►
From YouTube: OCI Weekly Discussion - 2021-11-18
Description
Recording of the OCI weekly developer's call from 18 Nov 2021; agenda/notes here: https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg?view#November-18-2021
B
A
B
A
A
E
B
D
F
B
A
lot
of
people
and
that
security
advisory,
I
will
welcome
any
questions
around
it
and
I
don't
the.
I
think
that
the
neat,
the
neat
thing
to
say
is
that
the
it's
the
release
process.
We
were
we're,
since
we
had
never
done
a
release
like
this.
We
tried
to
make
sure,
because
there
was
a
brief
moment
where
there
was
a
lot
of
stuff
that
could
have
been
released
in
both
the
image
and
distribution
spec
if
we
just
tagged
it
on
the
end
of
main
tag
to
release
on
the
end
of
main.
B
But
we
decided
to
kind
of
do
it
in
a
way
where
the
whole
community
would
be
involved
in
the
discussion
of
releasing
all
the
features
that
have
been
merged
into
maine
in
the
meantime,
and
so
the
the
wording
that
was
updated
on
both
distribution
and
image.
Spec
are
not
breaking,
which
was
important,
they're
strongly
worded
shoulds
and
a
few
musts,
but
like
they're,
like
kind
of
conditional
musts.
B
Sadly,
it
could
almost
be
a
neat
feature
had
it
been
well
defined
since
the
beginning,
but
as
it
was,
and
that
kind
of
the
behavior
that
people
have
come
to
expect
with
fetching
an
image
and
then
effectively
look
relying
on
the
this
content
type
to
be
provided
in
the
http
headers,
so
that
they
know
how
to
work
with
the
payload
they're
receiving
just
needed
some
definition
so
that
we
don't
have
any
malicious
use
of
it
and
because
it's
mitigatable
and
all
this
kind
of
stuff.
I
I
don't
think
I
mean
like
this.
B
B
B
B
I
think
that
the
more
curious
part
about
running
this
advisory
you
know
with
all
the
people
involved,
was
that
it
made
most
sense
for
an
advisory
to
run
against
the
specifications,
even
though
that's
not
really
a
place
to
have
an
advisory,
because
it's
all
the
implementations
that
would
technically
have
the
you
know
kind
of
vulnerability
effectively.
If
you
don't
want
to
classify
it
as
such,
but
we
kind
of
coordinated
that
effort
and
we'll
see
all
the
different
services
and
containers
roll
out
their
own
fixes
and
mitigations
accordingly.
B
So
that's
neat.
I
do
think
that
probably
we
should
coordinate
a
blog
on
the
on
the
on
the
oci.
I
hadn't
had
not
even
thought
about
that
until
we
like
pushed
the
submit
button,
I
just
posted
the
the
made
that
post
of
the
dev
mailing
list
and
should
now
reach
out
to
chris
chris
and
amy
about
you
know
having
some
kind
of
wording,
but
I'd
welcome
any
thoughts
on
messaging,
otherwise,.
B
D
D
Assumes
that,
like
what
you've
proved
conformance
for
is
that
your
product
is
locked
and
that
also
the
spec
is
locked
or
the
conformance
suite
is
locked,
and
neither
of
those
are
true.
So
what
I'm
proposing
instead?
Is
we
just
simply
tear
down
that
page
right
now
and
I
opened
a
pr
to
like
to
do
this.
D
I
don't
know
who's
in
control
of
merging
that
so
I
pinged
chris,
but
basically,
when
you
submit
for
conformance,
you
can
add
a
badges
markdown
file
and
then
we
make
a
new
results
page
that
if
you've
added
that
badges,
we
can
then
show
that
on
the
table
and
it
will
link
to
your
ci
your
github
actions,
doing
your
stuff.
You
can
also
submit
conformance
and
not
put
the
badges
and
just
put
the
html
and
xml
files
and
you're
good
to
go.
D
D
G
D
G
D
D
G
Now
I
think
what
you're
saying
is:
you
guys
did
some
for
the
initial
for
the
right
industries
and
it
wasn't
ever
there
so
that
it
became
a
wall
of
shame
because
you
put
up
some
red
badges
and
gave
them
a
chance
to
fix
it,
and
not
everybody
took
the
time
so
rather
than
having
a
list
of
shame.
Is
it
just
it's
a
it's
an
incomplete
list?
