[Build Profile] SLSA Provenance known issues


Mark Lodato
 

At Monday's Build Profile meeting, we looked at SLSA Provenance v0.2 as prior art for the build profile schema. As promised, here is a list of the known issues with v0.2 that can hopefully be improved upon in the SPDX Build Profile: https://github.com/slsa-framework/slsa/issues/460

Reminder: the larger SLSA framework is out of scope. We're just talking about the SLSA Provenance schema, which overlaps heavily with the SPDX Build Profile.

I personally am hoping that the Build Profile can satisfy all of SLSA's needs so that we can deprecate the SLSA Provenance format, but there has not yet been community discussion on this topic, let alone consensus.

Best,
Mark Lodato