{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":346517502,"defaultBranch":"main","name":"slsa","ownerLogin":"slsa-framework","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2021-03-10T23:11:57.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/80431187?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1722616657.0","currentOid":""},"activityList":{"items":[{"before":"f3c54b12de2666628039f8478ac5b6f286dbe3ae","after":null,"ref":"refs/heads/dependabot/bundler/docs/rexml-3.3.2","pushedAt":"2024-08-02T16:37:37.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/https/github.com/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"}},{"before":null,"after":"cee173986e26d9ca07dd318bcfcb39935a343702","ref":"refs/heads/dependabot/bundler/docs/rexml-3.3.3","pushedAt":"2024-08-02T16:37:33.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/https/github.com/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"build(deps-dev): bump rexml from 3.2.8 to 3.3.3 in /docs\n\nBumps [rexml](https://github.com/ruby/rexml) from 3.2.8 to 3.3.3.\n- [Release notes](https://github.com/ruby/rexml/releases)\n- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)\n- [Commits](https://github.com/ruby/rexml/compare/v3.2.8...v3.3.3)\n\n---\nupdated-dependencies:\n- dependency-name: rexml\n  dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] <support@github.com>","shortMessageHtmlLink":"build(deps-dev): bump rexml from 3.2.8 to 3.3.3 in /docs"}},{"before":null,"after":"f3c54b12de2666628039f8478ac5b6f286dbe3ae","ref":"refs/heads/dependabot/bundler/docs/rexml-3.3.2","pushedAt":"2024-07-23T21:15:02.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/https/github.com/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"build(deps-dev): bump rexml from 3.2.8 to 3.3.2 in /docs\n\nBumps [rexml](https://github.com/ruby/rexml) from 3.2.8 to 3.3.2.\n- [Release notes](https://github.com/ruby/rexml/releases)\n- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)\n- [Commits](https://github.com/ruby/rexml/compare/v3.2.8...v3.3.2)\n\n---\nupdated-dependencies:\n- dependency-name: rexml\n  dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] <support@github.com>","shortMessageHtmlLink":"build(deps-dev): bump rexml from 3.2.8 to 3.3.2 in /docs"}},{"before":"ac0c409577020382f8ba5941576a741eb6961ee4","after":"a7a5084c65b829d333a311f8df50dcd0c4bd08bf","ref":"refs/heads/main","pushedAt":"2024-07-15T09:19:29.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"nonspec: add instructions for checking markdown formatting (#1096)\n\nAdd instructions for checking markdown formatting using\r\nmarkdownlint-cli2.\r\n\r\nI got tired of getting errors after sending and updating PRs but didn't\r\nknow how to run the style checker locally. Once I figured it out I\r\nsuspected other folks might have a similar problem.\r\n\r\nSigned-off-by: Tom Hennen <tomhennen@google.com>","shortMessageHtmlLink":"nonspec: add instructions for checking markdown formatting (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2405906463\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1096\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1096/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1096\">#1096</a>)"}},{"before":"7c6ba2398027a00e69a9e2497a61d2e45b1355bf","after":"ac0c409577020382f8ba5941576a741eb6961ee4","ref":"refs/heads/main","pushedAt":"2024-07-15T09:18:17.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: Add v1.1 without source track (#1092)\n\nThis is meant to include all the updates we have accumulated so far\r\nagainst 1.0, without any of the new levels or tracks. The goal is to\r\npublish this ASAP as a minor update to 1.0.\r\n\r\nSigned-off-by: Arnaud J Le Hors <lehors@us.ibm.com>","shortMessageHtmlLink":"content: Add v1.1 without source track (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2398934396\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1092\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1092/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1092\">#1092</a>)"}},{"before":"772967cdccd5db07563d8a96be1aad4fcc9a59fa","after":"7c6ba2398027a00e69a9e2497a61d2e45b1355bf","ref":"refs/heads/main","pushedAt":"2024-07-15T09:17:37.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: draft: define source-track objective in terms of revisions and provenance.  (#1083)\n\nfixes https://github.com/slsa-framework/slsa/issues/1072\r\n\r\nThis PR modifies _draft_ content of the slsa spec. \r\n\r\n## Context\r\nBased on discussion from\r\nhttps://github.com/slsa-framework/slsa/pull/1037\r\n\r\nSee [discussion\r\nhere](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#heading=h.svjr333bawb).