spec: describe descriptors and digests #111
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| A _Content Descriptor_ or _Descriptor_, describes the disposition of targeted content. | ||
| A _Descriptor_ includes the type of content, an independently-verifiable content identifier, known as a "digest" and the byte-size of the raw content. | ||
|
|
||
| Descriptors SHOULD be embedded in other formats to securely reference external content. |
There was a problem hiding this comment.
I think this should be turned around to get “Other formats SHOULD use descriptors to securely reference external content”.
There was a problem hiding this comment.
+1 on turning it around as this format will stand on its own in #94
There was a problem hiding this comment.
Well, +1 on this change but I see below it says they can be independent
There was a problem hiding this comment.
On Wed, Jun 01, 2016 at 04:59:36PM -0700, Brandon Philips wrote:
+Descriptors SHOULD be embedded in other formats to securely reference external content.
Well, +1 on this change but I see below it says they can be independent
We got the turned-around “Other formats SHOULD use descriptors to
securely reference external content.” line, but this is still here.
Can we drop this line?
|
LGTM after minor nit cleanups. |
| Before consuming content targeted by a descriptor, the byte content MUST be verified against the _digest_. | ||
| Heavy processing of before calculating a hash SHOULD be avoided. | ||
| Implementations MAY employ some canonicalization to ensure stable content identifiers. | ||
|
|
There was a problem hiding this comment.
Include mention of size verification to avoid Length Extension Attack.
stevvooe
force-pushed
the
descriptors-specification
branch
2 times, most recently
from
47e94ac
to
5bb899a
Compare
|
Most of the feedback has been serviced. Schema definitions and validation of examples have been added. Note that the schema layout probably isn't ideal, but we may want to revisit in another PR. |
stevvooe
changed the title
| +++ | ||
| draft = true | ||
| +++ | ||
| <![end-metadata]--> |
There was a problem hiding this comment.
It was in the top of the other spec. Figured we were using it.
Was this copied over from docker? This looks like part of Docker's docs build system.
There was a problem hiding this comment.
perhaps. It's seems fine to drop.
|
LGTM nit: There is some metadata at the header of this file. I don't know what it is for but otherwise looks great. |
|
@vbatts do you know how we force a rebuild? Also, @opencontainers/image-spec-maintainers can we get an LGTM? One more LGTM required to merge this. |
|
|
||
| ### Reserved | ||
|
|
||
| The following are field keys that MUST NOT be used in descriptors specified in other OCI specifications: |
There was a problem hiding this comment.
You're restricting your reservation to “other OCI specifications”? I expect you can trust OCI maintainers to PR this spec if they want a new descriptor field. The folks you want to warn off are external implementations and specs.
There was a problem hiding this comment.
And because it doesn't hurt to also warn off other OCI specs, I'd use something generic like “MUST NOT be defined outside this specificiation”.
