Comments (3)
Yes, there would definitely be interest! We've talked about doing more in this space internally (but obviously haven't actually gotten to it yet) - I think it would very much be useful, and (as you point out) it is something Please should have all the information to be able to produce.
from please.
I will try to add some context and some references here related to provenance so its possible to come to an implementation plan. And for others to learn about it later.
The Supply-chain Levels for Software Artifacts, or SLSA ("salsa") framework is one of the more generic security frameworks that has been developed and embraced over the last few years. It aims to implement "standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure." The framework has there levels in which you can mature as an software producer.
A few core principles are:
- Store code in an authorised manner and making that the source for creating artifacts that are used by consumers.
- Use automation to create the artifacts.
- Create attestation(s) (authenticated metadata about artifacts) that make a statement about its source and outcome. Its provenance.
More details can be read on the https://slsa.dev website.
Many of the requirements of the SLSA framework are already covered implicitly by Please Build. On major thing that ties all the parts together in the SLSA framework is the use of Attestations. An Attestation is a statement of proof of a thing. In this case an output artifact. And there is a lot that Please Build can prove.
To get a better view of what an Attestation looks like take a look at this Attestation model. https://slsa.dev/attestation-model#model-and-terminology
A Provenance Attestation (https://slsa.dev/spec/v1.0/provenance) is an Attestation that will prove that some artifacts (plz-out/{bin,gen}
files) are created by Please Build while executing targets.
An example of such an Provenance Attestation could be like this for Please Build.
{
// This is predefined
"_type": "https://in-toto.io/Statement/v1",
// This is predefined
"predicateType": "https://slsa.dev/provenance/v1",
// This follows a schema.
"predicate": {
"buildDefinition": {
"buildType": "https://please.build/buildtypes/run/v1",
// Maybe put the command arguments in here.
"externalParameters": {
"profile": [".plzconfig.ci", ".plzconfig.local"],
"target": "//foo:bar",
"include": ["baz"],
"exclude": ["pop"]
},
// Maybe put the final config in here.
"internalParameters": {
"version": "v17.8.5",
"buildConfig": {
"build_id": "123456",
},
"buildEnv": {
"DOO": "tee"
},
"plugins": [{
"shell": {
"uri": "git+https://github.com/please-build/shell.git",
"digest": {
"gitCommit": "c27d339ee6075c1f744c5d4b200f7901aad2c369"
}
}}
]
},
"resolvedDependencies": [
{
"uri": "git+https://github.com/octocat/hello-world@refs/heads/main",
"digest": {
"gitCommit": "c27d339ee6075c1f744c5d4b200f7901aad2c369"
}
},
{
"uri": "https://github.com/actions/virtual-environments/releases/tag/ubuntu20/20220515.1"
}
]
},
"runDetails": {
"builder": {
"id": "https://please.build/slsa-framework/slsa-level-1@refs/tags/v0.0.1"
},
// Optional. Maybe set the invocationId with a command argument.
"metadata": {
"invocationId": "https://ci.example.com/job/1",
"startedOn": "2023-01-01T12:34:56Z",
"finishedOn": "2023-01-01T12:44:56Z"
}
}
},
"subject": [
{
"name": "file://plz-out/gen/foo/bar.txt",
"digest": {
"sha256": "fe4fe40ac7250263c5dbe1cf3138912f3f416140aa248637a60d65fe22c47da4"
}
}
]
}
from please.
I'm working on an initial implementation draft that collects all kinds of information that belongs inside a Provenance Attestation. This is based on the state and config data at the end of the run command. You can see it in the PR mentioned which is in draft at this point.
from please.
Related Issues (20)
- Re-enable //test/proto_plugin:proto_rules_test
- Bug in codelab - wrong port
- Crash on tab completion
- Target not found from subrepo
- Support instantiation_stack when querying HOT 1
- Panic / segfault when using query command with --arch option that doesn't match the platform
- Intermediate build results (phase A and B) HOT 6
- Tools not found with --shell & remote execution
- .plzconfig key with empty value HOT 4
- review Go analysis.Pass.Module proposal HOT 1
- Third party dependencies fail to add with please_go HOT 4
- Adding please to a large repo - how to migrate to please and best practices for upkeep HOT 3
- pkl + plz: multi-directory genrule outs HOT 2
- plz clean doesn't remove LinkGeneratedSources'ed links HOT 3
- plz query codelab still references go_get()
- plz init still suggests getting auxiliary rules from the Pleasings repo
- Support for tab escape charcter missing. HOT 1
- List concatenation bug HOT 1
- Race condition when depending on rules created in post_build. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from please.