"So Kwasm operator breaks into the host node and sets up some containerd configuration imports of binary from wherever — this is not production ready" -@kingdonb
As the ecosystem has become more stable and mature, we have moved to the officially released shims, but it would be nice to be able to prove that the binaries are not compromised.
I would suggest providing SBOMs and signatures for the releases. WDYT?
I learned a new term that day, "ATO". The reference is from our newbie-level OpenGovCon talk about WASM (and I'm so happy to hear it mentioned!), and the recap article is where you can find that quote (context for those who don't wish to suffer through the video but wanted to get the gist of this talk anyway).
Perhaps we could package OCI artifacts with SBOMs that contain a shim. By doing that, we can have integrity hashes through the content registry, SBOMs to provide transparency about contents, and easy distribution via OCI. Thoughts?
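A sketch of the integrity check that the OCI packaging idea above relies on, added here as an illustration and not taken from the thread or from the KWasm project: a node-side installer accepts a shim blob only if it matches the size and digest in the manifest's layer descriptor. The manifest, the media type `application/vnd.example.shim.v1` and the blob bytes are constructed assumptions.

```python
import hashlib
import json

# Constructed sample: stand-in bytes for a shim binary and the OCI manifest
# that would describe it. The layer media type is a hypothetical placeholder.
SHIM_BLOB = b"\x7fELF constructed stand-in for a containerd wasm shim"
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [{
        "mediaType": "application/vnd.example.shim.v1",
        "digest": "sha256:" + hashlib.sha256(SHIM_BLOB).hexdigest(),
        "size": len(SHIM_BLOB),
    }],
})

ALGORITHMS = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def verify_descriptor(descriptor: dict, blob: bytes) -> bool:
    """Return True only if blob matches the descriptor's size and digest."""
    algorithm, _, expected_hex = str(descriptor.get("digest", "")).partition(":")
    hasher = ALGORITHMS.get(algorithm)
    if hasher is None or not expected_hex:
        return False  # unknown algorithm or malformed digest: fail closed
    if descriptor.get("size") != len(blob):
        return False  # cheap size check before hashing
    return hasher(blob).hexdigest() == expected_hex


def select_verified_shim(manifest_json: str, media_type: str, blobs: dict) -> bytes:
    """Return the blob for the layer with media_type, or raise ValueError.

    blobs maps digest string -> bytes and stands in for a registry fetch.
    Unverified content is never returned to the caller.
    """
    manifest = json.loads(manifest_json)
    for layer in manifest.get("layers", []):
        if layer.get("mediaType") != media_type:
            continue
        blob = blobs.get(layer.get("digest"))
        if blob is not None and verify_descriptor(layer, blob):
            return blob
        raise ValueError("shim layer failed digest/size verification")
    raise ValueError("no layer with the requested media type")
```

A matching digest only ties the blob to the manifest; whether the manifest itself comes from the expected publisher is what the signatures proposed in the issue would establish.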
My favorite cite about KWasm: