Joshua Lock
+1 Reasoning out loud: we would include the `attestor` in the object because we want that `id` to be explicit and in authenticated data, rather than relying on an undefined...
This request initially came from SLSA, where we've added a `byproducts` field in the v1 provenance format https://slsa.dev/provenance/v1/#byproducts
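As an added illustration of the `byproducts` field mentioned in the comment above (example code written for this page, not from SLSA or in-toto), the block below builds a minimal in-toto Statement carrying SLSA v1 provenance with two byproducts recorded under `predicate.runDetails.byproducts`, then checks an artifact against the digest recorded there. The `buildType`, builder `id` and the artifact contents are constructed placeholders, not real values.

```python
import hashlib
import json

INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample artifacts; any bytes would do for the demonstration.
SAMPLE_PACKAGE = b"binary package contents (constructed sample)"
SAMPLE_BUILD_LOG = b"2024-01-01T00:00:00Z build started\n... build finished\n"
SAMPLE_SBOM = b'{"spdxVersion": "SPDX-2.3", "name": "constructed-sample"}'


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the form used in in-toto DigestSets."""
    return hashlib.sha256(data).hexdigest()


def build_provenance(subject_name: str, subject_bytes: bytes, byproducts) -> dict:
    """Return a minimal Statement with SLSA v1 provenance.

    `byproducts` is a list of (name, bytes) pairs; each becomes a
    ResourceDescriptor under predicate.runDetails.byproducts, i.e. inside
    the signed payload rather than in unsigned envelope metadata.
    The buildType and builder id below are placeholders (assumption).
    """
    return {
        "_type": INTOTO_STATEMENT_V1,
        "subject": [
            {"name": subject_name, "digest": {"sha256": sha256_hex(subject_bytes)}}
        ],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/buildtypes/demo/v1",  # placeholder
                "externalParameters": {},
                "resolvedDependencies": [],
            },
            "runDetails": {
                "builder": {"id": "https://example.com/builders/demo"},  # placeholder
                "byproducts": [
                    {"name": name, "digest": {"sha256": sha256_hex(content)}}
                    for name, content in byproducts
                ],
            },
        },
    }


def verify_byproduct(statement: dict, name: str, data: bytes) -> bool:
    """Check that `data` matches the byproduct recorded under `name`.

    Returns False if the predicate type is wrong, the name is not listed,
    or the digest does not match; a byproduct that the build did not
    record is treated as unverifiable rather than trusted.
    """
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return False
    run_details = statement.get("predicate", {}).get("runDetails", {})
    for descriptor in run_details.get("byproducts", []):
        if descriptor.get("name") == name:
            return descriptor.get("digest", {}).get("sha256") == sha256_hex(data)
    return False


def demo_statement() -> dict:
    """Build the sample statement and round-trip it through JSON,
    as it would travel inside a DSSE envelope's payload."""
    statement = build_provenance(
        "pkg/constructed-sample-1.0.tar.gz",
        SAMPLE_PACKAGE,
        [("build.log", SAMPLE_BUILD_LOG), ("sbom.spdx.json", SAMPLE_SBOM)],
    )
    return json.loads(json.dumps(statement, sort_keys=True))


if __name__ == "__main__":
    stmt = demo_statement()
    print(json.dumps(stmt, indent=2))
    print("build.log ok:", verify_byproduct(stmt, "build.log", SAMPLE_BUILD_LOG))
    print("tampered ok:", verify_byproduct(stmt, "build.log", SAMPLE_BUILD_LOG + b"x"))
```

The check deliberately refuses names that are not in the list: a consumer should only trust a byproduct the builder actually attested to, and the whole statement is what the envelope signature covers.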
- [ ] PyPI "ssh-decorate" - https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/
- [ ] webmin backdoor http://www.webmin.com/exploit.html
I wonder if we should focus on infrastructure provider centric messaging to start? IMHO the ideal path to adoption is enabling a feature your existing tooling and infrastructure has implemented...
> This page does _not_ resolve this issue, but I think it's a step on the path. Agreed, this is a great start. Could we also link to [s2c2f](https://github.com/ossf/s2c2f)? Or...
I've just updated this PR to account for the removal of AUD-5 in #51
Any thoughts on this? It feels like a simple change which provides a readability win for new readers.
I just added a commit here which adds a threat entirely mitigated by maturity level 1, the node-ipc relicense to DBAD, to fix #49. It felt appropriate to include it...
I'd make the change myself and submit a PR, but I can't find the "source" from which the maturity diagram is generated.