Jason Hall
The distroless image doesn't currently push SBOMs to the registry, so `cosign download sbom` is expected to fail for that image.
Flipping this to Draft since we'll need a Google GH org admin to set up the domain. This shouldn't block the 0.12 release.
I'd like to get this merged so we can start running ko.build out of this repo instead of out of my personal repo. This change also sets us up for...
Played around with the `govulncheck` CLI a bit. It can operate on source trees or built binaries. For example, running it on v0.25.0 of Tekton's main packages: ``` pipeline (v0.25.0)$...
After ~21 minutes: ``` Found 7 known vulnerabilities. ------------------------------------------------------- GO-2021-0319 Some big.Int values that are not valid field elements (negative or overflowing) might cause Curve.IsOnCurve to incorrectly return true. Operating...
new blog post https://go.dev/blog/vuln
govulncheck seems to have gotten a lot faster. Running against Tekton: ``` $ time govulncheck ./... govulncheck ./... 28.74s user 12.87s system 155% cpu 26.789 total $ go build ./cmd/controller...
> > integrating it in ko probably looks like running govulncheck on the importpath being built (govulncheck ./cmd/controller) while building > > It means that ko will require `golvuncheck` to...
> any clue ? Not really, honestly. 😕 Does this work when you try it on your own machine? Maybe there's some problem with k3s as it's set up by...
> IMHO - the runner is lacking in memory or CPU 🤔 . The same works very well in my local mac. It sounds like they should have plenty of...