If
you
want
to
be
in
the
list,
then
you
submit
your
exactly
yeah.
That
makes
sense.
So
it's
almost
the
same
process
as
just
a
matter
of
you're.
D
D
I
I'm
not
sure
that
it's
our
responsibility
to
like
double
check
their
work,
that
their
conformance,
so
if
they're
lying
they're
lying
and
you
pretty
much,
are
just
going
to
merge
what
comes
in
I
mean.
Maybe
I'm
not
thinking,
hardly
hard
enough
about
it,
but
we
just
need
some
people
there
to
press
the
buttons
and
then
beyond
that
my
topic
last
week
is
like
we
need
people
to
submit
results,
so
somebody
from
gitlab
had
sent
a
thing,
and
I
think
that's
great-
that
they
opened
an
issue
from
here.
D
I'm
going
to
basically
try
to
go
to
the
registries.
I
know
about
open
an
issue
and
ask
them
to
do
that
individually
and
that's
what
steven
day
recommended
I
do
also
so
so
yeah
so
seeking.
I
don't
know
as
many
people
as
we
can
get.
I
I
I
suggested
like
we
have
two
from
each
spec,
because
the
conformance
will
be
around
specs,
even
though
it's
just
distribution
right
now
and
steve
you
volunteered,
even
though
you're
not
a
technically
a
maintainer,
it
seems
but
like
if
you're
willing,
then
I'm
fine
with
that.
G
D
Yeah
and
then
like
kind
of
like
piggybacking
on
this
too,
as
we
put
together
a
group
of
maintainers
for
this,
maybe
we
can
use
this
as
the
test
ground
to
hash
out
this,
like
maintainers
files
stuff,
like
alexa,
sent
this
email
to
me
or
to
the
chain
that
the
maintainers
file
is
the
definitive
source,
and
then
I
looked
at
the
repos
there's
like
half
of
them.
Don't
even
have
that
file
and
then
the
oci
conformance
stuff
has
people
who
haven't
been
active
since
like
2015..
So
I
don't,
I
don't.
D
Yes,
so
you
would,
we
would
show
a
green
check
that
you're
compliant
with
one
o.
According
to
the.
If
you
look
at
the
instructions,
it
actually
says
minor
versions
are
all
you
need
to
submit
for.
So
if
you
break
for
101,
like
that's
a
bad
thing
but
you've
submitted
for
1-0,
so
we
would
show
a
green
check
for
the
registry
because
you've
just
because
you've
submitted-
and
maybe
your
badge
will
show
red.
G
So
the
I
wonder
if
it
should
be
based
on
maine
or
should
be
based
on
the
release
branches,
because
one
of
the
things
we
were
discussing
in
one
of
the
recent
meetings
was
maine
would
start
to
have
things
that
were
pending
the
next
release,
so
that
people
can
start
to
build.
Some
stability
around
the
the
whatever
is
defined
in
maine
as
an
upcoming
release,
and
the
fact
that
it's
in
maine
and
not
cut
to
release
also
suggests
that
it's
not
final,
like
we
were
talking
about
number
111.
D
The
so
right
now,
it's
just
like
add
a
single
file
under
live
slash
registry
name,
slash
badges,
but
what
we
could
also
do
is
v10
slash,
registry
name,
slash
badges
and
we
can
show
badges
for
a
lock
and
we
can
show
badges
for
a
live
also,
so
both
we
could
do
both
or
just
like
the.
What
the
test
right
now
are
doing
is
main
of
everything.
So
that's
what
we
have
right
now,
and
so
that's
what
I
was
trying
to
mimic
with
this
proposal
and
that's
kind
of
a
hard
pr
to
look
at.
D
H
D
So
it
would
simply
the
thing
I'm
thinking
is
that
it
would
simply
allow
for
badges
coming
from
it
could
be
travis,
it
could
be
actions,
it
could
be
anything
and
you
just
give
us
badges
and
we'll
build
a
map
like
a
main
like
a
for
the
dashboard.
Okay,
just
concat
those
files
in
so
whatever
badges.
You
put.
You
know
you
want
to
do
some
cross-site
scripting
on
the
you
know,
whatever
you
want
to
do.
D
D
This,
but
like
just
to
be
clear,
I'm
marking
this
I'm
proposing
this
as
an
optional
thing,
because
it
is
not
scalable
to
rely
on
this,
these
badges
to
actually
prove
conformance.
