Coder Social home page Coder Social logo

Comments (3)

mtrmac avatar mtrmac commented on August 16, 2024

Thanks for your report.

(What happens here is that this adds an artifact with a subject field that refers to the dev:test image, per https://github.com/opencontainers/image-spec/blob/main/artifact.md / https://github.com/opencontainers/distribution-spec/blob/main/spec.md#listing-referrers ).

  1. Use cp to copy this oci image to another oci image

This really does nothing relevant; Skopeo is completely unaware of the attached artifact, but because this copy within the same oci: repository does not change the manifest digest, the artifact seems to stay attached.

The real issue is that Skopeo, and c/image in general, just does not support the concept of OCI artifacts indirectly attached using the subject field.

If you can identify those artifacts manually, you can probably copy them manually with skopeo copy, one artifact at a time, but a skopeo copy of an currently does not find nor copy any of such artifacts automatically.

We have some parts of the infrastructure for this now in c/image, for use-sigstore-attachments (which is a somewhat similar concept); but not exactly this.

This would have to be implemented in c/image, then Skopeo would automatically inherit the support. So, moving this RFE there.

from image.

SamirPS avatar SamirPS commented on August 16, 2024

Okay thanks for your answer

If you can identify those artifacts manually, you can probably copy them manually with skopeo copy, one artifact at a time, but a skopeo copy of an currently does not find nor copy any of such artifacts automatically.

But if I do this, the sbom file will not be attached to my oci image, or did I miss something?

from image.

mtrmac avatar mtrmac commented on August 16, 2024

The “attachment” is not a separate physical link that needs to be copied; it is a semantic feature purely caused by the artifact having a subject, and the registry, or the consumer of the OCI directory, looking for that link.

So you can upload that artifact to any registry (possibly having to invent a tag for that upload); once it is uploaded, registries that understand the “referrer” concept from the OCI distribution spec are expected to notice the reference, and allow querying it. Registries that don’t understand the “referrer” context would just store the artifact, and it would not be found, or it would have to be found by iterating all tags in that repo.

from image.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.