Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

content: source track draft: simplify and clarify level goals #1097

Merged
merged 45 commits into from
Aug 15, 2024
Merged
Changes from 3 commits
Commits
Show all changes
45 commits
Select commit Hold shift + click to select a range
989aeb8
initial content, waiting for main to be updated.
zachariahcox Jul 12, 2024
b4f8b7b
Merge branch 'slsa-framework:main' into users/zacox/scp
zachariahcox Jul 15, 2024
68e8632
react to pr feedback.
zachariahcox Jul 16, 2024
5d5df51
linter
zachariahcox Jul 16, 2024
b2071c0
clarity
zachariahcox Jul 16, 2024
cc8a51c
linter
zachariahcox Jul 17, 2024
5a456d6
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 22, 2024
ad62f09
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 22, 2024
e4050b4
address pr feedback.
zachariahcox Jul 22, 2024
47f8ad3
clarify "code owners"
zachariahcox Jul 22, 2024
d212e08
reimagine as a level 1 requirement
zachariahcox Jul 22, 2024
8bf4205
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 29, 2024
2343b07
Update docs/spec/draft/source-requirements.md
zachariahcox Jul 29, 2024
a7fd4fe
pr feedback
zachariahcox Jul 29, 2024
b003548
cleanup
zachariahcox Jul 29, 2024
09b0c67
add two more useful definitions
zachariahcox Jul 29, 2024
6d3e582
large rewrite
zachariahcox Jul 31, 2024
99f372a
talk vaguely about unit testing
zachariahcox Jul 31, 2024
6b82d6d
every revision
zachariahcox Jul 31, 2024
a583425
cleanup
zachariahcox Jul 31, 2024
64132b8
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
9ab53dc
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
7269b05
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
1be7b2a
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
7faa87d
typos!
zachariahcox Aug 2, 2024
843729c
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
69f611c
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
08ec500
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
6515598
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
f962ac4
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 2, 2024
d809349
pr feedback, remove trusted review process stuff
zachariahcox Aug 8, 2024
2f86109
consumable branch clarity?
zachariahcox Aug 8, 2024
834d64c
pr comment feedback
zachariahcox Aug 9, 2024
9b72a77
adding scenarios to the expunging section
zachariahcox Aug 12, 2024
006a4c1
hopefully last rewrite.
zachariahcox Aug 12, 2024
febc191
update cyoa
zachariahcox Aug 12, 2024
6e3f3e3
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 12, 2024
6c05dc1
move choose your own adventure stuff out.
zachariahcox Aug 12, 2024
3919bad
source attestation copy edits
zachariahcox Aug 12, 2024
cb63de3
add disclaimer about use of git VCS
zachariahcox Aug 14, 2024
f2398a4
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 15, 2024
d1219c6
Update docs/spec/draft/verifying-source.md
zachariahcox Aug 15, 2024
5527616
Update docs/spec/draft/verifying-source.md
zachariahcox Aug 15, 2024
6df6b33
Update docs/spec/draft/source-requirements.md
zachariahcox Aug 15, 2024
31d63ba
Update docs/spec/draft/source-requirements.md
TomHennen Aug 15, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
68 changes: 50 additions & 18 deletions docs/spec/draft/source-requirements.md
Original file line number Diff line number Diff line change
Expand Up @@ -54,33 +54,65 @@ Consumers can examine the various source provenance attestations to determine if
| Approver | An actor that approves a particular change to the source.
| Merger | An actor that applies a change to the source. This typically involves creating the new revision and updating a branch. This person may be the proposer or a different trusted person, depending on the version control platform.

## Source Platform Requirements

The version control system MUST provide at least:
## Safe Expunging Process
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

- **[Immutable reference]** There exists a deterministic way to identify this particular revision. This is usually {project identifier + revision ID}. When the revision ID is a digest of the revision, as in git, nothing more is needed. When the revision ID is a number or otherwise not a digest, then the project server MUST guarantee that revisions cannot be altered once created.
(placeholder text)

- **[Change history]** There exists a record of the history of changes that went into the revision. Each change MUST contain:
- The immutable reference to the new revision.
- The identities of the proposer, reviewers (if any), and merger (if different to the proposer).
- Timestamps of change submission. If a change is reviewed, then the change history MUST also include timestamps for any reviews.
- The change description/justification.
- The content of the change.
- The parent revisions.
Administrators have the necessary permissions to replace the source in a known repo without publishing a change record.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

Most popular version control systems meet these requirement, such as git, Subversion, Mercurial, and Perforce.
This includes changing files, history, or changing references in git.

The source control platform MUST provide at least:
When used as an attack, this is called “repo hijacking” (or “repo-jacking”) and is one of the primary threats source provenance attestations protect against.

- An account system or some other means of identifying persons.
- A mechanism for modifying the canonical source through a **revision process**.
If an organization must change the source without publishing a change record, the organization will need to demonstrate that the change was necessary and executed responsibly.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

The source control platform SHOULD additionally provide:
## Source Control Platform and Version Control System Requirements

- A mechanism for assigning roles and/or permissions to identities.
- A mechanism for including code review in the revision process.
- Two-factor authentication for the account system (L2+ only).
The combination of SCP and VCS MUST provide:

### Immutable reference

There exists a deterministic way to identify a particular revision.

