Dan Luhring
This is a great issue. Adding a few frictions I've seen: - Tagging a commit before we're certain that we're releasing from that commit can cause issues for consumers of...
Adding my two cents: 1. I love this. I see "Syft-as-a-library" consumption of this project becoming big as time goes on. ❤️ 2. It'd be great if we can try...
One note for developers — we may be able to deliver more value sooner by breaking this up into two iterations. Today, there's not a precedent in Syft for dynamic...
@bolshoytoster Wow, that's great — thanks! Let us know if we can do anything to help.
Hi @WhyJee, good eye! The short answer is: this is known behavior. And you're right about `rpm` superseding here. Syft's philosophy is to surface as much data as it's aware...
Thanks for the thoughtful depiction here! I think I'm following. So it sounds like the actionable piece of this is that there are **two potential feature enhancements** we could add...
> we (w/@Dentrax) are the volunteers of this issue, btw

Awesome!!!!
I think this feature would be related to #510 — having Syft perform a Cosign-style attest operation, and putting the attestation into the OCI registry. As far as CLI syntax,...
@developer-guy I think so! If we think of any more considerations, we'll put them here 😃 Thanks for taking this on. 🙏 Reach out at any point if it's not...
> (We expect an SBOM to be generated before pass into cosign/attach command.)

Absolutely. On the implementation side, we can generate an SBOM in multiple execution paths. So we could make...