Joshua Lock
The description of the [Hermetic](https://slsa.dev/spec/v0.1/requirements#hermetic) requirement encapsulates two conditions: 1. All transitive build steps, sources, and dependencies were fully declared up front with immutable references 2. the build steps ran...
Hermetic is a relatively common term in build systems to describe a build which is unaffected by external factors, such as the libraries and binaries on the host system, requiring...
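The first of the two Hermetic conditions quoted above (every transitive dependency declared up front with an immutable reference) is something a verifier can mechanically check against a SLSA Provenance v0.2 predicate. The following is an added example, not code from the original thread or from the slsa-framework project: it walks the predicate's `materials` list and `metadata.completeness.materials` flag, treats a material as immutably referenced only if it carries a well-formed content digest (a URI with a tag or branch name is mutable), and returns findings. The set of accepted digest algorithms is an assumed verifier policy, and both sample predicates are constructed for illustration.

```python
"""Check the 'declared up front with immutable references' half of SLSA's
Hermetic requirement against a SLSA Provenance v0.2 predicate.

Added example, not part of the original thread or of the slsa-framework
project. It assumes the v0.2 predicate layout (materials[].uri,
materials[].digest, metadata.completeness.materials); the sample
predicates below are constructed for illustration.
"""
import re

# Digest algorithms (and their hex length) that this checker accepts as
# immutable content identifiers. Assumed verifier policy, not fixed by SLSA.
IMMUTABLE_DIGESTS = {"sha1": 40, "sha256": 64, "sha512": 128}


def material_is_immutable(material):
    """True if the material carries at least one well-formed content digest.

    A bare URI, even one pinned to a git tag or branch, is a mutable
    reference: whoever controls the remote can move what it points at.
    """
    digest = material.get("digest") or {}
    for alg, value in digest.items():
        want = IMMUTABLE_DIGESTS.get(alg)
        if want and isinstance(value, str) and re.fullmatch(r"[0-9a-f]{%d}" % want, value):
            return True
    return False


def check_hermetic_declaration(predicate):
    """Return a list of human-readable findings; an empty list passes."""
    findings = []
    completeness = predicate.get("metadata", {}).get("completeness", {})
    if completeness.get("materials") is not True:
        findings.append("metadata.completeness.materials is not true: "
                        "the builder does not claim the materials list is complete")
    materials = predicate.get("materials") or []
    if not materials:
        findings.append("no materials declared")
    for m in materials:
        if not material_is_immutable(m):
            findings.append(f"material {m.get('uri')!r} has no immutable digest")
    return findings


# Constructed sample: a source checkout pinned by commit and a dependency
# pinned by sha256, with the builder asserting the list is complete.
GOOD_PREDICATE = {
    "materials": [
        {"uri": "git+https://example.com/org/repo@refs/heads/main",
         "digest": {"sha1": "0" * 40}},
        {"uri": "pkg:generic/libfoo@1.2.3",
         "digest": {"sha256": "a" * 64}},
    ],
    "metadata": {"completeness": {"materials": True}},
}

# Constructed sample: one dependency referenced only by tag, and no
# completeness claim, so a verifier cannot treat the build as hermetic.
BAD_PREDICATE = {
    "materials": [
        {"uri": "git+https://example.com/org/repo@refs/heads/main",
         "digest": {"sha1": "0" * 40}},
        {"uri": "git+https://example.com/org/dep@refs/tags/v1.2.3"},
    ],
    "metadata": {"completeness": {"materials": False}},
}


if __name__ == "__main__":
    for name, pred in (("good", GOOD_PREDICATE), ("bad", BAD_PREDICATE)):
        print(name, check_hermetic_declaration(pred) or "OK")
```

This covers only the declaration half of the requirement; whether the build steps actually ran without network access or undeclared host inputs is a property of the build platform and has to be attested by it, not derived from the materials list.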
This guidance looks great to me, definitely a good start. I'd like the recommendation to list the base image/inventory of the build worker to be a bit stronger (in my...
This might be captured in current SLSA requirements in the same way reproducible builds are – as recommended, where possible?
Absolutely. I think it's aspirational in a similar way to Build Reproducibility, hence the suggestion to make this a recommendation (O). Build Reproducibility is recommended/aspirational because it's hard (and probably...
Good summary, it matches my understanding too. Thanks. Recommending signing feels out of the scope of SLSA. On the requirements around signing keys specifically, perhaps we should move that to...
Closing this issue as the discussion resolved that we do not want to recommend generic artifact signing.
I'd like to collaborate on a [proposal](https://github.com/slsa-framework/slsa-proposals) for this. My current preference would be to expand SLSA, but that's at least in part because I'm not familiar with other frameworks...
I believe this is related to #351 "Provide guidance on level of granularity for "build"", in that a provenance attestation describes a "build" per the [provenance predicate model](https://slsa.dev/provenance/v0.2#model). Further attestations,...
Great idea, demonstrating the liveliness of the project to folks not attending the community meetings and providing a space to share ideas both seem like good uses of a blog.