Results: 268 comments of Joshua Lock

There's some good context in "Could npm use VSAs instead of a custom 'publish' attestation?" https://github.com/slsa-framework/slsa/issues/801

Thanks for the initial thoughts on this. This seems worth documenting indeed. I agree strongly with the assertion that any transformation process --> build and that data inputs seem to...

A proposal to address this issue has been submitted to the slsa-proposals repository: [Add proposal Steering Committee application, terms, and role](https://github.com/slsa-framework/slsa-proposals/pull/15). We are keen to see feedback and strongly encourage...

Thanks for summarising @MarkLodato! I think we should move the (excellent) longer term idea into a separate issue and track only the short term item in this issue. @behnazh-w, would...

> @joshuagl do you mind filing a separate issue for the long-term fix (presumably for v1.1)? Done. https://github.com/slsa-framework/slsa/issues/949

> What if we simplify the ladder by moving "unforgeable" to L2 and drop/merge the redundant requirements? I'm all for moving unforgeable to L2 and merging with authentic. The hosted...

The discussion of removing "Builds Hosted" from Build L2 may need to be forked into a separate issue. We keep coming back to this, so I think it's worth some...

The change to dedicated seems reasonable to me, especially with the removal of dedicated before build platform. 👍

One reason the requirement exists is to reduce the number of systems a consumer must trust. I think of this often in the context of getting packages from a Linux...

I don't think any more is required at this time. Provenance v1.0 has a good level of design rationale and guidance.