Tom Hennen

Results 313 comments of Tom Hennen

So generally folks are open to some solution here. We'd probably be looking for a PR that defines whatever the proposal is along with some code that actually does it.

Discussed at today's attestation maintainers meeting. We're open to both of these things. Our main concern would be on interoperability. Having multiple ways to encode and represent attestations could significantly...

What distinguishes these three images? They are different, but what's different about them? Is it the architecture they support? You mention the name might reasonably be `registry.local/namespace/repo` but is there...

Do you happen to know the platform? Could you put the platform in the name field? That would seem to be the most helpful for users? Alternatively, how much do...

What's your ideal solution? Having two different entries in subject with the same name? They'd still only be distinguished by digest but I guess users would know what 'repo' they...

So, another option is to just leave 'name' blank? It's not required.

Seems very reasonable. I also think you can do this without any changes to the spec?

> fwiw, Name _can_ be a PURL, as of ITE-4: https://github.com/in-toto/ITE/tree/master/ITE/4. You don't need to change the name to 'uri' but rather treat it as an opaque descriptor, or a...

@colek42 do you have any docs that describe how that attestation works?

I was thinking it would be nice to have some tool to validate SLSA provenance against the spec. I've certainly run into cases where people claimed to be doing it...