slsa-verifier icon indicating copy to clipboard operation
slsa-verifier copied to clipboard

Published 20 hours ago verified publisher icon slsa-framework

feat: remove support for special handling of material verification for npm

Open laurentsimon opened this issue 1 year ago • 6 comments

See https://github.com/slsa-framework/slsa-verifier/pull/521#discussion_r1131610475

laurentsimon avatar Mar 09 '23 21:03 laurentsimon

I suppose we may want to be able to verify provenance generated during the public beta. So maybe we can check if it's been generated as of a certain date so that we can check this for provenance generated after the GA?

ianlewis avatar Mar 10 '23 01:03 ianlewis

This should work, good idea.

laurentsimon avatar Mar 10 '23 02:03 laurentsimon

Or maybe there's a versioning in their buildType or something else to identify stable format?

asraa avatar Mar 10 '23 15:03 asraa

Or maybe there's a versioning in their buildType or something else to identify stable format?

That's maybe an even better idea.

ianlewis avatar Mar 23 '23 03:03 ianlewis

Last time we talk they did not have, ie it was tied to the CLI version. But I think they will change that, so need to follow-up

laurentsimon avatar Mar 23 '23 23:03 laurentsimon

This will get fixed by #641

ianlewis avatar Jun 27 '23 22:06 ianlewis

#641 is merged.

ramonpetgrave64 avatar Jul 03 '24 16:07 ramonpetgrave64