kpk47

Results 50 comments of kpk47

> I've been wondering the same thing. I don't have an answer, but I've got a couple of questions/thoughts that may help shape the decision. > > * Do we...

Discussed in community meeting July 17, 2023. We've decided to start the process to move VSA to in-toto. I'll keep this issue open in the backlog to track progress on...

I'm not generally in favor of treating reproducibility as anything other than a strict binary. Putting that aside, I've got a few questions about how a semantic equivalency track would...

We discussed this in our weekly specification meeting and decided to move it to our backlog. It is a large issue that could be split up and possibly deduped with...

This issue was addressed as part of SLSA v1.0. The threat is considered out of scope.

This may have been addressed by https://github.com/slsa-framework/slsa/pull/568.

Thanks for bumping this issue. I've also been thinking about the hermetic requirement and how to fit it into the SLSA build model. Specifically this option: > * Using an...

I think most of the urgency is gone since in-toto changed the spot where there was a conflict between the two specs. #882 and #892 could be enough for a...

@joshuagl Does this still need to be included in 1.0, or is it covered by the requirement that package ecosystems place expectations on each package?

Got it. I reclassified it as a P2.