I
think
we
need
to
go
the
same
route
as
kate's
conformance
vendors.
Can
we
take
them
on
their
on
their
word
that
their
conformant
by
by
nature,
that
they
submitted
a
pr
and
part
of
the
pr
is
like
give
a
readme
of
how
you
could
reproduce
this?
So
anyone
could
come
in
and
be
like?
Actually
hey.
H
D
So
yeah
it's
it's
a
little
bit
hazy
like
as
far
for
the
open
source
ones.
I
guess
anyone
could
submit,
but
I
think
it's
like
I
wouldn't
want
to
like
come
in
and
submit
zot,
because
I'm
not
like
I'm,
not
the
one.
That's
you
know
so
I'll.
I
will
once
we
get
these
changes
in.
I
will
do
a
bundle
bar
one
that
we
can
use
as
a
reference,
but
then
I'm
gonna
basically
go
to
each
of
the
open
source
projects.
I
don't
know
how
to
like.
H
So
I'll
pick
it
up.
I
understand
that
having
open
containers
run,
the
tests
for
other
registries,
in
other
words,
doesn't
make
sense.
So
I
totally
support
it.
I
just
wanna
I'm
just
trying
to
get
the
direction
of
okay.
This
is
where
a
dev
would
go
and
submit
the
tests
and
make
sure
it's
healthy,
just
trying
to
get
more
details
there.
So
this.
D
D
H
Sounds
great
so
the
current
workflows,
you
have
a
branch
under
blood
orange
io,
slash,
oca,
conformance
right
and
the
40
ammos
are
in
there
for
the
workflow.
So
what
I
think
you're
expecting
is
that
we
own
that
in
our
opposite.
Yes,
and
then
we
have
a
regular
action,
ci
cd,
whatever
works
for
us
and
then
submit
a
badge,
so
I
just
need
to
figure
out
how
get
moved
over
and
totally
fine.
It
makes
perfect
fit
exactly.
D
Exactly
yeah,
so
that
the
reason
so
my
second
message
on
that
chain
was
I'm
keeping
a
branch
that
has
all
those
animals,
so
they
mostly
just
work.
A
lot
of
them
were
just
not
working
because
we
had
out
of
date
credentials
for
some
of
the
clouds.
Acr,
I
think
was
was
good
to
go
though.
So
you
guys
just
need
to
you
know,
put
the
right
secrets
in
github
and
it
should
work.
H
And
but
putting
on
a
putting
on
more
like
an
open
containers
hat
here,
I
don't
think
having
all
registry
credentials
inside
one
giant
repo
being
able
to
hit
every
cloud
is,
is
something
that
is
maintainable
in
the
long
run
right
like
you're.
Looking
at,
I
don't
know
if
it
grows
it's
going
to
get
out
of
hand
anyway.
So
it's
fine!
Yes,.
D
E
D
D
B
B
You
know
distributions
kubernetes
distributions
that
wanted
to
have
that
certification
marker,
and
that
was
something
we
that
particularly
back
to
those
two
names
we're
trying
to
work
out
years
ago,
like
how
do
we
drive
a
certification
process
and
it
was
less
easy
to
pin
down
and
it
was
kind
of
like
the
loop.
That
would
dovetail
that
whole
thing
back
together,
so.
D
G
Okay,
creating
a
better
carrot
help
or
is
this
just
not
something
people
are
overly
focused
on
I
mean
it
did
take
time
it
like
it
was
something
we
had
to
go
spend
you
know,
allocate
time
to
go
off
and
do
so.
I
I'm
not
if
we're,
if
folks
aren't
interested
in
doing
it
more
than
a
couple
then,
and
we're
not
and
I'm
not
advocating
for
the
wall
of
shame.
I
thought
that
was
always
an
interesting
approach,
but
it
it
should
we
invest
in
this
or
what's
the
right
balance
here.
B
Yeah
yeah,
I
think
I
think
the
fact
that
the
registry
api
was
used
for
so
long
before
it
became
a
distribution.
Spec
conversation
was
the
kate's
conformance,
got
cut
out
in
front
of
the
train
on
that
one
and
distribution
kind
of
lagged
in
that
conversation.
So
it's
already
been
used
widely,
rather
than
saying
really
you
ought
to
have
this
certified
moniker.
