An Overview of Attestations in CI

1 points by jbeckford

deivid

Can someone explain the value of attestations, specificslly when compared with reproducible builds?

If my build is reproducible, what does attestation grant?

val

Attestations allow developers to keep non-deterministic processes in their build, and they don't require checkers to rebuild the package.
- bureado
  
  This.
  
  Additional reads of potential interest include:
  
  https://google.github.io/building-secure-and-reliable-systems/raw/ch14.html
  
  And
  
  https://slsa.dev/spec/draft/build-env-track-basics
  
  Attestations today provide some value by virtue of the emerging serialization conventions, but the true, complete value comes when a trusted (verifiable) builder can prove what happened even in a non-deterministic build.
  - jbeckford
    
    Thanks. I added those links to the doc.