Require config as code at levels L3+ #141
Conversation
TomHennen
force-pushed
the
config-as-code-reqs
branch
from
b4ddf69 to
0d02b9f
Compare
|
Matt could you give this a quick check before I request 'official' review? |
docs/requirements.md
Outdated
| <td>Config as code | ||
| <td> | ||
|
|
||
| The build service configuration is defined in source control and drives the build automatically. |
There was a problem hiding this comment.
"drives the build automatically"
I'm a little hesitant about requiring there to be automation triggering the build. I think it'd be fine to just limit build configuration to "use this workflow" regardless of how/when it's triggered.
There was a problem hiding this comment.
Oh, I didn't intend for 'build automatically' to mean "triggered automatically", just that the this config is the set of instructions the builder followed automatically to do the build. E.g. no person needed to feed it the individual steps.
There was a problem hiding this comment.
Is there an alternative phrasing that avoids the implication of automation?
There was a problem hiding this comment.
"The build service configuration is defined in source control and drives the build automatically." -->
"The build service configuration is defined in source control and is executed by the build service."
?
There was a problem hiding this comment.
maybe "and is used as the build entrypoint"?
There was a problem hiding this comment.
I'm not that hot on using 'entrypoint' here because later we distinguish between 'entrypoint' (a singular field to reference) and 'steps' (details about how the build progressed) as being two different things. Yet here both of them count as the build instructions.
I think I'll go with "The build service configuration is defined in source control and is executed by the build service." and we can see what others think.
TomHennen
force-pushed
the
config-as-code-reqs
branch
3 times, most recently
from
4ab49cf to
e48fd4d
Compare
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Also see if there's a 'comment' type that doesn't look bad. (JSON doesn't support comments but we want to explain some things inline in these examples). Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
TomHennen
force-pushed
the
config-as-code-reqs
branch
from
e48fd4d to
5dc2dc4
Compare
Signed-off-by: Tom Hennen <tomhennen@google.com>
This will let us link to them with anchors. Also change "Manually Run Commands" to "Explicitly Run Commands" as some builders may take this list from an RPC that wasn't really defined 'manually'. Signed-off-by: Tom Hennen <tomhennen@google.com>
Also rpc -> RPC in provenance example. Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
|
@trishankatdatadog @joshuagl @brunodom @david-a-wheeler @mlieberman85 @zakgreant - thoughts on this. we would definitely benefit from 1-2 additional eyes on this requirement review. |
Signed-off-by: Tom Hennen <tomhennen@google.com>
| <td>Config as code | ||
| <td> | ||
|
|
||
| The build service configuration is defined in source control and is executed by the build service. |
There was a problem hiding this comment.
I'm trying to understand what this means for something like GCF where the build definition is entirely specified by the service itself (GCF), but is not part of the user's source control at all.
(I realize there are source provenance questions for GCF, but set those aside for the moment.)
There was a problem hiding this comment.
GCF just builds/runs whatever is in a specific repo right?
My suggestion:
- Have a recipe.type specific to GCF 'http://google.com/cloud/gcf_recipe/v1' (or whatever)
- Set recipe.entrypoint to 'gcf_implicit' (or whatever)
- Put the repo that GCF actually built in materials (should be doing this anyways)
- Set recipe.definedInMaterial to the index of the repo in 3.
Thoughts?
There was a problem hiding this comment.
GCF can build a repo, or an arbitrary zip file.
I'm not familiar with the recipe.* things - can you point me to a reference?
There was a problem hiding this comment.
https://slsa.dev/provenance/v0.1#recipe.type
If GCF is building from a zip file it wouldn't qualify at SLSA Level 3 as SLSA Level 2 requires the use of source control https://github.com/slsa-framework/slsa/blob/main/docs/requirements.md#version-controlled
but
The way I'd represent building a zip file in the provenance for GCF would probably be very similar:
- Have a recipe.type specific to GCF 'http://google.com/cloud/gcf_recipe/v1' (or whatever)
- Set recipe.entrypoint to 'gcf_implicit' (or whatever)
- Put the path of the zip file and it's hash that GCF actually built in materials (should be doing this anyways)
- Set recipe.definedInMaterial to the index of the zip file in 3.
So the provenance would basically look the same, but the artifacts built from zip files shouldn't qualify for anything higher than SLSA L1.
There was a problem hiding this comment.
Okay, so the recipe.* parts are within the provenance.
My question is more specifically about the phrase "build service configuration is defined in source control" - in GCF, the build configuration is not defined in source control - even in the case of the source being in version control.
There was a problem hiding this comment.
Right. I think since GCF is basically a fixed function in that regard (you can think of the build configuration as being as simple as 'gcf ') that it would be completely fine to take the approach I outlined in #141 (comment)
There was a problem hiding this comment.
I think the way to think about it is "With GCF the configuration is defined in the source repo being built." So all you have to do is point to that repo and say "GCF built this".
So there doesn't seem to be a reason to have these as separate requirements.
This PR does not take a position on how/if requiring all sources or dependencies be recorded in the provenance. That should
be handled in a different PR addressing a different issue.
Note #115 suggested the language "require that the provenance identify the independent inputs", but I found "independent inputs" to be fairly broad. The rest of the text of #115 indicated that this was really about tracking what the build did, so "build instructions" seems to cover the spirit of #115.
fixes #115