Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
content: draft: define how downstream users can verify the SLSA source track level of revisions #1094
content: draft: define how downstream users can verify the SLSA source track level of revisions #1094
Changes from 38 commits
aa087ad
6ebf749
2b076ab
48f5301
d028178
da726cd
0c2d8af
a310289
1c51364
9b05f90
62d9375
9c1b891
a540709
d310507
fd051aa
c7e6fd7
88f4fbc
a50bfb5
c54d16b
f8b87a4
be65286
55b7108
7916e37
21cadb0
858d37f
72d3163
7f2ad75
3e502cf
ef1eb82
63d5c48
c5ab4a9
2844f59
85a6c7f
2de9531
7955011
fb001a4
01a55cd
0741877
bd71904
b197be7
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is supposed to help consumers who only want
releases/*
refs?They would be able to see if this revision was reachable from any release ref when this attestation was minted.
For a single revision / subject, a normal git late branching flow would keep reminting these things when important branches point to it.
I'd be nice not to have to do that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something like that yes.
Could they be minted on-demand?
If not, do you have any other thoughts about how to capture this information (or perhaps we should see if we can make it inconsequential?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that sounds tricky! like, do you include forks? user branches? etc. Probably we need to avoid needing it.
I think the intent is to say: I can deploy this revision because X, where X is the set of rules required to land in the /refs/heads/release/ refspec on this date.
Ideally, you'd be able to reverify the qualifications for X and not need to use the refname as a place holder.
If you do need the refname, I think we'd pretty much always need to explain why so we can know if any mapping is required when the ref rules change over time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh so we typically use the branch name to convey semantic between the folks managing the code and the folks writing the individual policies.
The automated rules that get applied to a 'experimental' and 'release' branch might very well be the same, but the code you put in them would be different. Being able to convey downstream if something was good enough for the 'release' branch is very helpful! These names will likely differ from team to team as they set up their branches and development flows differently.
So I suppose I view the refname(?) as orthogonal to the actual rules the SCP is enforcing at any point in time.
Does that explanation help explain why we'd want such a thing? (Even if we do decide it's too hard to actually implement)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In our last discussion I think we agreed that having some way to reference the branch names is useful, so I think this can be resolved?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we can definitely reference the branch names in the revision-creation claims -- it's not likely to be feasible to mint attestations on demand or on every ref update, but potentially on every closed pull request?
@TomHennen maybe we can focus the discussion just on that part going forward?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, let me make a proposal on how this happens. Might be worth merging with other language that @zachariahcox added (?) about which branches on 'consumable'. I'll have to go look for the specifics. (suggestion per @adityasaky ).
Another suggestion: don't define how it's done here but instead leave it up to the implementing systems to define when they set these things. However I think it's probably helpful to have some minimum path that a system like GitHub could use (as a sort of 'existence proof').
WDYT @zachariahcox ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I've made a concrete proposal. PTAL?