►
From YouTube: OCI Weekly Discussion - 2021-12-02
Description
agenda/notes: https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg?view#December-2-2021
B
B
B
I
was
listening,
it
was
a
podcast
the
other
day,
so
I
didn't
get
to
see
it,
but
whoever
was
doing
it.
They
were
complaining
about
everybody
that
had
the
bad
zoom
backgrounds
and
you
can
always
tell,
and
then
apparently
one
of
the
people
switched
his
and
they're
like
wait,
you're,
not
in
your
office,
he
goes
no.
I
just
took
a
picture
of
my
office
and
then
I'm
downstairs
in
the
basement
with
a
green
screen,
so
everybody
was
like
you're
just
two
floors
away,
but
yeah.
C
B
B
Just
kind
of
thinking
through
when
we
have
a
an
index
that
isn't
fully
populated,
and
so
it
points
to
references
to
things
that
should
be
on
that
local
registry
they're,
not
remote
references
or
something
like
that
with
a
url.
But
it's
a
reference
to
a
local
manifest
and
it
just
doesn't
exist
on
the
registry
and
they
want
to
say
that's
a
support
case
and
there
there
are
good
reasons
for
it.
B
B
So
that
would
be
nice.
But
I'm
thinking
of
like
vulnerability
scanners
that
would
scan
a
partial
index
and
say
hey.
It
looks
good,
I
didn't
see
any
vulnerabilities
and
then
someone
later
on
uploads
a
massively
vulnerable,
manifest
that
never
got
scanned
and
usually
know
about.
So
I'm
thinking
through
those
kind
of
scenarios
and
what
could
possibly
go
wrong
there
and
just
kind
of
want
to
throw
it
out
to
see
other
people's
thoughts
on
that.
One
just
make
sure
that
folks
are
aware
of
that.
B
So
this
is
for
an
index
or
a
manifest
list,
and
what
they're
saying
is
they
want
to
be
able
to
sparsely
copy
individual,
manifest
out
from
a
manifest
list
or
from
an
index
to
not
copy
all
the
images?
But
some
of
them
are
you
thinking
of
copying,
just
some
blobs
out
from
an
image
and
not
all
the
blobs.
E
This
one
was
a
little
more
interesting
in
the
sense
that
I
really
like
the
optimization,
where
I
don't
have
to
pull
all
of
them,
but
there
was
an
interesting
assumption
around.
Does
a
scan
result
really
scan
the
index,
or
does
it
use
the
index
to
figure
out
what
it's
going
to
scan
below
it?
So
and
even
we
went
through
this
a
little
bit
with
the
signing,
but
the
interesting
thing
related
to
whether
it
exists
or
it's
in
other
locations.
E
We
kind
of
went
through
this
back
when
we
were
doing
pr27,
where
we
wanted
to
reference
things
in
other
repos,
which,
even
in
the
same
registry,
became
a
challenge
because
the
index
assumes
the
content
is
in
the
same
repo,
not
not
even
the
same
registry,
at
least
when
I
say
the
index
assumes
our
implementations
that
cloud
providers
have
done
tend
to
make
that
assumption.
So
I,
like
this
scenario,
I
think
it's
just
a
matter
of
what.
What
are
we
trying?
E
B
B
E
B
F
F
Adding
a
feature
for
scanning
or
anything
like
that,
the
manifest
blob
unknown
error
was
supposed
to
apply
to
anything
on
the
manifest
standpoint
and
somehow,
during
the
processing
of
over
drying
the
spec
we
referenced,
the
only
the
image
manifest
and
not
the
other
kinds
of
types
and
objects
that
are
on
the
manifest
endpoint,
and
so
the
spec
needs
to
be
opened
up.
To
correctly
reflect
that.
I
think
the
original
spec
had
been
written
that
way
as
well.
