John Speed Meyers
Friendly ping, @bureado.
Ah, that works! I'll go join now and find you two.
@inferno-chromium, @MarkLodato, and @david-a-wheeler, I worked on a proof of concept blog post about how SLSA can help OSS compromises. link - https://blog.chainguard.dev/slsa-vs-software-supply-chain-attacks/ If expanded, this is the type of...
@tstromberg, any thoughts here? I thought your sigstore-the-local-way chops might lead to an intuition.
Thought I would drop in this link from @SantiagoTorres since it includes related rekor visualizations: https://medium.com/@torresariass?p=1950b7c150df
That sounds good. I'm afraid I'll dork up the best way to explain this, so I've unassigned myself and will let someone more familiar with the project or documentation to...
Would adding `permissions: read-all` to the GitHub action YAML files be sufficient to address the "Token Permissions should follow principle of least privilege" bullet point? That's what my reading of...
Huh, `scorecard` says, as of 10/19/22 for this repo, `0/10` for `Token-Permissions` and that `non read-only tokens detected`. Let me do a little digging.
Could it be this line? https://github.com/slsa-framework/slsa-github-generator/blob/61d71969e88ad66f920aa17d86d822f428aa49cf/.github/workflows/generator_container_slsa3.yml#L88-L91 Seems like the keyless signing requires non-read permissions, so I'm not sure there's any way to get around this `0/10` `Token-Permissions` scorecard score. If...
cc @meretp This patch grew out of the use of `ntia-conformance-checker`. Thanks, @meretp, for helping with the transition to the new `tools-python` version for `ntia-conformance-checker` a few months back.