ediverse Explorer la plateforme

À la une PEPPOL BIS Billing 3.0 L’obligation européenne d’e-invoicing arrive : France sept 2026, Belgique janv 2026, Allemagne 2025.

SLSA-SOURCE-TRACKS

SLSA Source Tracks v1.1 draft separate Build + Source.

Définition

SLSA Source Tracks levels proposal v1.1 draft : (1) Source L1 : source code version-controlled (Git, Mercurial, SVN, etc.), commit history preserved, source identifier (e.g., Git commit SHA) tracked + included in provenance. (2) Source L2 : two-person review required (minimum 1 reviewer approval) for changes merged to release branches (e.g., main), protected branch rules, no direct push by single individual to release branches. (3) Source L3 : tamper-resistant source repository (no force-pushes allowed + tag protection + signed commits/tags optional but recommended), audit trail accessible + retention >18 months minimum, source repository hosted on trusted hosting platform with integrity guarantees (GitHub + GitLab + Bitbucket Enterprise level integrity controls). (4) Source provenance attestation : separate from Build provenance, includes source identifier + reviewers (if L2+) + commit signers (if L3 signed) + branch protection rules state. Use cases : separately verify Source vs Build properties (e.g., projet has Build L3 mais Source L1 only = build process tamper-resistant but source code anyone can push, less ideal). Status : draft 2024, expected stabilize SLSA v1.1 2025+.

Origine

SLSA Source Tracks proposal SLSA Working Group OpenSSF 2024 ; SLSA v1.1 draft 2024 ; expected stabilize 2025+.

Exemple en contexte

Open-source project achieves Build L3 (GitHub Actions hardened build) + Source L2 (GitHub branch protection requiring 1 reviewer approval main branch) : separately verifiable Build vs Source compliance, allows incremental improvement (Source L3 future via signed commits + tag protection).

Termes liés

Dernière mise à jour: 16 mai 2026