Shaun Lowry
I think we're wandering into the distinction between Isolated (SLSA 3) and Hermetic (SLSA 4). I think if containers don't provide a good enough boundary for Isolated here because it's...
Is having a complete set of guidelines alongside the core spec in scope for the 1.0 milestone?
I still think there's value in non-falsifiability of claims here, and I think the statement that there's no point in signing provenance until you've reached SLSA 4 including the optional...
This one's tough. If level 3 is the highest we're proposing for v1.0 I think we need to be a bit tougher here and clearly identify the action that was...
I think it's dangerous to start arbitrarily removing environment variables from provenance just because they're redundant on a specific platform (or set of platforms). What about build steps that run...
I think _anything_ that could potentially affect the output of the build in any way needs to be recorded, e.g. PATH, LANG, LC_* could all have subtle effects on the...
+1 on this. Our use case is for developers that work in multiple dependent repos. Many of our developers work exclusively in our main app repo which has a devcontainer.json...