Issues with Proposal E #47
Comments
I'm doing this today with the tag based solutions in regclient. And extending that for the API support should be rather straightforward. For every manifest copied, there's a check to see if there's any tags referencing it that also need to be copied. It's a recursive process.
I'm hoping it's a bit carrot and stick where registries see both the value to supplying the feature to users, and where users insist on not doing this by tag, that motivates registries to eventually adopt. I am realistic in suspecting that many registries, especially self hosted ones, will use the fallback solution for many years to come. |
|
Hey Chris, thanks for your comments! Safely rolling this out to registry implementations and clients has been a large and ongoing topic in the group even since before its inception. To answer the questions:
As an example, let's say I'm moving
Under the non-fallback case, the tag list and filter would be replaced by a trip to the new Some versions of some proposals have proposed adding recursiveness to the There's also been discussions about filtering
To me, this is exactly why I think it's so important that we have a fallback case. Some proposals have basically required registries to adopt the new APIs in order to get this new behavior at all, which I think is just a non-starter for roughly the reasons you describe, around slow uptake. If, N years from now, almost no registries have adopted the new APIs, then we're roughly in the same spot we're in today, with folks like cosign bolt on the tagging convention onto unchanged APIs. The benefit at least would be a bit more rigorous and thorough specification for the tagging convention, instead of just copying whatever cosign made up one day. To @sudo-bmitch's point, as attaching things to things takes off, registry operators may find that they can avoid a lot of unnecessary tag list API calls by implementing the new APIs. Many registry instances will never update though, and that's why fallback is so important. |
|
@sudo-bmitch @imjasonh on copying across registries (Q1): This is less elegant than using an OCI index (Proposal D) that you can easily copy with existing tools. You could also write the OCI index out to disk using the OCI layout for air gapped use. This is another example of how fitting into the existing data model is beneficial. @sudo-bmitch @imjasonh on adoption (Q2): I vote more carrot and less stick 😄 I'm more pessimistic than you unfortunately, I think that the fallback risks becoming the de facto standard with some fragmentation as some operators implement some parts of Proposal E. There are definitely parts of the OCI spec that I would love to change (looking at you digests computed on compressed content). The reality is that the image spec is difficult to evolve in a backward compatible way except using OCI indexes or manifest lists. |
We're seeing cosign use digest tags today, so existing tools that don't support this will end up stripping the signature off the image when copying it. That's not actually horrible to me, since the tooling doing the mirroring doesn't understand signatures, there's a good chance the tooling using the image on the mirror doesn't either. But if you want to copy an image with metadata, use a metadata aware image mirroring tool. For the OCI layout, I've been pushing the other manifests in the layout with their digest tags, same as if I were copying between repositories that don't support the API. |
That makes the proposed solution a lot less user-friendly, as not many user are aware of what that means, and they shouldn't have to be aware. In my understading primary use-cases are around signatures and other securoty-related metadata, not just some supplimentary metdata, in which case, I'd think that security-for-all would be a great goal. What do folks think? |
It's hard to disagree with that sentiment, and I don't think anybody here would. 😄 Stuffing signatures into an index with the built image(s) would definitely work for signatures attached at build-time, and the built artifact could even be naively moved across registries using some* existing tools. But we still have the problem of appending more information to it, or updating information included in the index, without modifying the index's digest. That's fundamentally why we chose to explore moving attachments outside the referred-to thing. Once attachments are outside, tooling to move things has to expand to know about how to discover and move attachments. *Notably, |
|
Closing since the outcome of these discussions resulted in Proposal F |
As discussed on the working group Slack channel, I have some concerns with the current preferred proposal– Proposal E.
Things I'm concerned about in Proposal E (C1-3):
Questions I have (Q1-2):
For concerns (C1) and (C2), I think we need registry operators to chime in.
At a high level, I'm worried that requiring major changes to (properly) implement references will at best take a very long time to be adopted and at worst not be adopted broadly by the ecosystem.
The text was updated successfully, but these errors were encountered: