|
| 1 | +# Source Code Integrity |
| 2 | + |
| 3 | +This breakout session was proposed to discuss source code integrity in the |
| 4 | +context of software supply chain security efforts like the SLSA framework and |
| 5 | +gittuf. After a round of introductions, the session discussed what SLSA is and |
| 6 | +its draft proposal for source code integrity (known as the SLSA source track). |
| 7 | + |
| 8 | +## Open Discussion |
| 9 | + |
| 10 | +* SLSA is meant to establish standards / language to communicate how trustworthy development processes are |
| 11 | +* Breaks standards into levels: higher the level, the better the guarantees |
| 12 | +* V1.0 has Build track: how builders can secure transforming source code to build artifacts like binaries |
| 13 | + * Build level 1: protects against mistakes, documentation |
| 14 | + * Build level 2: protects against tampering after the build |
| 15 | + * Build level 3: some protections during build with isolation requirements, etc. |
| 16 | + * Build track allows for mapping a binary artifact to the source code that produced it |
| 17 | + * But raises the question about how to trust the source code |
| 18 | +* Q: does build level 3 include reproducible builds? |
| 19 | + * No, this was discussed extensively and was part of the spec pre v1.0 |
| 20 | + * On a related note, there’s a separate track being worked on to get hardware attested trust for a build, that provides some similar guarantees |
| 21 | +* For the source track, we want to enable repository maintainers to be able to say “repo at revision X meets level Y” |
| 22 | + * This statement would be via a cryptographically signed attestation |
| 23 | + * Which would enable a level of verifiability, inspection of evidence, etc. |
| 24 | +* Would any of the SLSA source track requirements help with the xz-utils maintainer incident? |
| 25 | + * The source track would not address this |
| 26 | + * Level 1 today just requires a modern VCS (Git, Mercurial, etc.) |
| 27 | + * Level 2 is branch history: disallow rewriting protected branches |
| 28 | + * Level 3 is provide source provenance attestations that connect a revision to its prior revision |
| 29 | + * Safe expunging process: legal or security reasons where history rewrites are required |
| 30 | +* Are there connections to existing standards / compliance requirements? |
| 31 | + * Somewhere in the build track, there was an effort to map requirements to the SSDF so as to say “if you meet this requirement, you can check these SSDF requirements” |
| 32 | +* Are there liability concerns by adopting SLSA? |
| 33 | + * Will I be involved in more legal situations as a consequence of adopting SLSA? |
| 34 | +* How does this relate to CRA? |
| 35 | + * Not 100% sure about CRA, but maps to requirements in SSDF etc and perhaps similar? |
| 36 | + * Additionally, SLSA is more verifiable with tooling rather than a human-filled checklist |
| 37 | +* SLSA \<-\> gittuf |
| 38 | + * SLSA doesn’t want to require a specific toolchain for enforcing source code |
| 39 | + integrity |
| 40 | + * Requiring a specific toolchain would also stop the development of new tools |
| 41 | +* Is the ambition of SLSA to get bigger players (Google etc.) to align on these goals? Startups? |
| 42 | + * Large enterprises and startups |
| 43 | + * Related: do we expect small orgs / engineers to implement controls? |
| 44 | + * One set of SLSA’s consumers are in fact developer tooling / platforms builders who can build requirements into tooling to make it available invisibly to end users |
| 45 | +* Individual developers driven repositories |
| 46 | + * A significant number of repositories have one or so significant developers |
| 47 | + * Requirements being imposed on a developer doing this as a hobby |
| 48 | + * Side note: Does the CRA impose more requirements on such hobby developers? |
| 49 | + * SLSA does not set requirements, thinking more along the lines of sane defaults and making it part of the tooling itself |
| 50 | + * Ideal: Most developers needn’t even know SLSA is a thing, just gets built into the tooling. |
| 51 | +* Do you foresee something like “this thing we’re bringing into our enterprise is a particular SLSA level?” |
| 52 | + * Yes, that could well be the case |
| 53 | + * If the vendor is a hobbyist, it’s on the enterprise to compensate the hobbyist |
| 54 | +* What’s the tooling to verify the attestations for some repo you’re consuming? |
| 55 | + * One option is to trust the provider of the attestation to an extent, check the revision matches the attestation, etc. |
| 56 | + * Who makes the attestation (maintainer of repository vs someone else for example) is an interesting question |
| 57 | +* Back to gittuf |
| 58 | + * SLSA isn’t prescriptive about tooling |
| 59 | + * You can meet a lot of these requirements by trusting a platform to do them |
| 60 | + * But maybe we can go further and remove the need to trust the platform |
| 61 | + * What does it mean to be SLSA Level 3 if the system enforcing those things can be compromised? That's what gittuf addresses in the context of the source track |
| 62 | +* Thoughts on code review as a source track requirement |
| 63 | + * Anonymity / pseudo-anonymity are important |
| 64 | + * Individuals can’t meet this requirement |
| 65 | + * In startups: requiring code reviews would be difficult |
| 66 | + * Quality of code reviews vary so the review may not mean much |
| 67 | + * What is reviewed is important to define |
| 68 | + * But code review as a whole is not well defined |
| 69 | +* From the consumer’s perspective |
| 70 | + * Would a consumer expect code review from a vendor? |
| 71 | +* Automated tests may be better signal than code review |
| 72 | + |
| 73 | +## Links |
| 74 | + |
| 75 | +* SLSA community: [https://slsa.dev/community](https://slsa.dev/community) |
| 76 | +* SLSA Source Track *Draft*: [https://slsa.dev/spec/draft/source-requirements](https://slsa.dev/spec/draft/source-requirements) |
| 77 | +* gittuf: [https://github.com/gittuf/gittuf](https://github.com/gittuf/gittuf) |
0 commit comments