Date: April 14, 2026
Total open issues: 226
Audited by: Mike Lieberman
SLSA versions: v1.0 (Apr 2023), v1.1 (Apr 2025), v1.2 (Nov 2025)
Every issue was individually reviewed: body, comments, and related PRs checked.
Since this audit was published on April 14, 57 stale issues have been closed across four batched review passes.
All closures used a single comment: "Closing as inactive — no activity since this was filed. If it's still worth looking at, feel free to reopen or file a new ticket with updated context."
Sorted by number:
#15, #24, #36, #60, #61, #70, #77, #110, #124, #136, #161, #184, #194, #229, #234, #253, #315, #346, #348, #350, #351, #352, #365, #369, #377, #382, #394, #397, #407, #421, #424, #452, #454, #457, #491, #505, #535, #537, #576, #586, #647, #648, #682, #697, #709, #752, #776, #780, #805, #808, #835, #837, #850, #913, #918, #949, #1004
| Tier | In audit | Closed | Remaining |
|---|---|---|---|
| Tier 1 — Stale/Abandoned | 29 | 20 | 9 (#809, #985, #992, #1020, #1043, #1061, #1062, #1099, #1100) |
| Tier 2 — Likely Resolved | 16 | 4 | 12 (incl. #11, #62, #653, #674, #728, #758, #760, #806, #1047, #1089, #1273, #1577) |
| Tier 3 — Vague/Underspecified | 15 | 10 | 5 (#286, #453, #866, #1012, #1473) |
| Tier 4 — Duplicates | 10 close candidates | 3 | 7 (#278, #804, #849, #873, #1064, #1151, #1566) |
| Tier 5 — Individually reviewed | 48 | 18 | 30 |
| Needs human decision | 11 | 0 | 11 — unchanged |
| Needs marcelamelara review | 13 | 0 | 13 — unchanged |
- Finish tiers 1–4 (33 more stale/duplicate issues)
- Complete Tier 5 second pass (30 remaining)
- Raise the 11 "Needs Human Decision" issues at a SLSA community meeting or in an umbrella issue
- Ping marcelamelara on the 13 BuildEnv backlog items
Progress update generated April 24, 2026. Original audit below is preserved unchanged.
Nearly half of the 226 open issues predate the v1.0 release (April 2023). Many were never revisited after the spec shipped. This creates noise for contributors and makes it hard to tell what's actually active.
| Metric | Count |
|---|---|
| Total open | 226 |
| Opened before v1.0 (Apr 2023) | 107 (47%) |
| Opened before v1.0 and never updated since | 86 (38%) |
| Not updated in >1 year | 169 (75%) |
| Not updated in >2 years | 121 (54%) |
| Zero comments | 64 (28%) |
Recommendation: ~118 issues can be closed. 11 need a human spec decision. 13 need marcelamelara to review. That leaves ~84 genuinely active issues.
Tier 1, Stale/Abandoned (29 issues): zero or near-zero engagement, >2 years without activity. Safe to batch-close with: "Closing due to extended inactivity. The SLSA spec has evolved significantly (now at v1.2). Please reopen with updated context if still relevant."
