►
From YouTube: OCI Weekly Discussion 2019-12-11
Description
Attendees:
Nisha Kumar (VMware)
Josh Dolitsky (Blood Orange)
Vincent Batts
Mike Brown (IBM)
Ram Chinchani (Cisco)
Kat Cosgrove
Rose Judge
Steve Lasker
Jon Johnson
… a phone number
serge
… another phone number
Agenda Items:
App centric rootfs builds for containers (nisha)
Joshua Lock and Nisha Kumar (VMware) gave a talk on using linux distro tools to build container images: https://youtu.be/BN7nWlAcz-o
Possible/Inevitable collaboration with SIG-Security: https://github.com/cncf/sig-security/tree/master/supply-chain-security
Timezone issue: Joshua and other stakeholders are in the EU (and possibly Asia) and the regular meeting hour is not easy
OCI distribution conformance strategy (jdolitsky)
Distribution spec endpoints: https://github.com/opencontainers/distribution-spec/blob/master/spec.md#detail
Starting points for test harness
Quay tests: https://github.com/quay/quay/blob/master/test/registry_tests.py
Zot: https://github.com/anuvu/zot
https://github.com/anuvu/zot/blob/master/pkg/compliance/v1_0_0/check.go
https://github.com/kinvolk/ocicert
Self-certification model
k8s conformance example: https://github.com/cncf/k8s-conformance
existing OCI repo: https://github.com/opencontainers/oci-conformance
Recent discussion
https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/JCpfBI-_woQ
Prior discussions (2018)
https://github.com/opencontainers/distribution-spec/issues/24
https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/jL5yhEIv3Ac
Notes:
app centric rootfs
looking to build with the constraint of:
no external infrastructure (vb: what all does this mean?)
(Nisha) means no reliance on any one organization’s internal infra or a picky build system
Typically, each org has a way of mirroring source code and rolling their own build system to build artifacts. We’d like this to be easily accessable/usable by any developer.
provide a manifest of whats included
and the sources of the things included
we looked at a number of distro tools
we want users to be able to do this and not have to set up sophisticated build environments
(vb) sounds like https://reproducible-builds.org/ is the place for the conversation
Consensus is that although it is a good topic, it is too vast to include in OCI and too young to include in CNCF
Next steps is the set up a meeting with individuals who are interested in this topic and come up with goals and outcomes for a SIG
(vb) no complaints on the approach that dolitsky is taking for the distribution conformance
one day maybe having a live leaderboard would be interesting,
but for now having tooling that outputs a result, and a github repo for folks to commit the output of their results is a good first step
we could even make a generated matrix of results from the committed reports to the repo
the pieces to include need to have: 1) version of their tool; 2) a README on the enviroment; 3) version of the conformance tool; etc.
A
A
A
B
B
So
some
background
on
this
joshua
lock,
who
is
a
colleague
of
mine
who
is
in
the
UK,
which
is
why
he
can't
attend,
because
it's
a
clearly
bad
time
for
him.
Anyway,
he
and
I
worked
together
on
trying
to
use
linux
distro
tools
to
make
route
offenses
for
container
images
that
just
have
the
app
and
its
dependencies
either
for
building
your
app
or
running
your
app,
so
either
bill
time
or
runtime
images
that
have
just
enough
to
get
it
to
build
and
run.
B
So
we
have
it.
We
gave
a
talk
at
cube
con
and
we
got
a
lot
of
positive
response
for
it.
In
the
talk
we
had
several
requirements
that
we
were
looking
at.
One
of
them
is
the
availability
and
the
quality
of
the
software
bill
of
materials
for
that
root
of
s
that
we
have
built.
So
what
we
were
looking
for
is:
can
we
use
this
build
system
to
build
a
root
of
s
that
only
has
the
app
and
its
dependencies
and
will
give
us
a
list
of
packages
that
we
installed
and.
B
B
That
so
that
was
mostly
because
typically,
it
seems
to
me
that
each
like
this
is
this
is
possible
for
companies
that
have
their
own,
shall
we
say,
mono
repo,
so,
for
example,
VMware
has
a
list
of
mirrors
that
they,
so
they
say
so
they
mirror
upstream
projects
and
they
have
like
a
whole
build
system
that
will
build
binaries
from
those
upstream
projects
or
from
the
mirrors
more
likely
from
the
mirrors.
