We’re excited to announce SLSA v1.0 Release Candidate 2 (RC2) following the valuable feedback we received on the first release candidate. This is intended to be the final release candidate before marking v1.0 as an Approved Specification.

We ask that all community members review the full specification and raise any significant concerns as a GitHub issue by April 17, 2023. While we always appreciate clarity or editorial feedback, during this review period we are specifically looking to identify significant problems that would require a breaking change—and thus a new version—to address. (We plan to continue to addressing clarity issues via editorial changes after the v1.0 release, particularly the backlog of editorial feedback from RC1 that we have not yet addressed.)

Assuming there are no significant objections, we plan to mark this candidate as an Approved Specification on April 19.

We appreciate the continued support and engagement from the SLSA community and all early adopters who have provided valuable feedback on the previous release candidate. Thank you for your contributions to the project!

Summary of changes since RC1

There have been no major changes to requirements since RC1. Most of the changes have been editorial in nature. The following is a summary of the most significant changes:

  • Added Distributing provenance page
  • Renamed “non-forgeable” to “unforgeable”
  • Updated VSA for v1.0
  • Updated Threats & mitigations for v1.0 and relabeled the diagram (swapped labels “D” and “E”)
  • Resolved various inconsistencies, simplified terminology, and added more introductory material