Zachariah Cox

Results 11 issues of Zachariah Cox

fixes https://github.com/slsa-framework/slsa/issues/1072 ## Context Based on discussion from https://github.com/slsa-framework/slsa/pull/1037 See [discussion here](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#heading=h.svjr333bawb). Copied from [draft proposal here](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#bookmark=id.4qr65cfy6ufj). Google document requires [email protected] membership. ## Source revision provenance Repos contain many revisions,...

source-track

closes out the remainder of the pre-merge [issues](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#heading=h.au8zjzii8lgw). ## changes 1. adds high-level document status section. 2. convert outstanding TODOs to a dynamic link to `label:source-track` issues in slsa repo...

Goals: * new functionality added to scorecard app in a topic branch * demonstrate reading from rulesets and repositories APIs to validate at least one best practice * demonstrate summarization...

The source-requirements document should have a table mapping out the responsibilities of the organization / producer and the "source platform" (a combination of standard modern developer tools). ``` LGTM I...

source-track

related to: https://github.com/slsa-framework/slsa/pull/1097#discussion_r1718489268 ## Level 2 my initial thoughts are that we're trying to get across the following concepts: teams can have more than one branch teams may need to...

source-track

There is a bunch of doc formatting work to do after we decide what the doc should say! Collect it here.

spec-change
source-track

> Thanks @steiza and @zachariahcox! This is a great start. My team has thought about this topic quite significantly and I'm happy to share those thoughts as well (matches fairly...

source-track

> This will be related to the general SLSA guidance of "trust the platforms, verify the outputs." > We have some initial content in [verifying-source.md](https://github.com/slsa-framework/slsa/blob/main/docs/spec/draft/verifying-source.md) _Originally posted by @zachariahcox in...

source-track

Ideally someone familiar with generation of in-toto specifications will propose a suitable, extensible solution to "provenance claims" made from the perspective of the SCP. Here is a _very_ rough summary...

source-track

continued from: * https://github.com/slsa-framework/slsa/pull/1097#discussion_r1714090149 * https://github.com/slsa-framework/slsa/pull/1097#discussion_r1714293116 Zac's thoughts: I think this is what would need to be covered: * A target branch (EG: `refs/heads/main`) has at least minimal branch protections...

source-track