Rather
Intel
had
something
similar
I,
don't
know
how
it
works
with
red
hat
red.
A
Hats
got
a
pretty
a
very
picky
build
root
system;
it
doesn't
have.
It
doesn't
have
internet
access,
anything
that
anything,
that's
tagged
to
be
in
the
any
of
the
binaries
or
the
sources
of
the
binaries.
At
the
time
of
the
build
are
preserved.
When
you
build
that
image,
so
you
can
anything,
that's
publicly
released.
You
can
go
back
and
see.
They're
like
hematocrit
sealed
build
route
that
it
was
built
in
yeah.
B
B
B
Like
images
for
I
mean
the
one
experiment
we
had
was:
let's
try
to
build
like
an
equivalent
golang
image,
because
the
NGO
langing
image
from
docker
hub
is
pretty
big
and
we
did
manage
to
do
that.
For
the
most
part,
some
of
the
tools
are
reasonably
okay
to
use,
and
some
of
them
are
painful
to
use,
but
once
you
know
the
steps
to
do
it,
it
can
be
done,
and
then,
on
top
of
that,
you
have
to
do
some
extra
mile
manipulation
to
get
and
docker
to
use
it.
B
So
anyway,
we
would
like.
We
think
that
this
is
actually
a
viable
way
for
building
apps
for
containers
and
we'd,
like
a
forum
to
discuss
it,
some
more
and
maybe
like
gather
some
folks
who
are
interested
in
the
same
thing
and
so
Joshua
reached
out
to
Chris
Anna
Chuck,
who
see
seed
Steve,
maybe
Steve,
Lasker
and
Vincent
batts,
and
some
other
folks
right.
So
I
guess
at
this
point,
I'm
trying
to
figure
out
whether
this
forum
for
discussion
should
live
under
C
and
C
F
or
in
OCI
you
and
that's
yeah
and
the
other.
D
B
A
A
Times
that
I've
gotten
pulled
into
conversations
like
this,
and
even
the
amount
of
the
bits
of
work
that
I've
done
on
it
for
the
container
image
and
at
you
know
so
forth
for
containers
has
frequently
involved
this
reproduce.
Reproducible
builds
org,
they
have
a
conference
every
so
often
there's
been
one
in
Berlin
last
I.
Think
last
year
was
in
Paris
and
it's
it's
been
kind
of
a
general
industry
effort
piece
just
to
tackle
some
of
these
issues.
There
are
people
from
Debian.
A
B
It's
mostly
looked
at
from
it's
mostly
abused
by
embedded
folks,
who
are
thinking
about
like
hardware
and
abling.
More
than
containers
I
mean
when
they
think
about
it.
From
the
container
perspective
they're
like
yeah,
it's
possible.
Somebody
else
can
do
it,
I,
don't
think
we
want
to.
You
know,
look
at
it
and
then
you'll
have
to
think
about.
Okay,
would
you
be
willing
to
make
a
target
for
containers
and
that's
where
the
conversations
with
the
embedded
Connecticut
fraud.
B
A
So
I
think
I
think
some
of
the
places
that
this,
if
I,
if
I,
had
to
imagine
what
this
would
look
like
as
it
gets
bubbled
up,
is,
if
there's
like
a
methodology
for
exporting
from
or
collecting
the
sources
from
any
given
tools.
So
like
say,
pi
PI,
generating
an
S
bomb.
You
know
like
the
schema
for
what
the
s
bomb
as
it
would
be
exported
from
pi
PI
would
look
like
the
way
that
you
collect
the
sources
from
that
and
these
kind
of
things
like
what?
What
is
the?
A
It
would
be
not
quite
a
Sisyphus
type
role
in
a
function
but
going
to
these
different
communities
and
encouraging
it
or
otherwise
making
it
easy
to
export
it
from
those
places.
But
the
reproducibility
piece
of
it
is
I
will
I
will
venture
to
say
a
almost,
not
solvable
problem
in
common
time,
because
a
lot
of
the
different
underlying
technologies
are
constantly
growing
or
changing
or
having
different
dynamics
that
one
of
the
few
ways
that
I
can
speak
on
RedHat
side.
