From YouTube: OCI Weekly Discussion - 2021-12-02
Description
agenda/notes: https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg?view#December-2-2021
B
B
B
I was listening, it was a podcast the other day, so I didn't get to see it, but whoever was doing it, they were complaining about everybody that had the bad Zoom backgrounds, and you can always tell. And then apparently one of the people switched his and they're like, "Wait, you're not in your office?" He goes, "No, I just took a picture of my office, and then I'm downstairs in the basement with a green screen." So everybody was like, "You're just two floors away," but yeah.
C
B
B
This one, not sure if people saw this over on the distribution spec, and so I wasn't sure how much this was interesting to us.
B
Just kind of thinking through when we have a, an index that isn't fully populated, and so it points to references to things that should be on that local registry. They're not remote references or something like that with a URL, but it's a reference to a local manifest and it just doesn't exist on the registry. And they want to say that's a support case, and there, there are good reasons for it.
B
B
So that would be nice. But I'm thinking of like vulnerability scanners that would scan a partial index and say, "Hey, it looks good, I didn't see any vulnerabilities," and then someone later on uploads a massively vulnerable manifest that never got scanned and usually know about. So I'm thinking through those kind of scenarios and what could possibly go wrong there, and just kind of want to throw it out to see other people's thoughts on that. One, just make sure that folks are aware of that.
B
So this is for an index or a manifest list, and what they're saying is they want to be able to sparsely copy individual manifests out from a manifest list or from an index, to not copy all the images, but some of them? Are you thinking of copying just some blobs out from an image and not all the blobs?
D
E
This one was a little more interesting in the sense that I really like the optimization, where I don't have to pull all of them, but there was an interesting assumption around: does a scan result really scan the index, or does it use the index to figure out what it's going to scan below it? So, and even we went through this a little bit with the signing, but the interesting thing related to whether it exists or it's in other locations.
E
We kind of went through this back when we were doing PR 27, where we wanted to reference things in other repos, which, even in the same registry, became a challenge because the index assumes the content is in the same repo, not, not even the same registry. At least when I say the index assumes, our implementations that cloud providers have done tend to make that assumption. So I like this scenario, I think it's just a matter of what, what are we trying?
E
B
B
You start building and trusting it, and then everything starts coming back 404, and so not really ideal scenario for users when they see something out there and they think they can use it and then find out that it doesn't actually exist on the registry. And similar for the scan, is that the scan would have to be a layer down just to make that work, and so you couldn't put a scan at the top level anymore.
B
E
B
F
F
Adding a feature for scanning or anything like that, the manifest blob unknown error was supposed to apply to anything on the manifest standpoint, and somehow, during the processing of over drying the spec, we referenced the, only the image manifest and not the other kinds of types and objects that are on the manifest endpoint, and so the spec needs to be opened up to correctly reflect that. I think the original spec had been written that way as well.
B
F
Well, I mean, yeah, yeah, I mean it doesn't say it now. With this change, we're saying we're just clarifying it. Like, I think the spec says if you have a manifest you should, you know, you should return manifest blob unknown or show errors when they're missing descriptors, right? We're saying, like, oh, that man, that definition was too narrow, because from the perspective of the distribution side, the manifest is anything that is uploaded to the manifest endpoint. It's not just the image manifest itself, right? So a manifest could be like an image index.
F
It could be a Docker manifest list. It could be, you know, whatever we come up for artifacts or any kind of supported type of the registry that we use on that manifest endpoint: there's like a presumptive validation of that type, which we don't do for blobs, right? And then there's a presumptive check. So, like other, other kinds of environmental checks, right, it might be like, oh.
F
Look at, I can look at the blobs that I have. I can look at, oh, like, hey, am I referencing a blob that has like known vulnerability or something like that, right? So you can have extra validation on top of that, and in that case you can return that manifest, you know, blob unknown error.
B
B
B
F
I mean if there are registries that aren't doing it, like they allow you to, if there, if there are registries that are supporting monolithic image pushes and they're not doing this validation, they would allow uploading of invalidate, like, like unpullable images, right.
F
The, but the original, the, you know, the original use case is quite valid. It's from James, James Hewitt, right? He's saying like, "Oh, I want to make a registry where, you know, I only."
B
B
I do the copying of images across registries, and so, if I hit a partial index out there, the copy will fail halfway through.
