kpk47

Results: 50 comments by kpk47

I've posted a proposal at https://github.com/slsa-framework/slsa-proposals/pull/9

Discussed at community meeting on Aug 28, 2023. We came to the conclusion that at Build L3 whether a build platform does a deep or shallow clone is part of...

> * SLSA Provenance format makes sense when the consumer can see the source (i.e. is within the same company as the attestor, or is consuming open source). This concept...

Discussed during the community meeting on 6/26/2023, and unfortunately most of the SLSA contributors don't have the context to make this sort of clarification. We think a good way forward...

I support this proposal, but I think I'm missing some historical context. IIUC, `buildConfigSource` and `sourceToBuild` are roughly equivalent to `configSource` and `materials` from provenance v0.2. Why did we remove...

Discussed in community meeting on 24 July 2023. Action item for community: review PR #901

To clarify: you're talking about the Build Model, right? https://slsa.dev/spec/v1.0/terminology#build-model

> A few observations while reading the specs:
>
> 1. We don't have a definition of all the terms...

@adityasaky @arewm I think we should go back to the drawing board with the source attestation/evidence, so I've removed it from this PR. Let's get the level spec to a...

FYI - There's a related conversation happening on #1039, though about build threats rather than source threats.

> Thanks for opening this issue! I think this ties into the threats...

Maybe we update our robots.txt to prevent indexing anything other than the latest official release? It would be equally bad for the top result to be the draft of v1.1.