threats-overview.md with big changes #1534
mcevoy-building7 wants to merge 10 commits into slsa-framework:main from
…g conceptual material from Terminology.
| @@ -0,0 +1,10 @@ | |||
| 5d--- | |||
I think the 5d is a typo?
| This page introduces two key SLSA software models: [framework system models](threats-overview.md#SLSA-framework-system-models) and [supply chain threat model](threats-overview.md#supply-chain-threat-model). It also shows how they can help mitigate possible attacks throughout the supply chain. For a more technical discussion of SLSA's threat methodology, see [Threats & mitigation solutions](threats.md). | ||
|
|
||
| ## Summary | ||
| <!-- Filename will change to "Threats & mitigation solutions" --> |
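Review bot: the two anchors in the intro paragraph, `#SLSA-framework-system-models` and `#supply-chain-threat-model`, do not correspond to any heading in the visible lines (the first heading added here is `## Summary`), and the capitalised form will not match a generated heading id, which Markdown renderers lowercase; please point both links at headings that actually exist on the page, in lowercase.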
I suspect that won't be the 'filename'. Do you mean the title?
| SLSA uses the following software manufacturing *models* that are based on real-world supply chain systems to define their framework criteria. | ||
|
|
||
| 1. [Build model](threats-overview#Build-model) - defines the production of software artifacts | ||
| 2. [Distribution model](threats-overview#distribution-model) - generates artifact provenence |
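Review bot: the link `threats-overview#Build-model` on item 1 will not resolve to the `### Build model` heading below, because generated heading ids are lowercased (`#build-model`); both list items also drop the `.md` that the intro paragraph's links use, so for consistency write `threats-overview.md#build-model` and `threats-overview.md#distribution-model`. Item 2 also misspells "provenance" as "provenence".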
The distribution model isn't how provenance is generated, it's how it's distributed. Provenance is generated during the build.
These models may also be specific to the track, I don't recall.
|
|
||
| ### Build model | ||
|
|
||
| When SLSA's build model defines the production process of software artifacts, the build runs on a multi-tenant *build platform*, where each execution is independent. |
I'm not sure I follow this sentence.
|
|
||
| ### Distribution model | ||
|
|
||
| SLSA's distribution model generates artifact provenence to guarantee the integrity of the distribution of software <dfn>packages</dfn>, once they are manufactured. These packages are created according to the rules and conventions of standard <dfn>package ecosystems</dfn>. |
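Review bot: "provenence" is misspelled here as well ("provenance"), and this sentence repeats the claim from list item 2 that the distribution model generates provenance; whichever wording is agreed for the list item should be mirrored here so the two places do not contradict each other.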
FWIW the models generally don't do anything. The model, AIUI, is really just there to help people understand the terminology and requirements.
There are some issues with the content changes in this file. While I appreciate the work to rearrange things to make them easier to follow, some of the changes here are incorrect and impact the meaning and interpretation of the spec. I've left a few more detailed comments, but let's chat to see if we can find a better path forward.
The original threats-overview.md file was focused on Supply chain threats. I moved a lot of concepts from the old Terminology topic to this topic and made the whole file more about concepts, which needed better integration and structure.
DO NOT MERGE!