Semver Violation: Breaking CLI Changes in Patch Release 3.0.3

[lorenzo-milicia]

Hello maintainers,

I'd like to raise a concern regarding semver practices in the recent releases. Upgrading from v3.0.2 to v3.0.3 breaks the previously valid command:

cosign sign --tlog-upload=false --key <key> <image>

This now throws:

Flag --tlog-upload has been deprecated, prefer using a --signing-config file with no transparency log services
Error: --tlog-upload=false is not supported with --signing-config or --use-signing-config. Provide a signing config with --signing-config without a transparency log service, which can be created with `cosign signing-config create` or `curl https://raw.githubusercontent.com/sigstore/root-signing/refs/heads/main/targets/signing_config.v0.2.json | jq 'del(.rekorTlogUrls)'` for the public instance

Such breaking changes should not occur in a patch release. More generally, "stable" v3.x.x tags should reflect production readiness, but the series still has notable inconsistencies and incomplete implementations.

Please reconsider how CLI deprecations and semver guarantees are managed for the project's stability and reliability in production pipelines.

[haydentherapper]

Sorry for the confusion. This was done not as a semver violation but as a bug fix, as that flag value was being ignored under a new v3 code path. The error message provides other flags you can use.

[lorenzo-milicia]

I understand the rationale behind the change, but it still highlights a lack of maturity in v3 to be considered stable for production—especially given the open issues that report inconsistencies across various sub‑commands.

Having experimented with migrating from v2 to v3 to achieve a unified, maintainable handling of OCI artifacts (in conjunction with ORAS and OCI 1.1‑compliant registries), I believe this major release feels more like an alpha than a stable version.

I’m happy to provide more detailed feedback if needed.