Google Online Security Blog

How to SLSA Part 1 – The Basics

Posted by Tom Hennen, Software Engineer, BCID & GOSST 

One of the great benefits of SLSA (Supply-chain Levels for Software Artifacts) is its flexibility. As an open source framework designed to improve the integrity of software packages and infrastructure, it is as applicable to small open source projects as to enterprise organizations. But with this flexibility can come a bewildering array of options for beginners—much like salsa dancing, someone just starting out might be left on the dance floor wondering how and where to jump in.

Though it’s tempting to try to establish a single standard for how to use SLSA, it’s not possible: SLSA is not a line dance where everyone does the same moves, at the same time, to the same song. It’s a varied system with different styles, moves, and flourishes. The open source community, organizations, and consumers may all implement SLSA differently, but they can still work with each other.

In this three-part series, we’ll explore how three fictional organizations would apply SLSA to meet their different needs. In doing so, we will answer some of the main questions that newcomers to SLSA have:

Part 1: The basics

  • How and when do you verify a package with SLSA?
  • How to handle artifacts without provenance?

Part 2: The details

  • Where is the provenance stored?
  • Where is the appropriate policy stored and who should verify it?
  • What should the policies check?
  • How do you establish trust & distribute keys?

Part 3: Putting it all together

  • What does a secure, heterogeneous supply chain look like?

The Situation

Our fictional example involves three organizations that want to use SLSA:

Squirrel: a package manager with a large number of developers and users

Oppy: an open source operating system with an enterprise distribution

Acme: a mid sized enterprise.

Squirrel wants to make SLSA as easy for their users as possible, even if that means abstracting some details away. Meanwhile, Oppy doesn’t want to abstract anything away from their users under the philosophy that they should explicitly understand exactly what they’re consuming.

Acme is trying

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Google Online Security Blog

Read the original article: