From YouTube: OCI Weekly Discussion - 2022-10-06
B
Yeah, sorry, I had to leave forever. I've not caught up at all on what happened in my absence. But I figured I'd lurk, but it seems.
A
I can chat about this for a while. I literally run everything through a buildx build. I'm doing a straight Docker image, Docker build to get my multi-platform image, but I export it to an OCI layout instead of pushing up to a registry directly, and then I parse that out into the directory structure, because they like to tar it up, and then go through and backdate all the timestamps in the config, in the history, all the layers and things like that, and then I push it up.
A
So most of that's pretty good. There are spots, and then I've also got some other tooling that I'm working on to intercept all the HTTP requests. That involves putting a proxy in the middle of the network connection.
A
It's when you start capturing all the HTTP requests and I can replay them later on, so someone else can use it later on. Get two challenges. One is, not everything is necessarily going to be replayable. Some people might make requests that you just can't intercept and replace; they're going to be unique every time. But the other challenge is, let's say you've got that recording of all the requests. How do you know it's any good and that you're not just replaying a malicious recording of all the requests? So yeah.
A
You can reproduce it, but you can be reproducing something that's malicious, and that would be no good. So I've been working on some of those challenges, making it easy to diff between the two different recordings and see what changed where, where the malicious data may have potentially come in. It's fun stuff.
C
I'll put it over in the notes deck, but yeah, we're gonna have things, it's gonna be fun. I need to be able to get, grab a Zoom invite for all of you.
A
We need to clarify: I'm assuming Mike Brown in the HackMD there is not the Mike Brown that's here on the me today, correct?
A
Yeah, and part of his artifacts, part of it is our reference, I want to say, referrers and the subject field, how to get those to GA. So we've got a couple things we want to get all moved into GA.
A
How you want to handle things like a reference to an OCI layout, to an immutable tag. Maybe we've got other stuff coming on down. Just sorting through how we want to make that string standardized, I thought that might be an interesting.
A
We need a way to potentially standardize, if we've got multiple different things pushing up an SBOM and multiple different things consuming the SBOM, and pick, I'm using SBOM because it's kind of a common example a lot of people find right now, but, you know, potentially other kinds of artifacts as well: standardizing the media types and the annotations that we use for that, so that different tools can interact with different, you know, multiple sources can be consumed by multiple consumers and they don't have to know their individual thing they're consuming.
A
That makes sense for trying to push up like an SPDX SBOM. Depending on how it gets generated, I don't want to see three different SPDX SBOMs depending on different generators and then have to parse apart each one of those individually. It's nice they all went up in a standard format, standard field names.
D
Should, shouldn't, I mean, I could see having a set of annotations that kind of applied to all artifact types, but wouldn't that be, like the SBOM-specific annotations, wouldn't that be the concern of SPDX or whoever is defining the format of an SBOM? It's like, we potentially, we don't do that, do we?
A
I thought we had in here, we got somewhere, not in here, someone recapture it here, the different kinds of manifest types as well for the config media type. Might be over in our artifact documentation. We've got, we said: hey, here are the different kinds of artifacts that we were going to potentially have.
A
Yeah, you're, stable I was thinking up where we actually captured: okay, Helm is going to come in and they're going to use this media type. And so we kind of took the effort of capturing a bunch of this so that if there was somebody needed to use a Helm chart, they knew what to look for. And so just getting that captured somewhere, of saying here's the stuff that we know people are going to use for this, so this is what it looks like, that's how you can use it, makes it easier.
A
So right now, I can push something up that may comply with 6838 today. That would be an SPD accessible, right, but just because I pushed it was something that complied doesn't mean that someone else is looking for that, knows what I pushed, because I could, I can make a lot of values I comply with RFC 6838.
A
This is how you must use our spec, we're just saying: hey, there are other people using our spec, here's how they're using it or how they should use it because of their own documentation, and that way, if you're writing a tool that uses one of these things and you're looking for the SBOM, you've got one place to go without having to go to 12 places.
D
Sounds fine. How does that, how does that go interact with the, sounded like some people were thinking that artifacts repo should go away.
A
I guess part of it is how much of this is spec versus, you know, sometimes you say spec and it gets assumed too much. We've got things in here, like implementations, or you say, hey, here, a bunch of people that implement this stuff, and we just have a list of this.
A
The artifact type itself is only each so far because artifact type is going to be CycloneDX, SPDX, pick an SBOM, kind of keep picking on the same popular too, but then there's probably going to be some annotations there that say this is the, and well, maybe not even annotations. Maybe that comes into the individual blobs that are in there, of saying: okay, this is the type of SBOM. The media type of the blob itself may be JSON, XML, something like that.
A
So it might just be capturing: here's where this media type goes, here's what this media type is going to look like, just so that someone parsing it knows, okay, let me go find that to find the one I'm looking for. But then do we need to have something like this? It says: hey, you're going to have some JSON in there, so that when you do the listing you can find the ones got the JSON, not the XML, because that's what your parser is looking for.
A
So not trying to solve it today, but threw the topic on there, people, if you want to chat about later on. But I definitely get the hesitation if we don't want to standardize, we don't want to conflict with other standards or start a fight of telling someone else how they need to standardize their project.
A
I just want to capture, try to capture someone's information so that, if you're trying to implement this stuff and you're looking at how to implement for OCI, you don't have to say: okay, here's how to reverse, yeah, but now I need to go look in these other places to figure out how they do their thing.
