Add RFC for cosign integration
Signed-off-by: Sambhav Kothari [email protected]
Fixes #192
Debatable points:
- Dealing with daemon use case?
- pack v/s lifecycle support?
- SBOM future (for now this just exports the SBOM in cosign format but also continues to use the existing way of storing it in the app image for restore/rebuild)
Cosign maintainer here! We'd love any feedback on the SBOM use case. This is really just a first draft based on how we guessed people might use it. If there's anything you don't like or we could change to make things easier we can do that! I'm excited to see it used here at all.
If I recall correctly, this RFC falls under the same idea as other external operations such as preparer, which I believe we would develop PoCs for independently and try to incorporate back into the project via these guidelines. If so, should this be a draft or closed?
I would prefer if this was a repo under the buildpacks org, potentially under the platform team, since pack would be the first target use case. It would make it easier to manage/review/depend on repositories that fall under the buildpacks org umbrella.
Is the only outstanding issue of how we proceed with a PoC/where the work happens?
> Is the only outstanding issue of how we proceed with a PoC/where the work happens?

Pretty much
@samj1912 as we discussed, this RFC requires a few changes to align with the latest agreed-upon strategy. Please let me know when it's updated and I'll review/start the voting period.
@samj1912 what is the status of this RFC? Is this still something we want to do?