►
From YouTube: OCI Weekly Discussion - 2023-01-12
A
A
A
B
B
C
D
C
Yeah
my
suspicion,
just
knowing
that
I
need
to
prepare
for
the
conference
myself,
is
that
we
probably
won't
have
time
to
finish
up
all
the
RC
items
there.
All
the
various
open
tasks
on
that
Milestone.
So
potentially
we've
got
another
RC,
but
yeah
I.
Think
the
big
thing
from
last
week
was
just
that
we
got
some
agreement
from
different
parties
that
our
registry
can
refuse
a
manifest
if
it
has
too
many
annotations.
D
Okay
I
know
there
was
an
outstanding
item
about
conformance
two
two
ideas
for
this,
so
one
it's
kind
of
hard
before
Registries
or
implementing
this
to
really
write
performance,
I
I
think
Azure
has
some
level
of
support.
I.
Think
zot
has
some
level
of
support,
but
I
don't
know
it'd
be
kind
of
hard.
D
We
basically
have
to
code
against
one
registry
I'm
wondering
if
we
want
to
punt
conformance
or
option
one
or
two
just
check
for
the
refers
endpoint
and
see
if
it's
there
or
plus,
like
chucking
a
artifact
manifest
and
see.
If
it's
there.
D
I
guess
I'm,
just
you
know,
I
I
had
hoped
I'd
have
worked
on
this,
but
I
just
I
just
haven't
and
I
don't
want
to
like
hold
up
the
release
so.
D
C
F
Hey
so
this
might
be
a
good
time
on
it.
Sorry
I'm
joining
a
little
late
I
was
on
a
customer
call
so
I.
This
is
probably
a
good
time
to
just
float
the
general
idea
like
how
the
team
feels
or
how
the
community
at
large
feels
about
a
spec
going
out
ahead
of
compliance
tooling,
as
obviously,
historically,
we
released
the
spec
ahead
of
compliance
for
1.0,
and
this
is
the
first
time
we've
had
a
minor
release
version.
F
So
we're
kind
of
setting
a
precedent
in
some
ways,
so
I
wonder
if
we
can
kind
of
up
level
this
and
just
say,
is
this
a
blocker
or
not,
and
then
from
there
we
can
determine
if
we
need
more
resources
or
if
we
need
to
prioritize
it,
because,
obviously
we
can
say
yeah
everybody
does
it.
It
hasn't
gotten
done
like
Josh
said
and
I
think
sometimes
I
I
think
somewhat
we're
not
sure
if
it's
a
priority
or
not.
C
E
What
is
that
sorry
if
this
came
up
early,
I'm,
also
late,
but
I,
don't
have
as
good
an
excuse
as
Jessie
did
what,
if
we
had
a
single
conformance
test
that
just
said
that
slash
references
responds
with
an
index
successfully
within
nothing
about
the
contents
of
that
index.
Just
that
it.
You
know
the
bare
minimum
to
say
that
you
are
1.1.
C
A
E
Yeah,
we
also
as
humans,
approve
those
PR's
to
add
them
to
the
site
right.
So
we
can
say
like
listen
in
this
current
state.
The
bar
is
on
the
floor.
You've
passed
the
bar,
but
that
doesn't
mean
anything
so
we're
not
going
to
merge
this
PR
right.
We
could
it's
not
an
automated
thing.
It's
like
someone
somewhere
says
it's
a
you're
above.
C
D
We
yeah,
we
have
ability
to
skip
yeah,
we're
already
doing
that
for
like
you,
can
skip
push
or
you
can
skip
tag
list,
and
so
we
could,
by
default,
have
a
have
a
test
that
just
yeah,
because
it's
non-zero
and
then,
if
you
put
a
skip,
you
can
do
the
skip.
I
guess.
D
So
for
the
for
the
compliance
or
the
oci
conformance
repo,
it's
the
tag.
Release
like
it
has
to
be.
That's
the
rules
but
I
know,
for
example,
zop
is
running
off
me
so
they'll.
If
we
throw
something
on
there,
their
CI
will
fail.
Today.
