►
From YouTube: OCI Weekly Discussion - 2021-10-21
Description
Recording of the OCI weekly developer's call from 21 Oct 2021; agenda/notes here: https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg?view#October-21-2021
A
Yeah,
hopefully
these
are
quick,
but
I
just
want
to
throw
two
out
there
just
get
some
attention
on
them
and
make
sure
that
I'm
not
completely
out
of
left
field
with
what
I
was
thinking
here.
One
was
on
the
artifacts
one.
We
had
the
pr
out
here
asking
to
archive
it
and
I
was
a
little
confused
by
that,
and
so
I
wasn't
sure
is
there
something
I
don't
understand?
Should
we
be
using
this
at
all,
or
is
this
a
little
premature.
C
C
I
thought
that
there
was
a
disagreement
about
it
and
that's
why
work
is
being
done
in
the
aurus
one,
but
maybe
steve
could
you
know
explain
it
the
way
that
he
sees
it,
but
I
you
know
I
didn't
mean
to
cause
any
issues
with
this
or
confusion,
but
I,
like
I
put
here
like
I'm,
also
very,
very
confused.
What's
going
on
so.
A
E
D
The
readme
is
a
good
place.
Let's
just
change
this
pr
to
a
you
know
a
link
to
some
efforts
that
are
underway.
The
work
groups,
as
well
as
the
the
auras
effort,
I
think,
would
be
fair
to
link
to
yeah
and
also
a
couple
other
places,
the
the
potential
prs,
the
reference
one
that
was
done
in
image
spec
as
well
as
linking
probably
to
mr,
mr,
you
know,
justin's
a
pull
request.
I
think
it
was
29
or
something
or
maybe
another
number
in
in
this.
In
this
repo.
D
E
When
a
person
is
confused,
it
is
the
documentation's
fault
right.
So
if,
if
josh,
who
is
even
a
person,
who's
relatively
plugged
into
the
effort
and
knows
you
know
knows
us
and
talks
to
us
sometimes
if
he's
confused,
then
like
some
rando
off
the
street
is
gonna,
be
extra
confused,
so
more
documentation
would
be
great.
E
F
I
guess
I
support
documentation,
it's
helpful,
I
sometimes
it
can
be
more
confusing,
so
I
just
rather
than
spawn
this
out
to
several
different
things,
the
like,
if
you
look
at
what's
in
this
repo
now,
it's
strictly
here's
the
guidance
on
how
to
use
the
existing
manifest
that
is
in
production.
People
can
use
today
like
it's,
you
know
as
released
as
anything
could
be,
because
that
was
the
whole
debate.
Is
this
a
spec
or
is
it
an
reference
implementation,
not
reference?
F
F
That's
the
working
group
discussion.
The
outcome
of
that
working
group
is
tbd
right.
It
could
be.
It
could
be
specs
that
go
into
this
one.
It
could
be
a
merger
with
the
distribution
spec
like
we
don't
know
yet.
So
I
I
I'm,
I
don't
know
if
we
should
be
adding
more
links
to
things
that
aren't
closed
as
opposed
to
it
needs
a
status
section
in
the
doc
in.
C
F
Thing
like
is
that
what
the
working
group
here
is
the
question
like
we
don't
know
if
it
should
go
in
like
when
the
artifacts
repo
was
created,
it
was
because
we
couldn't
get
agreement
to
make
changes
to
distribution
or
image.
So
that
was
the
concession
I
don't
know
what
the
output
of
the
working
group
is
like.
I
have,
you
know
an
opinion,
but
that's
the
point
of.
E
E
For
the
latest
discussion
I
think,
like
I
said,
josh
josh
is
a
person
who
is
relatively
plugged
into
this
stuff
and
if
he
doesn't
know
what
the
latest
status
is,
then
then
some
person
who
saw
a
presentation
about
artifacts
and
wants
to
get
involved
will
have
no
no
help
like.
Where
did
they
do
it?
Do
they
do
it
in
this
repo?
Do
they
do
it
in
rs
artifacts?
I
just
I'm
just
trying
to
give
people
breadcrumbs
to
find
where
the
current
discussion
is
happening.
F
I
mean
I'm
happy
to
do
that.
I
you
know
we're
having
a
big
changes
to
this.
I
was
trying
to
not
add
more
complexity
to
it.
Quite
honestly
of
you
know,
is
this
a
fork?
It's
not
a
fork,
not
that
it
moved.
You
know
this
is
on
the,
maybe
that's
the
words
we
can
put
there.
If
the
group
is
okay
with
that,
that's
great,
considering
all
of
the
contention
that's
happened
around
this
I
was
trying
to.
