-
> What does "documented process" mean?
_Originally posted by @marcelamelara in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1722381816_
-
Please consider adding [SLSA provenance](https://slsa.dev/) to your releases, e.g. via [GitHub Artifact attestations](https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-availa…
-
related to: https://github.com/slsa-framework/slsa/pull/1097#discussion_r1718489268
## Level 2
My initial thoughts are that we're trying to get across the following concepts:
teams can have more th…
-
Should we address submodules and other 'indirection' elsewhere in the spec or is it better to keep it aligned with the attestations themselves?
_Originally posted by @TomHennen in htt…
-
See https://github.com/cli/cli/pull/8698/ for required code changes
-
**Motivation**
We have signatures with cosign, and our next step is to add provenance attestations to images and artifacts as well, in the same way we have in Falcoctl.
cc @cpanato @developer-guy
-
> "Reliable" may be too strong a qualifier here. It's still up to the consumer to decide if they deem the information as such, so we might want to instead use a term like "auditable" or "verifiable" h…
-
Please add [SLSA provenance](https://slsa.dev/) to your releases.
It is quick and easy to do on GitHub:
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/gen…
-
> To my knowledge, branch protection is a feature of specific cloud-hosted SCPs, not git/VCS, so I suggest making this requirement for Continuity more generally about the intent/objectives. Then we ca…
-
**Description**
Re: https://github.com/slsa-framework/slsa-verifier/pull/791#discussion_r1693621800
I'm proposing that we change `NewLiveTrustedRoot` to accept an existing client, instead of…