
Define 'source control system' in source track #1128

Open
TomHennen opened this issue Sep 9, 2024 · 2 comments

Comments

@TomHennen
Contributor

We currently talk about 'VCS' and 'SCP' but don't have a term to talk about the system as a whole.

Defining such a term would make some things easier when we don't have a strong opinion about which specific component of the system fulfills a given role as long as it is filled somewhere.

Let's define the term and then update the source track to use it where appropriate.

@TomHennen
Contributor Author

Let's also incorporate @marcelamelara's feedback from #1094 (review)

Thanks for the updates! My main high-level suggestion is that the source track ought to make the roles and requirements of the VCS vs. SCP vs. producer clearer. In the Build track, the distinction between what the hosted build platform vs the producer is responsible for is called out. In the current source track spec, I feel like there are a lot of assumptions/expectations about the SCP, the producer and the VCS that we aren't including right now. So it might be helpful to draw a clearer separation between who is responsible for achieving which requirements.

@TomHennen
Contributor Author

Proposal (which we can iterate on):

Source Attestation Issuer

A party that evaluates evidence and issues attestations (summary or provenance) about source revisions.

Source Control System (SCS)

A combination of a VCS, SCP, and Source Attestation Issuers that are trusted to manage the source for a Repository by the Organization which controls it. An SCS is the entity responsible for meeting the SLSA requirements through how it assembles and configures the VCS, SCP, and Source Attestation Issuers.

@TomHennen TomHennen self-assigned this Sep 20, 2024