A
And not only that, once we include this in our standard, then we can make it something that the conformance test checks for, and so then your registry can say, not only am I standard with all the other distribution spec stuff in there for all the API calls, but also for authentication. Then we eliminate some of that confusion of, okay, which client is right.
A
That says you need to authenticate and it's going to tell you what server to go and what vlg is into that server to request your authentication, and so you could easily do lazy authentication, which is the bad thing that I do that really upsets people like John, or I just request the resource. I don't even bother trying to do the authentication. I just say, let me go straight to that manifest or blob or whatever, and just try to pull it, and if it pulls on the first request.
A
Without any authentication, great, I have saved a whole bunch of round trips. And if it did need authentication, then the server tells me right there when I pull the manifest: hey, you need to authenticate with this field to try to pull that object. And so, instead of me pre-computing it, I can do it lazy. I've had to back a bunch of that out. I had to kind of follow the Docker way because a bunch of registries really don't like that.
A
So that's sitting out there. There were questions of, hey, should we even be doing that? Should we, instead of doing this, just do a checkout direct on main and maybe do a, create a new branch off of that point?
A
In fact, I think I got a bad line there. I shouldn't have that one PR. Yeah, feel free to have a look through.
A
It was, like I say, we're just trying to pull in everything except what the working group did, so I do need to go through and change that message up there, but otherwise, if this makes sense, great, let's go ahead and pull it out of draft and get it merged. If it doesn't make sense, we can change it, but there was someone that basically said: hey, I need this release, because they can't depend on just main for all their use cases.
A
Now the main reason to get everything before the working group is the assumption that the working group output, and this could get into what we want to talk about, which is, you know, how do we move this GA? I think a good chunk of the answer of how we're going to move into GA is we'd like to see some registries, some users, people actually implementing this, verifying that it works.
A
I'm assuming that's three months, maybe, hopefully not too much longer, in that kind of time frame here, and so I figure getting a 103 out before then might be useful for people.
D
And when we say see things implemented, is that implemented in things like distribution, or implemented in actual, like in, like cloud registries or in Docker or wherever?
B
Yeah, I mean, there's not really like alpha, beta compatibility guarantees, right, that we have. I don't know, I mean.
B
I think we all have to just kind of agree to that, it's good at some point, but I haven't really been paying attention for a long time, and so I don't know like what level of maturity we feel this is at. I know people have been messing around on the playground. I wonder, do it, I'm coming with like no knowledge in my brain of what's happened in the last few months, so I don't know what y'all have discovered. Brandon. They have opinions.
A
From the server side, yeah, you guys got work to do, and I feel I want to make sure I don't break anything from your side. So let me find the part. I know, I'm scrolling, is never fun to watch someone do, especially if you're trying to read what they're reading and I'm not even reading it, but I want to find that part of the spec. I already passed it. Content discovery, here we go. After listing tags, we got the listing referrers.
A
So what that means for a registry trying to implement, not quite sure what you might need for, like, creating a new field in your own database with an index and whatnot on your side to try to keep these queries efficient, what it looks like in terms of caching the responses so that you can avoid having to regenerate this every single time someone queries it. I'm sure there's some work.
B
It's not, it doesn't cover the case I was interested in, where you can walk back through arbitrary relationships. Yeah.
B
Not just a hard-coded relationship, so like the fact that it must include an artifact type means that we can't, well, I guess we could relax that, but, like, I would like to be able to go from a child to its parent, not strictly, what is it called now, an artifact manifest to its subject.
A
If it's got like an image manifest, artifact type comes from the config media type, and if it's the artifact manifest, it comes from the artifact type. So it's, since the artifact manifest doesn't have a separate config in there, that's why I put that field over there, but it can't be an empty string.
A
Yeah, the idea is, we want to allow you to query an image that has multiple things that refer to that image, multiple things for that subject field point to it, to get back an index of results, and I'll be able to look through that list of results and say these two are the ones I'm looking for, and all this other stuff that might be having subject fields pointing to it just don't relate to my client or my use case, and so I can ignore them all.
B
How set in stone is all this? Like, can I change a must to a should?
A
Yeah, it definitely went back and forth a bunch of annotations because your concerns are shared. I'll put it that way.
D
There's, there is some, yeah.
D
Have imagination in there. I think there's been some discussion. I think what one of the discussions we could have is whether or not, you know, I think the spec currently is implying.
B
Me, I now either need to index, maybe not index but like store annotations twice, or I have to store a parsed-out version of every manifest, or I have to join against every manifest content, or I guess fetch the manifest content separately, parse it as JSON, pull out the annotations and then stick that in there. I hate it.
A
All these commits to either update this or to change this to be off of main just before we did this and then cherry-pick a few other things, because we do have some CI stuff that came in after the working group that we need to pull as well. So we still need a branch. It's just, how do we manage it?
A
Don't want to touch it again, but yeah.
B
Yeah, I mean, if I end up implementing this as is, I'm just going to have, like, page size equals one, and so you end up having to do N plus one queries anyway.
A
So I feel like what Michael was talking about earlier was more on the caching side, generating this once and then being able to cache it, and so, if you can build all this at the time that something gets updated, so you see a new manifest, that subject field, then you just build this index once and have it available for a cache pull.
D
You, I mean, you can cache these. They just, what it's like, invalidating them is a little bit more complicated, but you can still do it, but.
A
Because there is, there we go, backward compatibility. There is a fallback where we start looking for, okay, if I'm looking for this digest, the screaming into the void digest there, to go look, if you, you know the cosign syntax, so they do the .sig at the end of this, we just took the .sig off.