OpenSSF SLSA Biweekly, 19 May 2023

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: SLSA Tooling Meeting (May 19, 2023)

Description

Meeting notes: https://docs.google.com/document/d/15Xp8-0Ff_BPg_LMKr1RIKtwAavXGdrgb1BoX4Cl2bE4/edit#heading=h.yfiy9b23vayj

A

A

B

Give it a few more minutes for uh folks to join.

B

As folks are joining uh feel free to put your attendance in the meeting list.

B

All right, I guess we can uh get started here, um probably be a a quick one, because I think most of us. The feedback has been regarding some of the uh um GitHub stuff, but uh so just as a reminder, this meeting's being recorded it'll be uploaded to shoot yeah YouTube shortly after, and um your participation in this meeting is an agreement to abide by the open, ssf uh code of conduct all right.

B

um So uh the only thing I had on the agenda was just you know, going over open source, uh Summit North America feedback specifically around. Like the stuff we heard about some of the tooling coming out of um salsa, uh but if anybody else had any other agenda items, they wanted to add feel free to add it on there as well.

B

um So I'll just go quickly and then I'll open it up to the floor. So most of the feedback got on salsa. The salsa 1.0 stuff was was really good. The stuff you know, there's a lot of different things about the spec and some things that can maybe be clarified or additional examples, and and that kind of a thing.

B

But there were a couple of clear things from the tooling perspective that we probably wanted to start to take a look at um one was one of the big pieces of feedback uh was hey I started looking at this thing, um there's this big push for 1.0 uh there's this new V1 spec, but all the GitHub workflows seem to still be using V 0.2 of the spec and what's the sort of status of moving on to V1, and so uh it we don't have any hooks on right now who who tend to for um because I think it's mostly the googlers who've been working on um that side of thing, but I can definitely uh reach back out to them, see.

B

If there's uh you know, if there's any updates um anything that they're they're working on on that end, because yeah I think um I know, one of the big things is like Hey we're doing all this stuff with 1.0. If we don't have, um if folks are not using V1 of the spec like uh it, you know how like, what's that sort of Journey look like how do we make sure that we also don't confuse people, because people might look at? Oh, it's v0.2 of the spec.

B

That means they're not using V1 of the requirements, and that might not be the actual case. We want to make sure that um we can sort of clear up some of that that confusion and if we can get uh V1 support sooner rather than later it would be great um and then the second piece uh was um a lot of folks were asking for something along the lines of you know uh test examples of sorts of attacks. You know um the salsa could prevent to help with testing of salsa tooling.

B

B

So this was something like some folks were saying: hey I, think I built something that is salsa conformant, I'm, not sure and I, don't know how to actually like what sorts of attacks could you know what is an example attack that somebody could run against this build system that um this should detect, prevent yeah yeah provide you know, we'd have the data around um so that that was another uh thing. That's that folks, there uh were asking about.

B

Cool uh thoughts, um anything else from open source Summit uh from the tooling side of things that folks wanted to bring up.

A

Not exactly, but it reminds me that uh we need to update the get started page on salsa. That says, Fresca is salsa too.

B

uh You mean uh salsa, three yeah.

A

Yeah right now it says it's two yeah.

B

Yeah, yes, yes, we got it. We gotta update that I'll I'll uh I will add that to my uh list of things to do for today,.

B

Cool, if there's nothing else on the open source, uh North America side, what other uh agenda items did folks have regarding um salsa tooling, as you know, as a reminder, we're open to you know whatever open source uh salsa tooling folks have been building. If folks have questions around uh integrating the tooling or using the tooling or generating new tooling. um You know this is a. This is the place for it.

B

Cool and if there's uh nothing else, we can end early.

C

If I may take the risk of the asking a question sure so say: I have a salsa tool that creates a provenance for the build track and maybe another tool and the future that for other tracks or whatever I, create evidence and I signed them and I'm able to bring a salsa too, at least by doing that right.

C

But now I need the build system to to basically create this. For me. So in GitHub you have an action and, if I understand correctly, the the trust comes from like a reusable workflow kind of trick.

C

So I'm asking if that is like, what's going to happen across, like all the other services, the build systems, uh it's going to be like extendable by any action, any salsa tool, or is it going to be like only the salsa official tools.

B

Oh, no, no anybody can um so we're building a conformance program. So if you publicly state that your your tool is salsa conformant, the idea would be you would provide either a self attestation or you would provide uh proof. Vienna auditor. That said you know, yep I, looked at their build system and I believe it to be.

B

You know doing those you know uh doing those things and like with some human readable, like content as to why, right, because, even with the GitHub actions right, um if, for example, GitHub itself was not doing the right things, um it wouldn't matter that there's a workflow, a reusable workflow right like um that, the trust doesn't come for that reusable workflow. The trust comes from a couple places.

