This section may be mixing concerns between the VCS and the source control platform (SCP).
Git commit metadata is forgeable from the perspective of the SCP.
The SCP typically provides an identity / authz layer which is separate from the git content it manages, and it maintains its own timestamps for when activities happened from its perspective. E.g., a commit may claim it was authored last year, but all the SCP knows for sure is that it was uploaded last week.
Authentic contributions will typically be built in terms of the SCP's identity and timestamp models, not the VCS's.
_Originally posted by @zachariahcox in https://github.com/slsa-framework/slsa/pull/1037#discussion_r1588404016_
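
The distinction drawn in the comment above, as an added example that is not part of the original comment or of any SLSA tooling: it parses the author/committer headers of a raw git commit and builds a contribution record keyed on what the SCP observed, keeping the git fields only as unverified claims. The commit text, the `PUSH_EVENT` schema and the `scp-user:bob` actor are constructed for illustration; no real platform API is implied.

```python
import re
from datetime import datetime, timezone

# Constructed sample: raw commit object text as `git cat-file commit <id>` prints it.
# The author/committer lines are whatever the client wrote; nothing authenticates them.
RAW_COMMIT = (
    "tree 0000000000000000000000000000000000000000\n"
    "author Alice Example <alice@example.com> 1682899200 +0000\n"
    "committer Alice Example <alice@example.com> 1682899200 +0000\n"
    "\n"
    "Fix build script\n"
)

# Constructed sample, hypothetical schema: what the SCP itself observed at upload.
PUSH_EVENT = {"actor": "scp-user:bob", "received_at": 1714521600, "ref": "refs/heads/main"}

IDENT = re.compile(r"^(author|committer) (.*) <(.*)> (\d+) ([+-]\d{4})$")

def parse_claims(raw_commit):
    """Extract the client-supplied author/committer claims from the commit headers."""
    headers = raw_commit.split("\n\n", 1)[0]
    claims = {}
    for line in headers.splitlines():
        m = IDENT.match(line)
        if m:
            role, name, email, ts, _tz = m.groups()
            claims[role] = {"name": name, "email": email, "time": int(ts)}
    return claims

def attribute(raw_commit, push_event):
    """Attribute a contribution to the SCP's actor and receipt time.

    VCS fields are carried along only as unverified claims, with the gap
    between the claimed author time and the SCP's receipt time made explicit.
    """
    claims = parse_claims(raw_commit)
    received = push_event["received_at"]
    gap_days = None
    if "author" in claims:
        gap_days = (received - claims["author"]["time"]) // 86400
    return {
        "actor": push_event["actor"],
        "time": datetime.fromtimestamp(received, tz=timezone.utc).isoformat(),
        "ref": push_event["ref"],
        "vcs_claims": claims,
        "claimed_gap_days": gap_days,
    }

if __name__ == "__main__":
    print(attribute(RAW_COMMIT, PUSH_EVENT))
```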