Danny Nebenzahl; dn@scribesecurity.com
SLSA lvl 3 is hard. Lvl 4 was hard enough that it will probably not happen broadly; maybe for specific projects.
git doesn’t offer 2-factor auth.
History rewriting is only possible by “trusted platform admins with two-party approval” <- this doesn’t exist. This is an issue for things like secret leakage.
SLSA is a little checklist-y, which doesn’t take into account the “risk management” mindset.
- We may reasonably disagree with the need for something based on other factors not accounted for by SLSA.