\r\n\r\nCopied from [draft proposal\r\nhere](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#bookmark=id.4qr65cfy6ufj).\r\n\r\nGoogle document requires slsa-discussion@googlegroups.com membership.\r\n\r\n## Source revision provenance\r\nRepos contain many revisions, most of which are not \"official\" or\r\notherwise approved for release.\r\nThe goal of the source track is to attest to why a specific revision\r\n_was_ approved for release.\r\n\r\nWe can think of the SCP / code review tool as “building” the next\r\nofficial revision of a repository using a codified process that involves\r\ncollecting commits, acquiring reviews, running CI, etc.\r\nIf the change review process is successful, the code review tooling will\r\nmerge the code changes and attest to the process used to produce the new\r\nrevision.\r\n\r\nThe source provenance attestations associate a specific revision of a\r\nrepository to security claims and documents (basically build logs) of\r\nthe process that produced it.\r\n\r\nIn GitHub terms, a merged pull request and its associated rules\r\nevaluation justify why and how a specific git SHA is reachable from a\r\nprotected branch.\r\n\r\n## Example Scenario\r\n1. A CI system is trying to build some artifact and will download all\r\nnecessary resources, including repos and packages.\r\n2. After download, the system will proceed to verify all fetched\r\nresources.\r\n1. For package artifacts, it takes the hash and looks for build\r\nprovenance attestations from sigstore or github.\r\n1. For source artifacts that are not packaged (EG, cloned via git), it\r\ntakes the revision id and looks for the source provenance from sigstore\r\nor github.\r\n5. Based on the claims in the provenance attestations, the CI system can\r\ndetermine if all resources comply with required policy and choose to\r\nproceed.\r\n\r\n---------\r\n\r\nSigned-off-by: Zachariah Cox <zachariahcox@github.com>\r\nCo-authored-by: Joshua Lock <joshuagloe@gmail.com>\r\nCo-authored-by: Tom Hennen <TomHennen@users.noreply.github.com>","shortMessageHtmlLink":"content: draft: define source-track objective in terms of revisions a…"}},{"before":"fd2670bc2b6c52583b26af35f781ca6e67efbae9","after":"772967cdccd5db07563d8a96be1aad4fcc9a59fa","ref":"refs/heads/main","pushedAt":"2024-07-13T07:23:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"impl: Update actions/setup-node action to v4.0.3 (#1098)\n\n[![Mend\r\nRenovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)\r\n\r\nThis PR contains the following updates:\r\n\r\n| Package | Type | Update | Change |\r\n|---|---|---|---|\r\n| [actions/setup-node](https://togithub.com/actions/setup-node) | action\r\n| patch | `v4.0.2` -> `v4.0.3` |\r\n\r\n---\r\n\r\n### Release Notes\r\n\r\n<details>\r\n<summary>actions/setup-node (actions/setup-node)</summary>\r\n\r\n###\r\n[`v4.0.3`](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)\r\n\r\n[Compare\r\nSource](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)\r\n\r\n</details>\r\n\r\n---\r\n\r\n### Configuration\r\n\r\n📅 **Schedule**: Branch creation - \"every weekend\" (UTC), Automerge - At\r\nany time (no schedule defined).\r\n\r\n🚦 **Automerge**: Disabled by config. Please merge this manually once you\r\nare satisfied.\r\n\r\n♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the\r\nrebase/retry checkbox.\r\n\r\n🔕 **Ignore**: Close this PR and you won't be reminded about this update\r\nagain.\r\n\r\n---\r\n\r\n- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check\r\nthis box\r\n\r\n---\r\n\r\nThis PR has been generated by [Mend\r\nRenovate](https://www.mend.io/free-developer-tools/renovate/). View\r\nrepository job log\r\n[here](https://developer.mend.io/github/slsa-framework/slsa).\r\n\r\n<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjUuMSIsInVwZGF0ZWRJblZlciI6IjM3LjQyNS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update actions/setup-node action to v4.0.3 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2406570830\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1098\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1098/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1098\">#1098</a>)"}},{"before":"9a04d1ee393b5be2773b1ce204f61fe0fd02366a","after":"fd2670bc2b6c52583b26af35f781ca6e67efbae9","ref":"refs/heads/main","pushedAt":"2024-07-13T07:17:33.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"nonspec: Add TomHennen as a maintainer (#1091)\n\nI'd like to propose making myself a maintainer.