| Issue | Title | Last update | Comments |
|---|---|---|---|
| #70 | Introduce concept of "coverage" | 4.8y ago | 0 |
| #77 | slsa/walkthrough a bit outdated | 4.8y ago | 0 |
| #124 | Link to azure-devops-demo | 4.7y ago | 0 |
| #136 | Move provenance issues from attestation repo | 4.7y ago | 0 |
| #229 | Decide on "contributor"/"member" role | 4.4y ago | 0 |
| #253 | Create reusable SLSA compliance template | 4.3y ago | 0 |
| #348 | New Threat type ideas | 4.0y ago | 0 |
| #352 | Helm provenance vs SLSA provenance | 4.0y ago | 0 |
| #407 | Rewrite the "get started page" | 3.8y ago | 0 |
| #576 | Downloadable version in .xlsx | 3.2y ago | 0 |
| #647 | Clarify: supply chain as a DAG | 3.1y ago | 0 |
| #648 | How should resolvedDependencies be verified? | 3.1y ago | 0 |
| #709 | Clarify "inventory" claim of Build L1 | 3.1y ago | 0 |
| #776 | FAQ: how does SLSA apply to runtime environments? | 3.0y ago | 0 |
| #780 | Provenance v1: make required fields more obvious | 3.0y ago | 0 |
| #809 | Collapse header categories in 1.0 nav bar? | 3.0y ago | 0 |
| #835 | (duplicate of #809) | 3.0y ago | 0 |
| #837 | Tracking issue for big open source projects | 3.0y ago | 0 |
| #850 | SLSA 1.0 Feedback from KubeCon EU | 3.0y ago | 0 |
| #913 | Tooling for good squash commit messages | 2.8y ago | 1 |
| #949 | Reframe levels page around consumer trust | 2.7y ago | 0 |
| #985 | Workstream: Build Platform Operations Track | 2.5y ago | 0 |
| #992 | Clarify threat model trust boundaries | 2.5y ago | 0 |
| #1020 | Slack invite is invalid | 2.2y ago | 0 |
| #1043 | YouTube playlist not updating | 2.0y ago | 0 |
| #1061 | Tie-ins with OpenChain ISO 18974/S2C2F | 1.9y ago | 0 |
| #1062 | Clarify what "control plane" means | 1.9y ago | 0 |
| #1099 | Repository vs. project: define terms | 1.7y ago | 0 |
| #1100 | Audit org members | 1.7y ago | 0 |
Tier 2, Likely Resolved (16 issues):

| Issue | Title | Why likely resolved |
|---|---|---|
| #11 | What about curl \| sh ? | Has "applied ruling" label |
| #62 | README Alpine build process incomplete | Doc bug from 2021 |
| #394 | Clarify "policy" in provenance v0.2 | v0.2 is ancient history |
| #653 | Feedback on v1.0 RC | RC period closed 3 years ago |
| #674 | Common Requirements track missing from Future Directions | Future directions updated |
| #682 | Clarification of diagram and terminology | v1.0 reworked diagrams |
| #728 | Restructure URIs to /version/page? | Site restructured |
| #752 | Builder.id and VSA relationship | VSA spec evolved |
| #758 | "attestation" vs "provenance" consistency | Terminology standardized |
| #760 | Recommended term for company's interpretation of SLSA | v1.0 settled terminology |
| #805 | Who is SLSA — Software Producers clarity | Page content evolved |
| #806 | v1.0 dropping scope from 0.1 is weird | v1.0 shipped, decision made |
| #1047 | Google preferring v0.1 over v1.0 in search | SEO issue from 2024 |
| #1089 | Enable CODEOWNERS for PR review? | Repo governance, likely done |
| #1273 | Website home page is out of date | Likely addressed |
| #1577 | Broken link to SPDX attestation predicate | Specific link fix |
Tier 3, Vague/Underspecified (15 issues):

| Issue | Title | Age | Comments |
|---|---|---|---|
| #36 | SLSA and automatic dependency rolling | 4.9y | 3 |
| #61 | SLSA 4 artifacts with SLSA 0 dependencies? | 4.8y | 2 |
| #161 | SLSA Provenance for License checks? | 4.6y | 1 |
| #286 | Defining SLSA level for an organization | 4.2y | 11 |
| #315 | Non-falsifiable provenance metadata | 4.1y | 2 |
| #346 | Official SLSA level dataset for OSS? | 4.0y | 2 |
| #377 | Output SLSA as spreadsheet | 4.0y | 2 |
| #452 | Positioning SIG: Assess frameworks | 3.7y | 1 |
| #453 | Positioning SIG: Scope and Charter | 3.5y | 3 |
| #457 | SLSA logo icon | 3.7y | 2 |
| #537 | Signing and Provenance | 3.4y | 2 |
| #697 | Need list of all available tooling? | 3.1y | 1 |
| #866 | Framework vs. compliance vs. maturity model | 2.8y | 4 |
| #1012 | Add non-normative examples | 2.3y | 1 |
| #1473 | Requirements in spreadsheet format | 8mo | 0 |
Tier 4, Duplicates (10 close candidates; numbers in parentheses are comment counts):

| Keep | Close | Topic |
|---|---|---|
| #362 (26) | #365 (1) | "Service Generated" definition |
| #350 | #351 | Provenance materials / build granularity |
| #277 (9) | #278 (6) | Hermeticity / parameterless at L4 |
| #681 (5) | #397 (2) | resolvedDependencies |
| #716 (15) | #849 (3) | SLSA level in builder identity |
| #863 (24) | #873 (14) | Build L2 trust / verifiable builds |
| #878 (18) | #804 (6) | VSA field structure |
| #1063 (6) | #1064 (3) | Getting started with GitHub Actions |
| #1554 | #1566 | Track Specification Template |
| #1150 (2) | #1151 (0) | Container build env attestation |
Tier 5, Individually reviewed (48 issues). Each was verified by reading the body and comments and checking related PRs.
