{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreidnor5f6d7tvjg5vlvux35mpa3cigianleus4vmwqgtjzyae6ht7i",
    "uri": "at://did:plc:haakkg7y3xdghcdmprxeexso/app.bsky.feed.post/3mmy4e7lfw5w2"
  },
  "path": "/t/submit-android-apps-to-our-appverifier-database/38125?page=2#post_35",
  "publishedAt": "2026-05-29T07:45:46.000Z",
  "site": "https://discuss.privacyguides.net",
  "tags": [
    "SLSA • Requirements",
    "L4 (for the Build track)",
    "hermetic",
    "@RoyalOughtness",
    "Trust assumptions in none-reproducible FOSS applications",
    "General",
    "sifting through  their GitHub"
  ],
  "textContent": "jonah:\n\n> There is also a Level 4, FWIW. Looking at SLSA • Requirements\n\nYou’re looking at a “draft” specification. Later, this was split into 2 tracks: Build and Source.\n\nThat said, I remember the discussions at the time that L4 (for the Build track) would mandate hermetic and/or reproducible builds.\n\nThat said, @RoyalOughtness seems to have a better grasp of supply chain security than most here.\n\nTrust assumptions in none-reproducible FOSS applications General\n\n> Yep. Secureblue seems to be super serious about software supply chain security (sifting through their GitHub to see what I can set up for my projects), so cc: @RoyalOughtness",
  "title": "Submit Android apps to our AppVerifier database"
}