Clarify requirements around cache use by the build platform.

Addresses #894 Signed-off-by: arewm <arewm@users.noreply.github.com>
slsa-framework · Jul 6, 2023 · b984852 · b984852
1 parent cdf14cc
commit b984852
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md
@@ -301,13 +301,18 @@ The build platform MUST guarantee the following:
 -   It MUST NOT be possible for one build to persist or influence the build
     environment of a subsequent build. In other words, an ephemeral build
     environment MUST be provisioned for each build.
+-   The build platform MUST NOT open services that allow for remote influence
+    unless all such interactions are captured as `externalParameters` in the
+    provenance.
+
+If the build platform leverages a cache for builds, it MUST guarantee the following:
+
 -   It MUST NOT be possible for one build to inject false entries into a build
     cache used by another build, also known as "cache poisoning". In other
     words, the output of the build MUST be identical whether or not the cache is
     used.
--   The build platform MUST NOT open services that allow for remote influence
-    unless all such interactions are captured as `externalParameters` in the
-    provenance.
+-   The resolved dependencies used to generate the cached artifacts MUST be captured
+    in the provenance.
 
 There are no sub-requirements on the build itself. Build L3 is limited to
 ensuring that a well-intentioned build runs securely. It does not require that