slsa-framework/slsa

Issues

• cleanup verifying-source content

  #1242 opened 7 days ago by zachariahcox
  0

• Add figure for build environment lifecycle

  #1245 opened 6 days ago by marcelamelara
  0

• Add figures for build environment track spec

  #1165 opened 2 months ago by marcelamelara
  0

• Write detailed requirements/guidance for BuildEnv track

  #1243 opened 7 days ago by marcelamelara
  0

• start discussion with ossf/scorecard team to build an initial prototype

  #1160 opened 2 months ago by zachariahcox
  4

• fill in or cut this bit about merge trains

  #1239 opened 7 days ago by zachariahcox
  0

• verifying-source should discuss verifying all the commits directly on a protected ref

  #1238 opened 7 days ago by zachariahcox
  0

• propose intoto format for source provenance attestations

  #1161 opened 2 months ago by zachariahcox
  8

• Which Build Threat corresponds to "pwn request"

  #1235 opened 13 days ago by fproulx-boostsecurity
  9

• Clarify how end-users can know the expected value of resourceUri in a VSA

  #1212 opened 18 days ago by TomHennen
  3

• 'verifiying-artifacts' needs to be updated to match new threat diagram

  #1233 opened 20 days ago by TomHennen
  2

• Add search to published doc

  #1232 opened 22 days ago by shalper
  3

• Fix broken link - SUSE source

  #1230 opened 21 days ago by shalper
  1

• Safe Expunging and 'legal' restrictions

  #1222 opened a month ago by TomHennen
  1

• Improve strength of Source Level 3

  #1216 opened a month ago by TomHennen
  0

• Clarify 'Tamper with provenance or VSA' threat

  #1223 opened a month ago by TomHennen
  1

• Relationship of VSA's `resourceUri` with the attestation `subject`

  #1219 opened a month ago by adityasaky
  1

• Grant Pavel triage access

  #1218 opened a month ago by marcelamelara
  1

• Threats overview page needs to be updated for 1.1

  #1208 opened a month ago by TomHennen
  1

• Source 'systems' need strong auth too, not just change management tools

  #1199 opened a month ago by TomHennen
  3

• Clarify why builder level is meaningful in threats

  #1215 opened a month ago by TomHennen
  1

• TODO: Need to fill out description of "(I) Usage" in threat and mitigation section

  #1182 opened a month ago by lehors
  1

• TODO: Need to fill out threat and mitigation of "(G) Distribution channel"

  #1180 opened a month ago by lehors
  1

• TODO: Need mitigation description for "Use a compromised build tool" threat

  #1184 opened 2 months ago by lehors
  2

• TODO: Need mitigation description for "Dependency confusion" threat

  #1181 opened 2 months ago by lehors
  4

• Rephrase "The update did not match the code submitted to GitHub"?

  #1213 opened a month ago by TomHennen
  1

• Document detailed attested build environment verification flow

  #1169 opened 2 months ago by marcelamelara
  2

• Clarify that it's the CI's control plane that gives it privileged access

  #1211 opened a month ago by marcelamelara
  0

• Clarify the connection between the Build and BuildEnv tracks

  #1210 opened a month ago by marcelamelara
  0

• Summarized verification results in VSA, timeless vs. time-sensitive

  #1207 opened a month ago by AdamZWu
  8

• TODO: Need mitigation description for "Include a vulnerable dependency" threat

  #1183 opened 2 months ago by lehors
  2

• TODO: Need mitigation description for "Software producer intentionally submits bad code" threat

  #1178 opened 2 months ago by lehors
  2

• Fix threats.md's outdated links

  #1189 opened a month ago by TomHennen
  0

• TODO: Need mitigation description for "Platform admin abuses privileges" threat

  #1179 opened a month ago by lehors
  0

• Document implementation of the BuildEnv track for non-Linux environments

  #1198 opened a month ago by marcelamelara
  0

• Add reference to TPM 2.0 spec defining "Quote"

  #1197 opened a month ago by marcelamelara
  0

• Explicitly mention that BuildEnv L2 build platform MUST verify the SLSA Provenance OR its VSA.

  #1196 opened a month ago by marcelamelara
  0

• Explicitly note that the build image should be included in the external parameters field of Provenance for artifacts built on BuildEnv platforms

  #1195 opened a month ago by marcelamelara
  0

• More cleanly separate container vs. VM requirements in BuildEnv L2+

  #1192 opened a month ago by marcelamelara
  0

• Update threats.md to discuss SLSA Source Track

  #1187 opened a month ago by TomHennen
  0

• final source track copy edit

  #1172 opened 2 months ago by zachariahcox
  2

• Cover use case of build environments without a build agent

  #1185 opened a month ago by marcelamelara
  0

• Link build environment terms to their definitions

  #1177 opened 2 months ago by marcelamelara
  1

• Add more example provenance and VSAs

  #1156 opened 2 months ago by TomHennen
  4

• source track: clarify definition of "contributor" and recommend best practices for SCPs.

  #1162 opened 2 months ago by zachariahcox
  1

• Clarify that the build executor and agent may not be on the rootfs

  #1170 opened 2 months ago by marcelamelara
  0

• Cover replay attacks for attested build environments

  #1167 opened 2 months ago by marcelamelara
  0

• Attested build environment verification policy should have provenance/integrity guarantees

  #1168 opened 2 months ago by marcelamelara
  0

• Clarify what is within the scope of the build agent/executor measurement

  #1164 opened 2 months ago by marcelamelara
  0

• verifying-source levels should match final source-requirements terminology

  #1163 opened 2 months ago by zachariahcox
  0