dlorenc

Results 347 comments of dlorenc

> 👋 > > We'd need to know what package manager is used and how/if it's different from other uses, and where the security advisories are published and in what...

> How is this any different than cosign taking a dependency on sigstore or crane?

Just going to clarify this point - cosign depends only on the existing, 1.0 version...

> The comparison here is cosign depends on new sigstore services and uses crane for registry operations.

Just correcting this point, not attempting to weigh in on the rest of...

I'm going to be frank here - that kind of meeting sounds great, but should that just happen in the Reference Types WG? Why have a separate effort and meeting...

Not sure the point you're trying to make here. Crane is a CLI tool, go-containerregistry is a library. cosign uses the go-containerregistry library to interact with OCI registries, like many...

> cosign uses go-container registry (crane as the cli) for working with a registry.

Still not sure what this part means. `cosign` does not use `crane`, `cosign` uses the `go-containerregistry`...

Hey @princespaghetti - this repo should be archived. This code has been moved upstream over to the real cosign repo: https://github.com/sigstore/cosign/tree/main/cmd/cosign/webhook

Sure! We can use the same env var as config somehow.

Sure! Just curious - are you thinking of running this anywhere? I really only put it together as a quick demo/POC, but it appears that some people are actually looking...