content: add a verifier version field to VSA #905
Conversation
Signed-off-by: kpk47 <[email protected]>
In the PR description, could you explain why this is needed? Issues are often long and meandering, so briefly summarizing the rationale is helpful for reviews and for posterity.
Co-authored-by: Mark Lodato <[email protected]> Signed-off-by: kpk47 <[email protected]>
Signed-off-by: kpk47 <[email protected]>
Given that this requires new info, shouldn't that trigger some version change of the format?
docs/verification_summary/v1.md (Outdated)
@@ -213,7 +222,11 @@ WARNING: This is just for demonstration purposes. | |||
"predicateType": "https://slsa.dev/verification_summary/v1", | |||
"predicate": { | |||
"verifier": { | |||
"id": "https://example.com/publication_verifier" | |||
"id": "https://example.com/publication_verifier", | |||
"version": { |
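Review bot: the `"version": {` object opened under `verifier` has no entries in the visible lines of this example hunk, so the demonstration does not yet show what a value of the new field looks like; since the field is described as a string-to-string map, add at least one `"tool-name": "version-string"` pair inside the object so readers of the example see the shape. The comma appended to the `"id": "https://example.com/publication_verifier",` line is correct and required once `version` becomes a sibling key.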
I still feel that using resource descriptor is more flexible in general, especially if we need to update this structure in the future. In this example, `slsa-verifier-linux-amd64` is kinda arbitrary naming. If our goal is to help with vuln management, using more conventional naming, like purl, etc. may be beneficial. Resource descriptors offer this flexibility.
I don't think that `ResourceDescriptor` is the right type for tracking versions since it doesn't appear to have a version field. Also, part of the motivation for this PR is making the `verifier` VSA more consistent with the `builder` provenance field. `builder` uses `map(string->string)`, so I think it's best to keep that type here.

I'm going to keep `map(string->string)` in this PR, and we can address whether or not to change both fields to `ResourceDescriptor` separately.
There are no required fields. (An earlier version said required, but it was a mistake.) So this doesn't require a major version bump, but based on this week's spec meeting, all

Why does line #68 read `// Required`?

The `"verifier": { "id": "..." }` But point taken - we should clarify in the docs since the comment can clearly be misread.
Signed-off-by: kpk47 <[email protected]>
I don't see a good way to clarify in the text since the fields are already clearly labeled required vs optional. I deleted the comment instead.
Signed-off-by: kpk47 <[email protected]>
I added a changelog entry with a minor version bump, as required by the versioning rules (https://slsa.dev/spec-stages#versioning). Given the version bump, we shouldn't merge this PR until we're ready to have v1.1 on the website.

That works. Thanks!

Shouldn't we have this on a branch specific to the next version like we did when we were working on 1.0 before publication?

Yes, this is blocked by #742.

The v1.1 directory now exists as of #942.

I moved the changes into the v1.1 directory, so this PR is ready for re-review.
Signed-off-by: kpk47 <[email protected]>
Signed-off-by: kpk47 <[email protected]>
This LGTM, thanks. However, as this is a content change, could you please add a changelog entry (per contributing)?
Co-authored-by: Joshua Lock <[email protected]> Signed-off-by: kpk47 <[email protected]>
Signed-off-by: kpk47 <[email protected]>
LGTM, thanks!
LGTM
Add a verifier version field to the VSA schema.

This change increases consistency between `provenance.builder` and `vsa.verifier`, and it allows VSA producers/consumers to respond to known flaws in verification tools.

Fixes #809