dlorenc

Results 347 comments of dlorenc

> Maybe we should wait for the **[EXPERIMENTAL]** stuff to become un-experimental -- sad as it would be to have to wait for the nice things -- before adding all...

> cc @dlorenc is this the upstream guidance or what?

What do you mean by upstream? Sigstore? I think I'd proceed with a warning here or make it opt-in. I...

I think you have to go all the way back to docker media types, including lying about the layer contents.

This looks awesome. I'd just note that it more closely resembles a lock file rather than a go.sum file to me. They're very close so it's mostly just a nitpick....

> * We would need to push it as a separate object and connect it with the image manifest. Hopefully without breaking compatibility with existing registries. This is the tricky...

Hey, Skaffold maintainer here (github.com/GoogleCloudPlatform/skaffold). We're tackling some of these same problems, and after a quick check it seems like we might be able to help out here. Skaffold supports...

> It doesn't look like the governance meets the letter or the spirit of the CNCF graduation criteria. This needs to be evaluated, IMHO.

+1 to this. The one other...

This attempts to address CVE-2023-46402 and #24

I'd agree with this - SLSA4 was designed to be very aspirational from the start. Just my personal take - but I'd either expect some intermediate levels or massive changes...