Description
We have received funding from the OpenSSF TI fund to update the SLSA Build Track tooling. Over the next few quarters, @puerco will be working on updating the slsa-github-generator and slsa-verifier tooling. The goals of this initiative are to identify areas for improvement, make the tooling more maintainable, leverage existing tooling for core features (for example, using GitHub's artifact attestations for slsa-github-generator), and make the tooling more extensible (for example, support the source track and future tracks in slsa-verifier).
For slsa-verifier, the current proposal is to leverage existing libraries as much as possible, e.g. sigstore-go and in-toto/attestation-verifier, with slsa-verifier becoming a collection of policies for SLSA tracks.
Let us know if you have any questions!
Ref ossf/tac#537 and slsa-framework/slsa-github-generator#4451