\r\n\r\nI believe I meet the requirements [listed\r\nhere](https://github.com/slsa-framework/slsa/blob/main/MAINTAINERS.md#becoming-a-maintainer).\r\n\r\nSigned-off-by: Tom Hennen <tomhennen@google.com>","shortMessageHtmlLink":"nonspec: Add TomHennen as a maintainer (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2398810450\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1091\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1091/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1091\">#1091</a>)"}},{"before":"4b969addc129ef585d141278ed838656a386ef50","after":"9a04d1ee393b5be2773b1ce204f61fe0fd02366a","ref":"refs/heads/main","pushedAt":"2024-07-09T18:23:03.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"impl: Rename latest draft (v1.1) to draft (#1090)\n\nAdd clear disclaimer about the status of this document, and unhide it.\r\n\r\nThis closes issue #1086\r\n\r\n---------\r\n\r\nSigned-off-by: Arnaud J Le Hors <lehors@us.ibm.com>","shortMessageHtmlLink":"impl: Rename latest draft (v1.1) to draft (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2396487281\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1090\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1090/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1090\">#1090</a>)"}},{"before":"dae80acb36e2c8c9a8d404397270d5bb9a3d1933","after":"4b969addc129ef585d141278ed838656a386ef50","ref":"refs/heads/main","pushedAt":"2024-07-08T19:06:55.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"content: source track v.next draft, address remainder of pre-merge issues (#1088)\n\ncloses out the remainder of the pre-merge\r\n[issues](https://docs.google.com/document/d/13Xt8mA_2b00McGX2vkyhu4GQdFAqtXPu7YXE8ZA6ISE/edit?resourcekey=0-EqfHF79tUWAKp4PzsE3z1A#heading=h.au8zjzii8lgw).\r\n\r\n## changes\r\n\r\n1. adds high-level document status section. \r\n2. add outstanding TODOs from ☝️ gdoc\r\n3. add link to `label:source-track` issues in slsa repo\r\n4. removes reference to \"time\" in the definition of \"revision.\"\r\n5. adds source track links to what's new file.\r\n\r\n---------\r\n\r\nSigned-off-by: Zachariah Cox <zachariahcox@github.com>\r\nCo-authored-by: Joshua Lock <joshuagloe@gmail.com>","shortMessageHtmlLink":"content: source track v.next draft, address remainder of pre-merge is…"}},{"before":"694afabcc0d0b6f8246ca497d67cad9ebc95755c","after":"dae80acb36e2c8c9a8d404397270d5bb9a3d1933","ref":"refs/heads/main","pushedAt":"2024-07-08T19:04:07.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"editorial: Expand SLSA acronym in docs (#1087)\n\nWhen visiting slsa.dev/spec/$version/about, I didn't see any mention of\r\nwhat the SLSA acronym actually stands for.\r\nThis change simply expands the acronym in the docs.","shortMessageHtmlLink":"editorial: Expand SLSA acronym in docs (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2386509168\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1087\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1087/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1087\">#1087</a>)"}},{"before":"0a6dbca72bcfc1fb2fdc2181059be43639399d98","after":"694afabcc0d0b6f8246ca497d67cad9ebc95755c","ref":"refs/heads/main","pushedAt":"2024-07-01T16:23:31.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"impl: Update amannn/action-semantic-pull-request action to v5.5.3 (#1084)\n\namannn/action-semantic-pull-request v5.5.2 -> v5.5.3\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update amannn/action-semantic-pull-request action to v5.5.3 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2381354705\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1084\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1084/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1084\">#1084</a>"}},{"before":"306642f21dbdaca2eaafe2df8e98432b4d4f2f02","after":"0a6dbca72bcfc1fb2fdc2181059be43639399d98","ref":"refs/heads/main","pushedAt":"2024-06-28T16:17:20.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: Add draft of the Source track. (#1037)\n\nThis change adds the working draft of SLSA's Source track. It includes\nbasic terminology and level requirements.\n\n---------\n\nSigned-off-by: kpk47 <kkris@google.com>\nSigned-off-by: Mark Lodato <lodatom@gmail.com>\nSigned-off-by: Joshua Lock <joshuagloe@gmail.com>\nCo-authored-by: Mark Lodato <lodatom@gmail.com>\nCo-authored-by: Zachariah Cox <zachariahcox@github.com>\nCo-authored-by: Joshua Lock <joshuagloe@gmail.com>","shortMessageHtmlLink":"content: Add draft of the Source track. (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2184658063\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1037\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1037/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1037\">#1037</a>)"}},{"before":"bee177a10283a62b26c9c9afe3b951c9a7cdbda0","after":"306642f21dbdaca2eaafe2df8e98432b4d4f2f02","ref":"refs/heads/main","pushedAt":"2024-06-17T09:03:59.