From YouTube: OCI Weekly Discussion - 2022-03-10
A: I don't think we have a whole lot to do today. We've been busy over in the working group getting stuff happening over there.

B: Good. I wish I could join that call more often; for whatever reason my Tuesdays tend to be much busier than my Thursdays, but that's how it goes. So that's...

B: What's the current status? Because I've actually had two different things pop up here lately. One, I think one on my team will actually start putting more hands on, which I'm looking forward to, kind of like the pushing and pulling of objects, signatures, whatever, so actually using some of the stuff. And then another where I had somebody reach out from Red Hat that was doing some unified content delivery something, anyhow; it sounded very much down the same path.

A: Yeah, and I've also been seeing the CNCF secure supply chain working group, the stuff they've been doing there. They mentioned this as well; they're saying, hey, you know, we need to start attaching all these signatures and SBOMs as we deliver these things, but it's not really happening out in the wild too much yet, and so, well, that may change with this work. So far we kind of went through, got our list of requirements and a little rough idea of what we're doing (hey there, Tianon), and we're starting to throw proposals out there.

B: Would probably be good if we do have any... let me... obviously there's overlap in that space, but even if, like, they have a placeholder for us to say statuses, and, like, you know, if there's requirements and whatnot from one to the other, because obviously I think container registries and manifests of objects are going to heavily be leveraged in one way or the other.

A: Yeah, and they're also over in the CNCF Slack; they've got a channel over there as well for that working group. It's been a little bit busy lately, just because they're almost done getting their white paper finished. They just had a CFP on their, or a call, a request for comments, RFC, on their white paper they're putting out, so they're busy right now taking all those comments and hopefully getting that paper finalized. But otherwise, on the working group, a couple proposals are sitting out there and we started going through the one this past week on Tuesday, about the first proposal, saying: do absolutely nothing, and what can we make happen within an existing registry just using, like, the tags that have the digest in them and using OCI artifacts as they are today. And so, next few weeks, hopefully we'll start going into some of these other proposals that are saying, let's actually change a whole bunch of stuff and then see what more that'll give us.

A: So, Tianon, I was just saying that I was feeling like our working group was feeling productive. Is that feeling consistent on your side as well?

E: I think so. There's a lot of communication happening, which is definitely more productive than this conversation has been for years. So, yeah.

A: So, cool. I don't have much else to really talk about, unless you've got questions for me. I am keeping my general agenda that I keep pushing, to try to get the OCI layout visible in a lot of places: the file system layout, the image layer, a lot of places. Yeah, I'm a fan of that; I'd like to see it used in more places.

B: Tianon would probably appreciate this also, but I just had, like, a small fever the other day where I was trying to fetch and unpack an image, and I was, like, stuck between the capabilities of skopeo and umoci and then what the crane project can do, and, like, which ones actually support, like, an OCI image layout versus, like, what you would effectively get as docker save output, something, and, like, how different they were, and sometimes...

A: You can output an OCI image layout that has the files needed for both the layout and the docker load and the docker launcher.

B: Okay, then I'll have to go back to where I was, because I was skopeo copying something, and anyhow, I was actually trying to unpack a file system, and I was really frustrated by the fact that some of the tools will silently act like they've worked, but it's because they're expecting, like, a Docker image layout, like a docker save layout, but not an OCI image layout, and so it'll repackage something that looks like what you want. But the contents of each tar layer is just the tarballs of the prior thing. Like, they don't fail because they didn't get what they're expecting; it will try and do its best job anyhow. I ended up down a rabbit hole and it was not what I was prepared to do that afternoon, so I just had to stop and move on to something else.

A: I'd like to see layout in a lot of stuff we've been working on, especially in CI pipelines. I'd like to see us, between the different stages of the pipeline, keep the layout local, and then once you get to the last step, say: okay, now we've generated our SBOM, done our signing, all the other steps in there, done our security scan. Yeah, it probably needs me going into various individual projects saying, hey, it would be nice if you could do that with a layout too. I've been pushing also on the reference type group. I've got an issue open over there saying, hey, we might have missed one of our items here: that we need to be able to generate the reference type that can be exported to a layout, because people do air gap networks and are going to take this stuff across in a file format that's on disk, not on a registry.

