https://slsa.dev/spec/v1.0/verifying-artifacts --- Broader picture with fewer details, plus an assignment between Package Ecosystem vs Consumer that may not be accurate (e.g. what if the Consumer does the verification)
@joshuagl and I discussed a possible reorganization:
- Move all of the content to the spec, with the provenance page just linking there. This way there's no jumping back and forth.
- In the spec, say that we assume the reader is using slsa.dev/provenance/v1, but explain that if they are using something else they need to do the equivalent. This would also force us to explain each step to say why we're doing it.
- Organize the page as follows (not sure of section titles):
  - Overview / what the purpose of verification is
  - Talk about architecture options:
    - package ecosystem vs consumer --- we recommend moving the work to the ecosystem but it's not mandatory.
Right now the steps to verify an artifact are split between two pages: