versioning source #586

Open

Comments

laurentsimon (Contributor) commented Jan 25, 2023

It's possible for an attacker to ask a trusted builder (#515) to build a source repo at a commit sha of their choice. This means that merely verifying the source repo will leave us open to downgrade attacks.

So I'm wondering whether versioning and version verification should be part of the SLSA specs. I imagine something to the effect of:

{
  "externalParameters": {
    "source": {
      "artifactRef": {
        "uri": "git+https://github.com/octocat/hello-world@refs/heads/main",
        "digest": { "sha1": "c27d339ee6075c1f744c5d4b200f7901aad2c369" },
        "version": { "semver": "v1.2.3" }
      }
    }
  }
}

This would also simplify verification when appending attestation to existing bundles slsa-framework/slsa-github-generator#1565 (comment)

There are caveats, like the fact that an artifact not intended to be released but used for staging / testing won't have a "release version".

There are other types of information (e.g., dev vs prod builds, branch) that could be part of the SLSA specs, but may require broader discussion.

NOTE: not all trusted builders allow building arbitrary repositories. For example, the GitHub generators only allow the maintainers of the project to build it. (In this scenario the risk is low.)
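The downgrade risk described above comes from checking only the repository identity and not where in that repository's history the build came from. Below is an added example (not code from this issue or from the SLSA project) of a verifier-side policy check over the proposed `externalParameters.source.artifactRef` field: it pins the repository, requires a well-formed commit digest, and rejects any release version below a policy-defined minimum, while letting policy decide whether unversioned staging/test builds are acceptable. The `verify_source` function, the policy dictionary, and the sample provenance are all assumptions constructed for this example; the semver comparison follows the standard precedence rules (pre-releases sort before the corresponding release). Binding the version tag to the commit digest is not something this check can do on its own; that mapping has to come from the trusted builder that resolved the ref.

```python
"""Policy check for source version pinning in SLSA provenance.

Hypothetical example: verifies externalParameters.source.artifactRef against a
policy that names the expected repository and a minimum acceptable version, so
that a build of an older (possibly vulnerable) commit is rejected as a downgrade.
"""
import re
from typing import Optional, Tuple

# Semantic version: optional leading "v", MAJOR.MINOR.PATCH, optional pre-release and build metadata.
SEMVER_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def semver_key(version: str) -> tuple:
    """Return a sortable key implementing semver precedence; raises ValueError on bad input."""
    m = SEMVER_RE.match(version)
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # A release ranks above every pre-release of the same MAJOR.MINOR.PATCH.
        return (major, minor, patch, 1, ())
    # Numeric identifiers compare numerically and rank below alphanumeric ones.
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return (major, minor, patch, 0, ids)


def verify_source(provenance: dict, policy: dict) -> Tuple[bool, str]:
    """Check artifactRef against the policy; returns (accepted, reason)."""
    try:
        ref = provenance["externalParameters"]["source"]["artifactRef"]
    except (KeyError, TypeError):
        return False, "missing externalParameters.source.artifactRef"

    # Repository identity: strip the "@ref" suffix and compare the repo URI exactly.
    uri = ref.get("uri", "")
    repo = uri.split("@", 1)[0]
    if repo != policy["repo"]:
        return False, f"unexpected source repository {repo!r}"

    # Commit digest must be present and well-formed so later checks can bind to it.
    digest: Optional[str] = (ref.get("digest") or {}).get("sha1")
    if not digest or not re.fullmatch(r"[0-9a-f]{40}", digest):
        return False, "missing or malformed sha1 commit digest"

    # Staging/test builds may carry no release version; policy decides if that is acceptable.
    version: Optional[str] = (ref.get("version") or {}).get("semver")
    if version is None:
        if policy.get("allow_unversioned", False):
            return True, "unversioned build accepted by policy"
        return False, "no release version in provenance"

    try:
        built = semver_key(version)
        floor = semver_key(policy["min_version"])
    except ValueError as exc:
        return False, str(exc)
    if built < floor:
        return False, f"downgrade: {version} is below policy minimum {policy['min_version']}"
    return True, "ok"


# Constructed sample provenance, shaped like the proposal in the issue.
SAMPLE_PROVENANCE = {
    "externalParameters": {
        "source": {
            "artifactRef": {
                "uri": "git+https://github.com/octocat/hello-world@refs/heads/main",
                "digest": {"sha1": "c27d339ee6075c1f744c5d4b200f7901aad2c369"},
                "version": {"semver": "v1.2.3"},
            }
        }
    }
}

# Constructed policy: the repository we expect and the oldest version still acceptable.
POLICY = {
    "repo": "git+https://github.com/octocat/hello-world",
    "min_version": "v1.2.3",
    "allow_unversioned": False,
}


def downgraded(version: Optional[str]) -> dict:
    """Helper producing a copy of the sample provenance with a different (or absent) version."""
    import copy
    p = copy.deepcopy(SAMPLE_PROVENANCE)
    ref = p["externalParameters"]["source"]["artifactRef"]
    if version is None:
        del ref["version"]
    else:
        ref["version"] = {"semver": version}
    return p


if __name__ == "__main__":
    for label, prov in [("release", SAMPLE_PROVENANCE), ("older", downgraded("v1.2.2")),
                        ("rc", downgraded("v1.2.3-rc.1")), ("unversioned", downgraded(None))]:
        print(label, verify_source(prov, POLICY))
```

The ordering key treats `v1.2.3-rc.1` as older than `v1.2.3`, so a policy floor of `v1.2.3` rejects release candidates of that same version as well as any earlier release; a policy that wants to accept pre-releases should lower the floor explicitly rather than special-case them in the comparison.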

laurentsimon changed the title from "versioning subjects" to "versioning source" on Jan 25, 2023

laurentsimon (Contributor, Author) commented

Another use case that came up is whether tests were run as part of the release process.
