#764 added support for indexing the payload hash in in-toto entries. It would be nice to do the same for materials of SLSA provenance attestations, so that it would be possible, for instance, to look up all attestations that show how a particular git commit (i.e. a material) was built into a binary artifact (i.e. the subject). This would allow, for instance, checking whether there are issues around reproducibility when done by different builders (e.g. GitHub Actions and GCB may end up with a different artifact hash).
> It would be nice to do the same for materials of SLSA provenance attestations, so that it would be possible, for instance, to look up all attestations that show how a particular git commit (i.e. a material) was built into a binary artifact (i.e. the subject)
I can definitely do this, this is a great idea -- this would allow for recursing on entries to discover provenance for deps. cc @lumjjb
cc @bobcallaway @dlorenc @rbehjati @jul-sh @mariaschett @aferr
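A minimal sketch of the material index requested in this issue, as an added example that is not the project's code: it parses in-toto statements carrying a SLSA v0.2-style provenance predicate and files each one under its material digests, so a lookup by commit returns every builder and subject digest recorded for it. The `Index` and `Hit` types, the `alg:hex` key format, the builder IDs and the digest values are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// statement holds the fields used here from an in-toto statement with a SLSA v0.2 predicate.
type statement struct {
	Subject   []struct{ Digest map[string]string }
	Predicate struct {
		Builder   struct{ ID string }
		Materials []struct{ Digest map[string]string }
	}
}

// Hit is one attestation that lists a material: which builder ran and what subject came out.
type Hit struct{ Builder, Subject string }

// Index maps a material key "alg:hex" to its hits (hypothetical layout, not the project's).
type Index map[string][]Hit

// Add parses one attestation payload and files every subject under every material digest.
func (ix Index) Add(payload string) error {
	var st statement
	if err := json.Unmarshal([]byte(payload), &st); err != nil {
		return err
	}
	for _, m := range st.Predicate.Materials {
		for alg, hex := range m.Digest {
			for _, sub := range st.Subject {
				ix[alg+":"+hex] = append(ix[alg+":"+hex], Hit{st.Predicate.Builder.ID, sub.Digest["sha256"]})
			}
		}
	}
	return nil
}

// sample builds a constructed payload; every builder ID and digest passed to it is made up.
func sample(builder, commit, subject string) string {
	return fmt.Sprintf(`{"predicateType":"https://slsa.dev/provenance/v0.2","subject":[{"digest":`+
		`{"sha256":%q}}],"predicate":{"builder":{"id":%q},"materials":[{"digest":{"sha1":%q}}]}}`,
		subject, builder, commit)
}

func main() {
	ix := Index{}
	ix.Add(sample("https://builder-a.example", "c0ffee01", "1111")) // errors ignored: constructed input
	ix.Add(sample("https://builder-b.example", "c0ffee01", "2222"))
	fmt.Println(ix["sha1:c0ffee01"]) // same commit, two builders, two different subject digests
}
```

Two hits with different `Subject` values under one material key are the reproducibility signal described in the issue.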