Consider defining an OpenVEX mediaType #34

Open
sudo-bmitch opened this issue Aug 7, 2023 · 3 comments

@sudo-bmitch
Contributor

OCI has done a fair bit of work on defining a new referrers API that is used to associate metadata like SBOMs, signatures, and VEX to container images. The key piece of data needed to look up that metadata is a mediaType, so that a query could be made for all associated OpenVEX reports for a specified image. Is that something OpenVEX would be interested in documenting as part of their spec?

IANA has their list of registered media types, and that would be awesome if OpenVEX wanted to go through that process. But it's also acceptable to us to just have something that looks reasonable and is documented by the project, e.g. application/vnd.openvex listed in a readme. OCI has some mediaTypes for their own content defined in opencontainers/image-spec that may be useful examples with features like versioning and a suffix to make future changes easier.
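
The lookup described in the comment above, as an added example that is not part of the original issue or of the OpenVEX project: it builds the OCI referrers query for one image digest and filters the returned image index by `artifactType`. The value `application/vnd.openvex` is only the placeholder suggested in the issue, and the registry name, repository, digests and response are constructed.

```python
import json
from urllib.parse import quote

# Assumption: the placeholder value floated in the issue, not a type OpenVEX has defined.
OPENVEX_TYPE = "application/vnd.openvex"
INDEX_TYPE = "application/vnd.oci.image.index.v1+json"

def referrers_url(registry, repo, digest, artifact_type):
    """Build the OCI distribution-spec referrers query for one subject digest."""
    return (f"https://{registry}/v2/{repo}/referrers/{digest}"
            f"?artifactType={quote(artifact_type, safe='')}")

def select_referrers(headers, body, artifact_type):
    """Return (matching descriptors, whether the registry filtered server-side)."""
    index = json.loads(body)
    if index.get("mediaType") != INDEX_TYPE:
        raise ValueError("referrers response is not an OCI image index")
    lowered = {k.lower(): v for k, v in headers.items()}
    applied = {f.strip() for f in lowered.get("oci-filters-applied", "").split(",")}
    # Filter locally even when the registry says it did: a registry that does
    # not implement filtering returns every referrer of the subject.
    matches = [m for m in index.get("manifests") or []
               if m.get("artifactType") == artifact_type]
    return matches, "artifactType" in applied

def _descriptor(fill, artifact_type):
    # Constructed descriptor; the digest is a filler value, not a real artifact.
    return {"mediaType": "application/vnd.oci.image.manifest.v1+json",
            "digest": "sha256:" + fill * 64, "size": 1024,
            "artifactType": artifact_type}

# Constructed response from a registry that did not apply the filter.
SAMPLE_HEADERS = {"Content-Type": INDEX_TYPE}
SAMPLE_BODY = json.dumps({
    "schemaVersion": 2, "mediaType": INDEX_TYPE,
    "manifests": [_descriptor("1", "application/spdx+json"),
                  _descriptor("2", OPENVEX_TYPE),
                  _descriptor("3", "application/vnd.example.signature")]})

if __name__ == "__main__":
    print(referrers_url("registry.example", "team/app", "sha256:" + "0" * 64, OPENVEX_TYPE))
    found, server_filtered = select_referrers(SAMPLE_HEADERS, SAMPLE_BODY, OPENVEX_TYPE)
    print([d["digest"] for d in found], "server filtered:", server_filtered)
```

Without an agreed type string, the equality check in `select_referrers` has nothing stable to match, which is the discovery gap the issue raises.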

@akcrisp

akcrisp commented Jan 24, 2024

All as per my updates on the Kyverno policy media types - can I second this request for a media type being defined by VEX, and I could do with this ASAP...

@oej

oej commented Aug 1, 2024

Agree that this is needed.

@akcrisp

akcrisp commented Nov 7, 2024

Hi, just wondering if there has been any progress on this? This is needed really urgently to make discovery of VEX artifacts reliable. You can then use oras discovery to find VEX artifacts attached to images.