B

One is that the GitHub like actions platform right, is doing the largely the right things from a security perspective and then, secondarily, um in order to prevent right like because um you know the workflow is needed, because people are um uh the the workflow is needed, because GitHub itself does not have built-in sort of salsa support like if GitHub as the actions platform had built-in salsa support that when you run a build it automatically. You know injects salsa Providence. That would be good enough as well.

B

The problem that we have right is is if we have a GitHub action, the GitHub action is user definable, and that makes it you know uh not a good fit for for salsa, but the workflow.

B

The reusable workflow is something that can be like it's sort of set in stone like you could go back and say: hey this specific code led to this specific thing and it could be audited and and all that great stuff, um and it provides us a few other things in there to say that you know yeah the the end user, workflow, sorry, the end user action can't mess with the reusable workflow.

B

So you get that as well, and once again this is based on assuming GitHub itself is doing the right things like if, for some reason, it's discovered that the GitHub action can mess with the the reasonable workflow, then it all falls apart. um We don't believe that to be the case, but in the future we imagine with a conformance program.

B

um You know GitHub would go and say: yep we're gonna. You know make a couple of assertions or you know we're going to make a couple of um you know uh we're going to self a test or whatever that we've done all the right things here um and here's why we want you to believe that you know some information there, or maybe they get a third-party auditor to do it, and so all that will go through and then assuming that's all good.

B

Then you know- and you accept that, then you know that's kind of salsa, and so when it comes to other folks, whether it's a build platform like Fresca or you know some other build platform, You're Building or whatever you would pretty much just need to provide um information to the end user to you know so that they can kind of, say, yep, I, believe you or I don't believe you, whether it's just hey. We went through an audit with this company and this company is saying they're good or it's I.

B

Self-Attested that you know my build tool is, is salsa. You know conformant, something like that. Does that make sense.

C

Yeah, it makes a lot of sense and I tried to face this. The question a bit the different thing.

C

Say I want to have my own tool, creating evidence that is not salsa. Okay, it's not connected to salsa, but I want the same.

C

A trust level that salsa gives by a defining uh the build system, needs to to create this piece of evidence and it's not affected by the Builder, the producer of the software um and then GitHub I, say it's a trick because it allows me to basically put in my own action into the same place. You would put like the same results. I could put my own action really. It could be another Providence Creator, but for salsa, but it also can be anything else.

C

On my mind, at least in my view, yep, um but like it in other build systems, I'm, not sure it's going to be like that, for example, in Fresca, Fresca, I guess you're going to like how to code this salsa provenance into your build system. It's not going to be extendable. It's a question. I'm not asked and I don't actually anymore, but.

B

So I mean Fresca, so Fresca is based on tecton, and so we are sort of what Bound, by what is coming in from you know, Upstream. So, if tecton chain supports a new version of software, supports a new provenance format or whatever we can definitely uh use that as well.

B

um There is you know uh in addition to that right. There's uh there is discussion in the tecton side to say: can we make that user definable? Can we say that, and by user definable like I would say uh uh not? Maybe that's a bad word uh like build platform owner definable, like the person who's actually running the build platform, whether you know in this case Fresca is an open source tool.

B

um There is discussion among the tecton folks about making some certain things like salsa user definable. If I, if I understand your correction of your question correctly, where you know folks might not want salsa Providence, they want something else, but they still want to follow that same sort of pattern. Where you know you have a thing, this thing sort of generates some sort of security, metadata um yeah that that's something that that uh I know. Tecton is looking at a lot of the other tools are, are starting to look at as well.

B

um You know something like making um you know whether it's salsa or similar make something that is like a just uh something like reusable workflows or or similar of like hey. This is like a or a plug-in system into some of these tools, so you might have something like a salsa plugin, for example, for Jenkins that wraps your pipelines in a bunch of stuff, and then you could take that same sort of plug-in and change it up. And now it's uh you know uh an Acme.

B

You know company uh uh metadata, you know security, metadata X. That does something slightly different.

C

Well, yeah that sounds uh awesome.

B

Cool all right.

B

Any other uh questions agenda items things folks wanted to bring up regarding uh tooling.

B

A quick update on some of the Specter stuff I've been working on, um uh so you know, Specter supports salsa uh V1 right now. It supports um spdx, 2.2 and 2.3, and it allows um generation of uh Json, schemas and ingestion of Json schemas into uh stuff for validating.

B

um You know uh validating some of these supply chain metadata documents um planning to support. uh Well, it supports also in Toto, uh just the the General in total spec.

B

um We plan to support a couple of the other sort of things like the the VSA and and some of that, and we plan to also support dizzy soon, with the ability to you know via six store, um verify signatures and that sort of thing but uh yeah.

B

um If there's nothing else, uh we can give you uh give folks Back 40 minutes or so.

A

B

I'll see you all next week.

A

All right, thank you. Bye-Bye thanks.

C