Andrew McNamara
I was looking into creating a PR for this and I stopped once I looked at the schema -- https://slsa.dev/provenance/v1#schema ``` // Standard attestation fields: "_type": "https://in-toto.io/Statement/v1", "subject": [...], //...
One of the challenges that we will have to contend with is who is an "appropriate" entity for generating the attestations. The build system would not be appropriate in my...
My primary issues with the original source attestations are resolved as the PR states that the source control platform generates them. +1 from me to close this.
What are the threats to compromising the source repo that exist outside of submitting unauthorized changes? Would this consider threats against the hosting of the version control system?
> I don't know if I can speak for the attestation maintainers / other in-toto spec authors but for me "admission controller" is quite generic. A dependency review attestation (https://github.com/in-toto/attestation/pull/151)...
This topic came up in the SLSA specification call today. Namely, the question was raised whether in-toto might need a new attestation type or whether [SCAI](https://github.com/in-toto/attestation/blob/main/spec/predicates/scai.md) would be able to...
This has been mentioned elsewhere, but the SLSA specification does not pertain to any guarantees about what is _in_ the code repositories themselves. Some diligence will be required by producers...
It is not a requirement that the provenance at SLSA build L3 is complete. This means that it is not a requirement to resolve all of the git branch/tag references...
+1 to this feature. It is currently very hard to identify the sources for tekton bundles that are in a repository. It may even be possible to fill out some...
In the above PR that @ralphbean linked, annotations were added to link `USAGE.md` and `TROUBLESHOOTING.md` files using the keys `dev.tekton.docs.usage` and `dev.tekton.docs.troubleshooting`, respectively. Unlike the `dev.tekton.image.*` annotations, however, these are...