Add SLSA conformance to requirements page #572
slsa-framework#515 Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
I'm thrilled with the progress we've made so far. There are a few areas we can refine to make things even better.
Thanks @kpk47!
Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com> Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
Co-authored-by: Joshua Mulliken <joshua@mulliken.net> Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
Signed-off-by: kpk47 <kkris@google.com>
Signed-off-by: kpk47 <kkris@google.com>
I'd like to hear @lehors's opinion as well.
I must admit that I don't see much value in the AUDITOR section. It merely contains a MAY and a couple of SHOULDs that don't buy us much.
I would much prefer that we scrap this off and instead add that consumers MUST ensure that the build systems they depend on are conformant and that to do so they can either do their own audit leveraging the prompts in the verifying systems or leverage the certification program which lists conformant systems.
We can leave it to the certification program to get into the details of what certifiers are required to do.
Co-authored-by: Mark Lodato <lodatom@gmail.com> Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
@kpk47 I think it was premature to merge this. I said that I thought the AUDITOR section should be deleted and @MarkLodato agreed.
I'm so sorry. I'm still not used to tracking code reviews in GitHub and thought that I'd addressed all the open comments. I'll send another PR.
* Add SLSA conformance to requirements page slsa-framework#515
  Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
* lint
  Signed-off-by: kpk47 <kkris@google.com>
* Update docs/spec/v1.0/requirements.md
  Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>
  Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
* Update docs/spec/v1.0/requirements.md
  Co-authored-by: Joshua Mulliken <joshua@mulliken.net>
  Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
* review comments & added requirement that attestation include SLSA levels
  Signed-off-by: kpk47 <kkris@google.com>
* review comments
  Signed-off-by: kpk47 <kkris@google.com>
* Update docs/spec/v1.0/requirements.md
  Co-authored-by: Mark Lodato <lodatom@gmail.com>
  Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
* line wrap
  Signed-off-by: kpk47 <kkris@google.com>
---------
Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com>
Signed-off-by: kpk47 <kkris@google.com>
Co-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>
Co-authored-by: Joshua Mulliken <joshua@mulliken.net>
Co-authored-by: Mark Lodato <lodatom@gmail.com>