F
E
If
you're
not
interested
in
bike
shedding,
I
think
you
might
be
in
the
wrong
group,
but
but
I
think,
like
the
discussion
of
specific
wording
by
all
means,
a
pr
is
perfect
for
that.
But
I
think
I
think
I
agree
with
josh
whether
he
meant
to
say
this
or
not,
that
the
current
state
is
confusing
and
some
text
somewhere
saying
what
the
current
state
is.
Even
if
it
is
like
go
look
over
here
for
the
latest
status.
That
would
be
fine.
C
And
that-
and
that
was
really
the
purpose
of
of
the
pr
is
just
like-
I
thought
the
updated
thing
was
there,
and
so
it
was
simply
when
people
landed
this
because
they're
coming
from
someone's
blog
post
or
twitter
that
they
would
then
be
redirected
to
the
aurus
one.
Where
the
you
know
anyway,
I'm
sorry
didn't
I
should
have
reached
out
to
you,
know
mike
and
steve
and
got
more
clarification.
I
was
just
like.
B
F
C
C
A
E
Especially
useful
to
frame
it
not
in
terms
of
any
specific
type
of
thing,
being
racially
created
or
updated,
but
like
regular
images,
have
this
bug
regular
indexes?
Have
this
bug
right,
like
yeah,
I
think
I
think
we
can
easily
fall
down
a
rabbit
hole
if
we
talk
about
specific
use
cases
where
this
is
more
more
than
likely
to
happen,
but
yeah,
regular,
regular
images
from
2017
have
this
problem
and
registry
should
do
better
at
solving
it.
So
plus
one
plus
two
even
I'll,
give
you
plus
two
sargon.
E
E
B
B
E
D
E
B
G
Alternatively,
I
would
love
to
see
someone
actually
get
distribution
to
implement
this
using
like
there
are
clever
ways
by
using
side
channels
and
registry
or
distribution
has
historically
supported
caches
on
the
side.
In
other
databases
that
use
ec
I've
seen
people
build
consistency,
systems
that
are
external
to
them.
I
would
kind
of
love
to
see
someone
prototype
a
metadata
store
on
top
of
or
next
to
distribution,
just
to
see
how
complicated
it
would
be
to
implements
on
top
of
s3.
G
E
I
think
I
think
this
proposal
would
actually
help
motivate
that
work
in
distribution
right
like
like
we're
not
if
this,
if
this
gets
merged,
it's
not
saying
the
distribution
is
bad.
It's
saying
here
is
a
recommendation,
an
oci
recommendation
that
that
distribution
does
not
currently
satisfy
it's
just
a
recommendation
and
because
it's
an
unsatisfied
recommendation
now
somebody
can
say.
Oh,
I
would
like
to
satisfy
that
recommendation
and
go.
Do
that,
however
distribution.
I.
G
E
G
E
G
I
mean
yeah
we've
talked
about
like
I
feel
like
this
has
come
up
a
number
of
times
in
this
group,
where
it's
like,
hey,
propose
a
spec.
What
were
the
implementations?
The
specs
look
like,
but
the
implementation
takes
a
long
time.
If
there's
no
chance,
spec
will
get
merged.
Let's
not
do
it
in
this
case.
I
don't
actually
think
that
it's
a
a
ton
of
work.
I
think
someone
just
needs
to
propose
what
the
semantics
would
be
so
like
a
lease-based
semantic
would
be
something
that
would
be
very
realistic.
I
guess.
E
The
the
benefit
of
this
of
etags
and
this
proposal
is
that
they
are
not
prescriptive
about
how
the
e-tags
work
right,
like
like
distribution,
could
solve
it
completely
differently
than
you
know.
My
registry
or
brandon's
registry,
or
whatever
like
just
saying
etag,
should
be
used.
I
think,
is
not
a
is
not
a
an
onerous
thing
for
any
registry.
I
get
that
it's
worth
like.
Looking
into
how
hard
it
would
be
practically
inside
distribution,
but
I
don't
know
as
soon
as
I
saw
this
I
was
like.
G
A
H
G
A
B
Good
question:
it
was
the
it's
it's
effectively.
It's
been
the
same
process
as
the
other
specs
that
are
did
have
some
documentation
in
a
few
different
places.
It
might
not
be
actually
all
insane.
If
you
looked
at
runtime
spec,
it
would
probably
have
it
and
then
distribution.
Spec
was
the
first
release
that
somebody
besides
myself,
actually
went
through
the
whole
spec
release
process.
B
B
B
F
Yeah
I
mean
I
watched
the
video
from
the
meeting
that
was
out
a
week
on
vacation
on
the
extension
api,
and
you
know
this
kind
of
came
into
the
conversation
of.
