Tom Hennen

I can see the utility in something like this, but as @mfietz points out, you'd really want it to be feed specific. Unfortunately the auto download algorithm just gets all...

If this feature was restricted to API>=15 that would be fine with me.

I do think 'Select Media Renderer' is too techy. "Stream to another device"?

@sttan, what episode of what podcast were you trying to download? Does this happen every time? Does it only happen with one podcast or all of them? On Wed, Oct...

I think that's right. Treat these as failed downloads and then let them get retried? Unless we need to worry about servers that lie about the size. On Sun, Jan...

Note that the SLSA requirements now includes "Includes all transitive dependencies" at L4. That requirement should probably be part of whatever clarification we do as a part of this issue.

I wonder if the solution is to list all the relevant things in the digest? This was discussed a bit here: https://github.com/in-toto/attestation/issues/28 What if `digest` contained both `git-commit-sha1` and `git-tree-sha1`?...

@msuozzo was looking into something like that, Matt WDYT?

Here are some thoughts we've been having about how to do verification, etc... https://docs.google.com/document/d/11a3u-_CcHwzPRX8x-qFzQodQoF0qnwhrE546Lt7XI2E/edit?usp=sharing Shared with https://groups.google.com/g/slsa-discussion We'd love to get feedback from everyone else working on SLSA.

This is what I was hoping to address in https://github.com/in-toto/attestation/issues/47 (before we moved SLSA provenance back to this project). I had a proposal I was running past @joshuagl but we...