copy: clarify names of source levels
related to: https://github.com/slsa-framework/slsa/pull/1097#discussion_r1718489268
Level 2
My initial thoughts are that we're trying to get across the following concepts:
- teams can have more than one branch
- teams may need to indicate that consumers can / should / must ignore commits on users/* and only ship commits on /releases/* because branches have different security postures
- only some branches have protected history, i.e., we allow force push to user branches. The logical VSA for this rule would need to verify that "the previous revision id is reachable from this new revision id" (i.e., there was no potential for data loss due to force push or repo hijack)
https://github.com/slsa-framework/slsa/pull/1097#discussion_r1714156093
Level 3
- https://github.com/slsa-framework/slsa/pull/1097#discussion_r1714081313
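As an added example (not from this issue or the SLSA project), the Level 2 reachability rule above, implemented over a constructed commit graph: protected `releases/*` branches may only move to a revision that still contains the previous tip, while `users/*` branches may be force-pushed. The graph, the branch prefixes and the function names are assumptions for illustration.

```python
from collections import deque

# Constructed sample: commit id -> list of parent ids (a toy DAG, not a real repo).
# c1 <- c2 <- c3 <- m1 (merge of c3 and f1); x1 is a rewrite that drops c2/c3.
SAMPLE_GRAPH = {
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],
    "f1": ["c2"],
    "m1": ["c3", "f1"],   # merge commit: two parents
    "x1": ["c1"],         # history rewritten on top of c1 (force push)
}

# Hypothetical policy table: branches whose history must only move forward.
PROTECTED_PREFIXES = ("releases/",)


def is_reachable(new_rev, prev_rev, parents):
    """True if prev_rev is an ancestor of (or equal to) new_rev.

    Follows every parent, so a merge that carries the old tip in through its
    second parent still counts as having preserved history.
    """
    seen = set()
    queue = deque([new_rev])
    while queue:
        rev = queue.popleft()
        if rev == prev_rev:
            return True
        if rev in seen:
            continue
        seen.add(rev)
        queue.extend(parents.get(rev, []))
    return False


def history_protected(branch):
    return any(branch.startswith(p) for p in PROTECTED_PREFIXES)


def check_push(branch, prev_rev, new_rev, parents=SAMPLE_GRAPH):
    """Decide whether a branch update satisfies the rule; returns (ok, reason)."""
    if not history_protected(branch):
        return True, "branch is not history-protected; force push allowed"
    if is_reachable(new_rev, prev_rev, parents):
        return True, "previous revision is reachable from the new revision"
    return False, f"{prev_rev} not reachable from {new_rev}: possible force push or history loss"
```

A real verifier would build the parent map from the repository (e.g. `git rev-list --parents`) rather than from an inline table.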