Explain how SLSA can help with typosquatting.

Previously the doc said flatly that typosquatting was out of scope. But SLSA can be a partial mitigation, so we should clarify that. Signed-off-by: Mark Lodato <lodato@google.com>

Explain how SLSA can help with typosquatting.
Previously the doc said flatly that typosquatting was out of scope. But SLSA can be a partial mitigation, so we should clarify that. Signed-off-by: Mark Lodato <lodato@google.com>
c506ccc0 · Mark Lodato · bb21d3e0 · c506ccc0
Commit c506ccc0 authored Dec 16, 2021 by Mark Lodato
--- a/docs/_spec/v0.1/threats.md
+++ b/docs/_spec/v0.1/threats.md
@@ -552,7 +552,10 @@ cryptographic signature is no longer valid.
 *Threat:* Register a package name that is similar looking to a popular package
 and get users to use your malicious package instead of the benign one.

-*Mitigation:* **Outside the scope of SLSA.**
+*Mitigation:* **Mostly outside the scope of SLSA.** That said, the requirement
+to make the source available can be a mild deterrent, can aid investigation or
+ad-hoc analysis, and can complement source-based typosquatting solutions.
+<sup>[[Verified history] and [Retained indefinitely] @ SLSA 3]</sup>

 </details>