Michael Lieberman
I recognize this is an edge case. If I have something like schema.json:
```
...
"type": "string",
"enum": [
  "GPL-3.0",
  "GPL-3.0+",
]
```
This will lead to golang code like:...
Description: Apply best practices as defined by the Supply Chain Security WG's Best Practices guide as well as any additional practices as defined in the Secure Software Factory ref arch....
Description: The Security TAG has done some work based on work by @SantiagoTorres. OpenSSF is looking at potentially starting their own catalog or want to contribute to existing catalogs. There...
There is some confusion around whether trusted, validated builders that don't run developer code count as service generated or literally only the control plane.
SLSA currently doesn't provide guidance or elaborate on the distinction between the things that are being built and packaged and how the packaging itself is being maintained. For example:...
Related somewhat to: #129 Even though the provenance spec does allow you to point to source control for "materials," it doesn't allow for the ability to attest to "verified history,"...
This is a placeholder for initial discussion and work. This came out of 8/11/2021's SLSA community meeting. Currently it is not completely clear what is in or out of scope...
Had a discussion with some of the folks who do a lot of the work on Nix and one of the things they highlighted was where you can't do reproducible...
This mostly copies the functionality of image attestation and blob signing. Signed-off-by: Michael #### Summary This will allow users to attest local blobs similar to attesting images, following a similar...
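What "attesting a local blob" amounts to, shown as an added example rather than code from the PR or from cosign itself: the blob is identified by its sha256 digest as the `subject` of an in-toto Statement (the v0.1 layout: `_type`, `subject`, `predicateType`, `predicate`), exactly as an image attestation identifies the image by its manifest digest. The predicate type URL, the predicate contents and the sample blob bytes are constructed for illustration; signing and DSSE wrapping are left out.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// StatementType is the in-toto Statement v0.1 type identifier.
const StatementType = "https://in-toto.io/Statement/v0.1"

// Digest maps an algorithm name (here only "sha256") to a hex digest.
type Digest map[string]string

// Subject is the artifact the statement is about.
type Subject struct {
	Name   string `json:"name"`
	Digest Digest `json:"digest"`
}

// Statement is the unsigned in-toto Statement carried inside an attestation.
type Statement struct {
	Type          string          `json:"_type"`
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// BlobDigest returns the lowercase hex sha256 of the blob contents.
func BlobDigest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// NewBlobStatement binds a predicate to a local blob by its sha256 digest.
// Nothing about the blob except its digest and a display name is recorded,
// so the consumer must recompute the digest over the bytes it actually holds.
func NewBlobStatement(name string, blob []byte, predicateType string, predicate interface{}) (*Statement, error) {
	pred, err := json.Marshal(predicate)
	if err != nil {
		return nil, err
	}
	return &Statement{
		Type:          StatementType,
		PredicateType: predicateType,
		Subject:       []Subject{{Name: name, Digest: Digest{"sha256": BlobDigest(blob)}}},
		Predicate:     pred,
	}, nil
}

// VerifySubject is the check a consumer makes before trusting the predicate:
// the blob in hand must hash to a digest listed in the statement's subjects.
// A statement whose subject does not match is not "about" this blob at all.
func VerifySubject(st *Statement, blob []byte) bool {
	want := BlobDigest(blob)
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample blob and predicate; a real predicate would be
	// e.g. SLSA provenance or an SBOM.
	blob := []byte("hello, release artifact\n")
	st, err := NewBlobStatement("release.tar.gz", blob,
		"https://example.com/predicate/v1", // hypothetical predicate type
		map[string]string{"builder": "ci"})
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(st, "", "  ")
	fmt.Println(string(out))
	fmt.Println("subject matches blob:", VerifySubject(st, blob))
	fmt.Println("subject matches tampered blob:", VerifySubject(st, append(blob, '!')))
}
```

The point of the `VerifySubject` step is that the statement carries no copy of the blob; the only thing tying the predicate to a file on disk is the digest, so any consumer of a blob attestation has to hash the file it is about to use and compare, the same way image attestation verification compares against the manifest digest.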
Some people, for example in the mailing list, have reported that the slack link on: https://slsa.dev/community is asking for an LF account whereas the slack link on https://openssf.org/getinvolved/ lets folks...