Shaun Lowry
> Do you think that logs would provide additional information for verification on top of the above? Would this verification be more about being able to check the build service...
There are some use cases for the VSA where input attestations may be unviable. It's potentially useful to use a VSA to terminate the graph of attestations at points where...
+1 on resolving for 1.0. If they're optional at a given level, we should just push them up a level and make them mandatory, even if that means having a...
+1 on resolving for 1.0
+1 on resolving for 1.0, even if the resolution is "this is fine as is"
Related: https://github.com/slsa-framework/slsa/issues/414 and https://github.com/slsa-framework/slsa/pull/415. The wording has already changed to allow for non-falsifiable attestations secured by mechanisms other than digital signatures; let's ensure that intent is preserved.
Resurfacing this one. Firstly, just to spell it out:
- a digital signature is (usually) an encrypted, secure digest of the message it signs.
- If you have a digitally...
Happy to contribute here. I'm particularly interested in how SLSA and SBOM overlap where SLSA gives you highly detailed information on the provenance of individual software artifacts and SBOM gives...
+1 on deferring this
I think this makes sense. FWIW at ActiveState, we think of a build producing a number of artifacts, each created by a number of steps with distinct builders. Users can...