Publisher information

[RealHarshThakur]

I'd like to rely on the public buildpacks regsitry but only users to use allow images by certain publishers (heroku, paketo, etc). Is there a way for the API to give out this information reliably such that I could verify if a particular buildpack was published by who I think it is? Apologies if this isn't the right repo for this issue

[jkutner]

@RealHarshThakur it's possible we could expose this, but it would just be something we pass through from the underlying docker registry (which is what host the buildpack images). Are you interested in limit to namespaces or actual publishers?

[RealHarshThakur]

Limit to namespace is essentially relying on dockerhub handle they(publishers I trust) have, isn't it? I think that would be a good start. Long term, maybe we can rely on the the OCI artifacts being signed and verifying via public key.