Since the build profile maps to more than just SLSA provenance, we'd likely want to snapshot definitions and then create a mapping towards the various document types. We don't want a tight dependency between standards, as long as we are compatible in expressibility.
For the future, I wonder if it would be helpful to have something like a slsa-users@ mailer for a "list of ecosystem users" that it can include in its release process (not as verbose a mailer as the main mailing list, but something like a pre-release announcer?) to include [email protected] in the list.

On Thu, Aug 15, 2024 at 10:33 AM Nisha Kumar <[email protected]> wrote:

> I have to admit: I haven't been following SLSA's evolution as I have been
> mostly focused on SPDX implementation. Currently, the Yocto project
> generates SPDX 3.x conforming with the build profile, but I am not sure if
> they use any of the SLSA provenance variables.
>
> nisha
>
> On 8/14/24 11:01, Tom Hennen wrote:
>
>> Hmm, what could we do in SLSA that would make this better in the future?
>>
>> On Wed, Aug 14, 2024 at 2:51 PM Brandon Lum <[email protected]> wrote:
>>
>>> Hmm... I think that perhaps we should snapshot the definitions. I think
>>> it may be a bit late to rename these variables, but at least we can be
>>> consistent with the definitions, since SLSA is one of a few applications of
>>> the build profile.
>>> My thought is to have a "patch version" size documentation change to
>>> change the statement.
>>>
>>> FYI @Tom Hennen <[email protected]> from the SLSA side.
>>>
>>> "Definitions of "buildType", "configSourceEntrypoint",
>>> "configSourceUri", "parameters" and "environment" follow those defined in
>>> SLSA Provenance v0.2 <https://slsa.dev/provenance/v0.2>."
>>>
>>> On Thu, Aug 8, 2024 at 2:24 PM Nisha Kumar <[email protected]> wrote:
>>>
>>>> Hi There,
>>>>
>>>> SLSA 1.0 has some breaking changes that conflict with some Build Profile
>>>> terms. Specifically, some provenance terms have been lifted off SLSA 0.2
>>>> that have now been removed from SLSA 1.0
>>>> <https://slsa.dev/spec/v1.0/provenance#v10>. I would like to re-align
>>>> the SPDX 3.0 build profile with SLSA 1.0. Should we restart the build
>>>> profile meetings for this?
>>>>
>>>> ---
>>>> nisha

View/Reply Online (#5705): https://lists.spdx.org/g/Spdx-tech/message/5705
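The breaking change the thread is about is concrete: the v0.2 fields the SPDX 3.0 Build profile borrows by reference (buildType, configSource uri/entryPoint, parameters, environment) do not exist under those names in SLSA v1.0, where they are re-homed under buildDefinition (buildType, externalParameters, internalParameters, resolvedDependencies) and runDetails. The following is an added illustration, not code from SPDX, SLSA or anyone on this thread: it rewrites a constructed v0.2 predicate into the v1.0 shape following the field correspondences in the SLSA v1.0 "migrating from 0.2" notes, and reports which v0.2 fields have no v1.0 home. The externalParameters key names used for configSource ("source", "entryPoint") are an assumption, since v1.0 leaves those names to the buildType; the sample predicate, builder id and buildType URIs are constructed.

```python
import copy

V02_TYPE = "https://slsa.dev/provenance/v0.2"
V1_TYPE = "https://slsa.dev/provenance/v1"

# Constructed sample v0.2 predicate (not a real build). It carries the five
# fields the SPDX 3.0 Build profile defines "as in SLSA Provenance v0.2".
SAMPLE_V02 = {
    "builder": {"id": "https://example.com/builders/bitbake"},   # assumed
    "buildType": "https://example.com/buildtypes/bitbake@v1",   # assumed
    "invocation": {
        "configSource": {
            "uri": "git+https://example.com/meta-layer@refs/heads/main",
            "digest": {"sha1": "a" * 40},
            "entryPoint": "build.sh",
        },
        "parameters": {"target": "core-image-minimal"},
        "environment": {"MACHINE": "qemux86-64"},
    },
    "metadata": {
        "buildInvocationId": "run-42",
        "buildStartedOn": "2024-08-08T14:00:00Z",
        "buildFinishedOn": "2024-08-08T15:00:00Z",
        "completeness": {"parameters": True, "environment": False, "materials": True},
        "reproducible": False,
    },
    "materials": [
        {"uri": "pkg:generic/poky@5.0", "digest": {"sha256": "b" * 64}},
    ],
}


def migrate_v02_to_v1(pred: dict) -> tuple[dict, list[str]]:
    """Re-express a SLSA v0.2 predicate in the v1.0 shape.

    Returns (v1_predicate, dropped_fields). Correspondences:
      buildType               -> buildDefinition.buildType
      invocation.configSource -> externalParameters (assumed keys "source",
                                 "entryPoint") AND resolvedDependencies
      invocation.parameters   -> buildDefinition.externalParameters
      invocation.environment  -> buildDefinition.internalParameters
      materials               -> buildDefinition.resolvedDependencies
      builder.id              -> runDetails.builder.id
      metadata.build*         -> runDetails.metadata.{invocationId,startedOn,finishedOn}
      metadata.completeness / metadata.reproducible / buildConfig: no v1.0 field
    """
    inv = pred.get("invocation", {})
    meta = pred.get("metadata", {})
    dropped: list[str] = []

    external = copy.deepcopy(inv.get("parameters", {}))
    config = inv.get("configSource")
    artifact_ref = None
    if config:
        # The config source is both what the user asked for (external
        # parameter) and what was actually fetched (resolved dependency).
        artifact_ref = {k: v for k, v in config.items() if k in ("uri", "digest")}
        external["source"] = artifact_ref
        if "entryPoint" in config:
            external["entryPoint"] = config["entryPoint"]

    resolved = copy.deepcopy(pred.get("materials", []))
    if artifact_ref:
        resolved.insert(0, dict(artifact_ref))

    run_meta = {}
    for old, new in (("buildInvocationId", "invocationId"),
                     ("buildStartedOn", "startedOn"),
                     ("buildFinishedOn", "finishedOn")):
        if old in meta:
            run_meta[new] = meta[old]
    for gone in ("completeness", "reproducible"):
        if gone in meta:
            dropped.append(f"metadata.{gone}")
    if "buildConfig" in pred:
        dropped.append("buildConfig")

    v1 = {
        "buildDefinition": {
            "buildType": pred["buildType"],
            "externalParameters": external,
            "internalParameters": copy.deepcopy(inv.get("environment", {})),
            "resolvedDependencies": resolved,
        },
        "runDetails": {
            "builder": {"id": pred["builder"]["id"]},
            "metadata": run_meta,
        },
    }
    return v1, dropped


def uses_v02_names(pred: dict) -> bool:
    """True if a predicate still uses top-level v0.2-only names. Handy as a
    check on documents that claim the v1.0 predicateType."""
    return any(k in pred for k in ("invocation", "materials", "buildConfig"))


if __name__ == "__main__":
    v1, dropped = migrate_v02_to_v1(SAMPLE_V02)
    print(V1_TYPE, "uses v0.2 names:", uses_v02_names(v1), "dropped:", dropped)
```

The point for the Build profile mapping is the two fields with no v1.0 counterpart: anything in the profile that was defined by reference to metadata.completeness or metadata.reproducible cannot simply be re-pointed at v1.0 and needs its own definition (or removal), while the five fields quoted in the thread all have a destination under buildDefinition.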