B
F
Well,
I
mean
yeah
yeah,
I
mean
it
doesn't
say
it
now
with
this
change,
we're
saying
we're
just
clarifying
it
like,
I
think
the
spec
says.
If
you
have
a
manifest
you
should
you
know
you
should
return
manifest
blob
unknown
or
show
errors
when
they're
missing,
descriptors
right,
we're
saying
like
oh
that
man,
that
definition
was
too
narrow,
because
from
the
perspective
of
the
distribution
side,
the
manifest
is
anything
that
is
uploaded
to
the
manifest
in
point.
It's
not
just
the
image
manifest
itself
right,
so
a
manifest
could
be
like
a
image
index.
F
It
could
be
a
docker
manifest
list.
It
could
be.
You
know,
whatever
we
come
up
for
artifacts
or
any
kind
of
supported
type
of
the
registry
that
we
use
on
that
manifesting
point:
there's
like
a
presumptive
validation
of
that
type,
which
we
don't
do
for
blobs
right
and
then
there's
a
presumptive
check.
So,
like
other
other
kinds
of
environmental
checks
right,
it
might
be
like
oh.
F
B
B
B
F
B
F
C
F
B
B
I
didn't
go
through
and
do
it
even
deep
enough
search
of
everything,
but
just
to
say
that
you
know
if
you
have
multiple
index
entries
in
a
single
index
that
match
whatever
you're
looking
for
as
a
runtime,
that
you
should
pick
the
first
one,
and
so
that
gives
us
gives
people
the
ability
to
extend
an
index
with
multiple
things.
For
example
out
there
you
might
have
an
image
that
can
be
run,
but
you
could
also
have
an
artifact
and
from
the
index
level,
you
can't
tell
the
difference
between
an
image
and
artifact.
B
They
look
the
same,
and
so
you
could
be
able
to
potentially
put
some
annotations
or
something
like
that
in
your
index.
To
say
this
is
the
individual
manifest.
I
want
to
pull
for
a
signature
or
an
s
bomb
or
something
like
that,
and
so
that
s
bomb
verifier
would
know
to
pull
its
specific
one
out
there,
but
the
general
one
time
that
doesn't
know
anything
about
all
this
crazy
stuff
or
throwing
at
it
would
just
know.
I
need
to
pull
the
first
one
out
the
list,
so
I
just
wanted
to
clarify
that
point.
E
B
Yeah,
I'm
sure
people
find
other
ways
to
use
this.
I
think
there
have
been
other
discussions
out
there
talking
about
times
that
have
different
layer
formats,
and
so
you
could
push
a
manifest
with
one
layer,
format
and
different
manifest
with
different
layer
formats,
and
then
the
run
time
that
notice
to
use
that
second
layer
format
would
know
to
pull
the
second
manifest.
F
F
G
F
B
F
F
H
D
D
This
page
is
now
completely
dynamic,
based
on
what's
in
that
repo,
so
you
can
see
we
have
like
open
source
and
hosted
and
everything
that's
under
distribution,
spec
v1.0,
we're
parsing
all
of
this
and
then,
if
the
there's
a
file
in
here
called
product.
If
this
says
type
distribution,
that's
open
source
and
the
rest
of
this
metadata
is
pulled
out
and
because
we're
using
junit
we're
actually
able
to
parse
that
and
go
and
figure
out
which
of
the
workflows
and
distribution
that
are
supported.
D
So
you
can
see
like
vanessa
just
support
like
uploaded
this
last
night
and
by
going
through
the
junit,
we're
able
to
see
it
supports,
pool
push,
content,
discovery,
management
and
also
this
version
is
not
hard
coded,
it's
being
pulled
out
too,
so
we're
it.
Once
we
get
a
1.1
the
process,
we'll
simply
be
adding
a
v1.1
folder
here
and
resubmitting
for
the
the
same
product
that
was
for
v1.0,
and
it
will
just
show
up
as
another
column
here.
