Commit
Signed-off-by: Steve Winslow <[email protected]>
Showing 10 changed files with 608 additions and 608 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
@@ -1,18 +1,18 @@ | ||
# SLSA Contributor License Agreement 1.0 | ||
|
||
By making a Contribution to a repository in the slsa-framework GitHub organization, I agree to the terms of the following documents located at https://github.com/slsa-framework/governance: | ||
|
||
(a) Community Specification License 1.0 (0._Community_Specification_License-v1.md) | ||
|
||
(b) SLSA Governance Policy 1.0 (5._Governance.md) | ||
|
||
(c) SLSA Contribution Policy 1.0 (6._Contributing.md) | ||
|
||
(d) SLSA Code of Conduct (8._Code_of_Conduct.md) | ||
|
||
|
||
In addition, for source code contributions, I certify that: | ||
|
||
(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) I understand and agree that this working group and the contribution may be public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this agreement or the open source license(s) involved. | ||
|
||
I represent that I am legally entitled to make the grants set forth in the documents above. If my employer(s) has rights to intellectual property that may be infringed by the materials developed by this Working Group, I represent that I have received permission to enter these agreements on behalf of that employer. | ||
# SLSA Contributor License Agreement 1.0 | ||
|
||
By making a Contribution to a repository in the slsa-framework GitHub organization, I agree to the terms of the following documents located at https://github.com/slsa-framework/governance: | ||
|
||
(a) Community Specification License 1.0 (0._Community_Specification_License-v1.md) | ||
|
||
(b) SLSA Governance Policy 1.0 (5._Governance.md) | ||
|
||
(c) SLSA Contribution Policy 1.0 (6._Contributing.md) | ||
|
||
(d) SLSA Code of Conduct (8._Code_of_Conduct.md) | ||
|
||
|
||
In addition, for source code contributions, I certify that: | ||
|
||
(a) The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file; or (b) The contribution is based upon previous work that, to the best of my knowledge, is covered under an appropriate open source license and I have the right under that license to submit that work with modifications, whether created in whole or in part by me, under the same open source license (unless I am permitted to submit under a different license), as indicated in the file; or (c) The contribution was provided directly to me by some other person who certified (a), (b) or (c) and I have not modified it. (d) I understand and agree that this working group and the contribution may be public and that a record of the contribution (including all personal information I submit with it, including my sign-off) is maintained indefinitely and may be redistributed consistent with this agreement or the open source license(s) involved. | ||
|
||
I represent that I am legally entitled to make the grants set forth in the documents above. If my employer(s) has rights to intellectual property that may be infringed by the materials developed by this Working Group, I represent that I have received permission to enter these agreements on behalf of that employer. |
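Review bot: the old and new sides of this hunk are identical as rendered, so the change is confined to whitespace, line endings or invisible characters, and the only commit text shown is the sign-off; please state in the commit message what was normalized (GitHub also flags this file for bidirectional Unicode text, so saying which characters were touched matters for anyone auditing the history). Separately, in the certification paragraph items (a) through (c) are alternatives joined by "or", while (d) is run into the same paragraph after "I have not modified it." with no conjunction; moving "(d) I understand and agree that this working group and the contribution may be public ..." into its own paragraph would make clear that (d) applies in every case rather than as a fourth alternative.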
@@ -1,14 +1,14 @@ | ||
# Scope | ||
|
||
The Supply chain Levels for Software Artifacts (SLSA) specification defines an open standard for establishing artifact integrity and resilient build processes for the software supply chain. | ||
|
||
SLSA defines multiple "security levels" of increasing security guarantees and the corresponding technical requirements necessary to achieve each such level. | ||
|
||
SLSA's scope includes requirements relating to: | ||
|
||
* source integrity and availability, to ensure changes to source code are intentional and documented; | ||
* build integrity, to ensure packages are built as intended and remain unmodified; | ||
* provenance, to ensure metadata about the build process is documented, verifiable, complete and available; and | ||
* system security, to ensure systems used in the build process are themselves secure. | ||
|
||
Any changes of Scope are not retroactive. | ||
# Scope | ||
|
||
The Supply chain Levels for Software Artifacts (SLSA) specification defines an open standard for establishing artifact integrity and resilient build processes for the software supply chain. | ||
|
||
SLSA defines multiple "security levels" of increasing security guarantees and the corresponding technical requirements necessary to achieve each such level. | ||
|
||
SLSA's scope includes requirements relating to: | ||
|
||
* source integrity and availability, to ensure changes to source code are intentional and documented; | ||
* build integrity, to ensure packages are built as intended and remain unmodified; | ||
* provenance, to ensure metadata about the build process is documented, verifiable, complete and available; and | ||
* system security, to ensure systems used in the build process are themselves secure. | ||
|
||
Any changes of Scope are not retroactive. |
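Review bot: no visible text differs between the two sides of this hunk; if the intent is line-ending normalization across the repository, add a `.gitattributes` rule such as `* text=auto eol=lf` in the same change so the files do not flip back on the next commit from a different platform.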
@@ -1,56 +1,56 @@ | ||
# Notices | ||
|
||
## Code of Conduct | ||
|
||
Contact for Code of Conduct issues or inquires: | ||
* (TBD) | ||
|
||
## License Acceptance | ||
|
||
Per Community Specification License 1.0 Section 2.1.3.3, Licensees may indicate their acceptance of the Community Specification License by issuing a pull request to the Specification repository’s Notices.md file, including the Licensee’s name, authorized individuals' names, and repository system identifier (e.g. GitHub ID), and specification version. | ||
|
||
A Licensee may consent to accepting the current Community Specification License version or any future version of the Community Specification License by indicating "or later" after their specification version. | ||
|
||
--------------------------------------------------------------------------------- | ||
|
||
Licensee’s name: | ||
|
||
Authorized individual and system identifier: | ||
|
||
Specification version: | ||
|
||
--------------------------------------------------------------------------------- | ||
|
||
## Withdrawals | ||
|
||
Name of party withdrawing: | ||
|
||
Date of withdrawal: | ||
|
||
--------------------------------------------------------------------------------- | ||
|
||
## Exclusions | ||
|
||
This section includes any Exclusion Notices made against a Draft Deliverable or Approved Deliverable as set forth in the Community Specification Development License. Each Exclusion Notice must include the following information: | ||
|
||
- Name of party making the Exclusion Notice: | ||
|
||
- Name of patent owner: | ||
|
||
- Specification: | ||
|
||
- Version number: | ||
|
||
**For issued patents and published patent applications:** | ||
|
||
- (i) patent number(s) or title and application number(s), as the case may be: | ||
|
||
- (ii) identification of the specific part(s) of the Specification whose implementation makes the excluded claim a Necessary Claim. | ||
|
||
**For unpublished patent applications must provide either:** | ||
|
||
- (i) the text of the filed application; or | ||
|
||
- (ii) identification of the specific part(s) of the Specification whose implementation makes the excluded claim a Necessary Claim. | ||
|
||
----------------------------------------------------------------------------------------- | ||
# Notices | ||
|
||
## Code of Conduct | ||
|
||
Contact for Code of Conduct issues or inquires: | ||
* (TBD) | ||
|
||
## License Acceptance | ||
|
||
Per Community Specification License 1.0 Section 2.1.3.3, Licensees may indicate their acceptance of the Community Specification License by issuing a pull request to the Specification repository’s Notices.md file, including the Licensee’s name, authorized individuals' names, and repository system identifier (e.g. GitHub ID), and specification version. | ||
|
||
A Licensee may consent to accepting the current Community Specification License version or any future version of the Community Specification License by indicating "or later" after their specification version. | ||
|
||
--------------------------------------------------------------------------------- | ||
|
||
Licensee’s name: | ||
|
||
Authorized individual and system identifier: | ||
|
||
Specification version: | ||
|
||
--------------------------------------------------------------------------------- | ||
|
||
## Withdrawals | ||
|
||
Name of party withdrawing: | ||
|
||
Date of withdrawal: | ||
|
||
--------------------------------------------------------------------------------- | ||
|
||
## Exclusions | ||
|
||
This section includes any Exclusion Notices made against a Draft Deliverable or Approved Deliverable as set forth in the Community Specification Development License. Each Exclusion Notice must include the following information: | ||
|
||
- Name of party making the Exclusion Notice: | ||
|
||
- Name of patent owner: | ||
|
||
- Specification: | ||
|
||
- Version number: | ||
|
||
**For issued patents and published patent applications:** | ||
|
||
- (i) patent number(s) or title and application number(s), as the case may be: | ||
|
||
- (ii) identification of the specific part(s) of the Specification whose implementation makes the excluded claim a Necessary Claim. | ||
|
||
**For unpublished patent applications must provide either:** | ||
|
||
- (i) the text of the filed application; or | ||
|
||
- (ii) identification of the specific part(s) of the Specification whose implementation makes the excluded claim a Necessary Claim. | ||
|
||
----------------------------------------------------------------------------------------- |
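Review bot: since this commit already rewrites every line of the file, fix the two wording defects that survive on both sides of the hunk: "Contact for Code of Conduct issues or inquires:" should read "inquiries", and "For unpublished patent applications must provide either:" has no subject, e.g. "For unpublished patent applications, the party making the Exclusion Notice must provide either:". The Code of Conduct contact is still "(TBD)", which leaves the Exclusions and Code of Conduct sections without a reachable contact; track that in an issue if it is not filled in here.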
@@ -1,13 +1,13 @@ | ||
# Licenses | ||
|
||
## Specification License | ||
|
||
Specifications in this GitHub organization are subject to the **Community Specification License 1.0** available at [https://github.com/CommunitySpecification/1.0](https://github.com/CommunitySpecification/1.0). | ||
|
||
## Source Code License | ||
|
||
If source code is included in repositories in this GitHub organization, or for sample or reference code included in the specification itself, that code is subject to the Apache-2.0 license unless otherwise designated. | ||
|
||
If source code is included in a repository in this GitHub organization, or for sample or reference code included in the specification itself, that code is subject to the Apache-2.0 license unless otherwise marked. | ||
|
||
In the case of any conflict or confusion within a specification repository in this GitHub organization between the Community Specification License and the designated source code license, the terms of the Community Specification License shall apply. | ||
# Licenses | ||
|
||
## Specification License | ||
|
||
Specifications in this GitHub organization are subject to the **Community Specification License 1.0** available at [https://github.com/CommunitySpecification/1.0](https://github.com/CommunitySpecification/1.0). | ||
|
||
## Source Code License | ||
|
||
If source code is included in repositories in this GitHub organization, or for sample or reference code included in the specification itself, that code is subject to the Apache-2.0 license unless otherwise designated. | ||
|
||
If source code is included in a repository in this GitHub organization, or for sample or reference code included in the specification itself, that code is subject to the Apache-2.0 license unless otherwise marked. | ||
|
||
In the case of any conflict or confusion within a specification repository in this GitHub organization between the Community Specification License and the designated source code license, the terms of the Community Specification License shall apply. |
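Review bot: the Source Code License section carries two near-duplicate paragraphs on both sides of the hunk ("If source code is included in repositories ... unless otherwise designated." and "If source code is included in a repository ... unless otherwise marked."); keep one, preferably the "designated" wording, since the closing paragraph refers to "the designated source code license".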