Make "Identifies Source"/"Identifies Entry Point" recommended at L1/L2.

Many builders don't necessarily have this information available to populate the provenance.

In the interest of making the lower levels easier to adopt I propose we remove this requirement at
the lower levels so that builders can comply without having to make major architectural changes
or requiring that users use them in any particular manner.

Explicitly allow multiple provenance hashes

Lay disallowance emphasis on RFC2119 MUST NOT

Joshuagl/more markdown

Reformat the attacks table, fix link to reqs.

Fix typo within case study (SLSA 3 -> 4)

Fixes #89. Thanks to @rtmorgan for reporting.

In the "How SLSA could have helped" column of the row describing threat D
"Compromise build platform" instead of linking to the generic requirements
document, link directly to the build requirements section.

Add word "later" to brief description of event-stream attack to better
indicate that the attacker was deliberate and patient.

Have dependabot keep npm modules up-to-date also

As we now keep npm packaging metadata in the repository, have dependabot
monitor it and notify of updates.
Signed-off-by: Joshua Lock <jlock@vmware.com>

This makes the table easier to maintain. Although the long lines are
annoying, we get the benefit of not having to deal with HTML.

Reformat the attacks table to make it easier to maintain:
- Remove unnecessary closing `tr` and `td` tags.
- Merge short columns onto one line.
- Separate each row with a blank line.
- Break lines at natural boundaries.

Fix a stale link to build-requirements.md, which (a) was an absolute
link instead of relative, (b) pointed to a file that has since been
deleted, and (c) didn't work on slsa.dev since the jekyll-relative-links
plugin only works on Markdown links, not HTML links.

Set up `npm run lint` to call markdownlint.

This makes it easier for other developers to run markdownlint, and
checking in package-lock.json ensures that we're all using the same
version.

Futhermore, this commit calls `npm run lint` directly instead of using
the GitHub Action because the action doesn't seem to be working.

Make workflow permissions read only

Reformat using markdownlint and set up GH Action.

Also set up dependabot to keep the GitHub Action up-to-date.

Allow a service other than the 'build service' to generate provenance

Link to slsa.dev, remove duplicate content, and clean up formatting.

When viewing the page on GitHub, there is now a link telling the reader
that it is best viewed at https://slsa.dev. This does not show up when
rendered via GitHub Pages.

Include threat model and wording updates from blogpost

Remove TODO link reminders; remove "How to Get Started" section; fix/clean up links and wording.

Add links; remove "finalized" from SLSA 1 description.

This is just an initial thought.  We might only want this adjustment at L2 but still make the build service generate the provenance at L3+.

On the other hand, maybe as long as the builder _reports_ the data and it's confident in that data, it would be fine for some other service to generate the provenance?

That would allow for a 'trusted service' to translate one provenance format to another (in addition to gathering the data from API calls).

Add link to GitHub issues.

This makes it easier to open an issue, especially from slsa.dev.