operator-framework / enhancements


SHA-Bundle-Digest enhancement contains inaccurate content #127

Open ipanova opened 6 months ago

ipanova commented 6 months ago

I came across this PR https://github.com/operator-framework/operator-sdk/pull/5567 and among its motivation it mentions this EP https://github.com/operator-framework/enhancements/blob/master/enhancements/sha-bundle-digest.md, the content of which is not entirely accurate and should either be corrected or completely removed so as not to misguide people. If there are other places in documentation that refer to this content they also should be updated.

https://github.com/operator-framework/enhancements/blob/master/enhancements/sha-bundle-digest.md#appendix-a This example does not reference an image manifest. It is the output of the skopeo inspect command, which behind the scenes parses the actual manifest and extracts information from it. An image manifest looks like this: https://github.com/opencontainers/image-spec/blob/main/manifest.md. It is a misconception that the image manifest includes the name and repo tags. It does NOT. It does not have the image name included in its payload, nor repo tags, and as a consequence its digest will not change with a repo tag change either.

https://github.com/operator-framework/enhancements/blob/master/enhancements/sha-bundle-digest.md#motivation The motivation part needs to be re-worded. It still stands around content security and reproducibility, but not because a name change changes the digest (which is not true, because the name is not part of the manifest..) but because of the nature of tags. Tags are mutable and volatile, and one cannot guarantee to pull the same content twice because a tag can point to some other image manifest over time, hence the user can receive a completely different image.

I understand that this EP is 2 years old, however things ought to be correct or better removed.
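The two points the issue makes about manifests and tags (that the manifest digest covers only the manifest bytes, so renaming a repo or re-tagging cannot change it, and that a tag is a mutable pointer that can be moved to different content) can be checked with a small simulation. The block below is an added example written for this page, not code from the enhancements repository or from skopeo. The manifest is constructed to follow the OCI image-spec manifest layout with placeholder config and layer digests, and `Registry` is a hypothetical in-memory stand-in for a registry's content-addressed store plus its tag map; a real registry hashes the manifest bytes exactly as uploaded, where this toy canonicalises the JSON before hashing so the result is deterministic.

```python
import hashlib
import json

# Constructed OCI image manifest (layout per the OCI image-spec manifest
# document). The config and layer digests are placeholders, not real blobs.
MANIFEST_V1 = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "digest": "sha256:" + "11" * 32,
        "size": 1234,
    },
    "layers": [
        {
            "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
            "digest": "sha256:" + "22" * 32,
            "size": 5678,
        }
    ],
}


def serialize(manifest: dict) -> bytes:
    """Canonical JSON bytes; a real registry hashes the bytes as uploaded."""
    return json.dumps(manifest, separators=(",", ":"), sort_keys=True).encode()


def manifest_digest(manifest_bytes: bytes) -> str:
    """The manifest digest is sha256 over the manifest bytes and nothing else."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()


class Registry:
    """Hypothetical in-memory registry: content-addressed manifest store plus a
    mutable (repository, tag) -> digest map. Assumed for this example only."""

    def __init__(self):
        self.blobs = {}  # digest -> manifest bytes
        self.tags = {}   # (repo, tag) -> digest

    def push(self, repo: str, tag: str, manifest: dict) -> str:
        data = serialize(manifest)
        digest = manifest_digest(data)
        self.blobs[digest] = data          # same bytes -> same digest, any repo
        self.tags[(repo, tag)] = digest    # tags are just pointers
        return digest

    def retag(self, repo: str, old: str, new: str) -> None:
        self.tags[(repo, new)] = self.tags[(repo, old)]

    def resolve(self, repo: str, ref: str) -> str:
        if ref.startswith("sha256:"):
            if ref not in self.blobs:
                raise KeyError(ref)
            return ref
        return self.tags[(repo, ref)]

    def pull(self, repo: str, ref: str):
        digest = self.resolve(repo, ref)
        data = self.blobs[digest]
        # A client verifies the bytes it received against the digest it asked for.
        if manifest_digest(data) != digest:
            raise ValueError("manifest digest mismatch")
        return digest, data


def names_absent_from_manifest() -> bool:
    """Neither the repository name nor a tag appears anywhere in the manifest."""
    data = serialize(MANIFEST_V1)
    return b"bundle" not in data and b"v1.0" not in data


def tag_or_repo_change_keeps_digest():
    """Re-tagging or pushing the same manifest under another repo name
    yields the identical digest."""
    reg = Registry()
    d_orig = reg.push("example/bundle", "v1.0", MANIFEST_V1)
    reg.retag("example/bundle", "v1.0", "latest")
    d_latest = reg.resolve("example/bundle", "latest")
    d_copy = reg.push("mirror/bundle-renamed", "v1.0", MANIFEST_V1)
    return d_orig, d_latest, d_copy


def tag_mutation_serves_different_content():
    """Moving the tag to a new manifest changes what a tag pull returns,
    while a pull by the original digest still returns the original bytes."""
    reg = Registry()
    d_orig = reg.push("example/bundle", "v1.0", MANIFEST_V1)
    rebuilt = json.loads(serialize(MANIFEST_V1))
    rebuilt["layers"][0]["digest"] = "sha256:" + "33" * 32  # different layer
    d_new = reg.push("example/bundle", "v1.0", rebuilt)     # same tag, new content
    by_tag, _ = reg.pull("example/bundle", "v1.0")
    by_digest, _ = reg.pull("example/bundle", d_orig)
    return d_orig, d_new, by_tag, by_digest


if __name__ == "__main__":
    print("names absent from manifest:", names_absent_from_manifest())
    print("retag / rename digests:", tag_or_repo_change_keeps_digest())
    print("tag mutation:", tag_mutation_serves_different_content())
```

Running the script shows three identical digests for the retag and rename case and a different digest once the tag is moved, which is exactly why pinning by digest rather than by tag gives reproducible pulls.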