Can
we
get
something
in
not
the
merge
spec
like
there's
not
release
specs,
what's
in
maine
is
like
the
work
in
progress,
and
what's
there
is
hey?
This
is
what
we're
working
on,
but
until
a
release
is
cut,
it
might
change
like
until
we
have
enough
confidence
that
this
will
work,
you
know,
will
it
work
across?
F
I
mean,
I
guess
I
guess
that's
the
question
like
we
went
through
this
with
the
notary
project.
We
were
working
in
a
prototype
branch,
for
instance,
and
that
just
confused
the
hell
out
of
people,
so
the
feedback
we
got
was
main
is
the
work
in
progress
and
then
there's
releases
for
what's
done
so,
for
instance,
sargon's.
What
was
the
thing?
The
d-duping?
F
I
think
that
got
merged
into
maine,
it's
not
released,
yet
it's
a
place
for
people
to
reference.
Do
the
implementation,
I
think
we're.
I
think,
we're
pretty
confident
about
how
that's
in
that
it
probably
won't
change,
but
you
know,
as
others
try
to
implement
it,
maybe
it
will
as
the
referrers
api
another
referrer.
Sorry,
the
extension
api
goes
in
to
enable
things
like
the
referrals,
api
or
other
extensions
that
others
might
want
to
do
until
they
start
working
on
it.
F
G
Do
we
do
that?
Do
we
say
that
this
conformance
test
is
going
to
make
it
to
the
next
release?
And
you
know
the
associated
features
are
likely
to
make
it
like
how
to
kind
of
track
this,
and
you
know
I
would
love
to
see
that
conformance
test
start
to
becoming
tested
against
registries
in
the
wild,
because
I
know
they're
non-conforming
registries.
A
E
B
What
I'm
sitting
here
thinking
like
because
one
of
the
things
that
it
came
up
in
the
past-
and
we
said,
let's
just
to
get
tags
for
now
like
main
and
then
tags
and
not
actually
get
them
to
get
branching
because
hey
we
didn't
want
to
like
maintaining
branches
and
merging
back
and
whatnot,
but
for
some
of
those
performance
tests
to
be
able
to
say
like
whatever
this.
This
moving
target
is
is
always
b1
and
then
it
could
be
v1.1
or
whatever.
B
C
No
so
sargan
the
conformance
test
binary
should
be
released
with
the
tag.
If
it's
not,
we
should
fix
that
and
then
there's
also
an
image
in
github's
registry.
That
should
be
tagged
with
the
release.
So
my
thoughts
are
that
you
could
run
the
tests
locked
in
that
version
and
you
would
say
I'm
a
100
compliant
and
then,
when
one
one
comes
out,
it's
a
whole
new
binary.
That's
locked!
C
A
G
So
if
I'm
just
to
recap,
our
version
december
is
z,
increments,
are
clarifications
and
additions
to
the
conformance
test
to
check
all
previous
y
releases
against
those
conformance
tests.
Increments
of
the
ui
release
may
add
new
features
where
the
future
version
of
the
tests
will
validate
previous
versions
may
not.
A
D
D
D
E
E
K
E
K
G
Oh
yeah,
so
I'm
gonna
reopen
this
wound.
Oh
good
yeah,
I
I
don't
know
if
people
were
familiar
with
this
issue
from
a
while
ago,
but
there
was
no
issue,
but
you
know
a
proposal,
but
there
was
a
discussion
around
adding
content,
encoding
and
accepting
coding
support
to
the
registry
or
to
the
distribution.
Spec
excuse
me,
rather
than
using
our
own
media
types
and
media
type
based
negotiation.
G
G
B
So
is
that
is
this
like?
Would
you
say,
was
this
a
transitional
first
step
so
that
you
could
potentially
stop
even
having
compressed
images
across
the
like
the
thing
that
the
identity
and
digest
is
calculated
on
being
with
any
compression
associated
with
it,
so
that
you
could
on
the
fly,
do
zysta
or
xz
or
whatever
across
the
wire,
and
then
identities
move.
G
More
towards
just
uncompressed
right
and
you
could
even
do
stuff
so
there's
a
second
part
of
the
proposal
which
I've
decided
to
split
off
from
the
first
part,
but
you
could
upload
a
tarball,
that's
not
compressed
with
the
digest.
The
tar
ball,
that's
not
compressed
with
an
encoding
of
gzip
and
you
would
verify
the
digest
on
the
uncompressed
form,
upload
the
compressed
form.
