SLSA uses provenance to indicate whether an artifact is authentic or not, but provenance doesn’t do anything unless somebody inspects it.
Package ecosystems verify an artifact’s provenance against a set of expectations.
Example threats in this category include building from an unofficial fork or abusing a build parameter to modify the build. Usually expectations identify the canonical source repository (which is the main external parameter)
A package version is considered to meet a given SLSA level if and only if the package ecosystem has verified its provenance against the package’s expectations.
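The following is an added illustration of the verification step described above; it is not code from the SLSA project. It builds a constructed in-toto Statement carrying a SLSA v1 provenance predicate and checks it against a consumer's expectations: the artifact digest, the trusted builder ID, the canonical source repository (the main external parameter), and that no external parameters beyond the expected set were supplied. The builder ID, repository URL, build type and the `source`/`ref` parameter names are assumptions for the example (real external parameters are defined per build type); envelope signature checking is assumed to have happened earlier.

```python
import hashlib

SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"

# Constructed expectations for a hypothetical package. The builder ID and
# repository URL are assumptions for this example, not values from any project.
EXPECTATIONS = {
    "builder_id": "https://example.com/builders/hosted/v1",
    "source_repository": "https://example.com/org/project",
    # External parameters the consumer is willing to accept; anything else
    # is treated as an attempt to modify the build through a parameter.
    "allowed_external_parameters": {"source", "ref"},
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(artifact: bytes, builder_id: str, external_parameters: dict) -> dict:
    """Construct an in-toto Statement with a SLSA v1 provenance predicate.
    Only the fields the check below reads are populated (constructed sample)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "pkg-1.0.0.tar.gz", "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": SLSA_V1_PREDICATE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.com/build-types/generic/v1",  # assumed
                "externalParameters": external_parameters,
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def verify_provenance(statement: dict, artifact: bytes, expectations: dict) -> list:
    """Return the list of expectation violations; an empty list means the
    artifact meets the consumer's expectations for this package."""
    problems = []
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
        return problems

    # 1. The provenance must describe this artifact: its digest must be a subject.
    digest = sha256_hex(artifact)
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        problems.append("artifact digest not listed in provenance subject")

    predicate = statement.get("predicate", {})

    # 2. The provenance must come from a builder the consumer trusts.
    builder_id = predicate.get("runDetails", {}).get("builder", {}).get("id")
    if builder_id != expectations["builder_id"]:
        problems.append(f"builder {builder_id!r} is not the expected builder")

    # 3. The canonical source repository is the main external parameter;
    #    a build from an unofficial fork fails here.
    params = predicate.get("buildDefinition", {}).get("externalParameters", {})
    if params.get("source") != expectations["source_repository"]:
        problems.append(f"source {params.get('source')!r} is not the canonical repository")

    # 4. Any external parameter the consumer did not anticipate could change
    #    what was built, so the parameter set itself is part of the expectation.
    unexpected = set(params) - expectations["allowed_external_parameters"]
    if unexpected:
        problems.append(f"unexpected external parameters: {sorted(unexpected)}")
    return problems


ARTIFACT = b"constructed package contents\n"  # stands in for the downloaded artifact


def demo() -> dict:
    """Run the check over a conforming statement and three constructed violations."""
    canonical = {"source": EXPECTATIONS["source_repository"], "ref": "refs/tags/v1.0.0"}
    good = make_statement(ARTIFACT, EXPECTATIONS["builder_id"], canonical)
    fork = make_statement(ARTIFACT, EXPECTATIONS["builder_id"],
                          {"source": "https://example.com/someone-else/project", "ref": "refs/tags/v1.0.0"})
    extra_param = make_statement(ARTIFACT, EXPECTATIONS["builder_id"],
                                 dict(canonical, build_script="custom.sh"))  # constructed extra parameter
    return {
        "good": verify_provenance(good, ARTIFACT, EXPECTATIONS),
        "fork": verify_provenance(fork, ARTIFACT, EXPECTATIONS),
        "extra_param": verify_provenance(extra_param, ARTIFACT, EXPECTATIONS),
        "wrong_artifact": verify_provenance(good, b"some other bytes\n", EXPECTATIONS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'OK' if not result else result}")
```

The check returns a list of findings rather than a boolean so that a package ecosystem can log every failed expectation for the version, and it rejects on any unexpected external parameter rather than only on a wrong `source`, because the spec's threat model covers parameter abuse as well as unofficial forks.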