-
Notifications
You must be signed in to change notification settings - Fork 663
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
spec: describe descriptors and digests #111
spec: describe descriptors and digests #111
Conversation
A _Content Descriptor_ or _Descriptor_, describes the disposition of targeted content. | ||
A _Descriptor_ includes the type of content, an independently-verifiable content identifier, known as a "digest" and the byte-size of the raw content. | ||
|
||
Descriptors SHOULD be embedded in other formats to securely reference external content. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this should be turned around to get “Other formats SHOULD use descriptors to securely reference external content”.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 on turning it around as this format will stand on its own in #94
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well, +1 on this change but I see below it says they can be independent
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On Wed, Jun 01, 2016 at 04:59:36PM -0700, Brandon Philips wrote:
+Descriptors SHOULD be embedded in other formats to securely reference external content.
Well, +1 on this change but I see below it says they can be independent
We got the turned-around “Other formats SHOULD use descriptors to
securely reference external content.” line, but this is still here.
Can we drop this line?
Before consuming content targeted by a descriptor, the byte content MUST be verified against the _digest_. | ||
Heavy processing of before calculating a hash SHOULD be avoided. | ||
Implementations MAY employ some canonicalization to ensure stable content identifiers. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Include mention of size verification to avoid Length Extension Attack.
47e94ac
to
5bb899a
Compare
Most of the feedback has been serviced. Schema definitions and validation of examples have been added. Note that the schema layout probably isn't ideal, but we may want to revisit in another PR. |
+++ | ||
draft = true | ||
+++ | ||
<![end-metadata]--> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what is this stuff?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
i'm not sure
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It was in the top of the other spec. Figured we were using it.
Was this copied over from docker? This looks like part of Docker's docs build system.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
perhaps. It's seems fine to drop.
@vbatts do you know how we force a rebuild? Also, @opencontainers/image-spec-maintainers can we get an LGTM? One more LGTM required to merge this. |
|
||
### Reserved | ||
|
||
The following are field keys that MUST NOT be used in descriptors specified in other OCI specifications: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You're restricting your reservation to “other OCI specifications”? I expect you can trust OCI maintainers to PR this spec if they want a new descriptor field. The folks you want to warn off are external implementations and specs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And because it doesn't hurt to also warn off other OCI specs, I'd use something generic like “MUST NOT be defined outside this specificiation”.
OK, looks like that worked. Need an additional LGTM from an @opencontainers/image-spec-maintainers |
On Tue, Jun 07, 2016 at 04:30:06PM -0700, Brandon Philips wrote:
After each push 1. |
@wking ick. I will file an issue with @caniszczyk to see if we can only have it decrement by 1 or something. This makes reviewing this stuff super annoying. |
On Tue, Jun 07, 2016 at 04:35:42PM -0700, Brandon Philips wrote:
Just don't bother stamping approval on things until they settle down |
@wking I just don't like the system implied mistrust. Like I trust Stephen to just fix nits after I give an LGTM and not require a full re-review of the PR. There is some middle ground here that more accurately reflects the trust model of a collaborative project. |
On Tue, Jun 07, 2016 at 08:29:13PM -0700, Brandon Philips wrote:
It's you're project, so you can obviously pick the rules that make |
I think this is ready to merge. Can other @opencontainers/image-spec-maintainers take a look and given an LGTM? |
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment)
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
The Docker link landed in 7b39189 (media-types: show relations between media types, 2016-05-02, opencontainers#55), but we've had a descriptor definition locally since d49d055 (spec: describe descriptors and digests, 2016-06-01, opencontainers#111). Signed-off-by: W. Trevor King <wking@tremily.us>
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b6 (Add some text about extensions, 2016-06-26, opencontainers#164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [2], but that would be a larger change ;). [1]: opencontainers#111 (comment) [2]: opencontainers#111 (comment) [3]: opencontainers#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <wking@tremily.us>
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b6 (Add some text about extensions, 2016-06-26, opencontainers#164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers#111 (comment) [2]: opencontainers#111 (comment) [3]: opencontainers#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <wking@tremily.us>
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <wking@tremily.us>
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <wking@tremily.us>
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <wking@tremily.us>
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <wking@tremily.us>
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <wking@tremily.us>
Add a definition for content descriptors and digests, which are used as
content identifiers in the OCI image specification.
Signed-off-by: Stephen J Day stephen.day@docker.com
This is a draft of the descriptor specification, which includes the digest calculation.
Before merging:
Closes #92
cc @philips @vbatts