D
Talking
about
this
and
we
had
a
year
to
do
the
conformance
I
think
it
could
be
the
type
of
thing
where,
like
no
one
can
say,
officially
quote
you're,
not
seeing
my
fingers
doing
the
quality
science,
but
officially
1.1
support,
obviously,
but
like
I,
think,
like
there's
a
lot
of
people
who
want
to
start,
you
know
talking
about
this
in
marketing
and
writing
clients
against
it,
and
it
may
actually
be
in
a
better
State,
like
once,
clients
start
doing
stuff
to
really
understand
the
behavior
but
I
like
kind
of
agree
with
you,
Brandon
I,
just
you
know,
I
just
feeling
busy
and
you.
C
I'm
busy
right
now,
just
because
of
the
the
security
Con
coming
up
at
the
end
of
the
month,
and
so
after
that
I'll
have
time
to
actually
sit
down
and
go
over
this,
possibly
for
a
camera
presentation
knocked
out
early.
G
D
I
I
would
offer
also
like
yeah
I.
Don't
want
to
just
like
talk
about
this
until
the
end
of
time,
Nisha
and
Brandon,
and
whoever
else
do
you
want
to
like
do
a
calendar
on
Monday
or
Tuesday
next
week.
If
you
have
time
and
just
like,
do
it
together,.
G
But
I
can
carve
out
some
time
on
Tuesday
I'm
on
Pacific
time,
so
I
think
I'll.
It's
compatible
with
Brandon's
time.
D
So
it's
just
a
matter
of
Brandon
being
like
Brandon,
is
kind
of
the
rep
refers
expert
here,
so
I,
just
I
like
it'd,
be
nice
to
do
a
screen
trigger
I
can
drive
and
kind
of
get
the
end
points
together,
but
I
guess,
let's
consider
we
could
put
something
together,
even
if
it's
tiny
next
week
for
conformance
what
else.
C
F
F
I
can
say
specifically
watching
a
one
one
client
effort
in
particular
kind
of
thrash
around
how
to
manage
things
across
multiple
Registries.
You
know
it's
I,
think
it's
easy
to
say.
Well,
we
could
you
know
we
could
just
try
and
push
an
artifact
and
if
it
fails,
you
know
don't
use
them.
But
it's
kind
of
it's
a
lot
simpler
for
clients
to
reason
about
saying:
oh,
it's
1.1
we
can
use
artifacts
so
I.
You
know
it
seems
simple
enough.
It
seems
like
it
would
not
be
and
I
know
Brandon
you.
F
You
had
some
some
concerns
about
it,
which
I,
absolutely
we
should
talk
through,
but
I
I
personally,
I
think
that
you
know
and
capabilities
aside,
like
I,
that
was
I
know.
That
was
the
original
thing.
I
brought
up
we'll
just
put
a
pin
in
that,
but
just
a
simple
version
and
point
might
make
sense.
C
F
Yeah
I
do
agree
with
that,
but
I
also
feel
like
we're
hand.
Wavy
enough,
like
I
mean,
as
you
all
know,
ECR
is
not
1.0
compliant,
but
it
certainly
is
a
1.0
registry
right
and
there
are
certain
things
that
we
could
change.
There's
certain
things
we
can't
change,
there's
certain
things
we
could
change
in
the
spec,
but
the
reality
is
is
that
at
least
a
client
can
say:
okay,
that's
a
1.!
Oh
this
behaves
differently
weird
and
like
put
in
this
little
corner
case
and
complain
to
us
and
so
I
think
that's!
F
The
thing
that's
missing
is
just
is
the
broad
stroke
that
says
roughly
you
can
expect
artifacts
and
refers
API
if
it's
1.1,
if
you
behave
weirdly
and
whether
that's
you
know,
registry
X
registry
y
or
register
Z,
then
the
client
implementer
can
say
Hey
you
behave.
Weirdly
I
had
to
put
some
some
work
around
code
in
and
I
I.
Don't
like
that
here
fix
that
right,
whereas
right
now
it's
like
every
registry
behaves
a
little
differently,
and
so
it
makes
it
much
more
difficult.
C
Yes,
definitely
from
the
client
side,
I
feel
as
well.
If
a
registry
says
that
there
are
1.0,
because
for
some
reason
they
don't
want
to
support
the
artifact
manifest,
they
only
want
to
support
images
on
their
registry.
C
Yeah,
so
that
my
fear
is
that
all
the
fallback
scenarios
that
we
had
done
for
the
referrer
API
or
design
there
specifically,
so
that
all
the
clients
would
follow
the
same
path,
no
matter
what
they're
talking
to
and
so
I
I
don't
want
to
get
into
a
scenario
where
one
client
looks
at
the
registry
and
says:
hey
I
checked
the
version.
