Syllabus
Intro
Agenda Storyline
SLSA Overview
Provenance: Evidence Based Trust
Our Pipelines
Pipeline Dynamics
First Steps: SLSA L1
No Brainer
The Requirements
Compliance
Provenance Authenticity Options
Sample log files
Anecdote: Not All Logs Created Equal
Anecdote: Logs and Immutable Reference
SLSA L1+L2 Evaluation Automation
Source-Verified
SLSA Source - Retained Indefinitely Req.
SLSA L3 Source Reqs Options
SLSA L3 Ephemeral & Isolation Challenge
Implementing SLSA L3 Ephemeral & Isolation
Evaluation of Ephemeral & Isolation Reqs.
SLSA L3 - Provenance - Non-Falsifiable
Demo: Untrusted log
Unfalsifiable Provenance
Build Parameterless & Hermetic
Defeated by SLSA L4
Takeaways
Taught by
Linux Foundation