kpk47
> > There is so much more to publication than build, including delegation of this verification policy (VSA), policy definition, etc...
>
> > Yes, all of this is part of...
Maybe this is a documentation issue? I think I'm mainly looking for validation of the idea and feedback on whether it's in or out of in-toto's scope. Inheritance is the...
There may also be a documentation problem, as all the examples I found discuss applying in-toto policies at admission control time. If in-toto supports moving policy checks earlier, then perhaps...
I think "inheritance" may be the wrong word. I'm thinking of something more like [extensions](https://protobuf.dev/programming-guides/proto2/#extensions) in Protocol Buffers. Users could optionally add fields to the attestation to give supplemental information...
Glad to hear there's interest in moving VSA to in-toto. I'm working on closing out the remaining VSA PRs on the SLSA repo and should have that done shortly.
> The main issue with using SCAI out of the box is that the predicateType doesn't convey the semantics.

VSA also has that issue, which is part of the reason...
I agree with @asraa that source should be a resourceDescriptor. The provenance spec recommends string values in externalParameters, but they aren't required.

> The externalParameters and internalParameters are the top-level...
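The shape difference argued for in the comment above, as an added example that is not part of this thread, the SLSA spec, or in-toto's own code: a small verifier that reads `externalParameters.source` from an SLSA Provenance v1 statement wrapped in an in-toto Statement v1, accepts both the bare-string form the spec recommends and a ResourceDescriptor (`uri` plus `digest`), and shows why only the descriptor form can be pinned to a specific commit. The statement contents, repository URI, builder ID, buildType and digests are constructed sample data; `with_string_source` is a helper written for this example.

```python
import copy

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed sample statement. Here `source` is a ResourceDescriptor, so a
# verifier can check which commit was actually built. All values are made up.
SAMPLE_STATEMENT = {
    "_type": STATEMENT_V1,
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "0" * 64}}],
    "predicateType": PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.com/build/v1",  # hypothetical buildType
            "externalParameters": {
                "source": {
                    "uri": "git+https://example.com/org/repo",
                    "digest": {"gitCommit": "a" * 40},
                }
            },
        },
        "runDetails": {"builder": {"id": "https://example.com/builder"}},
    },
}


def get_external_source(statement: dict):
    """Return externalParameters.source from an SLSA Provenance v1 statement."""
    if statement.get("_type") != STATEMENT_V1:
        raise ValueError("not an in-toto Statement v1")
    if statement.get("predicateType") != PROVENANCE_V1:
        raise ValueError("not SLSA Provenance v1")
    params = statement["predicate"]["buildDefinition"]["externalParameters"]
    return params.get("source")


def normalize_source(value) -> dict:
    """Accept both forms the spec allows.

    A bare string becomes a descriptor with only a `uri`; a ResourceDescriptor
    (a dict carrying `uri`) is returned unchanged. Anything else is rejected.
    """
    if isinstance(value, str):
        return {"uri": value}
    if isinstance(value, dict) and "uri" in value:
        return value
    raise ValueError(f"unsupported source value: {value!r}")


def source_pinned_to(statement: dict, expected_uri: str, expected_digest: dict) -> bool:
    """True only if the source URI matches and every expected digest is present and equal.

    A string-valued source carries no digest, so it can never satisfy a digest
    pin: the verifier learns where the source came from, not which revision.
    """
    if not expected_digest:
        raise ValueError("expected_digest must name at least one algorithm")
    src = normalize_source(get_external_source(statement))
    if src.get("uri") != expected_uri:
        return False
    digest = src.get("digest") or {}
    return all(digest.get(alg) == val for alg, val in expected_digest.items())


def with_string_source(statement: dict) -> dict:
    """Copy of `statement` with `source` collapsed to the bare-string form."""
    out = copy.deepcopy(statement)
    params = out["predicate"]["buildDefinition"]["externalParameters"]
    params["source"] = normalize_source(params["source"])["uri"]
    return out


if __name__ == "__main__":
    uri = "git+https://example.com/org/repo"
    print("descriptor form, right commit:",
          source_pinned_to(SAMPLE_STATEMENT, uri, {"gitCommit": "a" * 40}))
    print("descriptor form, wrong commit:",
          source_pinned_to(SAMPLE_STATEMENT, uri, {"gitCommit": "b" * 40}))
    print("string form, any commit:",
          source_pinned_to(with_string_source(SAMPLE_STATEMENT), uri, {"gitCommit": "a" * 40}))
```

The point the check makes concrete: a policy that wants to assert "this artifact was built from commit X of repo Y" cannot be satisfied by a provenance whose `source` is only a string, because there is nothing to compare the commit against; with a ResourceDescriptor the same policy can be evaluated mechanically.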
I support that change. I've opened an issue on the SLSA spec repo to get input.
I bisected commits and found that this bug was introduced in the May 2021 Breaking Change.