|
OK, looks like that worked. Need an additional LGTM from an @opencontainers/image-spec-maintainers |
|
On Tue, Jun 07, 2016 at 04:30:06PM -0700, Brandon Philips wrote:
After each push 1. |
|
@wking ick. I will file an issue with @caniszczyk to see if we can only have it decrement by 1 or something. This makes reviewing this stuff super annoying. |
|
On Tue, Jun 07, 2016 at 04:35:42PM -0700, Brandon Philips wrote:
Just don't bother stamping approval on things until they settle down |
|
@wking I just don't like the system implied mistrust. Like I trust Stephen to just fix nits after I give an LGTM and not require a full re-review of the PR. There is some middle ground here that more accurately reflects the trust model of a collaborative project. |
|
On Tue, Jun 07, 2016 at 08:29:13PM -0700, Brandon Philips wrote:
It's you're project, so you can obviously pick the rules that make |
|
I think this is ready to merge. Can other @opencontainers/image-spec-maintainers take a look and given an LGTM? |
|
LGTM Apparently, we can LGTM ourselves. Feel free to wait for another maintainer to LGTM before merging. |
|
LGTM |
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
Jul 26, 2016
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment)
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
Jul 26, 2016
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment) Signed-off-by: W. Trevor King <[email protected]>
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
Sep 8, 2016
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment) Signed-off-by: W. Trevor King <[email protected]>
wking
added a commit
to wking/opencontainer-runtime-spec
that referenced
this pull request
Sep 14, 2016
There are other APIs described in this specification (e.g. the state JSON format, and the in-flight command-line API [1]), but this string covers the configuration file and referenced objects (e.g. the filesystem at root.path). As additional, backwards compatible features are added to the spec (leading to 1.1, 1.2, etc. releases) and supported by runtimes, those runtimes will *still* stupport 1.0 configs. Once a 2.0 spec is cut, runtimes that only support 2.0 (and nothing in the 1.0 line) will no longer support the 1.0 config. My preferred approach here would be to use JSON-LD [2,3,4] to explicitly document the intended semantics for each field, which would allow us to drop the config-wide version and version each field independently. That would mean a breaking change on a particular field would only break compatibility for folks who were using that field. Unfortunately, I haven't had much luck pushing the consensus in that direction. This commit does not add wording about how the runtime and other consumers should handle an incompatible version. We can address that once the command-line API lands. [1]: opencontainers#513 [2]: opencontainers#371 (comment) [3]: opencontainers/image-spec#111 (comment) [4]: opencontainers#510 (comment) Signed-off-by: W. Trevor King <[email protected]>
wking
added a commit
to wking/image-spec
that referenced
this pull request
Sep 18, 2016
The Docker link landed in 7b39189 (media-types: show relations between media types, 2016-05-02, opencontainers#55), but we've had a descriptor definition locally since d49d055 (spec: describe descriptors and digests, 2016-06-01, opencontainers#111). Signed-off-by: W. Trevor King <[email protected]>
wking
added a commit
to wking/image-spec
that referenced
this pull request
Sep 29, 2016
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b6 (Add some text about extensions, 2016-06-26, opencontainers#164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [2], but that would be a larger change ;). [1]: opencontainers#111 (comment) [2]: opencontainers#111 (comment) [3]: opencontainers#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <[email protected]>
wking
added a commit
to wking/image-spec
that referenced
this pull request
Sep 29, 2016
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b6 (Add some text about extensions, 2016-06-26, opencontainers#164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers#111 (comment) [2]: opencontainers#111 (comment) [3]: opencontainers#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <[email protected]>
dattgoswami9lk5g
added a commit
to dattgoswami9lk5g/bremlinr
that referenced
this pull request
Jun 6, 2022
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <[email protected]>
7c00d
pushed a commit
to 7c00d/J1nHyeockKim
that referenced
this pull request
Jun 6, 2022
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <[email protected]>
7c00d
added a commit
to 7c00d/J1nHyeockKim
that referenced
this pull request
Jun 6, 2022
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <[email protected]>
laventuraw
added a commit
to laventuraw/Kihara-tony0
that referenced
this pull request
Jun 6, 2022
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <[email protected]>
tomalopbsr0tt
added a commit
to tomalopbsr0tt/fabiojosej
that referenced
this pull request
Oct 6, 2022
We're not forbidding other OCI specs from using these fields, we're forbidding all specs (except for future versions of image-spec) from using these fields [1,2]. The wording I'm bringing in here matches what 873b9b64 (Add some text about extensions, 2016-06-26, #164) landed for the org.opencontainers.* annotation namespace. My personal preference would be to use JSON-LD to assign explicit semantics to every field (after which you don't have to worry about namespacing the fields themselves) [3], but that would be a larger change ;). [1]: opencontainers/image-spec#111 (comment) [2]: opencontainers/image-spec#111 (comment) [3]: opencontainers/image-spec#111 (comment) And later comments in that sub-thread. Signed-off-by: W. Trevor King <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a definition for content descriptors and digests, which are used as
content identifiers in the OCI image specification.
Signed-off-by: Stephen J Day [email protected]
This is a draft of the descriptor specification, which includes the digest calculation.
Before merging:
Closes #92
cc @philips @vbatts