This project is mirrored from https://github.com/slsa-framework/slsa.git.
  1. 24 Jun, 2021 1 commit
  2. 23 Jun, 2021 6 commits
  3. 22 Jun, 2021 7 commits
  4. 21 Jun, 2021 6 commits
  5. 18 Jun, 2021 1 commit
  6. 17 Jun, 2021 3 commits
  7. 14 Jun, 2021 2 commits
  8. 11 Jun, 2021 2 commits
  9. 10 Jun, 2021 4 commits
  10. 09 Jun, 2021 4 commits
    • Merge pull request #56 from MarkLodato/provisional · 21e12e71
      Mark Lodato authored
      Remove "proposed" wording.
      21e12e71
    • Remove "proposed" wording. · 529afa03
      Mark Lodato authored
      Minor changes to remove the notion that this is a "proposal" and instead
      just describe SLSA as it is.
      
      Also explain that levels 2-3 are likely to change in the future, rather
      than using some sort of symbol (*) or term (provisional), since
      technically all requirements are subject to change. It's just that 2-3
      are more likely to change.
      529afa03
    • Merge pull request #55 from MarkLodato/clarification · acc814a1
      Mark Lodato authored
      Clarify SLSA requirements.
      acc814a1
    • Clarify SLSA requirements. · d0c79147
      Mark Lodato authored
      Changes to requirements:
      - Remove "Source Integrity", add immutable references to "Hermetic".
      - Drop "Common" from SLSA 2 because it is likely expensive.
      
      Clarifications:
      - Split out "Ephemeral Environment" from "Isolation" (from #52).
      - Explain that GH-generated merge commits meet Verified History (from #52).
      - Clarify that all artifact references are immutable (from #52).
      - Rename "Dependencies" to "Dependencies Complete" to avoid confusion.
      - Define "SLSA level", "provenance", and "top-level source."
      - Other minor cleanups.
      d0c79147
  11. 08 Jun, 2021 4 commits
    • Merge pull request #54 from MarkLodato/diagrams · 17b77918
      Mark Lodato authored
      Update Vision section with latest changes.
      17b77918
    • Update Vision section with latest changes. · 6ee42edd
      Mark Lodato authored
      - Make the vision diagrams consistent with the terminology section:
        - Output is on the right, input is on the left.
        - Use colors consistently.
        - Rename "resource" to "artifact locator".
        - Simplify the diagram to reduce confusion (fixes #31).
      - Update the level explanations based on recent changes:
        - SLSA 1 is unsigned.
        - Add SLSA 1.5 (merged with the SLSA 2 section).
        - Minor wording updates.
      - Remove Deployment Policies section. We will eventually need to explain
        policies, but for now let's omit it until we agree on what that should
        look like.
      6ee42edd
    • Merge pull request #53 from MarkLodato/terminology · 6f552a33
      Mark Lodato authored
      Remove Resource and Deploy to simplify the model.
      6f552a33
    • Remove Resource and Deploy to simplify the model. · 03699118
      Mark Lodato authored
      Previously, we differentiated between Resources and Artifacts, and SLSA
      was a property of a Resource's security policy. However, many readers
      found this concept very confusing.
      
      Now, SLSA is purely a property of the artifact. If provenance exists
      showing that it met the requirements, the artifact meets the level. No
      policy or notion of "resource" is required. This simplifies the model at
      some cost of security, which we have collectively decided is worth the
      trade-off.
      
      NOTE: The Vision section will be updated in a future change.
      03699118