Brandon Lum
+1. Another potential thing we could do on top of that as well is have unknown purls have type unknown+purltype and pkgEqual to a handling of that purl. To point...
Thanks for opening this @stevemenezes. Hmm, yeah, let's chat more about this! I think this shouldn't be too bad, since most of the things are already refactored. The tricky...
I like the incremental approach! I think both a go-cloud and individual collector implementations can co-exist.
issue name should be: hotel california osv-certifier :)
Awesome! Assigned it to you!
I think we'd like to potentially have some sort of free form metadata node that we can encode additional info and for those that are helpful - we would promote...
Hmm, would layer IDs be okay to be represented as packages? and a DEPENDS_ON relationship matching them? So like a layer ID would look a bit like "pkg:container_layer/sha256:abdef...", and then...
Hmm, what do you mean by the `INCLUDED_IN` relationship? I'm not too sure I follow. Since layers are just tarballs, I'm assuming that it would be for the container package...
Here's a proposal on how to encode layerID and adjacent container image metadata https://docs.google.com/document/d/11WqkncYYob8MtNkcvTZiYcjbvclT15UKFh6coDjJToU/edit
Ah yes - we have collectors that can run as daemons - which I believe should do exactly what you're asking for. We have this being done for files, would...