B: Yep. I think one of the things that I don't like about that, that I think some of the tools at the time that we first worked on that probably don't do it... I think one of the conversations that would probably have to be revisited (and this is probably if you have even a small write-up of how you've interacted with it or seen it done) is that people are still very focused on the tags. You know, like the docker tag or something like that. So when we have stuff exported to a layout, it expects, you know, this annotation, this, like, clunky annotation field, to be, like, the tag name. So even, like, in that situation, that again, just a couple weeks ago, umoci, like, won't operate on it unless it has a tag. It won't be, like, actually, no, this is this digest. So if you're not even using tags, if you're only in a digest workflow, making sure that, you know, it has continuity in that workflow if you're just only referencing digests, because some of the tools actually won't even be able to reference it unless you have that annotation tag in there.

A: Yeah, another place I've been using it is if I want to do image modification: pull an image down, do some tweaks to it with some automated tooling, is that I tweak the image and then re-push it back into my little OCI layout, and then I can push that up. But then keeping track of, okay, I modified this stuff; these are the layers that are safe to delete now because I've replaced them.

A: What are you saying, Brandon? I didn't want to derail your conversation there. If we're looking for other stuff to chat about, I've always got my sore spot, which I'm thinking that at some point we might want to define the spec for authentication.

B: Look, that's finding how best can we have that conversation, because I mean, like, people have obviously been touchy about it, mostly back in the heavy Docker days, but how best could we tackle that? Because I think a lot of people just emulated certain patterns, so it would have to be, like, effectively defining how folks do things, which is somewhat in the Docker auth docs, but then, if people want to, like, improve on that or, like, venture out from it, then it'd have to be a way to break it. Well, it's been a pain point for a long time. Here recently I was even ranting to Tianon and John about it, because I was going through an overhauling, completely personal, non-big-enterprise nonsense, but it occurred to me just the extent to which, if you have effectively a read-only, well, not really, say you have... If you wanted to have a mostly read-only but public registry, and it only authed once somebody tried to PUT or POST or DELETE or update or whatever, PATCH, there's no workflow that would redirect them back to the first step where they do the first GET, where it first hands off the token. And so basically, if you ever wanted to have auth, even for the read-only, it has to be in place from the very first request, and it's kind of a funny workflow. So, like, in my situation, I was trying to just put a load balancer to where it's like, if it's a read, if it's a GET, just go over to this path, and as soon as they try to PUT, POST or DELETE, go to this other path to handle auth, like HTTP auth or anything like that, and it's completely broken on the Docker registry workflow. You can't do that. Yeah.

A: Yeah, I've even just, like, I think it was this past week, Docker Hub broke their auth. That was a fun one to get fixed frantically, but it was one of those workflows where I think containerd was used to doing it one way, Docker was used to testing a different way, and it was just keeping those all sorted out that they didn't realize. The one you're talking about, the events, was, it's for me, for other people talking to me, they call it lazy authentication, where they just hit the query, see what happens, and if the GET or the PUT comes back and says, hey, you need to authenticate on this thing, that's when they get the header and they say, okay, now I need to do it; let me go ahead and send the request to the right...

A: Yeah, so it's important you get the right return back, that the header back that says: hey, you just need to be authenticated before you do that request. But then different registries handled the extending your auth all differently. All friends here, so I'm not going to call it names, especially because people I would call it names for are here to defend themselves. But I've seen a challenge where, if I'm already logged in for one repository and then I try to reuse that to access a different repository, it just throws an immediate access denied, not a "please authenticate with this new scope", and so a lot of the tooling out there surprisingly goes with the Docker workflow, where they assume that the client is adding the scope and updating the scope and defining the scope, rather than just using regular HTTP semantics of, hey, whatever the web server told me to authenticate with.

C: Yeah, we've had problems with that in containerd. Like, we've tried to start off with, we're not going to touch the scope, but yeah, as soon as you want to do stuff like cross-repository mounts and stuff like that, there's no way to do that without touching the scope, because it's like, yeah, I don't think most registries would even give you a correct, like, scope to say, hey, you need to read from here and write from here.

A: Yeah, it's interesting just because we actually do a compliance test against your auth, but that just, if it works, great; if it doesn't, or if you don't have an auth, then the compliance just passes.

C: In terms of, like, mandating, like, how tokens and stuff work, like, that's not something we want to get into, but yeah. I think what we're seeing, at least from what actually exists today, is that scopes are something that, you know, clients inject; therefore, like, there's an unwritten understanding between, like, what a scope actually means between a registry and a client.