Api
I
saw
this
1.0,
so
I'm
going
to
go
down.
One
path
and
another
client
looks
at
the
registry
and
says:
hey
I,
try
the
refer
API
and
it
was
available.
F
Sorry,
I'm
bad
totally
hear
you
I
I,
agree
that
that
is
one
potential
outcome.
I
think
that
still
lands
in
a
position
where
a
client
implementer
gets
to
say
hey.
This
is
you're
behaving
weirdly
and
then
a
client
might
say
I'm
just
always
going
to
do.
F
There's
always
going
to
be
this
thing
where
like
well,
it
doesn't
even
implement
it
right
like
because
at
1.0
registry
that
isn't
touched
might
not
even
Implement
that
version
endpoint
right.
That's
not
going
to
be
not
spec
compliant
for
1.0.
So
if
it's
not
there,
it
doesn't
mean
that
it
wouldn't
support
the
refers
API.
F
It
just
means
that
a
client
would
have
to
discover
that
by
other
means
and
use
it
with
caution,
I
think
because
it
could
disappear
right,
so
I
think
that's
kind
of
the
the
way
I'm
thinking
about
this
is
we're
just
looking
to
establish
a
broad
stroke
same
protocol,
for
just
you
know,
trying
to
to
hand
wave
at
some
very
high
level.
I
got
refers,
I
got
artifacts,
you
can
try
and
use
them.
F
C
F
No,
not
client,
no
I,
don't
mean
hand
wavy
in
the
clients,
I
mean
I'm,
so
Hand
wavy
is
maybe
the
wrong
thing.
I
meant
signal,
flares
or
something
you
know
some
way
to
say:
hey
I've
got
these
things
and
and
and
not
really
much
detail
right
that
that's
kind
of
what
I
mean
you
know
put
put
short.
If,
if
a
client
can
say
what's
the
version,
is
it
there?
F
F
You
could
do
that,
but
the
it's
sort
of
the
happy
path
that
we
don't
even
have
an
answer
for
so
every
client
is
forced
to
do
something
and
there's
no
way
that
they're
all
gonna
be
uniformly
implemented
right.
Try
this
try
that
if
this
error
code
comes
back,
try
this
thing
give
up
entirely.
That's
kind
of
the
world
that
we
have
now.
C
So
it
might
be
more
specific
in
my
question,
then
Let
me
throw
a
scenario
out
at
you:
you're
you're,
looking
at
producing
artifacts
from
about
your
three
tooling
I
do
similar
stuff
on
my
side.
So,
if
you're
producing
an
artifact
and
you're
doing
this
against
azure
Azure
supports
the
1.1,
it's
going
to
come
out
with
a
version
that
says
you
can
do
refers
and
artifacts
to
this
registry.
You
push
that
artifact
to
that
registry.
In
that
case
automatically
you
know
the
user
tries
to
create
some
artifact.
It
detects
it
automatically
upgrades
it.
F
C
C
F
I
feel
like
this
is
a
quiz
I'm
not
prepared
to
answer,
but,
like
it
fails,
I
mean.
Is
that
bad
like
this?
This.
F
F
In
this
context,
I
think
I
would
I
would
probably
and
I'm
probably
opinionated
here.
I
would
probably
prioritize
the
feature
over
portability,
I
think
in
the
fullness
of
time,
with
1.0
being
available
and
clients
adopting
it.
We
we
will
have
a
window
and
then
there
might
be
Registries
that
never
Implement
artifact
support
right.
That's,
okay,
but
I,
think
that
happens
in
software.
I
think
some
things
stay
in
a
legacy
space
and
and
those
implementers
or
communities
decide
to
support
that.
F
C
A
F
F
F
F
F
B
You
at
the
risk
of
taking
a
stab
at
it.
There
were
a
couple
of
options
that
I
was
thinking
about,
so
one
is
the
simpler
one,
which
is
we
at
least
provide
a
header
saying
that
this
is
1.1.
Another
option
is
that
we
call
out
a
full
capabilities
API,
which
will
definitely
require
more
design
time
and
agreeing
on
the
fields
and
properties.
B
The
third
item
that
I
think
is
important
is
while
reading
the
spec
there
is
no
indication
of
the
types
of
manifest
that
the
registry
should
support.
