SLSA v1.0: shift emphasis to expectations + verification in levels.md

[MarkLodato]

Preview: https://deploy-preview-503--slsa.netlify.app/spec/v1.0/levels

(As discussed in #130 and the Specification SIG meeting)

Previously the specification only required the publication of provenance but did not say anything about its verification. The latter is what actually detects or prevents attacks, so this was a big gap. Futhermore, the previous "scripted build" requirement did not have a clear reason why it was included.

Now there is explicit language around:

• Defining an expectation of how the package should be built, replacing the previous "scripted build" requirement.
• Verifying that the provenance meets expectations.

NOTE: This PR only changes levels.md. A future commit will make an equivalent change to the rest of the spec, e.g. requirements.md.

Related issues (not fully fixed): #46, #130, #371

[netlify]

✅ Deploy Preview for slsa ready!

Name	Link
🔨 Latest commit	de5117a
🔍 Latest deploy log	https://app.netlify.com/sites/slsa/deploys/634d5289f538cc0008943832
😎 Deploy Preview	https://deploy-preview-503--slsa.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site settings.

[joshuagl]

Great to see this being fleshed out. I made suggestions inline to consistently use "as expected" rather than "as documented/expected".

[MarkLodato]

Thanks. I updated the language as suggested and rebased onto the latest version of #502.

[joshuagl]

LGTM, thanks. Do you think we should provide guidance on how to verify provenance meets expectations (and is signed) for users of the SLSA provenance format?

[MarkLodato]

LGTM, thanks. Do you think we should provide guidance on how to verify provenance meets expectations (and is signed) for users of the SLSA provenance format?

Yes. I assume that would be a necessary part of #46. This PR here is only a first step.

[mlieberman85]

LGTM