| Issue | Title | Why close |
|---|---|---|
| #5 | Reproducible builds / SLSA 5 | v1.0 restructured levels. Reproducibility in #873/#230 |
| #15 | Digital signatures? Cite sigstore | #55 addressed this. Sigstore is the standard |
| #20 | Rationale/examples for requirements | Stale 4 years, volunteer never followed through |
| #24 | SLSA 4 require dependency retention? | v1.0 restructured requirements |
| #39 | Audience-specific how-to guidance | Spec part → #188. Guidance part stale 3.5y |
| #60 | "hermetic" ambiguity | v1.0 defined terminology. Build-env track handles hermeticity |
| #93 | Single maintainer guidance | Answered: can't reach highest level, by design |
| #94 | One-person review? | MarkLodato redirected to #306 |
| #95 | Pair and mob programming | v1.0 restructured review requirements; source track now |
| #101 | Distribute public keys for attestations | Sigstore solved this |
| #110 | "data owner" vs "system admin" | Deferred to post-v1.0, never picked up |
| #135 | Scope of SLSA vs CNCF whitepaper | v1.0 defined scope |
| #156 | Dependencies, OS packages and pinning | Last comment: "See #235" |
| #184 | Reproducible build inputs | Superseded by #873 and #230 |
| #194 | Wishlist for higher SLSA levels | v1.0 defined levels |
| #211 | Build service guarantees via attestations | 1 comment from 2021, effectively abandoned |
| #214 | Git URI and digests for provenance | v1.0 provenance format addresses this |
| #222 | Publish list of OSS compromises | "Applied ruling" label — decision was made |
| #234 | Automatic/reviewless merges | Source track supersedes |
| #235 | Maintainer vs. Distribution package | "Fix after v1.0" — 3 years later, still not fixed. v1.2 shipped. |
| #248 | Service Generated in GitHub Actions | Solved. slsa-github-generator ships L3 |
| #249 | Bad Design as supply chain scenario | Out of scope per v1.0 threat model |
| #276 | SLSA in broader supply chain security | v1.0 defined scope |
| #277 | Relaxation of hermeticity | Duplicate of #230 |
| #319 | Builder version info in provenance | MarkLodato: "close this as resolved" |
| #326 | 'dependencies complete' at L4 | TomHennen confirmed spec includes this |
| #341 | Map SLSA to other frameworks | Stale 4 years |
| #362 | "Service Generated" question | v1.0 Build track codified this |
| #378 | Formulation and Pedigree | v1.0 defines own terms |
| #380 | Trojan horse compiler attacks | v1.0 threat model updated; build-env track covers |
| #382 | Reproducibility wording | Superseded by #873/#230 |
| #403 | Contributor ladder | No activity in 4 years |
| #421 | Verifiable two-person review | Zero comments, 3.5 years |
| #424 | Create GitHub Security Procedures | Stale governance, 3.6y |
| #454 | Parameterless prevents script reuse | MarkLodato: "merge with #278?" |
| #491 | Partnership logo guidelines | Stale governance, 3.5y |
| #505 | Secure builder guidance | 1 comment, stale |
| #515 | SLSA Compliance Program | Proposal PR merged into slsa-proposals |
| #519 | SLSA v1.0 PDF | We're at v1.2. Not happening. |
| #535 | "Modify code after review" | Source track supersedes |
| #586 | Versioning source | Source track handles this |
| #691 | SPDX/CycloneDX in byproducts | "Shovel-ready" for 2+ years, nobody picked it up |
| #706 | Define security model for build system | Fix PR #816 merged Apr 2023 |
| #798 | npm provenance predicate | npm shipped their predicate |
| #801 | npm VSAs instead of publish attestation? | npm ecosystem moved on |
| #808 | VSA: under-specified resource_uri | Zero comments, 2.5 years |