D
The
other
thing,
too,
is
we're
bringing
in
the
actual
test
report
into
this
site,
so
you
can
actually
click
through
here
now
and
see
the
actual
test
output.
All
in
the
browser,
as
well
as
there
is
a
there's
another
file
that
people
have
to
provide
called
readme,
and
this
just
shows
you
how
to
actually
reproduce
those
results.
D
D
That's
pretty
much
it
that's
all.
I
have
to
say
about
it,
but
now
we
just
we
need
for
people
to
submit.
I
would
love
for
this
page
to
just
have
dozens
of
different
registries,
which
we
were
testing
before
I'm
happy
to
help.
You
know
put
together
some
of
these
files,
but
I
think
it's
probably
best
if
the
people
responsible
for
the
registry
are
the
ones
submitting
it,
because
I'm
not
going
to
complain,
I'm
not
going
to
claim
conformance
for
your
registry,
but
I'm
happy
to
help
put
together
these
submissions.
D
D
Thanks,
thank
you
so
yeah,
if
nothing
to
discuss
like
we,
we
just
like.
Thank
you,
everyone
who
then
steve
who
you
know
is
offering
to
get
involved
in
this,
I'm
hoping
that
we
just
get
prs
coming
in.
We
just
need
to
encourage,
I
think,
the
more
the
more
that
get
added
to
this,
the
more
encouraging
it
will
be
to
get
your
registry
on
there.
I
D
From
the
after
many
many
conversations
last
year,
I
think
that
we
decided
pool
is
the
only
absolute
required
thing.
People
have
different
feelings
about
this,
but
I
think
it
makes
sense
because
you
could
be
a
read-only
registry
and
still
be
an
oci
product.
So
and
no,
we
don't
have
any
type
of
badge.
That's
something
I
think
we'd,
probably
to
talk
to
like
linux
foundation,
legal
about
which
I
don't.
I
don't
know,
yeah.
I
We
don't,
I
don't
know
that
you
need
needed.
I
just
worked
on
kubernetes
conformance,
so
the
analogs
a
couple
of
things
I
saw
in
kubernetes
name,
squatting,
people
submitting
you
know
conformance
results
on
behalf
of
other
providers,
so
they
had.
To
put,
I
don't
know
if
you've
seen
the
kubernetes
stuff,
they
wrote
a
bot
now
that
basically
passes
the
whole
thing
and
you
have
to
do
all
those
verification
pieces,
but
yeah
name.
Squatting
was
a
big
one
and
fabricated
results.
D
It
sounds
it
seems
like
I
don't
know,
it's
definitely
the
point
of
this,
so
I
don't
want
to
make
light
of
it,
but
getting
people
to
sign
up
seems
like
the
biggest
priority
for
me
right
now
in
the
in
the
case
of
the
open
source
ones
like
maybe-
and
I
don't
want
to
put
more
work
on
the
maintainers
that
just
signed
up
for
this,
but
we
could
try
running
the
steps
in
the
readme
I
don't
know.
Maybe
I
are
you
still
on
that
team.
Lachlan.
J
I
I
I
D
A
A
It's
verifiable
with
some
work,
I
mean
it's
yeah
yeah
and
even
even
if
I
catch
somebody
being
non-compliant,
I
would
probably
still
have
to
fight
them
in
the
issue.
Sorry
issue
comments
to
you
know
agree
with
that,
but
I
totally
agree
that,
like
getting
more
of
these
is
more
important
than
adjudicating
each
and
every
one
we
have
right.
Now
we
that's
not
the
problem.
D
D
I
Things
yeah,
I
think
one
of
the
things
that
kubernetes
did
it
has
a
different
number
of
performance
checks
per
version
and
then
the
bot
actually
checks
that
the
results
match
the
number
of
conformance
checks.
So
as
long
as
the
number
of
conformance
sets
change
between
versions,
I
I
don't
know
that
it
was
fraudulent.