F
C
F
B
B
I didn't go through and do it even deep enough search of everything, but just to say that, you know, if you have multiple index entries in a single index that match whatever you're looking for as a runtime, that you should pick the first one, and so that gives us, gives people the ability to extend an index with multiple things. For example, out there you might have an image that can be run, but you could also have an artifact, and from the index level you can't tell the difference between an image and artifact.
B
They look the same, and so you could be able to potentially put some annotations or something like that in your index to say this is the individual manifest I want to pull for a signature or an SBOM or something like that, and so that SBOM verifier would know to pull its specific one out there, but the general runtime that doesn't know anything about all this crazy stuff or throwing at it would just know I need to pull the first one out the list. So I just wanted to clarify that point.
E
B
Yeah, I'm sure people find other ways to use this. I think there have been other discussions out there talking about runtimes that have different layer formats, and so you could push a manifest with one layer format and different manifest with different layer formats, and then the runtime that knows to use that second layer format would know to pull the second manifest.
F
Yeah, this problem is surprisingly difficult. In general, this has been my recommendation for client implementation, so I don't see a problem with it being in spec. I'm wondering if we should have an "unless" in there.
F
Unless, like, so: "if multiple manifests match a client or runtime's requirements, the first matching entry should be used," unless there's some overwriting client policy or something like that. But I think maybe "should" is enough there to cover that.
A
G
F
Using the term, so from this perspective of the spec, the runtime is the whole host environment. So I think I agree with you, Jason. Easy LG, LGTM on this one, I think.
B
F
F
H
B
So that was all I had. I think, Josh, you're up next on the conformance.
D
Sharing, can you see? Okay, yes, okay! So sorry if my emails have become essentially spam at this point, but just trying to get this all together. Thank you, and there's been a few other people who have been willing to help with this. Super excited that it's like kind of all coming together.
D
D
This page is now completely dynamic, based on what's in that repo, so you can see we have like open source and hosted, and everything that's under distribution spec v1.0, we're parsing all of this, and then, if the, there's a file in here called product. If this says type distribution, that's open source, and the rest of this metadata is pulled out, and because we're using JUnit we're actually able to parse that and go and figure out which of the workflows and distribution that are supported.
D
So you can see like Vanessa just support, like uploaded this last night, and by going through the JUnit, we're able to see it supports pull, push, content discovery, management, and also this version is not hard coded, it's being pulled out too, so we're, it. Once we get a 1.1, the process, we'll simply be adding a v1.1 folder here and resubmitting for the, the same product that was for v1.0, and it will just show up as another column here.
D
The other thing, too, is we're bringing in the actual test report into this site, so you can actually click through here now and see the actual test output, all in the browser, as well as there is a, there's another file that people have to provide called readme, and this just shows you how to actually reproduce those results.
D
D
That's pretty much it, that's all I have to say about it, but now we just, we need for people to submit. I would love for this page to just have dozens of different registries, which we were testing before. I'm happy to help, you know, put together some of these files, but I think it's probably best if the people responsible for the registry are the ones submitting it, because I'm not going to complain, I'm not going to claim conformance for your registry, but I'm happy to help put together these submissions.
D
D
Thanks, thank you. So yeah, if nothing to discuss, like we, we just like, thank you, everyone who, then Steve who, you know, is offering to get involved in this. I'm hoping that we just get PRs coming in. We just need to encourage, I think, the more, the more that get added to this, the more encouraging it will be to get your registry on there.
I
Josh, I had a question. So can you, do you get a conformance badge as a, as a distribution provider, and if you're not, do you, what does it take to be fully conformant? So do you allow, is it each of those sections, as long as you have one of them, you are conformant, or do you need all of them?
D
From the, after many, many conversations last year, I think that we decided pull is the only absolute required thing. People have different feelings about this, but I think it makes sense because you could be a read-only registry and still be an OCI product. So, and no, we don't have any type of badge. That's something I think we'd probably to talk to like Linux Foundation legal about, which I don't, I don't know, yeah.
I
We don't, I don't know that you need, needed. I just worked on Kubernetes conformance, so the analogs, a couple of things I saw in Kubernetes: name squatting, people submitting, you know, conformance results on behalf of other providers, so they had to put, I don't know if you've seen the Kubernetes stuff, they wrote a bot now that basically passes the whole thing and you have to do all those verification pieces, but yeah, name squatting was a big one, and fabricated results.
