►
From YouTube: [OCI-WG] Reference Types - 2022-03-08
A
B
B
B
A
D
A
Probably
should
put
the
zoom
link
or
the
I
can
do,
link
at
the
top.
A
A
All
right
ready
to
roll
yep,
not
waiting
on
anybody
else,
okay,
so
yeah!
This
is
the
no
changes
proposal.
I
don't
think
we
had
anything
else
on
the
agenda
other
than
that
right.
We
wanted
to
talk
about
proposal
d
and
the
rubric
too.
Okay.
We
talked
about
that
later
on
I'll,
save
you
some
time
so
yeah,
no
changes
we're
good,
that's
it!
A
A
A
lot
of
it
just
comes
in
looking
at
what
oci
has
out
of
the
box
already
with
artifacts
the
image
spec
annotations
the
index,
whatever
else
we
got
out
there
we
can
play
with,
and
so
for
anybody
who's
not
familiar
with
it.
This
is
just
a
image
manifest
for
potentially
an
artifact
here.
The
idea
is
you
just
change
the
media
type
on
your
artifact
on
the
config
and
that's
how
you
reference
that
we're
going
to
have
this
kind
of
artifact
out
there
and
then
put
whatever
you
need
to
put
in
there
and
more
than
likely.
A
This
is
what
we're
going
to
have,
no
matter
what
we're
doing
with
reference
types
already.
So
this
part
should
be
unchanged
from
what
reference
is
doing
unless
we
introduce
a
whole
new
media
type,
which
potentially,
I
think,
we've
got
at
least
one
or
two
proposals
out
there
think
about
doing
that.
But
if
we
don't
change,
how
we're
doing
the
artifacts
themselves
in
there,
this
is
just
what
comes
out
of
the
box
with
their
ci
day.
A
And
so
then
the
question
is:
how
do
we
attach
it?
How
do
we
connect
that
artifact
we
just
made
to
whatever
we
are
pushing
up
there
and
I
said,
let's
just
use
an
index,
and
so,
if
I
create
an
index
out
there
right
now,
this
is
just
on
the
docker
notation.
This
is
a
manifest
list,
but
it's
just
a
collection
manifest
and
so
the
first
up
there
is
the
manifest.
I
want
to
refer
to
and
it's
got
its
digest.
A
I
said:
okay,
assume
this
digest
is
zo10101
and
then
I'm
just
going
to
create
another
entry
in
that
manifest
list.
That
says
this
is
an
artifact
and
the
way
I'm
saying
that
this
is
an
artifact
is
for
one.
The
annotation
just
has
this
artifact
true
flag
in
there
vendor
or
ci
artifact
and
set
to
true,
if
that's
set
to
true
I'm
just
saying.
Okay
at
that
point,
whatever
my
artifact
detection
code
is
that
just
keys
off
that
we're
good
to
go.
A
I
did
start
including
some
other
stuff
in
here
which
started
confusing
a
few
people.
I
think,
but
if
we
want
to
do
extra
filtering
on
this,
so
we
don't
have
to
query
each
one
of
these
individually.
A
We
can
put
other
annotations
in
there
as
well,
and
this
can
be
more
than
just
this
one
thing
we
can
have
a
whole
bunch
of
them
in
here
to
know
that
this
artifact
that
we
might
want
to
potentially
pull,
has
this
data
inside
of
it,
and
so
we
know
which
artifacts
we
might
want
to
query
later
on.
If
we're
a
signature
tool
out
there,
we
know
which
ones
we
want
to
query
later
on
might
also
include
hashes,
of
which
key
signed
it
or
if
it's
s
bomb.
A
I
did
keep
the
platform
the
same
in
both
and
so
that
might
scare
some
people
that
might
help
some
people
out.
That's
how
I'm
associating
these
two
together
as
they're
the
same
platform,
but
this
one
just
says:
I've
got
this
annotation
and
the
reason
I'm
able
to
get
away
with.
That
is
because
I
conveniently
had
a
full
request,
a
while
back
that
said
in
the
oci
image
spec,
if
multiple
manifest
match
from
the
client
standpoint
pick
the
first
one.
If
you
don't
know
how
to
differentiate
the
two,
then
you
should
pick
the
first
one.
A
Now,
if
you're
looking
for
an
artifact,
you
do
know
how
to
differentiate
two
you're
looking
for
that
annotation
and
so
you'll
pick
the
second
one.
But
if
you're
looking
for
the
image,
you
would
pick
the
first
one,
because
you
don't
know
what
that
second
thing
is
they
look
the
same
to
you.
So
you
just
pick
the
first
one.
A
So
that's
how
I'm
throwing
it
in
there,
and
so
this
works
if
we're
pushing
up
something
like
a
whole
tag.
