corang
commented
1 month ago Alternatives:
- don't publish as OCI, serve directly from repo
- publish as oci but a separate artifact
Closed corang closed 1 week ago
corang
commented
1 month ago Alternatives:
andrewg-xyz
commented
1 month ago how might we pull metadata from Zarf packages? Since they will be the fundamental 'unit' of any application, 1) we may be able to pull most data directly from there 2) encourage/require good hygiene on that metadata
I also think there maybe other metadata being added with additional information. (ideally we could identify an appropriate use case for zarf to handle infinity key-value metadata. then we could just add whatever is appropriate)
corang
commented
1 month ago If we need to do this the best way I've found after discussing with @Noxsios is either the referrers api https://github.com/oras-project/artifacts-spec/blob/main/manifest-referrers-api.md or how cosign attaches attestations/sigs, referrers tag schema https://github.com/opencontainers/distribution-spec/blob/main/spec.md#unavailable-referrers-api
https://github.com/defenseunicorns/uds-marketplace/tree/schema/schema This is what I was able to figure out for what's possible today