Joshua Lock
I'd prefer GitHub too, it feels like that would be easier for review? I'm on-board with lazy consensus, but worry that two days might be too short? Perhaps it's enough...
I like /blog/
Hi Naveen. We don't yet have a contributor ladder defined, but we are working on formalising our governance and I'd like to see a contributor ladder defined in future. Maintainer...
Looks like the threat model diagram and example of mitigated attacks were created for the blog post here https://security.googleblog.com/2021/06/introducing-slsa-end-to-end-framework.html It would be good to get these added to the repo...
> The main page now has the list of example attacks from the blog post. 💯 > Next step is to add an exhaustive list of attacks. I started a...
I am indeed one of the confused parties. This issue and #130 will go a long way to clearing things up, I think. What we are effectively saying, then, is...
> Something we could do, which would be easy enough, is require that the builder contain a reference to source code from a source control system (meets the "L2 requires...
The spec separates "build system" and "provenance generation" requirements. Two of these overlapping requirements are provenance generation requirements and one a build system requirement. Does that distinction make the **[Isolated](https://slsa.dev/spec/v0.1/requirements#isolated)**...
We most definitely want to have generic libraries which can generate attestations for integration into different CI/CD and build platforms. Is there a particular language you are looking for? There...