If
we're
the
artifact
originator,
we
want
to
attach
the
artifact
to
our
amd64
image
to
our
arm64
image,
all
the
other
platforms
out
there.
You
can
just
make
your
index
and
then
put
all
these
artifacts
in
that
same
index,
and
now
you
ship
the
whole
thing
out.
You
got
one
big
thing
out
there.
It's
got
one
tag
point
to
it,
so
it
works
well.
A
In
that
scenario,
the
other
thing
I
threw
in
here
is:
if
you've
got
some
really
small
artifacts.
Maybe
we
just
put
them
in
there
as
an
annotation,
I'm
not
super
firm
on
this
one.
I
threw
out,
like
a
whole
bunch
of
different
things
in
this
proposal.
We
might
pick
and
choose
out
of
this
thing
and
say
we
we
like
a
we
don't
like
b.
A
We
don't
like
c,
of
course,
I'm
using
letters,
and
you
know
I
should
be
using
numbers,
because
this
is
personal
d
and
I
want
confused
with
all
the
other
proposals,
but
we
might
just
throw
something
in
there
as
hey
here's,
an
artifact
for
this
thing.
It's
just
right
in
here-
put
it
in
line
nothing
else
to
ship
anywhere
else,
no
other
files,
because
this
is
just
a
regular
image
right
here
and
we
just
do
an
annotation
out
there.
A
D
A
Going
all
right,
so
if
we
do
that,
we've
got
the
repo
tag
and
that's
what
we
already
had
before
and
so
that
works
as
a
good
way
to
say.
I've
got
this
tag.
Let
me
query:
it
pull
it
down,
and
now
I
can
just
query
all
the
artifacts
in
there
together.
A
It
doesn't
work
as
good
if
you're
pulling
down
a
manifest
by
digest
unless
you're
pulling
the
index,
and
so,
if
you
ship
the
digest
the
index
and
you
can
pull
it
that
way
as
well,
so
we
can
cover
those
two
scenarios
as
long
as
it
digests
the
index,
not
the
individual
image
manifest
once
you
get
into
the
next
layer
down,
you
start
saying:
okay,
I
want
to
verify
other
digest.
Maybe
the
image
digests
itself,
then
there
are
other
options
out
there.
A
Like
the
repo
tagging
that
we've
seen
before,
that's
what
cosign
has
been
doing
on
their
side,
it
seems
to
work
okay
enough,
it's
not
the
greatest,
but
probably
better
than
the
all
the
other
options
out
there.
I
think
you
know
it's
it's
horrible,
except
for
every
other
choice
out.
There
is
the
best
way
you
can
say
it,
and
so
we
got
the
sha
256
dash
and
whatever
the
digest
is
in
there,
and
then
there
is
a
dot.
A
I
shouldn't
have
used
dot,
dot
and
then
actually
dot
in
the
middle
there,
but
there
is
a
literal
dot
in
there
and
then
type,
and
so
whatever
your
digest
is
dot
and
then
sig
or
something
like
that
or
dot
s
bomb
or
something
along
those
lines,
and
that
would
be
your
tag
on
your
image.
So
you
would
know
that
hey
this
thing
is
not
really
a
digest,
it's
a
tag
and
the
digest
itself.
A
That's
in
this
tag
is
pointing
to
our
image
digest,
and
so
that's
how
you
can
when
I
pull
the
digest
for
my
image,
I
say:
okay,
here's
that
digest.
Let
me
go
query
the
registry
and
see
if
there
are
any
these
other
artifacts,
I'm
looking
for
attached
to
it
and
if
that's
not
enough
and
people
say
well,
that's
fine
until
we
start
pushing
two
of
them.
Well,
if
you
push
two
or
three
or
four
more
signatures
on
image,
you
could
make
a
index
out
there
for
that
one.
A
So
we
could
have
an
index
just
a
whole
bunch
of
artifacts
in
there
and
we
can
append
to
that.
That
would
be
an
option
or
the
other
option
is
that
we
just
start
introducing
a
hash
on
whatever
we're
putting
in
there,
and
so
you
just
hash
whatever
your
new
object
is
you're
creating
in
there,
and
you
just
include
that
as
part
of
your
digest
on
your
artifact
that
you're
pushing
up
in
addition
to
that.
A
So
this
is
more
for
deduplication
and
then
this
is
how
you
query
it,
which
is
whatever
the
digest
is:
that's
on
the
image
you're
querying.
So
between
all
of
these,
I
think
we
cover
a
lot
of
different
scenarios.
It
just
kind
of
gets
ugly.
Do
we
want
all
these
solutions,
or
do
we
want
to
start
decluttering
this
and
saying?
