Hi, with Source being temporarily out of scope for SLSA in 1.0, would like to request that maintainers consider updating this image to reflect that Source Threats are not addressed in current SLSA scope.
docs/images/supply-chain-threats.svg
A casual observer skimming the documentation but not reading everything may misunderstand that SLSA currently addresses Source Threats A-C without such an update. Options might include greying out Source Threats A-C or removing them until they're in scope again someday.
The graphic is really focused on threats and not what SLSA currently covers, so I don't know that we should necessarily change the graphic itself, but I think we could add a note next to it to point out that not all these threats are currently addressed by SLSA or even state that SLSA 1.0 focuses on Build threats.
In addition, looking at the rest of the page I think there are several sections that can be misleading and would benefit from some clarification, such as "Source integrity: [...] SLSA approximates this as approval from two authorized representatives." or the "How SLSA can help" column. It sure "can" but does not yet...
lehors added a commit to lehors/slsa that referenced this issue Nov 30, 2023
It might also help to show how each level applies to each threat. Something like supply-chain-threats-build-verification.svg but per-level. I tried and failed doing this in the past, but maybe we should try again.