Aditya Sirish

Results 370 comments of Aditya Sirish

Makes sense, starting with https://github.com/in-toto/attestation/issues/77#issuecomment-988733291?

> audiences

That's a good question. I'd like to hear everyone's thoughts, but going back to @dn-scribe's comment above, I can see a couple of use cases where source control attestations...

```
vote-against: "This is malicious; don't install it."
reproduced: "We were able to reproduce this update from the source code." Requires open source software.
spot-check: "We quickly looked at the...
```

@MarkLodato do you have any thoughts on how to avoid negative votes for dependency reviews?

The Sig v2 spec looks great! I've looked at crev a bit but haven't come across https://github.com/git-wotr/spec/blob/master/design.org before. Taking a look...

Related to code review: #151 and #77

Added `strong_password` compromise - #5

Added `bootstrap-sass` - #6

https://github.com/in-toto/attestation/issues/77 is relevant here. We've been talking about defining human review predicates for code review probably starting with VCS reviews and dependency reviews like with `crev`. It'd be great to...

```
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "subject": [
    {
      "name": "[email protected]",
      "url": "pkg:npm/[email protected]", // requires https://github.com/in-toto/attestation/pull/95
      "digest": { "sha256": "abcdef..." }
    }
  ],
  "predicateType": "https://github.com/ossf/alpha-omega/v0.1",
  "predicate": {
    "review_text": "This was a lot...
```