Joshua Lock
Agreed, I think we should add documentation calling out these libraries/implementations. I think it's out of the scope of the issue here (to document a GitHub case study), so perhaps...
On "platform" vs "service": Microsoft calls [Cloudbuild](https://www.microsoft.com/en-us/research/publication/cloudbuild-microsofts-distributed-and-caching-build-service/) a "build service".
Other terminology related issues:
* https://github.com/slsa-framework/slsa/issues/369
* https://github.com/slsa-framework/slsa/issues/366
* https://github.com/slsa-framework/slsa/issues/367
For examples, listing/linking to adoptions – public examples of systems that can generate SLSA provenance – might be a useful start? Some I know of:
* Tekton via the Chains...
Agree that we should label these as best effort at SLSA level 3.
> So in GitHub Action's case, I'm leaning towards:
>
> * Disallow self-hosted runners.
> *...
> This also gets into the issue that Ephemeral Environment and Isolated are really two sides of the same coin and need to be designed hand-in-hand. It's worth considering merging...
Will take a look next week
It may make sense to hold on updating the reference implementation until a similar change has been made to the specification, see https://github.com/in-toto/docs/issues/42
> First thanks so much for taking a deeper look! Two comments
> (1) The generation of UTC is my mistake, since I manually set the Expiration and didn't convert...
We faced similar scalability problems in python-tuf, the changes we made to the legacy implementation to [support abstract files and directories](https://github.com/theupdateframework/python-tuf/issues/1009) might make sense in go-tuf too? The new python-tuf...