draft a new blog: ORAS 0.14 and Future: Empower Container Secure Supply Chain #52
Thanks @FeynmanZhou, excellent to see docs and blog posts, in addition to the awesome enhancements and release.
A few nits before LGTM
docs/blog/oras-0.14-and-future.md
Outdated
@@ -0,0 +1,73 @@ | |||
# ORAS 0.14 and Future: Empower Container Secure Supply Chain | |||
|
|||
_Feynman Zhou, CNCF Ambassador, Product Manager_ |
Do you want to scope that you're an ACR Product Manager?
docs/blog/oras-0.14-and-future.md
Outdated
|
||
_Feynman Zhou, CNCF Ambassador, Product Manager_ | ||
|
||
The [OCI Registry As Storage (ORAS)](https://oras.land/) project maintainers announced v0.14 release for the CLI tool on Aug 22. ORAS v0.14 provides four new top-level commands and new options to manage supply chain artifacts across different container registries and multi-cloud environments. |
Suggest adding a link to the 0.14 release:
/replace ...for the CLI tool on August 22
/with for the oras CLI on August 22
docs/blog/oras-0.14-and-future.md
Outdated
|
||
## Install ORAS 0.14 | ||
|
||
Install the latest release of ORAS on a Linux machine: |
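Review bot: "Install the latest release of ORAS" under the "Install ORAS 0.14" heading will stop matching once a newer release ships, so name v0.14 explicitly in this sentence. If the commands that follow download a release archive, a checksum verification step before unpacking would suit a post about supply chain security.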
This solves Linux, should we point to a common install oras page in oras.land?
And, when, oh when can we apt-get/win-get install :)
docs/blog/oras-0.14-and-future.md
Outdated
In this demo, assume all images in are validated in MAR, so I will use ORAS to copy the container image from Microsoft Artifact Registry (MAR) to my personal repository of Docker Hub. You can use your prefered container registry with ORAS. | ||
|
||
``` | ||
./oras copy mcr.microsoft.com/mmlspark/spark2.4:1.0.0 registry-1.docker.io/pengfeizhou/spark2.4:1.0.0 |
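Review bot: The copy command references the source image by the mutable tag `1.0.0`, so the "validated in MAR" assumption in the sentence above it is not tied to specific content; consider showing the image digest after the copy, or referencing the image by digest, so the later SBOM steps refer to a fixed image. In the same sentence, "assume all images in are validated in MAR" has a stray "in" and "prefered" should be "preferred".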
using `./oras` assumes it's in the same directory.
Can we change this to `oras copy` assuming the developer centrally installed it?
You shouldn't need registry-1 in the docker.io reference.
This should work
./oras copy mcr.microsoft.com/mmlspark/spark2.4:1.0.0 docker.io/pengfeizhou/spark2.4:1.0.0
I would redact the destination registry name in this example
docs/blog/oras-0.14-and-future.md
Outdated
Generate a SBOM for the Spark image stored in Docker Hub: | ||
|
||
``` | ||
./sbom-tool generate -di registry-1.docker.io/pengfeizhou/spark2.4:1.0.0 -b ./foo -pn bar -pv 0.1 -bc ./foo -ps MyCompany -nsb http://mycompany.com |
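Review bot: The `sbom-tool generate` line passes `./foo`, `bar` and `0.1` to `-b`, `-bc`, `-pn` and `-pv` without saying what they stand for, and the attach step later on the page depends on the output landing under `foo/`; add a sentence mapping each flag to its meaning or use descriptive placeholder values. Also, "Generate a SBOM" should read "Generate an SBOM".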
remove ./sbom-tool as it should install centrally
remove registry-1 from docker.io reference
There is a bug related to this: oras-project/oras#542
I will update it to `docker.io` after the 0.15 release.
Oh, that's unfortunate.
On the first reference to registry-1, can you add: See oras-project/oras#542 for removing registry-1?
docs/blog/oras-0.14-and-future.md
Outdated
Attach the generate SBOM to this Spark image stored in Docker Hub: | ||
|
||
``` | ||
oras attach registry-1.docker.io/pengfeizhou/spark2.4:1.0.0 foo/_manifest/spdx_2.2/manifest.spdx.json --artifact-type example/sbom |
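Review bot: `oras attach` is given the relative path `foo/_manifest/spdx_2.2/manifest.spdx.json`, which only resolves if the reader runs it from the directory where the SBOM was generated; say so or state the working directory explicitly. `--artifact-type example/sbom` reads as a placeholder, so note that readers should substitute their own type, and "Attach the generate SBOM" should be "Attach the generated SBOM".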
love the `attach` command
Same comment about removing registry-1 from the docker.io reference.
docs/blog/oras-0.14-and-future.md
Outdated
|
||
_Feynman Zhou, CNCF Ambassador, Product Manager_ | ||
|
||
The [OCI Registry As Storage (ORAS)](https://oras.land/) project maintainers announced v0.14 release for the CLI tool on Aug 22. ORAS v0.14 provides four new top-level commands and new options to manage supply chain artifacts across different container registries and multi-cloud environments. |
The [OCI Registry As Storage (ORAS)](https://oras.land/) project maintainers announced v0.14 release for the CLI tool on Aug 22. ORAS v0.14 provides four new top-level commands and new options to manage supply chain artifacts across different container registries and multi-cloud environments. | |
The [OCI Registry As Storage (ORAS)](https://oras.land/) project maintainers recently announced v0.14 release for the CLI tool. ORAS v0.14 introduces four new top-level commands and new options to manage supply chain artifacts across different container registries and multi-cloud environments. |
No need to commit my suggestions. You can add them directly to the source branch as I don't want to break DCO
docs/blog/oras-0.14-and-future.md
Outdated
|
||
The [OCI Registry As Storage (ORAS)](https://oras.land/) project maintainers announced v0.14 release for the CLI tool on Aug 22. ORAS v0.14 provides four new top-level commands and new options to manage supply chain artifacts across different container registries and multi-cloud environments. | ||
|
||
Prior to ORAS CLI v0.14 release, the ORAS Go library, also released v2.0.0-rc.2 to support [artifacts-spec v1.0.0-rc.2](https://github.com/oras-project/artifacts-spec/releases/tag/v1.0.0-rc.2) and provide new functions to enable developers to build your own OCI client tool. |
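Review bot: In the added "Prior to ORAS CLI v0.14 release" sentence, the comma after "the ORAS Go library" separates the subject from "also released", and "enable developers to build your own OCI client tool" switches person mid-clause. Suggest "the ORAS Go library also released v2.0.0-rc.2" and "build their own OCI client tool".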
Prior to ORAS CLI v0.14 release, the ORAS Go library, also released v2.0.0-rc.2 to support [artifacts-spec v1.0.0-rc.2](https://github.com/oras-project/artifacts-spec/releases/tag/v1.0.0-rc.2) and provide new functions to enable developers to build your own OCI client tool. | |
Prior to ORAS CLI v0.14 release, the ORAS Go library, also released v2.0.0-rc.2 to support [artifacts-spec v1.0.0-rc.2](https://github.com/oras-project/artifacts-spec/releases/tag/v1.0.0-rc.2) and provides new functions to enable developers to build your own OCI client tool. |
docs/blog/oras-0.14-and-future.md
Outdated
In this demo, assume all images in are validated in MAR, so I will use ORAS to copy the container image from Microsoft Artifact Registry (MAR) to my personal repository of Docker Hub. You can use your prefered container registry with ORAS. | ||
|
||
``` | ||
./oras copy mcr.microsoft.com/mmlspark/spark2.4:1.0.0 registry-1.docker.io/pengfeizhou/spark2.4:1.0.0 |
I would redact the destination registry name in this example
This PR is still in WIP. Please do not review or merge.