Jason Hall
> Another friendly ping. I'm not in any rush to get this done, I just keep noticing it's still open. Anything else blocking?

Another one. I'm also fine just dropping...
Rebased and resolved conflicts.
The [policy enforcing signed containers from Chainguard Images](https://edu.chainguard.dev/chainguard/chainguard-enforce/chainguard-enforce-kubernetes/chainguard-enforce-policy-examples/#policy-enforcing-signed-containers-from-chainguard-images) looks right to me. It governs images from `cgr.dev`, `docker.io`, and `ghcr.io/chainguard-dev` (not `-images`) -- I believe the last one is because...
> I think we should keep it as it is, because of the metaprogramming capabilities enabled by it.

That's completely reasonable. Can you give me an idea of what kinds...
> The locales are an example. It is also used already in this way inside chainguard images, such as to build multiple versions of nginx from a single melange yaml...
> There are many packages in Alpine where dynamic generation of subpackages happens.

Could you share some of those for reference? Like a fool I looked for Alpine's glibc locales...
I think it's still worth doing! We also now have a lot more examples in the Wolfi repo, and wolfictl as a sandbox for features like this. It might make...
I think there's an opportunity to do even better here. AIUI the opensbom-generator for Go reads a `go.mod` to generate the SBOM. This means that any dependency listed in `go.mod`,...
Yeah, ideally that would be the responsibility of whatever thing consumes the output of `go version -m`. Licenses are tricky because Go has taken a strong stand that they won't...
I think it would be useful to have some commands like `melange pipelines list`, `melange pipelines get split/dev`, etc. to inspect the built-in pipelines from the command line. Shouldn't be too...