Common requirements is listed as one of 4 areas of requirements in https://slsa.dev/blog/2023/02/slsa-v1-rc but is not mentioned in the https://slsa.dev/spec/v1.0-rc1/future-directions. There is mention of "Security Best Practices" in https://slsa.dev/spec/v1.0-rc1/requirements. Is the reference in this section intended to cover Common requirements? If so, how does a company measure and verify that it is meeting this common requirement "to be conformant all implementations MUST use industry security best practices" IF "the exact definition of what constitutes a secure system is beyond the scope"?
"Verifying build systems provides a list of prompts for evaluating a build system’s SLSA conformance. Some content comes from v0.1’s Common requirements; the rest is new to v1.0.", then it is now mixing the build and common tracks. What content was mixed in and why is that content special enough to be in scope?
There are no future plans for a Common Track. It was removed in v1.0 and folded into "Verifying Build Systems". Basically, we gave up on the idea that we could create a list of requirements that are sufficient to be trustworthy. There exist other standards that try to do this and they're really huge, and even then I'm not sure that if someone technically meets every checkbox there isn't some other gaping hole that was left out of the spec. In practice, our feeling is that it ends up being a judgement call based on the particulars of the system in question.
So instead we are shifting focus to say that the trustworthiness is a judgement call and giving guidance on the types of things one ought to consider when making a trust determination. In other words, it is orthogonal to the SLSA level.