Puerco

Results 141 comments of Puerco

Thanks for the report @ohxeighty I'll take a look!

Following up to this one, I've opened https://github.com/in-toto/attestation/pull/434 to address two inconsistencies between the protos and the spec with the `metadata` and `scanner.db` fields.

Ah yes, this is intentional. When writing this, @mattmoor and I decided not to add the repository URL to make the purls portable when copying images.

Mmh interesting. This also has ramifications on "dumber" environments where automation may not have all the context expressed in the advisories. For example when relying on a purl string :/...

We are making some improvements to the release process; we'll cut a new release this week!

> we should fall back to apkdb when an SBOM is not available

Right, in general. We will start with the data from the apkdb and complement it with that...

I brought this issue to SPDX. [The license list version format is baked into the SPDX spec](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#67-license-list-version-field), I think we will need to double tag the license list release for...

The license list was updated in https://github.com/kubernetes-sigs/release-utils/commit/9c4908275a6d6121ca95140b91e12ad5c2955d39 as part of the fix in #462, I think we can keep the spdx tools bump in this PR.

> I definitely want to hear more about what the use-case is here.

Of course, my main use case is that I need to bundle [Ampel](https://github.com/carabiner-dev/ampel/) policies (see an [example...

Now, to be fair, I have been trying to convince myself not to wrap the policies in a synthesized in-toto statement because, even when it does not make sense (as...