Results 264 comments of Joshua Lock

I think a generic wheel building service is a great idea that could help address the often-unintentional differences between source code repositories and the artefacts on PyPI. Furthermore, this will...

Because [PEP 458](https://www.python.org/dev/peps/pep-0458/) is long, I wanted to try and provide an elevator pitch. [PEP 458](https://www.python.org/dev/peps/pep-0458/) is a design for repository signing with TUF which is transparent to both developers...

Providing a recommended process (even a template [GitHub security policy](https://help.github.com/en/articles/adding-a-security-policy-to-your-repository)) would be a good outcome for this issue, the idea for a centralised reporting mechanism admittedly doesn't scale to a...

Great discussion topic. AIUI the provenance specification does attempt to ensure that there's enough information captured to verify the actions taken. This might be implicitly through `invocation.configSource` and the repository...

Thanks both for articulating the need. Thinking of some of the other predicate types we've observed in the wild (see https://github.com/in-toto/attestation/issues/98) I can picture this being in the statement layer....

This is sensible indeed. I think it's already implicit at L3 and L4 (i.e. ephemeral and isolated builds, provenance includes build parameters at L3; parameterless and hermetic builds, provenance includes...

Documenting this more explicitly might also help people understand which rung of the SLSA ladder to stop on.

In the proprietary software case, the attestations would (should) still exist and therefore can be referenced in the VSA, even if they are not shared with the VSA consumer. Listing...

Optional but recommended seems reasonable. I do think we should recommend inclusion.

> @joshuagl WDYT about us including this in 0.2 and then taking it out of draft? Works for me. There has been some discussion of VSA in recent spec meetings...