Aditya Sirish

Adding interoperability tests would definitely be great!

This PR may be impacted by https://github.com/secure-systems-lab/go-securesystemslib/issues/5, depending on when PAE is used here.

Wouldn't generating attestations using [DSSE](https://github.com/secure-systems-lab/dsse) help here? There's already some support for it...

Yes, but we won't be using cjson if the attestations are in DSSE as I understand it. Edit: so we can validate them using JSON schema as originally suggested?

We should add `-x / --no-command` to the CLI to indicate no commands.

Yes, the field should just be empty. The reference implementation supports it too. Also note that links generates via record always have the command field empty.

> Just to be sure: > > > We should add -x / --no-command to the CLI to indicate no commands. > > The `-x` flag is for the subcommand...

@shibumi @pxp928 I think this is good to go, please take a look. If we merge this in, we can soon cut a release I think.

This came up in #191. There was an artifact path collision when it should have recorded the link paths (both would still have the same hash). The python implementation does...

Adding explicit models for v0.1 and v0.2 right now should be a minor diff, and will probably help us evaluate the work that goes into keeping multiple provenance versions around....