
content: resourceUri SHOULD match the download URI #1220

Merged (3 commits), Nov 7, 2024

Conversation

TomHennen (Contributor)

When verifying VSAs, consumers are expected to match the resourceUri with the 'expected value', but the spec doesn't currently indicate how that expected value is to be determined.

In this change we suggest the resourceUri be set to the URI the consumer will fetch the artifact from. If it's set to something else, the producer MUST tell the user how to determine the expected value.

fixes #1212

When verifying VSAs consumers are expected to match the resourceUri
with the 'expected value' but the spec doesn't currently indicate
how that expected value is to be determined.

In this change we suggest the resourceUri be set to the URI
the consumer will fetch the artifact from. If it's set to something
else the producer MUST tell the user how to determine the expected
value.

fixes slsa-framework#1212

Signed-off-by: Tom Hennen <tomhennen@google.com>
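As an added illustration of the check the description above calls for (this is example code written for this page, not code from the PR or from the SLSA project), the following Python verifies a VSA against the URI the consumer actually fetched the artifact from, which is the expected value this change recommends. The in-toto statement, the download URI, the verifier id, the policy URI and the artifact bytes are all constructed for the example; the verifier assumes the DSSE envelope signature has already been checked and that the predicate field names follow the SLSA v1 verification_summary layout.

```python
import hashlib
from typing import Dict, List, Set, Tuple

VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"

# Constructed values for the example; none of these come from the PR.
DOWNLOAD_URI = "https://example.com/releases/v1.2.3/app.tar.gz"
ARTIFACT = b"constructed artifact bytes\n"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto Statement carrying a VSA predicate. Following the
# recommendation in this PR, resourceUri is the URI the consumer downloads from.
SAMPLE_VSA: Dict = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": _sha256(ARTIFACT)}}],
    "predicateType": VSA_PREDICATE_TYPE,
    "predicate": {
        "verifier": {"id": "https://example.com/verifier"},  # hypothetical verifier
        "timeVerified": "2024-10-24T00:00:00Z",
        "resourceUri": DOWNLOAD_URI,
        "policy": {"uri": "https://example.com/policy/app"},  # hypothetical policy
        "verificationResult": "PASSED",
        "verifiedLevels": ["SLSA_BUILD_LEVEL_3"],
        "slsaVersion": "1.0",
    },
}


def verify_vsa(
    statement: Dict, download_uri: str, artifact: bytes, required_levels: Set[str]
) -> Tuple[bool, List[str]]:
    """Check a (already signature-verified) VSA statement against what the
    consumer actually fetched. Returns (ok, list of problems found)."""
    problems: List[str] = []

    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    pred = statement.get("predicate", {})

    # The expected value of resourceUri is the URI the consumer downloaded from.
    if pred.get("resourceUri") != download_uri:
        problems.append(
            f"resourceUri {pred.get('resourceUri')!r} does not match "
            f"download URI {download_uri!r}"
        )

    # The VSA must be about the bytes we actually have, not just the same name.
    digest = _sha256(artifact)
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        problems.append("no subject digest matches the downloaded artifact")

    if pred.get("verificationResult") != "PASSED":
        problems.append(f"verificationResult is {pred.get('verificationResult')!r}")

    # Every level the consumer's policy demands must appear in verifiedLevels.
    missing = set(required_levels) - set(pred.get("verifiedLevels", []))
    if missing:
        problems.append(f"missing verified levels: {sorted(missing)}")

    return (not problems, problems)


if __name__ == "__main__":
    print(verify_vsa(SAMPLE_VSA, DOWNLOAD_URI, ARTIFACT, {"SLSA_BUILD_LEVEL_3"}))
    # A VSA fetched via a different location than the one it names is rejected.
    print(verify_vsa(SAMPLE_VSA, "https://mirror.example.net/app.tar.gz", ARTIFACT, set()))
```

The resourceUri comparison is an exact string match on purpose: a mirror or redirect target is a different resource from the consumer's point of view, and if a producer wants a VSA to cover several download locations the change above says the producer must document how the consumer derives the expected value rather than leaving the consumer to guess.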

netlify bot commented Oct 24, 2024

Deploy Preview for slsa ready!

Name Link
🔨 Latest commit cbe3b40
🔍 Latest deploy log https://app.netlify.com/sites/slsa/deploys/671bdf068cd82e000874c35f
😎 Deploy Preview https://deploy-preview-1220--slsa.netlify.app

@TomHennen TomHennen changed the title resourceUri SHOULD match the download URI content: resourceUri SHOULD match the download URI Oct 24, 2024
TomHennen (Contributor, Author)

@adityasaky this was your suggestion, so I'd love your thoughts too.

Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
hepwori (Contributor) left a comment

lgtm

adityasaky (Member) left a comment

LGTM!

TomHennen (Contributor, Author)

I think we need one more maintainer to approve this PR before we merge. @lehors, @trishankatdatadog, or @mlieberman85 would you mind taking a look?

mlieberman85 (Member) left a comment

LGTM

@adityasaky adityasaky merged commit 5fea409 into slsa-framework:main Nov 7, 2024
6 checks passed
Successfully merging this pull request may close these issues.

Clarify how end-users can know the expected value of resourceUri in a VSA