Update supply-chain-threats.svg to reflect current 1.0 scope #1004

Open
cqueern opened this issue Nov 30, 2023 · 2 comments
Labels
clarification Clarification of the spec, without changing meaning

Comments

@cqueern

cqueern commented Nov 30, 2023

Hi, with Source being temporarily out of scope for SLSA in 1.0, I would like to request that maintainers consider updating this image to reflect that Source Threats are not addressed in the current SLSA scope.

docs/images/supply-chain-threats.svg

A casual observer skimming the documentation but not reading everything may misunderstand that SLSA currently addresses Source Threats A-C without such an update. Options might include greying out Source Threats A-C or removing them until they're in scope again someday.

@MarkLodato
@devmoran

@lehors (Member)

lehors commented Nov 30, 2023

Thanks for the feedback.

The graphic is really focused on threats and not on what SLSA currently covers, so I don't know that we should necessarily change the graphic itself, but I think we could add a note next to it to point out that not all of these threats are currently addressed by SLSA, or even state that SLSA 1.0 focuses on Build threats.

In addition, looking at the rest of the page, I think there are several sections that can be misleading and would benefit from some clarification, such as "Source integrity: [...] SLSA approximates this as approval from two authorized representatives." or the "How SLSA can help" column. It sure "can" but does not yet...

lehors added a commit to lehors/slsa that referenced this issue Nov 30, 2023
This addresses issue slsa-framework#1004.

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
@lehors lehors added the clarification Clarification of the spec, without changing meaning label Nov 30, 2023
@MarkLodato (Member)

It might also help to show how each level applies to each threat. Something like supply-chain-threats-build-verification.svg but per level. I tried and failed to do this in the past, but maybe we should try again.

joshuagl pushed a commit that referenced this issue Jan 8, 2024
…#1005)

This addresses issue #1004.

---------

Signed-off-by: Arnaud J Le Hors <lehors@us.ibm.com>
Co-authored-by: Mark Lodato <lodatom@gmail.com>