Tom Hennen
I think with the introduction of verifiedLevels as a list VSAs aren't restricted to describing if something just met SLSA expectations, they can describe much more than that. Internally we're...
Yeah I think each ecosystem would need to establish their own convention for resources in VSAs. My weak suggestion for npm would be to use [purls](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst) with the package name...
> So my counter-ask would be how the SLSA team feel about owning the specification for a publish attestation? This would make sense to me. I'm not sure if it...
I don't know how well it would work but I'd always imagined that in cases where there's not a solid package name per se that the download URL might be usable...
Sorry, I think that was a bit of a non-sequitur and was just a response to "what do we do if there's not a package name". I guess I expect...
> Discussed in community meeting July 17, 2023. We've decided to start the process to move VSA to in-toto.
>
> I'll keep this issue open in the backlog to...
Letting intermediates act as roots definitely isn't what I expected! Here's a test where I try to cover the existing 'offline' uses and where I'm surprised that I can leave...
Leaving to an SBOM makes sense to me.
Will this be based on [this work](https://github.com/secure-systems-lab/dsse/pull/61)? (Apologies if I should have known that already, the change is spread out across a number of places)
I've also been experiencing messages not being announced.