Jon Johnson

Added some logging for the python tests, looks like these are hitting pypi :( ``` === RUN TestFindDependencies 2023/07/02 19:48:31 GET https://pypi.org/pypi/botocore/1.29.78/json took 48.203416ms 2023/07/02 19:48:31 convert:python: [botocore] Check Dependency...

After thinking about it some more, I think I'd rather just add a better error message and try to convince the world to upgrade their dependencies on ancient images 🤷‍♂️

> Notary v2 has a dependency on ORAS and ORAS Artifacts to manage registry interactions. How is this any different than cosign taking a dependency on sigstore or crane? This...

Opened a PR in syft: https://github.com/anchore/syft/pull/2893 I'm honestly not sure how necessary it is given that `grype` seemed to find the CVEs associated with stdlib even without my "fix", but...

Fix for this was included in https://github.com/anchore/grype/pull/1897

> Map collections are not part of the JSON standard compliant. It'd be great to change the json output to use json objects instead of map collections. Can you explain...

I think this might actually be useful for kind, cc @BenTheElder

I'm not actually sure what `cilium` really depends on here... maybe we should just drop the `cni-plugins-main` in the image config since it's a subset of `cni-plugins`? I wonder how...

Ideally ECR Public would support mounting, but it should at least return a 202 here instead of failing. > [Alternatively, if a registry does not support cross-repository mounting or is...

This diff is probably the culprit: https://github.com/facebook/buck2/commit/c21e43ee418f8a2ca1c9554b642ae929c53dfdce