-
Notifications
You must be signed in to change notification settings - Fork 651
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add artifactType to image index #1066
Conversation
45d6dc3
to
136f1bb
Compare
(#1020 is also very related 👀) |
It would be useful for implementations which generate multiple artifacts, each with their own platform or other metadata and perhaps, associated signatures, attestations, to be able to index them all in a single image index. As an implementer, I'm considering having a top level "package" stored as an image index, which then references all the artifacts in the package as artifacts (image manifests). The artifactType of the image index would be "application/...package", and the artifactType of the image manifests could be: * "application/...plugin" with annotations and/or platform fields set to indicate that it is the plugin for, e.g., macOS with Apple Silicon (darwin-arm64) * "application/...schema" with annotations indicating this is a separate artifact * ... other artifact types as needed Using an image index in this use case is helpful as we would want to associate SBOMs, signatures to the individual artifacts references, so that a client only needs to download and verify the artifacts it consumes selects from the index. Signed-off-by: Aaron Friel <mayreply@aaronfriel.com>
136f1bb
to
749ea9a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This aligns with #1020 and defines these fields that can be used by artifact authors. These are optional fields and having them enables distribution spec to return indexes that may be referrers to other artifacts.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO this is reasonable (even separately from #1020, now that I've looked at it again with fresh eyes) 🙇
Need to update the json schema and the go-specs. I can do that up as follow up PR. |
It would be useful for implementations which generate multiple artifacts, each with their own platform or other metadata and perhaps, associated signatures, attestations, to be able to index them all in a single image index.
As an implementer, I'm considering having a top level "package" stored as an image index, which then references all the artifacts in the package as artifacts (image manifests). The artifactType of the image index would be "application/...package", and the artifactType of the image manifests could be:
Using an image index in this use case is helpful as we would want to associate SBOMs, signatures to the individual artifacts references, so that a client only needs to download and verify the artifacts it consumes selects from the index.