Jason Hall

Results 417 comments of Jason Hall

> A registry server implementation may still accept mutating `-immutable` tags. I think this is a fundamental flaw with this approach. If you want to enforce that `-immutable` tags mean...

> The immutability isn't really expected to be enforceable by the registry, as the registry nodes may have a distributed database that does not guarantee serializable consistency. > > And...

> I'm for this, but single handedly, the `mediaType` field will break this idea and be awful to work around Can you elaborate? I'm not sure I follow, but maybe...

Docs for this are live now: - https://docs.docker.com/desktop/extensions-sdk/ - https://docs.docker.com/desktop/extensions-sdk/extensions/METADATA/ - https://docs.docker.com/desktop/extensions-sdk/extensions/DISTRIBUTION/

@puerco says https://github.com/sigstore/cosign/pull/1616 unintentionally removed this ability, and we should add it back. AIUI this means using `ociempty.SignedImage` if the image-by-digest doesn't exist in the registry, determined using [`pkg/v1/remote.Head`](https://godoc.org/github.com/google/go-containerregistry/pkg/v1/remote#Head) presumably....
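The existence check the comment above refers to is a HEAD request against the registry's manifest endpoint, which is what `remote.Head` in go-containerregistry issues under the hood. The block below is an added example, not cosign's or go-containerregistry's code: it re-implements that check with only `net/http` so it can run offline against a constructed fake registry (`NewFakeRegistry`, an assumption for the demo). The function name `ManifestExists`, the plain-HTTP registry URL and the sample digests are all constructed here. A caller that gets `false` is in the situation the comment describes, where there is no image at that digest to attach a signature to and an empty image would have to be created instead.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ManifestExists sends a HEAD to /v2/<repo>/manifests/<digest>, the same request
// remote.Head makes, and reports whether the registry at registryURL has that manifest.
// Added example (not cosign's code); registryURL is assumed to be plain HTTP, e.g.
// "http://127.0.0.1:5000", and no auth token exchange is performed.
func ManifestExists(registryURL, repo, digest string) (bool, error) {
	url := fmt.Sprintf("%s/v2/%s/manifests/%s", strings.TrimRight(registryURL, "/"), repo, digest)
	req, err := http.NewRequest(http.MethodHead, url, nil)
	if err != nil {
		return false, err
	}
	// Advertise the manifest media types we would accept on a GET; some registries
	// answer 404 to a HEAD that does not list the stored manifest's type.
	req.Header.Set("Accept", strings.Join([]string{
		"application/vnd.oci.image.manifest.v1+json",
		"application/vnd.oci.image.index.v1+json",
		"application/vnd.docker.distribution.manifest.v2+json",
		"application/vnd.docker.distribution.manifest.list.v2+json",
	}, ","))
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		return true, nil
	case http.StatusNotFound:
		return false, nil
	default:
		// Anything else (401, 429, 5xx) is not "missing": surface it rather than
		// silently treating it as an absent image.
		return false, fmt.Errorf("unexpected status %d from HEAD %s", resp.StatusCode, url)
	}
}

// NewFakeRegistry is a constructed stand-in for a registry that knows only the
// manifests whose digests are in known. It exists so the example runs offline.
func NewFakeRegistry(known map[string]bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/v2/" {
			w.WriteHeader(http.StatusOK)
			return
		}
		parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/v2/"), "/manifests/")
		if r.Method != http.MethodHead || len(parts) != 2 || !known[parts[1]] {
			w.WriteHeader(http.StatusNotFound)
			return
		}
		w.Header().Set("Docker-Content-Digest", parts[1])
		w.WriteHeader(http.StatusOK)
	}))
}

func main() {
	present := "sha256:" + strings.Repeat("ab", 32) // constructed digest
	srv := NewFakeRegistry(map[string]bool{present: true})
	defer srv.Close()
	ok, _ := ManifestExists(srv.URL, "library/busybox", present)
	missing, _ := ManifestExists(srv.URL, "library/busybox", "sha256:"+strings.Repeat("00", 32))
	fmt.Println(ok, missing)
}
```

Against a real registry the fake server is replaced by the registry's URL and, for anything but a local insecure registry, a bearer token flow; the decision logic on the status code is the part that carries over.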

There's [`cosign dockerfile verify`](https://github.com/sigstore/cosign/blob/main/doc/cosign_dockerfile_verify.md) which parses a given Dockerfile for base image references (and intermediate build stage images), and ensures the referenced image(s) are signed. Is that what you were...
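To show what "parses a given Dockerfile for base image references (and intermediate build stage images)" involves, here is an added example that is not cosign's own parser: it extracts the `FROM` references from a constructed Dockerfile, keeps each build stage's real base image, and skips references that name an earlier stage (`FROM builder`) or `scratch`, since neither is a registry image that could carry a signature. `BaseImages` and `SampleDockerfile` are names introduced here; the parser does not expand `ARG` values, so a `FROM ${BASE}` line would be returned literally.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// SampleDockerfile is a constructed multi-stage Dockerfile used as input.
const SampleDockerfile = `# constructed sample, not from any real project
FROM --platform=$BUILDPLATFORM \
    golang:1.21 AS builder
WORKDIR /src
RUN go build -o /out/app .

FROM builder AS tester
RUN go test ./...

FROM scratch AS empty

FROM gcr.io/distroless/static:nonroot
COPY --from=builder /out/app /app
ENTRYPOINT ["/app"]
`

// BaseImages returns the external image references a Dockerfile builds from,
// in order and without duplicates. Intermediate stages' images are included;
// FROM lines that refer back to a named stage, and "scratch", are skipped.
// Added example re-implementing the idea behind `cosign dockerfile verify`.
func BaseImages(dockerfile string) []string {
	stages := map[string]bool{} // stage aliases seen so far (case-insensitive)
	seen := map[string]bool{}
	var images []string
	var joined string // accumulates backslash-continued lines
	sc := bufio.NewScanner(strings.NewReader(dockerfile))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if strings.HasSuffix(line, "\\") {
			joined += strings.TrimSuffix(line, "\\") + " "
			continue
		}
		line = joined + line
		joined = ""
		fields := strings.Fields(line)
		if len(fields) < 2 || !strings.EqualFold(fields[0], "FROM") {
			continue
		}
		args := fields[1:]
		// Drop flags such as --platform=linux/amd64 that precede the reference.
		for len(args) > 0 && strings.HasPrefix(args[0], "--") {
			args = args[1:]
		}
		if len(args) == 0 {
			continue
		}
		ref := args[0]
		isStageRef := stages[strings.ToLower(ref)]
		// Remember this stage's alias so later FROM lines can refer to it.
		if len(args) >= 3 && strings.EqualFold(args[1], "AS") {
			stages[strings.ToLower(args[2])] = true
		}
		if strings.EqualFold(ref, "scratch") || isStageRef {
			continue
		}
		if !seen[ref] {
			seen[ref] = true
			images = append(images, ref)
		}
	}
	return images
}

func main() {
	for _, img := range BaseImages(SampleDockerfile) {
		fmt.Println("would verify signature for:", img)
	}
}
```

Each returned reference is what a verifier would then look up in the registry and check a signature for; the stage alias and `scratch` are filtered out precisely because there is nothing in a registry to verify for them.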

Having a method to determine the correct Rekor pubs sounds generally useful outside of cosign. Can we add this to sigstore/sigstore and just call it from cosign? Or, if we...

Here's a concrete proposal: - move `pkg/providers` into sigstore/sigstore, as `pkg/oidc/providers` - move `pkg/providers/filesystem` into sigstore/sigstore as `pkg/oidc/providers/filesystem` - move `pkg/providers/github` into sigstore/sigstore as `pkg/oidc/providers/github` - (as it doesn't have...

Another bump: the [`filesystem` provider](https://pkg.go.dev/github.com/sigstore/cosign/pkg/providers/filesystem) expects to find a token at `/var/run/sigstore/cosign/oidc-token` -- if we move this to sigstore/sigstore I think we should see if we can have it look...