A
Okay,
we're
only
going
to
pick
two
out
of
four
possibilities
in
here:
I'm
throwing
them
all
on
the
table,
seeing
what
seeing
what
spaghetti
or
pasta
sticks
on
the
wall
when
it's
all
thrown
out
there.
So
that's
what
I've
got,
josh
go
or
sorry,
jason
go
ahead.
D
Yeah
thanks.
I
I
love
this
because
no
changes
like
this
this
proposal,
superpower
is
it
doesn't
need
any
changes.
People
just
need
to
start
adopting
it
right,
like
this
looks
like
clients,
clients,
adopting
this,
just
look
like
pushing
items
to
an
index
or
pushing
modifying
indexes
and
tagging
them
this
way.
I
think
there
are
some
small
issues
that
we
need
to
work
out.
D
That
probably
like
we
know
about
and
probably
aren't
even
related
to
this
proposal,
so
watches
are
related
to
changes
we
need
to
make
to
stuff
in
general,
the
data
issue,
the
like
inlining,
the
data
issue.
I
think
now
that
the
data
field
is
approved
in
oci.
I
don't
think
we
should
come
up
with
a
second
flavor
of
it
just
so.
A
D
I
think
more,
the
second
one.
I
think
that
if
I
think
that
if
we
have
two
ways
of
inlining
data
that
it
gets
confusing,
it
runs
an
annotation
and
one's
a
real
field.
I
don't
feel
strongly
it's
not
like
a
deal
breaker
at
all.
I
just
think
like
that.
That
was
the
initial
impetus.
For
me.
Raising
my
hand
was
another
data
field
seems
cumbersome.
D
In
the
in
the
spirit
of
changes
we
should
make
to
oci
anyway,
that
will
affect
this.
Are
we
had
that
proposal
from
forever
ago
in
the
distribution
spec
about
recommending
http,
etag
semantics,
to
avoid
races?
D
That's
going
to
come
up
here
right,
like
if
two
people
want
to
sign
at
the
same
time,
they're
going
to
conflict
they're
going
to
race
and
one's
going
to
win,
so
we
should
call
that
out
as
like.
In
order
to
yeah,
I
mean
that
you
can
say
I
am
specifically
signing
this
version
of
this
thing,
but
the
first
two
of
those
proposals,
they'll
race.
If
two
people
try
to
sign
them,
yeah.
A
Yeah
and
that's
why
I'd
definitely
say
the
very
first
one:
here
is:
more
than
likely,
you
shouldn't
be
dealing
with
any
race
at
all,
you're,
probably
the
originator
of
this
artifact
and
damage
and
everything
else
you're,
just
creating
all
this
up
front.
The
the
second
proposal
definitely
has
races,
and
so
it's
kind
of
a
question
of
do
we
need
to
do.
We
need
to
pick
between
this.
A
Does
the
end
user
need
to
pick
between
these,
because
the
the
hash
in
this
case
is
the
hash
on
whatever
artifact
you're
getting
ready
to
push
up
there?
It's
not
the
hash
on
the
thing
you've
signed,
so
it's
yeah.
D
D
Right
right
that
isn't
to
say
that
this
we
already
have
the
race
problem.
Today
we
already
have
a
problem
with
people.
Two
two
people
pushing
the
different
digest
to
the
same
tag
and
etags
is
the
answer
for
that
so
unrelated
to
this,
is
it
correct
to
say
that
signing
an
index
changes
its
digest?
If
I
have
a
multi-platform
image
index
for
alpine
and
it's
signed
by
three
people-
and
I
want
to
add
my
fourth
signature-
that
changes
its
digest
right.
A
That's
what
I
didn't
get
into
here
and
it's
it's
a
really
good
question,
which
is:
how
do
we
sign
an
index
and
we
could
potentially
say
that?
Okay,
you
know
this
is
going
to
be
the
top
level
index,
and
then
there
is
this
first
entry
here
is
itself
an
index,
and
then
we
have
the
signature
on
that
index
here
and
so
this
index
wouldn't
have
this
digest
change.
You
just
have
another
index
pointing
to
an
index
that
can
get
your
data
right.
D
Yeah
run
times
are
like
yeah.
I
think
that
that
obviates
all
of
the
the
benefit
of
this
is
that
nobody
needs
to
make
changes
and
if,
in
the
course
of
making
there
be
no
changes
to
image,
spec
and
distribution
spec,
we
require
a
bunch
of
changes
on
runtime,
spec
or
a
bunch
of
changes
on
the
unspecified
runtime
behavior.
Then
I
think
we'll
that's
a
loss,
but.
D
D
A
Yeah
and
the
question
is
how
many
of
these
do
we
want
to
include
in
our
you
know,
whatever
we
come
out
with
it,
I'm
throwing
a
whole
lot
of
these
things
out
there.
