Comments (6)
Adding links to Notary v2 efforts, and closing this issue as it's being tracked separately:
from distribution-spec.
An important design constraint is whether additional sigs can be added without changing the root image digest (i.e. what the mutable tag points to). If bumping tags is ok, sigs can live in CAS. If tags cannot be bumped, tags must live outside of CAS.
from distribution-spec.
Previous discussion in opencontainers/image-spec#22, opencontainers/image-spec#176, and opencontainers/image-spec#400.
from distribution-spec.
> An important design constraint is whether additional sigs can be added without changing the root image digest (i.e. what the mutable tag points to). If bumping tags is ok, sigs can live in CAS. If tags cannot be bumped, tags must live outside of CAS.
@wking Can you add more details to your note? When you say "can live in CAS," do you just mean within the manifest like in schema 1?
from distribution-spec.
> When you say "can live in CAS," do you just mean within the manifest like in schema 1?
Manifests get pulled by reference, and references can be names or digest, so they're content addressable, but also tag-addressable (presumably to make space for HTTP content-negotiation for compat with clients who don't understand new media types). But now we have indexes, which are kind of tiptoeing into in-CAS content negotiation. By "in CAS" I mean "is pushed as an opaque blob and retrieved by digest", like we currently use for layers. It would be nice to be able to push whatever types you want (including signature objects) into the CAS blob store, and then push an array of descriptors as the mutable tag. Clients would request the tag by name, and the server would select an entry based on content negotiation `Accept` headers vs. the media types in the tag's descriptors. Then signed content looks like a `GET /<repo-name>/tag/<tag-name>` with `Accept: some-signature-type`, possibly with fallbacks in `Accept` to index, manifest, etc. types if you can accept unsigned content (e.g. because you're going to follow up and verify the resulting digest with Notary or some other non-CAS signature store).
from distribution-spec.
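The tag-as-descriptor-array negotiation proposed in the comment above, sketched as an added example (not part of the thread and not distribution-spec code). `Descriptor`, `qValue`, `SelectDescriptor` and the `application/vnd.example.signature.v1+json` media type are hypothetical names; the thread only says `some-signature-type`.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Descriptor is a minimal stand-in for an OCI content descriptor (hypothetical).
type Descriptor struct{ MediaType, Digest string }

// qValue parses one Accept entry; ok is false for q=0 or a malformed q.
func qValue(entry string) (mediaType string, q float64, ok bool) {
	fields := strings.Split(entry, ";")
	mediaType, q, ok = strings.TrimSpace(fields[0]), 1, true
	for _, param := range fields[1:] {
		if s := strings.TrimSpace(param); strings.HasPrefix(s, "q=") {
			v, err := strconv.ParseFloat(s[2:], 64)
			q, ok = v, err == nil && v > 0 && v <= 1
		}
	}
	return mediaType, q, ok && mediaType != ""
}

// SelectDescriptor picks the tag entry the client weights highest (header
// order breaks ties). found=false: answer 406, serve nothing the client did not list.
func SelectDescriptor(tag []Descriptor, accept string) (best Descriptor, found bool) {
	bestQ := 0.0
	for _, entry := range strings.Split(accept, ",") {
		mt, q, ok := qValue(entry)
		if !ok || q <= bestQ {
			continue
		}
		for _, d := range tag {
			if d.MediaType == mt {
				best, bestQ, found = d, q, true
				break
			}
		}
	}
	return best, found
}

func main() {
	tag := []Descriptor{ // constructed sample; media type and digests are placeholders
		{"application/vnd.example.signature.v1+json", "sha256:<sig-digest>"},
		{"application/vnd.oci.image.manifest.v1+json", "sha256:<manifest-digest>"},
	}
	fmt.Println(SelectDescriptor(tag, "application/vnd.example.signature.v1+json, application/vnd.oci.image.manifest.v1+json;q=0.5"))
}
```

A client that lists only the signature type gets no descriptor from a tag without one, so unsigned content is returned only when the client opted into it through a fallback entry in `Accept`.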
I think this issue can be closed. This is the point of the Notary v2 discussion, and to store the signatures themselves as referenced blobs in a registry. Whether or not Notary v2 fully delivers on that is not a blocker for this distribution-spec.
from distribution-spec.