From b780838c8a96f0dbfe68a71a0e8fc01347ee4911 Mon Sep 17 00:00:00 2001 From: kpk47 <1079282+kpk47@users.noreply.github.com> Date: Mon, 30 Jan 2023 15:19:54 -0800 Subject: [PATCH] Add SLSA conformance to requirements page (#572) * Add SLSA conformance to requirements page #515 Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com> * lint Signed-off-by: kpk47 * Update docs/spec/v1.0/requirements.md Co-authored-by: Arnaud J Le Hors Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com> * Update docs/spec/v1.0/requirements.md Co-authored-by: Joshua Mulliken Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com> * review comments & added requirement that attestation include SLSA levels Signed-off-by: kpk47 * review comments Signed-off-by: kpk47 * Update docs/spec/v1.0/requirements.md Co-authored-by: Mark Lodato Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com> * line wrap Signed-off-by: kpk47 --------- Signed-off-by: kpk47 <1079282+kpk47@users.noreply.github.com> Signed-off-by: kpk47 Co-authored-by: Arnaud J Le Hors Co-authored-by: Joshua Mulliken Co-authored-by: Mark Lodato --- requirements.md | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/requirements.md b/requirements.md index c14cfc652..4111b61ed 100644 --- a/requirements.md +++ b/requirements.md @@ -282,7 +282,9 @@ The build system is responsible for isolating between builds, even within the same tenant project. In other words, how strong of a guarantee do we have that the build really executed correctly, without external influence? -The SLSA Build level describes the minimum bar for isolation strength. +The SLSA Build level describes the minimum bar for isolation strength. For more +information on assessing a build system's isolation strength, see +[Verifying build systems](verifying-systems.md).
RequirementDescriptionL1L2L3 @@ -545,12 +547,24 @@ showing what the options are: A package's consumer is the organization or individual that uses the package. -The only requirement on the consumer is that they MAY have to opt-in to enable -SLSA verification, depending on the package ecosystem. - +The consumer MAY have to opt-in to enable SLSA verification, depending on the +package ecosystem. + > **TODO:** Anything else? Do they need to make risk-based decisions? Respond to -> errors/warnings? - +> errors/warnings? Do consumers trust builders, or is that up to the package ecosystem? + +## Auditor + +An auditor is an organization or individual that certifies build +systems for conformance with the SLSA requirements. + +A consumer MAY act as their own auditor. + +An auditor SHOULD use the prompts in [verifying systems](verifying-systems.md) +when assessing build systems. Auditors MAY go beyond these prompts. + +An auditor SHOULD periodically reassess build systems for conformance. + ## Source control [Source control]: #source-control
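Review bot: in the first hunk (isolation paragraph), the new link targets a relative file `verifying-systems.md` that this patch does not add; confirm that page lands in the same directory as `requirements.md` (the commit message references #515) or the link will break on the rendered site. Minor: this hunk uses the link text "Verifying build systems" while the Auditor section later in the same patch uses "verifying systems" for the same target; pick one form.

Review bot: in the second hunk (consumer/auditor), the commit message says the patch added a "requirement that attestation include SLSA levels", but no such requirement appears in the diff: the 20 insertions are the consumer rewording, the extended TODO and the new Auditor section. Either the squash message is stale or that change was dropped in a rebase; reconcile before merging. In the Auditor section, "certifies build systems for conformance with the SLSA requirements" leaves open what a certification consists of and how a consumer learns of it, which matters because the only concrete path given is "A consumer MAY act as their own auditor"; consider stating what an auditor produces, or cross-referencing where that is defined, since the adjacent TODO ("Do consumers trust builders, or is that up to the package ecosystem?") asks exactly this. "An auditor SHOULD periodically reassess build systems for conformance" has no trigger; suggest also requiring reassessment when the build system changes materially, not only on a schedule. Style: as a verb, "opt-in" should be "opt in" ("The consumer MAY have to opt in to enable SLSA verification").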