sbp opened a new issue, #250: URL: https://github.com/apache/tooling-trusted-releases/issues/250
Following on from #87, our attestation story is far less well developed than our bill of materials story. We need to decide what we're going to attest to in the first round of implementation, what format we're going to use, and (if applicable) what the UI contribution will be.

At the very least, even if we have an automatable attestation, we want users to be able to be aware that it was produced and able to review it.

We should try to follow the lead of GitHub and PyPI et al. here. Although the attestation ecosystem is less well developed than the SBOM ecosystem, there are already some _de facto_ standardised practices emerging. We have been aware of this since the start of development, but we need to make some decisions for the proof of concept.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
