Andrew McNamara

111 comments of Andrew McNamara

@s-snahil @trishankatdatadog , thanks for this submission. I haven't read over your linked content, but I was wondering if you want feedback and what form you would like that feedback....

I think I made the same assumptions. We merged a change where source VSAs can have dependencies of other sources (i.e. submodules). I had always thought of artifact dependencies as...

@k8scarcella, I don't see SLSA mentioned anywhere in the https://cicd-cybersecurity.netlify.app/cicd-security-guide/ offhand. Do you know if SLSA is mentioned anywhere that I didn't find? Most of the links seemed to...

@trishankkarthik @s-snahil, the e2e examples came up in the SLSA specification call today. We recognize that these blog posts will be long and some other authors of potential blog posts...

All registries might not support the referrers API, but this is also why the configuration can be defined. After creating this PR, I investigated the gap more and created sigstore/cosign/issues/4335....

I found the spec: https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#unavailable-referrers-api > A client that pushes an image manifest with a defined subject field MUST verify the [referrers API](https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers) is available or fallback to updating the...
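The push-side rule quoted from the distribution spec above (probe the referrers API, otherwise maintain the `<alg>-<hex>` referrers tag yourself) and the matching fallback on the listing side are easy to get subtly wrong, so here is a worked example of both paths. This is an added illustration written for this page, not cosign's implementation; the `FakeRegistry` class, the image and attestation manifests, and the `demo` helper are constructed stand-ins so it runs offline, and the two artifact types are placeholder strings.

```python
"""Referrers-API probe with referrers-tag fallback (OCI distribution spec v1.1.0).

Added example for this page; not cosign's code. The registry is an in-memory
stand-in that can be switched between "supports referrers API" and "does not".
"""
import hashlib
import json

OCI_INDEX = "application/vnd.oci.image.index.v1+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
OCI_EMPTY = "application/vnd.oci.empty.v1+json"


def canonical(obj) -> bytes:
    # Stable serialisation so digests in this example are reproducible.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest_of(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def referrers_tag(subject_digest: str) -> str:
    """Referrers tag schema: 'sha256:abc...' -> 'sha256-abc...' (tags max 128 chars)."""
    alg, _, hexpart = subject_digest.partition(":")
    if not alg or not hexpart:
        raise ValueError(f"not a digest: {subject_digest!r}")
    return f"{alg}-{hexpart}"[:128]


def descriptor(data: bytes, media_type: str, artifact_type=None) -> dict:
    d = {"mediaType": media_type, "digest": digest_of(data), "size": len(data)}
    if artifact_type:
        d["artifactType"] = artifact_type
    return d


class FakeRegistry:
    """Constructed stand-in. With referrers_api=True the registry indexes subject
    links itself and GET .../referrers/<digest> answers 200 with an OCI index;
    with False it answers 404, which the spec says means 'fall back to the tag'."""

    def __init__(self, referrers_api: bool):
        self.referrers_api = referrers_api
        self.manifests = {}   # reference (digest or tag) -> manifest bytes
        self.referrers = {}   # subject digest -> list of descriptors

    def get_referrers(self, subject_digest):
        if not self.referrers_api:
            return 404, None, None
        body = {"schemaVersion": 2, "mediaType": OCI_INDEX,
                "manifests": self.referrers.get(subject_digest, [])}
        return 200, OCI_INDEX, body

    def get_manifest(self, reference):
        data = self.manifests.get(reference)
        return (200, data) if data is not None else (404, None)

    def put_manifest(self, reference, data: bytes, media_type: str):
        self.manifests[reference] = data
        subj = json.loads(data).get("subject")
        if subj and self.referrers_api:  # registry-side indexing of the subject link
            desc = descriptor(data, media_type, json.loads(data).get("artifactType"))
            lst = self.referrers.setdefault(subj["digest"], [])
            if all(d["digest"] != desc["digest"] for d in lst):
                lst.append(desc)
        return 201


def push_referrer(reg: FakeRegistry, manifest: dict) -> str:
    """Push a manifest carrying a subject; return which spec path was used."""
    data = canonical(manifest)
    reg.put_manifest(digest_of(data), data, OCI_MANIFEST)
    subject = manifest["subject"]["digest"]
    status, ctype, _ = reg.get_referrers(subject)
    if status == 200 and ctype == OCI_INDEX:
        return "referrers-api"           # registry maintains the index for us
    # Fallback: client owns the index stored at the referrers tag (read-modify-write).
    tag = referrers_tag(subject)
    status, existing = reg.get_manifest(tag)
    index = (json.loads(existing) if status == 200
             else {"schemaVersion": 2, "mediaType": OCI_INDEX, "manifests": []})
    desc = descriptor(data, OCI_MANIFEST, manifest.get("artifactType"))
    if all(d["digest"] != desc["digest"] for d in index["manifests"]):
        index["manifests"].append(desc)  # de-duplicate by digest, as the registry would
    reg.put_manifest(tag, canonical(index), OCI_INDEX)
    return "tag-fallback"


def list_referrers(reg: FakeRegistry, subject_digest: str) -> list:
    """Listing side: same probe, same fallback to the referrers tag on 404."""
    status, ctype, body = reg.get_referrers(subject_digest)
    if status == 200 and ctype == OCI_INDEX:
        return body["manifests"]
    status, data = reg.get_manifest(referrers_tag(subject_digest))
    return json.loads(data)["manifests"] if status == 200 else []


# Constructed sample image and attestation manifests (not real artifacts).
IMAGE = {"schemaVersion": 2, "mediaType": OCI_MANIFEST,
         "config": {"mediaType": OCI_EMPTY, "digest": digest_of(b"{}"), "size": 2},
         "layers": []}
SUBJECT = digest_of(canonical(IMAGE))
SLSA_TYPE = "application/vnd.example.slsa.provenance+json"  # placeholder type
VULN_TYPE = "application/vnd.example.vuln.scan+json"        # placeholder type


def attestation(artifact_type: str) -> dict:
    return {"schemaVersion": 2, "mediaType": OCI_MANIFEST, "artifactType": artifact_type,
            "config": {"mediaType": OCI_EMPTY, "digest": digest_of(b"{}"), "size": 2},
            "layers": [{"mediaType": "application/json", "digest": digest_of(artifact_type.encode()),
                        "size": len(artifact_type)}],
            "subject": {"mediaType": OCI_MANIFEST, "digest": SUBJECT, "size": len(canonical(IMAGE))}}


def demo(referrers_api: bool):
    """Push the image, then two attestations (one of them twice) against it."""
    reg = FakeRegistry(referrers_api)
    reg.put_manifest(SUBJECT, canonical(IMAGE), OCI_MANIFEST)
    paths = {push_referrer(reg, attestation(t)) for t in (SLSA_TYPE, SLSA_TYPE, VULN_TYPE)}
    return paths.pop(), list_referrers(reg, SUBJECT)


if __name__ == "__main__":
    for supported in (True, False):
        path, refs = demo(supported)
        print(supported, path, [r["artifactType"] for r in refs])
```

The read-modify-write on the tag is the part worth attention in a real client: two pushers racing on the same subject can each overwrite the other's index, which is exactly the class of gap the registry-side referrers API avoids, so a client that lands on the fallback path should expect to re-read and retry.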

I just reworked this implementation to include the changes made in https://github.com/sigstore/cosign/pull/4357. It is not currently possible for cosign to download all of these attestations, but that is also something...

@steiza , that would be a change that happens in v3 though? We can make the change to have a consistent interface when interacting with the OCI registry in v2...

@sudo-bmitch , do you think that should apply for commands like `tree` as well?

I created a draft pull request with the abstraction implementation only to reduce the number of changes that might need to be reviewed at once: https://github.com/sigstore/cosign/pull/4336