content: draft: Add 'principle' protecting anonymous contribution in SLSA #1249
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…bution in SLSA As work on the source track progresses the topic of 'identity' comes up quite a bit. There has been some confusion about what this means, that it could be that SLSA intends to require legal identities for all contributors. That isn't the case. Many in the open source world prefer to contribute without revealing their 'real' identities as has been practiced for many years. SLSA does not intend to change that. This PR tries to make it clear that SLSA does not require real identities. refs slsa-framework#1133 Signed-off-by: Tom Hennen <tomhennen@google.com>
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
hepwori
reviewed
Dec 2, 2024
hepwori
suggested changes
Dec 2, 2024
adityasaky
reviewed
Dec 2, 2024
Co-authored-by: Aditya Sirish <8928778+adityasaky@users.noreply.github.com> Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com>
Co-authored-by: Aditya Sirish <8928778+adityasaky@users.noreply.github.com> Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
…issue_1133_identity
TomHennen
changed the title
TomHennen
requested review from
mlieberman85,
trishankatdatadog,
zachariahcox and
arewm
trishankatdatadog
approved these changes
Dec 3, 2024
zachariahcox
reviewed
Dec 4, 2024
zachariahcox
approved these changes
Dec 4, 2024
Co-authored-by: Andrew McNamara <arewm@users.noreply.github.com> Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com>
Co-authored-by: Andrew McNamara <arewm@users.noreply.github.com> Signed-off-by: Tom Hennen <TomHennen@users.noreply.github.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
Signed-off-by: Tom Hennen <tomhennen@google.com>
adityasaky
reviewed
Dec 6, 2024
docs/spec/draft/principles.md
Outdated
|
|
||
| **Reasoning**: SLSA uses identities for multiple purposes: as a trust anchor for attestations | ||
| (i.e. who or what is making this claim and do I trust it to do so) or for attributing actions | ||
| to an actor. Choice of identification technology is left to the platform that provides the |
There was a problem hiding this comment.
Suggested change
| to an actor. Choice of identification technology is left to the platform that provides the | |
| to an actor. Choice of identification technology (e.g. username, cryptographic signing key, etc.) is left to the specific instantiation of the SLSA specification. |
I don't know if this is the right phrasing but I was if we want something other than "platform" as the identity provider.
There was a problem hiding this comment.
I've gone a different route and went more generic. It's no longer "platform" its "organization and technical
+stacks implementing the SLSA standards". I've dropped the specific techniques used as I don't think this is the right place for it (the various tracks are).
Maybe this will also make @arewm happy?
Signed-off-by: Tom Hennen <tomhennen@google.com>
|
Alright, everyone seems happy, merging. :) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As work on the source track progresses the topic of 'identity' comes up quite a bit. There has been some confusion about what this means, that it could be that SLSA intends to require legal identities for all contributors. That isn't the case.
Many in the open source world prefer to contribute without revealing their 'real' identities as has been practiced for many years. SLSA does not intend to change that.
This PR tries to make it clear that SLSA does not require real identities.
refs #1133