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"impl: Update actions/checkout action to v4.1.7 (#1068)\n\nactions/checkout `v4.1.6` -> `v4.1.7`\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update actions/checkout action to v4.1.7 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2354412647\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1068\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1068/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1068\">#1068</a>)"}},{"before":"96cdd135351885e380bd34c4c03be152cf395d20","after":"bee177a10283a62b26c9c9afe3b951c9a7cdbda0","ref":"refs/heads/main","pushedAt":"2024-06-11T11:03:36.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"blog: Add blog post on Tekton Chains and IBM DevSecOps (#1048)\n\nAs discussed on a recent call, Tekton Chains supports SLSA Provenance v1\r\nbut the configuration isn't the most straightforward. This post\r\nhighlights support for SLSA and gives people the right configuration to\r\nuse to get the v1 format. It also informs people that IBM has an\r\noffering based on this technology and gives them a few pointers to the\r\nrelevant documentation.\r\n\r\n---------\r\n\r\nSigned-off-by: Arnaud J Le Hors <lehors@us.ibm.com>","shortMessageHtmlLink":"blog: Add blog post on Tekton Chains and IBM DevSecOps (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2254966952\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1048\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1048/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1048\">#1048</a>)"}},{"before":"d28bc77c445662e7b43b3f4b3f6e64b3b08ecfb7","after":"96cdd135351885e380bd34c4c03be152cf395d20","ref":"refs/heads/main","pushedAt":"2024-06-05T15:54:24.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"content: refactor threat diagram and add overview (#1057)\n\nRefactor the threat diagram to address clarity concerns and to expand it\r\nbeyond tampering. The intent is that this threat model can be useful for\r\nany software supply chain security effort. Many of the threats\r\npreviously called \"out of scope\" should be listed here, even if the SLSA\r\nladder does not (yet!) cover them.\r\n\r\nNOTE: this is a partial solution, but more work is needed. I want to\r\nat least merge what we have so far so that others can iterate on it.\r\n\r\nThis design is the result of much discussion on Slack. Thank you to\r\n@adityasaky, @arewm, @david-a-wheeler, @jkjell, @mlieberman85,\r\n@marcelamelara, and @trishankatdatadog for your contributions and\r\nsuggestions.\r\n\r\nSummary of major changes:\r\n\r\n* Add threat indicators for Producer and Consumer, remove for\r\n  Dependencies.\r\n* Rename \"Package\" to \"Distribution\".\r\n* Rewrite titles to describe the position rather than the tampering\r\n  threat.\r\n\r\nDetailed diagram changes:\r\n\r\n* Update the threat markers:\r\n  - Add a threat for Producer to cover malicious intent. For example, if you\r\n    install malware, it's not tampering---the producer really did intend to\r\n    write malware, and no amount of code review will \"fix\" that! (Previously\r\n    this was called \"out of scope\".)\r\n  - Add a threat for Consumer to cover...? It makes the diagram nicer and I\r\n    assume we want something here, but I don't know what that is yet!\r\n  - Remove the threat for Dependency, since it generated a lot of confusion. The\r\n    intent was that it is recursive, so the hope is that the diagram and text\r\n    make this clear enough.\r\n  - Re-letter the threat markers accordingly.\r\n  - Update the threat titles to describe the position rather than the tampering\r\n    threat. The old titles generated a lot of disagreement, and they relied on\r\n    understanding the non-obvious interpretation of the model. Now, the new\r\n    titles just describe that model, which is hopefully more clear to everyone.\r\n* Rename \"Package\" to \"Distribution\" to better reflect what that box means.\r\n* Move the arrow from Distribution to Dependency to make it clear that (H) is\r\n  also recursive.\r\n  - Also make the arrow solid instead of dashed, but keep the dashed box around\r\n    Dependency. The idea is that the use of the dependency is a real input to\r\n    the build, while Dependency itself is really just another package.