►
From YouTube: OCI Weekly Discussion - 2022-09-22
A
C
A
I
do
have
more
experience
in
that
in
that
way,
I
was
primarily
the
only
person
ever
doing
releases
for
the
specs,
and
somebody
ping
me
about
that
and
I
was
like
no
I've
documented
all
these
steps,
but
then
I
after
looking
at
it
hit
only
document.
So
if
you
remember
the
history
that
when
oci
first
launched
it
was
just
there
was
in
the
beginning,
there
was
the
specs
repo
and
then
it
eventually
was
pretty
clear
that
people
were
talking
about
like
the
difference
between
runtime
and
image.
D
A
B
E
A
A
B
C
The
which
one
that
was
Vincent
point
of
me
to
the
on.
B
Time,
spec
genius
right,
yeah,
that's
exactly
what
we're
just
talking
about
for
updating
that
so
having
that's
nice,
the
other
one
Nisha
saw
you
were
starting
on
that
and
I
had
tried
it
as
well.
We've
got
the
1.0
branch
on
image,
spec
right
now
and
I
was
looking
at.
Is
there
a
way
we
can
update
that
with
all
the
changes
up
to
the
point
that
we
added
the
reference
type
stuff?
B
B
Yeah
so
I
was
going
on
the
1.0
branch
and
if
I
try
to
do
a
merge,
it
starts
because
there
are
two
branches:
the
main
branch
and
the
1.0
Branch.
It
starts
pulling
all
the
other
old
commits
from
the
main
branch
in
and
thought
like.
I
can't
do,
emerge
and
I,
don't
think
I
want
to
do
a
rebase,
because
then
it's
going
to
take
whatever
the
release
tag.
This
on
that
thing,
and
it's
going
to
change
that
commit
digest
on
that
one
release
thing.
B
So
we
don't
want
to
change
that
digest
because
we
don't
want
to
put
stuff
before
commits.
We
want
to
put
it
after
the
commits
so
I
think
after
a
cherry
pick
and
going
through
doing
the
cherry
pick
on
like
40
or
50
I,
don't
know
how
many
there
are,
but
a
whole
bunch
of
commits
out
there.
Maybe
try
and
get
it
right.
Is
it.
E
Feels
painful,
would
you
be
how
about
is
how
about
tagging
the
the
main
branch
with
the
1.0
release.
B
E
Yeah
I'm
not
sure,
that's
that's
why
I
was
like
wondering:
okay,
where
are
I,
was
looking
for
a
1.0
tag
and
I
totally
missed
the
fact
that
there
was
a
1.0
branch.
E
B
B
B
B
F
E
That's
the
one
that
I
was
wondering
about,
which
is:
where
is
where
does
that
sitting
right
now
that
commit
the
another
adapter
commit.
E
B
F
A
B
E
So
what
I
I
found
like
five
commits
between
the
1.0
branch
and
Main.
E
B
A
E
B
A
F
F
A
B
E
A
If
TNN
was
here,
he
would
probably
just
be
like.
Oh
you
just
oh,
he
is
on
the
call
he.
B
F
A
F
B
B
B
A
F
E
So
try
doing
it
the
reverse
way.
B
A
E
Oh
tell
me
again
why
we're
trying
to
why
we're
trying
to
tag
there's.
B
B
E
Okay,
does
it
make
sense
to
rebase
the
one
on?
No,
it
does
not.
B
E
B
E
I
was
gonna,
say
if
1.0
was
merged
into
Main
and
what
was
it?
1.0.2
was
tagged
on
me.
E
E
A
I
think
I
think
the
solution
here
would
be
the
person
who's
wanting
from
what
happened
in
Maine
from
102
to
just
before,
all
this
to
be
considered
a
10
considered
for
a
103.
we'd.
Just
cherry
pick,
a
bunch
of
things
tag
it
only
on
the
no
branch
and
then
you
know
it
would
have
a
tag
floating
in
the
repo
for
something
that
only
exists
in
the
yeah
1-0
branch.
B
B
A
1-0
release
for
everything,
that's
in
the
everything
in
the
working
group
that
we
merged
in
and
then
any
CI
changes
that
we
made
after
this.
We
kind
of
want
to
cherry
pick,
those
in
as
well.
