In 2023, Sonatype reported a 200\% increase in software supply chain attacks, including major build infrastructure attacks. To secure the software supply chain, practitioners can follow security framework guidance like the Supply-chain Levels for Software Artifacts (SLSA). However, recent surveys and industry summits have shown that despite growing interest, the adoption of SLSA is not widespread. To understand adoption challenges, \textit{the goal of this study is to aid framework authors and practitioners in improving the adoption and development of Supply-Chain Levels for Software Artifacts (SLSA) through a qualitative study of SLSA-related issues on GitHub}. We analyzed 1,523 SLSA-related issues extracted from 233 GitHub repositories. We conducted a topic-guided thematic analysis, leveraging the Latent Dirichlet Allocation (LDA) unsupervised machine learning algorithm, to explore the challenges of adopting SLSA and the strategies for overcoming these challenges. We identified four significant challenges and five suggested adoption strategies. The two main challenges reported are complex implementation and unclear communication, highlighting the difficulties in implementing and understanding the SLSA process across diverse ecosystems. The suggested strategies include streamlining provenance generation processes, improving the SLSA verification process, and providing specific and detailed documentation. Our findings indicate that some strategies can help mitigate multiple challenges, and some challenges need future research and tool enhancement.
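The abstract refers to "provenance generation" and "the SLSA verification process" without showing what either involves. The following added example (not code from the paper, and not the SLSA project's own tooling) builds a SLSA v1 provenance statement for an artifact, wraps it in a DSSE envelope, and then verifies it the way a consumer must: check the signature over the DSSE pre-authentication encoding before trusting anything in the payload, then match the artifact digest, the builder identity and the source repository. The artifact bytes, source repository, commit and key are constructed; an HMAC with a shared secret stands in for the public-key signatures real DSSE envelopes carry, and the builder id is written in the form used by the slsa-github-generator workflows but is only illustrative here.

```python
"""Added example: structural verification of a SLSA v1 provenance attestation.

Not from the paper or the SLSA project. Artifact, repo, commit and key are
constructed; HMAC stands in for the public-key signature of a real builder.
"""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List, Set

IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
PAYLOAD_TYPE = "application/vnd.in-toto+json"


def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding: the exact bytes a signer signs."""
    t = payload_type.encode()
    return (b"DSSEv1 " + str(len(t)).encode() + b" " + t + b" "
            + str(len(payload)).encode() + b" " + payload)


def make_provenance(artifact: bytes, name: str, builder_id: str,
                    source_uri: str, commit: str) -> dict:
    """The in-toto statement a SLSA builder emits for `artifact`."""
    return {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/hypothetical-build-type/v1",
                "externalParameters": {"source": source_uri},
                "resolvedDependencies": [{"uri": source_uri,
                                          "digest": {"gitCommit": commit}}],
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def sign_envelope(statement: dict, keyid: str, key: bytes) -> dict:
    """Wrap the statement in a DSSE envelope (HMAC stands in for a signature)."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = hmac.new(key, dsse_pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode()}]}


def verify_provenance(envelope: dict, artifact: bytes, trusted_builders: Set[str],
                      expected_source: str,
                      check_sig: Callable[[str, bytes, bytes], bool]) -> List[str]:
    """Return verification failures; an empty list means the artifact is accepted."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return ["unexpected payloadType"]
    payload = base64.b64decode(envelope["payload"])
    pae = dsse_pae(envelope["payloadType"], payload)
    # Signature first: nothing in the payload is trustworthy until this passes.
    if not any(check_sig(s["keyid"], pae, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        return ["no valid signature over the DSSE PAE"]
    stmt = json.loads(payload)
    errors = []
    if stmt.get("_type") != IN_TOTO_STATEMENT_V1:
        errors.append("not an in-toto v1 statement")
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        errors.append("predicate is not SLSA provenance v1")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in stmt.get("subject", [])):
        errors.append("artifact digest not listed in provenance subjects")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id")
    if builder not in trusted_builders:
        errors.append(f"untrusted builder: {builder}")
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "") == expected_source
               or d.get("uri", "").startswith(expected_source + "@") for d in deps):
        errors.append("source repository does not match expected_source")
    return errors


def demo() -> Dict[str, List[str]]:
    """Run the verifier on a good envelope, a tampered artifact, a forged envelope
    and an untrusted builder; returns the error list for each case."""
    key = b"hypothetical-builder-signing-secret"
    def check(keyid: str, pae: bytes, sig: bytes) -> bool:
        return keyid == "build-key-1" and hmac.compare_digest(
            hmac.new(key, pae, hashlib.sha256).digest(), sig)
    artifact = b"\x7fELF constructed artifact bytes"          # constructed
    builder = ("https://github.com/slsa-framework/slsa-github-generator/"
               ".github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0")
    source = "git+https://github.com/example-org/example-app"   # hypothetical
    stmt = make_provenance(artifact, "app-linux-amd64", builder,
                           source + "@refs/heads/main", "0" * 40)
    env = sign_envelope(stmt, "build-key-1", key)
    return {
        "good": verify_provenance(env, artifact, {builder}, source, check),
        "tampered": verify_provenance(env, artifact + b"\x00", {builder}, source, check),
        "forged": verify_provenance(sign_envelope(stmt, "build-key-1", b"attacker-key"),
                                    artifact, {builder}, source, check),
        "wrong_builder": verify_provenance(env, artifact, {"https://example.com/other"},
                                           source, check),
    }


if __name__ == "__main__":
    for case, errs in demo().items():
        print(case, "OK" if not errs else errs)
```

The ordering inside `verify_provenance` is the point: a verifier that parses the payload or compares digests before the signature check can be steered by an attacker-controlled statement. Real deployments replace the HMAC callback with Sigstore or key-based signature verification and typically pin the builder id to a specific tag, which is where much of the implementation complexity the study reports comes from.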