Joshua Lock
> * It was also noted that the VSA _could_ include a hash of the provenance, which could later be used to prove to an auditor that a provenance attestation...
> This concept generalizes to future SLSA tracks as well, so perhaps the phrasing should be about whether the consumer has sufficient context to evaluate an attestation? Absolutely agree, great...
I support this proposal, especially if we do a broad survey to make sure it fits most CI/CD systems. I hope we can easily answer that question for Tekton and...
I wholeheartedly endorse this suggestion. The whole point, iirc, of the logos is to demonstrate that this is an industry collaboration --- we should invite all of our collaborators to...
I like this suggestion.
Yes, I think SLSA should recommend against using a bare SLSA when they have added their own requirements. Would the simplest thing be to encourage companies to group their requirements...
I agree that there's value in capturing locked dependencies and hermetic builds as distinct concepts. For many developers, pinned/locked dependencies are increasingly common, but capture only the ecosystem dependencies –...
nb +1 🎓 in-toto is not only a great system, it is also a frequently cited inspiration for other systems, defines standard formats that multiple systems implement, and benefits from...
> > Final thought, is adding a new level appropriate for a minor release, or should we consider a major release for this?
>
> We've talked about this on...
I rebased the PR on main and pushed a commit to resolve the linter warnings. Let's figure out remaining minor changes to land this PR and then build on it...