Edits Part 01 - About SLSA and new combined Terminology #1533
Conversation
| --- | ||
| title: About SLSA | ||
| description: With supply chain attacks on the rise, a shared vocabulary and universal framework are needed to provide incremental guidance to harden supply chains for more secure software production. This page introduces the main concepts behind SLSA and explains how it can help anyone involved in producing, consuming, or providing infrastructure for software. | ||
| title: About SLSA |
nit: I don't think we want these extra spaces at the end of these lines?
Markdown doesn't care but some of the other tools might care. I don't know.
I just ran the linter on these files, and this space is indeed not a problem. But we did get several other linter errors we may want to resolve once all edits are done.
…g conceptual material from Terminology.
Co-authored-by: Tom Hennen <TomHennen@users.noreply.github.com> Signed-off-by: Seth McEvoy <mcevoy.building7@gmail.com>
marcelamelara left a comment
Thanks @mcevoy-building7 ! I've left several comments in the About doc and will send reviews for the other files soon.
| @@ -0,0 +1,10 @@ | |||
| 5d--- | |||
Looks like some errant characters made it in
| 5d--- | |
| --- |
| both software producers and consumers: producers can follow SLSA's guidelines to | ||
| make their software supply chain more secure, and consumers can use SLSA to make | ||
| decisions about whether to trust a software package. | ||
| The term SLSA ("salsa") is an acronym that stands for Supply-chain Levels for Software Artifacts. It is a set of incrementally adoptable guidelines for supply chain security that has been established by industry consensus. The specification set by SLSA is useful for |
This may be my personal preference, but the first sentence strikes me as a bit too abstract for the first thing someone might see when they visit this About page. The (current) index, for instance, describes SLSA as a security framework, so maybe we could include that detail, rather than only describe the acronym.
| - A way to measure your efforts toward compliance with the [Secure Software Development Framework (SSDF)](https://csrc.nist.gov/Projects/ssdf) | ||
| - **A common vocabulary** to help people talk about software supply chain security across domains. | ||
| - **Security for your incoming supply chain** by evaluating the trustworthiness of the artifacts you consume. | ||
| - **Actionable checklists** to improve your software's security. |
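Review bot: the SSDF bullet on the first line of this hunk is the only item without a bolded lead phrase, so the list reads as three parallel entries plus one outlier. Consider giving it the same shape as its neighbours, e.g. `- **A way to measure your efforts** toward compliance with the [Secure Software Development Framework (SSDF)](https://csrc.nist.gov/Projects/ssdf)`, so all four bullets scan the same way.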
Perhaps add something like
| - **Actionable checklists** to improve your software's security. | |
| - **Actionable checklists** to improve your software's security throughout its development lifecycle. |
| public, disruptive, and costly in today's environment when exploited. These attacks have also shown that there are inherent risks not just in code itself, but at | ||
| multiple points in the complex process of getting that code into software | ||
| systems—that is, in the **software supply chain**. Since these attacks are on | ||
| systems; that is, into the *software supply chain*. Since these attacks are on |
The "into" here, I think, changes the meaning of this sentence. What this sentence was trying to convey is that the "the complex process of getting that code..." is the software supply chain. Maybe the misleading part is actually "getting that code into software systems" because it's an uncommon description of what happens in the software supply chain.
I wonder if a simplification like this could work here: "multiple points in the complex process of creating and distributing that code as software; that is, the software supply chain"
| each link in a typical software supply chain, from source to build through | ||
| packaging and distribution. Any weaknesses in the supply chain undermine | ||
| each stage of a typical software supply chain, from source to build through | ||
| packaging and distribution. Weaknesses in the supply chain undermines |
grammar nit
| packaging and distribution. Weaknesses in the supply chain undermines | |
| packaging and distribution. Weaknesses in the supply chain undermine |
| analysis and review performed on the source code still applies to | ||
| the binary consumed after the build and distribution process is complete. |
Not entirely sure where, but I feel like there's a comma missing somewhere here.
| A SLSA track focuses on a particular aspect of a supply chain, such as the Build | ||
| Track. | ||
| We talk about SLSA in terms of *tracks* and *levels*. | ||
| A SLSA track focuses on a particular portion of a supply chain, such as the Build or Source parts. |
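Review bot: the new lead sentence introduces both *tracks* and *levels*, but the line that follows defines only a track, so a reader meeting "level" here for the first time gets no hint of what one is. Consider a parallel one-line definition right after the track sentence (for instance, that levels mark increasing degrees of assurance within a track), so the two terms are introduced together.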
nit:
| A SLSA track focuses on a particular portion of a supply chain, such as the Build or Source parts. | |
| A SLSA track focuses on a particular portion of a supply chain, such as the Build or Source stages. |
These files will be split into new pull requests. Sorry!
Part 1 of SLSA edits from Seth McEvoy.
Branch: front-matter
Files:
about.md - About SLSA - standard edits: smooth and clarify technical complexity.
slsa-terms.md - SLSA Terminology - combined single terminology gathered and alphabetized from all tracks.
Ignore other files in this branch for now.
Please review but do not merge. We need to create a workflow for editing feedback.
Thanks!