A
One
of
the
few
ways
that
they
were
actually
able
to
do
their
Builder
infrastructure
is
by
saying
no
to
most
new
technologies
that
came
along
like,
as
somebody
wanted
to
package
Ruby
up
there
just
say
no,
because
we
can't
currently
do
it
with
the
I'll.
You
know
it
had
to
be
like
C
in
Python
and
whatever,
like
this
slow
march,
into
adding
incorporating
new
languages
and
new
language.
New
things
are
always
being
created
faster
than
incorporating
the
old
ones,
so
I'm
not
I'm,
not
being
a
downer
downer
in
it.
B
Yeah
agreed
I
mean
in
fact
we
we've
kind
of
said
that
we
don't
really
want
it
to
be.
Reproducible
somewhat.
Repeatable
is
good
enough,
so
I
mean
I.
Understand
like
the
Debian
folks
are
like
gung-ho
about
reproducibility,
but
but
I
agree
with
you,
it's
like
really
difficult.
If
you
don't,
if
you
don't
have
like
homogenous
way
of
defining,
you
know
your
your
app
and
its
dependencies
and
you
know
what
what
provides
and
what
it
needs
and
all
of
that
stuff.
B
Geeks
also
has
something
called
geeks
pack,
which
does
somewhat
the
same
thing.
The
trouble
with
the
trouble
with
geeks
is
that
the
the
is
the
scheme
in
which
you
have
to
write.
The
packaging
definition
is
all
in
a
language
called
schema,
which
is
like
another
thing
that
people
need
to
learn
and
that's
gonna
be
like.
D
No
I
would
say
so.
The
the
conversations
you're
having
here
I'm
a
girl,
interested
and
I
actually
have
a
little
bit
more
vested
interest,
but
I
I
think
this
is
a
great
conversation
and
as
far
as
like
the
forum,
you
know,
I
working
through
the
S
bomb
stuff
and
the
security
cig
working
group
that
some
people
that
I
got
pulled
into
you.
D
That
is
the
right
place
this
to
have
this
conversation,
because
those
the
right
people
that
are
thinking
about
it
and
deep
into
that
I
think
it's
interesting
here
for
you
to
talk
about
this,
because
it
kind
of
helps
us
and
others
that
are
curious
about
what's
going
on
there
and
what
a
kind
of
there's
this
RC
thing,
accountable,
responsible,
consulted,
informed,
I,
think
a
lot
of
us
are
very
want
to
be
informed
about
it.
But
I,
don't
know
how
responsible
or
even
consulted
some
of
this
group
Ness
is
and
I
my
best
recommendation.
D
I
guess
would
be
to
work
in
those
groups
and
I.
You
know
we
can
all
help
point
you
to
the
right
people
to
get
involved
with
it,
because
the
those
conversations
are
actively
happening
like
the
software
Bill
of
Materials
working
group
specifically
talks
about
reproducible
bills.
The
tough
folks
are
involved
in
that
conversation
like
Santiago
and
Patrick
and
I
just
grew
up
back
to
the
guys
name,
yeah
and
they're.
Having
that
deep
conversation
and
you'll
actually
be
able
to
engage
with
them
on
what
you
think
could
be
a
way
to
make
more
progress.
D
B
B
So
right
now,
with
my
work
in
turn,
there
is
I
suppose
like
there
is
a
way
to
generate
the
software
Bill
of
Materials
after
the
after
the
after
the
fact
like
after
building
the
container
image.
The
problem
is
that
it
isn't
very
good:
it
isn't
a
high
quality
software
Bill
of
Materials,
so
it's
there,
but
it's
incomplete
and
the
only
way
that
you
can
get
a
complete
software
Bill
of
Materials.
A
B
So
that
means
that
we
it
needs
to
have
the
container
needs
to
be
well
described.
It
needs
to
the
build
system
that
created.
It
should
be
able
to
create
the
exact
same
thing,
not
bit
not
bit
for
bit
but
equivalent
same
thing,
and
it
should
be
able
to
create
updated
images
easily,
because
it
it
is,
it
should
be
able
to
build
from
source.
B
So,
that's
that's
why
we
called
it
cig
build
because
it
it
is
based.
The
outcome
of.
