Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Safe Expunging and 'legal' restrictions #1222

Closed
TomHennen opened this issue Oct 25, 2024 · 1 comment · Fixed by #1252
Closed

Safe Expunging and 'legal' restrictions #1222

TomHennen opened this issue Oct 25, 2024 · 1 comment · Fixed by #1252
Labels
source-track

Comments

@TomHennen
Copy link
Contributor

I'm also not sure the scs can be on the hook for enforcing that the data removals were for legal reasons.
Generally I think "the owner of the intellectual property in the repo (the root repo owner, in gh terms) can remove data. They should only do this for legal or privacy reasons due to the risk of severe reputational consequences (damage to artifact chain of custody)." Ie: it's indistinguishable from a repo hijack so you should have a good reason.

Originally posted by @zachariahcox in #1203 (review)
@github-project-automation github-project-automation bot moved this to 🆕 New in Issue triage Oct 25, 2024
@TomHennen
Copy link
Contributor Author

That's probably right. One thing I was thinking of doing is following the build tracks example and making it clear which requirements are on the Organization (build track calls it the producer) and which are on the SCS.

I think that would resolve this?

@TomHennen TomHennen mentioned this issue Oct 25, 2024
Merged
@zachariahcox zachariahcox moved this to In review in SLSA Source Track Nov 18, 2024
TomHennen added a commit to TomHennen/slsa that referenced this issue Dec 3, 2024
@TomHennen
clarify orgs are responsible for what gets expunged
9fa4997 
The prior language made it sound like the SCS was responsible for
only performing expunging for legal requests.  That's not
reasonable from a technical perspective.  With this update we
clarify that it's the _organization's_ responsibility to ensure
this bar is met.

fixes slsa-framework#1222

Signed-off-by: Tom Hennen <[email protected]>
@TomHennen TomHennen mentioned this issue Dec 3, 2024
Merged
TomHennen added a commit that referenced this issue Dec 4, 2024
@TomHennen
content: draft: clarify orgs are responsible for what gets expunged (#…
e68ed5d 
…1252)

The prior language made it sound like the SCS was responsible for only
performing expunging for legal requests. That's not reasonable from a
technical perspective. With this update we clarify that it's the
_organization's_ responsibility to ensure this bar is met.

I had thought about adding a whole section of requirements just for the
organization, but that seems out of scope for this change and it would
be a lot of work. We can still do so if we want, but not here.

fixes #1222

Signed-off-by: Tom Hennen <[email protected]>
@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in Issue triage Dec 4, 2024
@github-project-automation github-project-automation bot moved this from New! to Done in SLSA Source Track Dec 4, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
source-track
Projects
Issue triage
Status: Done
SLSA Source Track
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

content: draft: clarify orgs are responsible for what gets expunged TomHennen/slsa
2 participants
@TomHennen @zachariahcox