
Should checklevelprov be less strict about time? #60

Open
TomHennen opened this issue Feb 10, 2025 · 1 comment

Comments

@TomHennen
Contributor

checklevelprov doesn't consider the 'Control' Since time that GitHub reports. Instead it only considers what the previous provenance says.

That makes it pretty brittle in cases when we've lost provenance for some reason (like this tool that's in active development breaks).

What if we add a --strict mode that, if not enabled, will take the older of the time reported in the prior provenance or the control time.

This should make things less brittle and help out if folks update their control but the provenance hasn't been lost.

@TomHennen
Contributor Author

With #103 the source provenance now records the times that controls have been enabled since according to the GitHub API.

It also records the earliest available 'provenance' time.

Policy verification still requires that all the controls have been enabled at least since the date listed in the policy.

This change may make it easier to address failure to generate provenance.
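The two comments above describe a verification rule: each control must have been enabled at least since the date in the policy, and the evidence for "enabled since" can come from the earliest provenance time or, in a proposed non-strict mode, from the older of that and the control time reported by the GitHub API. The following is an added illustration of that rule, not code from the slsa-source-poc project or from the issue author; the type and function names (`ControlEvidence`, `EffectiveSince`, `CheckPolicy`) and all timestamps are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// ControlEvidence holds, for one control, the two timestamps the source
// provenance can carry (both names are hypothetical for this example):
//   - ControlSince: when the GitHub API reports the control has been enabled since
//   - ProvenanceSince: the earliest time for which provenance is available
// A zero time means the value is unknown (e.g. provenance was lost).
type ControlEvidence struct {
	Name            string
	ControlSince    time.Time
	ProvenanceSince time.Time
}

// EffectiveSince returns the time from which a control is treated as enabled.
// In strict mode only the provenance time counts. Otherwise the older of the
// two known timestamps is used, so a gap in provenance does not discard a
// control that the API says has been on for longer. The bool is false when
// no usable evidence exists at all.
func EffectiveSince(e ControlEvidence, strict bool) (time.Time, bool) {
	if strict {
		if e.ProvenanceSince.IsZero() {
			return time.Time{}, false
		}
		return e.ProvenanceSince, true
	}
	switch {
	case e.ControlSince.IsZero() && e.ProvenanceSince.IsZero():
		return time.Time{}, false
	case e.ControlSince.IsZero():
		return e.ProvenanceSince, true
	case e.ProvenanceSince.IsZero():
		return e.ControlSince, true
	case e.ControlSince.Before(e.ProvenanceSince):
		return e.ControlSince, true
	default:
		return e.ProvenanceSince, true
	}
}

// CheckPolicy returns the names of controls that fail the policy requirement
// "enabled at least since policySince". A control with no usable evidence
// fails, as does one whose effective since-time is later than the policy date.
func CheckPolicy(evidence []ControlEvidence, policySince time.Time, strict bool) []string {
	var failed []string
	for _, e := range evidence {
		since, ok := EffectiveSince(e, strict)
		if !ok || since.After(policySince) {
			failed = append(failed, e.Name)
		}
	}
	return failed
}

// SampleEvidence is constructed input: three controls with different gaps
// between API-reported enablement and available provenance.
func SampleEvidence() []ControlEvidence {
	d := func(s string) time.Time {
		t, err := time.Parse("2006-01-02", s)
		if err != nil {
			panic(err)
		}
		return t
	}
	return []ControlEvidence{
		// Control on since mid-2024 per the API, but provenance only survives from Feb 2025.
		{Name: "continuity", ControlSince: d("2024-06-01"), ProvenanceSince: d("2025-02-01")},
		// Provenance was never generated; only the API timestamp is known.
		{Name: "review", ControlSince: d("2024-12-01")},
		// Both sources agree the control was turned on after the policy date.
		{Name: "tag-hygiene", ControlSince: d("2025-03-01"), ProvenanceSince: d("2025-03-05")},
	}
}

func main() {
	policySince, _ := time.Parse("2006-01-02", "2025-01-01")
	ev := SampleEvidence()
	fmt.Println("strict failures:    ", CheckPolicy(ev, policySince, true))
	fmt.Println("non-strict failures:", CheckPolicy(ev, policySince, false))
}
```

In strict mode the first two controls fail because their provenance either starts after the policy date or is missing; in non-strict mode the API-reported enablement time rescues both, while the third control still fails under either setting because no source places it before the policy date.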