We
might
say
you
know
what
number
two
doesn't
give
us
any
value.
We've
got
three
and
one
there's
kind
of
solve,
both
all
the
cases
we
want
to
solve.
You
know
why
I
have
a
second
one
in
the
middle
there,
so
we
may
end
up
going
that
direction.
A
D
You
have
to
list,
oh,
the
that
format,
format.
A
D
A
A
D
Okay,
I'll
nisha
go
ahead.
C
Actually
josh
has
a
number
of
questions.
B
C
Okay,
my
question
was:
do
we
have
to
reserve
some
of
these
annotations
so
they're,
consistent
across
clients,
because
you've
you've
said
like
you
can
use
a
vnd.oci.artifact?
That
sounds
like
a
reserved
annotation
to
me.
A
Well,
vnd.oci,
I
believe
we
are
I'm
I'm
under
that
impression,
just
seeing
that
we've
used
that
in
other
places,
and
so
just
because
of
that
I
was
using
that
one,
and
I
would
assume
that
we
would
at
that
point
define.
This
is
what
we
mean
when
we
say
that,
as.
D
Oci
so
just
to
surface
the
the
chat,
because
I
know
it
sometimes
doesn't
bubble
up,
especially
in
recordings.
If
the
annotation
key
was
org,
dot,
open
containers,
dot,
something
something
dot
something
then
it
would
be
pre
pre-reserved,
the
vnd
prefix
isn't
for
oci
stuff
really.
But
these
are
all
you
know
stand-in
strings.
We
can
replace
with
other
stuff.
D
Would
indicate
a
change
then
to
the
spec
right,
a
change
to
the
spec,
only
to
reserve
the
the
details
and
semantics
of
specific
annotation
keys,
but
as
far
as
image
spec
changes
go.
Those
are
one
of
the
easier
ones
to
do
than
than
to
mint
whole
new
types.
D
A
E
Are
you
open
to
maybe
adding
one
more
annotation
in
there,
which
is
pointing
to
the
actual
digest
of
the
image
to
which
that
signature
belongs
so
right
now
you
have
artifact
type
and
and
whether
it's
an
artifact,
true
and
c
like
that,
if
you
had
an
s
bomb
in
there,
can
we
say
that
this
s-bomb
or
the
signature
or
this
entity
is
actually
linking
to
this
parent
manifest
over
there.
B
B
A
Yeah
and
that's
why
I
said
short,
I
didn't
go
through
and
figure
out
what
that
length
was
and
then
figure
out
how
we
can
what
our
length
limits
are
along
these
things.
But
I
do
want
to
make
sure
that
we
don't
break
that
limit.
B
Okay,
the
next
thing
was
so
it
looks
like
the
way
that
you
would
link
things
is
via
the
index.
B
And
I
could
see
that
becoming
an
issue
if
you
wanted
to
link
many
many
things
over
time,
and
so
I'm
wondering
does
that
mean
that
this
index
can
just
grow
indefinitely,
and
I.
A
B
A
B
A
Right
yeah,
there
is
the
four
megabyte
limit.
I
would
try
to
reserve
putting
things
in
this
format
to
the
originator
and
then
anything
else,
that's
being
appended
over
time
as
time
goes
on
to
probably
go
in
this
last
third
format
here,
which
would
be
unique
for
each
individual
artifact
you're
pushing
the
downside
of
that
is
there's
no
easy
query
option
at
that
point.
A
If
you're
pushing
up
something
for
docker
library
or
something
like
that,
this
would
be
docker
inc,
saying:
okay,
we're
going
to
put
the
annotations
on
all
of
our
official
library
images
up
here
at
this
point,
if
you
clone
that
image
down
and
copy
it
into
your,
you
know:
example.org
repo,
that
you're
running
as
a
company,
and
you
want
to
sign
the
alpine
thing
yourself.
You
would
add
the
signature
and
third
format
to
say.
Okay,
I've
signed
this
as
we
ingested
it,
and
so
you
wouldn't
actually
modify
the
alpine
index.
A
D
It's
also
up
to
you
to
move
that
if
you're
moving
you
alpine
originated
it
and
signed
it
with
three
people,
you
bring
it
in.
You
assign
it
with
two
more
people
in
the
third
format
there
and
you
want
to
move
it
to
somewhere
else.
You
now
have
to
move
the
originated
alpine
image
and
any
discovered
attached
things
with
it.
Yeah
right,
yeah,
yeah,
sorry,
josh.
I
think
I
got
you
off.
B
A
A
D
B
No,
it's
fine.
I
think
it
would
be
possible,
but
you
would
just
need
to
download
a
bunch
of
stuff
and
do
it.
Client
side
is
that
kind
of.
