Today we’re releasing SLSA Version 1.1 as the latest Approved Specification of SLSA, effectively replacing Version 1.0.
Following the Community Specification lifecycle, the SLSA v1.1 Release Candidate 2 specification went through a 2-week review period during which no major issues were raised. As a result, SLSA v1.1 is now being published as an Approved Specification.
This release brings several changes aimed at enhancing the clarity and usability of the v1.0 specification. It also introduces backwards-compatible clarifications to the SLSA threat model, attestation model and verification procedure. This includes the addition of verifier metadata to the Verification Summary Attestation (VSA) format. Please refer to the What’s new section for further details.
SLSA 1.1 is backwards compatible with SLSA 1.0.
So what’s next? The SLSA specification group has been busy developing several new tracks covering critical areas of the software supply chain. Read more about them in the future directions section. Come join the group and contribute to the next version of SLSA!