Joshua Lock
@david-a-wheeler suggested verified reproducible builds in #5
I believe @jorydotcom was planning to work on this? If so, could you comment here and we can assign this issue to you. Thank you.
Apologies for the delayed response here, I thought I had replied already 🤦♂️ I agree that approval by a majority of @slsa-framework/slsa-steering-committee members is an appropriate way to handle projects...
I filed https://github.com/slsa-framework/governance/issues/17 to define and document a process and expectations.
Relates to #196. The two-party approval requirements will most likely not make 1.0, except the recommendation to use two-party approval for all administrative changes to the build service. Therefore I...
Thanks for raising this, I certainly think it's worth some thought – achieving reproducible builds for large pipelines of diverse inputs is non-trivial. The ActiveState case must be close to...
Pinging @slsa-framework/slsa-steering-committee to review the [proposed project roadmap](https://github.com/slsa-framework/slsa-proposals/blob/main/0002/README.md) and raise discussion items here.
Great discussion and suggestions, I like the suggestions for 1.0.
Given that the [OpenSSF Charter](https://cdn.platform.linuxfoundation.org/agreements/openssf.pdf) requires Governing Board approval to use a different license for specifications we might consider this a bug, indicating that this is simply a case of...
Note: `invocation.parameters` is "an arbitrary JSON object with a schema defined by `buildType`.", therefore it's perfectly reasonable for a build service to define a schema which makes sense for them...