Add SLSA conformance to requirements page (#572)

* Add SLSA conformance to requirements page #515 Signed-off-by: kpk47 <[email protected]> * lint Signed-off-by: kpk47 <[email protected]> * Update docs/spec/v1.0/requirements.md Co-authored-by: Arnaud J Le Hors <[email protected]> Signed-off-by: kpk47 <[email protected]> * Update docs/spec/v1.0/requirements.md Co-authored-by: Joshua Mulliken <[email protected]> Signed-off-by: kpk47 <[email protected]> * review comments & added requirement that attestation include SLSA levels Signed-off-by: kpk47 <[email protected]> * review comments Signed-off-by: kpk47 <[email protected]> * Update docs/spec/v1.0/requirements.md Co-authored-by: Mark Lodato <[email protected]> Signed-off-by: kpk47 <[email protected]> * line wrap Signed-off-by: kpk47 <[email protected]> --------- Signed-off-by: kpk47 <[email protected]> Signed-off-by: kpk47 <[email protected]> Co-authored-by: Arnaud J Le Hors <[email protected]> Co-authored-by: Joshua Mulliken <[email protected]> Co-authored-by: Mark Lodato <[email protected]>
slsa-framework · Jan 30, 2023 · cf646c3 · cf646c3
1 parent 56c08ea
commit cf646c3
Showing 1 changed file with 20 additions and 6 deletions.
diff --git a/docs/spec/v1.0/requirements.md b/docs/spec/v1.0/requirements.md
@@ -282,7 +282,9 @@ The build system is responsible for isolating between builds, even within the
 same tenant project. In other words, how strong of a guarantee do we have that
 the build really executed correctly, without external influence?
 
-The SLSA Build level describes the minimum bar for isolation strength.
+The SLSA Build level describes the minimum bar for isolation strength. For more
+information on assessing a build system's isolation strength, see
+[Verifying build systems](verifying-systems.md).
 
 <table>
 <tr><th>Requirement<th>Description<th>L1<th>L2<th>L3
@@ -545,12 +547,24 @@ showing what the options are:
 A package's <dfn>consumer</dfn> is the organization or individual that uses the
 package.
 
-The only requirement on the consumer is that they MAY have to opt-in to enable
-SLSA verification, depending on the package ecosystem.
-
+The consumer MAY have to opt-in to enable SLSA verification, depending on the
+package ecosystem.
+  
 > **TODO:** Anything else? Do they need to make risk-based decisions? Respond to
-> errors/warnings?
-
+> errors/warnings? Do consumers trust builders, or is that up to the package ecosystem?
+  
+## Auditor
+
+An <dfn>auditor</dfn> is an organization or individual that certifies build
+systems for conformance with the SLSA requirements.
+
+A consumer MAY act as their own auditor.
+
+An auditor SHOULD use the prompts in [verifying systems](verifying-systems.md)
+when assessing build systems. Auditors MAY go beyond these prompts.
+
+An auditor SHOULD periodically reassess build systems for conformance.
+
 ## Source control
 
 [Source control]: #source-control