ossf/s2c2f

Crosswalk with SLSA

david-a-wheeler opened this issue · 4 comments

FYI: Melba did some work to identify potential overlaps.

In the Appendix of our guide, we mapped our requirements to 6 other frameworks/guides, and SLSA was one of them. There was very little overlap. This mapping was done prior to SLSA achieving 1.0 and might need to be double-checked, but at least we have an existing mapping to start from:

| S2C2F requirement | Description | SLSA mapping |
|---|---|---|
| AUD-1 | Verify the provenance of your OSS | SLSA: Provenance – Dependencies complete |
| REB-1 | Rebuild the OSS in a trusted build environment, or validate that it is reproducibly built | SLSA: Build - Reproducible |

Following the release of SLSA 1.0, we do not believe there are any overlapping requirements anymore. However, the SLSA: Producing Artifacts - Distribute Provenance requirement is a touch-point with the S2C2F's AUD-1: Verify the provenance of your OSS.

I will update the Appendix to reflect this.

Updated appendix to reflect SLSA v1.0 touchpoint