1.0 proposal and next steps


Joshua Lock

Jul 28, 2022, 12:54:32 PM7/28/22
to slsa-specification

Hi specification team,

Unfortunately, I won’t make the meeting next week, so I wanted to share my high-level feedback on Mark’s proposal doc and what we might tackle as next steps.

I think our next release should be a 1.0, to signal that the specification is ready for adoption. In order to do that with the greatest level of confidence, I believe we should limit ourselves to SLSA levels 1-3 and drop 4 from the initial release. However, I’d like to make sure level 4 doesn’t disappear completely from slsa.dev, so that those who are familiar with the current levels aren’t surprised to see level 4 go missing – we might have a draft version of the spec including L4 viewable on the site?

Ignoring level 4 for now would, I think, let us defer on Evidence of security claims (though it would be nice to keep the two-party review of administrative operations), Corroboration of security claims, and Drop source integrity.

That leaves Versioning, Redefine levels as outcomes, not requirements, and Policy verification as priorities for development. These both feel manageable and like they are distinct enough that they could be worked on in parallel.

I look forward to catching up on the discussion next week,

Joshua