The
first
portion
of
the
spec
calls
are
examples
of
manifest.
It
does
not
say
it
should
support
index
image
and
artifact
in
any
form.
So
these
would
be
parts
of
the
discussion
that
I
would
like
to
have
with
this
group,
and
how
do
they?
Is
it
important
to
address
this
before
the
release?
I
think
these
are
the
things
that
I'm
hoping
we
can
talk
about.
C
So
yeah
I
was
leaning
much
more
for
the
capabilities
just
knowing
that
the
finer
grain
is
probably
going
to
be
more
important
for
client
usage
in
there,
but
it's
also
going
to
take
a
lot
longer
to
go
through
the
process
of
defying
that
creating
that
spec,
whatever
that
is,
and
the
question
I
threw
at
the
end
of
my
last
comment.
There
was:
how
long
do
we
want
to
hold
up
the
1.1
to
develop
something
like
that.
F
Does
that
help
with
the
priority?
Does
that
help
with
the
portability
aspect?
I
I
would
be
absolutely
willing
to
take
a
swing
at
the
cap
like
a
capabilities
PR
like
a
like
a
capabilities,
endpoint
I
I'd.
Happily,
do
that
and
look
to
and
look
for
both
client
and
registering
implementers
to
to
give
feedback
on
it.
I,
don't
think
it
helps
with
that,
though,
right.
C
It
doesn't
and
that's
why,
when
when
we
were
first
writing
this
myological
thought
process
how
this
would
roll
out
was
that
we
would
roll
this
out
in
terms
of
you've
got
the
new
refers
apis
eventually
going
to
be
available,
but
we
had
the
fallback
until
it
was
available.
We
were
going
to
assume
that
a
lot
of
clients
are
going
to
stick
with
the
image
manifest
until
they
knew
that
everywhere
they
might
ship
this
artifact
that
all
those
Registries
would
get
upgraded
and
then
they
would
make
that
switch.
F
I
think
that
yeah,
the
use
of
the
verb
upgrade
is
still
confusing
me,
but
that's
that's
okay,
I
get
you
now.
I
might
see
that
differently,
like
as
a
client
developer.
I
might
because
the
fallback
is
called
out,
I
might
just
implement
it
and
then
just
like
my
client
will
keep
falling
back
until
it
doesn't
have
to,
but
yeah
you're
still
left
with
this
need
to
support
your
users
around
future
portability.
F
You
know
so
so,
for
example,
for
I
can
speak
in
ACR
are
plans,
not
a
commitment,
but
our
plans
are
to
transparently
support
both
types
of
artifacts.
You
know
both,
like
you
know,
sort
of
image
manifest
and
indexes
that
have
subject
refers
and
use
the
tag
schema
and
then
once
1.0
is
there
we'll
support,
artifacts
and
using
a
more
native
references,
and
we
would
keep
you
know,
keep
supporting
both
of
those
right
because
we'll
have
1.0
only
clients
coming
on.
F
Obviously
so
I,
don't
I,
don't
really
even
know
like
I'm,
not
I'm,
I,
guess
I'm,
not
super
concerned
about
the
portability
aspect
I
unless
there's
something
where
like
we're
going
to
abandon
people
or
we're
going
to
break
tooling.
That
I
would
be
really
concerned
about,
but
I'm
not
I'm,
not
hearing
that
really.
C
So
we
grab
my
train
of
thought
here.
The
the
one
comment
in
there
you're
making
was
along
the
lines
of
you
know
the
declining
support.
The
new
stuff
I
would
definitely
make
a
client
that
can
read
that
sees
hey.
There's
an
artifact,
manifest
I
know
how
to
parse
as
a
client.
I
would
do
that
right
away.
So
if
somebody
creates
it,
you're
able
to
work
with
it,
but
I
would
hold
off
on
creating
the
new
one,
just
knowing
that
it
takes
a
long
time
for
this
stuff
to
upgrade.
C
C
The
thing
I
see
is
going
to
be
a
lot
harder
for
a
lot
of
clients
to
upgrade
is
going
to
be
their
Registries
that
are
in-house
and
a
lot
of
the
workflows
that
I
see
are
they
have
an
external
artifact,
an
external
image,
something
like
that?
They
pull
in
yeah,
no
CPU
guy
that
that
version
is
painfully
old.
