Workstream: Release SLSA v1.1 #900

Open
3 of 7 tasks
kpk47 opened this issue Jul 6, 2023 · 10 comments

@kpk47
Contributor

kpk47 commented Jul 6, 2023

This is a tracking issue for releasing v1.1. The primary goal of v1.1 is to release small updates to v1.0 to address issues that are too significant for an in-place update to v1.0 yet we don't want to block until the next significant release.

Workstream shepherd: Joshua Lock (@joshuagl)

Sub-issues:

@kpk47
Contributor Author

kpk47 commented Jul 6, 2023

I think most of the urgency is gone since in-toto changed the spot where there was a conflict between the two specs. #882 and #892 could be enough for a v1.1 release, so I guess the question is what else we would add if we waited.

@joshuagl
Member

I think we should aim to have a patch release soon.

We could include:

What other changes should we consider?

@laurentsimon
Contributor

If VSA is part of this release, it would be useful to resolve other VSA issues - at least those we consider blocking and/or whose resolution may be backward-incompatible.

MarkLodato moved this from 🆕 New to 📋 Backlog in Issue triage on Jul 31, 2023
@MarkLodato
Member

Created the v1.1 directory in #942

MarkLodato added the "workstream" label (Major effort comprising multiple sub-issues) on Oct 10, 2023
MarkLodato changed the title from "When to release SLSA v1.1" to "Project: Release SLSA v1.1" on Oct 10, 2023
@joshuagl
Member

If VSA is part of this release, it would be useful to resolve other VSA issues - at least those we consider blocking and/or whose resolution may be backward-incompatible.

Do you have any particular issues in mind? I took a look at the issues backlog and identified the following VSA related items:

@MarkLodato
Member

Joshua, could you add those issues to the top post? I just created a template there. If you use that format, GitHub links them bi-directionally, which is nice.

@joshuagl
Member

Good tip. Done, thanks.

MarkLodato changed the title from "Project: Release SLSA v1.1" to "Workstream: Release SLSA v1.1" on Oct 17, 2023
@TomHennen
Contributor

I'm curious about how we're feeling about this issue's representation of what's in scope for SLSA 1.1. The issue suggests they'll just be small clarifications but then we're also working on the source track, a new build level etc...

Is there anything else we're trying to get into a 1.1 release?

@joshuagl
Member

Good question, I asked something similar when reviewing the first draft of the Source track. I'd missed a discussion on this very topic in a working meeting which Arnaud summarised:

Final thought, is adding a new level appropriate for a minor release, or should we consider a major release for this?

We've talked about this on Monday's call actually. We agreed to punt on this issue for now and wait until we decide to publish the next version of the spec. We can then discuss what change to the version number is the most appropriate based on what ends up being in the spec. For now we can still work on "1.1" without it being binding.

We could try and get a release (1.1?) out sooner while we continue to work on the source track and new build level. Would that be useful? Are there things that SLSA adopters are seeking clarity on which would benefit from a "minor" release?

@TomHennen
Contributor

I think I'm mostly trying to understand what's left to do for 1.1 and how badly things get left behind that don't make it to 1.1.

E.g. I think it's unlikely the 'dependency track' would be complete for 1.1. So what would the path forward be?

lehors added a commit that referenced this issue Aug 26, 2024
This PR proposes to change the status of v1.1 to Candidate Release in
preparation for final publication.

I ought to point out that there is a bunch of VSA related issues that
had been targeted for this release and that have not been addressed. See
Issue #900. However, until someone works on any of these issues there is
no hope of making progress and waiting for these to close will delay
getting 1.1 out indefinitely. Although not ideal I therefore propose to
defer these and publish what we have.

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
zachariahcox pushed a commit to zachariahcox/slsa that referenced this issue Oct 1, 2024