-
Notifications
You must be signed in to change notification settings - Fork 229
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
content: resourceUri SHOULD match the download URI #1220
Conversation
When verifying VSAs consumers are expected to match the resourceUri with the 'expected value' but the spec doesn't currently indicate how that expected value is to be determined. In this change we suggest the resourceUri be set to the URI the consumer will fetch the artifact from. If it's set to something else the producer MUST tell the user how to determine the expected value. fixes slsa-framework#1212 Signed-off-by: Tom Hennen <[email protected]>
✅ Deploy Preview for slsa ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
@adityasaky this was your suggestion, so I'd love your thoughts too. |
Signed-off-by: Tom Hennen <[email protected]>
Signed-off-by: Tom Hennen <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
I think we need one more maintainer to approve this PR before we merge. @lehors, @trishankatdatadog, or @mlieberman85 would you mind taking a look? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
When verifying VSAs consumers are expected to match the resourceUri with the 'expected value' but the spec doesn't currently indicate how that expected value is to be determined.
In this change we suggest the resourceUri be set to the URI the consumer will fetch the artifact from. If it's set to something else the producer MUST tell the user how to determine the expected value.
fixes #1212