laurentsimon

Results 957 comments of laurentsimon

cc @enck interesting research problem

> I guess it depends on who and what you trust. It might be a bit easier for a company to do by providing policies and best practices around the...

re: build tracing. One could also perform the tracing post-build (say, at ingestion time on the consumer side) by replaying the build command reported in the SLSA provenance. This may...

> What do you mean by "the same system". Do you mean the same actual machine/service or do you mean "org 1 built this on their own Debian 11 machine...

The dependencies of the builder itself are reported in the `material` section of the SLSA provenance. So although it may not prevent the attack, it should be retroactively detectable once...

Hey @naveensrinivasan yes please review 10 PRs as suggested by @inferno-chromium and take a feature you'd like as "onboarding" to familiarize yourself with code (the one on hash computation using...

> Is the main difference that when a self hosted runner is involved we have to trust a build service which is GitHub + self-hosted runner, rather than just GitHub?...

@crazy-max sorry if I confused you. I've added the context from the corresponding issue https://github.com/docker/buildx/issues/1242. Anything I can clarify?

friendly ping. Any question I can help answer?

> Sorry for the delay. I have some concerns and questions about this workflow.
>
> First I would like to know what is the maturity/stability of this action/project? Looking...