Replies (4)

I like your model. Reading it makes me think the only thing that is missing from the attestation spec is optional tags to "proof". For example, when I assert a build is reproducible, I should also attest to my own assertion being true and link to the build pipeline's outputs showing that.
Also makes me think there might be some convention that should (not required) be applied to assertions: that they should be phrased as null hypotheses.
Lit. OK, I think I have enough information to get Fran what he needs to implement reproducible builds via assertions and attestations. Step 0 for that is to just piggyback on IzzyOnDroid scans. Step 1: do it via loom so it can be done on demand for those who don't want to farm out their trust. Step 2 would be to add those in as attestations to the initial assertion. Step 3 would be to figure out how to apply WoT to whose assertions you care about in that specific context. Step 4: drink coffee and take a walk.