This project is mirrored from https://github.com/slsa-framework/slsa.git.
  1. 02 Jun, 2021 1 commit
  2. 26 May, 2021 1 commit
  3. 18 May, 2021 3 commits
  4. 10 May, 2021 2 commits
  5. 07 May, 2021 1 commit
  6. 30 Apr, 2021 2 commits
  7. 26 Apr, 2021 1 commit
    • Remove broken links to SRS Book PDF (#25). · 85861abf
      Mark Lodato authored
      Looks like Google took down the free copy of the book, so we just have
      to link to the landing page. That also means we can't use that as one of
      our "benefits of reproducible builds" links. :-(
  8. 22 Apr, 2021 1 commit
  9. 21 Apr, 2021 1 commit
  10. 19 Apr, 2021 2 commits
  11. 13 Apr, 2021 2 commits
  12. 12 Apr, 2021 3 commits
    • Require Reproducibility or a justification. · fdcd336d
      Mark Lodato authored
      Previously we only "recommended" reproducibility. This was both very
      weak and also unenforceable.
      
      Now we require Reproducibility unless there is a justification why it is
      not. This is a much stronger motivation to make things Reproducible: it
      is the path of least resistance. Furthermore, this can now be checked
      in an automated way: either the "reproducible" bit is set or the
      "justification" is non-empty. We will likely want to have an enum of
      valid justifications, but that will be decided once we write detailed
      builder requirements.
    • Add Reproducibility as a recommendation for SLSA 3. · 5310e40a
      Mark Lodato authored
      At SLSA 3, we now recommend reproducible builds. This is not a strict
      requirement because not all builds can become reproducible, as explained
      in the text. Once we write the detailed requirements, we will likely
      want to somehow explain that reproducible should be the default, while
      still allowing individual projects to opt-out.
      
      The reason for adding this recommendation is to move the industry
      towards reproducibility, which is a generally useful property. By having
      it as the "default" path, most software will just go with the path of
      least resistance rather than opting out.
      
      Note that this does not require *verifying* the reproduction for
      security. Instead, the builder just claims that it was reproducible,
      presumably by building it twice and making sure that the output is
      identical.
    • Merge pull request #16 from MarkLodato/nits · 684bbf7c
      Mark Lodato authored
      Small fixes 
  13. 09 Apr, 2021 2 commits
  14. 06 Apr, 2021 2 commits
  15. 02 Apr, 2021 3 commits
  16. 01 Apr, 2021 2 commits
    • attestations: add more words about typing · a9e27a41
      Mark Lodato authored
    • attestations: Simplify the model. · 5be970bc
      Mark Lodato authored
      - Add an Overview section explaining the relationship between raw
        signatures and attestations.
      - Remove the policy diagram since it's not germane to this doc.
      - Remove the Type fields, since they are an implementation detail.
      - Remove most of the requirements since they're not super helpful.
        Instead, make the Summary section explain the most important bits.
      - Move "Materials" to the Predicate layer and rename to "Link", since
        that is where it logically belongs and matches English.
      - Add a bunch of future items, based on feedback.
  17. 30 Mar, 2021 2 commits
  18. 23 Mar, 2021 2 commits
  19. 19 Mar, 2021 1 commit
  20. 18 Mar, 2021 1 commit
  21. 17 Mar, 2021 2 commits
  22. 16 Mar, 2021 3 commits