Replace 'package repo' with 'package registry' in spec 1.0

slsa-framework · Oct 10, 2023 · 4c987a0 · 4c987a0
1 parent 50c47b8
commit 4c987a0
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 8 deletions.
diff --git a/docs/spec/v1.0/threats-overview.md b/docs/spec/v1.0/threats-overview.md
@@ -80,8 +80,8 @@ Many recent high-profile attacks were consequences of supply chain integrity vul
 <td>Provenance of the artifact in the GCS bucket would have shown that the artifact was not built in the expected manner from the expected source repo.
 <tr>
 <td>G
-<td>Compromise package repo
-<td><a href="https://theupdateframework.io/papers/attacks-on-package-managers-ccs2008.pdf">Attacks on Package Mirrors</a>: Researcher ran mirrors for several popular package repositories, which could have been used to serve malicious packages.
+<td>Compromise package registry
+<td><a href="https://theupdateframework.io/papers/attacks-on-package-managers-ccs2008.pdf">Attacks on Package Mirrors</a>: Researcher ran mirrors for several popular package registries, which could have been used to serve malicious packages.
 <td>Similar to above (F), provenance of the malicious artifacts would have shown that they were not built as expected or from the expected source repo.
 <tr>
 <td>H

diff --git a/docs/spec/v1.0/threats.md b/docs/spec/v1.0/threats.md
@@ -389,30 +389,30 @@ cryptographic signature is no longer valid.
 
 </details>
 
-### (G) Compromise package repo
+### (G) Compromise package registry
 
-An adversary modifies the package on the package repository using an
+An adversary modifies the package on the package registry using an
 administrative interface or through a compromise of the infrastructure.
 
 <details><summary>De-list artifact</summary>
 
-*Threat:* The package repository stops serving the artifact.
+*Threat:* The package registry stops serving the artifact.
 
 *Mitigation:* N/A - This threat is out of scope of SLSA v1.0.
 
 </details>
 
 <details><summary>De-list provenance</summary>
 
-*Threat:* The package repository stops serving the provenance.
+*Threat:* The package registry stops serving the provenance.
 
 *Mitigation:* N/A - This threat is out of scope of SLSA v1.0.
 
 </details>
 
 ### (H) Use compromised package
 
-An adversary modifies the package after it has left the package repository, or
+An adversary modifies the package after it has left the package registry, or
 tricks the user into using an unintended package.
 
 <details><summary>Typosquatting</summary>

diff --git a/docs/spec/v1.0/use-cases.md b/docs/spec/v1.0/use-cases.md
@@ -43,7 +43,7 @@ Example ways an organization might use SLSA internally:
 -   A large company uses SLSA to require two person review for every production
     change, scalably across hundreds or thousands of employees/teams.
 -   An open source project uses SLSA to ensure that compromised credentials
-    cannot be abused to release an unofficial package to a package repostory.
+    cannot be abused to release an unofficial package to a package registry.
 
 **Case study:** [Google (Binary Authorization for Borg)](https://cloud.google.com/docs/security/binary-authorization-for-borg)