kpk47
SlsaResult needs to change from SLSA_LEVEL_* to BUILD_LEVEL_*, and we need to add a version field.
policy_level also needs to change.
Now that we've closed the 'verifying systems' bug, we can close this one as well.
I think this issue was made obsolete by the build system compliance program. Feel free to reopen.
@haydentherapper @steiza I'd like your input
Thanks for the discussion, everyone! I'm seeing the objections fall into a few categories (let me know if I miss any): - This change would be tying the Sigstore and...
> Sorry, but I still don't understand why the _payload_ --- more precisely, an in-toto attestation, and more specifically, the SLSA v1 provenance --- should impose any requirement on the...
Another possibility comes to mind: we could have a split somewhere based on whether you can make statements about the process used to generate the source or you can only...
> I've been thinking about this from the verification side and parallels to SLSA Build Provenance. The docs for build provenance today separate [verifying artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) and [verifying build platforms](https://slsa.dev/spec/v1.0/verifying-systems). Is...
This fell a bit by the wayside as we prepared for v1.0-RC2. @JoshuaMulliken and I met with a member of the Linux Foundation to discuss setting up a conformance program....