Jason Hall

Results 522 comments of Jason Hall

I'd still like to do this.

What should the "index" SBOM say is included? We already point to the base image(/index) we build on using the OCI annotations, is there something else we want to surface?...

@laurentsimon possibly superseding https://github.com/google/ko/pull/730 ?

To clarify, I think this PR may be on a better track than #730, which AIUI is blocked on goreleaser including provenance generation itself. The alternative in #730 is to...

Sounds good to me. I'm glad so many folks are looking into improving the SLSAbility of these release workflows, and I'm happy to just ride that wave 🏄

#730 was merged, closing this. Please feel free to reopen this or open a new issue if there's anything else we should do on top of #730

In theory all the information you want is available somewhere in the mass of output that `ko` spams at you. Lines like:

```
2021/08/02 08:25:07 gcr.io/imjasonh/windows/github.com/tektoncd/pipeline/cmd/pullrequest-init@sha256:60ddf2f4cf2392f95da20ec6895b89143a6299bb8331898f58af9de81dcfa6e6: digest: sha256:60ddf2f4cf2392f95da20ec6895b89143a6299bb8331898f58af9de81dcfa6e6 size: 1328...
```

> Or did you mean only that the current layer structure would allow for such a thing, but the (potential) kodata collision precludes supporting such a configuration?

It's this. We...

There isn't really an idea what the UX would be yet. We'd need to start with a clear use case, and multiple users asking for it. Something like it should...