Zachariah Cox
I'm super excited to see this spin up!! I have a few additional questions and thoughts to add to the discussion, in no particular order.

## Attestations are explicitly from...
This has been further clarified in recent meetings and PRs. I believe the current thinking is that closed and open source projects can meet all levels of the SLSA source...
Related to:

* https://github.com/slsa-framework/slsa/issues/758
* https://github.com/slsa-framework/slsa/pull/1083

> The build system would not be appropriate in my opinion as it would not have detailed knowledge of the source control system to...
The relevant terms that seem to pop out here are:

* revision: a state of the source identified uniquely, such as by commit sha
* claim: a statement about a...
@TomHennen what's your mental model example for this one:

> Those issued by other actors in the production of changes for use by the SCP in making the determination to...
@TomHennen, is it fair to say that your analysis is similar to the topic of this issue: https://github.com/slsa-framework/slsa/issues/974#issue-1924418068 Essentially, if you know a lot about what to expect, you'll want...
> that risk can be mitigated if all commits are reviewed during the process.

This is definitely the case, but not typically what happens. Almost all code review tools default...
I think the original topic raised in the description of this issue was addressed by https://github.com/slsa-framework/slsa/pull/1097. I think we can close this one now!
From the work we did in https://github.com/slsa-framework/slsa/pull/1097, I think we have a functional objective for the source track. Similar to the build track, it's about producing attestations that are trustworthy....
Marking "closed" for now! Please feel free to reopen if you feel we didn't address this topic fully 👍