From YouTube: OCI Weekly Discussion - 2020-09-30
Description
OCI weekly developer's call recording from Sep 30, 2020. Agenda and notes here: https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg?view#September-30-2020
A
Hello, so I just got off the phone with some of the distribution spec maintainers and we're coming up with a strategy for getting out an RC for distribution spec. So rc1; there was an rc0. That was all the way back in February 2019.
A
So we do still have a few issues to work out. People have been opening issues against the new version of the spec already and there's some work that then I need to do as well, but we're trying to practice and go through the release process so, considering that rc2 will be closer to the final 1.0 release, we're going through the formal process of going doing the release through the mailing list.
A
Vince just opened up a pull request just like 10 minutes ago, with a list of the pull requests that have been merged since rc0 and, either during this call or right after this call, about to send the email out to the list for the vote on rc1. So that's pretty much all I have to share, you know. Obviously, I would love for people, whether it's before or after rc1 going out, for people to kind of go through this with a fine-tooth comb and make sure we aren't missing things.
B
Steve, you're muted. I said you want to put the PR in the hack doc.
B
Okay, so careful on pauses, so I don't know how loud the squeal is. I guess I'll hear it later. Let me share here for the latest of what we've been getting. All right, let me get the sharing right this time.
B
Okay, so as many are aware, we've been off in Notary land working on how we want to think about signatures in a registry. There's, actually let me just pull up one quick picture here, this one.
B
I have some signatures on it, such as in this case the other one. Does this one have it? Hold on, yeah. This one has the one we've been using lately, so the Wabbit Networks makes this net-monitor software. They have an image, they have an SBOM, they have some source code. These will be the stuff that Vincent was kind of working on where you could package up source code and an artifact and submit them all under an index, was the working thought. You could put a signature on all of them.
B
You can push it up to Docker Hub and, for those that never heard of Wabbit Networks, Docker might have a certification process that says yep, this one's good, and so companies might, like ACME Rockets, say: well, I trust Docker Hub, they've attested to Wabbit Networks, I'll pull it into my environment. In the ACME Rockets environment, they want to do some additional testing to make sure it works in their environment and they add another signature which says yep, good for ACME Rockets, and then, as a policy management.
B
It only allows things that are signed by ACME Rockets. As an example, there's a couple of implicit things in here: collections of signatures.
B
Signatures are additive. Things like the digest and the tag of the amount of the thing that I'm trying to do a deployment on doesn't change, because the devs define these scripts or Helm charts have references and so forth. So we want to have these additive signatures, like I've done here: Docker Hub added a signature to an existing artifact, added a signature to an existing artifact. So we have to have this immutability.
B
So the way we've been kind of thinking about it is, well, we've been rethinking through it a lot actually, and now we've got a chance to dig into a little bit more. If we think about where we've gone a little bit with the artifact spec is we have this image index and an image manifest that happened to be in the image spec. But that's.
B
That's a neither here nor there for now, but of course, the image spec can, an image can be a type of artifact, which is either an index or a manifest. There's a collection of manifest that says the multi-arch. The Helm chart is a type of manifest, as well as Singularity and, of course, the Wasm thing we've been talking about recently, and we still have this CNAB thing.
B
That's kind of floating out there. There's a little bit of anomaly that we've been trying to figure out, but we kind of said look, we'll put that off until we're ready and we'll come back to it. And of course we have our OPA friends. As we've been thinking about signatures, we've been kind of thinking about.
B
How does this fit in? And, you know, initially, we were trying to get anything to be approved because we were really trying to just get the model working and we wanted to leverage anything that was there and minimize any changes whatsoever. So we glommed on to the config object that exists in manifest, and that worked, you know, worked well. We've obviously had a number of successes around that. As we're starting to think about these signatures or collections.
B
There become some interesting questions and, if I group these, are these really collection types? In fact, are these things even really singular types? So this is what I'll kind of drill into here: they're not really collections of artifacts, but they have a collection of references. You'll see what I mean.
B
If I think of a Helm chart today, Helm charts are in a registry as a single thing and, as we've been having various conversations around getting the registry capability surfaced as a replacement to Helm repos, because we definitely had some challenges there, that one of the questions was it doesn't handle chart references, chart dependencies. How do I refer to it where sub charts? Sorry, that's what I was trying to say, but it's actually not just sub charts.
