-
Based on discussions within the Supply Chain integrity working group and S2C2F Project, we wanted to open discussions on a path for S2C2F to align with SLSA as its dependency track. This would be conti…
-
Currently I need to hack together some regular expressions, which probably aren't necessarily 100% accurate; see: https://github.com/slsa-framework/slsa/blob/0e1182e951f59ab5934bdb0906681a7d84941fd4/sc…
-
This is a tracking issue for SLSA 1.0 support. Feel free to edit this ticket with issues related to supporting SLSA 1.0 requirements/spec.
-
Should be more straightforward now with the new "[Bring your own Builder](https://slsa.dev/blog/2023/08/bring-your-own-builder-github)" feature.
Since we're likely to want SLSA build provenance lat…
-
Now this workflow builds and releases assets using GoReleaser in the same job.
But in terms of security, and to meet SLSA Level 3, we should separate build and release jobs.
One of the concerns is rel…
-
> What does "exist in the present context" mean?
_Originally posted by @marcelamelara in https://github.com/slsa-framework/slsa/pull/1094#discussion_r1722360178_
@zachariahcox
> for git repos,…
-
https://slsa.dev/spec/v0.1/requirements
In addition to #3440, we need to meet the following for SLSA 2:
Source:
- ~~Version controlled: Every change to the source is tracked in a version contro…
-
#6873 was caused by what looks like human error when preparing an official Transmission release.
As I suggested in https://github.com/transmission/transmission/issues/6873#issuecomment-2313508165:
…
-
**What would you like to be added**:
SLSA Attestation Generated with new releases.
**Why is this needed**:
SLSA's are resources that show evidence that the release consumers receive has no…