C
They
they
pull
in
the
they
pull
on
the
artifact
from
Upstream
into
their
own
registry,
and
their
own
registry
isn't
going
to
be
upgraded
for
a
long
while
in
a
lot
of
places,
and
so
I'm
just
worried
that
we're
going
to
break
that
workflow
that
if
you
start
creating
s-bombs
and
other
stuff
Upstream,
it's
just
going
to
take
a
while
before
you're
going
to
be
able
to
import
those
into
a
local
registry.
That
a
client
is
running
because
it's
going
to
take
the
long
while
to
upgrade
that
registry.
F
All
right,
I
will
I
completely
agree
with
everything
you
said,
but
I
think
I'm
still,
okay,
prioritization
wise
coming
from
the
you
know
the
background
that
I
have
lots
of
Legacy
software
supported
over
25
years,
like
I,
get
that
pain.
But
it's
it's
a
decision
and
it's
okay
I
mean
you
know
it's
kind
of
okay
for
in
my
book,
for
new
features
to
pay
for
new
new
ground
and
I
I
really
do
I.
I.
Think
I
would
like
to
make
sure
that
we
try
to
like
separate
these
two
concerns.
F
F
That's
good,
no,
it
would
so
Tiana
just
just
to
be
funny.
113
was
the
final
destination
for
the
Solaris
Port
I
did
speaking
of
LTS
and
the
25-year
yeah,
so
that
that's
that's
the
real
joke.
So
if
anybody
was
gonna
pick
up,
LTS
yeah
and
it
got
backed
out
just
to
be
clear,
yeah
I,
don't
know
like
do
you.
F
Do
you
think
it's
fair
to
say
that
we
should
separate
these
two
things
and
just
kind
of
try
to
talk
about
them
in
in
different
contexts,
because
I
think
there's
one
as
like.
You
know
portability
best
practices
and
client
development
guide
and
another
one
is:
can
we
have
a
sane
way
to
determine
what
version
the
registry
is
or
its
capabilities.
C
So
I
think
the
need
to
do
that
difference
of
cloud
behavior
is
kind
of
driving
the
first
conversation.
So
if
we
get
rid
of
the
need
for
the
client
to
make
that
change
in
Behavior
I
think
that
we
eliminate
a
whole
need
for
that
whole
discussion.
That's
why
I've
been
pulling
this
thread
a
little
bit
so
just
to
be
clear
on
my
my
client
use
case
out
there.
It
is
when
they
ingest
this
stuff.
Their
registry
isn't
upgraded,
but
their
clients
are
their
clients,
can
absolutely
use
an
s-bomb.
C
They've
got
all
the
tooling
out
there,
they're
building
the
secure
Supply
chains.
They
just
don't
own
the
registry
server,
that's
a
different
part
of
the
company
that
servant
can
be
upgraded
for
one
two
three
five
years,
however
long
it's
going
to
take
them.
So
if
we
push
the
artifacts
in
a
portable
way,
they
can
still
run
a
secure
supply
chain,
pulling
an
s-bombs
pulling
signatures
validating
all
that
stuff
which
would
be
broken
if
we
do
it.
This
other
way.
What.
F
A
F
Artifact
right,
if
something,
what
whatever
a
client
pushes
an
oci
artifact
according
to
the
1.1
spec
right
that
is
not
portable
to
a
1.0
registry,
full
stop
right,
like
that.
We
agree
on
that.
What
I
would
be
concerned
about
is
pushing
things
to
a
1.0
registry
that
cannot
be
then
pushed
to
a
1.1
registry
1.2
into
the
future.
I
want
those
artifacts
to
not
be
stranded
in
the
past
and
to
be
carried
forward.
F
I
really
am
not
concerned,
and
I
might
be
the
only
one.
So
that's
why
I'm
asking
for
other
people's
input
like
I'm
seriously,
not
concerned
about
a
new
feature
not
being
portable
to
the
past?
That's
never
a
thing
that
we've
ever
done
in
software
right.
So
that's
the
part
that
I'm
confused
about
so
just
to
be
clear
portability,
very
important,
hopefully
to
everybody,
but
portability
of
older
artifacts
forward
is
kind
of
the
Focus
right.
It's
never
about
making
something
sort
of
look
like
a
future
thing
and
then
moving
it
back
right.
F
C
My
understanding,
though,
is
when
you're
creating
your
artifact
you're
saying.
