From cff3f3bade9b358f95541af0331d310e756f8016 Mon Sep 17 00:00:00 2001 From: arewm Date: Thu, 6 Jul 2023 15:34:49 -0400 Subject: [PATCH 1/6] editorial: Clarify requirements around cache use by the build platform. Addresses #894 Signed-off-by: arewm --- docs/spec/v1.0/requirements.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md index 23827046f..016933116 100644 --- a/docs/spec/v1.0/requirements.md +++ b/docs/spec/v1.0/requirements.md @@ -307,13 +307,18 @@ The build platform MUST guarantee the following: - It MUST NOT be possible for one build to persist or influence the build environment of a subsequent build. In other words, an ephemeral build environment MUST be provisioned for each build. +- The build platform MUST NOT open services that allow for remote influence + unless all such interactions are captured as `externalParameters` in the + provenance. + +If the build platform leverages a cache for builds, it MUST guarantee the following: + - It MUST NOT be possible for one build to inject false entries into a build cache used by another build, also known as "cache poisoning". In other words, the output of the build MUST be identical whether or not the cache is used. -- The build platform MUST NOT open services that allow for remote influence - unless all such interactions are captured as `externalParameters` in the - provenance. +- The resolved dependencies used to generate the cached artifacts MUST be captured + in the provenance. There are no sub-requirements on the build itself. Build L3 is limited to ensuring that a well-intentioned build runs securely. It does not require that From a3ab2526119ea8e800f1bf7028919203452b843c Mon Sep 17 00:00:00 2001 From: arewm Date: Fri, 7 Jul 2023 14:16:33 -0400 Subject: [PATCH 2/6] editorial: clarify provenance consistency 
Signed-off-by: arewm --- docs/spec/v1.0/requirements.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md index 016933116..bfeefde51 100644 --- a/docs/spec/v1.0/requirements.md +++ b/docs/spec/v1.0/requirements.md @@ -317,15 +317,18 @@ If the build platform leverages a cache for builds, it MUST guarantee the follow cache used by another build, also known as "cache poisoning". In other words, the output of the build MUST be identical whether or not the cache is used. -- The resolved dependencies used to generate the cached artifacts MUST be captured - in the provenance. +- If the build platform is capable of providing the provenance for an external + resource without a cache, then the provenance SHOULD remain unchanged if a cache + is used. In other words, the output of the provenance MUST be identical whether + or not the cache is used. There are no sub-requirements on the build itself. Build L3 is limited to ensuring that a well-intentioned build runs securely. It does not require that a build platform prevents a producer from performing a risky or insecure build. In particular, the "Isolated" requirement does not prohibit a build from calling out to a remote execution service or a "self-hosted runner" that is outside the -trust boundary of the build platform. +trust boundary of the build platform. Additionally, build L3 does not prohibit +builds from resolving dependencies outside of the knowledge of the build platform. NOTE: This requirement was split into "Isolated" and "Ephemeral Environment" in the initial [draft version (v0.1)](../v0.1/requirements.md). From cb467ddb2ed7532ecc005701f7c13debc25ad1ed Mon Sep 17 00:00:00 2001 From: arewm Date: Tue, 11 Jul 2023 13:12:23 -0400 Subject: [PATCH 3/6] change SHOULD to MUST Signed-off-by: arewm --- docs/spec/v1.0/requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md index bfeefde51..2e70b9a5d 100644 --- a/docs/spec/v1.0/requirements.md +++ b/docs/spec/v1.0/requirements.md @@ -318,7 +318,7 @@ If the build platform leverages a cache for builds, it MUST guarantee the follow words, the output of the build MUST be identical whether or not the cache is used. - If the build platform is capable of providing the provenance for an external - resource without a cache, then the provenance SHOULD remain unchanged if a cache + resource without a cache, then the provenance MUST remain unchanged if a cache is used. In other words, the output of the provenance MUST be identical whether or not the cache is used. From e1c551ee9bb6a7452d1646cc6fe30f4dc3273243 Mon Sep 17 00:00:00 2001 From: arewm Date: Thu, 13 Jul 2023 15:15:37 -0400 Subject: [PATCH 4/6] link cache communication to resolvedDependencies at build L3 Signed-off-by: arewm --- docs/spec/v1.0/provenance.md | 3 ++- docs/spec/v1.0/requirements.md | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/spec/v1.0/provenance.md b/docs/spec/v1.0/provenance.md index a533f3ca2..8107b1f81 100644 --- a/docs/spec/v1.0/provenance.md +++ b/docs/spec/v1.0/provenance.md @@ -87,7 +87,8 @@ The model is as follows: captured directly in the provenance, but is instead implied by `builder.id` and subject to [SLSA Requirements](requirements.md). Such communication SHOULD NOT influence the definition of the build; if it does, - it SHOULD go in `resolvedDependencies` instead. + it SHOULD go in `resolvedDependencies` instead. Cache communications MUST NOT + be present at SLSA Build L3. - Finally, the build process outputs one or more artifacts, identified by `subject`. diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md index 2e70b9a5d..61aefde7a 100644 --- a/docs/spec/v1.0/requirements.md +++ b/docs/spec/v1.0/requirements.md 
@@ -320,7 +320,8 @@ If the build platform leverages a cache for builds, it MUST guarantee the follow - If the build platform is capable of providing the provenance for an external resource without a cache, then the provenance MUST remain unchanged if a cache is used. In other words, the output of the provenance MUST be identical whether - or not the cache is used. + or not the cache is used. Communication with the build cache MUST NOT be present + in `resolvedDependencies`. There are no sub-requirements on the build itself. Build L3 is limited to ensuring that a well-intentioned build runs securely. It does not require that From 4cfb812544853c56592e5a33751d6103921b07ee Mon Sep 17 00:00:00 2001 From: arewm Date: Tue, 22 Aug 2023 09:51:44 -0400 Subject: [PATCH 5/6] distill to core changes Signed-off-by: arewm --- docs/spec/v1.0/provenance.md | 3 +-- docs/spec/v1.0/requirements.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/docs/spec/v1.0/provenance.md b/docs/spec/v1.0/provenance.md index 8107b1f81..a533f3ca2 100644 --- a/docs/spec/v1.0/provenance.md +++ b/docs/spec/v1.0/provenance.md @@ -87,8 +87,7 @@ The model is as follows: captured directly in the provenance, but is instead implied by `builder.id` and subject to [SLSA Requirements](requirements.md). Such communication SHOULD NOT influence the definition of the build; if it does, - it SHOULD go in `resolvedDependencies` instead. Cache communications MUST NOT - be present at SLSA Build L3. + it SHOULD go in `resolvedDependencies` instead. - Finally, the build process outputs one or more artifacts, identified by `subject`. diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md index 61aefde7a..0fc7ad07b 100644 --- a/docs/spec/v1.0/requirements.md +++ b/docs/spec/v1.0/requirements.md 
@@ -328,8 +328,7 @@ ensuring that a well-intentioned build runs securely. It does not require that a build platform prevents a producer from performing a risky or insecure build. In particular, the "Isolated" requirement does not prohibit a build from calling out to a remote execution service or a "self-hosted runner" that is outside the -trust boundary of the build platform. Additionally, build L3 does not prohibit -builds from resolving dependencies outside of the knowledge of the build platform. +trust boundary of the build platform. NOTE: This requirement was split into "Isolated" and "Ephemeral Environment" in the initial [draft version (v0.1)](../v0.1/requirements.md). From a57d6354d7d05400fa6e4dc2a0cf24bfb3014930 Mon Sep 17 00:00:00 2001 From: arewm Date: Tue, 22 Aug 2023 09:53:04 -0400 Subject: [PATCH 6/6] reword change Signed-off-by: arewm --- docs/spec/v1.0/requirements.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md index 0fc7ad07b..25c1a08ee 100644 --- a/docs/spec/v1.0/requirements.md +++ b/docs/spec/v1.0/requirements.md 
@@ -317,11 +317,12 @@ If the build platform leverages a cache for builds, it MUST guarantee the follow cache used by another build, also known as "cache poisoning". In other words, the output of the build MUST be identical whether or not the cache is used. -- If the build platform is capable of providing the provenance for an external - resource without a cache, then the provenance MUST remain unchanged if a cache - is used. In other words, the output of the provenance MUST be identical whether - or not the cache is used. Communication with the build cache MUST NOT be present - in `resolvedDependencies`. +- If the build platform is capable of providing the provenance information for + an external resource when a cache is not in use, then the provenance + information MUST remain unchanged if a cache is used. In other words, the + information in the provenance MUST be identical whether or not the cache is + used. Communication with the build cache MUST NOT be represented in + `resolvedDependencies`. There are no sub-requirements on the build itself. Build L3 is limited to ensuring that a well-intentioned build runs securely. It does not require that
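Review bot: In PATCH 1/6, requirements.md hunk @@ -307,13 +307,18 @@, the new bullet "The resolved dependencies used to generate the cached artifacts MUST be captured in the provenance" does not say where in the provenance they belong or how it relates to the preceding bullet's "the output of the build MUST be identical whether or not the cache is used"; if the cache cannot change the output, the intended guarantee is presumably that the provenance lists the same dependencies an uncached build would have resolved, and the bullet should say that explicitly, e.g. "MUST be captured in the provenance exactly as they would be for a build that did not use the cache". The introducer "If the build platform leverages a cache for builds" is also broad; consider naming the kinds of cache it covers (dependency caches, build-step or artifact caches), since the following bullet speaks of "cached artifacts". Moving the "remote influence" bullet above the new introducer is a pure relocation and reads correctly.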
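Review bot: In PATCH 2/6, requirements.md hunk @@ -317,15 +317,18 @@, the replacement bullet mixes requirement levels: the first sentence says the provenance "SHOULD remain unchanged", while the "In other words" restatement says it "MUST be identical", so a reader cannot tell which level applies; pick one (the surrounding guarantee list is all MUST). In the same hunk, the added sentence "build L3 does not prohibit builds from resolving dependencies outside of the knowledge of the build platform" sits uneasily beside the new cache bullet about what the provenance must contain; if the intent is that such dependencies are simply absent from the provenance, say so, because "outside of the knowledge of the build platform" leaves open what the platform is expected to record.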
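Review bot: In PATCH 3/6, requirements.md hunk @@ -318,7 +318,7 @@, changing SHOULD to MUST removes the level mismatch, but the precondition "If the build platform is capable of providing the provenance for an external resource without a cache" now gates a MUST on a capability the text does not define, and nothing says what the platform must do when it is not capable. Suggest either dropping the conditional or adding the fallback, otherwise the MUST carries an unstated escape hatch.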
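Review bot: In PATCH 4/6, provenance.md hunk @@ -87,7 +87,8 @@, "Cache communications MUST NOT be present at SLSA Build L3" is ambiguous about where they must not be present: read literally it forbids using a cache at L3 at all, whereas the companion requirements.md change in the same patch only forbids recording the communication in `resolvedDependencies`. Suggest aligning the two, e.g. "Cache communications MUST NOT appear in `resolvedDependencies` at SLSA Build L3", and linking to the requirements section so the statements cannot drift apart.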
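Review bot: In PATCH 4/6, requirements.md hunk @@ -320,7 +320,8 @@, the appended sentence "Communication with the build cache MUST NOT be present in `resolvedDependencies`" is a distinct requirement from the one it is attached to (provenance identical with or without the cache) and would be easier to cite and check as its own bullet in the cache list. The bullet also switches from "a cache" to "the build cache"; one term throughout would avoid suggesting two different things are meant.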
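Review bot: In PATCH 5/6, provenance.md hunk @@ -87,8 +87,7 @@, with the L3 sentence reverted, the remaining context "Such communication SHOULD NOT influence the definition of the build; if it does, it SHOULD go in `resolvedDependencies` instead" can be read as contradicting the requirements.md rule that build-cache communication MUST NOT be present in `resolvedDependencies`. The two are reconcilable only because the cache requirements already forbid the cache from influencing the output, so a short cross-reference here (e.g. "at Build L3, see the cache requirements in [SLSA Requirements](requirements.md)") would keep a reader from seeing a conflict.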
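Review bot: In PATCH 6/6, requirements.md hunk @@ -317,11 +317,12 @@, the first sentence restricts the claim to "the provenance information for an external resource", but the restatement broadens it to "the information in the provenance MUST be identical whether or not the cache is used", which is a stronger statement than the bullet intends; suggest keeping the restatement scoped to that external-resource information so both sentences say the same thing. "MUST NOT be represented in `resolvedDependencies`" is clearer than the earlier "present in" and should stay. Minor: "provenance information" appears three times in the bullet; "provenance" alone carries the meaning after the first use.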