Define "trusted control plane"
Another phrase which occurs a few times in the SLSA requirements but is not clearly defined (or I haven't found the definition!) is trusted control plane.
It would be very useful to have this clearly defined in the SLSA terminology, especially how it could apply to different systems. For example, this phrase would likely mean something different for GitHub Actions, which is hosted and has complete control over the control plane, vs. for something like Tekton, where the trusted control plane depends on how Tekton is configured and may also include components such as Tasks.
(More context is available in SLSA + Tekton: Case Study, particularly the section around what "trusted control plane" could mean for Tekton; the doc is visible to anyone on the mailing list [email protected].)
+1 to resolving this for v1.0.
This may have been addressed by https://github.com/slsa-framework/slsa/pull/568.
This can be further clarified, because requirements.md says "trusted control plane" without linking to a definition. A simple solution is to link to the corresponding page in "verifying build systems".