Andrew McNamara
SHOULD + noting in verifying systems or without the note? I support having it as a SHOULD as it is a best practice and can be used to inform other...
> Provenance: Maybe as a new subsection under [Model](https://slsa.dev/provenance/v1#model) talking about the platform implementer carefully thinking about the security model and defining trust boundaries? I worry about adding yet another...
PR #816 is up for review.
Bringing in a comment from https://github.com/slsa-framework/slsa-proposals/pull/9#discussion_r1186528337 @kpk47 mentioned > if a platform is capable of producing different level provenance based on user inputs then we have to trust it to...
Coming from a background in Tekton, I had similar views that I expressed in https://github.com/slsa-framework/slsa/issues/849. For me, however, I see it as being reasonable to have the `builder.id` as...
To add onto the first nit > For example, if a producer wishes to distribute their artifact through a package ecosystem that requires explicit metadata about the build process in...
@jchestershopify, I updated the wording around isolated and ephemeral. Does the content change in #700 resolve this issue? You can see the latest rendered content at https://slsa.dev/spec/v1.0/requirements.
I created #751 as well to clarify some points made here. I think that #717 should hopefully add additional clarification -- especially around the generated provenance accuracy as it needs...
An example of the lack of clarity is that the [attestation model](https://slsa.dev/attestation-model) seems to indicate that provenance is part of the full attestation (i.e. its predicate) while the [provenance](https://slsa.dev/provenance/v1) page...
According to the [attestation-model#recommended-suite](https://slsa.dev/attestation-model#recommended-suite), provenance is a component of an attestation, namely the predicate of the attestation. In [attestation-model#model-and-terminology](https://slsa.dev/attestation-model#model-and-terminology), the attestation is the entire package including the authentication and binding....