feat: add Linux F4 evidence promotion gate#131
Conversation
📝 WalkthroughWalkthroughAdds an official-source evidence taxonomy, manifest schema fields, and a new promotion-gate API to the Linux provisioning linter for promoting distro evidence to "verified-official-source" status. Verifier validation is extended with promotion-state-specific rules, and corresponding test coverage/helpers are added. ChangesDistro evidence promotion gate
Estimated code review effort: 4 (Complex) | ~60 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@scripts/f4_linter_linux_provisioning.py`:
- Around line 1125-1144: The promotion requirements in
linux_distro_evidence_promotion_requirements are duplicating values that are
already enforced by the verifier, so the published contract can drift from the
actual accepted set. Update this function to derive official_source_types,
official_source_kinds, and verification_scopes directly from
LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES,
LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS, and LINUX_ALLOWED_VERIFICATION_SCOPES, and
use sorted() so the returned tuples remain deterministic.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: e4714ca3-0004-4a7a-9e91-4e5956b8539a
📒 Files selected for processing (2)
scripts/f4_linter_linux_provisioning.pytests/packaging/test_f4_linter_linux_provisioning.py
| def linux_distro_evidence_promotion_requirements() -> dict[str, tuple[str, ...]]: | ||
| """Return the official-source fields required to promote distro evidence.""" | ||
| return { | ||
| "required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS, | ||
| "official_source_types": ( | ||
| "official-distro-metadata", | ||
| "upstream-project-docs", | ||
| ), | ||
| "official_source_kinds": ( | ||
| "distro-package-index", | ||
| "distro-package-recipe", | ||
| "upstream-install-doc", | ||
| "upstream-release-page", | ||
| ), | ||
| "verification_scopes": ( | ||
| "package-name-only", | ||
| "package-name-and-executable", | ||
| "package-name-executable-and-license", | ||
| ), | ||
| } |
There was a problem hiding this comment.
📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win
Derive the advertised requirements from the validation sets to avoid drift.
official_source_types, official_source_kinds, and verification_scopes are hardcoded here but the verifier validates against LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES, LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS, and LINUX_ALLOWED_VERIFICATION_SCOPES. These two copies can silently diverge (e.g., a kind added to a frozenset but not the tuple), so the published promotion contract would no longer match what the verifier actually accepts. Derive them from the single source of truth, using sorted() for deterministic ordering.
♻️ Derive from the frozensets
return {
"required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS,
- "official_source_types": (
- "official-distro-metadata",
- "upstream-project-docs",
- ),
- "official_source_kinds": (
- "distro-package-index",
- "distro-package-recipe",
- "upstream-install-doc",
- "upstream-release-page",
- ),
- "verification_scopes": (
- "package-name-only",
- "package-name-and-executable",
- "package-name-executable-and-license",
- ),
+ "official_source_types": tuple(sorted(LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES)),
+ "official_source_kinds": tuple(sorted(LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS)),
+ "verification_scopes": tuple(sorted(LINUX_ALLOWED_VERIFICATION_SCOPES)),
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| def linux_distro_evidence_promotion_requirements() -> dict[str, tuple[str, ...]]: | |
| """Return the official-source fields required to promote distro evidence.""" | |
| return { | |
| "required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS, | |
| "official_source_types": ( | |
| "official-distro-metadata", | |
| "upstream-project-docs", | |
| ), | |
| "official_source_kinds": ( | |
| "distro-package-index", | |
| "distro-package-recipe", | |
| "upstream-install-doc", | |
| "upstream-release-page", | |
| ), | |
| "verification_scopes": ( | |
| "package-name-only", | |
| "package-name-and-executable", | |
| "package-name-executable-and-license", | |
| ), | |
| } | |
| def linux_distro_evidence_promotion_requirements() -> dict[str, tuple[str, ...]]: | |
| """Return the official-source fields required to promote distro evidence.""" | |
| return { | |
| "required_fields": DISTRO_EVIDENCE_PROMOTION_FIELDS, | |
| "official_source_types": tuple(sorted(LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES)), | |
| "official_source_kinds": tuple(sorted(LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS)), | |
| "verification_scopes": tuple(sorted(LINUX_ALLOWED_VERIFICATION_SCOPES)), | |
| } |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@scripts/f4_linter_linux_provisioning.py` around lines 1125 - 1144, The
promotion requirements in linux_distro_evidence_promotion_requirements are
duplicating values that are already enforced by the verifier, so the published
contract can drift from the actual accepted set. Update this function to derive
official_source_types, official_source_kinds, and verification_scopes directly
from LINUX_OFFICIAL_DISTRO_EVIDENCE_SOURCE_TYPES,
LINUX_ALLOWED_OFFICIAL_SOURCE_KINDS, and LINUX_ALLOWED_VERIFICATION_SCOPES, and
use sorted() so the returned tuples remain deterministic.



Summary
Add a Linux F4 official-source evidence promotion gate.
This PR does not promote any current distro mapping to official-source evidence. It adds schema, helper APIs, manifest fields, verifier hardening, and tests so future promotion from
current-policy-baselinetoverified-official-sourceis contract-gated.What changed
Added official-source promotion field support for distro evidence:
official_source_nameofficial_source_urlofficial_source_kindverification_scopeverified_package_namesverified_executable_namesverification_noteAdded official source kind taxonomy:
distro-package-indexdistro-package-recipeupstream-install-docupstream-release-pageAdded verification scope taxonomy:
package-name-onlypackage-name-and-executablepackage-name-executable-and-licenseAdded promotion-gate APIs:
linux_distro_evidence_promotion_requirementslinux_distro_mapping_evidence_promotion_errorslinux_distro_mapping_evidence_can_promotelinux_distro_mapping_evidence_promotion_matrixlinux_distro_mapping_evidence_promotion_summary_for_artifactBaseline preservation
Generated evidence still defaults to:
evidence_source = OS_PACKAGE_NAMESevidence_source_type = repository-local-policyevidence_status = current-policy-baselineexternal_verification_required_for_new_mappings = trueGenerated baseline records do not claim official-source evidence and are not promotable.
No current generated record is promoted to
verified-official-source.Promotion gate behavior
A distro evidence record may be treated as
verified-official-sourceonly when it includes complete promotion data:external_verification_required_for_new_mappings = falserelease_blocking = falseonly when the promotion evidence is completeVerifier hardening
The verifier now rejects:
verified-official-sourceevidence withoutofficial_source_nameverified-official-sourceevidence withoutofficial_source_urlverified-official-sourceevidence usingrepository-local-policyofficial_source_kindverification_scopeverified_package_namesverified_executable_namesverification_noteExplicit non-scope
This PR does not:
verified-official-sourceValidation
Passed locally / by agent report:
Observed results:
Safety:
Next work
A follow-up PR can add the first real official-source evidence record for one existing package mapping, using actual official distro documentation and without changing package names.
Summary by CodeRabbit
New Features
Bug Fixes