Explore the challenges and insights gained from automating SLSA-compliance evaluation in this 42-minute conference talk by Daniel Nebenzahl from Scribe-security. Delve into the SLSA framework, focusing on provenance and evidence-based trust. Examine pipeline dynamics and the initial steps towards SLSA Level 1 compliance. Discover the complexities of log file management and the importance of immutable references. Learn about the automation process for SLSA Levels 1 and 2 evaluation, including source verification and retention requirements. Investigate the challenges of implementing SLSA Level 3, particularly regarding ephemeral environments and isolation. Witness a demonstration of untrusted logs and unfalsifiable provenance. Conclude with key takeaways on build parameterlessness, hermeticity, and the path to SLSA Level 4 compliance.
Lessons Learned from Automating SLSA-Compliance Evaluation
Overview
Syllabus
Intro
Agenda Storyline
SLSA Overview
Provenance: Evidence Based Trust
Our Pipelines
Pipeline Dynamics
First Steps: SLSA L1
No Brainer
The Requirements
Compliance
Provenance Authenticity Options
Sample log files
Anecdote: Not All Logs Created Equal
Anecdote: Logs and Immutable Reference
SLSA L1+L2 Evaluation Automation
Source-Verified
SLSA Source - Retained Indefinitely Req.
SLSA L3 Source Reqs Options
SLSA L3 Ephemeral & Isolation Challenge
Implementing SLSA L3 Ephemeral & Isolation
Evaluation of Ephemeral & Isolation Reqs.
SLSA L3 - Provenance - Non-Falsifiable
Demo: Untrusted log
Unfalsifiable Provenance
Build Parameterless & Hermetic
Defeated by SLSA L4
Takeaways
Taught by
Linux Foundation
