errordeveloper
diff --git a/‎README.md
Lines changed: 17 additions & 17 deletions b/‎README.md
Lines changed: 17 additions & 17 deletions
diff --git a/‎go.mod
Lines changed: 17 additions & 18 deletions b/‎go.mod
Lines changed: 17 additions & 18 deletions
@@ -1,5 +1,10 @@
 # Tape is for packaging applications
 
+## Disclaimer
+
+This project is an archived experiment that was done as part of Docker Labs and is no longer worked on.
+It's been made available by Docker Labs team under the Apache license as it's deemed of potential interest to the community, however, it's no longer in active development.
+
 ## What is Tape?
 
 Tape is a tool that can package an entire application as a self-contained (taped) OCI image that can be deployed to a
@@ -37,7 +42,7 @@ provide a logical supply chain entry point and location for storing metadata.
 
 The best analogy is flatpack furniture. Presently, deployment of an application is as if flatpack hasn't been invented, so
 when someone orders a wooden cabinet, all that arrives in a box is just the pieces of wood, they have to shop for nuts,
-bolts, and tools. Of course, that might be desirable for some, as they have a well stocked workshop with the best tools and
+bolts, and tools. Of course, that might be desirable for some, as they have a well-stocked workshop with the best tools and
 a decent selection of nuts and bolts. But did the box even include assembly instructions with the list of nuts and bolts
 one has to buy?
 That model doesn't scale to the consumer market. Of course, some consumers might have a toolbox, but very few will be able
@@ -53,10 +58,6 @@ source. The attestations are attached to the resulting OCI image, so it helps wi
 
 ## How does Tape work?
 
-> NB: This describes the current implementation that is very minimal and doesn't achieve all of the ambitious goals
-> as described above. Namely it works only with plain YAML and JSON manifests and doesn't yet have key integrations,
-> e.g. with Helm or other tools.
-
 Tape can parse a directory with Kubernetes configuration and find all canonical references to application images.
 If an image reference contains a digest, Tape will use it, otherwise it resolves it by making a registry API call.
 For each of the images, Tape searches of all well-known related tags, such as external signatures, attestations and
@@ -68,7 +69,7 @@ Copying of all application images and referencing by digest is performed to ensu
 are tightly coupled together to provide a single link in the supply chain as well as a single point of distribution
 and access control for the whole application.
 
-Tape also checks the VCS provenance of manifests, so if any manifest files are checked in to Git, Tape will attest to what
+Tape also checks the VCS provenance of manifests, so if any manifest files are checked in Git, Tape will attest to what
 Git repository each file came from, all of the revision metadata, and whether it's been modified or not.
 Additionally, Tape attests to all key steps that it performs, e.g. original image references it detects and manifest
 checksums. It stores the attestations using in-toto format in an OCI artifact.
@@ -78,8 +79,8 @@ checksums. It stores the attestations using in-toto format in an OCI artifact.
 Tape has the following commands:
 
 - `tape images` - examine images referenced by a given set of manifests before packaging them
-- `tape package` - package an artifcat and push it to a registry
-- `tape pull` – downlowad and extract contents and attestations from an existing artifact
+- `tape package` - package an artifact and push it to a registry
+- `tape pull` – download and extract contents and attestations from an existing artifact
 - `tape view` – inspect an existing artifact
 
