Move Provenance to SLSA repo #54

Closed
MarkLodato opened this issue Jul 26, 2021 · 6 comments · Fixed by #57
Comments

@MarkLodato
Contributor

The current Provenance predicate is described as a generic way to express provenance, but it was designed expressly for SLSA. It makes certain assumptions and trade-offs, such as carefully designing the fields to avoid mistakes when applying a SLSA policy. Other use cases of "provenance" may make different trade-offs, such as including the list of build steps that were performed to allow policies to detect curl | bash, which for SLSA is unnecessary and may lead to confusion.

To avoid these issues, it might be best to move all of the predicates out of this repo and instead maintain an index of links.

  • Provenance -> SLSA
  • Link -> in-toto (a different repo)
  • SPDX -> something maintained by SPDX team

That would make it more clear that (a) other definitions of "provenance" are OK for different use cases, and (b) not all predicates need to be defined in this repo.

Any thoughts? cc @adityasaky @TomHennen @dlorenc

@joshuagl
Contributor

Moving predicate definitions out of this repo makes sense to reinforce that this is the format definition and to encourage definition of use-case specific predicates.

Do you think there would need to be any categorisation or review of predicates we link to?

@MarkLodato
Contributor Author

Do you think there would need to be any categorisation or review of predicates we link to?

Perhaps eventually, if we get a lot of them. Initially I'm assuming there will only be a few.

@TomHennen
Contributor

This makes sense to me.

@adityasaky
Member

I think this makes sense. Should we emphasize a "list your predicate here" mechanism that incorporates review, and also discusses ongoing review for any possible changes made after a predicate is listed here?

@TomHennen
Contributor

I like that idea.

I guess it would take the form of some doc that gives a blurb about the predicate and links to wherever it's actually defined. Is that what you're thinking?

Do we have agreement on this? If so I can move 'Provenance' to the SLSA repo and create an initial doc of predicates.

@adityasaky
Member

I think that makes sense, and we can formalize any review processes we feel are necessary when we have more predicates, as @MarkLodato said.

@TomHennen TomHennen self-assigned this Aug 2, 2021
@TomHennen TomHennen assigned MarkLodato and unassigned TomHennen Aug 3, 2021
MarkLodato added a commit to MarkLodato/attestation that referenced this issue Aug 3, 2021
The Provenance predicate has been moved to https://slsa.dev/predicate,
as per issue in-toto#54. We leave the old page in existence to allow old links
to continue to function.

Also remove the ci_survey.md file since it was specific to provenance.
MarkLodato added a commit to MarkLodato/attestation that referenced this issue Aug 3, 2021
MarkLodato added a commit to MarkLodato/attestation that referenced this issue Aug 4, 2021
MarkLodato added a commit to MarkLodato/github-actions-demo that referenced this issue Aug 5, 2021
4 participants