Oops. I did not mean to add the list. Please disregard. Sending to BCC

On Thu, Aug 15, 2024 at 10:46 AM Brandon Lum via lists.spdx.org <lumb=[email protected]> wrote:

> Since the build profile maps to more than just SLSA provenance, we'd
> likely want to snapshot definitions and then create a mapping towards the
> various document types. We don't want a tight dependency between standards,
> but as long as we are compatible in expressibility.
>
> For the future, I wonder if it would be helpful to have something like a
> slsa-users@ mailer for a "list of ecosystem users" that it can include in
> its release process like a mailer (not as verbose a mailer as the main
> mailing list, but something like a pre-release announcer?) to include
> [email protected] in the list.
>
> On Thu, Aug 15, 2024 at 10:33 AM Nisha Kumar <[email protected]> wrote:
>
>> I have to admit: I haven't been following SLSA's evolution as I have been
>> mostly focused on SPDX implementation. Currently, the Yocto project
>> generates SPDX 3.x conforming with the build profile, but I am not sure if
>> they use any of the SLSA provenance variables.
>>
>> nisha
>>
>> On 8/14/24 11:01, Tom Hennen wrote:
>>
>> Hmm, what could we do in SLSA that would make this better in the future?
>>
>> On Wed, Aug 14, 2024 at 2:51 PM Brandon Lum <[email protected]> wrote:
>>
>>> Hmm... I think that perhaps we should snapshot the definitions. I think
>>> it may be a bit late to rename these variables but at least we can be
>>> consistent with the definitions since SLSA is one of a few applications of
>>> the build profile.
>>> My thought is to have a "patch version" size documentation change to
>>> change the statement.
>>>
>>> FYI @Tom Hennen <[email protected]> from the SLSA side.
>>>
>>> "Definitions of "buildType", "configSourceEntrypoint", "configSourceUri",
>>> "parameters" and "environment" follow those defined in SLSA Provenance
>>> v0.2 <https://slsa.dev/provenance/v0.2>."
>>>
>>>
>>> On Thu, Aug 8, 2024 at 2:24 PM Nisha Kumar <[email protected]>
>>> <[email protected]> wrote:
>>>
>>>> Hi There,
>>>>
>>>> SLSA 1.0 has some breaking changes that conflict with some Build
>>>> Profile terms. Specifically, some provenance terms have been lifted off
>>>> SLSA 0.2 that have now been removed from SLSA 1.0
>>>> <https://slsa.dev/spec/v1.0/provenance#v10>. I would like to re-align
>>>> the SPDX 3.0 build profile with SLSA 1.0. Should we restart the build
>>>> profile meetings for this?
>>>>
>>>> ---
>>>> nisha
>>>>
>>>> 
>
>
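The definition quoted in the thread ties the build-profile terms to SLSA v0.2, and Nisha's point is that some of those terms no longer exist in v1.0. The following is an added example, not code from the thread or from the SPDX or SLSA projects: a small consumer-side mapper that reads either predicate version and reports which build-profile terms have no generic field in the version it was given. The sample statements and the example.com buildType URIs are constructed for illustration.

```python
# Added example (not from the thread, SPDX or SLSA): where the v0.2-defined
# build-profile terms still have a generic field in SLSA v1.0 provenance.
from __future__ import annotations
from typing import Any

SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def build_profile_terms(statement: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Return (terms, unmapped): each build-profile term with the value found in
    the predicate, plus the terms that have no generic field in that version."""
    ptype, pred = statement["predicateType"], statement["predicate"]
    if ptype == SLSA_V02:
        inv = pred.get("invocation", {})
        cfg = inv.get("configSource", {})
        terms = {
            "buildType": pred.get("buildType"),
            "configSourceUri": cfg.get("uri"),
            "configSourceEntrypoint": cfg.get("entryPoint"),
            "parameters": inv.get("parameters"),
            "environment": inv.get("environment"),
        }
    elif ptype == SLSA_V1:
        bd = pred["buildDefinition"]
        # v1.0 keeps buildType, puts caller-controlled inputs in
        # externalParameters and builder-controlled ones in internalParameters.
        # The config source is no longer a generic field: where it sits inside
        # externalParameters depends on the buildType, so it stays unmapped here.
        terms = {
            "buildType": bd.get("buildType"),
            "configSourceUri": None,
            "configSourceEntrypoint": None,
            "parameters": bd.get("externalParameters"),
            "environment": bd.get("internalParameters"),
        }
    else:
        raise ValueError(f"unsupported predicateType: {ptype}")
    return terms, [t for t, v in terms.items() if v is None]


# Constructed sample statements; the values are illustrative, not real builds.
V02_SAMPLE = {"predicateType": SLSA_V02, "predicate": {
    "buildType": "https://example.com/build/v0.2", "invocation": {
        "configSource": {"uri": "git+https://example.com/repo", "entryPoint": "build.yml"},
        "parameters": {"target": "all"}, "environment": {"arch": "x86_64"}}}}
V1_SAMPLE = {"predicateType": SLSA_V1, "predicate": {"buildDefinition": {
    "buildType": "https://example.com/build/v1",
    "externalParameters": {"target": "all"}, "internalParameters": {"arch": "x86_64"}}}}
```

Running `build_profile_terms` on the two samples shows the gap directly: the v0.2 statement fills every term, while the v1.0 statement leaves `configSourceUri` and `configSourceEntrypoint` unmapped unless the consumer knows the buildType-specific layout of `externalParameters`.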


View/Reply Online (#5706): https://lists.spdx.org/g/Spdx-tech/message/5706