Aditya Sirish
Hey, has there been an update on this?
This would be great for https://r-b.engineering.nyu.edu! One thing I'd like to see (I don't know what's default) is not overwriting the configuration files. Could it be something like what pacman...
Nice! The NYU rebuilder doesn't run on Arch, so I build and install manually from source.
> However, where supported signed artefacts provide value

This may be a silly question, but can we discuss the value (apart from required situations like OS repositories) they provide that...
Enhance runlib to allow users to add arbitrary data to environment / record environment from the CLI
Hi @chunteck, some of the thinking behind `env` has been captured in the new in-toto / SLSA provenance specification. Have you checked that out yet? It's got a `builder.id` field...
Enhance runlib to allow users to add arbitrary data to environment / record environment from the CLI
The SLSA provenance model is defined in in-toto-golang (https://github.com/in-toto/in-toto-golang/blob/master/in_toto/slsa_provenance/v0.2/provenance.go) but there isn't a workflow there like in-toto-run that generates it.
Hi @marmarek, thank you for the PR! I'm only now able to take a look at it and consider the implications, so I'll get back to you ASAP. @fepitre, if...
The current document format is shared with our sister project, TUF. The implementation for both projects is provided through [securesystemslib](https://github.com/secure-systems-lab/securesystemslib). The tooling for DSSE implemented can be prototyped here, in...
Hi @a-muk, sure thing! in-toto is a framework that generates metadata files which can be used to make certain verifiable claims about processes in the software supply chain. This metadata...
`SERIALIZED_BODY` is of type `bytes` and should be a JSON object which includes a `_type` field. The [protocol](https://github.com/secure-systems-lab/dsse/blob/master/protocol.md#signature-definition) only refers to `SERIALIZED_BODY` for the actual signature calculation while the envelope...