Wietse Z Venema

Results: 7 comments by Wietse Z Venema

The proposal has been shared internally with laurentsimon. By my understanding, SLSA defines a single ladder. That is, an artifact can satisfy SLSA level N only if it satisfies (at...

I will not deny that custom ladders can have a place in certain contexts, but SLSA is targeting cooperation on a global scale. In the 10 years that the predecessor...

I think that you're describing a policy for SLSA level N, with selected SLSA requirements turned off. For the purpose of global interoperability, would it be possible to say that...

We appear to agree that each SLSA level implies a number of baseline requirements that won't need to be enumerated in a policy (such as individual builder or source repo...

> SGTM. And maybe also think about whether the provenance content and the policy should be treated as two different entities or not.

I treated them as separate entities, you...

> Is the goal of the slsa-verifier to also verify conformance to SLSA levels for build and source? That would be interesting.

That matches what I had in mind. The...

I'm proposing a solution with "Proposal: support subjects that have no digests #92". The basic idea is to allow a subject.uri (a resourceURI) instead of a subject.digest.