Closed corang closed 1 week ago
Alternatives:
how might we pull metadata from Zarf packages? Since they will be the fundamental 'unit' of any application, 1) we may be able to pull most data directly from there 2) encourage/require good hygiene on that metadata
I also think there maybe other metadata being added with additional information. (ideally we could identify an appropriate use case for zarf to handle infinity key-value metadata. then we could just add whatever is appropriate)
If we need to do this the best way I've found after discussing with @Noxsios is either the referrers api https://github.com/oras-project/artifacts-spec/blob/main/manifest-referrers-api.md or how cosign attaches attestations/sigs, referrers tag schema https://github.com/opencontainers/distribution-spec/blob/main/spec.md#unavailable-referrers-api
https://github.com/defenseunicorns/uds-marketplace/tree/schema/schema This is what I was able to figure out for what's possible today