
Move source track VSA info to the VSA spec? #1148

Open
TomHennen opened this issue Sep 23, 2024 · 1 comment
Comments

@TomHennen
Contributor

TomHennen commented Sep 23, 2024

Eventually, I think this list should be moved closer to the VSA spec itself so that users can reference the schema and these specific requirements together.

Originally posted by @marcelamelara in #1094 (comment)

@zachariahcox
Collaborator

@TomHennen is there much work left to do here?

I think the goal is to say:

SLSA has two main phases: data production and policy evaluation.

Provenance attestations are data production.
They are generated by authoritative sources, sources responsible for overseeing the claims to which they attest.

"VSAs" are policy evaluations.
A policy can be evaluated against the tamper-resistant provenance attestations to produce a policy decision.
The organization uses VSAs to determine whether a specific artifact, package, or repository revision is suitable for the next phase of the SDLC.
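The two phases described in the comment above, as an added example that is not code from the SLSA project or from either commenter: a constructed provenance statement (data production, already produced by a trusted builder) is evaluated against a small organizational policy, and the result is emitted in the shape of a VSA (policy evaluation). The builder id, source URI, policy URI and verifier id are constructed placeholders, and the field names follow my reading of the SLSA provenance v1 and VSA v1 layouts, so treat them as assumptions rather than as the spec; the example also assumes the envelope signature on the provenance has already been verified before the policy runs.

```python
"""Toy policy evaluation: provenance in, VSA-shaped verdict out.

Added illustration, not SLSA project code. Field names approximate the
SLSA provenance v1 / VSA v1 layouts (assumption); URIs are constructed.
Signature verification of the DSSE envelope is assumed to have happened
before this point, which is what makes the provenance "tamper-resistant".
"""
import copy
from datetime import datetime, timezone

PROVENANCE_TYPE = "https://slsa.dev/provenance/v1"
VSA_TYPE = "https://slsa.dev/verification_summary/v1"

# Constructed sample provenance, as a policy engine would receive it after
# envelope verification.
SAMPLE_PROVENANCE = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:example/app@1.2.3", "digest": {"sha256": "ab" * 32}}],
    "predicateType": PROVENANCE_TYPE,
    "predicate": {
        "buildDefinition": {
            "externalParameters": {
                "source": {"uri": "git+https://github.com/example/app@refs/heads/main"}
            },
        },
        "runDetails": {"builder": {"id": "https://builder.example/trusted@v1"}},
    },
}

# Constructed organizational policy: which builders are trusted, which SLSA
# level each earns, and which source locations are acceptable.
POLICY = {
    "uri": "https://policy.example/app-release-policy",  # placeholder
    "trusted_builders": {"https://builder.example/trusted@v1": "SLSA_BUILD_LEVEL_3"},
    "allowed_source_prefix": "git+https://github.com/example/",
}


def evaluate(provenance, policy, verifier_id="https://verifier.example", now=None):
    """Evaluate one provenance statement against a policy; return a VSA-shaped dict."""
    failures = []

    if provenance.get("predicateType") != PROVENANCE_TYPE:
        failures.append("unexpected predicateType: %r" % provenance.get("predicateType"))

    pred = provenance.get("predicate", {})

    # Is the producer of this data an authoritative source the policy trusts?
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    level = policy["trusted_builders"].get(builder)
    if level is None:
        failures.append("builder not trusted: %r" % builder)

    # Was the artifact built from a source location the policy allows?
    source = (
        pred.get("buildDefinition", {})
        .get("externalParameters", {})
        .get("source", {})
        .get("uri", "")
    )
    if not source.startswith(policy["allowed_source_prefix"]):
        failures.append("source not allowed: %r" % source)

    passed = not failures
    subject = provenance.get("subject", [{}])[0]
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [subject],
        "predicateType": VSA_TYPE,
        "predicate": {
            "verifier": {"id": verifier_id},
            "timeVerified": (now or datetime.now(timezone.utc)).isoformat(),
            "resourceUri": subject.get("name"),
            "policy": {"uri": policy["uri"]},
            "verificationResult": "PASSED" if passed else "FAILED",
            "verifiedLevels": [level] if passed else [],
            # Not part of the VSA layout; kept so an operator can see why it failed.
            "failures": failures,
        },
    }


def with_builder(provenance, builder_id):
    """Return a copy of `provenance` claiming a different builder (for negative tests)."""
    modified = copy.deepcopy(provenance)
    modified["predicate"]["runDetails"]["builder"]["id"] = builder_id
    return modified


if __name__ == "__main__":
    print(evaluate(SAMPLE_PROVENANCE, POLICY)["predicate"]["verificationResult"])
    print(evaluate(with_builder(SAMPLE_PROVENANCE, "https://builder.example/unknown"), POLICY)["predicate"])
```

The point the split makes visible: `evaluate` never asks the builder whether the artifact is good; it only checks that the data came from a source the policy already trusts and that the claims in it satisfy the organization's rules. Changing the policy changes the verdict without touching the provenance, which is why the two are produced and stored separately.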
