
Provenance: remove or clarify duplication between `configSource` and `materials`

Open AdamZWu opened this issue 4 years ago • 0 comments

In the SLSA provenance v0.2 specification, there are two separate places for build material references:

  1. build entry point in invocation.configSource;
  2. build materials in materials.

The examples present the top-level source repo in both places, i.e. two identical copies of the "uri" and "digest" tuples. However, some may find this duplication undesirable, as it could lead to inconsistencies.

Alternatively, could we adopt a no-duplication presentation, i.e. the top-level source only appears in invocation.configSource, not again in materials? The downside is that the materials list won't contain all build materials.

Please clarify. Thanks~

AdamZWu, Dec 13 '21 17:12
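The inconsistency risk the issue raises is the practical one for a verifier: a provenance that lists the source repo in both `invocation.configSource` and `materials` can carry two digests that disagree, and a provenance in the no-duplication form has an incomplete `materials` list unless the verifier folds `configSource` back in. The following is an added example, not code from the issue or from the SLSA project. It assumes only the v0.2 predicate field names (`invocation.configSource.{uri,digest,entryPoint}`, `materials[].{uri,digest}`); the predicate contents, URIs and digests are constructed for illustration, and the status names returned by the checker are this example's own.

```python
"""Check that invocation.configSource and materials agree in a SLSA v0.2
provenance predicate, and expand the no-duplication form back into a
complete materials list.  Example code; the predicates below are made up."""
import copy
import json

# Constructed sample predicate. Field names follow SLSA provenance v0.2;
# the builder id, repo URI and digests are illustrative, not real.
SAMPLE_PREDICATE = json.loads(r"""
{
  "builder": {"id": "https://example.com/builder"},
  "buildType": "https://example.com/build-types/generic@v1",
  "invocation": {
    "configSource": {
      "uri": "git+https://example.com/org/repo@refs/heads/main",
      "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"},
      "entryPoint": "build.yaml"
    }
  },
  "materials": [
    {
      "uri": "git+https://example.com/org/repo@refs/heads/main",
      "digest": {"sha1": "0123456789abcdef0123456789abcdef01234567"}
    },
    {
      "uri": "pkg:npm/left-pad@1.3.0",
      "digest": {"sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"}
    }
  ]
}
""")

# Variant 1 (constructed): the two copies of the source digest disagree.
MISMATCHED_PREDICATE = copy.deepcopy(SAMPLE_PREDICATE)
MISMATCHED_PREDICATE["materials"][0]["digest"]["sha1"] = "f" * 40

# Variant 2 (constructed): the no-duplication form proposed in the issue,
# where the top-level source appears only in configSource.
NO_DUP_PREDICATE = copy.deepcopy(SAMPLE_PREDICATE)
del NO_DUP_PREDICATE["materials"][0]


def compare_digests(a, b):
    """Compare two DigestSet maps on the algorithms they share.
    Returns 'match', 'mismatch', or 'incomparable' (no shared algorithm)."""
    shared = set(a) & set(b)
    if not shared:
        return "incomparable"
    if all(a[alg].lower() == b[alg].lower() for alg in shared):
        return "match"
    return "mismatch"


def check_config_source(predicate):
    """Classify how configSource relates to the materials list.
    Returns (status, uri) with status one of:
      'no_config_source'  no configSource.uri present
      'consistent'        a material with the same uri and agreeing digest
      'mismatch'          same uri but a shared digest algorithm disagrees
      'incomparable'      same uri but no digest algorithm in common
      'absent'            no material carries the configSource uri"""
    cs = predicate.get("invocation", {}).get("configSource") or {}
    if "uri" not in cs:
        return ("no_config_source", None)
    same_uri = [m for m in predicate.get("materials", []) if m.get("uri") == cs["uri"]]
    if not same_uri:
        return ("absent", cs["uri"])
    results = {compare_digests(cs.get("digest", {}), m.get("digest", {})) for m in same_uri}
    if "mismatch" in results:
        return ("mismatch", cs["uri"])
    if "match" in results:
        return ("consistent", cs["uri"])
    return ("incomparable", cs["uri"])


def effective_materials(predicate):
    """Return a complete materials list with the config source included
    exactly once, so a verifier can treat both presentations uniformly.
    Raises ValueError when the duplicated copies disagree, since a verifier
    must not silently pick one of two conflicting digests."""
    status, uri = check_config_source(predicate)
    materials = copy.deepcopy(predicate.get("materials", []))
    if status == "mismatch":
        raise ValueError(f"configSource digest conflicts with materials entry for {uri}")
    if status == "absent":
        cs = predicate["invocation"]["configSource"]
        materials.insert(0, {"uri": cs["uri"], "digest": cs.get("digest", {})})
    return materials


if __name__ == "__main__":
    for label, pred in [("duplicated", SAMPLE_PREDICATE),
                        ("no-duplication", NO_DUP_PREDICATE),
                        ("conflicting", MISMATCHED_PREDICATE)]:
        print(label, check_config_source(pred))
```

Whichever presentation the spec settles on, a verifier that runs `check_config_source` and then consumes `effective_materials` sees the same material set for both forms and rejects the one case that is genuinely unsafe, the conflicting-digest provenance.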