Brandon Mitchell

Results 554 comments of Brandon Mitchell

The current spec handles the scenario where the client knows the repository that contains additional metadata. Clients would query the referrers API in that alternate repository and receive a response...

The text: > A registry MUST initially accept an otherwise valid manifest with a subject field that references a manifest that does not exist in the repository, allowing clients to...

OCI doesn't define GC policies; registries are free to implement their own. Some delete anything over a few hours old, others require tags, others have negotiated lifecycle policies for legal...

I think the following spec sentence is a direct answer to the original question: > Each descriptor is of an image manifest or index in the same `` namespace with...

I don't believe it will be possible to fix `opencontainers/[email protected]` since that's a tagged release. This would need a merged fix and then a new release (v1.1.1) if external workflows...

> This is probably a compelling argument for adjusting the action to take version as a parameter and pointing users at HEAD instead of a tag. 🤔 I could see...

Currently the manifest delete workflow describes the process to delete an entry from the referrers response when deleting a manifest that has a subject. If we add a replace workflow,...

> One approach we might employ to help disambiguate bundles is the use of annotations to surface additional information about the contents of the bundle. In situations where Sigstore is...

This is something I'd like to see myself, but I'm not sure how that would work considering the different types of clients (e.g. build tooling, runtimes, vulnerability scanners, mirroring, pull...

To take two examples from the many, a vulnerability scanner, and Helm, I'm not sure they could work with a test like that. They don't have the granular interface to...