Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Common Requirements track is missing from Future Directions #674

Open
seaylg opened this issue Mar 8, 2023 · 3 comments
Open

Common Requirements track is missing from Future Directions #674

seaylg opened this issue Mar 8, 2023 · 3 comments
Labels
clarification Clarification of the spec, without changing meaning

Comments

@seaylg
Copy link

seaylg commented Mar 8, 2023

Common requirements is listed as one of 4 areas of requirements in https://slsa.dev/blog/2023/02/slsa-v1-rc but is not mentioned in the https://slsa.dev/spec/v1.0-rc1/future-directions. There is mention of "Security Best Practices" in https://slsa.dev/spec/v1.0-rc1/requirements. Is the reference in this section intended to cover Common requirements? If so, how does a company measure and verify that it is meeting this common requirement "to be conformant all implementations MUST use industry security best practices" IF "the exact definition of what constitutes a secure system is beyond the scope"?

Proposed solution:

  1. Clarify (distinction or correlation) between "security best practices" and "common requirements" on Requirements page https://slsa.dev/spec/v1.0-rc1/requirements
  2. Add plans for the Common track to the Future Directions page https://slsa.dev/spec/v1.0-rc1/future-directions
@seaylg
Copy link
Author

seaylg commented Mar 8, 2023

"Verifying build systems provides a list of prompts for evaluating a build system’s SLSA conformance. Some content comes from v0.1’s Common requirements; the rest is new to v1.0.", then it is now mixing the build and common tracks. What content was mixed in and why is that content special enough to be in scope?

@MarkLodato
Copy link
Member

Agreed that this needs fixing.

There are no future plans for a Common Track. It was removed in v1.0 and folded into "Verifying Build Systems". Basically, we gave up on the idea that we could create a list of requirements that are sufficient to be trustworthy. There exist other standards that try to do this an they're really huge, and even then I'm not sure that if someone technically meets every checkbox that there isn't some other gaping hole that was left out of the spec. In practice, our feeling is that it ends up being a judgement call based on the particulars of the system in question.

So instead we are shifting focus to say that the trustworthiness is a judgement call and giving guidance on the types of things one ought to consider when making a trust determination. In other words, it is orthogonal to the SLSA level.

@MarkLodato MarkLodato added the clarification Clarification of the spec, without changing meaning label Mar 27, 2023
@mattfarina
Copy link
Contributor

It appears there the Build track is for those using a build service. The future direction discusses more of the build track and a source track.

What's missing is a build system operations track. A build system could be operated as a complete mess or in a secure manner. One has no way to know.

@mattfarina mattfarina mentioned this issue Apr 5, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
clarification Clarification of the spec, without changing meaning
Projects
Issue triage
Status: Untriaged
Specification v1.0
Status: No status
Milestone
No milestone
Development

No branches or pull requests
3 participants
@MarkLodato @mattfarina @seaylg