It
is
basically
like
a
system
that
should
be
able
to
create
these
components
that
can
be
consumed
by
projects
like
kubernetes,
so
Tim
pepper,
who
is
in
cig
release
for
kubernetes,
is
also
interested
in
seeing
something
like
this,
because
right
now,
kubernetes
is
releases
kind
of
a
mess
and
they
are
having
a
hard
time,
accounting
for
all
of
the
components
that
is
needed,
or
you
know
actually
releasing.
B
A
D
I
think
so
what
I?
What
I'm
suggesting
is
it's
like,
create
it,
and
then,
if
it's
create
something
and
if
it's
valid
people
will
come,
I
mean
that's
like
this
is
a
great
group
to
bring
things
to,
and
they
even
have
whatever
forum
that
you've
created
to
be
housed
under,
but
I,
think
you're
I.
Think
you're
had
the
incubation
point
of
building
that
collective
forum,
and
you
know,
there's
a
couple
of
people
here.
D
That
will
be
absolutely
if
you
just
set
up
a
meeting
and
say
hey
we'd
like
to
talk
about
you
know
this
thing
and
see
who
attends
so
I
think
this
is
a
great
firm
to
advertise
to
and
see
who
would
attend
it
and
then
set
up
some
meetings
set
up
conversation
and
see
what
kind
of
grouping
and
collaboration
you
can
get
and
I
think
by
being
plugged
into
those
other
working
groups.
You'll
get
more
visibility
into
some
of
stuff
they're.
Thinking
about
that
you'd
want
to
incorporate
and
find
the
right
people
I'm,
not
suggesting.
D
It
necessarily
is
the
place
that
you
build
this
thing
like
I,
don't
know
if
you're
actually
suggesting
of
building
something.
There's
just
a
conversation
at
this
point,
because
everything
you're
saying
is
perfectly
valid,
I'm,
just
not
sure
I
think
Vincent's
point
I'm,
not
sure
what
what
is
it
you're
looking
to
accomplish
here,
yeah.
B
A
So
a
lot
of
the
binaries
that
are
out
there
in
registries
are
not
easily.
You
can't
get
the
sources
easily
so,
depending
on
your
interpretation,
certain
certain
licenses,
like
the
GPL
v2
dot.
One
has
this
kind
of
hand
wavy
equivalent
access
that
I've
been
told.
People
broadly
interpret
that
if,
if
you
get
the
binaries
from
a
registry
than
the
source
should
be
available
in
a
registry,
and
so
I
think
I've
pointed
you
to
the
link
of
it.
A
But
at
this
point,
I've
just
started
working
with
working
on
an
implementation
to
do
that,
and
rather
than
bringing
it
up
in
conversations,
I've
just
moved
forward
with
actually
vetting
this
seeing
how
well
it
works
in
production
and
as
I'm
doing
my
own
exploratory
pieces
of
that
I'm.
Using
that
informed
decision,
then,
as
I
see
the
conversations
crop
up
in
places
like
the
artifacts
work,
that
Steve
is
doing
now
sitting
here.
A
Thinking
of
like
oh
well,
that
basically
means
to
me
that
the
this
source
container
thing
that
I'm
building
effectively
could
have
its
own
media
type
and
be
a
different
type
of
object.
That's
just
shoved
at
a
registry,
so
I'm
reusing
the
distribution.
Spec
conversation
that's
going
on
I'm
reusing
the
artifacts,
but
conversation
that's
going
on.
If
eventually
we'll
reuse,
the
the
s
bomb.
You
know
conversation
that's
going
on
yeah.
A
I
feel
like,
even
though
it's
a
use
case
that
I'm
in
is
critical
path.
For
me,
it
would
be
trying
to
push
the
push
the
ball
up
the
hill
to
start
having
the
conversation
before
I've
got
some
kind
of
like
here's,
what
I've
found
to
actually
be
working
and
here's
how
it
relates
to
all
the
different
conversations
that
are
going
on
yeah.
B
A
B
So
that
involves
you
know,
should
I
make
a
layer
should
I
use,
the
artifact
should
I
like
use
both
it
and
that
yeah
I
get
that
the
part
about
the
the
route
FS
building
stuff,
and
this
is
why
we
asked
the
CNC
F
first,
because
we
felt
like
you
know
we
can
have
these
conversations
here,
but
we
can't
have
them
in
depth.
