Below is a quote from the Developing Secure Software course. It seems like SLSA could provide input on some low-hanging fruit we could work systematically towards:
Supply-chain Levels for Software Artifacts, or SLSA ("salsa"), is a security framework being developed as a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. At the time of this writing it is still in development, but you should consider its recommendations. SLSA is being developed under the Open Source Security Foundation (OpenSSF). To learn more, see the SLSA home page.
Has anyone read through this?