Aditya Sirish

Results 379 comments of Aditya Sirish

I'd recommend working on any new in-toto-golang issues in conjunction with Go consolidation, to ensure we still want to add the feature in question.

> Technically it is adding a new format (variant with no-payload) since you can’t take away the old one (with payload), so it’s not really simplifying the verifier. To add...

> If the build system leverages a cache in a build, the provenance should include the cached content as it was originally cached.

Could you restate this? I'm having trouble...

Thanks for all the responses! I'm going to respond to some points by both of you here.

> Logically a build cache SHOULD NOT have a material impact on the...

@chasen-bettinger this should unblock you: https://pypi.org/project/in-toto-attestation/

I think adding this is fine. @skinny-b do you want to take a stab at a PR? We already have an arg for in-toto-run that controls this.

I agree with clarifying this, I think in addition to the `from_signable` aspect, the confusion also arises because we're going from the predicate (legacy links) being signed to a wrapper...

@OliverShang apologies, this went missing in my notifications. I suggest familiarizing yourself with in-toto and its Python + Go implementations. Play with in-toto/demo as well to get a feel for...

@lukpueh wdyt of setting up a separate repository for these tests? The CI could pull from in-toto-python and in-toto-golang's main branches periodically as well as the latest releases :thinking:

I agree with adding a check at the point marked in the first snippet. I think, however, a warning may not suffice. Are there scenarios where an overwrite is fine...