Aditya Sirish


ITE-9 has been accepted!

+1, I think **requiring** squash merge is not the best idea. IMO, there's value in preserving not just the history of the feature branch but also the signatures on the...

I'm going to drop some thoughts / reasoning we've been using as we've been building gittuf. :smile: In my mind, the question about source attestations is across two axes. First,...

@TomHennen I personally think that'd be a good start! It unblocks the early levels (where we trust the SCP fully anyway), and we can build on what we're putting in...

Thanks for opening this issue! I think this ties into the threats the track is attempting to address. The current draft is focused on mitigating threat A (submit unauthorized changes)...

Yeah. The PHP Git server incident mentioned in https://slsa.dev/spec/v1.0/threats-overview#real-world-examples is one example, but in my mind this would also extend to being able to verify the enforcement of security controls...

> Should the spec recommend/suggest/mention a format which implements the proposed properties? i.e., DSSE

ITE-5 recommends DSSE while leaving the door open for other options. The reason the TAP currently...

Just opened https://github.com/theupdateframework/go-tuf/issues/176 to track implementing DSSE in go-tuf.

After that's merged, the TAP should be updated in the signature format section: https://github.com/theupdateframework/taps/blob/master/tap18.md#signature-format. Specifically, `BUNDLE` should be replaced in favour of the DSSE signature extension and possible similar custom...