So
we
can
say:
hey,
there's
a
conversation
happening
in
that
forum,
go
check
out
the
meeting,
minutes,
etc.
B
But
we,
we
can't
have
that
same
conversation
in
depth
over
here,
but
we
can
definitely
have
adjacent
conversations.
So
we
can
say
there's
this
builder:
it
builds
o
CI
compliant
images,
it
you
know,
how
do
we?
How
do
we
allow?
How
do
we
best
allow
the
community
to
use
it
or
it
doesn't
need
work
and
all
of
those
things
so
I.
A
Even
as
the
way
I'm
trying
to
produce
the
production
of
those
images
for
the
time
being
is
a
bit
like
thinking
through
what
tools
like
build
kit
or
build,
or
whatever
else
would
need
hooks.
You
know
and
like
right,
you
know,
industry
best
practices
are
like
if
you
need
this
day,
metadata
generated
for
each
run,
step
like
when
people
hand
into
docker
file
or
or
just
you
know,
industry
practice
of
like
if
you're
using
docker
files
and
you're
not
going
to
be
able
to
achieve
this
you're
gonna
have
to
do
something
else
entirely.
D
B
A
I
was
when
we
started
to
touch
in
this
last
week.
I
was
inclined
to
just
have
them.
You
know,
as
we
march
through
a
call
of
like
well,
would
need
attention
first,
you
know
almost
what
we're
doing
now,
but
just
like
here's,
the
groups
that
are
involved
here,
here's
how
what
would
be
the
most
productive,
next
steps
and
and
really
start
chiseling
it
into
like,
like
what
you
gave
us.
The
big
end
goal
like
success.
Current
success
criteria.
A
B
A
How
could
it
be
incremental
and
start
breaking
it
breaking
it?
Apart
of
like
I,
worked
at
this
team
and
they
made
sure
that
anything
that
they
produce,
we
can
push
to
a
registry
cool,
great
or
I,
worked
with.
We
determined
that
any
build
tools
that
our
container
build
tools
that
want
to
produce
this
kind
of
outcome
should
do
it
in
this.
You
know
advisable
patterns
or
you
know,
I,
don't
know
what
and
start
incrementing
through
that.
It's
because
then
the
community
could
own
fixing
that
or
somebody
can
step
in
and
do
those
incremental
pieces.
A
B
D
B
D
So
if
you
find
a
couple
of
people,
you've
been
working
close
to
it
closely
with
I
would
and
they
are
interested
in
doing
between
now
that
I
think
you'll
get
a
lot
done
in
a
small
group
and
then
keep
on
bringing
the
circle
wider
and
wider,
and
building
more
and
more
consensus
and
getting
more
input
and
I
think
you'll
get
more
progress.
Okay,.
E
E
A
A
while,
yeah
and
I
think
that
it's
it's
so
a
few
other
people
that
might
also
have
good
opinions
or
not
on
the
call
today,
but
of
we've.
We've
had
conversations
like
this
for
the
runtime
spec
and
for
image
spec,
and
they
were
a
little
funkier
to
write
tooling
of
I
mean
like
you.
Could
you
could
do
certain
kinds
of
conformance
testing,
but
not
quite
like
we
could
with
this
HTTP
API,
and
this
is
where
even.
A
I'm
glad
for
the
work
that
dong-soo
has
started
a
year
or
so
ago,
that
is
part
of
its
contribute,
part
of
its
already
merged
in
and
some
of
it's
still
sitting
in
a
PR,
that's
gone
still,
but
of
the
quite
stuff
that
you
looked
at
last
I
looked
at
it,
it
was
just
gonna,
be
like
a
sliver
of
it.
That
would
be
effectively
what's
the
OCI
v2
schema,
yeah.
E
So
I
sat
down
with
Jimmy
and
went
through
it's
like
a
3,000
line
file
and
just
went
through
all
the
different
method-
names
that
are
specific
to
Quay
and
rip
them
out.
So
it's
pretty
much.
A
lot
of
them
are
not
specific
okay,
so
it
would
be
a
good
starting
place,
but
I
guess
like
what
was
what
your?
What
your
hesitation
on
that
approach,
then
I
don't
have
hesitation,
I'm.
