I have to admit: I haven't been following SLSA's evolution as I have
been mostly focused on SPDX implementation. Currently, the Yocto Project
generates SPDX 3.x conforming with the build profile, but I am not sure
if they use any of the SLSA provenance variables.
nisha
On 8/14/24 11:01, Tom Hennen wrote:
Hmm, what could we do in SLSA that would make this better in the future?
On Wed, Aug 14, 2024 at 2:51 PM Brandon Lum <[email protected]> wrote:
Hmm... I think that perhaps we should snapshot the definitions. I
think it may be a bit late to rename these variables but at least
we can be consistent with the definitions since SLSA is one of a
few applications of the build profile.
My thought is to have a "patch version" size documentation change
to change the statement.
FYI @Tom Hennen from the SLSA side.
"Definitions of "buildType", "configSourceEntrypoint",
"configSourceUri", "parameters" and "environment" follow those
defined in SLSA Provenance v0.2 <https://slsa.dev/provenance/v0.2>."
On Thu, Aug 8, 2024 at 2:24 PM Nisha Kumar <[email protected]> wrote:
Hi There,
SLSA 1.0 has some breaking changes that conflict with some
Build Profile terms. Specifically, some provenance terms have
been lifted off SLSA 0.2 that have now been removed from SLSA
1.0 <https://slsa.dev/spec/v1.0/provenance#v10>. I would like
to re-align the SPDX 3.0 build profile with SLSA 1.0. Should
we restart the build profile meetings for this?
---
nisha
View/Reply Online (#5704): https://lists.spdx.org/g/Spdx-tech/message/5704