sandstrom | 1 year ago
A question out of curiosity:
Would you say that this is still a good fit for company-internal docker images?
I.e. a packaged Rails app that's deployed in production using Docker (to basically verify that we only deploy images built in CI [GitHub Actions])
Or would something more lightweight, like the Notary project[1], be a better fit for internal use?
(I know signing and provenance are different things, though for internal purposes, we can kind of infer provenance from just seeing a signed container, assuming we've locked down the build environment properly)
[1] https://notaryproject.dev/docs/quickstart-guides/quickstart-...