I
Yeah, so I know, you know, we have to put the cart before the horse, but I guess is there any check on, you know, me saying I own this registry, here's the results, and, you know, actually validating their name of the registry at least matches?
D
It sounds, it seems like, I don't know, it's definitely the point of this, so I don't want to make light of it, but getting people to sign up seems like the biggest priority for me right now. In the, in the case of the open source ones, like maybe, and I don't want to put more work on the maintainers that just signed up for this, but we could try running the steps in the readme, I don't know. Maybe, I, are you still on that team, Lachlan?
J
I
A while ago, they had conformance profiles, right, so that you could create in different platforms what contributed conformance. But, you know, I guess, let's just leave it and see what happens and address problems if and when they come up.
I
I
D
A
A
It's verifiable with some work, I mean it's, yeah, yeah, and even, even if I catch somebody being non-compliant, I would probably still have to fight them in the issue, sorry, issue comments to, you know, agree with that. But I totally agree that, like, getting more of these is more important than adjudicating each and every one we have. Right now we, that's not the problem.
D
Exactly, and maybe we do a thing like, if someone does find an issue with one of them, we give people like 15 days to resubmit working or we remove it. Like, I think what, what's cool about this is the, this new list of maintainers.
D
I think beyond that, like figuring out access controls and OCI, like I want to, like, come up with a more workable maintainership model. I know I'm going off your topic, but.
I
Things, yeah, I think one of the things that Kubernetes did, it has a different number of conformance checks per version, and then the bot actually checks that the results match the number of conformance checks. So as long as the number of conformance sets change between versions. I, I don't know that it was fraudulent. I probably overspoke, it's copy and paste errors between versions, right? It's like, I just took the results from 1.0 and 1.1. It's like, hey, there are three more conformance checks in 1.1, your, your results don't check out.
I
So that's just something, I think that's the kind of math they run on Kubernetes. It's, keep changing the number of conformances, and then version-specific conformance numbers don't equal the same thing, so that you can run some lightweight validation.
I
H
Oh, that was, that was, I think that was me. I don't think I put my initials on it, but that was about effectively cleaning up the.
H
The, the conversation about the security release that Tycho had said of, if you're, if you're just pulling from master right now, then it still shows the prior release, because we, the way we branched it. So open the PR to show a merge back of, on image spec and distribution spec, which introduces an ugly bubble in the git branch history. But at least then people who are getting, anybody, any, any projects that currently import from distribution or image spec for the simple Go structures will stop getting the Dependabot alerts.
H
So it could be a pretty quick couple LGTMs if folks think that it looks correct in those PRs. It's not a breaking change. It just introduces a bubble, it's not actually even a change, because those changes, those commits are already in the main branch. It just, it just shows that a tagged release is now in, you know, tracking, in that main branch, so Dependabot alerts go away.
C
That's a separate topic, but you want to go there. Well, maybe I'll add it to the end.
H
So yeah, that, that's, that's, that's it for the, what PR, it's, in the note, it's in the markdown, HackMD.
D
D
I think we must have known we were doing this, but it was something I was unaware of. So Jason had put up a PR yesterday on conformance, and I wanted to validate it. So I pulled down a zot server, ran that, and.
D
The GitHub action at main is pulling a Docker image that is pushed to GitHub registry from distribution spec and locked to the 1.0 tests, so they're testing every change against the 1.0 spec, and not necessarily what's in, what's on the main branch, if that makes sense. So I'm wondering if that's the intended behavior, if we should be, if the GitHub action should be locked.
D
Or if we want to enable people to test latest, latest everything, should we on nci be pushing like a latest or main tag so that people can override that image when they're running the GitHub action? It was just a bizarre thing, because I was talking to Rob and he's like, "No, we're definitely, like, we're testing conformance pretty regularly." So there's just been a bunch of changes in the test suite since 1.0 that they're not validating.
J
Yeah, it sounds like it just needs to be updated whenever the, the test case has changed.
J
Yeah, on, on the, on the track releases for a point release that somebody's running against, yes, but if you're, if you're, if you're making a change in main, I think that that's currently tagged to development. If they wanted to get a specific release that's already been published and approved, and they should be going off, not main, but, right, the release branch. Well.
D
I just put in the Zoom chat, so the last line of this file, since this action YAML's on the main branch, it's pointing to this specific v1.0 image, and I'm wondering maybe that should say main and then people could run, like we can cherry pick this onto, oh, I don't know. That image should be locked for the releases, but not for main, maybe. Does anyone have GitHub Actions experience with this?
