users/zacox/scp
zachariahcox Jul 15, 2024
68e8632
react to pr feedback.
zachariahcox Jul 16, 2024
5d5df51
linter
zachariahcox Jul 16, 2024
b2071c0
clarity
zachariahcox Jul 16, 2024
cc8a51c
linter
zachariahcox Jul 17, 2024
5a456d6
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 22, 2024
ad62f09
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 22, 2024
e4050b4
address pr feedback.
zachariahcox Jul 22, 2024
47f8ad3
clarify "code owners"
zachariahcox Jul 22, 2024
d212e08
reimagine as a level 1 requirement
zachariahcox Jul 22, 2024
8bf4205
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 29, 2024
2343b07
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 29, 2024
a7fd4fe
pr feedback
zachariahcox Jul 29, 2024
b003548
cleanup
zachariahcox Jul 29, 2024
09b0c67
add two more useful definitions
zachariahcox Jul 29, 2024
6d3e582
large rewrite
zachariahcox Jul 31, 2024
99f372a
talk vaguely about unit testing
zachariahcox Jul 31, 2024
6b82d6d
every revision
zachariahcox Jul 31, 2024
a583425
cleanup
zachariahcox Jul 31, 2024
64132b8
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
9ab53dc
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
7269b05
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
1be7b2a
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
7faa87d
typos!
zachariahcox Aug 2, 2024
843729c
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
69f611c
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
08ec500
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
6515598
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
f962ac4
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
d809349
pr feedback, remove trusted review process stuff
zachariahcox Aug 8, 2024
2f86109
consumable branch clarity?
zachariahcox Aug 8, 2024
834d64c
pr comment feedback
zachariahcox Aug 9, 2024
9b72a77
adding scenarios to the expunging section
zachariahcox Aug 12, 2024
006a4c1
hopefully last rewrite.
zachariahcox Aug 12, 2024
febc191
update cyoa
zachariahcox Aug 12, 2024
6e3f3e3
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 12, 2024
6c05dc1
move choose your own adventure stuff out.
zachariahcox Aug 12, 2024
3919bad
source attestation copy edits
zachariahcox Aug 12, 2024
cb63de3
add disclaimer about use of git VCS
zachariahcox Aug 14, 2024
f2398a4
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 15, 2024
d1219c6
Update docs/spec/draft/verifying-source.md
zachariahcox Aug 15, 2024
5527616
Update docs/spec/draft/verifying-source.md
zachariahcox Aug 15, 2024
6df6b33
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 15, 2024
31d63ba
Update docs/spec/draft/source-requirements.md
TomHennen Aug 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
56 changes: 43 additions & 13 deletions docs/spec/draft/source-requirements.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,33 +47,63 @@ The Source track is scoped to a single project that is controlled by some organi
| Approver | The role that approves a particular change to the source.
| Merger | The role that applies a change to the source. This person may be the proposer or a different trusted person, depending on the version control platform.

## Source Platform Requirements
## Source Control Platform and Version Control System Requirements

The version control system MUST provide at least:
The combination of SCP and VCS MUST provide:

- **[Immutable reference]** There exists a deterministic way to identify this particular revision. This is usually {project identifier + revision ID}. When the revision ID is a digest of the revision, as in git, nothing more is needed. When the revision ID is a number or otherwise not a digest, then the project server MUST guarantee that revisions cannot be altered once created.
### **[Immutable reference]**
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

- **[Change history]** There exists a record of the history of changes that went into the revision. Each change MUST contain:
There exists a deterministic way to identify a particular revision.

This is usually a combination of the repository ID and revision ID.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I presume the repository ID is different from the URL to locate the repository on the SCP? For example, the repository ID for this one is 346517502 per https://api.github.com/repos/slsa-framework/slsa.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I had imagined the repository ID is the URL (e.g. https://github.com/slsa-framework/slsa).

Having it be something that's meaningful to humans would be pretty beneficial.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think that's partly what I was getting at. I wonder if there's an endpoint to translate the numeric ID to the URL or if the current definition for repository (even without the ID) inherently has a URL associated with it because we only consider a repository on the SCP at the moment. This is part of the massaging I wonder if I should take a stab at separately.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we should consider the numeric ID to be an implementation detail and not worry about it?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's an interesting question -- today we definitely have resurrection and rename attacks (so you need the gh repo numeric id to disambiguate), but I think in combination with the git object id, the url is probably fine.
IE, it doesn't likely matter much if a hijacked repo (with a different numeric id) has the same url and ships the same revision, we can ship the corresponding attestation. I'd want to think through it some more.

When the revision ID is a digest of the revision, as in git, nothing more is needed.
When the revision ID is a number or otherwise not a digest, then the repository server MUST guarantee that revisions cannot be altered once created.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved
The SCP MUST guarantee that repository IDs track the complete history of changes that occur to the source while hosted on the platform.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

### **[Identity Management]**
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

There exists an identity management system or some other means of identifying actors.

The SCP will use these identities for recording change history and writing provenance attestations.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

### **[Change history]**
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

There exists a record of the history of changes conducted on this SCP that went into the revision.

A merged GitHub pull request is an example of a change record.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved
Each change MUST contain:
- The immutable reference to the new revision.
TomHennen marked this conversation as resolved.
Show resolved Hide resolved
- The identities of the proposer, reviewers (if any), and merger (if different to the proposer).
- Timestamps of change submission. If a change is reviewed, then the change history MUST also include timestamps for any reviews.
- The list of parent revisions.
- The change description/justification.
- The content of the change.
- The parent revisions.
- The [Merger](#source-roles) of the change.
- The timestamp when the change was received by the SCP

Administrators have the necessary permissions to replace the source in a known repo.
In mechanical terms, this means changing the source for a known repository ID without publishing a change record.
This includes changing files, history, or changing references in git.
When used as an attack, this is called “repo hijacking” (or “repo-jacking”) and is one of the primary threats source provenance attestations protect against.
If an organization must change the source without publishing a change record, the organization will need to demonstrate that the change was necessary and executed responsibly.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

### **[Change Management]**

There exists a trusted mechanism for modifying the canonical source through a **revision process**.

Most popular version control systems meet these requirement, such as git, Subversion, Mercurial, and Perforce.
The revision process MUST record at least:

The source control platform MUST provide at least:
- The identities of the proposer, reviewers (if any), and merger (if different from the proposer).
- Timestamps of change submission. If a change is reviewed, then the change history MUST also include timestamps for any reviews.
- The specific change reviewed during the revision process or instructions to recreate it. In git, this might be the two compared object ids and the computed best merge base between them at the time of review.

- An account system or some other means of identifying persons.
- A mechanism for modifying the canonical source through a **revision process**.
### Additional features
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

The source control platform SHOULD additionally provide:
The combination of SCP and VCS SHOULD additionally provide:
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

- A mechanism for assigning roles and/or permissions to identities.
- A mechanism for assigning roles and/or permissions to actors.
- A mechanism for including code review in the revision process.
- Two-factor authentication for the account system (L2+ only).
- Audit logs for sensitive actions, such as modifying security controls.
- A mechanism to define code ownership for all files in the source repository.

## Levels

Expand Down