How does SLSA fit into broader supply chain security? #276

@MarkLodato

Description

As mentioned at today's meeting (and prior meetings), SLSA is currently focused only on "integrity"; supply chain security includes more than that, notably "vulnerability management" and "developer trust" (or whatever to call it).

We should either:

  • Better explain how SLSA fits into the big picture, e.g. generating SBOM, identifying dependencies, etc.
  • Expand to cover all supply chain security. (If we do this, we need to make sure we don't become too diluted and confusing.)

This issue is just a placeholder to note the issue and record main thoughts and interested parties.

Metadata

Assignees

No one assigned

    Labels

    clarification: Clarification of the spec, without changing meaning

    Type

    No type

    Projects

    Status

    Untriaged

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests