Brandon Mitchell
Some stream of consciousness feedback:
- the docker headers were kept for legacy reasons, any new headers we add should be OCI headers
- auth specifications in OCI is being...
> @sudo-bmitch thanks for the feedback.
>
> > * the docker headers were kept for legacy reasons, any new headers we add should be OCI headers
>
> Understood....
> I saw this PR is listed in the [agenda items](https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg#PresentationDiscussion-Agenda-Items1) of the OCI weekly discussion on Oct. 27th 2022, but I didn't find any notes. How can we proceed...
@yinonavraham That hits on https://github.com/opencontainers/distribution-spec/issues/216. We've been rather inconsistent and need to clean that up. I would lean towards reference being the full name (e.g. registry/repo:tag) and coming up with...
We need to get some reviews from other mods, but I think most of the focus is on getting a 1.1 release out right now.
A possible example is `application/vnd.slsa.in-toto.dsse`.
That feels backwards to me. My understanding is that would be a mediaType that names the envelope that happens to contain application data, rather than the application that happens to...
@anvega are we tracking the progress on that somewhere?
I'm okay with this being closed if there are no plans for the supply chain working group to work on this. I was just confused because the message above indicated...
Perhaps a way to think of the differences is "who do you need to trust?"
- L1: unsigned provenance requires you trust the entire chain, including the distribution.
- L2:...