And
then,
when
people
go
to
download
that
blob,
they
only
have
the
permission
to
download
the
blob
with
the
encoding
of
gz.
B
It
raises
certain
security
fights,
but
it's
a
fine
prototype
or
you
know,
kind
of
a
demo,
but
on
the
whole,
storing,
storing
and
having
ability
based
on
uncompressed
blob
and
then
finding
other
ways
to
like
say
you
know
here's
here.
It
is
also
if
it's
xz
or
z,
stud
or
whatever,
like
ways
that
you
could
actually
present
it
or
point
to
it
or
even
move
it
across
the
wire
types
of
compression.
B
B
E
E
The
size
that
would
be
returned
is
the
uncompressed
size
right
like
like
I
get
a
size
and
a
digest
the
http
content
length.
Is
that
we're
asking
not
exactly
so.
I
see
I
see
an
image
and
it
says
layer,
one
or
layer.
Zero
is
digest,
abc
size,
a
thousand
bytes,
and
I
say
oh,
I
can.
I
can
process
a
thousand
bytes.
That's
easy
I'll
go
fetch
that
digest
descriptor
size.
Thank
you,
yeah
yeah.
Then
I
go
request
that
zipped.
E
I
say
I
yeah,
I
don't
wanna
a
thousand
bytes,
it's
actually
too
much
for
me.
I'd
rather
fetch
less
than
that
and
then
decompress
it
on
my
size.
On
my
side
I
am
doing
a
lot
of
trusting
that
that
inc,
that
size
isn't
going
to
actually
be
bigger
or
even
way
bigger,
like
the
the
descriptor
size,
is
there
to
prevent
me
from
to.
G
E
G
Way
that
this
works
is
that
when
people
do
dock
or
push-
and
we
did
the
multi-part
blob
assembly
at
that
point,
we
would
do
the
compression
and
output
the
eight
different
compressed
formats
that
are
supported.
I
would
hate
for
people
to
actually
do
on
the
fly
compression
on
serve
time.
I
will
for
fun,
but
I
take
your
point.
B
Yeah,
that's
that's.
That
was
that's
where
we
got
to
in
the
past
was
actually
almost
like
what
I
did
with
the
crazy
tar
split
project
was
going
down
the
the
all
the
different
ways
that
diffie-hellman
windows
are
calculated
for
all
the
different
gzip
implementations
to
see.
If
we
could
like
re-read
and
calculate
enough
to
re-assemble
whatever
gzip
they
used
in
whichever
optimization,
but
it
was
golang
or
bsd
or
otherwise,
so
that
we
could
do
that
on
the
fly
in
the
past.
It
was
really
maddening.
B
F
E
B
E
Shot
256
might
get
broken
tomorrow
and
if
it
does,
oci
falls
apart
I
mean
everything
falls
apart,
but
one
of
the
many
things
that
falls
apart
is
oci.
I
don't
think
steve
to
answer
your
question.
I
think
I
was
the
one
that
talked
about
that
at
the
summit
and
I
think
everyone
just
sort
of
shuddered
quietly
to
themselves
and
we
agreed.
We
should
do
something
about
this,
but.
F
I
I
guess
my
takeaway
from
the
conversation
was
we'd
spin
up.
You
know
a
group
that
would
start
experimenting
like
here's,
a
conformance
test,
here's
something
that
you
know
somebody
could
start
running
on
their
various
registries
to
see
like
what
happens,
I
think
you're
bringing
up
a
broader
thing,
which
is
a
great
conversation
as
well.
So
when
this
does
get
broken,
do
we
just
accept
that
for
existing
content
and
don't
change
it?
Do
we
fix
the
existing
content
whatever?
F
That
means,
because
everything
kind
of
falls
apart,
because
all
the
links
are
based
on
digest
or
can
new
content
be
start
being
pushed
within
three
days?
And
what
is
the
expectation
of
registries
that
you
know
implement
the
spec?
Does
that
make
the
256
character
limit
that
we
have
on
things
like?
I
think
that's
on
repos,
I
don't
know
if
it
includes
the
tag.
B
One
one
thing
that
it
one
thing
that
I
I
think
in
my
mind
all
existing
content
stays
there
like
addressable
and
everything.
Should
you
know
capital
letters
should
migrate
to
something
else
like
prop
12
or
otherwise.
It's
not
currently
broken
and
those
things
could
even
be
effectively
interchangeable
that
you
might
have
like
a
from
you
know
like
one
of
the
layers
in
the
stack
has
been
a
shot
256
and
the
thing
you
just
built
on
top
that
has
changed
since
this
right,
you're
w.
I
B
F
E
I
think
targeting
512
is
even
a
mis
like
targeting
a
single
thing
is
wrong.