A
Yeah
it
if
you
have,
if
you're
the
originator,
then
potentially
they
can
do
the
query
just
by
looking
at
these
other
fields
in
there.
If
you
are
the
end
user,
looking
for
stuff
you'll
get
a
little
bit
out
of
these
types,
but
otherwise
you're
just
going
blind
just
saying,
I
need
to
download
all
these
to
figure
out.
Does
any
of
them
have
a
signature
that
I'm
looking
for
right.
B
E
A
That
that's
gonna
be
a
story
of
me
for
the
day
this.
This
is
kind
of
like
the
the
fallback
scenario
that
people
might
find
a
whole
lot
better
solutions
than
options
a
b
and
c.
But
if
we
have
to
fall
back
to
an
assistant
registry
is
unmodified,
and
that
might
be
your
the
downside
of
doing
that
fall
back
sorry,
you
should
go
ahead.
C
A
So
we're
not
gonna
link
the
artifacts
together,
we'll
link
the
artifact
to
whatever
it's
an
artifact
on
top
of,
and
so
assuming
it's
like
a
image
and
we
have
signatures
or
s
balms
I'll
pick
s
bombs,
because
no
one
chat
with
you.
So
if
we
have
a
bunch
of
s
bombs
and
say,
we've
got
multiple
of
them
different
formats
or
whatever
else
going
on
there.
We
can
push
them
up
there
with
different
tags.
C
I'm
having
okay,
so
so
that
means
that
something
else
is
something
else
is
doing,
like
all
the
understanding
of
how
the
linking
happens
is
on
the
client.
A
C
A
C
A
So
this
is,
this
is
on
the
client
side.
The
nice
thing
for
immutable
tags
is
that
if
you
go
with
the
hash
method,
then
you
can
push
it
once
not
to
worry
about
it.
The
immutable
policy
breaking
you,
because
you
can
just
always
push
another
artifact
later
on
as
a
separate
tag,
and
so
you
you
never
change
your
existing
tag
out
there,
but
it
doesn't
require
the
registry
to
do
anything
on
its
side.
It's
all
client-side,
but
the
client
that's
pushing
the
tag
and
the
client
that's
pulling
the
tag.
C
Okay,
so
if
there,
the
client
has
to
verify
that
the
the
hash
that
hash
bit
is
actually
pointing
to
the
the
manifest
hash
and
if
it's
different
than
break.
A
If
it's
a
signature,
well
you're
going
to
know
that
it's
invalid,
because
the
signature
is
not
going
to
match
whatever
the
artifact
that
was
signed
on.
If
it's
an
s
bomb,
I
don't
know
how
you
solve
that.
If
people
throw
s-bombs
out
for
different
images
out
there,
you
need
to
talk
to
whoever's,
got
right
access
to
the
repo
and
say
maybe
I
shouldn't
be
writing
to
that
repo.
D
D
If
so,
if
I
pull
in
alpine
into
my
repo
signed
by
you
know
three
upstream
originators
and
then
I
add
my
own
signature
to
it
in
format,
two
or
format,
three
and
then
that
version
of
alpine
is
deleted
from
my
registry,
like
I
untag
it
or
I
manually,
delete
it
or
whatever
and
those
blobs
go
away.
D
The
costly
image
layer
blobs
are
deleted
by
garbage
collection,
but
because
my
signatures
are
tagged
using
format
two
or
three
they
won't
be
automatically
read,
which
is,
I
think,
fine,
because
they're,
because
they're
lightweight,
like
like
the
the
number
of
bytes
in
a
signature,
is
low,
but
I
just
wanted
to
is
that
is
that
also
your
understanding?
The
garbage
collection
as
it
is
implemented
in
the
wild
shouldn't,
delete
these
things.
A
It
shouldn't
delete
these
things,
since
that
is
a
pro,
and
if
you
want
to
do
garbage
collection
on
the
client
side,
then
potentially
you
could
go,
do
a
listing
of
all
the
tags
and
then
query
does
digest
zero.
Zero
zero
have
a
manifest
out.
There
do
a
quick
head
request
or
that
doesn't
exist
in
this
repo.
Let
me
go
ahead
and
delete
this
artifact.
That's
attached
to
it,
because
there's
nothing
there
to
query
so
potentially
could
be
implemented
on
the
client
side,
not
ideal,
but
better
than
bad.
D
Yeah
and
the
the
benefit
of
garbage
collection
in
there
is
more
for
sort
of
cleanliness
and
hygiene
in
your
repo
and
less
about
saving
saving
money
on
storage
costs
or
something.
A
A
A
A
A
Otherwise
it
can
be
two
or
three
where
it
might
not
be
an
index.
It
might
just
be
an
individual
artifact.
