Meder Kydyraliev

Results: 12 comments by Meder Kydyraliev

@bureado 1. ack, thank you. 2. Great question. Dependency track covers "build dependencies", which are currently [defined in SLSA](https://slsa.dev/spec/v1.0/terminology) as: "Artifacts fetched during initialization or execution of the build process,...

I suppose there are two ways to look at the mitigations on the threats page: using existing SLSA tracks vs best practices. I was leaning towards applying the existing SLSA...