A: I would be a fan of letting the registry tell me what my scope should be instead of me presupposing what my scope should be and me preemptively doing the auth, but I think we're in a world where I'm too late for that battle.

D: I don't think it's too late. We've got a lot of problems to solve around authentication, and I think there's definitely some KEPs that we're trying to do in Kubernetes that maybe will affect some of this. I think we do need to talk about security of the containers and the tags and the images that we're storing, how they get, you know, expanded, how you run containers, what is the lifespan of those container images. It might make sense for us to define some patterns, maybe Vince and Dirk and Vernon, that we can proffer as suggestions at the OCI level. You know, if you pull an image with this auth, you know that you could find out from the originator, maybe, you know, what kinds of cache policies were requested for that image. Otherwise, Kubernetes guys are going to figure this out on their own, right, and handle it in their own policy, and there'll be this constant disconnect between what Kubernetes users think is the policies of images and what the original, you know, the original developer of the images was, you know, when they pushed it to a private repo. Yeah, yeah, I can share some. I've got a KEP I'm doing for ensured secret pulled images; I'm working with Morneau. I...

C: I think that is relevant here, like, one of my largest complaints about the way Kubernetes does auth today is that it's not scoped. Like, the credentials and everything are not scoped before they get through the whole Kubernetes API. So, like, most of the time, you can use these credentials that are being used even to do push operations, which to me is a significant flaw in the design, but we don't really have a way today to say... Well, I guess we kind of do, in the way we tried to define some of the auth and tokens of getting, like, long-lived tokens or refresh tokens that are scoped, but I don't think anybody does that today. I think everybody, every registry, is doing their own thing for, like, having specific pull-only credentials and stuff like that.

B: Probably 240 is almost a better one, because it looks like, as we were redoing the distribution spec to go for the v1, that Dolitsky opened that one as a kind of a tracker so we don't lose track of the references to, you know, teasing out auth and authentication/authorization. But probably something between the two of those, of, like, just the technical details of one, that 110 issue, like how to appease the Docker token piece of it, a scope, and then what, effectively, how to get conformance on those.

D: Just trying to point out there's a couple of parts to all three. One is: how do you get it, and the other is: what do you do with it when you have it, right? And I think we can definitely help describe both sides of that, or at least maybe have some model where, whatever your auth is, when it's given, whatever its values, where it's, you know, its scopes...

B: Brandon, is this something that you would want to either comment on, something like the issue 240 or 110, or tease out into even taking a stab at this?

B: I don't know, like, at this point I think, yeah, I'm two ways. I'm like, it's almost like one of those things that there's been a few items brought into the spec, or specs, not just, like, the distribution (image, runtime), that was basically, like, this is already how it is and we're basically defining the behaviors, and then even, like, putting a little ribbon around: these are the spots where things kind of differ, you know, as we've found, of, like, it would, you know, generally this is how it is, but this is the spots where there's gray area or rough edges. And then once it's there, then it's, like, either easier for folks to get a better understanding of it or to say, you know, something needs to be fixed, because I think part of it is that when it's not specified, most, you know, services, like, you know, Azure, AWS, GCP, they know what does or doesn't work with their tools, and they don't want to, like, break their customers, and if it's not defined, then they're not, you know, just, like, going to venture to change it and, like, potentially break their customers. Who cares if it, like... like, they need to cut that kind of assurance to say, oh actually, this would not just not break our customers, but it would also enable other use cases with, like, known tools. But when it's not written down, there's nothing for them to back that up with. So being able to even point out, like, here's where it does or doesn't work, even if it's, like, we get some part merged, and in the issue it's teased out, of, like, here's the differences still that are yet to be ironed out, and it allows a lot of those different implementations or services to say, like, where the differences are, and, like, have more assurance that they could unify and not break their customers and enable other tools.

A: Yeah, I'll dig through some of those open issues out there and see what kind of feedback... This is relatively fresh in my head. I've had a lot of people hit me and say: hey, your code doesn't work for this case, doesn't work for that case. I keep realizing all the different scenarios that are out there that are not easy to work around. Yeah, I've been seeing a lot of them just because I'm copying images between, and I'm also trying to make long-term clients, and boy, that opens up a whole other can of worms when you think of a long-term client that gets a password once and then reuses that for however long it's been running. Yep, especially if you have credential helpers; that adds in another complexity there.

A: Yeah, I think that's all. I got to turn a no-agenda meeting into a bunch of discussion topics.