I
probably
overspoke
it's
copy
and
paste
errors
between
versions
right.
It's
like
I
just
took
the
results
from
1.0
and
1.1.
It's
like
hey.
There
are
three
more
conformance
checks
in
1.1,
your
your
results,
don't
check
out.
I
I
H
H
The
the
conversation
about
the
security
release
that
tycho
had
said
of,
if
you're,
if
you're,
just
pulling
from
master
right
now,
then
it
still
shows
the
prior
release,
because
we,
the
way
we
branched
it
so
open
the
pr
to
show
a
merge
back
of
on
image
pack
and
distribution
spec,
which
introduces
an
ugly
bubble
in
the
get
branch
history.
But
at
least
then
people
who
are
getting
anybody
any
any
projects
that
currently
import
from
distribution
or
image
spec
for
the
simple
go
structures
we'll
stop
getting
the
dependable
alerts.
H
So
it
could
be
a
pretty
quick
couple
lgtms
if
folks
think
that
it
looks
correct
in
those
pr's,
it's
not
a
breaking
change.
It
just
introduces
a
bubble,
it's
not
actually
even
a
change,
because
those
changes,
those
combats-
are
already
in
the
main
branch
it
just.
It
just
shows
that
a
tagged
release
is
now
in
you
know,
tracking,
in
that
main
branch,
so
dependable
alerts
go
away.
H
D
D
Or
if
we
want
to
enable
people
to
test
latest
latest
everything,
should
we
on
nci
be
pushing
like
a
latest
or
main
tag
so
that
people
can
override
that
image
when
they're
running
the
github
action?
It
was
just
a
bizarre
thing,
because
I
was
talking
to
rob
and
he's
like.
No
we're.
Definitely
like
we're
testing
conformance
pretty
regularly.
So
there's
just
been
a
bunch
of
changes
in
the
test
suite
since
100
that
they're
not
validating.
J
Yeah
on
on
the
on
the
track
releases
for
a
point,
release
that
somebody's
running
against
yes,
but
if
you're,
if
you're,
if
you're
making
a
change
in
maine,
I
think
that
that's
currently
tagged
to
development
if
they
wanted
to
get
a
specific
release,
that's
already
been
published
and
approved,
and
they
should
be
going
off,
not
maine,
but
right.
The
release
branch
well.
D
I
just
put
in
the
zoom
chat,
so
the
last
line
of
this
file
since
this
action
yaml's
on
the
main
branch,
it's
pointing
to
this
specific
v10
image
and
I'm
wondering
maybe
that
should
say
main
and
then
people
could
run
like
we
can.
Cherry
pick
this
onto
oh,
I
don't
know
that
image
should
be
locked
for
the
releases,
but
not
for
maine.
Maybe
does
anyone
have
github
actions?
Experience
with
this.
D
K
D
J
L
B
D
J
So
I
guess
the
whoever
made
the
you
know
the
option
suggestion
for
selecting
that
makes
some
sense
when
you're
doing
your
own
locals
your
own
test
buckets,
but
for
you
know
whether
or
not
we
should
merge
a
pr,
it
probably
needs
to
be
running
against
the
current
test
bucket.
That
would
be
built
with
the
changes
right.
I
J
I
I
E
Yeah
I
mean,
I
think
just
the
first
part
is
you
know
we
did
get
the
votes.
That's
awesome.
We
were
gonna,
tally
him
this
morning
or
italian
at
this
meeting,
but
that
that
came
in
last
night.
So
that's
just
that
awesome
to
get
that
phil
vinson
as
chairs
did
you
want
to
think
about?
You
were
also
at
an
awkward
point
of
the
end
of
the
year.
I
think
we
have
to
kind
of
figure
out.
What
are
the
next
steps
there.
