Just a note – we’re about to freeze the 3.0.1 patch release which already contains some corrections which may be considered “breaking” – if these changes to the SPDX spec may be breaking, we may want to get those changes in very soon.
Gary From: [email protected] <[email protected]> On Behalf Of Tom Hennen via lists.spdx.org Sent: Wednesday, August 14, 2024 11:01 AM To: Brandon Lum <[email protected]> Cc: Nisha Kumar <[email protected]>; SPDX Technical Mailing List <[email protected]>; Joshua Watt <[email protected]> Subject: Re: [spdx-tech] Align SLSA 1.0 with SPDX 3.0 build profile Hmm, what could we do in SLSA that would make this better in the future? On Wed, Aug 14, 2024 at 2:51 PM Brandon Lum <[email protected] <mailto:[email protected]> > wrote: Hmm... i think that perhaps we should snapshot the definitions. I think it may be a bit late to rename these variables but at least we can be consistent with the definitions since SLSA is one of a few applications of the build profile. My thought is to have a "patch version" size documentation change to change the statement. FYI @Tom Hennen <mailto:[email protected]> from the SLSA side. "Definitions of "buildType", "configSourceEntrypoint", "configSourceUri", "parameters" and "environment" follow those defined in <https://slsa.dev/provenance/v0.2> SLSA Provenance v0.2." On Thu, Aug 8, 2024 at 2:24 PM Nisha Kumar <[email protected] <mailto:[email protected]> > wrote: Hi There, SLSA 1.0 has some breaking changes that conflict with some Build Profile terms. Specifically, some provenance terms have been lifted off SLSA 0.2 that have now been removed from SLSA 1.0 <https://slsa.dev/spec/v1.0/provenance#v10> . I would like to re-align the SPDX 3.0 build profile with SLSA 1.0. Should we restart the build profile meetings for this? --- nisha -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5707): https://lists.spdx.org/g/Spdx-tech/message/5707 Mute This Topic: https://lists.spdx.org/mt/107795144/21656 Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