E
I'm
running
into
Python
2
versus
Python
3
issues
on
my
Mac,
but
besides
that
is
that
is
there?
Is
there
conformance
test
written
in
Python,
2,
I,
I?
Don't
actually
don't
know,
I
just
I
just
started
playing
with
it
today.
Oh,
but
yeah
I
mean
like
in
terms
of
the
no,
but
in
terms
of
whether
whether
it
is
whatever
language
it
is
right.
E
I
put
in
the
email
like
you
know,
there
is
a
there
is
a
repo
or
a
project
for
kubernetes
called
gates,
conformance
and
there's
a
tool
called
Senna
boat
sonobuoy
persona
by
that
was
a
hefty
O'toole
and
they
basically
people
can
come
in
and
open
a
PR
against
this
repo
and
say
o
our
kubernetes
distribution
works
with
kubernetes
115.
Here's
the
log
for
running
sonobuoy
and
thinking
about
that
being
sort
of
a
good
approach,
considering
like
it
yeah.
A
And
this
is
one
of
the
funny
parts
about
conformance
testing
that
as
technical
people,
we
can
start
describing
some
of
the
pieces
of
it.
But,
as
is
business
people,
they
start
getting
upset
pretty
quickly,
because
when
you're
like
red
check,
you
know
red
X,
this
thing's
not
compliant
yeah
people
get
their
feelings,
are
pretty
quick
but
yeah.
If
they,
if
there's
an
output,
it's
machine
parsable
and
it
shows
like
either
when
they
ran
it,
which
version
of
the
conformance
test.
They
were
an
against
it,
because
the
conformance
test
itself
might
iterate.
A
You
know
like
rerun
again,
because
we've
added
new
conformance
pieces,
the
version
of
the
tool
that
they
ran.
It
again,
do
you
know
the
version
of
their
application
or
tool
that
they
ran
it
with
there.
You
know
like
there's
several
different
markers
like
that
and
then
all
the
machine
parsable
stuff,
so
that
you
can
get
like
it's
conformant.
You
know
that
kind
of
stuff.
A
lot
of
the
musts
are
there
and
none
of
the
shouldn'ts
and
those
kind
of
stuff
like
that.
The
spectrum
both
passing.
A
Pretty
sure
the
artifacts
will
stay,
its
own
thing
is
a
reference
of
I.
Think
they're,
just
like
companion,
companion
pieces
once
how
you
implement
the
distribution
and
the
other
is
here's
how
you
handle
the
things
you
might
see
on
a
distribution
registry,
but
as
far
as
where
to
put
the
conformance
piece
of
it,
we
probably
would
not
be
a
big
deal
to
make
another
repo
of
like
distribution,
conformance
or
whatever,
and
the
only
thing
that
we
get
into
there
is.
A
Wednesday
when
things
start
being
in,
if
like
say,
the
conformance
tests,
would
they
with
the
conformance
tests
themselves,
live
in
the
distribution?
Spectracoat
I
would
think
so,
even
if
the
output
of
what
saw
their
version
together,
yeah
and
even
if
there
is
a
compendium,
you
know
a
companion
repo
that
shows
the
matrix
of
like
this
person's
tool
ran
against
it
and
got
you
know
a
green
checkmark.
A
D
Putting
in
this
I
was
thinking
a
separate
repo,
but
the
versioning
is
makes
a
good
point.
Is
that
you're
reading
this
spec
and
what
so
the
test
results
either
you
have
to
repose
that
keep
the
same
versioning
scheme
over
time,
but
every
time
we
do
a
spec,
the
spec
update
will
be
good
to
say.
Well,
if
we're
proving
the
spec
update
it'd
be
good
to
have
a
test
that
it
also
has
to
go
in
with
the
PR
so
kind
of
like
that
yeah
on
the
artifact
stuff,
I,
just
think
of
the
artifacts.
D
E
Want
to
Darrell
know:
I
was
just
hoping
to
get
some
thoughts
and
I
mean
I
mean
my
bait.
My
basic
plan
right
now
is
to
reuse
the
Quai
stuff
and
bake
it
into
robot
framework,
which
has
a
really
really
nice
HTML
report,
which
will
say,
like
here's,
the
exact
request,
body
response
and
all
this
I
can
share
an
example
of
that.
