Andrew McNamara
From @MarkLodato > Should `parameters` be standardized or type-specific? Maybe define standard names but allow other ones? From @joshuagl > I think we should define standard names for `parameters`. I...
Interesting, the part that makes the least sense to me is > This communication is not captured directly in the provenance, but is instead implied by builder.id I generally read...
Let me try to restate my argument instead of directly responding to all of the questions. I see a cache as an implementation detail of a build system. It saves...
> Cached intermediate artifacts MUST be considered dependencies and SHOULD have their own provenance. This mostly has an impact for the future Build L4 where all dependencies MUST be recorded...
The cache requirements cannot be enforced if the build platform is not in full control of it. Therefore, I think that we can clarify in L3 to indicate that a...
Would a Bazel-based system be able to differentiate between intermediate artifacts and the resolved dependencies? I wasn't trying to say that everything pulled from the cache should be indicated as...
In order to have a reasonable guarantee about the authenticity of the provenance (i.e. L3), all build activity needs to happen within the trust boundary and the threat model needs...
I started to fix this in #810 but then the PR exploded to unify on `platform`. In the PR, however, I did call out whether the wording that I added...
Should the change then be to include the `MUST` wording and to include it in verifying systems or to change it to `SHOULD` (and still include it in verifying systems)?