Shaun Lowry
Currently, the spec for predicate metadata includes:

> metadata.buildInvocationId string, optional
>
> Identifies this particular build invocation, which can be useful for finding associated logs or other ad-hoc analysis....
For build systems which are capable of building many millions of individual packages and versions, it's not practical to require that every individual package version has its own unique build...
Some ecosystems struggle to produce bitwise-identical artifacts for multiple runs of the exact same toolchain ([discussion](https://docs.google.com/document/d/1ZUchp6wY-wBwTScASL748kY7guUazvQdLZ8_r0XJWg8/edit)). We should consider the wording of the requirement for reproducibility and the SLSA level...
There are certain things we'd like to do as part of producing usable artifacts which are necessarily not executable in a hermetic context or easily reproducible, an example being Authenticode...
At ActiveState, we're producing a build system which is capable of building arbitrary sets of open source components. Even when considering just the Perl and Python ecosystems, there are tens...
Images from digital cameras with embedded EXIF data which indicates they need rotation sometimes won't display as resetCropHost is called too early
Visual Studio 2010 and later come with stdint.h but also define uint32_t and others elsewhere which cause compilation failures