Resolve several open issues #206
Conversation
pmengelbert
force-pushed
the
mini-updates
branch
2 times, most recently
from
ffa8fcc
to
1c4acb3
Compare
pmengelbert
force-pushed
the
mini-updates
branch
from
1c4acb3
to
8a1ff93
Compare
spec.md
Outdated
| @@ -54,7 +58,7 @@ Several terms are used frequently in this document and warrant basic definitions | |||
| - **Pull**: the act of downloading Blobs and Manifests from a Registry | |||
| - **Blob**: the binary form of content that is stored by a Registry, addressable by a Digest | |||
| - **Manifest**: a JSON document which defines an Artifact. Manifests are defined under the OCI Image Spec <sup>[apdx-2](#appendix)</sup> | |||
| - **Config**: a section in the Manifest (and associated Blob) which contains Artifact metadata | |||
| - **Config**: a blob referenced in the Manifest (and associated Blob) which contains Artifact metadata and describes the Manifest | |||
There was a problem hiding this comment.
The (and associated Blob) here no longer makes sense.
and describes the Manifest
Does it?
There was a problem hiding this comment.
I adjusted the language here, thanks for the suggestion.
There was a problem hiding this comment.
Do you have an update to push with the updated language?
There was a problem hiding this comment.
oops 🥵 . Pushed now
spec.md
Outdated
| Location: <blob-location> | ||
| ``` | ||
|
|
||
| The digest contained in the `Location` header MAY be different from that of the blob that was mounted. As such, a client |
There was a problem hiding this comment.
Where did this wording come from related to using the digest?
The previous language was here https://github.com/opencontainers/distribution-spec/blob/f67bc11ba3a083a9c62f8fa53ad14c5bcf2116af/spec.md#cross-repository-blob-mount and is more clear. A client should NEVER use a digest from the registry without verifying it matches. Normally the client will just ignore this, I don't think it is correct to say the client should use it and verifying is expensive. Most registries use sha256 anyway, the case where it would differ is if the registry was using a different hashing algorithm.
There was a problem hiding this comment.
Most registries use sha256 anyway, the case where it would differ is if the registry was using a different hashing algorithm.
It would be great to be more explicit about this in the spec. The digest canonicalization section in the original spec seems mostly to do with signed schema 1 manifests:
To provide verification of http content, any response MAY include a Docker-Content-Digest header. This will include the digest of the target entity returned in the response. For blobs, this is the entire blob content. For manifests, this is the manifest body without the signature content, also known as the JWS payload. Note that the commonly used canonicalization for digest calculation MAY be dependent on the mediatype of the content, such as with manifests.
Though the section about different algorithms is good and maybe we should copy that over:
The client MAY choose to ignore the header or MAY verify it to ensure content integrity and transport security. This is most important when fetching by a digest. To ensure security, the content SHOULD be verified against the digest used to fetch the content. At times, the returned digest MAY differ from that used to initiate a request. Such digests are considered to be from different domains, meaning they have different values for algorithm. In such a case, the client MAY choose to verify the digests in both domains or ignore the server's digest. To maintain security, the client MUST always verify the content against the digest used to fetch the content.
IMPORTANT: If a digest is used to fetch content, the client SHOULD use the same digest used to fetch the content to verify it. The header Docker-Content-Digest SHOULD NOT be trusted over the "local" digest.
We already link out to https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md#digests but that links to https://github.com/opencontainers/image-spec/blob/v1.0.1/canonicalization.md#canonicalization which is a 404 🤷 Looks like it should be https://github.com/opencontainers/image-spec/blob/v1.0.1/considerations.md#canonicalization (fixed at HEAD) which links to https://github.com/opencontainers/image-spec/blob/v1.0.1/considerations.md#canonicalization but I don't see anything here that would make me think "oh, I should make sure everything is using the same algorithm", especially in the context of a client-registry interaction
There was a problem hiding this comment.
Just pushed a commit that reflects these suggestions.
There was a problem hiding this comment.
I agree, there may be a little bit of gap in specification around using sha256. There are a few spots where there is an assumption made and if the registry were to use a different algorithm, it could cause some issues. When starting an upload, the client should know the desired digest (but there are cases it doesn't). If it doesn't, and the client/registry are using different algorithms, the finalization would require the registry to either recalculate the digest, calculate it using multiple algorithms, or reject. In the case of cross repository mount, the digest is likely referenced in a manifest and it is not an option to use a different digest that the registry returns.
pmengelbert
force-pushed
the
mini-updates
branch
from
7b6df28
to
2a6dbdb
Compare
spec.md
Outdated
| @@ -54,7 +58,7 @@ Several terms are used frequently in this document and warrant basic definitions | |||
| - **Pull**: the act of downloading Blobs and Manifests from a Registry | |||
| - **Blob**: the binary form of content that is stored by a Registry, addressable by a Digest | |||
| - **Manifest**: a JSON document which defines an Artifact. Manifests are defined under the OCI Image Spec <sup>[apdx-2](#appendix)</sup> | |||
| - **Config**: a section in the Manifest (and associated Blob) which contains Artifact metadata | |||
| - **Config**: a blob referenced in the Manifest which contains Artifact metadata | |||
There was a problem hiding this comment.
This is also described in image-spec if you want to link to that (similar to how manifest links to apdx-2).
There was a problem hiding this comment.
Thanks again, just pushed changes addressing this and the above
pmengelbert
force-pushed
the
mini-updates
branch
from
ed65f0b
to
3d347c1
Compare
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
Signed-off-by: Peter Engelbert <pmengelbert@gmail.com>
pmengelbert
force-pushed
the
mini-updates
branch
from
3d347c1
to
321694a
Compare
As PR opencontainers#206 has been merged, the testing code should be updated accordingly. Signed-off-by: Wang Yan <wangyan@vmware.com>
As PR opencontainers#206 has been merged, the testing code should be updated accordingly. Signed-off-by: Wang Yan <wangyan@vmware.com>
As PR opencontainers#206 has been merged, the testing code should be updated accordingly. Signed-off-by: Wang Yan <wangyan@vmware.com>
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added Signed-off-by: jwhb <jwhy@jwhy.de>
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added Signed-off-by: jwhb <jwhy@jwhy.de>
Mentions `TAG_INVALID` and `MANIFEST_UNVERIFIED` as legacy error codes. Also adjusts error codes' numbering - `code-11` was removed by opencontainers#206. Closes opencontainers#319 Signed-off-by: Flavian Missi <fmissi@redhat.com>
oci errors updated to be even with https://github.com/opencontainers/distribution-spec/blob/main/spec.md#errors-2 * TAG_INVALID and MANIFEST_UNVERIFIED were removed from OCI spec: opencontainers/distribution-spec#206 * TOO_MANY_REQUESTS was added Signed-off-by: jwhb <jwhy@jwhy.de>
Mentions `TAG_INVALID` and `MANIFEST_UNVERIFIED` as legacy error codes. Also adjusts error codes' numbering - `code-11` was removed by opencontainers#206. Closes opencontainers#319 Signed-off-by: Flavian Missi <fmissi@redhat.com>
Built on top of PR #204
Resolves #193 #26 #60 #68 #79 #126 #132 #183 #186 #195 #201 #202