| #900 | Workstream: Release SLSA v1.1 | v1.1 shipped Apr 2025. v1.2 shipped Nov 2025. Done. |
| #918 | in-toto statement encapsulation | marcelamelara answered it |
| #921 | What is the role of VSA? | Moved to in-toto/attestation#277 |
| #959 | Builder pitfalls / source material | 2 comments, 2.7 years stale |
| #977 | Workstream: SLSA Build L4 | Last activity Jan 2024. L4 work effectively dead. |
| #1004 | Update supply-chain-threats.svg | Nobody did it for 2.5 years |
| #1011 | Describe how verification works | MarkLodato asked for examples, nobody provided. 2.3y stale |
| #1016 | Attestation Immutability | Decision history documented. Nothing left to do |
| #1017 | Exploded package descriptor | Discussion stalled, no consensus |
| #1029 | List of SLSA implementations | "Shovel-ready" for 2 years, nobody did it |
| #1030 | SLSA user experiences | Community effort stalled |
| #1063 | Build level with GitHub Action | GitHub Actions SLSA docs matured |
| #1219 | VSA resourceUri vs subject | TomHennen answered directly |
| #1261 | Builder ID completeness | Zero comments, 1.3 years |
| #1270 | Community page outdated | Zero comments, stale housekeeping |
| #1279 | Completed resolved deps | Zero comments, overlaps #230 |
| #1281 | "build recipe" vs deps | arewm answered it |
| #1452 | Requirement titles more active? | Style bikeshed, zero engagement |
| #1563 | Seth McEvoy PR listing | Meta-tracking, not actionable |
These are real spec questions with significant discussion history, but they've gone completely cold. A spec maintainer needs to make an explicit call: close as overtaken by v1.1/v1.2, or revive with a champion.
| Issue | Title | Comments | Updated | The decision needed |
|---|---|---|---|---|
| #71 | Immutable reference at L4 | 20 | Jan 2023 | MarkLodato said "still stands for L4" but L4 workstream (#977) is dead. Is L4 still happening? If not, close this and all L4-related issues. |
| #230 | Hermetic breakdown to lower levels | 23 | Aug 2023 | MitM vs no-network debate. Was this addressed in v1.1/v1.2 or the build-env track? |
| #278 | Parameterless builds scope | 6 | Oct 2022 | Related to L4. If L4 is dead, close. |
| #863 | Build L2 provenance trust | 24 | Dec 2023 | MarkLodato gave a resolution checklist. Did anyone execute it? Check v1.1/v1.2 changelogs. |
| #891 | Verifying package names | 22 | Jul 2023 | Package name in attestations. Was this addressed in VSA/verification work? |
| #894 | Cache artifact language | 14 | Jul 2023 | Fix PR #901 closed without merge. Was it addressed differently? |
| #933 | mediaType for attestations | 5 | Aug 2023 | marcelamelara said "needs to be re-opened for L1." Was it addressed in v1.1/v1.2? |
| #940 | Standardize externalParameters | 13 | Aug 2023 | Common CI/CD schema. Did the ecosystem converge, or is this still a gap? |
| #986 | "Unforgeable" at Build L3 | 8 | Oct 2023 | What does L3 actually guarantee? Was this clarified in v1.1/v1.2? |
| #1015 | Custom extension fields | 5 | Jan 2024 | Standardized extensions map proposal. Was this adopted? |
| #1019 | Sigstore certs as provenance | 24 | Feb 2024 | Fulcio cert overlap with provenance. Still a gap given Sigstore evolution? |
These are all build-environment track backlog items filed by marcelamelara with zero comments. The track IS active (recent updates on #947, #1519, #1520), but these specific items have never been discussed. Rather than closing unilaterally, marcelamelara should review and close the ones no longer relevant.
