Zhenyu (Adam) Wu
In the SLSA provenance v0.2 specification, there are two separate places for build material references: 1. the build entry point in `invocation.configSource`; 2. build materials in `materials`. The examples present the top-level source...
SLSA provenance defines digests as "cryptographic digests for the **contents** of the artifact". However, the git examples use a "commit hash", which does not match the specification. A possible fix is...
The definition of Build describes the inputs "may be sources, dependencies, or ephemeral build outputs." To my understanding, "dependencies" are persistent build output artifacts. Is that correct? If so, I...
The current documentation seems to refer to two separate ladders.
- The SLSA build ladder, which currently goes from 0 to 3, and the value is dependent on the builder,...
@msuozzo and I had a discussion on a potential builder pitfall when reporting source material in the build provenance. With a "regular" git clone, the entire history of the repo...
SLSA v1.0 specs refer to the in-toto v1 ResourceDescriptor, does that mean a SLSA v1.0 predicate can only be encapsulated by an in-toto statement v1? (i.e. we should not expect...
An in-toto attestation has several layers, e.g., DSSE, in-toto statement, and predicate. The DSSE layer is responsible for ensuring the data integrity, while the predicate layer delivers data intended for...
The in-toto specs use DSSE to contain the statement data and carry signatures.
- The statement is first serialized as a **JSON string**;
- Then **base64 encoded** and stored in...
VSA is intended to present a summary of verification results, so that consumers (who trust the attestor) can avoid re-performing verification. However, practically there are two types of verification results:...
The attestation "bundle" provides a good mechanism to generalize, allowing supply chain components to handle all kinds of attestations in a homogeneous way, which is great when the components don't...