Today we’re releasing the SLSA Version 1.1 RC2 for public review. We are seeking comments on these spec changes by April 18, 2025. This release brings several changes aimed at enhancing the clarity and usability of the original specification. It also introduces backwards-compatible clarifications to the SLSA threat model, attestation model and verification procedure. This includes the addition of verifier metadata to the Verification Summary Attestation (VSA) format. Please, refer to the What’s new section for further details.
What does this update mean for SLSA implimentors? Good news! This means that SLSA 1.1 is backwards compatible with SLSA 1.0.
Although this is a relatively minor update, the SLSA working group has also been busy developing several new tracks covering areas such as source and build environment. We had originally hoped to release these 1.1 improvements as part of larger update but in the end we felt that the 1.1 release was warranted.
So what’s next? The SLSA specification follows the Community Specification lifecycle going through several stages of maturation. The publication of a candidate for Approved Specification starts a 2 week review period during which the community at large is invited to review the draft and raise any issues. If you do find any issue, please, open an issue on GitHub. If no major issues are found during this review period the V1.1 RC2 draft will then be published as Version 1.1, the new Approved Specification, effectively replacing Version 1.0.