slsa-framework / slsa

Supply-chain Levels for Software Artifacts

Home Page:https://slsa.dev

Threat overview uses wrong terminology

eruvanos opened this issue · comments

As mentioned under "Terminology", the term repository should exclusively be used to mean “source repository”.
The image included within "Supply chain threats" lists "G: Compromised package repo".
In my understanding this should be changed to: "G: Compromised package registry"

> Ambiguous terms to avoid
> Package repository: Could mean either package registry or package name, depending on the ecosystem. To avoid confusion, we always use “repository” exclusively to mean “source repository”, where there is no ambiguity.

Well spotted, thanks! And thanks for submitting a PR to fix it.