B
The weird thing is that a Helm chart has a reference to an image and it's, the reference itself isn't anything known by the registry. So if somebody's trying to take a Helm chart, put it into their registry, so they have control of the deployment, unless they modify the Helm chart, it's actually pointing at who knows where. Could be still from Docker but somewhere else.
B
If the Helm chart actually had references to other artifacts, then we could actually have those things be tracked in the registry as well, and, but in this case, if you look, the Helm chart is what's pointing at a collection of things and of course it can point to subcharts as well. I just stopped with the animation.
B
So what we really have is there's a thing and there's this one-to-one or one-to-many or many-to-one reference to other things that are in the registry, and the references are really important for a number of reasons. One, when I query something I want to get the forward or reverse references, but of course the dreaded garbage collector that we always refer to, it needs to be able to account for these things.
B
So elaborating a little more. We have these individual types. Now we have some reference types, and maybe we have some collection types. So, let's take a CNAB as well. So today, a CNAB kind of has this reference to an invocation image and it has a reference to an actual image that would be deployed, in this case the WordPress image.
B
But if it's trying to use Helm to deploy it, it actually puts Helm in the invocation image, which is kind of strange. I'm not sure if somebody's trying to chat, maybe pop the chat window out, and yeah, I'll make it available somewhere, I'll send it out. So what, sorry?
B
What I'm starting to say is the invocation image actually has the Helm chart in it, which is kind of weird, because if I just want to update the Helm chart, I have to rebuild the whole invocation image, and that means that any certification I have that binary, I no longer can trust that one, because I'm rebuilding it every time. It's kind of heavyweight if all I'm trying to do is change the Helm chart, but CNAB is being built before artifacts was really.
B
It officially started. Hoping that, when, if we change that, that the CNAB that's in a registry could actually point to a Helm chart which could point at the images it references, so you kind of start to get a lot more flexibility with this concept of referencing. So again, a thing is one-to-many, many-to-one and so forth.
B
I have these reference types and then we have, you know, the multi-arch index. But then the question is: is signature really a reference type? These other things are things that I want to be able to interact with in a registry, but I don't know if I really want to interact with a signature independently.
B
So I took a little mock-up of the Azure Container Registry repo listing. Not the most elaborate UI. That's not our skill set, but we know how to paint a couple of characters in the template of work. We get. So if I'm pushing the hello world, and I didn't get a chance to update this to net-monitor. But if I just have the hello world tag listing, I can see all the builds for that and that's interesting.
B
What I really want to do is say an individual artifact, which in this case these happen to be all images, happens to have a signature. So it's more of an attribute that's applied to an artifact, not really another artifact per se, and if I were to go further, if I have an SBOM, is an SBOM just another type of attribute, or a scan result listing, or, you know, what date that something was pushed to the registry, are other artifact metadata pieces that I might associate with an individual artifact that's in a registry.
B
So what I'm kind of coming around to is, is there artifacts, which there's a collection order? These are the things I think I want to be able to see in a registry, and then there is some metadata around those that I want to be able to interact with, and some of the things are static values, like I can send an SBOM, and I say hey, that SBOM is for the Singularity image, the vulnerability images, the voldemort voter vulnerability.
B
Summaries are things that I probably would update, because I'm going to do additional scan results, so this one gets updated. I might want to submit some docs that I can just put as a special artifact type in it, and the registry knows to pull this thing out and displays it. But then I get some other interesting ones, like what is the tag history?
B
What's the pull count, the last pull date, expiration date. These things might be things that I set. These things are values that the registry would maintain but surface in a common way, and I've avoided the namespacing to make things unique. I'm just trying to get some basic concepts here. So, where I've kind of come, as I've tried to get the slides updated, is we have image index, we have image manifest.
B
So if I were to kind of redo that original chart, the original slide, then you'll see that all of these things effectively become a new artifact manifest in a registry, and again don't forget, and now we have a way that actually, the spec technically says I have to at least support image index, image manifest. It doesn't say anything only.
B
Are we ready to say, instead of putting, instead of changing these types, which we still might want to do, is we put a new manifest in that we can now support those, these collections and attributes, and, you know, SBOMs and attributes and signatures, and that's it. So I'll pause, because that's all the slides I have, and I'll try to mute my mic, if I can find it.
C
So I have been trying to figure out how to stick an SBOM using artifacts, and the way that I have done it is using the image manifest rather than an artifact manifest.
C
The problem with that I found with SBOMs, especially with the SPDX ones, is the content addressability stuff. So SPDX requires that it has references. I mean, it kind of describes all of the things that you have downloaded, including the index and the manifest and.
