glossary.rst

File metadata and controls

30 lines (19 loc) · 1.9 KB

Glossary
========

.. glossary::

    SLSA

        * Supply-chain Levels for Software Artifacts (SLSA, pronounced "salsa") is a software supply chain security specification that provides guidelines for improving the build integrity of software artifacts. It mandates the production of authentic and verifiable provenance documents that describe how a software artifact was built, and it calls for provenance generation to be adopted by both open-source project maintainers and software package registries. One example is the `npm public registry <https://www.npmjs.com/>`_, which `has added support <https://github.blog/2023-04-19-introducing-npm-package-provenance/>`_ for publishing SLSA Build Level 2 provenances to improve supply chain security.
        * URL: https://slsa.dev

    VSA

        * Verification Summary Attestation (VSA) is an output generated by Macaron that summarizes whether a software component complies with a policy. VSA is a verification document proposed by `SLSA <https://slsa.dev/spec/v1.0/verification_summary>`_ and `in-toto <https://github.com/in-toto/attestation/blob/main/spec/predicates/vsa.md>`_.
        * To learn more about the VSA document generated by Macaron, see our :ref:`Verification Summary Attestation page <vsa>`.

    Witness

        * Witness is a tool that wraps a build command and, as the build executes, records various types of information in a provenance document in the ``in-toto`` format.
        * URL: https://github.com/in-toto/witness

    PURL

        * Package URL (PURL): a standardized string identifier for a software package.
        * URL: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst