Lukas Hoehl

> `cosgin` has too many dependencies https://deps.dev/go/github.com%2Fsigstore%2Fcosign/v1.13.1/dependencies and must be factored into the decision making. > > That is one of the reasons https://github.com/sigstore/sigstore-go was built. sigstore-go seems to be...

Is there something missing to review this PR?

> @mikebrow that KEP was about using k8s secrets to carry keys required to decrypt the container image. While this PR is allowing you to `select` the key to decrypt...

> Or... just assume it's an object type with "preserve unknown fields" annotation in CRD, this way we can at least generate most of the work and then do workarounds...

How should this be implemented outside of zot? How should e.g. traefik know how to generate the presigned URLs, where the blobs are stored in S3 etc. I believe having...

For now I've only included the [severity field](https://ossf.github.io/osv-schema/#severity-field) from the OSV API. I see potential in ingesting additional metadata like [summary](https://ossf.github.io/osv-schema/#summary-details-fields), [details](https://ossf.github.io/osv-schema/#summary-details-fields) and [references](https://ossf.github.io/osv-schema/#summary-details-fields) into GUAC. Those are not part...

> Overall this is a great PR, very comprehensive! We should just remove it from "on ingestion" otherwise this is good to go! Thank You! Rechecking the code i don't...

/hold wait for apiserver-proxy v0.18.0 release

Really nice! I could see having a filter for the repositories being useful. For example we have a registry with around 3000+ repos where not all of them are interesting...

> Could you describe your use case of debugging a test file (instead of just a single test)? Does the debugger run through each test? Yes, the debugger does execute...