Brandon Mitchell

Results 554 comments of Brandon Mitchell

> I guess what I'd really like to see is some group creating a new set of their own annotations so we stop being the clearinghouse for every single annotation...

> Security bugs are just that, bugs, with their own severity. How/who do we contact today based on information in image-spec annotations? for any bug? We have annotations for the...

> To be honest, the more I think about it, the more I like `org.securitytxt.url`... For the strict syntax that requires the URL points to the RFC9116 implementation, that makes...

> I've also been hit by the implicit nature of registering the algorithms. I chose to register the `func() hash.Hash` function directly instead of the `crypto.Hash` interface so I could...

That's not available under the OCI spec, yet. But there is work happening upstream in OCI that may eventually make it possible. Once adopted by OCI, it will take time...

They likely have the date in the registry database, and some may expose it with registry-specific APIs. But regclient uses the OCI APIs to query the registry and that's...

I'm fine with leaving it open, and when regclient starts testing 579, I'll close it out then. That way anyone wanting to track the progress can follow this.

I'd recommend that verification should not require an extra flag. If no option is given, have the command search through any available storage methods to see if the signed content...

> [@sudo-bmitch](https://github.com/sudo-bmitch), do you think that should apply for commands like `tree` as well? Yes, everything that consumes the artifacts can have an automatic fallback vs tools that are producing...

Please provide details on the docker engine with `docker version` and `docker info`. The contents of the tar file would also be useful (`tar -tvf node.tar`) along with any other...