You
know
certified
annotation
on
your
service,
so
it
would
be
mostly
a.
B
It'd
be
kind
of
a
lagging
process.
I
think
that's
what
we're
feeling
here.
Is
it
like
encouraging
people?
What
what
is
the?
What
is
the
win
here?
You
know
the
value
and
somebody
saying
that,
because,
if
they
aren't
strictly
conformant
or
whatever,
if
we
like
point
out
the
areas
where
they're
not
conformant,
is
that
a
big
deal
does
it
is
it?
B
D
I
think
beyond
a
1-0
there's
also
a
lot
of
value
to
the
end
users.
So
if
we
roll
out
a
1-1
with
some
new
features,
you
could
know
instantly
by
going
to
this
page.
Who
has
these
new
features?
What
I
want
to
try
out
right
now,
it's
like
everyone,
just
scrambles
to
add
a
new
feature,
and
we
never
know
I
mean
that's
like
with
the
artifact
stuff
like
that
was
a
whole.
D
G
G
B
D
G
B
Good,
besides
the
discussion,
I
think
it's
it's
it's
something
we
all
need
to
be
aware
of,
and
it
almost
feels
like
once
some
of
this
like
there's
a
couple
of
patterns
in
place,
then
we
can
at
least
start
kind
of
a
campaign
and
actually
ask
all
the
members
here
who
are
involved
in
those
projects,
whether
it's
like
you
said
zot,
acr,
gcr,
otherwise,
people
to
step
up
and
it
might
that
might
require
folks
to
have
have
to
have
conversations
with
either
their
employer
or
otherwise.
But
it
it
this.
D
B
B
Like
I
was
saying,
I
don't
expect
that
you
watched
the
video
from
last
week
but
effectively
I
did
not
did
not
see
that
see
it
as
the
working
group
tob
proposal
was
in
you
know,
particularly
in
my
lap
or
any
of
the
tabs
lap
to
say
yes,
this
is
ready
to
vote
on
and
start
the
vote.
So
in
that
way
you
know
it
was
taking
taking
blame
that
if
it
was
in
my
lap,
then
I
didn't
realize
it.
So
if
it
is
in
my
lap,
then
we
need
to
get
it
voted
on.
A
A
G
I'm
happy
to
follow
whatever
process
that
you
know
we
want,
but
I've
been
waiting
for
direction
on
how
you
wanted
to
proceed.
This
is,
I
think
this
is
just
the
you
know,
hot
potato,
whatever
it
is,
that
just
has
got
bounced
around,
I'm
not
sure
who
owns
what
step
next
steps,
but
let's
just
identify
what
that
is
and
and
make
the
next
steps.
G
B
B
B
B
Well,
I
mean
almost
like
almost
like
the
kep
workflow.
Sometimes
you'll
have
kubernetes
caps
that
don't
create
new
repos.
They
just
show
a
particular.
You
know
effort
how
it's
orchestrated
and
they
commit
a
markdown
file.
That
shows
this
is
what
this
effort
is
about
and
how
it's
tracked
and
who
to
get
involved
with
or
in
contact.
B
B
This
could
be
a
pr
to
the
tob
proposals-
repo,
just
fine,
I'm
just
saying
looking
at
this
repo
everything
in
there
we're
all
existing
just
existing
repo
creations
of
repos,
not
something
that
kind
of
cross-sections.
That
is
a
working
group.
So
maybe
the
file
is
wd
whatever
you
know,
thought
markdown,
that's
fine!
So
just
to
be
concrete
ready
to
we're
ready
to
vote.
You
wanted
to
see
john
added
as
a
in,
in
that
you
know,
stakeholders
list
or
whatever
and
it'd,
be
probably
just
as
well
that
this
is
a
open,
a
pr.
A
B
G
G
B
Again,
yeah
the
the
maybe
with
the
with
the
holiday
in
the
middle
of
it,
then
we
just
make
it
a
little
bit
longer,
but
let's
go
ahead
and
unbox
it,
even
if
it's
like
you
know,
december
1st
or
something
that
gives
more
than
a
basically
gives
two
weeks
from
right
now.
If
sometimes
we
only
do
those
votes
for
seven
days.
If
we
go
ahead
and
get
it
out
of
the
way
now,
then
it
gets
people
on
the
front
end
back
inside
of
this
u.s
holiday.