SLSA – Supply-Chain Levels for Software Artifacts (slsa.dev)
2 points by nrvn on April 2, 2024 | hide | past | favorite | 3 comments


"In this way, consumers need only trust a small number of secure build platforms rather than the many thousands of developers with upload permissions across various packages."[1]

Bad idea. We should instead have thousands of people around the world continuously reproducing builds of software, and continuously verifying amongst each other that everyone is building and then using the same peer-reviewed version of software.[2] In this way, an attacker is forced to reveal their attack to everyone and can't just compromise the "secure build platforms" and conduct selective attacks.

[1] https://slsa.dev/spec/v1.0/use-cases#open-source

[2] https://reproducible-builds.org/
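The verification the comment above describes, many independent rebuilders comparing what they produced, is easy to sketch as code. The following is an added example, not from the thread or from the reproducible-builds.org project: it simulates a set of rebuilders reporting SHA-256 digests for the same release, finds the digest a quorum agrees on, flags any builder whose output diverges, and checks a consumer's downloaded artifact against that consensus. The builder names and artifact bytes are constructed sample data.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    """Digest of an artifact; a reproducible build yields the same bytes everywhere."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample artifacts (hypothetical bytes, not a real package).
CANONICAL_ARTIFACT = b"example-pkg-1.2.3: deterministic build output"
TAMPERED_ARTIFACT = b"example-pkg-1.2.3: deterministic build output + extra payload"

# Constructed reports: four independent rebuilders agree, one (compromised or
# misconfigured) reports a different digest for the same source revision.
REBUILDER_REPORTS = {
    "rebuilder-a": sha256_hex(CANONICAL_ARTIFACT),
    "rebuilder-b": sha256_hex(CANONICAL_ARTIFACT),
    "rebuilder-c": sha256_hex(CANONICAL_ARTIFACT),
    "rebuilder-d": sha256_hex(CANONICAL_ARTIFACT),
    "rebuilder-e": sha256_hex(TAMPERED_ARTIFACT),
}

def consensus_digest(reports: dict, min_agreement: int):
    """Return (digest, dissenters) for the most-reported digest, or (None, all names)
    when fewer than min_agreement rebuilders agree on any single digest."""
    if not reports:
        return None, []
    counts = Counter(reports.values())
    digest, support = counts.most_common(1)[0]
    if support < min_agreement:
        return None, sorted(reports)
    dissenters = sorted(name for name, d in reports.items() if d != digest)
    return digest, dissenters

def verify_artifact(artifact: bytes, reports: dict, min_agreement: int = 3) -> dict:
    """Check a consumer's downloaded artifact against the rebuilder consensus.

    A diverging rebuilder is surfaced rather than silently outvoted, because the
    point of independent rebuilding is that a tampered build is visible to everyone.
    """
    digest, dissenters = consensus_digest(reports, min_agreement)
    local = sha256_hex(artifact)
    if digest is None:
        return {"ok": False, "reason": "no quorum", "dissenters": dissenters}
    if local != digest:
        return {"ok": False, "reason": "artifact differs from consensus",
                "dissenters": dissenters}
    return {"ok": True, "reason": "matches consensus", "dissenters": dissenters}

if __name__ == "__main__":
    print(verify_artifact(CANONICAL_ARTIFACT, REBUILDER_REPORTS))
    print(verify_artifact(TAMPERED_ARTIFACT, REBUILDER_REPORTS))
```

The `min_agreement` threshold is the design knob: too low and a single builder decides, too high and an honest rebuilder outage blocks verification. A non-empty `dissenters` list on a passing check is still worth investigating, since it is exactly the signal that one build environment produced something different from the rest.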


In their 0.1 version of the spec, reproducible builds were one of the requirements. Unfortunately, they reduced the scope and now this req is part of their “future directions”.

I highly appreciate the idea of reproducibility. It is one of the ways to provide (and verify) integrity. And unfortunately, this is not widely adopted and in some cases even difficult to achieve…


Even though the current specification only covers the Build track, complying with Build L3 would greatly benefit the software industry.

And future directions[0] include a Source track that is supposed to prevent a single compromised actor or account from introducing malicious changes.

[0] - https://slsa.dev/spec/v1.0/future-directions
