slsa icon indicating copy to clipboard operation
slsa copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

Common Requirements track is missing from Future Directions

Open seaylg opened this issue 1 year ago • 3 comments

Common requirements is listed as one of 4 areas of requirements in https://slsa.dev/blog/2023/02/slsa-v1-rc but is not mentioned in the https://slsa.dev/spec/v1.0-rc1/future-directions. There is mention of "Security Best Practices" in https://slsa.dev/spec/v1.0-rc1/requirements. Is the reference in this section intended to cover Common requirements? If so, how does a company measure and verify that it is meeting this common requirement "to be conformant all implementations MUST use industry security best practices" IF "the exact definition of what constitutes a secure system is beyond the scope"?

Proposed solution:

  1. Clarify (distinction or correlation) between "security best practices" and "common requirements" on Requirements page https://slsa.dev/spec/v1.0-rc1/requirements
  2. Add plans for the Common track to the Future Directions page https://slsa.dev/spec/v1.0-rc1/future-directions

seaylg avatar Mar 08 '23 19:03 seaylg

"Verifying build systems provides a list of prompts for evaluating a build system’s SLSA conformance. Some content comes from v0.1’s Common requirements; the rest is new to v1.0.", then it is now mixing the build and common tracks. What content was mixed in and why is that content special enough to be in scope?

seaylg avatar Mar 08 '23 19:03 seaylg

Agreed that this needs fixing.

There are no future plans for a Common Track. It was removed in v1.0 and folded into "Verifying Build Systems". Basically, we gave up on the idea that we could create a list of requirements that are sufficient to be trustworthy. There exist other standards that try to do this an they're really huge, and even then I'm not sure that if someone technically meets every checkbox that there isn't some other gaping hole that was left out of the spec. In practice, our feeling is that it ends up being a judgement call based on the particulars of the system in question.

So instead we are shifting focus to say that the trustworthiness is a judgement call and giving guidance on the types of things one ought to consider when making a trust determination. In other words, it is orthogonal to the SLSA level.

MarkLodato avatar Mar 08 '23 19:03 MarkLodato

It appears there the Build track is for those using a build service. The future direction discusses more of the build track and a source track.

What's missing is a build system operations track. A build system could be operated as a complete mess or in a secure manner. One has no way to know.

mattfarina avatar Apr 05 '23 16:04 mattfarina