Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

verifying-source should discuss verifying all the commits directly on a protected ref #1238

Open
zachariahcox opened this issue Nov 18, 2024 · 0 comments
Open

verifying-source should discuss verifying all the commits directly on a protected ref #1238

zachariahcox opened this issue Nov 18, 2024 · 0 comments
Assignees
@zachariahcox
Labels
source-track

Comments

@zachariahcox
Copy link
Contributor

Thanks for handling this one @adityasaky !
I think we can safely close it now with the merge of #1175

I'll track a slight follow up to handle the "but how to do know the rules were always followed?" question.

In verifying source, we talk about this, which is more about ensuring that a PR means the final revision was looked at.

I think we can add a new item there that says "all the revisions on the protected ref should have provenance".

That's pretty much begged question for these "rules continuity" topics. I'll track a follow up and take a crack at it.

Originally posted by @zachariahcox in #1136
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zachariahcox zachariahcox

Labels
source-track
Projects
Issue triage
Status: 🆕 New
SLSA Source Track
Status: New!
Milestone
No milestone
Development

No branches or pull requests
1 participant
@zachariahcox