in-toto / attestation

in-toto Attestation Framework

Making predicateTypes consistent with predicate names #371

Open marcelamelara opened 5 months ago

marcelamelara commented 5 months ago

We recently introduced the notion of the predicate name, which we use in a couple of ways: as a hint in the envelope mediaType, and in the predicateType URI for predicates in the in-toto/attestation namespace (see step 4).

Most predicates in the in-toto/attestation namespace already follow this convention for the predicateTypes, but we have two that were defined before we introduced this convention and don't:

How should we resolve these two cases?

My recommendation for SCAI is to remove the "attribute-report" piece since it somehow implies that there may be other subtypes of SCAI, and we don't currently support predicate subtypes. This may break existing tooling (mostly in-toto/scai-demos), and we may need to bump the predicate version number.

My suggestion for vuln may be to update the predicate name to vulns.md since that won't break current tools.

Any other thoughts? If this looks good, I'll open a PR to make the relevant changes.
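As an added example (not code from the in-toto/attestation project or from this thread), the following Python checker shows why the naming convention matters to consumers: it splits a predicateType URI into a predicate name and a version, extracts the predicate-name hint from an envelope mediaType, and reports when the two disagree or when the name carries a nested path of the kind the "attribute-report" segment introduces. The URI layout `https://in-toto.io/attestation/<name>/v<version>` and the hint layout `application/vnd.in-toto.<name>+dsse` (or `+json`) are assumptions made for this example, as are the three sample pairs, which are constructed rather than taken from real attestations.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not code from the in-toto/attestation project. It assumes:
#   predicateType:  https://in-toto.io/attestation/<predicate-name>/v<version>
#   mediaType hint: application/vnd.in-toto.<predicate-name>+dsse  (or +json)
# Both layouts are assumptions for this example; confirm them against the spec.
NAMESPACE = "https://in-toto.io/attestation/"
VERSION_RE = re.compile(r"^v\d+(?:\.\d+)*$")
MEDIA_TYPE_RE = re.compile(r"^application/vnd\.in-toto\.([^+/]+)\+(?:dsse|json)$")


def parse_predicate_type(predicate_type: str) -> Optional[Tuple[str, str]]:
    """Return (name, version) for a predicateType inside the namespace, else None.

    The name is everything between the namespace prefix and the trailing version
    segment, so a URI with an extra path element yields a name such as
    "scai/attribute-report", which makes the subtype-like structure visible.
    """
    if not predicate_type.startswith(NAMESPACE):
        return None
    segments = predicate_type[len(NAMESPACE):].strip("/").split("/")
    if len(segments) < 2 or not VERSION_RE.match(segments[-1]):
        return None
    return "/".join(segments[:-1]), segments[-1]


def predicate_name_from_media_type(media_type: str) -> Optional[str]:
    """Extract the predicate-name hint from an envelope mediaType, if one is present."""
    m = MEDIA_TYPE_RE.match(media_type)
    return m.group(1) if m else None


def check_consistency(media_type: str, predicate_type: str) -> List[str]:
    """Return a list of findings; an empty list means the pair is consistent."""
    findings: List[str] = []
    parsed = parse_predicate_type(predicate_type)
    if parsed is None:
        return [f"predicateType {predicate_type!r} is outside the namespace or lacks a version segment"]
    name, _version = parsed
    if "/" in name:
        # A nested path reads like a predicate subtype, which the framework does not support.
        findings.append(f"predicate name {name!r} has a nested path; subtypes are not supported")
    hint = predicate_name_from_media_type(media_type)
    if hint is None:
        findings.append(f"mediaType {media_type!r} carries no predicate-name hint")
    elif hint != name:
        # A consumer dispatching on the hint would pick a different parser than the URI implies.
        findings.append(f"mediaType hint {hint!r} does not match predicate name {name!r}")
    return findings


# Constructed sample pairs for this example (not taken from real attestations).
SAMPLES = {
    "consistent": ("application/vnd.in-toto.test-result+dsse",
                   "https://in-toto.io/attestation/test-result/v0.1"),
    "scai": ("application/vnd.in-toto.scai+dsse",
             "https://in-toto.io/attestation/scai/attribute-report/v0.2"),
    "vuln": ("application/vnd.in-toto.vuln+dsse",
             "https://in-toto.io/attestation/vulns/v0.1"),
}


def run_samples() -> Dict[str, List[str]]:
    """Run the checker over every constructed sample and return the findings per label."""
    return {label: check_consistency(mt, pt) for label, (mt, pt) in SAMPLES.items()}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, "->", findings or ["ok"])
```

With these assumptions the "consistent" sample passes, the "scai" sample is flagged twice (nested path, and a hint that cannot equal the full name), and the "vuln" sample is flagged once for the hint/name mismatch; renaming the predicate to match the URI, as suggested above, makes that last finding disappear without touching the predicateType that existing tools already check.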

marcelamelara commented 3 months ago

Update: We should probably also move the expected naming convention to the predicate template in spec/predicates/templates.

adityasaky commented 2 months ago

> My suggestion for vuln may be to update the predicate name to vulns.md since that won't break current tools.

This seems reasonable to me.