Document stability policy

[dlorenc]

Until we get to 1.0:

• cosign signatures should be interoperable between +/- one release. SIgnatures created with version X should be verifiable by versions X+1 and X-1, and vice versa.
• Experimental is completely up in the air

After 1.0:

• Signatures should always remain interoperable. We can add new formats if we want to, but old ones have to continue working and new versions of the tool need to support creating AND verifying old formats.

[dekkagaijin]

cosign signatures should be interoperable between +/- one release. SIgnatures created with version X should be verifiable by versions X+1 and X-1, and vice versa.

Since we know where cosign is being used right now, we're opting for a clean break for 0.4.0: sigs before and sigs after. This should be the last change made in such a way.

[dlorenc]

+1, we'd document/publish this policy as part of the 0.5.0 release

[dlorenc]

This is done!