K
D
K
D
J
D
Okay, we.
L
B
D
Yeah, maybe a v1 branch because, like, I've seen other ones, like a lot of the GitHub-provided ones have like a v1 or v2 on there. I'm not really seeing a lot of main.
J
So I guess the, whoever made the, you know, the option suggestion for selecting, that makes some sense when you're doing your own locals, your own test buckets, but for, you know, whether or not we should merge a PR, it probably needs to be running against the current test bucket that would be built with the changes, right.
D
We'll support both cases somehow. Lachlan, did you have something?
I
J
I
I
B
I think I threw that on the list there, didn't realize we got to that point. Just anything on the working group status, since that, I think they got approved, right, and so next steps, are there ways for community members to participate that aren't maintainers yet, and all those good questions.
E
Yeah, I mean, I think just the first part is, you know, we did get the votes. That's awesome. We were gonna tally them this morning or tally them at this meeting, but that, that came in last night. So that's just that, awesome to get that. Phil, Vincent, as chairs, did you want to think about? You were also at an awkward point of the end of the year. I think we have to kind of figure out what are the next steps there.
M
M
M
E
I
Yeah, I was just going to say we should try and get the administration of pieces out of, out of the way, which is typically, you know, setting up a repo for the work, figuring out when to schedule things, getting Zoom links set up, calendars.
I
You know, channels, because the idea is here that we carve out a space in a time for people that are interested, and anybody can participate, and that those named people on the proposal were the people at least being responsible for the scheduling and running the meetings and taking the notes and making sure that the conversations align with the charter in the state of charter, but I think getting the administration bits can certainly be done before the holidays.
I
And I can, I can take point with the other named folks on that, on the proposal there, to start that process. But I think the question to the TOB would just carving out a space, getting a repo, adding a set of maintainers that can check into that repo, and maybe just establishing, you know, some.
I
You know, set of criteria about, if somebody was to come and stumble across this repo out of the blue, making sure that they know that it's a work in progress, and I think the only other bits to the TOB is like reporting and any outcomes.
I
How do you want interactions between the working group coming back to this group to say, hey, we've made a checkpoint or a milestone, or how do you want that communication to happen, which, you know, might already be in the working group documents, but that's just something: what is the cadence, cadence that this working group needs to report progress back to the TOB, is something, you know, having, having worked on Kubernetes steering.
I
We had to make sure that any working groups were meeting milestones and showing a progress towards the charter and were making progress in line with the charter there. But we don't have to, you know, do too much straight up, I think, just getting, getting a place to at least publish when the meetings are.
I
You know, working on when the meetings that work for most people, getting the Zoom recordings, calendar, all that administration bits is probably the first bit. So I'm happy to, like, work with the people and, and take point on the named folks, if anybody else wants to participate too, but I guess the question would be carving out a space in either a, a separate repository called working group, what, proposal, and then we can go for there.
I
It would be my advice just to set up the, my proposal just to set up the place for the initial meetings to take place and then figure out exactly what we're asking as part of the working group, because I, I don't know, you know, spec versus code, I can't answer that right now without, you know, the working group answering it, so it's just like.
I
E
I
I
We figure out the process, so, let's, you know, not being a TOB member, that's just my advice, because we can go and create all this policy and procedures, but it doesn't actually help people start having conversations about moving that discussion forward. So I'd be lightweight, move fast until we need, you know, until proven process is needed.
M
Yeah, that approach is, is good, and I, I assume kind of that initial thought of like at least having a repo for administrative details. You know, sure, we could do it inside the TOB, but that quickly could get messy if a second or a third, you know, start to pop up. So I guess I, I always forget who has rights to what in our GitHub org, so offline we'll figure out how to make sure the right people get access in the next few days. And maybe Vincent knows more than I do about open containers.
H
It, it varies, and there's some that I've thought that I do have access to and don't, and vice versa. I have the settings button in image spec.
H
I said new repos is, is I do not, that's an andy Amy thing. Distribution spec, but not every, not, not every.
H
This is part of a thread that Josh brought up, you know, as far as like getting consistency across the repos, is that not everything that we have maintainers of, maintainers don't all have rights to those repos, like as far as like GitHub org teams. It's, that's kind of a, not quite a sinkhole conversation, but it's effectively, we, by Phil saying we take that offline, that, that basically needs its own session of like getting Amy or Chris involved, because there's even times enough pinged Amy for something, then she has to get Chris involved.
