Conversation
chmeliik reviewed, Oct 10, 2025 (737d69d to 641fe03)
chmeliik approved these changes, Oct 15, 2025
chmeliik left a comment:
This makes sense to me. Do we also want to say something about git submodules, or leave that for the future?
ifireball reviewed, Oct 15, 2025 (641fe03 to 78d2e1f)
The verification task already captures the public key as a task parameter, which is included in the build attestation by Tekton Chains. Recording it again in task results is redundant.

Updates three references:
- Removes bullet point about recording public key in results from verification workflow section
- Clarifies Conforma reads public key from task parameters, not results
- Removes duplicate line from implementation requirements section

Addresses review feedback from chmeliik in PR #268.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
arewm requested changes, Oct 28, 2025

Author: Re: #268 (comment) Updated the text to clarify that the public key is read from the provenance attestation of the verification task (which includes the task parameters).
Updates based on code review feedback:
1. Clarify that Conforma reads the public key from the provenance attestation of the verification task (which includes task parameters)
2. Add explicit mention that Conforma verifies trust in the source verification task itself using Trusted Tasks mechanisms (ADR 53)
3. Specify that the verification task will be maintained in build-definitions with possibility of future relocation
4. Remove "OCI storage overhead" from negative consequences as the duplication provides desirable availability/reliability benefits
5. Clarify ITS provisioning is a capability for deployments that choose to adopt source provenance verification, not a mandatory global rollout

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>

Updates based on second round of review feedback:
1. Clarify relationship between Build Track and Source Track in Context section, providing better foundation for discussing source provenance
2. Specify OCI storage mechanism: task uses OCI referrers API (via oras attach) with container image as subject of OCI reference (git commit remains subject within VSA payload)
3. Note that Conforma supports both tag-based and referrers-based attestation storage mechanisms
4. Expand trust model explanation to include reliance on Trusted Tasks mechanisms for verifying task provenance
5. Add timing consideration as race condition mitigation: typical workflows have builds taking longer than VSA generation, reducing likelihood of unfavorable race condition outcomes

🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>
ralphbean commented, Oct 31, 2025:
After discussion, we learned that the tag-based fallback is unsupportable here.
arewm approved these changes, Oct 31, 2025
arewm left a comment:
Thanks for the clarifications and updates. Approved.
ralphbean added a commit that referenced this pull request, Nov 3, 2025:
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Ralph Bean <rbean@redhat.com>