Planned provenance v0.2 release


Mark Lodato

Nov 3, 2021, 3:44:39 PM
to slsa-di...@googlegroups.com
Hi all,

We plan to finalize the provenance v0.2 schema on Monday. If you have any feedback on the design, please comment before Monday either on this thread or via GitHub issues. In particular, it would be great to hear from those who have used v0.1 and found it confusing. We hope this new design makes it easier to use.

Changes listed here for your convenience:

  • 0.2: Refactored to aid clarity and added buildConfig. The model is unchanged.
    • Replaced definedInMaterial and entryPoint with configSource.
    • Renamed recipe to invocation.
    • Moved invocation.type to top-level buildType.
    • Renamed arguments to parameters.
    • Added buildConfig, which can be used as an alternative to configSource to validate the configuration.
You can view a full diff on GitHub.

Best regards,
Mark

Trishank Kuppusamy

Nov 3, 2021, 3:48:48 PM
to Mark Lodato, slsa-di...@googlegroups.com, marco.f...@philips.com

--
You received this message because you are subscribed to the Google Groups "slsa-discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to slsa-discussi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/slsa-discussion/CAG1DgwQ55B1qwxauzko75ppjOaHQ0ZEf8R2kstuTJ1sHK%3D0PWg%40mail.gmail.com.

Michael Lieberman

Nov 3, 2021, 4:36:41 PM
to slsa-discussion
I used 0.1 and find this a bit easier and more straightforward.

Marco Franssen

Nov 8, 2021, 6:04:42 AM
to slsa-discussion
Personally I'm missing the mapping from 0.1 to 0.2. E.g. how should the `definedInMaterial: 0` be replaced with the new structure?

How is the new spec resolving the issue of having one or many materials?

See this issue where we would like to implement the spec to provide some feedback

Also see the workflow on how the action is currently generating provenance from a GitHub release

What if my build uses multiple invocation types?
e.g. make, docker build, goreleaser?

What would be the buildType in such a combined release?

e.g. I'm using goreleaser to build my backend including docker images, using some shell script to build my static webpage using nextjs, and then use some shell script to build the docker images for the static webpage. This together is bundled as a GitHub release and pushed to various registries.

Mark Lodato

Nov 8, 2021, 2:00:49 PM
to Marco Franssen, slsa-discussion
Thanks for the feedback, Marco!

On Mon, Nov 8, 2021 at 6:04 AM Marco Franssen <marco.f...@gmail.com> wrote:
> Personally I'm missing the mapping from 0.1 to 0.2. E.g. how should the `definedInMaterial: 0` be replaced with the new structure?
>
> How is the new spec resolving the issue of having one or many materials?

Do you mean the case where the recipe (now "invocation") was defined in more than one material (now "configSource")?

The new version does not address this, but we still don't have a concrete use case where this happens. Are you running into this?

> See this issue where we would like to implement the spec to provide some feedback
>
> Also see the workflow on how the action is currently generating provenance from a GitHub release
>
> What if my build uses multiple invocation types?
> e.g. make, docker build, goreleaser?
>
> What would be the buildType in such a combined release?
>
> e.g. I'm using goreleaser to build my backend including docker images, using some shell script to build my static webpage using nextjs, and then use some shell script to build the docker images for the static webpage. This together is bundled as a GitHub release and pushed to various registries.

I think the build type should just be "GitHub Actions Workflow". That's the top-level configuration that ties it all together. The SLSA provenance is not designed to record all of the sub-steps that happen during your build.

Or perhaps I'm misunderstanding?
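A worked mapping of the v0.1 fields to the v0.2 layout Mark listed, covering Marco's `definedInMaterial: 0` question and the single top-level buildType Mark suggests, as an added example that is not part of this thread or of the SLSA project's code. It assumes the configSource layout {uri, digest, entryPoint} from the published v0.2 schema; every value in the sample predicate is constructed.

```python
# Added example (not from this thread or the SLSA project): rewrite a provenance
# v0.1 predicate into the v0.2 shape using the changes Mark listed. The configSource
# layout {uri, digest, entryPoint} comes from the published v0.2 schema.
import copy


def upgrade_predicate(v01):
    """Map a v0.1 predicate dict to v0.2; raise if definedInMaterial is bad."""
    recipe = v01.get("recipe", {})
    materials = copy.deepcopy(v01.get("materials", []))
    invocation = {}
    # definedInMaterial is an index into materials; it and entryPoint are
    # replaced by one self-contained configSource object
    idx = recipe.get("definedInMaterial")
    if idx is not None:
        if not 0 <= idx < len(materials):
            raise ValueError(f"definedInMaterial {idx} out of range")
        invocation["configSource"] = {
            "uri": materials[idx]["uri"],
            "digest": dict(materials[idx]["digest"]),
        }
        if "entryPoint" in recipe:
            invocation["configSource"]["entryPoint"] = recipe["entryPoint"]
    if "arguments" in recipe:  # arguments renamed to parameters
        invocation["parameters"] = copy.deepcopy(recipe["arguments"])
    if "environment" in recipe:  # environment keeps its name
        invocation["environment"] = copy.deepcopy(recipe["environment"])
    return {
        "builder": copy.deepcopy(v01.get("builder", {})),
        "buildType": recipe.get("type"),  # invocation.type moved to top level
        "invocation": invocation,  # recipe renamed to invocation
        "metadata": copy.deepcopy(v01.get("metadata", {})),
        "materials": materials,
    }


# Constructed v0.1 predicate: one GitHub Actions workflow whose recipe lives in
# material 0 (the source repo), i.e. Marco's `definedInMaterial: 0` case.
SAMPLE_V01 = {
    "builder": {"id": "https://example.com/builder@v1"},
    "recipe": {
        "type": "https://example.com/GitHubActionsWorkflow@v1",
        "definedInMaterial": 0,
        "entryPoint": ".github/workflows/release.yml",
        "arguments": {"inputs": {"tag": "v1.2.3"}},
        "environment": {"os": "ubuntu-latest"},
    },
    "metadata": {"reproducible": False},
    "materials": [{"uri": "git+https://example.com/app@refs/tags/v1.2.3",
                   "digest": {"sha1": "a" * 40}}],
}
```

The sub-steps (goreleaser, shell scripts, docker build) are not modelled as separate invocations; the whole release workflow is the single buildType, as Mark describes.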

Mark Lodato

Nov 9, 2021, 10:05:33 AM
to Marco Franssen, slsa-discussion
Update: I just merged the change to mark this as v0.2. As always, further feedback and improvements are welcome.