A
D
There's teams in place for everything, but we just need to put the right people in there.
K
So it sounds to me like the, the best minimal option here right now is figure out where those discussions are going to take place, where that community is meeting and talking about this thing, and when, and get a file in the TOB repo and figure out the details later.
H
E
E
So we just, if we get a Doodle up that accounts for that, or sure, to see who is interested to participate more real time, then that would be great.
I
Okay, I think I can create a BOM, since we love BOMs, of everything that we need to do, and we'll, I'll propose it to the TOB folks on, with, working with the, the folks on the working group proposal at the moment, and then you can, you know, naming a repo and where we put things. I threw some examples of other working group models. I'm not saying Kubernetes is the canonical one, but that's just a model we could follow.
H
Took, it took me 30 minutes to get demoralized that it was bigger than, like, like I went down the path of figure, of seeing why it was broken, that it was a trail of tears, especially because the way that gometalinter work is that it fetched a bunch of things all at once. So as some of those linters started to not work on older versions of, and then metalinter itself is, is outdated.
H
So it's just a little bit of like, what would it look like to have the same kind of test matrix on whatever versions of Golang? I don't really think we, we've always just had kind of an informal trailing of life, last few versions of Go, no like industry standard of like we have to support back to Go one for something crazy like that, and then just take a, take a new, new dive at keeping that working with golangci-lint. I guess that's just, I mean I'm, I'm actually free after this call.
H
F
H
H
H
H
Posted some comments on the PR that Tasia made on my PR.
H
I don't, I'm not, I'm not opposed to it at all. I, I think there was just a few curiosities of why, when, you know, breaking it out into like a discovery endpoint. I think the reason, original reason, was thinking that it would just be like at the base of calling the extension, like as its own path or endpoint, was just that.
H
F
H
H
So arguably, and I think Jason, you've even, you know, raised this point, is that if, if, you know, you're working with a registry or you have a tool that's just going to expect an extension to be in place, and it's, it's not even going to look to discover it first, it's not going to make it, a client's not going to make a call before it checks that extension, unless it's some kind of like variable JSON schema that it has to arrive at.
H
So when, when we were, when we were going from the, go from the Docker v1 to v2 APIs, you know, we introduced that v2 API and it was like some clients would hit it just to see, like, does it support v2 before it would guess, and then eventually they just skipped that step to say, like, if I can go ahead and frame up the call to the v2, whole v2 thing, and if it returns not found, then I can assume that it's a different API.
H
F
E
E
If I only have permissions to a sub portion of the registry, I need to be able to have an extension on that, you know, that discovery ability there. So it's just the route was part of the problem, you know, was, it's great to have stuff at the root, because I might want to search across all repos, but I might have an extensibility point on, on a sub portion of the overall registry.
F
Yeah, that totally makes sense, but the, the question on the PR changes from Tasia is: are we going with three components, underscore space, slash extension, slash component, or are we going with two components, which is underscore extension name, slash operation? I suggested so that would be closer to what we were doing with the discover extension.
F
L
That means we would have to kind of like make referrers like what, what would that look for one API, as an example, would be, right now we have something like, just as an example, it would be ORAS artifacts referrers. Are we saying we just go with artifact reference or ORAS reference, that's, if it's only two parts?
L
F
And then, so, yeah, the reason, the reason I like the smaller path components is when you get the repository name and these path components all together, you can end up with a really large, confusing, hard-to-parse path, and so this kind of forces query parameters on the actual path either into a document that's posted along with the request or into just GET query parameters.
F
So I think that's, I think that's a better model for these extensions, and, and I guess I'm just reiterating what we were talking about before, but hopefully that clarifies everything.
L
F
Vincent, did that clarify your concern, or were you talking more about the difference between registry level and repository level extensions? I had not gotten to the registry versus repository.
H
Discovery, no, I think that I'll, just I'll look back, look back at it, and I think sometimes conversations break down into certain nuance that it'll take a little bit of a review just to think through the whole thing again, since we kind of, I think it, not quite fish tailed, but just has kind of, kind of gone in two different directions. Making sure it's not gotten too spread thin of a conversation, but anyhow, we're at time. I'll call it for this recording, and then those that want to check on CI stuff.