C
All of the things that, you know, a user or a consumer would be downloading from a registry, so in that sense it's really it. I don't know how to do that, because then, you know, the document has to refer to the index, but then something needs to refer to the document.
B
Yeah, I guess you can't see the overlay that comes down. I was trying to get that to pop down. Thank you. In the SBOM case, the idea is that, the question that I kind of have for some of these, and maybe this is the delineation between SBOMs and artifacts, or metadata and artifacts, is when does somebody want to query it directly and, I guess, independently, because I can definitely see metadata as something I want to get all of the artifacts that are supposed to be deleted today. So that's like this reverse index.
B
So the idea for your SBOM is: it is just a layer because we have, if we assume we have this new artifact manifest type, you would basically define a new schema, because the, that you have your blob that says here is the SBOM. It could be a collection of blobs and it refers to a particular image. For, let's say, the reason the manifest is super important, we're going to kind of skipped over. This is at a registry.
B
Then I throw another blob in that happens to be the config object and then, within some reasonable period of time, or actually, if it's in the spec, we all just have our own deterministic times. Here's a manifest that says stitch all these things together, and the registry doesn't get the manifest within some period of time, we go like, I don't know what these loose things are, and we toss them from garbage collection.
B
It's also how we know how to delete things, because we do a lot of deduping and stuff in registries. So the map, the thing that we've been talking about for these reference types before was, hey, can I just call a blob put and then call another API that links them.
B
I'm just still thinking that the manifest idea is helpful to drive that linkage, instead of just an arbitrary put, because this then defines some piece of data that I can look at that is more than a one-to-one, and I can make logical grouping of it, and it could support the things that you're talking about here, Nisha, with SBOMs as well.
C
Yeah, at this point, I have managed to say, like, you know, use a, I suppose, an SBOM manifest, and so each layer becomes like an SBOM for an individual package that comes with a whole container image now. Yeah, and I'm working with the SPDX community to figure out how exactly SPDX can handle this kind of artifact, where you have something external to the document that points to another document that points to another document and you have to kind of walk down all of it in order to get to the actual SBOM.
C
Walking from this index all the way down to me, and I also can point to other places where you can go and, you know, query other information if you wanted. So, for example, the SBOM would say for this particular package.
C
The corresponding sources are over here and, oh, something like: okay, for this image, it contains this package. The corresponding sources for this package is over here and, if you're doing it like with the, like, build source image style, then you have to say, you know, you can get the corresponding package by downloading that image over there.
C
JSON objects, and I wonder if that, and I think that the spec allows for that, right, a layer can be a JSON object, yeah. So that seems to do the SBOM thing, but signatures, the signature bit is, well, there's a double whammy for me over here. First of all, I don't know how you can, you know.
B
Well, the idea is because, as we showed that first slide, signatures are additive, the signature would point to the SBOM, so you would be able to go to the registry and say, for any particular thing, what is the sig? Do I have any signatures for it? And then the client has a way to, and we're still getting into the details of.
B
How do I efficiently get a signature, because in the example we showed here, there actually is three signatures and I don't want to iterate through all three, so I will get to that next level of how do we get efficiently things out? But the idea is that you would, signatures are additional pieces of metadata that get added to information in the registry, so the question is: does metadata get signed? Like, that would be an interesting problem.
B
The, in this case I would probably say that the SBOM, like I think, is an artifact manifest that basically says I refer to this other thing, and maybe there's a piece that says that the artifact manifests, whether I should be exposed or not. Like, I would imagine an SBOM isn't necessarily a tag. It's an attribute that gets shown on an artifact. So, for instance, I said these two have SBOMs, but these other ones, just for the sake of display, don't.
C
Yes, this, you know, this container image is called blah and it comes from this supplier, but the reality is that the container image contains all of these other, like, individual things that can come from different suppliers, and those things come from different suppliers and so on and so forth. The supply chain is really complicated and the SBOM needs to reflect that, and for the purposes of, you know, searching for licenses and version.
C
Software versions, that kind of in-depth metadata support would be nice. So in that sense, because there's so much of data about the data and folks are looking for different things, I kind of feel like it can't really be an attribute. By the way, I'm pasting a link to a mock-up that I have for sticking SBOMs into container images just for reference.