If,
if
we're
going
to
do
the
work
of
getting
to
another
digest
like
format,
we
should
do
something
like
more
extensible
it
for
for
conformance
tests.
I
think
I
would
accept
it
as
a
conformance
test
to
say
I
support
md5,
which
is
worse,
which
is
like
the
wrong
direction,
but
at
least
it
proved
it's
not
as
a
guidance
for
what
you
should
use.
Instead,
it's
look
at
how
flexible
we
are.
E
A
No,
I
don't
think
we
need
to
rot
through
things
that
wouldn't
be
a
bounded
length,
but
going
on
in
in
general.
I
think
I
think
the
one
question
I
have
is
what
this
looks
like
in
a
transition
state
and
maybe
that's
in
there,
and
I
don't
think
we
would
be
able
to
answer
that
in
five
minutes,
but
just
in
general.
A
Something
to
think
about
is,
if
you
have
older
clients
doing
the
push,
or
maybe
you
have
a
newer
client
going
to
push
an
older
client
during
the
pull
you
know,
because
the
content
addressable
store
it's
that
digest
has
to
match
whatever
they're.
Seeing
if
it's
an
older
client
doesn't
know
about
the
about
the
encoding
happening
on
the
fly,
and
so
those
are
the
scenarios
that
I'd
like
to
see
fleshed
out.
C
So
I
actually,
I
think
I
want
to
say
me
and
jason
talked
about
this,
but
basically
one
of
the
things
with
conformance
tests
and
distribution
is
they're,
pulling
an
image,
spec
library.
So
the
the
writing
of
the
spec
is
saying.
You
just
need
some
document
that
references
the
blobs,
so
I'm
not
even
talking
about
going
away
from
sha-256,
but
I
was
considering
like
just
as
a
proof
of
concept.
C
Writing
like
a
yaml
based
registry
that
just
converts
in
and
out
of
yaml,
and
then
we
could
provide
to
the
conformance
test
like
here's,
my
manifest
and
descriptors
and
they're
actually
ammo,
and
you
throw
it
against
the
registry
and
it
works
given
that
new.
Because
then,
if
you
introduce
a
new
image,
spec
manifest
type
or
any
of
these
new
things
like
refers,
then
the
test
would
be
extensible
enough
to
like
you,
just
pass
it
a
bunch
of
blobs
and
then
those
somehow
get
templated
into
these
new
things.
E
Maybe
not,
I
think,
it's
a
different
dimension
of
different
of
changes
we
might
want
to
consider
not
that
I
would
advocate
yaml
specifically,
but
blobs
should
be
able
to
take
anything
and
be
content
addressed.
Currently,
there's
only
one
way
to
content
address
them
practically
and
it's
sha-256,
but
extending
that
to
other
things
could
be
useful.
I
know
I
only
have
a
few
more
minutes,
but
I
wonder
if
sargon
also
has
a
stand
up.
Sorry.
G
My
I
would
love
for
this
to
be
clarified,
because
I
asked
this
question
a
long
time
ago,
which
is
if
we
ever
want
to
mix
hash
algorithms
in
the
pull
process.
So
let's
say
a
tag
points
to
a
sha
256
manifest
that
then
points
to
md5
blobs
is
that
illegal?
If
some
blobs
are
md5
and
some
bobs
are
are
md4?
G
A
E
G
B
Because,
because
what
if
you?
What
if
you
were
building
something
on,
you
know,
you
know
debian
base
and
it
was
published
as
shout
out
to
56
or
in
the
future
or
whatever
they
want
to
standardize
on,
and
then
you
on,
the
top
are
exclusively
using
blade
to
be,
and
your
layers
would
be.
You
have
a
mix,
a
heterogeneous
set
of
hashes.
B
I
think
this
is
one
that
would
need
both
because,
like
I
said,
it's
a
different
api
call
so
having
a
bit
of
verbage
around
those
things,
the
fact
that
you
might
manifest
that
effectively
he's
calling
everyone
to
pass
is
fine,
but
then,
for
whatever
manifests,
you
know
that
are
getting
pushed
to
the
distribution
and
it
would,
I
think,
it'd,
be
in
both
distribution
and
image.
Spec.
E
I
think
it's
fine
to
put
it
in
the
in
the
specs
to
mention
it
in
the
specs.
I
think
it
might
confuse
people
because
practically
it
doesn't
happen
like
you,
you
would
never
see
this
it's
more
of
a
like.
You
know,
educational
oddity,
for
instance,
you
could
have
two
different
types
of
digest,
but
in
practicality,
100
of
registries
only
support
256.