Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add 'profiles' for the Source Track #1142

Open
TomHennen opened this issue Sep 20, 2024 · 7 comments
Open

Add 'profiles' for the Source Track #1142

TomHennen opened this issue Sep 20, 2024 · 7 comments
Labels
source-track

Comments

@TomHennen
Copy link
Contributor

@adityasaky suggested that it might make the source track more clear if we

  1. Define 'profiles' for source control systems as a combination of VCS, SCP, attestation issuers, etc...
  2. Each profile should explain how it would meet the various source level requirements
  3. Remove many of the examples that are currently inlined with the requirements themselves

@adityasaky mentions this would be made easier once we define a source control system #1128 .
@github-project-automation github-project-automation bot moved this to 🆕 New in Issue triage Sep 20, 2024
@TomHennen
Copy link
Contributor Author

This is probably a good way to address @marcelamelara's comment here #1128 (comment)

@adityasaky adityasaky mentioned this issue Sep 20, 2024
Closed
@TomHennen TomHennen mentioned this issue Sep 20, 2024
Open
@zachariahcox zachariahcox moved this to In review in SLSA Source Track Sep 23, 2024
@zachariahcox zachariahcox moved this from In review to Ready for work! in SLSA Source Track Oct 2, 2024
@adityasaky adityasaky mentioned this issue Oct 3, 2024
Merged
TomHennen pushed a commit that referenced this issue Oct 14, 2024
@adityasaky
content: draft: Clarify branch protection in source track (#1175)
3f435fe 
Re: #1136

I'm trying to separate "branch protection" which is typically associated
with SCP features from the property we want for the branches intended
for consumption. I've also applied the SCS terminology we adopted in
another PR.

The framing of how this can be accomplished is still a bit TBD, if we
decide to adopt something like #1142 suggests, we could move the Git +
GitHub/GitLab piece out? That's also where we could discuss server side
pre-receive hooks etc.?
@TomHennen
Copy link
Contributor Author

I'm wondering if we think this is a blocker for releasing the source track. It seems like a good amount of work that we haven't made much progress on. I also think that perhaps it's not required right now? (Or we can address it in another point release)

@adityasaky
Copy link
Member

I think this really applies for presenting different ways of adopting the source track. I guess the question is if we expect to cut a release that includes the source track even if there aren't 1+ ways people can adopt it? (i.e., integrations into github, changes needed in gittuf for attestation pieces, etc.)

@TomHennen
Copy link
Contributor Author

I know some folks (myself included) were hoping to get source track out the door soon. Since we haven't had any work done on profiles, I don't see how we can get both things (e.g. release soon with profiles).

Right now I don't think there's anything that limits source track adoption to just one way, it's more that we don't have any specific documented ways to adopt it.

Perhaps we can:

  1. Release without profiles.
  2. Start implementing some methods of achieving it.
  3. Document those methods as 'profiles'?
  4. Cut a new release?

@adityasaky
Copy link
Member

I think not blocking on this is fine. I also wonder if this is really a cross-slsa issue rather than limited to the source track. We could use this idea to communicate "known ways" to implement any SLSA track. Eg: using github-attest-provenance in gha is an example for the build track.

@marcelamelara
Copy link
Contributor

marcelamelara commented Jan 6, 2025
edited
Loading

How much more work is needed to define "profiles"? My interpretation of most of the early feedback on this topic was more related to clearly defining the roles and SCS model, which the Source track has already largely done.

EDIT: So I agree that we don't need to block on this for the initial release of the Source track.

@adityasaky
Copy link
Member

My interpretation of most of the early feedback on this topic was more related to clearly defining the roles and SCS model, which the Source track has already largely done.

In my view, this proposal was related to clearly defining the roles and SCS model in the spec itself but went further in that a profile would say specifically which system is responsible for a particular role. So, you could imagine a GitHub + Scorecard profile, a gittuf profile, etc. for the source track.

I still think this may be a cross-SLSA proposal, perhaps even related to some of the recent discussions around communicating conformance with the SLSA spec?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
source-track
Projects
Issue triage
Status: 🆕 New
SLSA Source Track
Status: Ready for work!
Milestone
No milestone
Development

No branches or pull requests
3 participants
@TomHennen @adityasaky @marcelamelara