B
With that, yeah, because I want to leave time for Brian's thing, but I want to give some others some time to, like, there's a whole great set of conversations we have around SBOMs and everything. I think in this case we're trying to make sure that we can support different types of information.
D
So I have a question, but it's probably pretty closely related to SBOM stuff, basically just about the reverse indexes. Like, if I want to make a signature, for example, I may not be able to test like the ARM variant of a container image, only the x86 one, so I actually don't want to sign the index. I want to sign just the specific image that we signed off on, right.
D
So now you get this question of, I'm looking for a signature for this thing. Is it a signature of the index? Is it a signature of the particular variant that I actually want from it? And I think this is kind of getting at what Nisha was saying, where SBOM doesn't know actually what you care about, so they have to basically document everything, every relationship.
B
Well, it might, to your point, it might be more of the SBOM thing. The way we've said for signatures is you can sign an individual manifest. So in this case the net-monitor software is, you know, platform agnostic, so pick Windows, Linux, doesn't really matter, and I have two signatures on it.
B
I can also sign, so here is now the Windows and the Linux variants. They're individually signed by two, but I can also sign the index. So there's nothing that says here that a signature or any attributes for what we're talking about here couldn't be assigned to either, because both these are just digests, they're just, you know, references in it. The fact that the digest happens to be an index, a manifest or an artifact manifest are details.
D
Yeah, so one of the things that TUF does, for example, to try to avoid the question of, like, well, where is the signature? Is it on the metadata? Is it on the actual object? Is they just always put it on the actual object. So the suggestion would be you never sign the OCI index. You always just have collections of signatures for the individual manifests within the index, and then you could aggregate them together if you wanted to with like an API, but the signatures always live on the exact, like, bottom level.
D
Content of the thing you care about. That avoids probably Nisha's problem with, like, providers that have other providers, like all this nesting that you get. If you just say the signatures are only on the end content and not any of the metadata, and if you find that thing through the metadata, then cool, that's great.
D
You know, this is all metadata about the content you care about, and I don't know if people care about signatures on metadata or if they care about signatures on content, because asserting that, like, the metadata is correct is a completely different concern, and I'm not sure if that's like a design call, right.
B
So you're still muted. I got that, yeah. I actually got the visual cue as well. Here Cormac was kind of bringing up the question, and I guess part of his base in some of the history, some of which I know and some of them I know I'm glad they don't, is: should you be able to sign individuals or only sign them, the art of the index? I actually think you should be able to have both. I'm sure we'll get into that detail.
B
I don't know if we would dictate one or the other. It would probably be up to the individual that's posting those, because the interesting one wasn't as much the platform specific images like Java, .NET, Node by the multi-platform, because there's only a few people in this community that build those. IoT gets interesting because end developers are building IoT images that are multi-arch. So I kind of leave that one open.
B
Other, so that's why I'm suggesting there is a different collection type, and only because I literally was like building slides when we got here was, this thing probably needs another attribute on it that says whether I want to be displayed or not, because there's a bunch of things that I just don't think have any business needing tags, and I want to know what just gets transitively deleted versus might block a delete.
B
So those are kind of interesting.
B
So maybe five more minutes and then we'll leave the last 15 for Brian, let's, Brian, you think it's gonna, well, we'll see, but anybody else? I mean, this is new, even for some people that's been tracking, notably because I was trying to address the feedback from the last couple of weeks. I put a question into the chat.
B
The same way we want signatures to move and, as signatures are becoming more of this attributish level thing, it kind of felt the right time to pull that in. So, I mean, there's a couple of things in there, and I've been, there's a PR which I'll list also, it's still rough, that talks about some metadata stuff that you would set. Some is things that the registry just calculates, like the pull count, I think, is what, yeah, like last pulled. Nobody sets that value as a human or a service.
E
Whereas a signature, I see, is kind of a different entity, that it is more tied to the image, because, you know, you might, you may call it both metadata, but I see a distinction between those two as to what would you move between registries and what doesn't make sense to move between registries. Yeah? Absolutely, it's captured in the detail.
B
For the sake of time, I won't go into it because, honestly, the PR is not in a great readable state, so we'll bring that up in a later time. But yes, there's a certain sense of metadata or flag that get copied with and some stay with the registry, and the semantics of that we need to make very clear.
B
So I'll post this deck, so people can poke at it and we'll continue these conversations as a combination of OCI and art Notary, and with that I will hand off to Brian.
