TACOS + in-toto Attestations

[adityasaky]

In a discussion on the OpenSSF slack, @laurenhanford indicated that the project is interested in emitting TACOS information as in-toto attestations. We think that's a great fit as well and that it ties in well with several other predicates the community has defined so far! A good start is to use either a custom predicate or perhaps via SCAI. Thoughts?

cc @marcelamelara @TomHennen @pxp928 @joshuagl @mikhailswift

[TomHennen]

My suspicion is that a custom predicate would be most appropriate. SCAI is great for communicating a very flexible set of information, with the downside that the flexibility requires additional coordination between producers and consumers and more generic field names.

If TACOS has the goal of being a broadly adopted method of communicating this information to lots of consumers it's probably worth the effort to define a custom predicate tailored specifically for it.

[adityasaky]

I think I agree, if there's a specific, fixed format, it'll be far simpler to consume a custom predicate.

[laurenhanford]

This is helpful context, I originally started trying to propose a predicate (through here, yeah?), but wanted to get something out a little quicker. (Happy to share that work in progress, but don't laugh! 😄)

One early question I had was if a suite of TACO statements would belong in a single attestation, or would it be a single upstream package per attestation and those would all go into an attestation bundle?

[marcelamelara]

Did a little more reading today :) +1 on developing a custom predicate, especially given the focus on SSDF.

One early question I had was if a suite of TACO statements would belong in a single attestation, or would it be a single upstream package per attestation and those would all go into an attestation bundle?

@laurenhanford From your documentation, it sounds like TACOS would like to be able to cover three sets of guidelines: SSDF, Scorecards and the CIS SW Supply Chain Security Guide? (please correct me if I'm wrong) Ideally, each set of guidelines would correspond to its own attestation predicate. This helps with portability. And the three Statements can then be shipped together in an attestation bundle.

I originally started trying to propose a predicate (through here, yeah?), but wanted to get something out a little quicker. Happy to share that work in progress

Absolutely! Please feel free to open an issue/PR if you'd like us to take a look :) A work in progress is actually really helpful because it starts to give us a concrete idea of what the predicate will look like, and how it will fit with any others, especially if folks want to use TACOS in conjunction with SLSA, for example.