Behnaz Hassanshahi

Results 78 comments of Behnaz Hassanshahi

> There are cases when a single release includes 100+ modules.
>
> They all are a part of "JUnit 5.9.1" release. However, it would be great if all those...

> Yes, I think the right way to do this would need to be via a config file that is committed to the repo. The workflow could read this file...

> > > Yes, I think the right way to do this would need to be via a config file that is committed to the repo. The workflow could read...

> @behnazh-w I suppose there's no way for you to split the builds into smaller ones?

No, I can't split the build.

> One idea, like it's been suggested,...

We had a related [discussion](https://github.com/slsa-framework/slsa/pull/673/files/2b858639e3a287135384aba6029b8488dc6552f6#r1148404932) on this requirement:

```markdown
The build attestation SHOULD have a filename that is directly related to the build artifact filename.
```

The guideline doesn't say...

@marcelamelara I have opened a related [issue](https://github.com/slsa-framework/slsa/issues/863) and there is already a [PR](https://github.com/slsa-framework/slsa/pull/948) to adjust the wording.

> * That ensuring trustworthiness of the provenance only really comes at Build L3, not Build L2? And that [Forge values of the provenance](https://slsa.dev/spec/v1.0/threats#e-compromise-build-process) should be marked as "Build L3"...

The plan to have a short-term and a long-term fix sounds good to me. I'm not sure though what the short-term fix would look like. @MarkLodato can you please clarify...

> What if we simplify the ladder by moving "unforgeable" to L2 and drop/merge the redundant requirements?

I think it's a good idea to be more specific about unforgeable provenances:...

We have faced a similar problem too. @jenstroeger deleting the virtual env and rebuilding it doesn't fix our issue. We call `pylint` using a `pre-commit` hook. So, I ran `pre-commit...