By Mark Lodato (Google) and David A. Wheeler (Linux Foundation)
Supply-chain Levels for Software Artifacts (SLSA, pronounced “salsa”) is an OpenSSF project that provides specifications for software supply chain security, established by industry consensus. SLSA’s framework is organized into a series of levels that describe increasing security rigor. Version 0.1 of the SLSA specification has been out for some time. We’ve been steadily working in public on updates to SLSA to have a “version 1.0” ready. Now, we have a draft version 1.0, and we’re seeking your final feedback.
For more information on what’s changed, see the v1.0 release candidate announcement on the SLSA blog. A significant conceptual change is the division of SLSA’s level requirements into multiple tracks. Previously, each SLSA level encompassed requirements across multiple software supply chain aspects: there were source, build, provenance, and common requirements. We anticipate this new division will make SLSA adoption easier for users and help the SLSA community. SLSA v1.0 RC defines the SLSA Build Track to begin this separation of requirements, with other tracks to come in future versions. The new SLSA Build Track Levels 1-3 roughly correspond to Levels 1-3 of v0.1, minus the Source requirements. We currently have plans for Build Level 4 and a Source Track.
If you’re interested in providing feedback, please review the latest draft of SLSA version 1.0 and open a GitHub issue. We particularly welcome comments in response to the following questions:
- Does the new specification clarify SLSA’s benefits for supply chain security?
- Is the specification unambiguous on how to carry out requirements?
- Is there feedback on the provenance verification guidance?
- Are there suggestions to improve the division into multiple tracks?
- Are the updated build model and provenance format easily understood?
- Is there any remaining feedback on what may be missing?
The deadline for comments is March 24, 2023. Thank you!