laurentsimon

Results 969 comments of laurentsimon
We need to support both v0.2 and v1.0 provenance.

I'll wait for https://github.com/slsa-framework/slsa-verifier/pull/572 to land since it defines new functions to retrieve provenance information, including the entryPoint.

Thanks. Not sure what happened here. @asraa @ianlewis thoughts?

I think `github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1.0` was renamed `github.com/in-toto/in-toto-golang/in_toto/slsa_provenance/v1` in https://github.com/in-toto/in-toto-golang/commit/8d135cb0fcd6c53e83f05c12a624e9199284a14f, but not sure why this suddenly broke the build.

I think I know what's happening. Dependabot is trying to update the go.mod / go.sum, even though the slsa-verifier code / version was not updated - so the code still...

I think the root cause of the problem is that Dependabot is unable to figure out that we only want the CLI installed, not the library. So it treats the dependencies...

It would fix it for now, but it may break again in the future :/ Would be good to have a more reliable solution.

Please let us know if the suggestion works or not, and we'll update the README accordingly. Thanks @asraa for the suggestion. I thought that `direct` was the default `By default...

Here are additional thoughts. Since we're going to release the generic provenance generator soon, we're going to need to be able to differentiate between the types of builders and the...

> > This would be a new flag that mirrors the https://slsa.dev/spec/v0.1/requirements requirements. It would need to be flexible enough.
> >
> > Having a single flag with sub-options is pretty...