B
F
B
B
C
Sorry,
yeah
I
had
one
question
because
we
I
haven't
done
this
before
so
there
were
commits
merged
into
main
the
pr
commit
for
toggling.
The
version
is
going
to
come
coming
after
that
I'm
guessing.
We
would
still
tag
the
same
hash
that
was
there
in
the
pr
commit
right.
Would
that
mess
up
and
bring
in
extra
commits
along
the
time
or
what?
What
is
it?
Is
that
a
concern?
If
there's
no
concern,
then
we
can
do
it
because
the
water
is
supposed
to
close
tomorrow.
C
So
I
was
maybe
hoping
that
a
few
folks
from
here
can
just
join
in
and
go
through
the
tagging
ceremony
if
they
want
to
or
who
I
would
like
to
kind
of
participate.
Please.
B
A
A
A
And
then,
if
we're
tagging
like
like,
he
said
if,
if,
if
everything
is
in
the
history
up
to
that
point,
we
could
just
tag
something
that
Straight
from
Maine,
because
this
has
been
something
that
we've
talked
about
of
like
when
and
whether
we
ever
wanted
to
actually
branch
and
have
like
a
release.
Like
say
we
tag
a
v11
tomorrow
and
then
later
somebody
wants
a
v104.
B
B
A
Know
that's
the
way
that
that's
why
the
the
the
things
work
you
because
you're
supposed
to
say
that
the
commit
that
you
are
proposing
to
be
it's
not
just
one
at
the
time
when
you
go
to
click
the
button,
if
you,
if,
if
that,
if
that
during
the
vote,
something
has
been
like
at
last
minute,
we
need
this
to
be
considered
to
be
also
in
the
release.
Then
that's
a
different
hash
that
would
get
tagged,
but.
B
A
F
E
Me
now
I'm
confused
with
the
tagging
strategy
I,
as
the
group
like
decided
to
tag
things
on
name
or.
E
B
C
So
there
are
two
commits
involved
in
this
PR.
This
PR
is
going
into
main,
and
these
are
the
two
commits
that
switch
the
tag
back
from
not
one
to
the
so.
A
The
commits
in
the
Square
metallic
you
know
like
get
tag
and
I
would
I,
usually
sign
them,
but
I'd
be
tagging
the
four
seven
two
eight
B
whatever
so
that
that
it's
like
that
world
view.
As
of
that
commit,
and
then
you
merge
it
in
you-
can
see
that
it's
still
the
same,
commit
hash,
but
now
Mass
Main
is
you
know,
does
its
Shenanigans
with
otherwise
I.
C
A
C
So
we
don't
have
any
issues
basically,
and
even
though
it
might
look
like
this
got
merged
in
later,
even
after
comments
to
main
happen
right,
exactly
I
think
I
got
the
answer.
A
It's
on
Main,
but
it
it
well
tax
technically
in
git,
world
tags
and
tags,
and
heads
or
branches
or
tags
and
branches
are
all
just
types
of
heads.
It's
like
the
world
view
at
a
certain
time.
It's
just
they've
made
we've
built
this
workflow
around
branches
versus
tags
and.
D
A
Fact
that
you
can
actually
see
that
that
exact
shaw-1
commit
hash
is
in
the
branch
history
that
you're
looking
at
and
then
that
one
hash
has
been
tagged
is
helpful,
but
it's
actually
got
its
own.
Basically
lineage
and
world
view.
It's
they're
not
quite
conflated,
they're,
actually,
two
different,
distinct
objects
and.
E
Get
yeah
so
as
long
as
you
use
a
merge
commit
to
merge
that
branch
to
main
that
tag
will
stay
all
right,
correct.
A
B
F
A
C
It's
just
to
confirm.
We
merge
coming
to
PR
and
then
tag
on
that
digest.
That's
that's
pretty
much
it
right
and
then
follow
the
release.
Processes
like
adding
the
docs
and
all
that
to
the
releases.
All
right
sounds
good.
That's
all
I
wanted
to
confirm.
C
Josh
has
the
pr
and
I
think
he's
updated
all
the
votes
on
the
pr.
So
it's
the
same
process.
It's
got.
C
I,
have
the
documentation
merged
in
I
need
to
fix
a
typo
on
that
which
Jonathan
helped
me
kind
of
spot,
which
is
it
calls
runtime
spec?
