Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
editorial: Clarify language in VSA spec #882
editorial: Clarify language in VSA spec #882
Changes from 5 commits
8b0b25e
1233829
68adac3
956dc5a
b0a877b
60396db
a71652a
0d386cf
f841bcf
46dcb8f
abe634c
b1ef965
7800f4b
ee07742
359c50a
79fdfe1
2f22cf3
4cde255
c0e01a1
d0ef5f4
f2e1d11
614a115
a219938
3c8ee37
1febf58
1fa3fa9
e214c2a
03fe050
ead4e1c
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you update the PR title and description to be more, er, descriptive?
This is also a breaking change (change to required field) so we should use the
BREAKING CHANGE:
footer as per https://www.conventionalcommits.org/en/v1.0.0/.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
There's a lot of content in this PR. Do you think the summary does it justice?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Personally I would go into more detail, particularly to explain the reason for the change. Something like:
policy
andtimeVerified
optional because [...]SLSA_BUILD_LEVEL_UNEVALUATED
entry because [...]resourceUri
is required.Hmm, this PR is getting a bit big. Might make sense to split...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 to splitting the PR. I'll keep "how to verify" in this one and move the rest to new ones.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm worried that this new version is in a weird limbo where it's half SLSA-specific and half generic. For example, it's not clear if you need to list a SLSA build level even if you're saying nothing about the build level.
Would it make sense to make it fully generic and perhaps move it to the in-toto repo? Moving it to in-toto would have the side benefit of avoiding a SLSA version number bump.
Note that provenance would still remain within the SLSA repo because it's inextricably tied to the SLSA build model and SLSA build levels. VSA, on the other hand, seems actually quite generic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've been wondering the same thing. I don't have an answer, but I've got a couple of questions/thoughts that may help shape the decision.
If we do keep the VSA spec under slsa-framework, then the community needs to articulate a clearer vision of its role in the SLSA ecosystem. If nothing else, we should update the "How-to SLSA" pages with more VSA examples.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this section is saying: if the transitive dependencies have VSAs themselves, then this VSA summarizes them also. And if there's provenance but no VSA for a dependency, this top-level VSA will summarize the provenance, essentially creating transitive VSAs within a top-level VSA. And if there's no provenance for dependencies, the VSA does nothing for them.
Is that correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The basic idea is that, the
dependencyLevels
in a VSA summarizes the policy verification results for all transitive dependencies.The policy verification result of a dependency could either come from an "actual" verification, i.e. evaluation the provenance of the dependency against a policy for the dependency Uri; or from a VSA that summarizes a prior policy verification on this dependency.
Effectively, VSA functions as a verification "shortcut" -- if a matching and valid VSA is found, the verifier no longer needs to evaluate the artifact provenance and its entire dependency sub-tree.
If a dependency has no VSA nor provenance, what happens really depends on the policy for its Uri.
The
dependencyLevels
in the dependent's VSA will record the recursive verification results accordingly.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, interesting, thanks! @kpk47 would you be open to including some of this language? This explanation makes sense to me, but I'm not sure I'd have gleaned that from the current paragraph.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I gave it a go, but went slightly higher level and removed the decision points. @olivekl @AdamZWu does my summary make sense to you and match your understanding of the chained verification process?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Why is it recommended? (or alternatively just remove the recommendation if we don't have a good reason)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Line 175 says required but here it says it's optional. Which is it?
If required, what does that mean? Is one of the
SLSA_
values required? When we have more than one track, is it required to have exactly one entry for each track?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this div go down near line 352? Should there be a different div id for 'how to verify'?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I actually think SlsaResult should move up here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's fine too, as long as they go together. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How would you feel about a diagram here, or earlier in the page showing the process generally? Would it be overkill to show a high-level process diagram of who is creating what, who is verifying what, who is consuming that verification, etc?
Maybe not in scope of this PR, though!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 on having a diagram with names, and use the names consistently. I left a few comments where the use of
users
,party
,verifiers
(VSA consumer or VSA producer) is not always obvious to readers.May even be simpler to call the "verifier" the "VSA producer" :)
iiuc, the examples in the text assume that the consumer is the same as the producer, and that's why the X and Y can negotiate. But that's not always the case: Example Chromium -> Google VSA -> consumers. Can we illustrate this example as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I like the idea of a diagram, but I'm having trouble imagining what it would look like. There's a lot of overlap in the roles
And the flow loops on itself because each VSA verifier can itself create VSAs indicating that some combination of VSAs passed its policy.
Any suggestions on how to represent that in a picture?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Q: Should this enum name be changed to something not slsa specific?