Jason Hall

https://github.com/golang/go/issues/37475 is now implemented, and should be released with Go 1.18. After that, we can have `ko` check for the existence of stamped vcs information in the built binary, and...

I still want this.

> Hello @imjasonh , is this issue still available? I would love to work on it Go for it! Let me know if you have any questions, I'd be happy...

> -buildmode=pie > Build the listed main packages and everything they import into > position independent executables (PIE). Packages not named > main are ignored. from `go help buildmode`

That PR was closed without merging. IIRC it wasn't clear to me how to check that it did anything.

Also likely related to reproducibility diffs discussed in #593

> Btw @imjasonh GoReleaser is now capable of generating SBOMs by using the Syft tool under the hood, so, that we can add that support to the ko project🙋🏻‍♂️ I'm...

I think with #730 we have a fair assurance that the artifacts that we've released have come from reliable sources and are tamper-evident. I'll close this unless folks think there's...

If we expect `KO_DOCKER_REPO` to be set, can we search the YAML for string values with the `KO_DOCKER_REPO` prefix? That is, if `KO_DOCKER_REPO=gcr.io/hello`, ```yaml images: - some/other:image - gcr.io/hello/ko-built-me ```...

This might be a little more complicated now with Windows support, since kodata is laid out differently in Windows layers. I wonder if we could just not include the layer...