Add predicates for human reviews #151
base: main
Changes from 7 commits
e1db1d9
a6edb01
9f98b89
10614e7
c29b165
0475f64
d39f850
545dc62
8f6a088
Before this new predicate, I was completely unfamiliar with Crev. To provide extra context for other in-toto users, I think it would be very helpful to give a short description of what Crev is, why it's useful, and how developers can use it. It might even be useful to point to the Rust implementation as an example.
Also, this description only mentions the dependency source code aspect of Crev, though the rest of this spec, and especially the examples, do include the package review capabilities of Crev as well. I'd clarify this.
I'd be a bit more specific and say that the subject corresponds to the "package" field of a Crev Package Review Proof.
A question and a suggestion. Q: What are possible `idType` values, and who determines these? Rec: I'd add in here that this field is intended to correspond to the `from` field in the Code Review Proofs format when the `idType` matches the ID for Crev.
There's a bit of a disconnect here, because the crev code review type includes `from`, but it is missing from the package review type. Same for `date`. I suspect `date` may be omitted as a package-wide review is meant as an ongoing document with updates as new versions / advisories emerge. On the other hand, I'm not sure about the `from` field. I wonder if in the in-toto context we want to drop it and lean entirely on the signature. That takes us to a broader conversation about how in-toto supports crev, though.
Which consumers, if any, of this predicate need to be able to parse/care about the contents of the `comment` field? This would be helpful info.