A
F
A
I'm
hoping
that
this
one
up
here
stays
immutable
once
the
originator
has
created
that
image,
and
so,
if
you're,
trying
to
add
something
else.
On
top
of
it,
then
you're
creating
a
different
you're,
not
modifying
the
original
index,
you're,
creating
your
own
tag
with
your
own
artifact
in
there,
and
so
as.
F
A
A
Additions,
I
said
number
two
could
be
either
or
you
could
have
it
as
an
individual
artifact
or
it
could
be
an
index
depending
on,
if
you
just
want
to
add
to
it
over
time
and
you're,
not
worried
about
race
conditions,
otherwise,
you're,
probably
more
than
likely
to
go
to
option
three
and
each
of
those
there's
no
point
in
having
an
index
over
there.
You
could,
if
you
pushed
up
five
different
things
at
once,
but
you're
probably
going
to
send
individual
index
individual
artifacts.
At
that
point,.
F
D
A
You
can
pick
a
subset
of
two
and
three,
but
the
originator
has
their
say
and
whatever
goes
in
that
original
image,
so
it
wouldn't
be
pointless
upset
of
those.
F
Does
it
matter
so
the
originator?
Let's
just
assume
the
originator,
has
an
image,
a
signature
of
the
image,
an
s
bomb
and
a
signature
of
the
s-bomb
and
I'll
skip
the
scan
result,
because
the
scan
results
are
additive.
So
if
you
take
just
the
image
in
the
s-bomb
the
signatures
forum,
when
you
promote
those,
let's
say
you're,
promoting
them
to
another
registry,
but
then
when
you
deploy
them,
you
don't
deploy
the
s
bomb.
You
deploy
just
the
image,
it
doesn't
really
matter.
So
you
really
haven't
broken
anything
so
you're,
fine,
the.
F
D
D
Oh,
it
doesn't
have
to
it
shouldn't.
It
will
pull
this
json
document.
It
will
see
this
whole
json
document
and
then
iterate
through
manifest
and
say.
Oh,
I
am
I'm
amd
64
linux.
This
is
the
one
for
me.
I'm
pulling
this
first
image
and
never
read
the
rest.
Never
you
know
consider
the
rest
of
that
document.
F
F
F
D
D
F
F
D
A
A
G
D
D
Idea
is,
we
could
put
in
a
some
placeholder
platform
of
you
know,
architecture
equals
brandon
and
os
equals
mitchell
or.
C
So
the
gist
of
it
is
that
most
of
the
work
we
could
do
this
with
the
spec,
as
is
but
most
of
the
querying
and
con
the
filtering
and
the
content.
Management
and
discovery
happens
on
the
client
side.
C
A
B
C
Yeah
I
can
I
can
I
mean
I
would.
I
would
assume
that,
as
far
as
the
notetaker
is
concerned,
we'll
copy
all
of
this
and
put
it
submitted
as
a
pr
to
the
repo.
B
B
A
A
user
yeah
they
want
to
query
a
registry,
I'm
going
to
say
that
as
a
user,
there
is
a
way
to
do
it.
I
don't
necessarily
need
the
registry
to
do
it
for
me
as
long
as
there
is
a
way
to
do
it,
but
someone
can
correct
me.
F
Well,
I
I'm
just
gonna
go
back.
What
you're
I
think
you're
getting
at
is
the
the
tag
listing
api
has
no
filtering,
so
what
I
think
you're
saying
it
to
do.
Client
filtering.
I
literally
have
to
pull
every
tag
and
then
figure
out,
which
ones
are
there,
as
opposed
to
say,
hey
registry,
what
subset
of
tags
do
you
have?
F
So
I
I
do
think,
there's
a
difference.
I'm
not
saying
it's
a
dead
end
right
that
we've
gone
in
this
note,
assuming
this
was
the
problem
or
assuming
this
might
be
a
solution,
but
certainly
not
an
efficient
solution.
So
I
think
this
is
one.
I
think
we
want
to
differentiate
where
the
registry
can
return
the
subset
of
what
you're
asking
for
versus.
C
I
have
a
suggestion:
how
about
we
just
write
a
summary
of
what
we
think
rather
than
music,
rather
than
use
like
yes
or
no,
so
we
can
add,
we
can
add
all
the
nuances
in
there.
So
yes,
it's
possible,
but
requires
a
lot
of
work
on
the
client
side.
A
A
Any
any
debate
on
that
we'll
we'll
find
those
edge
cases.
I
think
people
are
looking
for
in
the
next
questions.
I
think
so.
I
want
to
query
the
registry
for
all
stored
artifacts
to
reference
another
artifact
by
its
tiger
digest
make
sure
I
understand
this
question
unless
someone
jumps
in
just
says:
that's
a
yes.
