This project is mirrored from https://github.com/slsa-framework/slsa.git.
- 29 Jun, 2021 1 commit
-
-
Tom Hennen authored
-
- 25 Jun, 2021 3 commits
-
-
Tom Hennen authored
-
Tom Hennen authored
-
Tom Hennen authored
This is just an initial thought. We might only want this adjustment at L2 but still make the build service generate the provenance at L3+. On the other hand, maybe as long as the builder _reports_ the data and it's confident in that data, it would be fine for some other service to generate the provenance? That would allow for a 'trusted service' to translate one provenance format to another (in addition to gathering the data from API calls).
-
- 24 Jun, 2021 2 commits
-
-
Mark Lodato authored
Add link to GitHub issues.
-
Mark Lodato authored
This makes it easier to open an issue, especially from slsa.dev.
-
- 23 Jun, 2021 6 commits
-
-
Abhishek Arya authored
Convert Source and Common requirements to tables
-
Mark Lodato authored
The format now matches that of the Build requirements.
-
Mark Lodato authored
Remove all the indentation from the requirements table to avoid confusion and mistakes. Previously we indented each level with one space, which happened to work because we never used more than three spaces. But this is misleading because four or more spaces are interpreted as a code block. Instead, do not indent the HTML table at all, which is what the CommonMark specification recommends. Also remove the </tr> tags because they are not needed.
-
Mark Lodato authored
Merge all requirements docs into one.
-
Mark Lodato authored
This allows us to add a link to the top of the website, and it also makes it easier to see all requirements on one page. NOTE: In a future change, I will reformat the source and common requirements into table form, to match the build requirements.
-
Mark Lodato authored
Linkify reqs table; remove duplicate descriptions.
-
- 22 Jun, 2021 7 commits
-
-
Mark Lodato authored
In the "Level requirements" section, add links in the table from each requirement to the corresponding entry in the detailed source/build/common doc, and remove the duplicate "summary" descriptions below it. This avoids confusion and the need to keep the two in sync, at the cost of making it slightly harder to skim. This seems like a worthwhile tradeoff.
Also convert the table to pure Markdown, for two reasons:
  - To make the table easier to maintain.
  - To allow links to work in both GitHub and GitHub Pages. This is achieved by the jekyll-relative-links plugin, which only works with markdown links, not HTML links.
The downside to converting to Markdown is that we can't use rowspan and colspan. This isn't too bad of a hit to readability.
-
Mark Lodato authored
Create GitHub Pages and move example to separate page.
-
Mark Lodato authored
This was out of date and is no longer needed.
-
Mark Lodato authored
-
Mark Lodato authored
Right now it is just the same as the README.
-
Abhishek Arya authored
Remove extra "build"
-
Eli Rozen authored
Minor fix to avoid the use of double "build"
-
- 21 Jun, 2021 6 commits
-
-
Tom Hennen authored
Rename signing-spec to DSSE.
-
Mark Lodato authored
This is the new official name.
-
Tom Hennen authored
Define SLSA 0.
-
Mark Lodato authored
Fixes #29.
-
Tom Hennen authored
typofix: "reviewed"
-
Mark Lodato authored
Fixes #65.
-
- 18 Jun, 2021 1 commit
-
-
Abhishek Arya authored
SLSA 3->4
-
- 17 Jun, 2021 3 commits
-
-
Abhishek Arya authored
Clarify where the sha256 comes from in the Alpine build process.
-
Dan Lorenc authored
-
Tom Hennen authored
SLSA 4 section should say that once these controls are enabled the artifact will be SLSA 4, not 3.
-
- 14 Jun, 2021 2 commits
-
-
Mark Lodato authored
Define build requirements; add "Parameterless".
-
Mark Lodato authored
Fully define all build requirements. The document still needs an introduction, including diagram, threat model, and high-level description. Add a "Parameterless" requirement to SLSA 4, which we forgot previously.
-
- 11 Jun, 2021 2 commits
-
-
Abhishek Arya authored
Renumber levels to be integers.
-
Mark Lodato authored
That is:
  - 1.5 => 2
  - 2 => 3
  - 3 => 4
-
- 10 Jun, 2021 4 commits
-
-
Mark Lodato authored
Add detailed source requirements.
-
Mark Lodato authored
-
Mark Lodato authored
-
Mark Lodato authored
This should now give enough detail that platforms can start implementing SLSA 1.5 and above. Further clarifications are likely needed, but this is a good start.
-
- 09 Jun, 2021 3 commits
-
-
Mark Lodato authored
Remove "proposed" wording.
-
Mark Lodato authored
Minor changes to remove the notion that this is a "proposal" and instead just describe SLSA as it is. Also explain that levels 2-3 are likely to change in the future, rather than using some sort of symbol (*) or term (provisional), since technically all requirements are subject to change. It's just that 2-3 are more likely to change.
-
Mark Lodato authored
Clarify SLSA requirements.
-