  1. 25 Jun, 2021 3 commits
    • Update · 447b5291
      Tom Hennen authored
    • Update · 269cfe0f
      Tom Hennen authored
    • Allow a service other than the 'build service' to generate provenance · 5f253fb9
      Tom Hennen authored
      This is just an initial thought.  We might only want this adjustment at L2 but still make the build service generate the provenance at L3+.
      On the other hand, maybe as long as the builder _reports_ the data and it's confident in that data, it would be fine for some other service to generate the provenance?
      That would allow for a 'trusted service' to translate one provenance format to another (in addition to gathering the data from API calls).
  2. 24 Jun, 2021 2 commits
  3. 23 Jun, 2021 6 commits
  4. 22 Jun, 2021 7 commits
  5. 21 Jun, 2021 6 commits
  6. 18 Jun, 2021 1 commit
  7. 17 Jun, 2021 3 commits
  8. 14 Jun, 2021 2 commits
  9. 11 Jun, 2021 2 commits
  10. 10 Jun, 2021 4 commits
  11. 09 Jun, 2021 4 commits
    • Merge pull request #56 from MarkLodato/provisional · 21e12e71
      Mark Lodato authored
      Remove "proposed" wording.
    • Remove "proposed" wording. · 529afa03
      Mark Lodato authored
      Minor changes to remove the notion that this is a "proposal" and instead
      just describe SLSA as it is.
      Also explain that levels 2-3 are likely to change in the future, rather
      than using some sort of symbol (*) or term (provisional), since
      technically all requirements are subject to change. It's just that 2-3
      are more likely to change.
    • Merge pull request #55 from MarkLodato/clarification · acc814a1
      Mark Lodato authored
      Clarify SLSA requirements.
    • Clarify SLSA requirements. · d0c79147
      Mark Lodato authored
      Changes to requirements:
      - Remove "Source Integrity", add immutable references to "Hermetic".
      - Drop "Common" from SLSA 2 because it is likely expensive.
      - Split out "Ephemeral Environment" from "Isolation" (from #52).
      - Explain that GH-generated merge commits meet Verified History (from #52).
      - Clarify that all artifact references are immutable (from #52).
      - Rename "Dependencies" to "Dependencies Complete" to avoid confusion.
      - Define "SLSA level", "provenance", and "top-level source."
      - Other minor cleanups.