From c8c42ac3b0522818c5ea4eed2bb476c414ae958d Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Mon, 1 Jul 2024 14:53:24 -0400 Subject: [PATCH 1/9] address remainder of outstanding issues. --- docs/spec/v1.1/source-requirements.md | 18 ++++-------------- docs/spec/v1.1/whats-new.md | 1 + 2 files changed, 5 insertions(+), 14 deletions(-) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index 42c828423..8aba86062 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md 
@@ -1,22 +1,12 @@ # SLSA Source Track -## Objective - -The SLSA Source Track mitigates [Threat A ("Submit unauthorized change")](/spec/v1.0/threats#a-submit-unauthorized-change), scoped to a code repository and the organization that owns that repository. Concretely: an attacker must compromise the accounts of two organization members to publish code in a Source Level 3-conformant repository, and the evidence of those unauthorized changes cannot be destroyed without further attacks. - -## Changes from v0.1 +## Status: DRAFT +Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. -- **Scope** The Source track is now scoped to Revisions rather than builds. -Why?: To facilitate verification without anchoring it to a build. -- **Model** Added a model, definitions, and the concept of verification. -Why?: SLSA does not yet have a model for version control systems, and we need such a model to be able to discuss them. - -## Outstanding TODOs +## Objective -- [] Flesh out the definition and bounds of 'identity', and why they're required. -- [] Refine requirements/guidance for trusted robots. -- [] Either identify the unique value of L1 or merge it with L2. +The SLSA Source Track mitigates [Threat A ("Submit unauthorized change")](/spec/v1.0/threats#a-submit-unauthorized-change), scoped to a code repository and the organization that owns that repository. Concretely: an attacker must compromise the accounts of two organization members to publish code in a Source Level 3-conformant repository, and the evidence of those unauthorized changes cannot be destroyed without further attacks. ## Source model diff --git a/docs/spec/v1.1/whats-new.md b/docs/spec/v1.1/whats-new.md index 36d1a005c..e484ba74f 100644 --- a/docs/spec/v1.1/whats-new.md +++ b/docs/spec/v1.1/whats-new.md 
@@ -17,6 +17,7 @@ changes in v1.1 relative to the prior release, [v1.0]. - It is now recommended that the `digest` field of `ResourceDescriptor` is set in a Verification Summary Attestation's (VSA) `policy` object. - Further refine the [threat model](threats). +- Add draft of [SLSA Source Track](source-requirements.md). From d48aa10bee7612f5cee594b1197f619de686c3fb Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Mon, 1 Jul 2024 15:02:31 -0400 Subject: [PATCH 2/9] remove use of the word 'time' --- docs/spec/v1.1/source-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index 8aba86062..25590e27c 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md 
@@ -18,7 +18,7 @@ The Source track is scoped to a single project that is controlled by some organi | Organization | A collection of people who collectively create the Source. Examples of organizations include an open-source projects, a company, or a team within a company. | Change | A set of modifications to one or more source files and associated metadata. Change metadata MUST include any information required to situate the change in relation to other changes (e.g. parent revision). | Version Control System | Software for tracking and managing changes to source. Git and Subversion are examples of version control systems. -| Revision | The canonical source at a given point in time as identified by the version control system. As an example, you can identify a git revision by its tree hash. +| Revision | A specific identifier provided by the version control system that identifies a given state of the source. As an example, you can identify a git revision by its tree hash. | Change History | A record of the history of changes that went into the revision. | Source Control Platform | A service or suite of services for hosting version controlled software. GitHub and GitLab are examples of source control platforms, as are combinations of tools like Gerrit code reviews with GitHub source control. From 893952884bff63e8e441f72713369bb9ede24d0f Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Tue, 2 Jul 2024 11:49:53 -0400 Subject: [PATCH 3/9] add space for linter --- docs/spec/v1.1/source-requirements.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index 25590e27c..7490dd1b2 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md 
@@ -1,6 +1,7 @@ # SLSA Source Track ## Status: DRAFT + Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. From 56d8e5481e85c90c74f569933087190e9fd31312 Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Tue, 2 Jul 2024 16:05:51 -0400 Subject: [PATCH 4/9] address linter findings --- docs/spec/v1.1/source-requirements.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index 7490dd1b2..579d9527a 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md @@ -4,7 +4,6 @@ Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. - ## Objective The SLSA Source Track mitigates [Threat A ("Submit unauthorized change")](/spec/v1.0/threats#a-submit-unauthorized-change), scoped to a code repository and the organization that owns that repository. Concretely: an attacker must compromise the accounts of two organization members to publish code in a Source Level 3-conformant repository, and the evidence of those unauthorized changes cannot be destroyed without further attacks. From 0f9754445689268daf4b718a6b20885cc8b320af Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Wed, 3 Jul 2024 10:03:25 -0700 Subject: [PATCH 5/9] Update docs/spec/v1.1/source-requirements.md Co-authored-by: Joshua Lock Signed-off-by: Zachariah Cox --- docs/spec/v1.1/source-requirements.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index 579d9527a..ca0b5b394 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md 
@@ -1,6 +1,5 @@ # SLSA Source Track -## Status: DRAFT Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. From 3345409cf26f993fe6de12aebd4325dc38231e42 Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Wed, 3 Jul 2024 13:20:33 -0400 Subject: [PATCH 6/9] add back the todos header --- docs/spec/v1.1/source-requirements.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index ca0b5b394..177914be0 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md @@ -1,5 +1,6 @@ # SLSA Source Track +## Outstanding TODOs Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. From 6e001490e4a91e386c8d360598d15ae31bc936e2 Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Wed, 3 Jul 2024 15:02:13 -0400 Subject: [PATCH 7/9] update with issues identified in gdoc --- docs/spec/v1.1/source-requirements.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index 177914be0..405d295ee 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md 
@@ -4,6 +4,18 @@ Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. +- [] https://github.com/slsa-framework/slsa/issues/1069 +- [] https://github.com/slsa-framework/slsa/issues/1070 +- [] https://github.com/slsa-framework/slsa/issues/1071 +- [] https://github.com/slsa-framework/slsa/issues/1072 +- [] https://github.com/slsa-framework/slsa/issues/1074 +- [] https://github.com/slsa-framework/slsa/issues/1075 +- [] https://github.com/slsa-framework/slsa/issues/1076 +- [] https://github.com/slsa-framework/slsa/issues/1077 +- [] https://github.com/slsa-framework/slsa/issues/1078 +- [] https://github.com/slsa-framework/slsa/issues/1079 +- [] https://github.com/slsa-framework/slsa/issues/1080 + ## Objective The SLSA Source Track mitigates [Threat A ("Submit unauthorized change")](/spec/v1.0/threats#a-submit-unauthorized-change), scoped to a code repository and the organization that owns that repository. Concretely: an attacker must compromise the accounts of two organization members to publish code in a Source Level 3-conformant repository, and the evidence of those unauthorized changes cannot be destroyed without further attacks. From eef7ae7e6585c687d6eb98bbdd9890fcf7f77f8a Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Wed, 3 Jul 2024 15:53:30 -0400 Subject: [PATCH 8/9] linter errors --- docs/spec/v1.1/source-requirements.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index 405d295ee..e0a4ff9ee 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md 
@@ -4,17 +4,17 @@ Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. -- [] https://github.com/slsa-framework/slsa/issues/1069 -- [] https://github.com/slsa-framework/slsa/issues/1070 -- [] https://github.com/slsa-framework/slsa/issues/1071 -- [] https://github.com/slsa-framework/slsa/issues/1072 -- [] https://github.com/slsa-framework/slsa/issues/1074 -- [] https://github.com/slsa-framework/slsa/issues/1075 -- [] https://github.com/slsa-framework/slsa/issues/1076 -- [] https://github.com/slsa-framework/slsa/issues/1077 -- [] https://github.com/slsa-framework/slsa/issues/1078 -- [] https://github.com/slsa-framework/slsa/issues/1079 -- [] https://github.com/slsa-framework/slsa/issues/1080 +- [] https://github.com/slsa-framework/slsa/issues/1069 +- [] https://github.com/slsa-framework/slsa/issues/1070 +- [] https://github.com/slsa-framework/slsa/issues/1071 +- [] https://github.com/slsa-framework/slsa/issues/1072 +- [] https://github.com/slsa-framework/slsa/issues/1074 +- [] https://github.com/slsa-framework/slsa/issues/1075 +- [] https://github.com/slsa-framework/slsa/issues/1076 +- [] https://github.com/slsa-framework/slsa/issues/1077 +- [] https://github.com/slsa-framework/slsa/issues/1078 +- [] https://github.com/slsa-framework/slsa/issues/1079 +- [] https://github.com/slsa-framework/slsa/issues/1080 ## Objective From e95e3b6040e288097c7cefe97e0eae4311d0dde3 Mon Sep 17 00:00:00 2001 From: Zachariah Cox Date: Mon, 8 Jul 2024 06:56:47 -0700 Subject: [PATCH 9/9] Update docs/spec/v1.1/source-requirements.md Co-authored-by: Joshua Lock Signed-off-by: Zachariah Cox --- docs/spec/v1.1/source-requirements.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/docs/spec/v1.1/source-requirements.md b/docs/spec/v1.1/source-requirements.md index e0a4ff9ee..347b99839 100644 --- a/docs/spec/v1.1/source-requirements.md +++ b/docs/spec/v1.1/source-requirements.md 
@@ -4,17 +4,17 @@ Open issues are tracked with the [source-track](https://github.com/slsa-framework/slsa/issues?q=is%3Aissue+is%3Aopen+label%3Asource-track) label in the [slsa-framework/slsa](https://github.com/slsa-framework/slsa) repository. -- [] https://github.com/slsa-framework/slsa/issues/1069 -- [] https://github.com/slsa-framework/slsa/issues/1070 -- [] https://github.com/slsa-framework/slsa/issues/1071 -- [] https://github.com/slsa-framework/slsa/issues/1072 -- [] https://github.com/slsa-framework/slsa/issues/1074 -- [] https://github.com/slsa-framework/slsa/issues/1075 -- [] https://github.com/slsa-framework/slsa/issues/1076 -- [] https://github.com/slsa-framework/slsa/issues/1077 -- [] https://github.com/slsa-framework/slsa/issues/1078 -- [] https://github.com/slsa-framework/slsa/issues/1079 -- [] https://github.com/slsa-framework/slsa/issues/1080 +- [] [Structure & formatting don't match the build track](https://github.com/slsa-framework/slsa/issues/1069) +- [] [Either identify the unique value of L1 or merge it with L2](https://github.com/slsa-framework/slsa/issues/1070) +- [] [How to communicate SLSA source track metadata?](https://github.com/slsa-framework/slsa/issues/1071) +- [] [Clarify source track objective](https://github.com/slsa-framework/slsa/issues/1072) +- [] [Clarify the 'merger' identity in source track](https://github.com/slsa-framework/slsa/issues/1074) +- [] [Flesh out the definition and bounds of 'identity', and why they're required](https://github.com/slsa-framework/slsa/issues/1075) +- [] [VCS and SCP concerns are mixed or too prescriptive](https://github.com/slsa-framework/slsa/issues/1076) +- [] [Clarify that self-hosted SCPs are allowed](https://github.com/slsa-framework/slsa/issues/1077) +- [] [Create guidance for consumers on how to evaluate the source platform](https://github.com/slsa-framework/slsa/issues/1078) +- [] [Clarify what must be retained during source migrations](https://github.com/slsa-framework/slsa/issues/1079) 
+- [] [Refine requirements/guidance for trusted robots](https://github.com/slsa-framework/slsa/issues/1080) ## Objective
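Review bot: The `## Changes from v0.1` section deleted in the source-requirements.md hunk of PATCH 1/9 (scope moved to Revisions rather than builds; the added model, definitions and verification concept, each with its "Why?") is not relocated anywhere in the series, and the only surviving trace is the one-line whats-new.md entry `Add draft of [SLSA Source Track]`. Readers arriving from v0.1 lose the rationale for scoping the track to Revisions, which is exactly the definition PATCH 2/9 then has to reword. Keep the two "Why?" bullets, either as sub-bullets under the new whats-new.md entry or as a short paragraph in the Objective section.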
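Review bot: Link-target convention in the whats-new.md hunk of PATCH 1/9 differs from the entry directly above it: `[threat model](threats)` uses an extensionless page name while the new line uses `(source-requirements.md)`. Pick the form the site's link resolution actually handles and use it for both lines so one of them does not end up as a broken link after rendering.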
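Review bot: The reworded Revision row in PATCH 2/9 keeps the example `you can identify a git revision by its tree hash`, but a git tree hash covers only the content of a snapshot and carries no parent pointers, so two revisions with different histories can share the same tree hash. That sits uneasily with the Change row in the same hunk, which says metadata MUST include what is needed to situate a change relative to others (e.g. parent revision), and with `Change History | A record of the history of changes that went into the revision`. Either use the commit hash as the example identifier or state explicitly that the tree hash identifies the source state but not its history. Separately, `A specific identifier ... that identifies a given state` is redundant; `An identifier assigned by the version control system to a specific state of the source` says the same thing once.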
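Review bot: Removing `## Status: DRAFT` in PATCH 5/9 leaves the `Open issues are tracked ...` sentence as an unlabelled paragraph directly under the `# SLSA Source Track` title, and PATCH 6/9 immediately inserts `## Outstanding TODOs` above it. Squash the two commits (or rename the heading in one step) so the intermediate tree never has a headless paragraph, and so the rename of "Status: DRAFT" to "Outstanding TODOs" is reviewable as a single change.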
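Review bot: The `- []` prefix on the eleven lines added in PATCH 7/9 is not GitHub-flavored task-list syntax (`- [ ]`, with a space inside the brackets), so these render as literal `[]` text rather than checkboxes; the `Outstanding TODOs` list removed in PATCH 1/9 had the same defect. Bare issue URLs also tell the reader nothing about what each TODO covers; PATCH 9/9 later replaces them with titled links, and it would be cleaner to land the titled form here in one commit. Minor: the range 1069 to 1080 skips 1073; if that is deliberate, fine, but it is worth a glance.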
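Review bot: The eleven `-`/`+` pairs in PATCH 8/9 are visually identical in the diff, so the change is invisible whitespace (trailing spaces, indentation or line endings) and the commit message `linter errors` does not say which rule was flagged. State the markdownlint rule or the whitespace that changed in the message so a reviewer can verify the fix without re-running the linter, or fold this into the commit that introduced the lines (PATCH 7/9) so the noise never lands in history.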
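Review bot: The titled links in PATCH 9/9 still carry the `- []` prefix, which does not render as a task-list checkbox (`- [ ]` is required), so the intent of tracking completion in the document is not actually achieved. More fundamentally, the hard-coded list duplicates the live `source-track` label query linked in the sentence above it and will drift as issues are closed or opened; either drop the enumerated list and rely on the label query, or mark it as a snapshot ("as of the v1.1 draft") so readers know it is not authoritative.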