content: draft: Clarify name of Source L3 #1204
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
adityasaky
approved these changes
Oct 20, 2024
|
I think the change from 'attestations' to 'provenance' should be uncontroversial. So I'm going to go ahead and merge. If anyone feels otherwise please let me know! |
Updating name of Source Level 3 to make it more clear by removing the somewhat ambiguous 'Source Provenance' and including the language from PR slsa-framework#1143 instead. Signed-off-by: Tom Hennen <[email protected]>
Co-authored-by: Aditya Sirish <[email protected]> Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
TomHennen
added a commit
to TomHennen/slsa
that referenced
this pull request
Oct 23, 2024
Previously level 3 just required the provenance/attestations to be tamper-resistant but didn't require those attestations to be created at any particular time. If an SCS were to create these attestations on-demand it would leave revisions more susceptible to tampering within the SCS between the time of their production and the time of the request. By creating the attestations contemporaneously it reduces the period of time during which a threat actor would be able to falsify this evidence. Also changed 'Source Attestations' to 'Source Provenance' to be inline with slsa-framework#1204 where we call it 'Provenance' and not 'Attestations'. fixes slsa-framework#1216 Signed-off-by: Tom Hennen <[email protected]>
TomHennen
added a commit
that referenced
this pull request
Oct 31, 2024
Previously level 3 just required the provenance/attestations to be tamper-resistant but didn't require those attestations to be created at any particular time. If an SCS were to create these attestations on-demand it would leave revisions more susceptible to tampering within the SCS between the time of their production and the time of the request. By creating the attestations contemporaneously it reduces the period of time during which a threat actor would be able to falsify this evidence. Also changed 'Source Attestations' to 'Source Provenance' to be inline with #1204 where we call it 'Provenance' and not 'Attestations'. fixes #1216 --------- Signed-off-by: Tom Hennen <[email protected]> Signed-off-by: Tom Hennen <[email protected]> Co-authored-by: Aditya Sirish <[email protected]> Co-authored-by: Zachariah Cox <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updating name of Source Level 3 to make it more clear by removing the somewhat ambiguous 'Source Provenance' and including the language from PR #1143 instead.
fixes #1112