From 44dca1ef05a3dd5fae0a4cd5d7cf51a44e60b00c Mon Sep 17 00:00:00 2001 From: Tom Hennen Date: Tue, 15 Oct 2024 19:03:13 +0000 Subject: [PATCH] update note about typosquatting Signed-off-by: Tom Hennen --- docs/spec/draft/verifying-artifacts.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/docs/spec/draft/verifying-artifacts.md b/docs/spec/draft/verifying-artifacts.md index 7302ee20e..c3148922c 100644 --- a/docs/spec/draft/verifying-artifacts.md +++ b/docs/spec/draft/verifying-artifacts.md @@ -124,12 +124,14 @@ Resulting threat mitigation: - [Threat "I"]: Verification by the consumer covers compromise of the package in transit. (Many ecosystems also address this threat using package signatures or checksums.) - - NOTE: SLSA does not cover adversaries tricking a consumer to use an - unintended package, such as through typosquatting. + - NOTE: SLSA does not yet cover adversaries tricking a consumer to use an + unintended package, such as through typosquatting. Those threats are + discussed in more detail under [Threat "H"]. [Threat "E"]: threats#e-build-process [Threat "F"]: threats#f-artifact-publication [Threat "G"]: threats#g-distribution-channel +[Threat "H"]: threats#h-package-selection [Threat "I"]: threats#i-usage [validation-model]: https://github.com/in-toto/attestation/blob/main/docs/validation.md#validation-model
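Review bot: The added cross-reference `[Threat "H"]: threats#h-package-selection` is the only new link definition in this hunk and the anchor target cannot be verified from the diff; please confirm that the heading in threats.md actually renders to the `h-package-selection` fragment, since a stale anchor makes the new "discussed in more detail under [Threat "H"]" sentence point nowhere. Also, changing "does not cover" to "does not yet cover" implies mitigation is planned, while the following sentence only says the threats are "discussed"; if Threat "H" documents the risk without a mitigation, consider wording the note as "SLSA does not currently mitigate" so readers do not infer that the Threat "H" section provides protection against typosquatting or other package-selection attacks.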