Tom Hennen
We send the GpodnetEpisodeAction PLAY when items are marked as read. At least we do in some when the user uses the menu item to mark something as 'Played'. However,...
There was a lot of discussion in #37 that seems to indicate there's still an apparent disconnect on policy (who produces/owns it) and evaluation (when/where to evaluate that policy). I...
There seems to be some confusion around if 'dependencies complete' means that the provenance lists all transitive dependencies. My view is that I don't think it does, but others have...
The 'Common Requirements' requires multi party auth but doesn't explicitly require 2FA. Should this be a requirement? Could we make the requirement be the use of a hardware backed security...
### Description iron-a11y-announcer exposes a 'mode' property that users can use to control the politeness setting, but they can only do this if they create the element themselves and not...
Currently the OPML import task isn't shown if the user shares an OPML link from a web browser. They will get the 'Add Podcast' option though. This is something we...
npm has [a custom publish attestation](https://github.com/npm/attestation/tree/main/specs/publish/v0.1) as a part of implementing [this RFC](https://github.com/npm/rfcs/blob/main/accepted/0049-link-packages-to-source-and-build.md). I wonder if it would be possible to use [a VSA](https://slsa.dev/verification_summary/v1-rc2) instead? Perhaps with some tweaks to...
Currently the [Build Requirements](https://github.com/slsa-framework/slsa/blob/main/build-requirements.md#build-requirements) say > All transitive build steps, sources, and dependencies were fully declared up front **with immutable references** and > The user-defined build script: > > MUST...
I've heard from a couple of folks that they weren't aware that SLSA had a specification for how to exchange metadata, despite the fact that SLSA Provenance is linked from...
**Description** The [types page](https://github.com/sigstore/rekor/blob/main/types.md) doesn't cover DSSEs or in-toto attestations, should it? FWIW [the usage blurb](https://github.com/sigstore/rekor#usage) suggests that page should cover all the supported types.