But
I
was
just
saying
if
there's
any
aversion
to
any
any
approach
that
I'm
about
to
be
taking
and
whether
that
sounds
pretty
much.
What
I
expected.
A
E
Munched
that
log
yeah
I
mean
someone
can
always
come
in
and
PR
that
you're
wrong
azure
is
lying
or
something
right,
but
like
it's
also
just
that
there's
only
so
many
registries.
Right
now,
let's
say:
there's
hundreds
in
the
future
or
the
spec
goes
1:1,
and
you
want
that
historical
data
and
I
think
a
live
dashboard
down
the
line
would
be
nice
but,
like
I,
think
step,
one
is
getting
a
process.
D
I
was
thinking
more
about
and
I
think
we
partially
discussed
this
last
week.
Was
you
know
it's
one
thing
to
have
the
open
source
registries.
You
know
like
way
and
harbor
that
under
CN
CF,
maybe
there's
some
automation
in
place
that
every
time
a
commit
has
done,
the
verification
runs
and
those
make
perfect
sense
for
things
like
you
know,
J,
frog
or
us
or
Google.
You
know
it's
like
I
struggle
a
little
bit
with
how
honest
people,
honest
is
not
the
right
word,
because
that
sounds
the
judgmental.
D
You
know
if
I
ran
the
test,
and
you
know
we
failed
in
some
place-
I,
don't
know
how
proactive
that
I
would
want
to
be,
and
I
would
say
that
I
am
probably
more
proactive
than
maybe
others
would
be
necessarily
or
rather
than
my
marketing
team
might
actually
try
to
stop
me
from
being
honest
and
put
something
up.
So
I
would
probably
just
keep
on
hacking
at
it
until
we
were
able
to
go
green
on
that
thing.
D
Until
we
got
post
got
it
posted,
which
means
that
it
might
not
be
put
up
right
away,
so
I
I
think
it's
I.
Think
it's
more
important
right.
Now
we
get
the
tests
in
place
that
anybody
can
run
and
validate
it.
In
fact,
a
customer
of
ours
should
be
able
to
go
and
get
the
tests,
and
the
the
thing
that
was
more
important
to
me
was
the
conversation
we
had
last
week
was
sorry
I
bounced
around
a
little
bit.
B
D
That
the
sorry
I
was
one
more
point,
just
the
the
piece
that
came
out
of
it
was
because
the
distribution
spec
intentionally
leaves
certain
things
open
off
for
one.
The
conversation
we
had
last
week
was
a
certain
registries
like
docker
hub
require
you
to
create
the
repo
first,
the
spec
doesn't
say
that
and
the
creator
repo
is
not
a
spec
8,
a
distribution,
spec
API
its
registry
specific.
So
for
each
I
would
say
your
test
framework
has
to
provide
that.
D
There's
an
openness
that,
when
you're
running
against
a
CR,
here's
the
ACR
pieces
that
make
this
the
the
automated
test
possible,
as
well
as
to
occur
hub
and
Quay
and
so
forth.
And
then
a
customer
that
wants
to
evaluate
hey,
do
I,
want
to
use
GC,
RACR
or
Harbor.
They
can
run
those
tests
themselves
and
yes,.
E
E
Readme
they're
basically
required
ever
read
me.
That's
like
here's
your
setup,
so
this
is
how
you'd
spin
up
a
cluster.
This
is
how
you
run
sonobuoy
and
then
here's
the
teardown
so
yeah.
It's
exactly
that
and
the
tool
that
is
yet
to
be
created
would
basically
take
a
registry,
endpoint
and
I
guess
an
optional
auth
token
I
guess
it
could
be
completely
off
yeah.
Whatever
is
whatever
is
very
much
not
specific
to
the
provider
and
should
work
with
all
the
registries.
Then.
D
E
D
D
A
D
That
makes
sense
for
the
ones
that,
like
Quay
and
harbor,
that
supports
standalone
but
the
you
know
and
they're
there
a
couple
of
great
ones,
but
the
majority
of
the
registries.
You
know
there
are
cloud
hosted.
We
don't
have
standalone
like
you.
You
play
a
standalone
ACR
by
creating
a
nice
era
in
your
subscription
I.
Just.