Brandon Mitchell

The first question covers frequency, but I'd want to include severity too. There's a big difference between "dependabot notifies me once a month to merge a PR" and "there was...

I'd be interested in including the lifecycle of the SBOM too. Few things I'm thinking of: - when and how should we generate the SBOM (before compile or after image...

The link in the description should be updated to https://github.com/confidential-containers/

My thoughts most closely align with [kevpar's comment](https://github.com/containerd/containerd/pull/6479#issuecomment-1024719689): > I like the idea of adding ArgsEscaped to OCI and immediately marking it as deprecated, and also figuring out the right...

Thanks for updating! I don't have a Windows system available to build an image with this. Is there a public example (repository:tag) I can use to test against some code?

Something I'm seeing in practice is the documentation here may be inaccurate. It looks like Docker also sets the field on Linux images: ```shell $ regctl image config regclient/regbot:edge-alpine --platform...

The images I'm building are from buildkit (and buildx), where it appears to be set on every image that defines a `CMD`: https://github.com/moby/buildkit/blob/cdc17fe2beb46178e34eecd1368740b004ad6592/frontend/dockerfile/dockerfile2llb/convert.go#L1266 I don't think buildkit has support for...

Don't spend any effort debugging the CI failures, they should be fixed with a rebase.

> @sudo-bmitch You can create windows images in buildkit, if not via wcow then with cross-compilation. If the analysis shows that no runtime uses it on linux we can drop...

From the Go implementations, the preference is to omit the field, rather than explicitly set it to null, in the JSON. That's seen with [omitempty](https://github.com/opencontainers/image-spec/blob/6ad7100eb087e43398e9ea8fe44fffc1501b8984/specs-go/v1/descriptor.go) defined on various fields. I...