Aditya Sirish
Indeed, but that work needs some more clarity on the status of VSA as a generic predicate type. https://github.com/in-toto/attestation-verifier is a great place to test out how VSAs can work...
(It's a bit late but I hope this comment is fairly clear...) I recognize there's a lot of overlap in that VSA and SCAI both capture some set of (arbitrary-ish)...
> So, I've been thinking about whether we could introduce a way to sub-class existing predicates in cases like these. Without going too far off topic, I think this has...
I think this may overlap with #124. I _am_ a bit worried about fragmentation though.
So the other thread is about a "source" attestation recording artifact sources. Each source is then going to be a resource descriptor. As it's proposed, I think we're essentially talking...
There's also https://github.com/testifysec/witness/blob/main/docs/attestors/material.md to consider. cc @colek42 @mikhailswift
> Regarding the artifact information: Isn't this the goal of the subject (at the statement level)? Since the attestation format allows for multiple subjects the code review attestation could require...
Given the consensus about handling vuln scans and the like independently, I'm going to generalize this to handle "human reviews", as @iamwillbar suggested. I'll rewrite the original issue to reflect...
> My understanding is that Gerrit and GitHub reviews work differently. I actually plan to use some time this coming break to review some of the popular systems / services...
> I actually plan to use some time this coming break to review some of the popular systems / services to understand how much we can abstract. I should have...