M
M
M
E
I
I
How
do
you
want
interactions
between
the
working
group
coming
back
to
this
group
to
say,
hey,
we've
made
a
checkpoint
or
a
milestone,
or
how
do
you
want
that
communication
to
happen,
which
you
know
might
already
be
in
the
working
group
documents,
but
that's
just
something:
what
is
the
cadence
cadence
that
this
working
group
needs
to
report?
Progress
back
to
the
tob
is
something
you
know
having
having
worked
on
kubernetes
steering.
I
We
had
to
make
sure
that
any
working
groups
were
meeting
milestones
and
showing
a
progress
towards
the
charter
and
were
making
progress
in
line
with
the
charter
there.
But
we
don't
have
to
you
know,
do
too
much
straight
up,
I
think
just
getting
getting
a
place
to
at
least
publish
when
the
meetings
are.
I
You
know
working
on
when
the
meetings
that
work
for
most
people
getting
the
zoom
recordings
calendar
all
that
administration
bits
is
probably
the
first
bit.
So
I'm
happy
to
like
work
with
the
people
and
and
take
point
on
the
named
folks.
If
anybody
else
wants
to
participate
too,
but
I
guess
the
question
would
be
carving
out
a
space
in
either
a
a
separate
repository
called
working
group.
What
proposal
and
then
we
can
go
for
there.
I
It
would
be
my
advice
just
to
set
up
the
my
proposal
just
to
set
up
the
place
for
the
initial
meetings
to
take
place
and
then
figure
out
exactly
what
we're
asking
as
part
of
the
working
group,
because
I
I
don't
know
you
know
spec
versus
code.
I
can't
answer
that
right
now.
Without
you
know
the
working
group
answering
it
so
it's
just
like.
I
E
I
I
We
figure
out
the
process,
so,
let's
you
know
not
being
a
tob
member,
that's
just
my
advice
because
we
can
go
and
create
all
this
policy
and
procedures,
but
it
doesn't
actually
help
people
start
having
conversations
about
moving
that
discussion
forward.
So
I'd
be
lightweight
move
fast
until
we
need
you
know,
until
proven,
process
is
needed.
M
Yeah
that
approach
is
is
good
and
I
I
assume
kind
of
that
initial
thought
of
like
at
least
having
a
repo
for
administrative
details.
You
know
sure
we
could
do
it
inside
the
tob,
but
that
quickly
could
get
messy
if
a
second
or
a
third
you
know
start
to
pop
up.
So
I
guess
I
I
always
forget
who
has
rights
to
what
in
our
github
work
so
offline,
we'll
figure
out
how
to
make
sure
the
right
people
get
access
in
the
next
few
days?
And
maybe
vincent
knows
more
than
I
do
about
open
containers.
H
H
This
is
part
of
a
thread
that
josh
brought
up.
You
know
as
far
as
like
getting
consistency
across
the
repros.
Is
that
not
everything
that
we
have
maintainers
of
maintainers?
Don't
all
have
rights
to
those
repos
like
as
far
as
like
github
organ
teams,
it's
that's
kind
of
a
not
quite
a
sinkhole
conversation,
but
it's
effectively.
We
by
phil,
saying
we
take
that
offline
that
that
basically
needs
its
own
session
of
like
getting
amy
or
chris
involved,
because
there's
even
times
enough
pinged
amy
for
something,
then
she
has
to
get
chris
involved.
A
K
H
E
I
Okay,
I
think
I
can
create
a
bomb,
since
we
love
bombs
of
everything
that
we
need
to
do
and
we'll
I'll
propose
it
to
the
tob
folks
on
with
working
with
the
the
folks
on
the
working
group
proposal
at
the
moment,
and
then
you
can,
you
know,
naming
a
repo
and
where
we
put
things,
I
threw
some
examples
of
other
working
group
models.
I'm
not
saying
kubernetes
is
the
canonical
one,
but
that's
just
a
model.
We
could
follow.