| Issue | Title | Filed |
|---|---|---|
| #1107 | Best term for build env storage | Aug 2024 |
| #1122 | Distributed build attestation | Aug 2024 |
| #1164 | Build agent/executor measurement scope | Sep 2024 |
| #1168 | Build env verification policy guarantees | Sep 2024 |
| #1170 | Build executor may not be on rootfs | Oct 2024 |
| #1185 | Build environments without build agent | Oct 2024 |
| #1192 | Separate container vs VM requirements | Oct 2024 |
| #1195 | Build image in externalParameters | Oct 2024 |
| #1198 | BuildEnv for non-Linux environments | Oct 2024 |
| #1210 | Connection between Build and BuildEnv tracks | Oct 2024 |
| #1211 | CI control plane privileged access | Oct 2024 |
| #1243 | Detailed BuildEnv requirements/guidance | Nov 2024 |
| #1245 | Build env lifecycle figure | Dec 2024 |
#1142, #1148, #1367, #1378, #1379, #1480, #1492, #1508, #1509, #1413, #1427, #1436, #1441, #1457
#947 (24 comments, May 2025), #1132 (Nov 2025), #1150, #1167, #1196, #1253, #1322, #1519, #1520
- #230 — Hermetic breakdown (pending human decision)
- #863 — Build L2 trust (pending human decision)
- #926 — "official source" at L3 (Jul 2023, 9 comments)
- #716 — slsaLevel field (15 comments, Jun 2024)
- #878 — VSA fields optional (18 comments, Jul 2024)
- #968 — verifiedLevels (12 comments, Jul 2024)
- #1118 — VSA hosting policies (12 comments, Aug 2024)
- #1207 — VSA timeless vs time-sensitive (8 comments, Oct 2024)
- #1262 — VSA policy violations (4 comments, Jan 2025)
- #974 — Provenance vs VSA (10 comments, Jun 2025)
- #937 — Steering committee (Sep 2024)
- #1105 — S2C2F alignment (Nov 2024, 9 comments)
- #1039 — Dependency vs package threats (Apr 2025, 12 comments)
- #978 — SLSA for ML (Oct 2025)
- #1010 — Tracks sparingly (Nov 2025, 12 comments)
- #1102 — Codifying org/repos (Nov 2025, 6 comments)
- #1215 — Builder level meaningful in threats (Jun 2025)
- #185 — SLSA compliance with GitHub (Oct 2025)
- #742 — Late-branching strategy (Oct 2025)
- #1232 — Search on docs (Oct 2025)
- #1518 — README workstreams outdated
- #431 — Dependency Dashboard (Renovate, Mar 2026)
- #849 — Unique builder.id (Apr 2026)
- #1594 — SLSA for AI agent deployments (Apr 2026, 5 comments)
- #1604 — Broken external links (Apr 2026)
- #1545 — Spec TOC reorganization (Feb 2026, 5 comments)
- #1548 — "About this specification" (Feb 2026)
- #1531 — resolvedDependencies and SBOM (Jan 2026)
- #1540 — SLSA as public standard? (Jan 2026)
- #1486 — SLSA E2E with in-toto (Oct 2025, 7 comments)
- #1501 — Relation to GitHub attestation (Nov 2025)
- #1507 — SLSA in CD Foundation guide (Nov 2025)
- #1554 — Track Specification Template (Feb 2026)
- #1355 — Additional VSA properties (Jun 2025)
- Phase 1: Batch-close the 60 Tier 1-3 issues. Standard comment: "Closing due to extended inactivity. The SLSA spec has evolved significantly (now at v1.2). Please reopen with updated context if still relevant."
- Phase 1: Close 10 duplicates, commenting to point to the surviving issue.
- Phase 2: Close the 48 Tier 5 issues with the specific reasons noted above.
- Phase 2: Tag marcelamelara on the 13 build-env backlog items asking her to close any that are no longer relevant.
- Phase 3: Post the 11 "Needs Human Decision" issues to the SLSA community meeting or mailing list for a batch decision.
- Result: 226 → ~84 active issues. A clean tracker that reflects the actual state of the project.
Generated April 14, 2026. Every issue individually reviewed: body, comments, and related PRs checked. Issue data pulled via gh CLI.