F
Cool, thank you. So I just wanted to kind of poke the bees' hive a little bit on this PR to the image spec, number 777. I'll get in chat just in case we don't have a HackMD up or whatever. So this is a change submitted by Docker about a year, a little over a year ago, to, it's essentially upstreaming a change.
F
That's in BuildKit already, where BuildKit adds this CPU variant to the image spec. It seems like people seem like this is a good idea, and then some more people came up later, said why don't we just, you know, have the whole platform spec on there, and honestly, it makes a lot of sense for Windows to be able to access some of those fields like OS version, because Windows containers can only run on the host version that they were created for, so they're very tied to that.
F
It's number 809 that does that. It takes, it basically just embeds all the platform fields into the image spec, so that we can essentially be able to, like, backfill indexes, or, you know, make determinations on what to do just from the image back without having to have a descriptor, having the index available.
F
And it seemed like everybody was like, yeah, this is good, and Derek made a comment saying yeah, this is just upstreaming BuildKit, and vbatts said it's good, but it's had like no movement in quite some time, so I wanted to poke that and see where them we might come from here.
D
Yeah, I think the Chris Price was the original on that, in the PR that you were helping out, yeah, right, yep, okay, yeah. I think he was helping out some of the work we're trying to integrate some of containerd stuff back into Moby and there's, yeah, there are some cases where BuildKit and Moby were doing some stuff that weren't actually in OCI. So we were just trying to reconcile that, since there was no reason to not actually have the variant in.
F
So I know Docker is already consuming CPU variant and actually we do a check to see if the field's set or not, and if it is set, then we'll use it, and if it's not set, we just ignore it, like, so we're, like, when we're trying to do platform matching, that kind of stuff. I'm not sure what might need to be done for Windows.
F
In terms of that, probably the same thing, which is like, if it's not there, then we just assume that it's built from an old builder and that's, yeah, I'm not sure what to do for things that just don't support a period.
B
Yeah, we, I can't imagine we index that, honestly. This is, that's in that category of the gabillion images that we have. We don't index a lot of information because it would just fall over, so there's certain things that we bubble up, but I don't know if this is one of the ones that we would be able to easily query.
B
So Derek, I'm curious: how is this different than the config object being optional in index? Is it because in this case, it still is an image, so it's okay to process, and if, in the artifact case, we're using config to say this isn't an image, it actually means something else, and if the client got it, it might choke on it because it doesn't know to get. That, is that the differentiator here?
D
Well, I think, for this, the variant is always defaulted to something when it's not given, so the knowledge of the variant is already in every client. It's just the clients have to assume, has to make some assumption about variant, and a lot of clients actually even look for this. If they expect to parse a platform out, then it's going to look for this, so yeah, it's much different than just adding a new light config where it would change the whole behavior. This isn't really changing the behavior of anything.
F
At least for variant, yeah. I doubt, I don't think anybody's injecting OS version right now, but it's definitely something, like, the Windows team I've talked to, they're like, yeah, we would love to have.
D
This, yeah, there were some other discussions about adding a full platform field to that config, instead of just adding the variant field, because it's kind of inconsistent today with the way the other platform fields are, it's not all nicely separated. The problem is, yeah, if we did that, then you'd have kind of more of a compatibility issue. If you have another field that clients don't know to look for, so you would end up having to duplicate data anyway.
D
I think it's a small point release, but I think the problem here is that there's not really much activity on this image factory, though.
F
People that, yeah.
B
Well, so I'm happy to facilitate a conversation with the folks. Vincent doesn't happen to be here today. Brian, I would just suggest emailing the maintainers and say what do you think.
D
We also, there was a smaller project, but on the go-digest, I think we broke some of the maintainer deadlock by having a larger kind of retirement of inactive maintainers replaced with some active ones. Yeah, I don't know, that's probably not the best idea for a big repo, but maybe adding more maintainers can at least help break some of the deadline.
B
I wasn't sure if Chris coincidentally jumped in at the, for this topic or what, but I guess, let's see what the maintainers say, you know, and who's being active, because I know a couple of them are still active and, you know, interested, and let's see what happens there. If there's no activity, then obviously that's something we have to kind of figure out.
B
Yeah, you got John and Brandon, I get. It was mostly because the Windows work that basically Brian's trying to cover here, so okay, yeah. Thank you. I expected that one to go much longer. All right, so I will put a, I'll post the slides, I'll send out some links. Brian, ping the maintainers, figure out what the next steps are, and make sure we can definitely drill in more on the SBOM stuff.