Jason Hall

Results 524 comments of Jason Hall

I would recommend signing images built with Kaniko using [cosign](https://github.com/sigstore/cosign), after the build is complete, then verifying it before pulling+running it.

@itay-grudev Thanks for trying out the latest Kaniko, this feedback is _super_ helpful to avoid pushing these changes out to all users. Do you happen to have a Dockerfile that...

Even ignoring vendored dependencies, there are quite a lot of direct dependencies on pkg/errors in the codebase:

```
$ git grep -l github.com/pkg/errors | grep \.go$ | grep -v vendor...
```

If we could enumerate the packages that `bom` needs that would be helpful. Common things like `go` and `git` are already available as apk packages and should be very easy...

I thought the plan was to make a base image that contained all the things `bom` needed, then use `ko` to build `bom` on top of that base. You could...

> Why include the size of the reference?

In addition to @jonjohnsonjr's answer, including the size can avoid DoS attacks on services that will chase these references. A service...

FYI the above accepted proposal is slated to be included in the upcoming Go 1.18: https://tip.golang.org/doc/go1.18#amd64

Mostly questions about which zone it should pick. The `-a` zone in most regions is already the most overloaded in my experience, and I'm not sure whether users would expect...

Some users might only want the region, e.g., for regional GKE clusters. So if we do add a "top zone" mode there should still be a "top region" mode.

I agree it's somewhat annoying when you have multiple Chrome profiles open. I find myself copypasting the URL from my personal profile to a new window in my corp profile,...