
Workstream: SLSA Build L4 #977

Open
3 tasks
Tracked by #1
MarkLodato opened this issue Oct 9, 2023 · 6 comments
Labels: workstream (Major effort comprising multiple sub-issues)

Comments

MarkLodato (Member) commented Oct 9, 2023:

This is a tracking issue for creating a Build Level 4. Build L4 will likely cover some notion of the completeness of the provenance, e.g. that the resolvedDependencies are complete in SLSA Provenance format. This is based on discussions and v0.1, but nothing has been decided yet.

Workstream shepherd: David A Wheeler (@david-a-wheeler)

Related: We might want to merge with #975 (hardware attested builds) and/or #985 (build platform operations track) as discussed in #975 (comment).

Sub-issues:

@github-project-automation github-project-automation bot moved this to 🆕 New in Issue triage Oct 9, 2023
@MarkLodato MarkLodato changed the title SLSA Build L4 Project: SLSA Build L4 Oct 10, 2023
@MarkLodato MarkLodato added the workstream Major effort comprising multiple sub-issues label Oct 10, 2023
david-a-wheeler (Member) commented:

Note that I'm currently proposing entries for build levels L4 and L5. See: #873

arewm (Member) commented Oct 11, 2023:

I mentioned in the comments for the Reproducible Build requirements in SLSA (an early proposal) that I am not convinced we should add reproducibility to the SLSA build levels. Where would be the best place to have this conversation? In this issue, in that document, in a community call, elsewhere? I wasn't able to attend a previous call where this discussion happened.

MarkLodato (Member, Author) commented:

What we did in SLSA Source Track brainstorming was for each person to write down some thoughts as separate sections, then people commented on those sections and the original authors refined their ideas. Then once the comments died down, the lead (@kpk47) coalesced the ideas into one proposal. That seems to be working ok?

So if we want that model, then perhaps you could create a section in the doc and write down your thoughts on L4 and/or reproducible builds. That would allow us to critique the argument and you can hone it. It would also leave us something more durable than a doc comment and more readable than a GitHub issue comment. What do you think?

david-a-wheeler (Member) commented:

If you have ways to improve the proposal, currently the Google doc would be the right start.

If you oppose the concept of being able to reproduce builds, I guess #873 would be the place. Are you opposed to being able to reproduce builds, or are you opposed to including them in the "build track", or is it something else? I'm not sure I understand your objection.

arewm (Member) commented Oct 12, 2023:

I am not opposed to reproducible builds, just to including them in the build track. I will try to add some commentary to the document.

david-a-wheeler (Member) commented:

@arewm - I understand! Sorry, I was a little confused about your point. I originally proposed that they be a separate track, but many in the community preferred that they be in the same build track. Please do add commentary.

I think we can separate the issues of (1) what might be usefully added to SLSA and (2) whether or not reproducible builds belong in a different track. Indeed, as we refine the potential requirements, it may be easier to decide if they belong in the same or a different track.

@MarkLodato MarkLodato changed the title Project: SLSA Build L4 Workstream: SLSA Build L4 Oct 17, 2023
johnandersen777 added a commit to publicdomainrelay/reference-implementation that referenced this issue Nov 2, 2024
Related: #8
Related: slsa-framework/slsa#977
Related: slsa-framework/slsa#873
Signed-off-by: John Andersen <johnandersen777@protonmail.com>