nisha
> > I'm not sure I understand the question. This proposal is largely independent of the artifacts proposal. What's the "top-down" linking problem? Per this proposal you want the ability...
> > Second, something that references debian, let's use an image manifest that contains a signature: > This part is where I am confused. AIUI the [image-spec](https://github.com/opencontainers/image-spec/blob/master/manifest.md#image-manifest-property-descriptions) says it's reserved...
@dlorenc I would certainly appreciate including @jonjohnsonjr's example of how this would work in the spec, with the clarification on "Image Manifest" applications.
👋 I can help answer SPDX questions (XML is only one of the supported formats)
> great, sounds good @nishakm , look forward to collaborating with you. > > I guess a key question to kick off is if you do any sort of key...
Is there any resolution for @jonjohnsonjr's suggestion on using the OCI index to map references? Something like: ``` { "schemaVersion": 2, "manifests": [ { "mediaType": "application/vnd.oci.image.index.v1+json", "size": 7143, "digest": "sha256:0228f90e926ba6b96e4f39cf294b2586d38fbb5a1e385c05cd1ee40ea54fe7fd",...
> We feel it's best to move forward with the proposal in this PR to decouple from `image.manifest` and `image.index`. > Using the new `oci.artifact.manifest` provides a clear definition for...
Regarding requirements: What are they exactly? This is what I have been able to grok thus far: - We want to store artifacts that are _related_ to a container image...
> > Your current proposal seems to be limited in that only new artifact manifests are allowed to have these new kinds of relationships, which seems inflexible and less powerful...