Open TomHennen opened 1 week ago

We should provide guidance on where source attestations are stored.

We may not want to be too prescriptive but should provide an allowance for how a source control system (#1128) should do so.

Note that summary and 'full' attestations may be stored in different places.

I think this is a general question for SLSA. @paveliak and I were having this exact discussion about the build environment attestations today as well. We also don't want to be too prescriptive, but provide some practical recommendations.

Perhaps we should require the Source Control System (or Build system in the case of the build environment attestations) to document where they're stored and then provide examples in the sample profiles (#1142)?

For git we might suggest "store in the VCS like so", for other systems maybe we suggest a "content addressable storage system by