dlorenc
I see in #57 it looks like sget is starting to grow key management/signing functionality. What's the full scope there? I'm worried we might run into overlap/confusion between the tooling...
> I don't see any issue myself, sget is a client, as is cosign and the other clients, with each being able to generate keys and sign things. In...
No real concern about the cosign scope, I just worry that we have two things that do the same thing still, with the only real difference being the implementation language....
No sorry! It signs blobs outside of them too: `cosign sign-blob`
Yea - `cosign sign-blob` supports signing arbitrary blobs and outputting to stdout or local disk. I'm still not super keen on having two tools that do the same thing here...
> Anyway I feel we are going in circles a bit here. I am happy to propose we remove OCI interaction to help set boundaries, but I don't think it's...
Haha I like plz
Just a warning that if we do this, we should be clear which signature specification we're using. It looks like the wasm-sign code uses SSH keys, but generates standard ed25519...
PURL isn't perfect, but it's pretty good and the community is active and willing to address feedback. They support git URLs and generic HTTP fetching, which should work for the...
I agree with all of this! Purls are way too clumsy to work with by hand so we'll need a layer on top. Supporting them directly in the SBOM case...