Hayden B

Load is an interesting question. I would stay away from batch APIs - one that adds multiple entries in a single request - because it's hard to build an SLO...

I'm not concerned about issues for Rekor, it's more around monitoring. If we measure P99s for Rekor for adding a single entry, P99s for multiple entries will be higher, as...

No concerns around monitoring for that, but I do have a number of questions that pop up: How do we search for a single artifact in that set? To construct...

@cpanato - Should we start updating all repos to 1.19? It's not a significant release so I don't expect any weird issues.

We do SCT verification in Cosign, and worked around the `glog` issue by copying in `ctutil` - https://github.com/sigstore/cosign/blob/7ba521444f9fcfdf2e1e5936c05834597674e6c9/cmd/cosign/cli/fulcio/fulcioverifier/ctutil/ctutil.go See https://github.com/sigstore/cosign/blob/30bf1c09c6fde849245648ff294725d86094fe28/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go for the verification. It still pulls from `certificate-transparency-go`, but avoids...

Hey! To implement, either we will need to add a new IDP type, or restructure the github-workflows type. My guess is it'll be simpler to have some code duplication now...

I’ll open a new issue in Fulcio to discuss more.

A lack of run attempts shouldn't be a blocker, we don't encode that in the identity. Do you possibly have a one to one mapping between the necessary GitHub claims?...

+100000 to this. A couple thoughts: * This is a significant breaking change, so we should prepare for issues to be filed. Blog posts/Slack/documentation beforehand is critical. * We do...

> My preference is to immediately stick a deprecation warning in, and leave it for a release or two first. But yeah, I'm on-board overall. Sounds good, let's get the...