If
my
registry
supports
it,
I'm
going
to
create
it
with
a
newer
version,
I'm
going
to
create
it
with
the
artifact
manifest.
Yes,
at
that
point,
we're
no
longer
talking
about
the
case
of
Ukraine
on
Old
registry
and
try
to
pour
it
to
a
new
registry,
we're
saying
you've
created
on
new
registry
and
now
all
the
old
Registries
no
longer
support
a
copy.
This
to
that's.
F
C
F
C
And
it
would
likely
be
a
user
side
switch.
It
would
likely
be
something
that
the
client
itself
will
probably
default
to
for
a
long
while
and
then
at
a
certain
point
in
the
future.
You
would
say:
okay,
we're
we're
comfortable
that
enough
time
has
passed,
that
we
think
that
everybody
that's
copying.
These
around
is
going
to
be
upgrade
on
new
registry,
we're
comfortable
using
the
new,
manifest
type,
but
I
saw
a
whole
lot
of
hands
pop
up,
so
I
think
Michael
was
first.
G
Yeah
I
think
so
so
the
risk
of
sounding
dumb
with
the
like,
maintaining
multiple
versions
over
years.
G
Here's
a
scenario
so
Suppose.
There
is
like
a
registry
implementation
that
is
only
like
that
gets
newly
developed
by
somebody
and
it
supports
it
supports
like
the
newest,
like
release.
1.1
somebody
sees
release
1.1,
they
see
the
spec,
they
implement
the
registry
according
to
the
spec,
a
client
that
is
written
for
that
kind
of
registry.
Would
you
know
just
easily
say
if
I'm
talking
to
that
new
registry
like
at
this
domain,
then
I
will
you
know,
use
this
method
of
updating
the
of
using
s-bombs
or
whatever.
G
But
if
I'm
talking
to
like
oci
conformant
1.0
registry,
then
I
will
do
a
fallback
and
that's
the
typical
workflow
I
would
think
from
the
client
side.
But
that's
all
that's
all
I
can
imagine
in
my
head,
I
I
of
course,
like
you
know,
Docker
is
the
the
heavyweight
kill.
So
I
am
not
really
sure.
If
that
is
that's
an
issue
that
we
should
be
concerned
about,
my
feeling
is
that
organizations.
G
Seem
to
set
up
their
own
internal
Registries
and
they'll
just
use
distribution,
and
if
there's
a
newer
one
out
there,
then
they'd
be.
A
C
I
think
when
Jesse
you're
on
the
same
page
and
the
yeah.
G
That
that's
why
I'm
wondering
like
what
is
the
scenario
where
a
registry
is
like
at
the
current
state,
which
is
I,
don't
know
1.0,
plus
whatever
it
was
before,
oci
was
ever
created
and
then
they
had
to
you
know
also
also
support.
1.3.
Would
registry
implementers
have
a
problem
implementing
that
right
now.
C
The
scenario
I
see
is
that
clients
don't
pull
images
directly
from
Upstream
to
their
production
clusters.
They
pull
those
images
in
internally.
They
run
it
through
a
vulnerability
Scan.
They
do
an
internal
Blessing
about
an
image
or
whatever
they're
going
to
do,
and
then
from
their
internal
registry.
G
So
I'm
having
a
hard
time
picturing
in
my
head,
whether
that
is
something
that
we
care
about,
like
what
the
scanners
do
and
how
scanners,
how
scanners
interpret
whatever
you
store
in
a
registry
is
that
is
that,
like
a
I
understand
that
there's
like
a
whole
like
software
security
ecosystem
that
is
around,
you
know
scanning
container
images
but
like
if,
if
it
scans
something-
and
it
says
it,
I
I,
don't
know
what
this
is.
It's
a
document
I
don't
find
any
vulnerabilities
in
it
shouldn't
that
be
fine.
C
A
G
No
so
who
I'm
the
way
I'm
thinking
about
it
is
somebody
like
suppose,
a
client
generates
an
s-bomb
using
you
know
whatever
s-bomb
tool,
and
they
push
it
to
a
registry
using
the
fallback
method.
With
the
tag
reply,
we're
doing.
G
C
Microsoft
puts
their
stamp
on
something.
That's
pushed
up
to
Azure
azure's
got
the
1.1.
It's
got
the
new
artifact
manifest,
so
their
image
has
here's
my
s-bomb
here's,
my
signature.