We
just
need
to
rename
it
to
distribution
side.
That's.
B
B
A
But
since
we
just
have
the
majority,
then
let
the
clock
wind
out,
but
yeah
I,
think
I.
Think
it's
in
there
in
place
for
both.
B
Super
majority
that
we
won't
get
a
you
know
an
anonymous
because
John
is
out
this
week
and
he
said
that
unless
one
more
person
bugs
him
he's
going
to
keep
enjoying
his
vacation.
So
nobody
bug
him.
Let
him
enjoy
his
vacation.
B
Yeah
I
think
that's
fair,
probably
also
for
that.
You
can
add
note
saying
you
know,
people
that
didn't
vote
can
bring
forth
more
comments
into
the
you
know
before
the
actual
release
of
the
ga
okay,
given
that
it's
an
RC
and
we've
got
multiple
Cycles
still
left
to
go,
I
think
we're
pretty
good
there.
Yeah.
B
Speaking
of
that,
I
was
looking
at
the
bit
of
the
doc
updates
and
they
were
talking
about
RC
every
week
and
then
all
that
stuff,
but
I
think
it
all
said
that
applied
prior
to
the
1-0
release.
Is
there
any
requirements.
A
F
A
B
F
F
F
B
C
You
just
want
to
break
guys
and
thank
everybody
for
kind
of
reviewing,
so
many
PRS
getting
feedback,
a
lot
of
people
kind
of
came
in
and
did
a
lot
of
things
in
this
working
group
and
just
want
to
Echo
that
it
was
I
learned
a
lot
like
a
lot
of
stuff
on
how
to
kind
of
like
work
with
different
kind
of
like
challenges
and
whatnot
so
really
appreciate
the
opportunity.
Thank
you.
C
My
hope
is
that
we're
here
for
the
long
run
in
the
sense
that
we
get
the
RC
and
I
think
my
ground
last
week,
kind
of
give
brought
in
a
good
set
of
things
and
Lockheed
has
opened
an
issue
for
kind
of
getting
the
conformance
getting
some
wettered
implementations
endorsements
from
existing
implementations,
I
think
getting
into
GA
would
be
the
next
long
Milestone.
C
So
let's
My
Hope
Is
that
we
can
kind
of
like
see
it
through
in
the
working
group,
even
though
the
repost
close
doesn't
end
and
if
there's
good
feedback
and
challenges
that
we
need
to
meet
along
the
way.
We
should
be
able
to
absorb
that
also.
But
it's
going
to
take
time
so,
hopefully,
through
issues
directly
in
its
spec
and
distribution
spec,
we
can
address
them
going
forward.
B
I'm
still
here
for
the
long
run,
I've
been
last
week.
I
was
updating
regime
for
all
respect
changes,
so
it
got
at
least
an
implementation
out
there
for
people
to
play
with
that
uses
all
the
new
tag,
names
and
whatnot
nice
everything
convert.
It
was
amazing
how
many
places
I
had
referred
as
my
code.
It
was
not
a
simplified
and
replace.
B
I
knew
that
was
going
to
happen
at
some
point.
If,
if
we
needed
to
rename
it
I
was
like,
if
we
don't
have
to
that's
good
but
doing
it
now
pulling
the
Band-Aid
off
early
better
off,
then
I
did
have
one
other
thing.
If
we
wanted
to
change
topics
thinking
through
all
this,
we've
defined.
Okay,
here's
how
you
attach
a
signature
and
s
bomb
and
stuff
like
that,
with
the
reef
with
the
subject
and
the
reverse
and
whatnot,
we
don't
have
a
good
standard
to
say
if
you're
pushing
an
spdx
s-bomb
in
Json
format.
B
This
is
the
artifact
type.
This
is
The
annotation
other
fields
like
that.
What
the
values
are
so
that
different
tools
that
are
pushing
the
exact
same
kind
of
s
bomber
are
trying
to
read
the
exact
same
kind
of
s-bomb.
Can
interoperate
I
feel
like
there's
some
people
here
that
play
in
that
space
that
might
want
to
help
try
to
standardize
that
oh.
E
E
But
I
was
going
to
ask
is
that
registry
implementation
that
has
that
supports
the
photos
right
now.
