laurentsimon

Results 962 comments of laurentsimon
> > You can substitute VSA publish attestation in the demo.
>
> Is the Publish attestation here what eventually became the [Release](https://github.com/in-toto/attestation/blob/b382eb5dafece256feb135f075855def414e5e5e/spec/predicates/release.md) attestation?

no. It's a simple VSA with...

> > Do you have pointer to runtime attestation? Never heard of the term before. Thanks!
>
> Sorry, I should have clarified that I coined it on the spot...

> > no. It's a simple VSA with the specific purpose of publication (and not tied to SLSA), created by an _org_ (possibly a dev / team if they are...

> I also thought about sub-classing, but I couldn't convince myself that it really solved a problem unless it were paired with different expectations for how to define the types....

Hey (scorecard maintainers here) I like the idea of having scorecard generate attestations - surprise :-) ! We have this on our roadmap. We think we'll have something for Q2...

yeah it's really strange. it happens regularly too...

Do you know what 1st vs 2nd source generation is?

Given it's a simple fix, is it worth backporting?

2 options to achieve this: 1. Rename `BINARY` env variables to `BINARIES`, which can take a list of binaries separated by a `,`. The scripts can split the string and...

We also need scope to create releases.