Here's
all
the
details,
all
the
digests
match,
but
it's
all
using
artifact
manifest
if
I'm
running
my
own
internal
registry,
it's
a
1.0
registry
I
can't
import
that
into
my
registry.
G
But
is
that
a
problem
like
can't
the
you
know?
That's
that's
a
client
issue
and
and
I
feel
like
as
far
as
client
implementations
are
concerned,
that's
kind
of
an
easy
thing:
it's
not
like
really
you're,
not
standing
it
up,
you're,
not
you're,
not
maintaining
it.
It's
not
like
exposed
to
the
Internet
it's
kind
of
sitting
in
some
place
and
going
like
oh
I'm,
just
gonna
make
a
call
I
feel
like
the
registry
has
like
more
responsibility
and
like
taking.
G
Taking
care
of
its
artifacts
the
way
it
wants
to
take
care
of
its
artifacts
so
suppose
the
registry
has
like
is
only
the
1.1
and
it's
like
not
supporting
this
extra
tagging
thing
or
did
I
get.
Why.
A
G
G
I,
like
pictures
Brandon,
please
go
ahead
and
draw
pictures.
I
still
yeah
I
still
feel,
like
you
know,.
G
Maybe
I'm
more
more
on
Jessie's
side
here,
like
I,
feel,
like
other
at
least
like
you
know,
clients
have
more
our
client
implemented,
implementers
have
more
latitude
than
registry
implementers.
I
Is
my
mic
working
now
I
tried
to
say
something
during
that,
but
I'm
not
going
here.
No
nerd
I
think
I
still
think
that
there
there's
sort
of
two
separate
issues
here.
There's
there's
the
question
of
whether
we
should
make
it
easy
for
clients
to
understand
what
a
registry
supports
and
then
there's
this
question
of
like
four
people
who
are
Distributing
public
artifacts
should
they
use
manifests,
which
we
think
is
more
portable,
or
should
they
be
pushing
artifacts
as
subjects
and
I
I.
I
A
I
I
I
Why
can't
we
just
have
a
way
for
clients
to
know
you
know.
Does
this?
Does
this
registry
support
the
new,
the
new
stuff
or
or
not.
C
All
right
that
was
long
enough
for
me
to
draw
the
scenario
that
I've
got
and
I
see
this
a
lot.
It's.
It
is
not
an
isolated
scenario.
Is
that
a
producer
out
there?
Sorry
can
we
just.
I
C
I
And
and
I
think
I
mean
most
artifacts
just
get
pushed
to
private
registries
and
we
never
see
them
like
they're,
just
in
someone's
private
it
registry
somewhere
they're
verified
when
they
try
to
run
the
image
and
and
like
they,
never
see
the
public
Registries
at
all.
So
so,
what's
the
so
the
question
that
I
thought
we
started
with
was:
can
we
have
a
way
of
determining
what
a
registry
supports
you're
saying
if
we
want
portability,
if
we
want
to
distribute
this
across
six
different
Registries,
we
need
a
compatibility
mode.
I
C
So
my
push
is:
what's
the
need
to
jump
so
quickly
to
a
different,
manifest
type?
That's
so
few
Registries
out
there
support
and
yeah
get.
Maybe
the
big
Registries
out
there
will
jump
with
support
earlier,
but
I
think
there's
going
to
be
a
very
long
tail
of
a
lot
of
incompatibility
out
there,
and
we
already
have
we've
got
today
a
manifest
that
will
work
across
everything.
C
C
Simple!
Is
that
you
can
push
it
with
an
image
manifest
instead
of
the
artifact
manifests
and
everything
just
works,
and
so
that's,
where
I'm
getting
to
the
question
of
do
we
need
to
have
this
discovery
automatically
out
there
so
that
we
can
support
a
scenario
where
we
just
automatically
change
from
an
image
manifest
to
an
artifact
manifest
if
there's
not
a
real
requirement
to
do
so.
So
that's
that's
the
question
I'm
throwing
out
there,
knowing
that,
knowing
the
downside,
so
I
didn't
have
the
attendees
up
so
I,
don't
know
who
raised
their
hand
first.
F
It's
still
Michael
and
then
just
me
as
far
as
I
can
see
Michael
you
all
set
I,
think
so.
