|
| 1 | +# Source Code Integrity |
| 2 | + |
| 3 | +This breakout session was proposed to discuss source code integrity in the |
| 4 | +context of software supply chain security efforts like the SLSA framework and |
| 5 | +gittuf. After a round of introductions, the session discussed what SLSA is and |
| 6 | +its draft proposal for source code integrity (known as the SLSA source track). |
| 7 | + |
1 | 8 | ## Open Discussion |
2 | 9 |
|
3 | 10 | * SLSA is meant to establish standards / language to communicate how trustworthy development processes are |
4 | 11 | * Breaks standards into levels: higher the level, the better the guarantees |
5 | 12 | * V1.0 has Build track: how builders can secure transforming source code to build artifacts like binaries |
6 | | -* Build level 1: protects against mistakes, documentation |
7 | | -* Build level 2: protects against tampering after the build |
8 | | -* Build level 3: some protections during build with isolation requirements, etc. |
9 | | -* Build track allows for mapping a binary artifact to the source code that produced it |
10 | | -* But raises the question about how to trust the source code |
| 13 | +* Build level 1: protects against mistakes, documentation |
| 14 | +* Build level 2: protects against tampering after the build |
| 15 | +* Build level 3: some protections during build with isolation requirements, etc. |
| 16 | +* Build track allows for mapping a binary artifact to the source code that produced it |
| 17 | +* But raises the question about how to trust the source code |
11 | 18 | * Q: does build level 3 include reproducible builds? |
12 | 19 | * No, this was discussed extensively and was part of the spec pre v1.0 |
13 | 20 | * On a related note, there’s a separate track being worked on to get hardware attested trust for a build, that provides some similar guarantees |
|
28 | 35 | * Not 100% sure about CRA, but maps to requirements in SSDF etc and perhaps similar? |
29 | 36 | * Additionally, SLSA is more verifiable with tooling rather than a human-filled checklist |
30 | 37 | * SLSA \<-\> gittuf |
31 | | -* SLSA doesn’t want to require a specific toolchain for managing source code |
| 38 | +* SLSA doesn’t want to require a specific toolchain for enforcing source code |
| 39 | + integrity |
32 | 40 | * Requiring a specific toolchain would also stop the development of new tools |
33 | | -* Is the ambition of SLSA to get bigger players (Google etc) to align on these goals? Startups? |
| 41 | +* Is the ambition of SLSA to get bigger players (Google etc.) to align on these goals? Startups? |
34 | 42 | * Large enterprises and startups |
35 | 43 | * Related: do we expect small orgs / engineers to implement controls? |
36 | 44 | * One set of SLSA’s consumers are in fact developer tooling / platforms builders who can build requirements into tooling to make it available invisibly to end users |
|
44 | 52 | * Yes, that could well be the case |
45 | 53 | * If the vendor is a hobbyist, it’s on the enterprise to compensate the hobbyist |
46 | 54 | * What’s the tooling to verify the attestations for some repo you’re consuming? |
47 | | -* One option is to trust the attestation to an extent, check the revision matches the attestation, etc. |
48 | | -* Who makes the attestation (maintainer of repository vs someone else for eg) is an interesting question |
49 | | -* gittuf |
50 | | -* SLSA isn’t prescriptive |
| 55 | +* One option is to trust the provider of the attestation to an extent, check the revision matches the attestation, etc. |
| 56 | +* Who makes the attestation (maintainer of repository vs someone else for example) is an interesting question |
| 57 | +*Back to gittuf |
| 58 | +* SLSA isn’t prescriptive about tooling |
51 | 59 | * You can meet a lot of these requirements by trusting a platform to do them |
52 | 60 | * But maybe we can go further and remove the need to trust the platform |
53 | | -* What does it mean to be SLSA Level 3 if the system enforcing those things can be compromised |
54 | | -* Thoughts on code review |
| 61 | +* What does it mean to be SLSA Level 3 if the system enforcing those things can be compromised? That's what gittuf addresses in the context of the source track |
| 62 | +* Thoughts on code review as a source track requirement |
55 | 63 | * Anonymity / pseudo-anonymity are important |
56 | 64 | * Individuals can’t meet this requirement |
57 | 65 | * In startups: requiring code reviews would be difficult |
|
65 | 73 | ## Links |
66 | 74 |
|
67 | 75 | * SLSA community: [https://slsa.dev/community](https://slsa.dev/community) |
68 | | -* Source Track *Draft:*[https://slsa.dev/spec/draft/source-requirements](https://slsa.dev/spec/draft/source-requirements) |
| 76 | +* SLSA Source Track *Draft*: [https://slsa.dev/spec/draft/source-requirements](https://slsa.dev/spec/draft/source-requirements) |
| 77 | +* gittuf: [https://github.com/gittuf/gittuf](https://github.com/gittuf/gittuf) |
0 commit comments