dlorenc
+1 to @puerco and keeping them separate for now.
> Thanks @inferno-chromium . This is actually the first time I've seen an active reference to a "steering committee". The discussions around the OpenSSF governance have been leaning towards forgoing...
FWIW I like the original goal as you stated, and think it's not worth giving up on yet. It can be made more clear in the blog itself, the contribution...
Here's one more definition set for the mix:
> **Provenance** is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data....
Cc @asraa as well, we were just talking about how the TUF/sigstore integration could help here
With https://github.com/slsa-framework/slsa/pull/141 now further clarifying the difference between "source" and "build instructions", we're now (still) in a spot where there are no requirements about the provenance for the "source" itself...
My high level hand-wavy idea is that it would be really nice if we could require the provenance to contain a reference to the actual primary, direct source code used...
+1 there!
> It's almost as if to say: 'we know it's all mystery meat but hey at least we double-checked and signed off on it'
To put this a bit more charitably,...
I like this in general. Another check we could add is that the timestamp in the commit falls within the validity window of the cert, to prevent signing "backdated" commits.
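The timestamp-in-window check described in the comment above, as an added example (this is not code from the commenter, nor from the sigstore, gitsign or SLSA projects): it pulls the committer time out of a raw git commit object and rejects the commit if that time lies outside the signing certificate's validity window. The window, the sample commits, and the names `CertWindow`, `parse_commit_times`, `check_commit_in_window` and `make_commit` are all constructed here for illustration; in a real verifier the window would be filled from the certificate's notBefore/notAfter fields.

```python
"""Reject signed commits whose committer timestamp lies outside the
signing certificate's validity window (constructed example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# A git identity header line looks like:
#   committer Name <email> <unix-seconds> <+HHMM>
# The regex is anchored at column 0, so the indented continuation lines of a
# multi-line "gpgsig" header in a signed commit can never match it.
_IDENT_RE = re.compile(
    r"^(?P<role>author|committer) .* <[^>]*> (?P<ts>\d+) (?P<tz>[+-]\d{4})$"
)


@dataclass(frozen=True)
class CertWindow:
    """notBefore/notAfter of the signing certificate, as aware UTC datetimes."""
    not_before: datetime
    not_after: datetime


def parse_commit_times(raw_commit: str) -> dict[str, datetime]:
    """Return {"author": dt, "committer": dt} from a raw commit object.

    Only the header (everything before the first blank line) is scanned; the
    unix seconds in the header are already UTC, the tz offset is display-only.
    """
    header = raw_commit.split("\n\n", 1)[0]
    times: dict[str, datetime] = {}
    for line in header.splitlines():
        m = _IDENT_RE.match(line)
        if m:
            times[m["role"]] = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    if "committer" not in times:
        raise ValueError("commit header has no committer line")
    return times


def check_commit_in_window(
    raw_commit: str, window: CertWindow, skew: timedelta = timedelta(0)
) -> tuple[bool, str]:
    """Return (ok, reason). Compares the *committer* time, which git stamps
    when the object (and therefore its signature) is created; the author time
    survives rebases and cherry-picks and is routinely set by hand.
    `skew` is an optional tolerance for clock drift between signer and CA."""
    t = parse_commit_times(raw_commit)["committer"]
    if t < window.not_before - skew:
        return False, (f"committer time {t.isoformat()} is before cert notBefore "
                       f"{window.not_before.isoformat()}: backdated commit")
    if t > window.not_after + skew:
        return False, (f"committer time {t.isoformat()} is after cert notAfter "
                       f"{window.not_after.isoformat()}: cert had already expired")
    return True, "committer time inside certificate validity window"


def make_commit(committer_time: datetime, author_time: datetime | None = None) -> str:
    """Build a minimal raw commit object (constructed sample, not a real commit)."""
    author_time = author_time or committer_time
    stamp = lambda d: f"{int(d.timestamp())} +0000"
    return (
        "tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"  # the empty tree
        f"author Example Dev <dev@example.com> {stamp(author_time)}\n"
        f"committer Example Dev <dev@example.com> {stamp(committer_time)}\n"
        "\n"
        "Constructed sample commit\n"
    )


# Constructed 10-minute validity window (short-lived signing cert) and commits.
_NOT_BEFORE = datetime(2021, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
WINDOW = CertWindow(_NOT_BEFORE, _NOT_BEFORE + timedelta(minutes=10))
GOOD_COMMIT = make_commit(_NOT_BEFORE + timedelta(minutes=5))
BOUNDARY_COMMIT = make_commit(WINDOW.not_after)            # exactly notAfter: allowed
BACKDATED_COMMIT = make_commit(_NOT_BEFORE - timedelta(days=90))  # GIT_COMMITTER_DATE in the past
FUTURE_COMMIT = make_commit(_NOT_BEFORE + timedelta(days=1))      # stamped after cert expiry

if __name__ == "__main__":
    for name, commit in [("good", GOOD_COMMIT), ("boundary", BOUNDARY_COMMIT),
                         ("backdated", BACKDATED_COMMIT), ("future", FUTURE_COMMIT)]:
        ok, why = check_commit_in_window(commit, WINDOW)
        print(f"{name:9s} {'OK ' if ok else 'REJECT'} {why}")
```

Both `author` and `committer` dates can be overridden through environment variables when the commit is created, which is exactly the forgery this check catches: a commit signed now but stamped with a date months back will fall before the certificate's notBefore and be rejected. The check is only as tight as the certificate lifetime, which is why it pairs well with short-lived signing certs; with a long-lived key-backed cert the window would admit almost any date.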