 ### Example
@@ -430,14 +431,13 @@ $ crane blob ${podinfo_image}@${tape_attest_digest} | gunzip | jq .
 $
 ```
 
-## Roadmap & FAQ
+## FAQ
 
 ### What configuration formats does Tape support, does it support any kind of templating?
 
-Presently, it supports plain JSON and YAML manifest. In the future, the goal is to accommodate a variety of popular
-templating options, e.g. CUE, Helm, and scripting languages, so that environment-specific parameters can be specified.
-It may also support basic runtime overrides with or without templating e.g. for namespaces and labels.
-It should also offer flexibility around templating at buildtime, runtime, or done partially buildtime/runtime.
+Tape supports plain JSON and YAML manifest, which was the scope of the original experiment.
+If the project was to continue, it could accommodate a variety of popular templating options,
+e.g. CUE, Helm, and scripting languages, paving a way for a universal artifact format.
 
 ### How does Tape relate to existing tools?
 
@@ -451,20 +451,20 @@ support OCI artifacts and there could be different ways of building the artifact
 
 ### What kind of applications can Tape package?
 
-Tape doesn't infer an opinion of how the application is structured, what it consists of or doesn't consist of. It doesn't
+Tape doesn't infer an opinion of how the application is structured, or what it consists of or doesn't consist of. It doesn't
 present any application definition format, it operates on plain Kubernetes manifests found in a directory.
 
 ### Does Tape provide SBOMs?
 
-It doesn't create new SBOMs at the moment, but it may cater to this use case in the future.
+Tape doesn't explicitly generate or process SBOMs, but fundamentally it could provide functionality around that.
 
 ## Acknowledgments & Prior Art
 
 What Tape does is very much in the spirit of Docker images, but it extends the idea by shifting the perspective to configuration
 as an entry point to a map of dependencies, as opposed to the forced separation of app images and configuration.
 
-It's not a novelty to package configuration in OCI, there exist many examples of this practice, but there is no interoperability.
-Tape's ambition is to commoditise the model and abstract configuration tooling so that end-users don't need to think about whether
+It's not a novelty to package configuration in OCI, there are many examples of this, yet that in itself doesn't provide for interoperability.
+One could imagine something like Tape as a model that abstracts configuration tooling so that end-users don't need to think about whether
 a particular app needs to be deployed with Helm, Kustomize, or something else.
 
 Tape was directly inspired by [flux push artifact](https://fluxcd.io/flux/cheatsheets/oci-artifacts/). Incidentally, it also resembles
 
@@ -8,11 +8,11 @@ require (
 	github.com/fluxcd/pkg/oci v0.30.0
 	github.com/fluxcd/pkg/tar v0.2.0
 	github.com/fxamacker/cbor/v2 v2.5.0
-	github.com/go-git/go-git/v5 v5.8.1
+	github.com/go-git/go-git/v5 v5.11.0
 	github.com/google/go-containerregistry v0.15.2
 	github.com/google/uuid v1.3.0
 	github.com/in-toto/in-toto-golang v0.9.0
-	github.com/onsi/gomega v1.27.8
+	github.com/onsi/gomega v1.27.10
 	github.com/otiai10/copy v1.12.0
 	github.com/rs/zerolog v1.28.0
 	github.com/secure-systems-lab/go-securesystemslib v0.6.0
@@ -31,9 +31,8 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230717121422-5aa5874ade95 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
 	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
-	github.com/acomagu/bufpipe v1.0.4 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.18.1 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.18.27 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.13.26 // indirect
@@ -53,13 +52,13 @@ require (
 	github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b // indirect
 	github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
-	github.com/cloudflare/circl v1.3.3 // indirect
+	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
 	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/docker/cli v23.0.5+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v23.0.5+incompatible // indirect
+	github.com/docker/docker v24.0.7+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
@@ -73,7 +72,7 @@ require (
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.4.1 // indirect
+	github.com/go-git/go-billy/v5 v5.5.0 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
@@ -84,7 +83,7 @@ require (
 	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/gomodule/redigo v1.8.2 // indirect
 	github.com/google/gnostic v0.6.9 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/gorilla/handlers v1.5.1 // indirect
 	github.com/gorilla/mux v1.8.0 // indirect
@@ -120,7 +119,7 @@ require (
 	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/skeema/knownhosts v1.2.0 // indirect
+	github.com/skeema/knownhosts v1.2.1 // indirect
 	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/theupdateframework/go-tuf v0.5.2 // indirect
@@ -132,20 +131,20 @@ require (
 	github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 // indirect
 	github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 // indirect
 	github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f // indirect
-	golang.org/x/crypto v0.11.0 // indirect
-	golang.org/x/mod v0.11.0 // indirect
-	golang.org/x/net v0.12.0 // indirect
+	golang.org/x/crypto v0.17.0 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/net v0.19.0 // indirect
 	golang.org/x/oauth2 v0.9.0 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.10.0 // indirect
-	golang.org/x/term v0.10.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.15.0 // indirect
+	golang.org/x/term v0.15.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
 	golang.org/x/time v0.3.0 // indirect
-	golang.org/x/tools v0.9.1 // indirect
+	golang.org/x/tools v0.13.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
-	google.golang.org/grpc v1.55.0 // indirect
+	google.golang.org/grpc v1.56.3 // indirect
 	google.golang.org/protobuf v1.31.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/square/go-jose.v2 v2.6.0 // indirect