B
E
The
fallback
tag,
okay
with
the
API
okay,
so
for
your
test,
Brandon
you've
been
using
distribution,
Resort.
B
C
B
For
the
different
types
or
not
yeah
I,
don't
think
we've
come
up
with
a
place
to
say
that
just
yet,
and
so
that
was
one
of
the
reasons
to
say:
hey,
let's
chat
about
this,
take
care.
Mike,
I,
don't
know
if
that
needs
to
just
be
a
PR
damage
spec,
because
we
have
annotations
and
stuff
like
that
to
find
over
there.
B
Yeah,
it's
it's
a
definition.
If
you're
going
to
push
an
s-bomb,
then
try
to
do
it
with
these
fields,
so
the
different
tools
can
interoperate
and
so
I
think
we've
got
some
stuff
out
there
already
for
annotations
and
so
trying
to
do
some
similar
things
for
different
kinds
of
artifact
types
might
be
useful.
B
C
We're
hoping
to
get
this
into
our
distribution,
ECR
ACR
John,
has
also
been
a
part
of
the
working
group
for
GCR.
So
we'll
see
comments
from
him
along
the
way.
I
think
the
the
one
the
question
I
had
was
regarding
standardization
for
s-bomb
types
or
whatnot
right,
so
one
convention
I
can
share
that
we've
discussed
is
using
the
ionotypes
that
have
been
registered,
so
you
can
actually
go
and
search
for
the
Ana
types
and
the
artifact
type
is
the
ionotype.
A
C
Like
parse,
whatever
blob
you
download,
even
if
it's
an
octet,
uproaded
or
whatever
type,
that
is
right,
so
that's
one
option
to
kind
of
like
standardization,
but
we
haven't
got
down
to
say
that
that
is
how
we
would
exactly
do
it.
So
it's
kind
of
leftover
clients
to
determine
how
to
kind
of
use
that.
C
Pdx
does
have
an
ion
type,
I
believe
Rose
did
register
it
so
she's
there
in
the
nice
restoration
part
of
this.
So
we
use
that
as
a
kind
of
like
a
way
to
kind
of
like
use
its
test
PDX,
you
search
for
it
and
it
kind
of
gives
you.
This
is
what
media
type
means.
So
it
would
be
good
if
people
kind
of
like
start
a
registering
on
a
side
note.
C
We
did
not
register,
or
at
least
we
haven't,
started
the
process
for
registering
the
artifact
type
similar
to
the
other
media
types
of
oci.
That
could
be
something
we
could
start.
If
you,
it
works
half
time
over
the
course
once
we
get
it
to
GA
at
least.
B
B
E
B
E
B
I
feel
like
signatures
is
probably
going
to
be
a
little
bit
more
of
a
challenge.
That's
going
to
take
a
while,
just
because
I
suspect
it's
going
to
be
chain
Garden,
whatever
is
going
on
with
notary
V2
in
the
future,
and
so
that's
probably
a
little
bit
premature
to
standardize
over
there.
B
But
the
s-bones
feels
pretty
straightforward,
maybe
there's
stuff
to
like
package.
Your
Docker
file
up
in
total
attestations
to
be
another
good
one.
E
Yeah
from
the
salsa
provenance
statements
could
be
another
one.
F
C
I
think
one
thing
that
was
lacking
was
the
process
of
how
to
register
these,
because
I
was
looking
at
how
oci
registered
I
found
history,
where
Steve
actually
did
the
registration,
and
then
you
have
to
find
the
email
of
all
the
fields
that
got
filled
in
it
is
a
it's
not
straightforward,
just
getting
some
guidance,
or
at
least
some
kind
of
documentation
somewhere,
and
this
is
how
you
would
register
for
oci
types
would
be
good,
spdx
and
other
other
tools
have
their
own
problem
like
like
how
they
impact
and
whatnot
they
do,
but
at
least
for
oci
it's
hard
to
kind
of
find
out
how
what
the
process
was.
C
It's
similar
to
how
we
did
the
pr
for
this,
for
the
release
right,
like
Vincent,
was
saying,
like
I'm,
happy
to
see
other
success
exercise
this
muscle
of
cutting
release,
and
then
at
least
we
got
some
good
understanding
of
what
the
process
is.
