
Support supply-chain security (slsa)

Open alexeagle opened this issue 2 years ago • 3 comments

Someone would need to gather requirements on what data a tool like SLSA needs for establishing provenance of binaries.

In theory an aspect could visit the build graph to collect these.

It also needs to interact with every package manager to know the origin of third-party library code/binaries.

This is a superset of the rules_license problem, to track metadata transitively through the graph.

If we had a recommendation for what rules authors ought to do, we could document that and provide verification tooling for this feature. We could supply "BCID level numbering". Maybe there's a test rule that can verify a binary has the following provenance.

alexeagle, Nov 16 '21 20:11
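The "aspect could visit the build graph" idea from the post, sketched as an added example (not code from the issue, the SIG, or any Bazel project): a Starlark aspect that follows `deps` transitively and, for every target it visits, records the label, rule kind, source files and an origin marker, then writes a JSON manifest per target in an output group. The `origin=<name>` tag convention and the `provenance.bzl` path are assumptions for illustration; the package-manager integration the post calls out is not solved here, only represented by that tag.

```starlark
# provenance.bzl -- added example, not part of the issue or the SIG's tooling.
# Collects SLSA-style "materials" facts by walking the build graph with an aspect.

ProvenanceInfo = provider(
    doc = "Transitive provenance facts collected by provenance_aspect.",
    fields = {"entries": "depset of structs, one per visited target"},
)

def _provenance_aspect_impl(target, ctx):
    # Workspace-relative paths of the target's own source inputs (generated files skipped).
    srcs = []
    for src in getattr(ctx.rule.attr, "srcs", []):
        for f in src.files.to_list():
            if f.is_source:
                srcs.append(f.path)

    # Hypothetical convention: a tag "origin=<registry or vendor>" marks third-party code.
    # A real implementation would get this from the package manager rules instead.
    origin = "first-party"
    for tag in getattr(ctx.rule.attr, "tags", []):
        if tag.startswith("origin="):
            origin = tag[len("origin="):]

    # Tuple rather than list so the struct stays hashable inside a depset.
    entry = struct(
        label = str(target.label),
        kind = ctx.rule.kind,
        origin = origin,
        sources = tuple(srcs),
    )

    # Merge whatever each dependency already reported; the aspect was applied to them first.
    transitive = [
        dep[ProvenanceInfo].entries
        for dep in getattr(ctx.rule.attr, "deps", [])
        if ProvenanceInfo in dep
    ]
    entries = depset(direct = [entry], transitive = transitive)

    # One manifest per target, exposed through an output group so it can be requested on demand.
    out = ctx.actions.declare_file(target.label.name + ".provenance.json")
    ctx.actions.write(
        output = out,
        content = json.encode_indent({
            "subject": str(target.label),
            "materials": [
                {"label": e.label, "kind": e.kind, "origin": e.origin, "sources": e.sources}
                for e in entries.to_list()
            ],
        }),
    )
    return [
        ProvenanceInfo(entries = entries),
        OutputGroupInfo(provenance = depset([out])),
    ]

provenance_aspect = aspect(
    implementation = _provenance_aspect_impl,
    # Only "deps" is followed here; a production version would list every
    # edge attribute rules authors use (runtime_deps, data, exports, ...).
    attr_aspects = ["deps"],
)
```

Assuming the file lives at `//tools:provenance.bzl`, a manifest for a binary and everything under it is produced with `bazel build //app:bin --aspects //tools:provenance.bzl%provenance_aspect --output_groups=provenance`. What comes out is the unsigned materials list only; turning it into a SLSA provenance attestation still needs a builder identity and a signature from outside the build graph, which is exactly the requirements-gathering the post asks for.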