\r\n* Move \"build params\" to \"Build threats\" instead of \"Source threats\",\r\n  and add new \"Usage threats\" category.\r\n* (minor) Use the same green color throughout, rather than having a\r\n  slightly different green color for arrows.\r\n\r\nText changes:\r\n\r\n* Add an overview section that explains a bit more about the threat model.\r\n* Add Dependency Confusion.\r\n* Update text to match the new diagram (only partially done).\r\n\r\nSigned-off-by: Mark Lodato <lodato@google.com>","shortMessageHtmlLink":"content: refactor threat diagram and add overview (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2293780854\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1057\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1057/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1057\">#1057</a>)"}},{"before":"0a125980dcb82e3793ee86f3d486ce7b5948ea44","after":"d28bc77c445662e7b43b3f4b3f6e64b3b08ecfb7","ref":"refs/heads/main","pushedAt":"2024-05-30T20:28:44.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: Update actions/checkout action to v4.1.6 (#1059)\n\nactions/checkout `v4.1.5` -> `v4.1.6`\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update actions/checkout action to v4.1.6 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2303800094\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1059\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1059/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1059\">#1059</a>)"}},{"before":"1121710a76fdc92c82f1dbb06bc2e028134ac5d8","after":"0a125980dcb82e3793ee86f3d486ce7b5948ea44","ref":"refs/heads/main","pushedAt":"2024-05-27T20:43:12.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: Update dependency markdownlint-cli to v0.41.0 (#1060)\n\nmarkdownlint-cli `0.40.0` -> `0.41.0`\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update dependency markdownlint-cli to v0.41.0 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2317357273\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1060\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1060/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1060\">#1060</a>)"}},{"before":"9ff9f8d2209eee46c53b11684fcbee0b3d47c88d","after":null,"ref":"refs/heads/dependabot/bundler/docs/rexml-3.2.8","pushedAt":"2024-05-17T18:19:44.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"}},{"before":"2197af8d848acd068c76a81897cb0dd0578103a5","after":"1121710a76fdc92c82f1dbb06bc2e028134ac5d8","ref":"refs/heads/main","pushedAt":"2024-05-17T18:19:43.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: bump rexml from 3.2.6 to 3.2.8 (#1058)\n\nSigned-off-by: dependabot[bot] <support@github.com>","shortMessageHtmlLink":"impl: bump rexml from 3.2.6 to 3.2.8 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2301379709\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1058\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1058/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1058\">#1058</a>)"}},{"before":null,"after":"9ff9f8d2209eee46c53b11684fcbee0b3d47c88d","ref":"refs/heads/dependabot/bundler/docs/rexml-3.2.8","pushedAt":"2024-05-16T21:28:17.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/https/github.com/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"build(deps-dev): bump rexml from 3.2.6 to 3.2.8 in /docs\n\nBumps [rexml](https://github.com/ruby/rexml) from 3.2.6 to 3.2.8.\n- [Release notes](https://github.com/ruby/rexml/releases)\n- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)\n- [Commits](https://github.com/ruby/rexml/compare/v3.2.6...v3.2.8)\n\n---\nupdated-dependencies:\n- dependency-name: rexml\n  dependency-type: indirect\n...\n\nSigned-off-by: dependabot[bot] <support@github.com>","shortMessageHtmlLink":"build(deps-dev): bump rexml from 3.2.6 to 3.2.8 in /docs"}},{"before":"9c4e9d3cae882095232c693a5a54610629c0f7a3","after":"2197af8d848acd068c76a81897cb0dd0578103a5","ref":"refs/heads/main","pushedAt":"2024-05-14T09:38:15.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"content: re-add threats (A) and (B) from v0.1 (#1056)\n\nRe-add the threat descriptions for (A) and (B) from v0.1 to v1.1. They\r\nare copied verbatim, except for removing the `<span>(SLSA 4)</span>`\r\nand `<sup>...</sup>` labels, which no longer apply to the current\r\nversion.\r\n\r\nFuture PRs will tweak the content of these threat descriptions. But for\r\nthis PR, I want to just add them as-is so that we can track cleanly in\r\nversion control.