kpk47

Results 50 comments of kpk47

ACKing so you can assign me the issue.

No, I haven't. Sorry for the delayed response. I missed the email notification.

@woodruffw Your timing is impeccable. 😅 I'm cleaning up the tests and then the PR will be ready for review.

IIRC, we were thinking about multi-platform builds with that recommendation. For example, if the build generates `artifact_x86.gz, artifact_amd64.gz` then it should also produce `artifact_x86.attestation, artifact_amd64.attestation`. Re-reading the spec now, it...

I'm not super familiar with PyPI, but is this example demonstrative? https://packaging.python.org/en/latest/tutorials/packaging-projects/#generating-distribution-archives For a build that generates

```
dist/
├── example_package_YOUR_USERNAME_HERE-0.0.1-py3-none-any.whl
└── example_package_YOUR_USERNAME_HERE-0.0.1.tar.gz
```

I would expect the provenance files...

I've digested the brainstorming doc into a draft specification for the Source Track. Please take a look and comment: https://docs.google.com/document/d/1sKNvZzjdpL4OC5H7VdPLPGG0G3XFJc3i5q144mhOnP8/edit. I intend to accept comments on the Google Doc for...

I agree with @arewm's conclusion as to what the precedent should be:

> if there are multiple ways that a name can be defined in some package ecosystem then all...

Discussed in July 10 community meeting. Action items:

- update [verifying artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) and [verification model](https://slsa.dev/spec/v1.0/terminology#verification-model) to be more explicit that verification is always on an {artifact, package_name} pair, never just...

Discussed again in community meeting July 17, 2023. We will update the spec to give examples of how to form expectations around an artifact's associated package name. Separately, we think...

@TomHennen What are you proposing we replace with the download URL? The package name?