Matt Moore

Results 304 comments of Matt Moore

Starting to poke through code, I think the most natural integration point for *signing* is likely to implement a new `publisher.Interface` that composes with another publisher similar to the caching...

So it looks like currently:
```go
return cli.Sign().Exec(context.Background(), n.digests.List())
```
... generates a new cert for every image, and sends the user through a separate 3LO for each one, so...

I figured we'd have something like `git commit -s` to trigger signing. We could also use `.ko.yaml` to default `-s` on like I do with `gitsign` for example.

I think that with `-s` we'd also want to encode the SBOMs as attestations, so I suspect that'd be really cumbersome via shelling out (certainly no way to avoid multiple...

We've also been talking about plumbing sufficient environment variables into `cosign` to configure custom sigstore instances. The idea is to enable a pattern like minikube's `env` setup: `eval $(configure-sigstore-env)`...

Goal: eliminate queue-proxy dependency on `k8s.io/client-go/kubernetes`

Two offenders:
1. `k8s.io/client-go/informers` is pulled in via the informed watcher in `knative.dev/pkg/configmap` (unused in queue-proxy): https://github.com/knative/pkg/pull/1851
2. `k8s.io/client-go/kubernetes` is pulled in directly via...

Goal: eliminate queue-proxy dependency on `contrib.go.opencensus.io/exporter/stackdriver`

Two offenders:
1. `knative.dev/pkg/metrics`
2. `knative.dev/pkg/tracing`

Commenting out the stackdriver logic in these packages further reduces the queue-proxy binary size to `35,560,653` (another 18%...

FWIW, that's likely included in my figures, unless it is transitively pulled in through other things. I'm measuring the overall binary size once a particular cut point in the dependency...

Shouldn't affect the code pages, but @tcnghia also found that if we use:
```
GOFLAGS=-ldflags="-s -w"
```
It drops things another ~10MB (on top of what I measured above). Seems...

@evankanderson do you want to link to or summarize your thoughts on timeline to cut this dependency?