Workstream: SLSA Build L4

[MarkLodato]

This is a tracking issue for creating a Build Level 4. Build L4 will likely cover some notion of the completeness of the provenance, e.g. that the resolvedDependencies are complete in SLSA Provenance format. This is based on discussions and v0.1, but nothing has been decided yet.

Workstream shepherd: David A Wheeler (@david-a-wheeler)

Related: We might want to merge with #975 (hardware attested builds) and/or #985 (build platform operations track) as discussed in #975 (comment).

Sub-issues:

• Semantic equivalency, reproducible builds, and a new "verifiable build" track #873
• Unique builder.id for SLSA Build > L3 #849
• TODO: add more issues if any

[david-a-wheeler]

Note that I'm currently proposing entries for build levels L4 and L5. See: #873

[arewm]

I mentioned in the comments for the Reproducible Build requirements in SLSA (an early proposal) about how I am not convinced that we should add reproducibility onto the SLSA build levels. Where would be the best place to have this conversation? In this issue, in that document, in a community call, elsewhere? I wasn't able to attend a previous call where this discussion happened.

[MarkLodato]

What we did in SLSA Source Track brainstorming was for each person to write down some thoughts as separate sections, then people commented on those sections and the original authors refined their ideas. Then once the comments died down, the lead (@kpk47) coalesced the ideas into one proposal. That seems to be working ok?

So if we want that model, then perhaps you could create a section in the doc and write down your thoughts on L4 and/or reproducible builds. That would allow us to critique the argument and you can hone it. It would also leave us something more durable than a docs comments and more readable than a GitHub issue comment. What do you think?

[david-a-wheeler]

If you have ways to improve the proposal, currently the Google doc would be the right start.

If you oppose the concept of being able reproduce builds, I guess #873 would be the place. Are you opposed to being able to reproduce builds, or are you opposed to including them in the "build track", or is it something else? I'm not sure I understand your objection.

[arewm]

I am not opposed to reproducible builds, just to including them in the build track. I will try to add some commentary to the document.

[david-a-wheeler]

@arewm - I understand! Sorry, I was a little confused about your point. I originally proposed that they be a separate track, but many in the community preferred that they be in the same build track. Please do add commentary.

I think we can separate the issues of (1) what might be usefully added to SLSA and (2) whether or not reproducible builds belongs in a different track. Indeed, as we refine the potential requirements, it may be easier to decide if they belong in the same or different track.