H
Took
it
took
me
30
minutes
to
get
demoralized
that
it
was
bigger
than
like,
like
I
went
down
the
path
of
figure
of
seeing
why
it
was
broken
that
it
was
a
trail
of
tears,
especially
because
the
way
that
go
metal
under
work
is
that
it
fetched
a
bunch
of
things
all
at
once.
So
as
some
of
those
linters
started
to
not
work
on
older
versions
of
and
then
metal
lender
itself
is
is
outdated.
H
So
it's
just
a
little
bit
of
like
what
would
it
look
like
to
have
the
same
kind
of
test
matrix
on
whatever
versions
of
golang?
I
don't
really
think
we
we've
always
just
had
kind
of
an
informal
trailing
of
life.
Last
few
versions
of
go
no
like
industry
standard
of
like
we
have
to
support
back
to
go
one
for
something
crazy
like
that,
and
then
just
take
a
take
a
new
new
dive
at
keeping
that
working
with
go
laying
sea
island.
I
guess
that's
just
I
mean
I'm,
I'm
actually
free
after
this
call.
H
F
H
H
H
H
I
don't
I'm
not
I'm
not
opposed
to
it
at
all.
I
I
think
there
was
just
a
few
curiosities
of
why,
when
you
know
breaking
it
out
into
like
a
discovery
endpoint,
I
think
the
reason
original
reason
was
thinking
that
it
would
just
be
like
at
the
base
of
calling
the
extension
like
as
its
own
path
or
endpoint
was
just
that.
H
F
H
H
So
arguably-
and
I
think
jason
you've,
even
you
know
raised
this
point-
is
that
if,
if
you
know
you're
working
with
a
registry
or
you
have
a
tool,
that's
just
going
to
expect
an
extension
to
be
in
place,
and
it's
it's
not
even
going
to
look
to
discover
it.
First,
it's
not
going
to
make
it
a
client's
not
going
to
make
a
call
before
it
checks
that
extension,
unless
it's
some
kind
of
like
variable
json,
schema
that
it
has
to
arrive
at.
H
F
E
E
If
I
only
have
permissions
to
a
sub
portion
of
the
registry,
I
need
to
be
able
to
have
an
extension
on
that.
You
know
that
discovery
ability
there.
So
it's
just
the
route
was
part
of
the
problem.
You
know
was
it's
great
to
have
stuff
at
the
root,
because
I
might
want
to
search
across
all
repos,
but
I
might
have
an
extensibility
point
on
on
a
sub
portion
of
the
overall
registry.
F
L
That
means
we
would
have
to
kind
of
like
make
referrers
like
what.
What
would
that
look
for
one
api,
as
an
example
would
be
right.
Now
we
have
something
like
just
as
an
example.
It
would
be,
or
as
artifacts
referrers
are,
we
saying
we
just
go
with
artifact
reference
or
as
reference,
that's,
if
it's
only
two
parts.
L
F
And
then
so,
yeah
the
reason.
The
reason
I
like
the
smaller
path
components
is
when
you
get
the
repository
name
and
these
path
components
all
together,
you
can
end
up
with
a
really
large
confusing
hard
to
parse
path,
and
so
this
kind
of
forces
query
parameters
on
the
actual
path,
either
into
a
document.
That's
posted,
along
with
the
request
or
into
just
git
query
parameters.
L
F
H
Discovery,
no,
I
think
that
I'll,
just
I'll
look
back
look
back
at
it
and
I
think
sometimes
conversations
break
down
into
certain
nuance.
That
it'll
take
a
little
bit
of
a
review
just
to
think
through
the
whole
thing
again,
since
we
kind
of
I
think
it
not
quite
fish
tailed,
but
just
has
kind
of
kind
of
gone
in
two
different
directions:
making
sure
it's
not
gotten
too
spread
thin
of
a
conversation,
but
anyhow
we're
at
time
I'll
call
it
for
this
recording
and
then
those
that
want
to
check
on
ci
stuff.