For some reason, the act of choosing a plugin mechanism for our new project has been presented in my head a dilemma. Not a clear winner between the built-in stuff (plugin stdlib), the boring but battle tested option (Hashicorp go-plugin [1]) and the new exciting shiny ("future proof?") object web assembly plugins [2]
I ended up choosing the "traditional" Hashicorp library but any feedback, or comments on why you might think I am making a terrible mistake would be appreciated :)
I am afraid I don't have a formed opinion on the sigsum project yet.
Thanks for the pointer though, it indeed looks interesting, it might come handy once we start the effort of adding a transparent log (i.e rekor) to Chainloop.
Chainloop is not designed nor implemented with that centralization concept in mind.
It is meant to run as any other OSS infrastructure piece in your Software Supply Chain. The source of truth that we describe, it's about providing organizations with a single mechanism to define, ingest and route metadata and artifacts to their final destination (i.e artifactory, OCI registry, ...)
I completely agree with your comment. We might be doing a poor job at explaining what Chainloop is compared to Sigstore.
Chainloop is built on top of Sigstore's (among from others) great OSS building blocks. We use cosign, in-toto and DSSE for generation or OCI for storing the attestations. It's true that today the signing is done using a asymmetric cosign key at the moment of the attestation crafting but we have plans on implementing keyless/identity signing and verifying using Sigstore fulcio+rekor.
What languages would you say are viable options in practice today to match rego(language and engine) functionality?