blog: post for Build-Your-Own-Builder on GHA #929
Conversation
✅ Deploy Preview for slsa ready!
Can someone advise on showing
@MarkLodato can you take a second look to see if your comments are addressed?
Looking for a second round of reviews. Thanks everyone
Can someone from @slsa-framework/slsa-steering-committee please take a look at this. Thanks!
Thanks!
Thanks for the blog post! Great idea, but needs a bit more explication of what the problems are, why the solution addresses them, and what this all means for the everyday user. Thanks again!
SLSA now provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders?

To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation).
Suggestion: Have a more direct answer to the question in the previous sentence/paragraph.
It could for example be:
change
"To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the "Build Your Own Builder" (BYOB) framework for GitHub Actions."
to
"Today we release "Build Your Own Builder" (BYOB) framework for GitHub Actions which will empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders."
or a bit more casual:
"Enter the "Build Your Own Builder" (BYOB) framework which will empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders."
Please don't merge. I'll merge once we're ready (release cut, etc). Thanks
LGTM in the interest of unblocking
Bah, it didn't let me finish. I still think the threat model is unclear, but I think as long as readers get the idea that, "Hey, I really should use BYOB instead of my own stuff due to some apparently complicated details pertaining to security", then that's good enough. Thanks for all of your hard work!
Reviewing this made me wonder about some meta questions about how this work is positioned with regard to the OpenSSF governance structure but I think this is a good post and I applaud the effort to make it easier for people to support SLSA.
SLSA already provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders?

To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation).
Who decides what's an "official SLSA builder"? And who's "we"?
Sorry again for bugging everybody with process and governance questions... :-)
good question. Till now we've been calling them "official" because their code lives under the slsa-framework org... Happy to re-phrase if you have a suggestion
FWIW I don't think we've specifically used the word "official" to describe them in our blog posts or documentation so we could technically drop it.
We have used "SLSA Tooling SIG" and "SLSA Tooling working group" in our past blog posts to describe "us". I think that might be the best way to go instead of just saying "SLSA".
See:
- https://slsa.dev/blog/2023/05/bringing-improved-supply-chain-security-to-the-nodejs-ecosystem
- https://slsa.dev/blog/2023/02/slsa-github-workflows-container-ga
The SLSA Tooling SIG is listed on the community page: https://slsa.dev/community
The problem is that SIGs aren't meant to be primarily about producing code, Projects are:
https://github.com/ossf/tac/blob/main/organizational-structure-overview.md
So, we should move from SLSA Tooling SIG to SLSA Tooling Project and get it listed on the TAC page:
https://github.com/ossf/tac/blob/main/README.md
fine with me. I'll update to "SLSA Tooling Project". Can you make the change to the TAC's README?
I suppose the TAC page update would include the reporting WG.
This is also just a side note, but it seems strange that SLSA wouldn't be mentioned anywhere on the TAC page if it is indeed owned by OpenSSF
Ok, so I think what we should do is to get a page for the project in the SCI WG repo that is linked from its README. I don't think it's worth creating a whole new repo for that since it would merely contain a README. That page can just explain what the project is about and point to the different tools already available and any other info that is relevant.
Then we can get it also listed on and linked from the TAC page.
I'm happy to help with all of that.
I agree it's unfortunate that SLSA doesn't appear on the TAC page at all. This is because it's a SIG and currently SIGs are not listed... I think it'd be worth adding but that requires the WGs to play along and submit changes to reflect changes in their WGs.
FYI, I just submitted a PR to give the Tooling project a home page and official standing in the openssf governance structure: ossf/wg-supply-chain-integrity#72
SLSA already provides and maintains official builders for [Go](2022-06-20-slsa-github-workflows.md), [Node.js](2023-05-11-bringing-improved-supply-chain-security-to-the-nodejs-ecosystem.md) and [Container](2023-06-13-slsa-github-worfklows-container-based.md) based projects. But what if you don't use any of these languages or use custom tooling that isn't supported by the official builders?

To empower the community to create their own provenance builders and leverage the secure architecture of the official SLSA builders we are releasing the ["Build Your Own Builder" (BYOB) framework](https://github.com/slsa-framework/slsa-github-generator/tree/main#build-your-own-builder) for GitHub Actions. This makes it easy to take an existing GitHub Action (e.g. [JReleaser](https://jreleaser.org/)) and make it produce [SLSA Build Level 3 provenance](/spec/v1.0/requirements#provenance-generation).
Should we make the release status clear and say that BYOB is being released in beta?
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: Philip Harrison <[email protected]> Signed-off-by: laurentsimon <[email protected]>
Really nice work on BYOB and implementations for Java. 👏
Adds a guest blog post for Build-Your-Own-Builder on GHA.
ETA 14 Aug 2023. (May change if needed)
Images needed for the post:
Notes: a few TODOs in the text.
cc @aalmiray, @AdamKorcz, @steiza, @feelepxyz, @asraa @ianlewis @loosebazooka