content: draft: Remove provenance requirement

[TomHennen]

Creating this PR to get an idea of what it would mean to remove the provenance (and VSA) requirement from the spec.

It seems like the majority of what we're looking for in provenance can be subsumed by other existing requriements we already track with provenance becoming a (convenient) implementation detail.

If we do this we might also want to move the provenance and VSA parts of this page to their own page to keep the level requirements clear.

If we accept this change it would mean that 'provenance' becomes a nice feature of any particular SLSA Source Track implementation but won't be required.

[netlify]

✅ Deploy Preview for slsa ready!

Name	Link
🔨 Latest commit	59bfd38
🔍 Latest deploy log	https://app.netlify.com/projects/slsa/deploys/69036345e808c40008a689f7
😎 Deploy Preview	https://deploy-preview-1505--slsa.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[zachariahcox]

do we have an example or idea for this?
It seems like this was most of what a "provenance" attestation provided.

[TomHennen]

Ah, so in git you probably need something else. Since this is an example I can put the provenance back in here and maybe qualify (in a git implementation using provenance)

[zachariahcox]

This "contemporaneous, tamper-resistant" piece still seems valuable for generating VSAs.
For volume / storage reasons, it seems necessary that things like ruleset insights data will need to age out.

[TomHennen]

If it's just a practical perspective then this change doesn't preclude a SCS from taking that approach, it just doesn't require it. There can be other implementations (not necessarily git/GitHub!) that keep that data ~forever.

If we think there's some specific outcome that we might lose, the history requirement does specifically state the SCS has to prevent tampering it. We can have something similar for technical controls/continuity if needed.

[arewm]

@TomHennen , were you suggesting to move the source provenance content elsewhere? It could be part of the repository even if it isn't a core part of the spec itself.

[TomHennen]

@TomHennen , were you suggesting to move the source provenance content elsewhere? It could be part of the repository even if it isn't a core part of the spec itself.

Yes, I was just thinking we could move it to a different page within the repo. If we even decide to make this change :)

[arewm]

This change generally seems to be aligned with Mark's viewpoint expressed in #1010. If we merge this, could we also try to clarify the guidance on new tracks? As it relates to the source track, who are the entities that we need to trust (primarily the SCS) and how would consumers verify/validate their trust in those entities?

[arewm]

Are we being too broad with this deletions? I feel like it would still be beneficial for organizations to provide evidence even if we don't specify provenance or VSAs.

[TomHennen]

It might go above and beyond what's needed in this PR. However I think providing evidence might be more of the responsibility of the SCS and is covered here?

If nothing else, for the purposes of this PR, we needed to remove the provenance specific requirements. If the SCS is recording this information, is there anything for the org to do?

[arewm]

Is it clear enough that this only holds in the example? The lack of a VSA doesn't mean Source Level 0 unless the the VSA is the mode of communication.

[TomHennen]

Fair point. Updated.

[arewm]

Should these occurrences still be capitalized if it isn't something that we are introducing in "the spec?"

[TomHennen]

It is still a defined term which we discuss further below. But we should revisit depending on what we decide to do with that content.

[arewm]

@TomHennen , were you suggesting to move the source provenance content elsewhere? It could be part of the repository even if it isn't a core part of the spec itself.

[adityasaky]

I'd like to understand more of the motivation for this change.

It seems like the majority of what we're looking for in provenance can be subsumed by other existing requriements we already track with provenance becoming a (convenient) implementation detail.

I think this is a signal we need to do a better job in the source track of explaining what source attestations add over the other requirements. 😄

The requirements themselves tell me, a consumer, what controls to enable to get certain security properties. This, in and of itself, does not differentiate SLSA from numerous best practices guides which tell me to enable branch protection rules, disable force pushes to main, require code review, etc (e.g., the OpenSSF itself has https://best.openssf.org/SCM-BestPractices/). The attestations enable me to keep the SCS implementing the requirements honest. With SLSA, I can verify that I'm safe for every revision that matters rather than rely on enabling the right controls. So, while I understand the emphasis on the source track's requirements, I worry that we'll be losing a core value proposition of SLSA as a whole.

Looking at the alternatives proposed to the (optional) source provenance in this PR, I'd like to understand how they improve some aspect (e.g., adoption) of SLSA over requiring provenance. For instance, logging metadata to a transparency log sounds like the SCS is essentially implementing support for attestations which it then records in a transparency log. Adding an API that returns information again sounds like something the SCS could wrap in an attestation at the time a revision is created. OTOH, without attestations, we lose verifiability, non-repudiation, and the powerful interoperability across SLSA tracks we get using attestations as a common, consistent interface for each track.

[patzielinski]

I'm still trying to wrap my head around the source track as well as these changes on top, apologies if I misunderstand.

In a similar vein to the points @adityasaky raised above, it might be useful to spell out how the SCS can supply evidence of compliance to end users, but with the what (i.e. the evidence) no longer being attestations, there's a concern (in my mind) about just how interoperability is going to work. I do think there's value in at least mentioning transparency logs in the spec, fwiw. Maybe as an additional level above L4 or somehow else?

I think this is a signal we need to do a better job in the source track of explaining what source attestations add over the other requirements. 😄

I agree, I think the spec needs to motivate this better.

[patzielinski]

Is this bit still relevant with these edits?

[TomHennen]

I think so? What's being presented here is an example where the status of technical controls is tracked via attestations. So it seems fair to reference provenance.

Still, perhaps it could be generalized more.

[TomHennen]

Thanks for the comments everyone, I still need to review them a bit more. I did realize that the context of this change might not have been sufficiently clear, here's what I provided in another chat thread:

Context:

• @MarkLodato's original feedback
• His feedback on a PR that addressed the reorganization but not the provenance & VSA requirement
• Notes about our discussion on how we can keep it as is for now but reword later if needed

And also, this is just a 'pathfinder' an example of what this might look like if we wanted to pursue it, but we don't need to do anything with it and might just close it.

[TomHennen]

Note: if we do keep this we'll also want to update some of https://slsa.dev/spec/draft/assessing-source-systems as it is attestation heavy. :)

[TomHennen]

I think this PR has served its purpose and we can now close it.