C
So
what
that
means
is,
if
so,
if
I
have
like
an
image,
for
example,
I
want
to
find
out
all
the
other
artifacts
that
reference
that
image.
C
So,
for
example,
you
have
the
index,
is
it
possible
to
you
know,
take
a
manifest
like
okay,
I'm
providing
you
a
container
image
digest?
Can
you
look?
Can
you
find
the
index
that
has
that
digest
in
it.
F
F
In
other
words,
when,
because
we've
we
wanted
to
make
sure
that
the
original
tag
and
digest
doesn't
change,
as
you
add
other
information
to
it,
so
I
think
one
is
just
saying
we
didn't
break
anything
the
original.
I
don't
know
what
your
canonical
images
here.
I
you
know
we
use
the
net
monitor
image,
but
the
net
monitor
image
didn't
change.
I
can
still
get
that
by
its
tag
by
its
digest,
because
the
digest
didn't
change,
you've
lifted
the
tag
onto
an
index,
but
that
index.
F
If
everybody
processes
the
index
is
right,
will
direct
me
to
the
digest
of
that
image.
So
number
one
says
I
can
pull
the
net
monitor
image
either
directly
or
because
you
graphed
an
index
by
tag.
I
can
still
find
it.
So
I
think
one
you're
fine,
I
think
two
is
the
interesting
one.
Where
how
do
I
find
all
the
references
to
it?
Because
I
have
to
look
at
an
index,
I
have
to
look
at
tag
matching
it
works.
This
is
just
a
matter
of
where
the
efficiencies
comes
in.
C
I
would
say
you
can
do
it,
but
not
without
some
serious
client-side
processing.
A
F
Actually,
I
don't
think
I
I
don't
read
one,
as
has
anything
to
do
with
the
signatures.
I
think
one
is
the
runtime
needs
to
be
able
to
run
the
net,
monitor
image,
don't
screw
that
up.
This
is
like
don't
break
what
works
number
two
is
before
I
deploy
the
image
I
want
to
verify.
It
has
a
signature
that
I
trust.
How
do
I
get
the
signature
for
that
image
for
the
net
monitor
image?
That's
what
ic2
is
and
to
nisha's
point
whether
it's
client-side
or
server-side,
like
client-side
processing,
is
only
really
a
problem.
F
When
it's
you
know
highly
of
you
know:
small
objects,
it's
the
registry
implication
at
least.
Maybe
that's
just
I'm
biased
on
how
I
think
about
it.
A
So
in
that
case
I
was
misreading
one
one
isn't
even
looking
for
the
signature,
it's
just
saying
give
me
that
modern
image
don't
break
what
works
kubernetes,
okay,
so
no
change
on
one
we're
still
good
there.
I
think
two,
I'm
still
gonna
say
we
can
still
do
that.
It
still
works.
You
know
it's
not
as
efficient,
but
it
still
works.
So
I
think
we've
solved
that
one
as
well.
F
I
think
that's
just
the
one
back
to
the
one
versus
zero.
True
versus
false
is
there
is
a
caveat
in
there
is
that
it's
not
efficient.
The
registries
will,
because
you
know
we
have
customers
that
have
thousands
and
tags
because
they
pushing
daily
things
to
a
repo.
So
I'm
sure
docker
hub
is
full
of
stuff
as
well.
So
the
the
problem
is
without
a
server-side
filtering
api.
The
only
way
you
know
that
you
found
all
the
references
is
literally
pull
every
tag.
F
A
D
A
All
right
query:
the
registry
for
all
artifacts
filtered
by
type-
and
I
think
the
particular
type
is
the
keyword
here
and
that's
what
we've
got
in
there
by
saying
it's
an
s
bomb.
This
is
a
signature
that
that
sort
of
thing
I
think,
we've
solved
this.
F
A
A
F
A
Yeah
and
so
it's
you
actually
have
to
query
each
one
of
these
things,
to
pull
it
to
check
that
annotation
to
see
if
it's
the
one
you
want
I'm
seeing
this
one
is
probably
the
person
that
wrote
this
question
wanted
a
little
bit
more
efficient
than
that
they
want
to
be
able
to
have
that
query.
B
I
just
wanted
to
say
that
I
think
probably
what
needs
to
be
done
at
this
point,
since
we're
kind
of
like
going
back
and
forth
about
things
misha
like,
should
we
update
this
rubric
to
be
a
little
bit
more
with
a
scale
having
like
a
column
for
client
or
server,
or
I
just
feel
like
it's
not
efficient
to?
A
B
F
D
I
wanted
to
I
wanted
to
ask
a
question,
so
we
were
talking
about
if
I
want
to
query
using
this
proposal.