This is usually a combination of the repository ID and revision ID.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I presume the repository ID is different from the URL to locate the repository on the SCP? For example, the repository ID for this one is 346517502 per https://api.github.com/repos/slsa-framework/slsa.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, I had imagined the repository ID is the URL (e.g. https://github.com/slsa-framework/slsa).

Having it be something that's meaningful to humans would be pretty beneficial.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think that's partly what I was getting at. I wonder if there's an endpoint to translate the numeric ID to the URL or if the current definition for repository (even without the ID) inherently has a URL associated with it because we only consider a repository on the SCP at the moment. This is part of the massaging I wonder if I should take a stab at separately.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we should consider the numeric ID to be an implementation detail and not worry about it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's an interesting question -- today we definitely have resurrection and rename attacks (so you need the gh repo numeric id to disambiguate), but I think in combination with the git object id, the url is probably fine.
IE, it doesn't likely matter much if a hijacked repo (with a different numeric id) has the same url and ships the same revision, we can ship the corresponding attestation. I'd want to think through it some more.

When the revision ID is a digest of the revision, as in git, nothing more is needed.
When the revision ID is a number or otherwise not a digest, then the repository server MUST guarantee that revisions cannot be altered once created.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved
The SCP MUST guarantee that repository IDs track the complete history of changes that occur to the source while hosted on the platform.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

### Identity Management

There exists an identity management system or some other means of identifying actors.

The SCP will use these identities to:
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

- Implement actor-based rules (such as required review from code experts)
- Record contributors to a code revision process
- Issuing source provenance attestations.

### Revision process

There exists a trusted mechanism for modifying the source pointed-to by a [branch](#definitions).
For each [branch](#definitions), the SCP MUST record and keep the full history of changes conducted on this SCP, with exceptions allowed following the [Safe Expunging Process](#safe-expunging-process).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is something that we had been considering for level 2 (at least in #1066).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could soften it to "must have a defined change process of any kind", but it seems ok to me to say that "keeping the history of those past revisions" is pretty close to the definition of version control.

Is that what you were thinking?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah we talked about this the other day and I think the resolution was basically "by default all SCPs/VCSs keep the entire revision history and in fact getting rid of some of that history after a short amount of time would be pretty difficult to do safely, so we're better off just requiring it from the start and we can see if anyone complains"

But now I'm also remembering some discussion we had where you said something like "some users want to be able to get rid of 'stuff' after a certain amount of time to save storage costs". I don't remember what 'stuff' was though?


The revision process MUST:
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm parsing this bit as "there must be a mechanism to submit revisions that captures the following information", which I think may be very strict in what systems can meet the requirement, when perhaps we want the spec to focus on the data, which may be gathered in other ways. This is tied to my other comment about definitions / model used, and perhaps best left to a follow on PR I submit after this is merged?

- Provide an accurate description of the currently proprosed change, or instructions to recreate it.
- Provide the ability to review a change before it is accepted
- Provide the ability to require pre-approval from specific actors before a change proposal is accepted.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

At some level in this track, we may want to set code review requirements, but I think it should be an implementation detail whether this is enforced pre-merge or not. For example, a policy "all changes must be reviewed by two maintainers" can be met even if the SCP in use doesn't provide a way to require approval pre-merge. Enabling two approval as a branch protection rule on an SCP is one way to achieve the two party review requirement. Alternatively, we may have mailing list driven models where approvals / merges look very different. The system doesn't have a way to require pre-approval, but we can tell that the requirement was met. I suggest we just record the review happened, and separately set review requirements here or at some other level.

Suggested change
- Provide the ability to require pre-approval from specific actors before a change proposal is accepted.
- Record reviews / votes submitted before a change proposal is accepted.

Separate note that may be part of a requirement from the policy PoV: "specific actors" is a bit open-ended. Does this mean we must be able to require reviews with greater granularity than just "a maintainer of the repository"? More along the lines of requiring reviews from specific developers for specific files that are modified (eg: via CODEOWNERS)?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not requiring review before merge SGTM (and as you say, I can see why a SCP might still choose to require the review prior to merge). However "Record reviews / votes submitted before a change proposal is accepted." still seems to require the action take place before the change is merged?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Correct, but I think that's generally in line with recording events in the order that they happen in. Perhaps my phrasing is off. I also reckon reviews after it's accepted is a nice-to-have data point but not meaningful in policy decisions about that merge event? I may be missing some use cases though.

- Record all actors that contributed to the process, including the proposers, merger and reviewers (if any).
- Record timestamps of critical activities including process start, process completion, reception of change proposals by the SCP, and reviews.
- Record the specific state of the process when each approval was granted. This is most relevant when the proposal content is allowed to change after aprovals have been granted.


### Additional features
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

The combination of SCP and VCS SHOULD provide:

- A mechanism for assigning roles and/or permissions to [actors](#source-roles).
- A mechanism for including code review in the [revision process](#revision-process).
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved
- Two-factor authentication for the [identity management system](#identity-management).
- Audit logs for sensitive actions, such as modifying security controls.
- A mechanism to define code ownership for all files in the source.
zachariahcox marked this conversation as resolved.
Show resolved Hide resolved

## Levels

Expand Down
Loading