kpk47
We currently have two regular meetings: a weekly SLSA Specification meeting and a monthly SLSA Community meeting. Roughly the same group of people attend each, so we should consolidate. I...
I was chatting with @woodruffw about how SLSA interacts with Sigstore, and he pointed out that a lot of the information in SLSA provenance is already present in Fulcio certificates...
I'm starting to think that the higher levels of the source track will look fundamentally different for closed source and open source projects, and we would benefit from making the...
This is a tracking issue for creating a Source track. The main idea is to cover properties of how the source code was developed. The exact thrust of this track...
This is a tracking issue for releasing v1.1. The primary goal of v1.1 is to release small updates to v1.0 to address issues that are too significant for an in-place...
We discussed a dependency track in the community meeting on Aug 28, 2023. It may have significant overlap with the Source Track, so we should discuss them together.
I'm worried that this new version is in a weird limbo where it's half SLSA-specific and half generic. For example, it's not clear if you need to list a SLSA...
**Description** There's a lot of duplicated and almost-duplicated code in the verify, verify-blob, verify-attestation, and verify-blob-attestation subcommands. I wrote a short doc suggesting how to refactor them and would like...
This change adds the working draft of SLSA's Source track. It includes basic terminology, level requirements, and an attestation format.
To clarify, I was wondering if we wanted to distinguish between attestations for source platform specific claims and those that may apply (I was thinking "pertain" earlier) more specifically to...