Clarification on valid in-toto statement encapsulation #918

Open
AdamZWu opened this issue Jul 12, 2023 · 1 comment

AdamZWu commented Jul 12, 2023

SLSA v1.0 specs refer to the in-toto v1 ResourceDescriptor, does that mean a SLSA v1.0 predicate can only be encapsulated by an in-toto statement v1? (i.e. we should not expect an in-toto statement v0.1 to contain a SLSA v1.0 predicate?)

How about the reverse? Could an in-toto statement v1 encapsulate a SLSA v0.1 or v0.2 predicate?

@marcelamelara

My take is that v1 Statements can hold any SLSA version predicate, but the reverse (v1 provenance in pre-v1 Statements) is trickier because pre-v1 Statements (and therefore verifiers) don't know about resource descriptors. Other thoughts?

@kpk47 kpk47 self-assigned this Jul 24, 2023
@kpk47 kpk47 moved this from 🆕 New to 🏗 In progress in Issue triage Jul 31, 2023
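
Added example, not code from this thread or from the SLSA or in-toto projects: a verifier-side check that reads the `_type` and `predicateType` of an attestation and reports the pairing discussed above. The verdict names and the policy (flag v1 provenance inside a pre-v1 Statement) are assumptions taken from the reply above, not a rule from either spec; the sample statements are constructed.

```python
import json
import re

# Type URI shapes used by in-toto Statements and SLSA provenance predicates.
STATEMENT_RE = re.compile(r"^https://in-toto\.io/Statement/v(\d+)(?:\.\d+)*$")
PROVENANCE_RE = re.compile(r"^https://slsa\.dev/provenance/v(\d+)(?:\.\d+)*$")


def _list_at(obj, *path):
    """Follow dict keys along path; return the list found there, else []."""
    for key in path:
        obj = obj.get(key) if isinstance(obj, dict) else None
    return obj if isinstance(obj, list) else []


def check_encapsulation(statement_json: str) -> dict:
    """Report the Statement/provenance version pairing of one attestation.

    Assumed policy (from the reply above, not a spec rule): "needs-review" is
    v1 provenance inside a pre-v1 Statement, "ok" is any other recognised
    pairing, "unknown" is malformed input or an unrecognised type URI.
    """
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError:
        stmt = None
    if not isinstance(stmt, dict):
        return {"verdict": "unknown", "descriptors": 0}
    s = STATEMENT_RE.match(str(stmt.get("_type", "")))
    p = PROVENANCE_RE.match(str(stmt.get("predicateType", "")))
    if not s or not p:
        return {"verdict": "unknown", "descriptors": 0}
    pred = stmt.get("predicate")
    # SLSA v1 predicate fields whose entries are in-toto v1 ResourceDescriptors.
    count = len(_list_at(pred, "buildDefinition", "resolvedDependencies"))
    count += len(_list_at(pred, "runDetails", "byproducts"))
    tricky = int(s.group(1)) < 1 <= int(p.group(1))
    return {"verdict": "needs-review" if tricky else "ok", "descriptors": count}


# Constructed sample data: names and digests are placeholders.
SUBJECT = [{"name": "example.tar.gz", "digest": {"sha256": "0" * 64}}]
V1_PREDICATE = {"buildDefinition": {"resolvedDependencies": [
    {"uri": "git+https://example.com/repo", "digest": {"gitCommit": "0" * 40}}]}}


def sample(stmt_type: str, pred_type: str, predicate: dict) -> str:
    """Build a constructed Statement as JSON text."""
    return json.dumps({"_type": stmt_type, "subject": SUBJECT,
                       "predicateType": pred_type, "predicate": predicate})
```
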