Andrew McNamara

Results 80 comments of Andrew McNamara

I am not opposed to reproducible builds, just to including them in the build track. I will try to add some commentary to the document.

Based on my reading of the npm issue presented above, this arises when there is no package lock present. The inconsistency arises when packages are installed from local caches vs....

What is the actual problem that we are trying to resolve with the mismatch of package names between the API and the package.json? The ability to create an accurate provenance?...

Apologies for the detour. I was coming at this from a perspective of a build platform which is only consuming npm packages and not one that is producing the packages...

@ianlewis, this also seems related to #966 (around self-hosted runners). I tried to address the need for clarification by adding to the FAQs: https://github.com/slsa-framework/slsa/pull/989. Does this help the current...

> Discussed in community meeting July 17, 2023. We've decided to start the process to move VSA to in-toto.
>
> I'll keep this issue open in the backlog to...

I should have looked before I asked. @kpk47, I see that you opened https://github.com/in-toto/attestation/issues/277 :)

I commented on potential levels for a "reproducible" track in https://github.com/slsa-framework/slsa/issues/230#issuecomment-1563332926. One related set of requirements from the 0.1 spec is pinned dependencies. Content from the linked comment:

> Splitting...

I wasn't able to attend the call today again unfortunately. Would properties related to this be added in L4 and above or would there be "properties of reproducibility" that are...

> I wasn't able to attend the call today again unfortunately. Would properties related to this be added in L4 and above or would there be "properties of reproducibility" that...