akcrisp
commented
8 months ago all as per my updates on the kyverno policy media types - can i second this request for a media type being defined by vex and i could do with this asap...
Open sudo-bmitch opened 1 year ago
akcrisp
commented
8 months ago all as per my updates on the kyverno policy media types - can i second this request for a media type being defined by vex and i could do with this asap...
oej
commented
2 months ago Agree that this is needed.
OCI has done a fair bit of work on defining a new referrers API that is used to associate metadata like SBOMs, signatures, and VEX to container images. The key piece of data needed to lookup that metadata is a mediaType, so that a query could be made for all associated OpenVEX reports for a specified image. Is that something OpenVEX would be interested in documenting as part of their spec?
IANA has their list of registered media types, and that would be awesome if OpenVEX wanted to go through that process. But it's also acceptable to us to just have something that looks reasonable and is documented by the project, e.g.
application/vnd.openvexlisted in a readme. OCI has some mediaTypes for their own content defined in opencontainers/image-spec that may be useful examples with features like versioning and a suffix to make future changes easier.