content: source-track: rename SCP to SCS, replace open issues section with links to project and label queries #1166
@@ -121,18 +110,18 @@ The source MUST have a location where the "official" revisions are stored and ma | |||
#### Revisions are immutable and uniquely identifiable | |||
|
|||
This requirement ensures that a consumer can determine that the source revision they have is the same as a canonical revision. | |||
The combination of SCP and VCS MUST provide a deterministic way to identify a particular revision. |
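Review bot: "a deterministic way to identify a particular revision" is a weaker property than the heading "Revisions are immutable and uniquely identifiable" promises; determinism alone does not rule out two different revisions sharing an identifier, which is exactly what the preceding sentence ("the source revision they have is the same as a canonical revision") needs excluded. Suggest "a unique, deterministic way to identify a particular revision" or similar. Also note this line still reads "The combination of SCP and VCS": if it is on the new side of the diff it missed the SCP to SCS rename the PR title announces.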
@marcelamelara I definitely like having a single term for "the combination of". I'm not sure it really helps bring clarity to what we mean by it, but "the system must provide X" is at least less clunky to read.
The SCP MUST declare which forms of identity it considers to be trustworthy for this purpose. | ||
For cloud-based SCPs, this will typically be the identity used to push to a git server. | ||
The SCS MUST declare which forms of identity it considers to be trustworthy for this purpose. | ||
For cloud-based SCSs, this will typically be the identity used to push to a repository. |
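Review bot: "the identity used to push to a repository" should say explicitly that this is the identity the SCS authenticates at push time, not the author or committer recorded inside the revision; commit metadata is self-asserted and can be set to any value by whoever pushes, so without that clause a reader could take it as one of the "forms of identity it considers to be trustworthy". One added clause, e.g. "the identity authenticated by the SCS when the revision is pushed to a repository (not the author or committer fields of the revision itself)", would close that gap.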
also removed the casual use of the word "git" here
@@ -168,7 +168,7 @@ It is not sufficient to indicate that a file changed without showing the content | |||
|
|||
Require a squash merge strategy for the protected branch. | |||
|
|||
To guarantee that only commits representing reviewed diffs are cloned, the SCP MUST rebase (or "squash") the reviewed diff into a single new commit (the "squashed" commit) that has only a single parent (the revision previously pointed-to by the protected branch). | |||
To guarantee that only commits representing reviewed diffs are cloned, the SCS MUST rebase (or "squash") the reviewed diff into a single new commit (the "squashed" commit) that has only a single parent (the revision previously pointed-to by the protected branch). |
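Review bot: "rebase (or "squash")" treats two different operations as synonyms, and only one of them satisfies the rest of the sentence. A rebase replays the reviewed commits one after another onto the protected branch, leaving several commits each with a single parent, whereas a squash produces the "single new commit ... that has only a single parent" the requirement describes. Suggest dropping "rebase" and saying the SCS MUST squash the reviewed diff into a single new commit, so an implementer cannot read a plain rebase as compliant.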
edited this use case for completeness, but this one is "the tool that generates commits on behalf of the code review tool".
For GitHub (and probably other all-in-one systems), these are the same tool.
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github-pages](https://togithub.com/github/pages-gem) | `231` -> `232` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>github/pages-gem (github-pages)</summary>

### [`v232`](https://togithub.com/github/pages-gem/releases/tag/v232)

[Compare Source](https://togithub.com/github/pages-gem/compare/v231...v232)

#### What's Changed

- Bump docker/build-push-action from 5 to 6 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/916](https://togithub.com/github/pages-gem/pull/916)
- Fix obscured gemfile issue by [@​mrmanc](https://togithub.com/mrmanc) in [https://github.com/github/pages-gem/pull/912](https://togithub.com/github/pages-gem/pull/912)
- Add webrick as Ruby 3 doesn’t include it by [@​mrmanc](https://togithub.com/mrmanc) in [https://github.com/github/pages-gem/pull/914](https://togithub.com/github/pages-gem/pull/914)
- Update nokogiri CVE-2024-25062 by [@​naxhh](https://togithub.com/naxhh) in [https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)
- Parkr jekyll3.10 by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/919](https://togithub.com/github/pages-gem/pull/919)
- Fix improperly bound regex by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/921](https://togithub.com/github/pages-gem/pull/921)
- Prep 232 by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/923](https://togithub.com/github/pages-gem/pull/923)

#### New Contributors

- [@​naxhh](https://togithub.com/naxhh) made their first contribution in [https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)

**Full Changelog**: github/pages-gem@v231...v232

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa).

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com>
Co-authored-by: Tom Hennen <TomHennen@users.noreply.github.com>
This PR proposes to change the status of v1.1 to Candidate Release in preparation for final publication. I ought to point out that there is a bunch of VSA related issues that had been targeted for this release and that have not been addressed. See Issue slsa-framework#900. However, until someone works on any of these issues there is no hope of making progress and waiting for these to close will delay getting 1.1 out indefinitely. Although not ideal I therefore propose to defer these and publish what we have. Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [github-pages](https://togithub.com/github/pages-gem) | `231` -> `232` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/github-pages/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/github-pages/231/232?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>github/pages-gem (github-pages)</summary>

### [`v232`](https://togithub.com/github/pages-gem/releases/tag/v232)

[Compare Source](https://togithub.com/github/pages-gem/compare/v231...v232)

#### What's Changed

- Bump docker/build-push-action from 5 to 6 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/github/pages-gem/pull/916](https://togithub.com/github/pages-gem/pull/916)
- Fix obscured gemfile issue by [@​mrmanc](https://togithub.com/mrmanc) in [https://github.com/github/pages-gem/pull/912](https://togithub.com/github/pages-gem/pull/912)
- Add webrick as Ruby 3 doesn’t include it by [@​mrmanc](https://togithub.com/mrmanc) in [https://github.com/github/pages-gem/pull/914](https://togithub.com/github/pages-gem/pull/914)
- Update nokogiri CVE-2024-25062 by [@​naxhh](https://togithub.com/naxhh) in [https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)
- Parkr jekyll3.10 by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/919](https://togithub.com/github/pages-gem/pull/919)
- Fix improperly bound regex by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/921](https://togithub.com/github/pages-gem/pull/921)
- Prep 232 by [@​yoannchaudet](https://togithub.com/yoannchaudet) in [https://github.com/github/pages-gem/pull/923](https://togithub.com/github/pages-gem/pull/923)

#### New Contributors

- [@​naxhh](https://togithub.com/naxhh) made their first contribution in [https://github.com/github/pages-gem/pull/911](https://togithub.com/github/pages-gem/pull/911)

**Full Changelog**: github/pages-gem@v231...v232

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa).

---------

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>
…1109) Blogpost that looks at dependency confusion and typosquatting attacks from defender's perspective and defines "managed ingestion" as an important capability for supply chain risk management. --------- Signed-off-by: Meder Kydyraliev <1212257+meder@users.noreply.github.com> Co-authored-by: Joshua Lock <joshuagloe@gmail.com> Co-authored-by: Marcela Melara <marcela.melara@intel.com>
I noticed that the jekyll build was producing an error because the `description` variable in the front matter of the `verifying-source.md` file contained multiple lines. This fixes the format so that there is no longer any error and as a consequence the page title is now displayed correctly. However, I must admit that although every page contains a description I cannot find whether it is actually used anywhere... Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
1. Only check for duplicate headings in siblings. It's useful to allow duplicated headings that aren't in siblings to let docs have parallel construction across the entire doc.
2. Remove absolute references to slsa.dev

Signed-off-by: Tom Hennen <tomhennen@google.com>
slsa-framework#1123) This patch focuses on merely editorial changes such as moving sections around and changing 'out of scope' to 'not currently addressed'. There are a lot more TODOs to go through but that's a first step... Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
…e track level of revisions (slsa-framework#1094)

fixes slsa-framework#1071
fixes slsa-framework#1042
refs slsa-framework#241

This PR modifies _draft_ content of the SLSA spec. See [discussions here](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A&tab=t.0#heading=h.fhg4lsemfpz2) [and here](https://docs.google.com/document/d/1PwhekVB1iDpcgCQRNVN_aesoVdOiTruoebCs896aGxw/edit#bookmark=id.oqoqjt4urxm). Google document requires [slsa-discussion@googlegroups.com](mailto:slsa-discussion@googlegroups.com) membership.

Define how downstream users can verify the SLSA source track level of revisions by using [VSAs](http://slsa.dev/verification_summary) produced by the Source Control Platform (SCP). To use these VSAs users do not need to know the specifics of how any given SCP or Version Control System (VCS) meets the SLSA source requirements (which may vary greatly from implementation to implementation). Instead it is left to the SCP or another trusted 'authority' to make that determination for downstream users.

The question of _how_ the authority ensures those claims to be true is left undefined in this change. Future updates can include guidance for how to verify source level when combined with [build provenance](https://slsa.dev/provenance).

1. A user wants to verify slsa-framework@9a04d1e is SLSA source level 3.
2. The user 'trusts' GitHub as the authority for source revisions managed by GitHub.
3. The user requests a VSA for slsa-framework@9a04d1e from a TBD API.
4. The user verifies the VSA following [the standard instructions](https://slsa.dev/spec/draft/verification_summary#how-to-verify) or using [standard tooling](https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#verification-summary-attestations-vsa) and looking for `SLSA_SOURCE_LEVEL_2` in the `verifiedLevels` field.

---------

Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com>
Co-authored-by: Zachariah Cox <zachariahcox@github.com>
Co-authored-by: Aditya Sirish <8928778+adityasaky@users.noreply.github.com>
Co-authored-by: Marcela Melara <marcela.melara@intel.com>
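The consumer-side check the commit message above walks through (trust an authority, fetch the VSA for a revision, confirm the level in `verifiedLevels`), as an added example that is not code from the SLSA project, slsa-verifier, or this PR. It assumes the DSSE envelope signature has already been verified with standard tooling and inspects only the decoded in-toto Statement; it also assumes source-track levels are cumulative, so a VSA stating `SLSA_SOURCE_LEVEL_3` satisfies a request for level 2. The authority id, repository URI, commit digest and sample statement are constructed placeholders.

```python
"""Check a SLSA Verification Summary Attestation (VSA) for a source revision.

Added example, not code from the SLSA project or this PR. Assumptions:
- the DSSE envelope signature was already verified by standard tooling;
  only the decoded in-toto Statement is inspected here;
- source-track levels are cumulative, so a higher verified level satisfies
  a lower requirement;
- the authority id, repository URI, commit digest and the whole sample
  statement are constructed placeholders, not real attestation data.
"""
import json
import re

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"
LEVEL_RE = re.compile(r"^SLSA_SOURCE_LEVEL_(\d+)$")

# Constructed placeholders used by the sample below.
TRUSTED_AUTHORITY = "https://example.com/source-authority"
SAMPLE_COMMIT = "9a04d1e" + "0" * 33          # 40 hex chars, placeholder digest
SAMPLE_REPO = "git+https://example.com/org/repo"

# Constructed sample VSA statement, as the placeholder authority might issue it.
SAMPLE_VSA = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": SAMPLE_REPO, "digest": {"gitCommit": SAMPLE_COMMIT}}],
    "predicateType": VSA_PREDICATE_TYPE,
    "predicate": {
        "verifier": {"id": TRUSTED_AUTHORITY},
        "timeVerified": "2024-10-01T12:00:00Z",
        "resourceUri": SAMPLE_REPO,
        "policy": {"uri": "https://example.com/source-policy"},
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_SOURCE_LEVEL_3"],
    },
})


def source_level_from(levels):
    """Highest SLSA_SOURCE_LEVEL_n named in verifiedLevels, or 0 if none.

    Entries from other tracks (e.g. SLSA_BUILD_LEVEL_n) are ignored on purpose.
    """
    best = 0
    for entry in levels:
        m = LEVEL_RE.match(entry)
        if m:
            best = max(best, int(m.group(1)))
    return best


def check_source_vsa(statement_json, trusted_verifiers, expected_commit,
                     expected_resource, required_level):
    """Return (ok, reason); a failed check names exactly what did not match."""
    st = json.loads(statement_json)
    if st.get("predicateType") != VSA_PREDICATE_TYPE:
        return False, "predicateType is not a VSA"
    pred = st.get("predicate") or {}
    # The consumer decides whom to trust; the attestation cannot vouch for
    # its own issuer.
    verifier_id = (pred.get("verifier") or {}).get("id")
    if verifier_id not in trusted_verifiers:
        return False, "verifier is not a trusted authority"
    # The subject must be the very revision being checked; a VSA for another
    # commit or another repository proves nothing about this one.
    digests = [(s.get("digest") or {}).get("gitCommit")
               for s in (st.get("subject") or [])]
    if expected_commit not in digests:
        return False, "subject does not name the expected commit"
    if pred.get("resourceUri") != expected_resource:
        return False, "resourceUri does not match the expected repository"
    if pred.get("verificationResult") != "PASSED":
        return False, "verificationResult is not PASSED"
    level = source_level_from(pred.get("verifiedLevels") or [])
    if level < required_level:
        return False, f"verified source level {level} is below required {required_level}"
    return True, f"SLSA_SOURCE_LEVEL_{level} for {expected_commit[:7]} verified by {verifier_id}"


if __name__ == "__main__":
    ok, why = check_source_vsa(SAMPLE_VSA, {TRUSTED_AUTHORITY},
                               SAMPLE_COMMIT, SAMPLE_REPO, 3)
    print(ok, why)
```

The order of the checks matters to a consumer: the verifier identity and the subject digest are tested before the level, because a level claim from an untrusted issuer, or about a different commit, must never count regardless of what it says.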
…1153)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [webrick](https://redirect.github.com/ruby/webrick) | `1.8.1` -> `1.8.2` | [![age](https://developer.mend.io/api/mc/badges/age/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/rubygems/webrick/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/rubygems/webrick/1.8.1/1.8.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220)

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

---

### Release Notes

<details>
<summary>ruby/webrick (webrick)</summary>

### [`v1.8.2`](https://redirect.github.com/ruby/webrick/releases/tag/v1.8.2)

[Compare Source](https://redirect.github.com/ruby/webrick/compare/v1.8.1...v1.8.2)

#### What's Changed

- Drop commented-out line by [@​olleolleolle](https://redirect.github.com/olleolleolle) in [https://github.com/ruby/webrick/pull/108](https://redirect.github.com/ruby/webrick/pull/108)
- Add Ruby 3.1 & 3.2 to CI matrix by [@​tricknotes](https://redirect.github.com/tricknotes) in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109)
- Fix/redos by [@​ooooooo-q](https://redirect.github.com/ooooooo-q) in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114)
- Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/120](https://redirect.github.com/ruby/webrick/pull/120)
- Bump actions/checkout from 3 to 4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/ruby/webrick/pull/121](https://redirect.github.com/ruby/webrick/pull/121)
- Improve CI by [@​hsbt](https://redirect.github.com/hsbt) in [https://github.com/ruby/webrick/pull/123](https://redirect.github.com/ruby/webrick/pull/123)
- Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by [@​KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128)
- Fix bug chunk extension detection by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/125](https://redirect.github.com/ruby/webrick/pull/125)
- Fix CI. by [@​ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/131](https://redirect.github.com/ruby/webrick/pull/131)
- Merge multiple cookie headers, preserving semantic correctness. by [@​ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/130](https://redirect.github.com/ruby/webrick/pull/130)
- Test on macos-latest by [@​byroot](https://redirect.github.com/byroot) in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132)
- Require CRLF line endings in request line and headers by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/138](https://redirect.github.com/ruby/webrick/pull/138)
- Prefer squigly heredocs. by [@​ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/143](https://redirect.github.com/ruby/webrick/pull/143)
- Only strip space and horizontal tab in headers by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/141](https://redirect.github.com/ruby/webrick/pull/141)
- Treat missing CRLF separator after headers as an EOFError by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/142](https://redirect.github.com/ruby/webrick/pull/142)
- Return 400 response for chunked requests with unexpected data after chunk by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/136](https://redirect.github.com/ruby/webrick/pull/136)
- Fix reference to URI::REGEXP::PATTERN::HOST by [@​casperisfine](https://redirect.github.com/casperisfine) in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144)
- Prevent request smuggling by [@​jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/146](https://redirect.github.com/ruby/webrick/pull/146)

#### New Contributors

- [@​tricknotes](https://redirect.github.com/tricknotes) made their first contribution in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109)
- [@​ooooooo-q](https://redirect.github.com/ooooooo-q) made their first contribution in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114)
- [@​KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) made their first contribution in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128)
- [@​byroot](https://redirect.github.com/byroot) made their first contribution in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132)
- [@​casperisfine](https://redirect.github.com/casperisfine) made their first contribution in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144)

**Full Changelog**: ruby/webrick@v1.8.1...v1.8.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa).

Signed-off-by: Mend Renovate <bot@renovateapp.com>
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | patch | `v4.0.3` -> `v4.0.4` |

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa).

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Suggest PR authors assign specific reviewers and ping the Slack channel if they want. The goal is to make it more clear who is expected to take the next action on PRs vs the current situation where the maintainers may think someone else will take a look or that they may have missed the initial PR request. fixes slsa-framework#1149 --------- Signed-off-by: Tom Hennen <tomhennen@google.com> Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com> Co-authored-by: Marcela Melara <marcela.melara@intel.com>
…k#1157) Closes slsa-framework#1155. Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
…with project board links. (#1171)

fixes: #1128 (cleaned up version of #1166)

This change is in response to the 9.30 slsa specification meeting on this topic.

An SCS is the full suite of services and ideas relied upon by the organization to create source revisions.

VCS stuff should mostly fall out of the discussion.

Repositories can be used as the concept used when we need to talk about authN and authZ w.r.t. authentic contributions.