Matt Moore
Is this done?
cc @imjasonh @jonjohnsonjr @jdolitsky
Hopefully @puerco can provide an example of what we should be doing here. 🙏
@puerco DM'd me this, posting here so I don't lose it 🤩
```json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:af1c5f9673f78aa7a575d627cd8a210bf6a895b0065f719a098dc035eee55a58",
  "spdxVersion": "",
  "creationInfo": {
    "created": "1970-01-01T00:00:00Z",
    "creators": [
      "Tool: apko (devel)",
      "Organization:...
```
For the JSON migration, there are types here: https://github.com/kubernetes-sigs/bom/blob/main/pkg/spdx/json/v2.2.2/types.go
Here's a reference for the CycloneDX side of things: https://github.com/chainguard-dev/apko/pull/274
FWIW +1. Having the default be `example.com` means that you can't easily make it `svc.cluster.local` unless/until the default-domain job is run. These days I generally just use `svc.cluster.local` and expose...
I'd propose a similar two-release strategy to things we've done previously (e.g. requiring `ko://`): 1. Start to verify things by default, be noisy when they are NOT (link to how),...
@imjasonh Yeah 2 doesn't have to be the next release, but we should indicate in our scary warning that this is the direction we intend to head. We can always...
To pontificate a bit. At least for me, `ko` and other "last mile" build tools exist to try to realize the best practices (e.g. nonroot, multi-arch, minimal base). While the...