Zhenyu (Adam) Wu
First of all, commit IDs are very useful, and they should be part of provenance, not arguing with that. :D Second, the points I am trying to raise have no...
What is "inputAttestations[].uri" for? Who provides it? If a policy verifier implementation does not fetch attestations (i.e. the callers are responsible for supplying all necessary attestations), I guess the caller...
Bump up this issue. Although specified as optional, the key id is a really important field for centralized verification points, which may "know" hundreds of provenance signers and signing keys....
✋ I have some concerns regarding the proposal on these two fields: `verifiedLevels` and `timeVerified`. - For `verifiedLevels`: To my understanding, VSA is essentially an endorsement statement. Hence it is...
@ramonpetgrave64 I don't quite get your concerns about "closed-source producer that consumes from other closed-source producers". To my understanding, the builder requirements are not recursive or transitive. That is, the...
@ramonpetgrave64 Ah I think we misunderstood each other. :) By requiring at least some SLSA track attributes, I don't mean placing any "minimum bar" on the ladder (e.g. must be...
Yes, an empty `verifiedLevels` is a bit better than completely not having this field (in terms of defending against misinterpretation). Would you entertain the idea that SLSA introduces an *explicit*...
There are two subtle issues with the interpretation @joshuagl: 1. The "FAILED" is over-broad. The current spec has only defined a single track (i.e. SLSA BUILD), so it looks like it could...
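The three comments above on the key id, on an empty versus absent `verifiedLevels`, and on the breadth of `FAILED` can be made concrete with a small verifier. The following is an added example written for this page; it is not code from the commenter, from the thread, or from the SLSA project. It wraps a constructed VSA (SLSA Verification Summary Attestation, `predicateType` `https://slsa.dev/verification_summary/v1`) in a DSSE envelope, looks the signing key up by the envelope `keyid`, and then reads the predicate conservatively. Assumptions, stated here and in the code: HMAC-SHA256 stands in for a real asymmetric signature so the block runs with the standard library alone; the key registry, the key ids (`verifier-a-2024` etc.), the verifier/policy/attestation URIs and the subject digest are all constructed for the example.

```python
"""Added example, not from the page or the SLSA project: a minimal DSSE + VSA verifier.
HMAC-SHA256 is an assumed stand-in for a real signature scheme; the registry and the
sample statement are constructed for illustration."""
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
VSA_PREDICATE_TYPE = "https://slsa.dev/verification_summary/v1"

# Constructed registry (assumption): a central verification point that trusts several
# VSA signers, indexed by the key id each DSSE signature is expected to carry.
KEY_REGISTRY = {
    "verifier-a-2024": b"\x01" * 32,
    "verifier-b-2024": b"\x02" * 32,
    "verifier-c-2023": b"\x03" * 32,
}


def make_statement(result, levels):
    """Constructed in-toto Statement with a VSA predicate. levels=None omits the
    `verifiedLevels` field entirely, so "absent" and "empty" can be told apart."""
    predicate = {
        "verifier": {"id": "https://verifier.example/a"},            # example verifier id
        "timeVerified": "2024-05-01T12:00:00Z",
        "resourceUri": "pkg:generic/example@1.2.3",                   # example resource
        "policy": {"uri": "https://policy.example/example.cue"},      # example policy
        "inputAttestations": [{"uri": "https://attest.example/prov.json",
                               "digest": {"sha256": "b" * 64}}],      # example input
        "verificationResult": result,
        "slsaVersion": "1.0",
    }
    if levels is not None:
        predicate["verifiedLevels"] = list(levels)
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "example", "digest": {"sha256": "a" * 64}}],
        "predicateType": VSA_PREDICATE_TYPE,
        "predicate": predicate,
    }


def pae(payload_type, payload):
    """DSSE Pre-Authentication Encoding: the bytes that are actually signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_envelope(statement, keyid):
    """Wrap a statement in a DSSE envelope signed with the registry key for keyid."""
    payload = json.dumps(statement, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(KEY_REGISTRY[keyid], pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {
        "payloadType": PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(tag).decode()}],
    }


def verify_envelope(envelope):
    """Return (statement, keys_tried), or (None, keys_tried) when no trusted key verifies.
    With a keyid exactly one key is tried; without one the verifier must try every key
    it trusts, which is the scaling cost of leaving keyid out."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return None, 0
    payload = base64.b64decode(envelope["payload"])
    signed = pae(PAYLOAD_TYPE, payload)
    tried = 0
    for sig in envelope.get("signatures", []):
        keyid = sig.get("keyid")
        if keyid is None:
            candidates = list(KEY_REGISTRY.values())
        elif keyid in KEY_REGISTRY:
            candidates = [KEY_REGISTRY[keyid]]
        else:
            continue  # names a key this verifier does not trust: skip, never guess
        tag = base64.b64decode(sig["sig"])
        for key in candidates:
            tried += 1
            if hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), tag):
                return json.loads(payload), tried
    return None, tried


def summarize_vsa(statement):
    """Read a VSA conservatively: FAILED carries no level claim, an absent
    `verifiedLevels` is "no claim made", and an empty list is an explicit "no level"."""
    if statement.get("predicateType") != VSA_PREDICATE_TYPE:
        raise ValueError("not a verification summary attestation")
    pred = statement["predicate"]
    result = pred.get("verificationResult")
    if result not in ("PASSED", "FAILED"):
        raise ValueError("unknown verificationResult: %r" % (result,))
    if result == "FAILED":
        return {"result": result, "levels": (), "claim": "policy not met; no track or level implied"}
    if "verifiedLevels" not in pred:
        return {"result": result, "levels": (), "claim": "verifiedLevels absent: no level asserted"}
    levels = tuple(pred["verifiedLevels"])
    claim = "verifier explicitly asserts no SLSA level" if not levels else "levels asserted by verifier"
    return {"result": result, "levels": levels, "claim": claim}


def meets_build_level(summary, n):
    """True only if the summary asserts SLSA_BUILD_LEVEL_n or higher."""
    prefix = "SLSA_BUILD_LEVEL_"
    return any(lvl.startswith(prefix) and lvl[len(prefix):].isdigit()
               and int(lvl[len(prefix):]) >= n for lvl in summary["levels"])
```

The design choice worth noting is in `summarize_vsa`: both `FAILED` and a missing `verifiedLevels` collapse to "no level asserted" rather than being inferred from context, so a consumer that requires a level gets a deny in every ambiguous case and only an explicit `PASSED` with a listed level grants anything.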
Agree with Tom. The purpose of VSA is to summarize verification, and keeping it lean and mean is essential for facilitating more complex operations to perform well at scale, such...
Sure, will do. Should I target the change to v1.1?