Janos
Hey @stevehipwell, thank you. We are looking for specific things that not having OCI registries as a distribution method prevents OpenTofu users from doing.
Hey @buzzsurfr thank you for offering to implement this, it is much appreciated. When the core team looks at issues, there are a few points that go into that consideration:...
Hey @DavidGamba thank you, that is very good info. Could you paste the error message for that? I want to see if we can do something short-term about it.
@skyzyx no we don't need a HashiCorp buy-in as long as provider authors sign their releases with both GPG (needed for Terraform) and Cosign. We do this for OpenTofu releases...
Hey folks, we discussed this with the core team and given that Cosign is a very large dependency and sigstore-go is only at version 0.3.0, we are marking this issue...
@stevehipwell I believe we would need some form of indication that the library is stable. The library currently has an explicit warning that the API is not stable. It is...
Hi everyone. We discussed this issue with the core team and we will not be implementing this feature until there is a stable and supported Go library available to verify...
Thank you very much @steiza, please keep us informed when a stable release is ready. As a note on adoption, there are currently over 2000 provider authors in the OpenTofu...
@stevehipwell thank you for your input, the theoretical benefits of Sigstore are well understood. The OpenTofu binaries are signed with it. However, unfortunately the reduced complexity wouldn't manifest for the...
Hey community, thank you all for your valuable contributions. We are working through our backlog of issues now that the stable release is out and this would be a great...