So
for
the
media
types
as
well.
If
you
can
slowly
kind
of
like
standardize
on
that,
tell
others.
This
is
where
you
go.
This
is
where
you
can
register
and
whatnot.
C
It's
I
mean
the
the
number
of
questions
that's
asked
in
the
registration
forms
are
it's
kind
of
in,
depending
on
how
you
read
it,
you
end
up
interpreting
interpreting
it
in
a
different
manner
right.
So
just
what
is
oh
I'm
guessing
you
found
it
easy
is
that
okay.
E
C
Started
filling
it
out
for
the
artifact
type
manifest
and
I
gave
up.
That's
why
I'm
asking
is
like:
what's
the
what
would
be
the,
and
maybe
somebody
will
just
find
it
easy
to
do
it
so,
rather
than
just
going
by
a
rough
think,
understanding
of
a
field
if
we
can
okay,
this
is
the
review
format.
These
are
the
fuels
that
we
fill
out
and
then
kind
of
submit.
It
should
be
easy,
or
or
at
least
we
have
done
this
before,
and
this
is
what
the
submission
looked
like.
E
Yeah
this
was
my
concern
actually
with
relying
on
Ayana
media
types
is
that
it's
bureaucratic
red
tape
that
not
many
people
would
want
to
do
and
they
may
either
they'll
push
back
and
say
we
we
don't
want
to
do
this
or
they
find
some
alternative
route
that
would
become
like.
C
F
C
I
think,
at
least
for
this
call
we
have
action
items
for
tomorrow.
I
get
the
tags
out
and
I
mean
get
the
merge,
get
the
tags
out,
update
the
release
with
the
dock
and
I
think
that's
the
next
steps
and
I
mean
I'm,
happy,
clapping
and
popcorn
on
my
side,
I'll
celebrate
tomorrow.
G
Yeah,
sorry,
it
was
figuratively
and
physically
as
well.
I
didn't
realize
the
but
I'm
trying
my
best
to
go
and
rewrite
that
blog
and
at
least
get
a
PR
up
so
that
we
could
Riff
on
a
little
bit.
Taking
your
your
suggestions,
there
I
don't
actually
think
it's
that
much
work,
because
I
have
most
of
it.
In
my
front,
brain
I
just
need
to
find
an
hour
to
sit
down
and
write
it.
G
B
Finding
that
hour
is
always
difficult,
yeah
and
so
I
I
felt
bad,
throwing
that
on
you,
knowing
that.
G
I
think
it's
a
fairer
session,
but
I
I
think
we
can
I
could
probably
a
lot
of
it's
just
Pros
right.
It's
it's
scaffold
around
fact.
So
it's
actually
not
that
hard.
It's
just
writing
a
couple
of
paragraphs
to
put
that
sentiment,
that
you've
kind
of
distilled
but
I
didn't
want
to
be
I
was
looking
for
more
input
and
there's
only
a
little
bit
of
input
that
I've
had
from
folks,
because
you
know
blogs
are
always
the
afterthought,
but
we
we
need
something.
Canonical
that
could
be
linked
back
would
be
my
opinion.
G
That
is
like
an
aggregated
point
for
when
people
are
like
what
is
this
and
just
a
little
prose
around?
You
know
not
15
GitHub
links,
because
that's
always
fairly
frustrating
for
me
is
what
did
they
announce?
Oh
here
are
15
GitHub
links
that
I
have
to
kind
of
you
know
triangulate
and
spin
up
my
CSI
Miami
skills,
so
I
don't
think
it's
too
too
bad.
G
B
G
Think
all
I
could
get
to
is
get
a
draft
and
we
could
continue
to
Riff
on
the
the
Google
Doc
or
we
could
put
up
a
PR
and
if
there
I
don't
know
if
there's
just
like
a
quick
pass
of,
this
is
good
enough
to
Riff
on
a
p
like
a
PR
without
saying
rewrite
the
whole
thing.
Maybe
we
can
just
get
it
up
there,
because
then
it's
kind
of
it
sets
in
motion
my
accountability
to
finish
the
pr.
B
C
Sure
I
don't
know
that
he
can
get
Josh
to
kind
of
like
get
the
tag
also,
so
we
can
get
distribution
also
out
in
parallel.