Revised build environment track files #1537
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
marcelamelara
requested changes
Jan 12, 2026
Contributor
marcelamelara
left a comment
marcelamelara
left a comment
There was a problem hiding this comment.
Thanks @mcevoy-building7 ! I've mostly got smaller edits.
Contributor
There was a problem hiding this comment.
Is there a reason this file is being removed altogether? Is the idea to replace it with the new build-verification.md file below?
|
|
||
| **About this page:** the *Build Environment Track: Basics* page defines its levels, describes their security objectives and general requirements. | ||
|
|
||
| **Intended audience:** {add appropriate audience} |
Contributor
There was a problem hiding this comment.
Suggested change
| **Intended audience:** {add appropriate audience} | |
| **Intended audience:** Infrastructure providers (i.e., build platform and compute platform admins), software consumers with very strict security requirements |
Contributor
There was a problem hiding this comment.
@paveliak wdyt? Are we missing any other audiences here?
|
|
||
| **Intended audience:** {add appropriate audience} | ||
|
|
||
| **Topics covered:** build track terminology, threats to build environments, explaination for build environment model, level specifics |
Contributor
There was a problem hiding this comment.
Suggested change
| **Topics covered:** build track terminology, threats to build environments, explaination for build environment model, level specifics | |
| **Topics covered:** build environment track terminology, threats to build environments, a model for build environments, level specifics |
| ## What the Build Environment Track does | ||
|
|
||
| <p align="center"><img src="images/build-env-model.svg" alt="Build Environment Model"></p> | ||
| {clean} The SLSA [Build track] defines requirements for the provenance that is produced for the build artifacts. Trustworthiness of the build process largely depends on the trustworthiness of the [build environment] the build runs in. The Build track assumes full trust into the [Build Platform], and provides no requirements to verify integrity of the build environment. BuildEnv track intends to close this gap. |
Contributor
There was a problem hiding this comment.
Nits
Suggested change
| {clean} The SLSA [Build track] defines requirements for the provenance that is produced for the build artifacts. Trustworthiness of the build process largely depends on the trustworthiness of the [build environment] the build runs in. The Build track assumes full trust into the [Build Platform], and provides no requirements to verify integrity of the build environment. BuildEnv track intends to close this gap. | |
| {clean} The SLSA [Build track] defines requirements for the provenance that is produced for the build artifacts. Trustworthiness of the build process largely depends on the trustworthiness of the [build environment] a build runs in. The Build track assumes full trust in the [Build Platform], and provides no requirements to verify the integrity of the build environment. The BuildEnv track intends to close this gap. |
| For the example threats refer to the [Build Threats] section. | ||
| For the example threats, refer to the [Build Threats] section. | ||
|
|
||
| ## Build environment concept model |
Contributor
There was a problem hiding this comment.
I still think this section should come at least before the threats, because we think it's difficult to understand some of the threats and requirements of this track without this important background.
| L3 provides evidence of continuous integrity of the build environment for the whole lifetime. | ||
| TEE technologies are not infallible, so physical human access to hardware and side channel attacks are still a risk that is accepted at L3. | ||
|
|
||
| ### Build image lifetimes diagram |
Contributor
There was a problem hiding this comment.
I think this section has quite a bit of overlap with the build environment model (this was an issue we already had noted before these revisions), so I think we should just move this diagram / mini-section to the build environment model section.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Build Environment Track
File: build-env-track-basics.md
These track files have a new header block structure to provide a consistent table of contents to help users improve navigation and easily identify key details for each page. This will also help spec writers ensure that their information is complete and organized.
Additional edits have been made to headings and content to increase the logic flow and add clarity to each page.
DO NOT MERGE