\r\n\r\nSigned-off-by: Mark Lodato <lodato@google.com>","shortMessageHtmlLink":"content: re-add threats (A) and (B) from v0.1 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2293473662\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1056\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1056/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1056\">#1056</a>)"}},{"before":"15311153fe741cb1eadbd5361d3bf4ebed189b08","after":"9c4e9d3cae882095232c693a5a54610629c0f7a3","ref":"refs/heads/main","pushedAt":"2024-05-13T18:48:52.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: refactor diagram in figma (no visual change) (#1055)\n\nRefactor how the diagrams are implemented in Figma so that it's easier\r\nto edit.\r\n\r\nThere's no visual change. Two SVGs are completely unchanged, and two are\r\nmodified but only have lines reordered AFAICT. The two modified SVGs\r\nseem to be a pixel off, for a reason I cannot comprehend.\r\n\r\nExplanation: Previously the diagrams were built \"up\", starting with the\r\nsimplest and successively adding more detail. This was a pain to edit,\r\nbecause you'd first have to find which diagram was the \"master\" for the\r\nchange you wanted to make. Now there's only one \"master\" with all of the\r\ndetail, and the derived diagrams just hide detail that's not wanted.\r\nThis is much easier to edit (and understand!)\r\n\r\nAlso delete some unused diagrams that were in the figma file but never\r\nexported to SVG.\r\n\r\nSigned-off-by: Mark Lodato <lodato@google.com>","shortMessageHtmlLink":"impl: refactor diagram in figma (no visual change) (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2293390973\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1055\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1055/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1055\">#1055</a>)"}},{"before":"6f2053800ae684337def2e7f3770afa66b8cb332","after":"15311153fe741cb1eadbd5361d3bf4ebed189b08","ref":"refs/heads/main","pushedAt":"2024-05-13T08:55:06.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"joshuagl","name":"Joshua Lock","path":"/https/github.com/joshuagl","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/13888612?s=80&v=4"},"commit":{"message":"impl: Update actions/checkout action to v4.1.5 (#1054)\n\nactions/checkout  v4.1.4 -> v4.1.5\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update actions/checkout action to v4.1.5 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2290569280\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1054\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1054/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1054\">#1054</a>)"}},{"before":"7b55a4e8be9123ce320be18801b2fed3e7291370","after":"6f2053800ae684337def2e7f3770afa66b8cb332","ref":"refs/heads/main","pushedAt":"2024-05-07T12:07:08.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"nonspec: clean up meeting notes page (#1053)\n\nMake the meeting notes easier to find by moving all of the old meeting\r\nnotes to a \"retired\" section and renaming the single remaining meeting\r\nto \"weekly Monday meeting\".\r\n\r\nAlso clean up the wording in the intro and use a proper Jekyll layout to\r\nfix the styling.\r\n\r\nSigned-off-by: Mark Lodato <lodato@google.com>","shortMessageHtmlLink":"nonspec: clean up meeting notes page (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2281365989\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1053\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1053/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1053\">#1053</a>)"}},{"before":"c1398d556eec21b7e6aedb8f10cfa6b49101bdf3","after":"7b55a4e8be9123ce320be18801b2fed3e7291370","ref":"refs/heads/main","pushedAt":"2024-05-06T13:36:01.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: Update dependency markdownlint-cli to v0.40.0 (#1052)\n\nmarkdownlint-cli `0.39.0` -> `0.40.0`\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update dependency markdownlint-cli to v0.40.0 (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2278620382\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1052\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1052/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1052\">#1052</a>)"}},{"before":"87919f8ed701b023c70010a447efb31d8c20a3e0","after":"c1398d556eec21b7e6aedb8f10cfa6b49101bdf3","ref":"refs/heads/main","pushedAt":"2024-05-03T16:57:49.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"content: refine dependency threats (#1046)\n\nRefine the \"dependency threats\" of the Threats & Mitigations page to\r\nbetter explain the intent and to differentiate from (H), which sounded\r\nconfusingly similar (#1039). More work is needed to refine (H), but that\r\nis left to a separate PR.