Okay,
so
I
guess,
for
the
sake
of
time,
like
I
I
appreciate
the
drawing
I,
don't
know
that
I
didn't
understand
this
use
case.
I
also
want
to
be
clear.
You
got
a
lot
of
registry
implementers
and
and
kind
of
client
software
Professionals
in
the
chat
right
now,
like
we
I
think
we
all
get
it
like.
We
all
see
this.
F
F
That
is
a
mandatory
requirement
on
Registries.
We
cannot
abandon
customer
data.
We
cannot
abandon
users
artifacts
so
I.
Think
in
in
that
spirit,
I
I
think
I
would
like
to
write
a
PR
one
or
either
a
version
or
capabilities
on
point,
and
in
that
I
will
refer
to
this
concern
and
I
will
try
and
say
you
know
if
we
go
this
route
and
Brandon
I'm
inferring
here
that
the
the
worry
about
such
an
end
point
is
that
it
will
promote
adoption.
It
will
make
it
easier
for
clients
to
adopt
the
new
features.
F
That,
to
me
would
be
a
goal.
However,
there
is
a
concern,
and
so
I
think
as
part
of
anything
that
introduces
such
an
endpoint.
F
Unless
we
have
more
to
talk
about
and
then
I
just
have
a
question.
C
F
This
so
this
would
be
whatever
tool
the
producer
is
using
that
implementer
needs
to
understand
what
their,
what
they're
choosing
when
they
choose
to
use
1.1
they're
moving
into
the
future.
So.
F
So
I
think
that's
something
that
we
can
talk
about
in,
like
a
in
a
PR,
potentially
we're
talking
about
something
like
no
automatic
fallback
like
maybe
you
want
client
software
to
like
always
be
implemented
as
a
mandatory
fallback,
which
again
would
be
a
client
decision
right
but
like
as
far
as
the
storage.
As
far
as
the
storage
system
goes,
this
is
always
going
to
happen
and
I
know.
This
is
the
first
time
the
oci
is
introducing
new
features,
but
like
we're
going
into
the
future,
we
will
leave
the
pass
behind.
C
That
will
keep
saying
you're
worried
about.
If
you
upgrade
this,
you
want
to
be
able
to
support
the
old
stuff.
So
if
you
upgrade
from
measure
1011,
you
want
to
be
able
to
support
the
old
stuff,
that's
a
guarantee.
We
we
put
that
in
the
spec.
Nothing
in
this
has
changed
in
that
side.
It's
the
flip
of
that
of
saying,
okay,
once
this
goes
to
1
1
everybody
that
works
with
this
is
now
forced
to
upgrade
whether
they
wanted
to
or
not.
F
Nope
I
think
the
better
way
to
say
it
is.
If
you
want
to
bring
that
artifact
somewhere
else,
you
better
make
sure
it
it
supports
1.1.
Otherwise,
it's
not
a
destination.
So
it's
not.
B
F
H
Thanks
Sanjay
quick
question:
according
to
this
diagram
right,
so
let's
say:
if
there
someone
pushes
an
image
with
a
1.1
on
ACR
or
Docker
Hub
anywhere
right
and
if
they're,
older
Docker
clients
which
still
are
on
1.0
they're
gonna,
not
be
they're,
not
gonna,
be
able
to
pull
that
image.
Is
that
correct
or
they're
they
can
still
be?
They.
C
Can
pull
the
image?
The
image
itself
is
still
going
to
be
the
image
manifest,
but
they
can't
pull
the
s-bomb
and
the
signature
and
stuff
like
that.
But
that's
okay,
if
you're
pulling
directly
from
here,
because
the
older
Docker
client
doesn't
know
how
to
pull
an
s-bomb
or
a
signature,
it's
it's
only
when
you
go
from
here
across
to
here
and
then
to
something
that
needs
that
s-bomb.
F
F
F
F
I
was
doing
it
right,
cool
all
right,
so
I
I
will
Point
a
PR
out
of
capabilities,
endpoint
proposal
and
we
can
just
talk
more
about
it.
G
Yeah,
it's
I,
don't
know
how
much
of
stuff
needs
to
change
in
order
to
stick
in
a
capabilities.
Pr
oud.
So.
A
F
The
worry,
I'd
have
and
I
think
implementation.
Wise
I
mean
none
of
it's
rocket
science,
but
for
Registries
version
endpoints
a
lot
simpler
than
capabilities.