If
I
want
a
query
for
all
signatures
for
alpine
latest
or
whatever
I
resolve
alpine
latest
to
its
digest,
I
look
up
alpine
latest
manifest
to
see
if
any
any
originator
signatures
or
whatever
in
there
and
then
in
order
to
see
if
I
need
some
other
stuff
that
is
not
in
the
original
image.
D
E
D
A
What
what
they're
looking
at
for
this
is
they're
saying
I
want
to
put
an
annotation
what
time
this
signature,
what
time
this
scan
result
was
generated
so
that
I
can
fetch
just
the
most
recent
one,
and
you
don't
know
that,
just
by
looking
at
that
hash,
you've
actually
got
to
go
through
and
pull
these
down.
I.
D
D
Could
also
have
tens
of
millions
of
signatures
if
you
want,
but
like
at
least
we
don't
have
to
do
a
ton
of
extra
work.
This
is
something
clients.
F
A
D
A
Yeah,
but
if
you've
got
a
scan
server,
that's
generating
a
scan
every
day.
I
would
recommend
that
you
have
something
there
doing
some
kind
of
garbage
collection
that
goes
and
gets
rid
of
all,
but
the
last
three
or
four
scan
results
just
starts
deleting
those
because
you
don't
want
them
anymore,
and
that
would
be
a
client-side
filter
that
you
have
to
implement
so
again,
not
ideal,
but
could
be
done
inefficiently.
F
Now,
okay,
this
is
the
where
like
number
one
like
it's
just
excuse
like
you,
always
want
to
give
the
give
me
or
at
least
get
one
checkbox.
So,
let's
just
say,
like
number
one
is
complete
check
very
clear.
I
think
the
thing
that
we
want
to
be
able
to
and
there's
gonna
be
others
that
it's
like
nope
just
doesn't
work
just
not
supported,
sorry
and,
and
that
might
be
okay,
the
ones
that
are
in
this
gray
area.
I
think,
let's
just
can
we
just
agree
that
we
put
some
kind
of
indicator
on
it.
F
That
says
it's
not
a
one
or
zero
and
then
you
look
to
the
column
for
description,
and
then
it
says:
okay,
what
does
this
mean?
I
don't
know
if
it's
if
they
all
become
inefficient,
client
server
kind
of
differentiators,
then
maybe
that's
a
simplistic
answer,
but
I
think
we
want
to
just
be
able
to
differentiate
the
the
ones
that
are
clearly
just
solve
it
because,
let's
just
say
the
registry
does
index
types
and
annotations.
F
C
Oh,
oh
we're
out
of
time
for
two
minutes.
Okay,
it
seems
to
me
that
there's
a
general
consensus
that
the
at
least
the
filtering
part
most
of
it
can
be
done,
but
with
a
lot
of
client-side
processing
like
the
server
doesn't
do
anything
can
we
I
mean
the
way
that
I've
been
taking
these
notes?
Is
I'm
not
put
I've
not
used
any
of
the
yes,
no
things
I've
just
like
written
a
little
note,
and
most
of
it
is
yes
but
inefficient.
A
Yeah,
I
think,
there's
going
to
be
a
partial
score
in
there
of
some
kind
or
we
might
have
something
there,
just
as
it's
client-side
or
it's
dependent
on
implementation,
decisions
and
stuff
like
that.
So
there's
there's
going
to
be
more
than
just
a
yes
or
no.
We,
I
don't
think
we
come
with
all
the
different
possibilities
for
what
the
in
betweens
are
yet,
and
I
think
it's
going
to
take
us
looking
through
some
of
the
proposals
to
figure
out
what
all
those
inbetweens
are.
C
Sounds
good,
I
think
we
can.
We
can
publish
some
of
this,
though,
does
anyone
want
to
use
marina's,
ascii
emoji
for
partial.
A
I've
I've
done
other
places.
Question
marks
we
might
want
to
come
out
with
like
a
little
sub
notation
like
one
means
this
and
just
put
a
little
footer
on
the
bottom
of
it
I'll
figure
something
out
and
get
a
pr
out
there.
A
B
Next
week
should
we
hope
that
we
get
another
proposal
and
do
the
same
thing
or
do
we
want
to
carry
on
with?
I
think
we.
C
Would
be
taking
a
while
on
this
one,
but
I
have
see
it
almost
ready.
F
But
I
do
think
it's
good
to
work
through
take
one
and
test
the
questions
and
the
fact
that
this
is
the
baseline
of
do
nothing
is
a
more
simplistic
one
than
probably
any
other
proposals
so
because
we
have
to
figure
out
how
we're
going
to
put
the
rubric
together
anyway,
and
if
we're
trying
to
do
the
rubric
across
each
and
every
one
of
these
things.
I
don't
know
if
we'll
make
much
progress,
so
I
think
testing
the
rubric
in
the
next
meeting.
With
this
as
a
baseline.