\r\n\r\n-   Explain that \"dependency threats\" are not distinct threats but\r\n    rather threats to other pieces of software that also affect this\r\n    one. In the diagram, the diagram to color (D) differently to show\r\n    this, mirroring the existing dashed lines, and add \"(A-H\r\n    recursively\").\r\n-   State that only \"build dependencies\" are in scope for the threat\r\n    model, matching existing diagram and terminology throughout SLSA.\r\n-   Rename \"Use compromised dependency\" to \"Compromise build\r\n    dependency\", both for consistency with other threats, which are from\r\n    the adversary's point of view, and to emphasize that this is\r\n    restricted to build dependencies.\r\n-   Expand the text about dependency threats and give examples.\r\n    Highlight both \"include\" and \"build tool\" types of dependencies, and\r\n    also include both an accidental vulnerability and a malicious\r\n    backdoor.\r\n\r\nSigned-off-by: Mark Lodato <lodato@google.com>","shortMessageHtmlLink":"content: refine dependency threats (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2243846312\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1046\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1046/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1046\">#1046</a>)"}},{"before":"ab92814d6e48f086474b05610310a30f75509944","after":"87919f8ed701b023c70010a447efb31d8c20a3e0","ref":"refs/heads/main","pushedAt":"2024-04-29T12:17:40.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"MarkLodato","name":"Mark Lodato","path":"/MarkLodato","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/58860?s=80&v=4"},"commit":{"message":"impl: Update github-actions (#1050)\n\nactions/checkout `v4.1.1` -> `v4.1.4`\r\namannn/action-semantic-pull-request `v5.4.0` -> `v5.5.2`\r\n\r\nSigned-off-by: Mend Renovate <bot@renovateapp.com>","shortMessageHtmlLink":"impl: Update github-actions (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2266662105\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1050\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1050/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1050\">#1050</a>)"}},{"before":"3c6bd4073260a1366fc386d66ef7123c4c29f9e8","after":"ab92814d6e48f086474b05610310a30f75509944","ref":"refs/heads/main","pushedAt":"2024-04-26T20:03:52.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"fix: fixing typos (#1049)\n\nThis PR fixes several typos I spotted in the project.","shortMessageHtmlLink":"fix: fixing typos (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2266424668\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1049\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1049/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1049\">#1049</a>)"}},{"before":"af3479bbb35528df91dda5a76ecf7f62ce23cb8c","after":"3c6bd4073260a1366fc386d66ef7123c4c29f9e8","ref":"refs/heads/main","pushedAt":"2024-04-11T10:02:43.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"lehors","name":"Arnaud J Le Hors","path":"/https/github.com/lehors","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/6464618?s=80&v=4"},"commit":{"message":"impl: add a script to easily diff two built sites (#1045)\n\nWhenever we get a pull request to update a dependency, I run a diff to\r\nmake sure it doesn't break anything. This script simplifies that process\r\nsince it now works on archives download from Netlify, and it no longer\r\nrequires copy/pasting commands.\r\n\r\nThis could easily be turned into a stand-alone script outside SLSA -\r\nseems like a generally useful tool!\r\n\r\nSigned-off-by: Mark Lodato <lodato@google.com>\r\n\r\n---------\r\n\r\nSigned-off-by: Mark Lodato <lodato@google.com>\r\nSigned-off-by: Arnaud J Le Hors <lehors@us.ibm.com>\r\nCo-authored-by: Arnaud J Le Hors <lehors@us.ibm.com>","shortMessageHtmlLink":"impl: add a script to easily diff two built sites (<a class=\"issue-link js-issue-link\" data-error-text=\"Failed to load title\" data-id=\"2236613275\" data-permission-text=\"Title is private\" data-url=\"https://github.com/slsa-framework/slsa/issues/1045\" data-hovercard-type=\"pull_request\" data-hovercard-url=\"/slsa-framework/slsa/pull/1045/hovercard\" href=\"https://github.com/slsa-framework/slsa/pull/1045\">#1045</a>)"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEkFzqywA","startCursor":null,"endCursor":null}},"title":"Activity · slsa-framework/slsa"}