Learn English vocabulary for build provenance and supply chain integrity: attestation, SLSA provenance predicates, in-toto, hermetic builds, and reproducible builds.
1 / 5
'Build provenance' in software supply chain security means:
Provenance answers 'where did this artifact come from and how was it built?' A signed provenance document lets consumers verify that a binary was built from a specific git commit by a trusted CI system — not tampered with after the fact.
2 / 5
In the SLSA framework, a 'provenance predicate' is:
SLSA provenance follows the in-toto Attestation Framework. The 'predicate' is the content: it records the builder's identity, the source repository, the commit SHA, build parameters, and build start/finish times — all signed by the build platform.
3 / 5
A 'hermetic build' is one that:
Hermetic builds declare all inputs before starting, then cut off network access. This prevents a supply chain attack where a build script fetches a malicious dependency at build time. Google's Bazel supports hermetic builds; they are a requirement for SLSA Build Level 3.
4 / 5
'Reproducible builds' means that:
Reproducible (deterministic) builds let anyone verify an artifact by rebuilding it from source and comparing hashes. If a binary you downloaded matches the binary built from the published source, you have strong evidence it was not backdoored. Debian and the Tor Project are leaders in this space.
5 / 5
The 'in-toto' framework provides supply chain security by:
In-toto captures the full supply chain: each step (checkout, test, build, sign) produces a signed link file listing inputs and outputs. The 'layout' file defines allowed steps and signers. A consumer validates the chain before trusting the artifact — used by PyPI, Sigstore, and SLSA.