Jason Hall
It looks like one place we could put the warning is here: https://github.com/sigstore/cosign/blob/dbd430fce5d4b3805758bd97ec5c104b164091c8/cmd/cosign/cli/sign/sign.go#L150-L160 with an

```go
// Warn when the reference being signed is a mutable tag rather than a digest.
if _, ok := ref.(name.Tag); ok {
	log.Println("hey don't sign tags pls")
}
```
@dlorenc ping, possibly https://github.com/sigstore/cosign/pull/2019 first?
I think we can do this now. #2019 was merged in https://github.com/sigstore/cosign/commit/1f42a247b80d34f1deecfdf61ce8b5e3a858308b and released as part of cosign 1.12. We're on 1.13 now, so I think this is ample warning...
It's a bit rudimentary, but in _theory_ it should be possible to do something like `docker pull wait.kontain.me/sign.kontain.me/random.kontain.me`, which would wait 10s to serve a signed random image. I'm not...
I don't remember where I saw it, but there's a Bazel remote executor that runs on Cloud Run, that caches artifacts based on last access, where the way it determines...
This sounds useful for chaos testing registry clients. I like it. The only question I have is how the behavior should be configured. Should we just hard-code certain behaviors into...
I mean, it's a hacky registry for fun, I don't care if its rules are hard-coded or pulled from a config file at startup. The point of it all is...
From https://superuser.com/a/1616656/21888:

```
$ echo "Hello, World" | ssh-keygen -Y sign -n file -f id_rsa > content.txt.sig
Signing data on standard input
$ echo "Hello, World" | ssh-keygen -Y check-novalidate...
```
It's possible the registry protocol and various clients check that the manifest is pullable after pushing, which would mean the image would disappear before anything real could pull it. Maybe...
obligatory 