Hello OpenSSF community,
I am working on a project called QSP (fail-closed session protocol framework),
focused on making verification and trust evaluation reproducible.
Stage271 introduces a concept where external review itself becomes
a verifiable artifact.
Instead of treating review as a trust-only statement,
this stage records review outcomes as:
- structured JSON records
- Ed25519 signatures
- SHA256-linked chain
- CI-based re-verification
What is new
Stage270 proves a verification decision (accept/reject).
Stage271 extends this by proving:
- that a review record exists
- which artifact was reviewed
- that it was signed
- that it is linked in a tamper-evident chain
- that it can be re-verified later
In short:
- Stage270 = decision proof
- Stage271 = review proof
Repository
https://github.com/mokkunsuzuki-code/stage271
Quick verification:
git clone https://github.com/mokkunsuzuki-code/stage271.git
cd stage271
pip install cryptography
python tools/verify_stage271_review_chain.py
Question
I would appreciate feedback on:
Does this approach align with supply-chain security practices?
Is "verifiable review record" a meaningful concept in this space?
Are there similar efforts in OpenSSF / SLSA / provenance work?
Note
This is not a claim of formal peer review or standard compliance.
The goal is to explore making review records auditable and reproducible.
Thank you for your time.
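The record structure the post describes (structured JSON records, Ed25519 signatures, a SHA256-linked chain, re-verification in CI) as an added example that is not part of the original post or of the Stage271 repository. It is written in Go with only the standard library so that it runs without installing anything; the project itself uses Python. The field layout of the record, the reviewer-id-to-key lookup, the all-zero genesis hash and the sample artifact digests are assumptions of this example, not the project's schema:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// GenesisHash is the prev_hash of the first record. A fixed all-zero value is
// an assumption of this example, not something the Stage271 repo specifies.
var GenesisHash = strings.Repeat("0", 64)

// ReviewRecord is a hypothetical record layout (assumed here, not the Stage271
// schema): which artifact was reviewed, by whom, with what outcome, and the
// hash of the record that came before it.
type ReviewRecord struct {
	Seq      int    `json:"seq"`
	Artifact string `json:"artifact"`  // digest of the artifact under review
	Reviewer string `json:"reviewer"`  // key id looked up in the trusted set
	Outcome  string `json:"outcome"`   // "accept" or "reject"
	PrevHash string `json:"prev_hash"` // hex SHA-256 of the previous record's canonical bytes
}

// SignedRecord pairs a record with the Ed25519 signature over its canonical bytes.
type SignedRecord struct {
	Record    ReviewRecord `json:"record"`
	Signature string       `json:"signature"` // hex-encoded 64-byte signature
}

// canonical returns the bytes that are signed and hashed. encoding/json emits
// struct fields in declaration order with no whitespace, so a record always
// canonicalizes to the same bytes, also after being stored and reloaded as JSON.
func canonical(r ReviewRecord) []byte {
	b, err := json.Marshal(r)
	if err != nil {
		panic(err) // cannot happen for a struct of ints and strings
	}
	return b
}

func hashOf(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AppendRecord builds the next record, links it to the previous one by hash
// and signs it with the reviewer's private key.
func AppendRecord(chain []SignedRecord, priv ed25519.PrivateKey, artifact, reviewer, outcome string) []SignedRecord {
	prev := GenesisHash
	if n := len(chain); n > 0 {
		prev = hashOf(canonical(chain[n-1].Record))
	}
	rec := ReviewRecord{Seq: len(chain), Artifact: artifact, Reviewer: reviewer, Outcome: outcome, PrevHash: prev}
	sig := ed25519.Sign(priv, canonical(rec))
	return append(chain, SignedRecord{Record: rec, Signature: hex.EncodeToString(sig)})
}

// VerifyChain is the fail-closed check a CI job would run: an unknown reviewer,
// an unexpected outcome, a bad signature, a sequence gap or a broken hash link
// rejects the whole chain, not just the offending record.
func VerifyChain(chain []SignedRecord, trusted map[string]ed25519.PublicKey) error {
	prev := GenesisHash
	for i, sr := range chain {
		r := sr.Record
		if r.Seq != i {
			return fmt.Errorf("record %d: sequence number %d out of order", i, r.Seq)
		}
		if r.PrevHash != prev {
			return fmt.Errorf("record %d: prev_hash does not match the preceding record", i)
		}
		if r.Outcome != "accept" && r.Outcome != "reject" {
			return fmt.Errorf("record %d: unknown outcome %q", i, r.Outcome)
		}
		pub, ok := trusted[r.Reviewer]
		if !ok {
			return fmt.Errorf("record %d: reviewer %q is not in the trusted set", i, r.Reviewer)
		}
		msg := canonical(r)
		sig, err := hex.DecodeString(sr.Signature)
		if err != nil || !ed25519.Verify(pub, msg, sig) {
			return fmt.Errorf("record %d: signature does not verify", i)
		}
		prev = hashOf(msg)
	}
	return nil
}

// VerifyChainJSON re-verifies a chain that was stored as JSON (the "re-verify
// later" step): nothing in the file is trusted beyond what the signatures and
// hash links prove.
func VerifyChainJSON(data []byte, trusted map[string]ed25519.PublicKey) error {
	var chain []SignedRecord
	if err := json.Unmarshal(data, &chain); err != nil {
		return fmt.Errorf("malformed chain file: %w", err)
	}
	return VerifyChain(chain, trusted)
}

func main() {
	// Constructed demo: one trusted reviewer, two records, then a flipped decision.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	trusted := map[string]ed25519.PublicKey{"reviewer-a": pub}
	chain := AppendRecord(nil, priv, "sha256:"+hashOf([]byte("artifact v1")), "reviewer-a", "accept")
	chain = AppendRecord(chain, priv, "sha256:"+hashOf([]byte("artifact v2")), "reviewer-a", "reject")
	stored, _ := json.MarshalIndent(chain, "", "  ")
	fmt.Println("stored chain verifies (nil means ok):", VerifyChainJSON(stored, trusted))
	chain[0].Record.Outcome = "reject" // rewrite a past decision in place
	fmt.Println("tampered chain:", VerifyChain(chain, trusted))
}
```

The design point worth noting is that the verifier never takes the stored hash from the file: it recomputes each record's hash from the canonical bytes it just verified the signature over, so a record cannot be edited and its stored hash patched to match. A real deployment would also need a policy for which public keys belong in the trusted set and how that set is itself distributed, which this example leaves as an input.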