In reply to@_slack_opencontainers_UGGPC8W85:matrix.org
The goal for OCI artifacts is to create an ecosystem where we don’t actually know, or even need to know all the types. Just like there’s no official list of file types for windows or linux. That said, it would be great to know and we thought of having a clearing house in the OCI Artifacts repo. We decided to not block anyone and to have folks register with IANA to “own” their type. But, a list of types to advertise would be great.

In reply to@_slack_opencontainers_U013LP307S7:matrix.org
makes sense. as a registry implementor, i'm interested in such a list so that we can "understand" various types and give a richer user experience for them. for now in the DO registry we do that only for container images, but helm charts are an obvious next step and other types would be interesting as they become more common.

In reply to@_slack_opencontainers_UGGPC8W85:matrix.org
Gotcha. We did/do have a PR for registry operators to have a set of schemas artifact authors can provide so registry operators can present icons, localized strings and such. The other side of things is, should a registry limit the mediaTypes? File systems don’t limit file extensions. But, if you provide extra info, the file system can provide icons and text for the type. So, DO might want to relax the limits to enable an ecosystem. As you start to show icons for Image and Helm, artifact authors like OPA, CNAB, Singularity and WASM would ask, “hey, how do I get that for...)

In reply to@_slack_opencontainers_U013LP307S7:matrix.org
ah, yeah, we don't limit types at all - i've tested with helm and it works. it just doesn't look "right" in the UI, since we assume everything is a container image.

In reply to@_slack_opencontainers_U013LP307S7:matrix.org
i was in touch with the CNAB folks late last year and i know they had tested our registry, too. definitely interested in providing better UX around all kinds of artifacts in the future.

In reply to@_slack_opencontainers_UGGPC8W85:matrix.org
Just saw this from the Harbor folks: https://www.cncf.io/blog/2020/08/25/harbor-is-extending-its-reach-with-key-image-distribution-features-and-support-for-machine-learning-artifacts/ They really took advantage of the config object to store additional data, not in the layers.

In reply to@_slack_opencontainers_UR09UUBA4:matrix.org
What does this mean, generally, for the OCI specs and forward looking thoughts?

In reply to@_slack_opencontainers_UGJKRG59C:matrix.org
hey folks! I'm implementing an OCI registry for Django and running into some design questions - specifically if a blob should be allowed to be associated with more than one image, or if it's more secure to only allow 1:1. I've expressed my concern in detail here - https://github.com/opencontainers/distribution-spec/issues/180#issuecomment-695074478 would appreciate any quick thoughts/feedback so I can refactor what I currently have!

In reply to@_slack_opencontainers_UGJKRG59C:matrix.org
I was originally wanting to associate images with blobs based on tags, before the manifest upload, but it seems like the name doesn't include a tag (just the repository) so the association can only be done via the final request to upload a manifest, and either the registry needs to parse the manifest to find the blob digests (and create a link) or just have no ide (which seems like a bad idea when a manifest/tag deletion request is done because we can't clean up)

In reply to@_slack_opencontainers_UGJKRG59C:matrix.org
Why would a registry server need a repository name to upload a blob to in the case that the association isn't made until the final upload of the manifest?

In reply to@_slack_opencontainers_ULL23GEGN:matrix.org
For blob to image, that is really a matter of how your registry implements permissions. The common way to do it is to associate blobs at a repository level, since associating at an image level is not really possible without clients sending specifying the exact image when requesting blobs. To keep storage efficient, a common hash based blob storage can be used for the large data, then keep all the repository to blob associations to gate access of those blobs, this preservers permission and efficiency

In reply to@_slack_opencontainers_ULL23GEGN:matrix.org
For cleaning manifests when last tag is deleted, that is another policy thing. You can have a policy where manifests are automatically removed, kept forever, or deleted based on some staleness criteria

In reply to@_slack_opencontainers_ULL23GEGN:matrix.org
nothing in the specification requires keeping manifests, the only expectation is that if the manifest exists the blobs which is links to should be available

In reply to@_slack_opencontainers_UGGPC8W85:matrix.org
Basically, there's a garbage collection issue. Layers can be de-duped across repositories. But that means there's reference counting that must be tracked. This has been a debate. From an ACR perspective, we're seeing customers not just ask, but demand better deletion capabilities. Not just because they don't want to pay for so much additional storage, but their registries have old content that has vulnerabilities. If the images are so old, and not kept for archival reasons, or they're builds that never got deployed, they need to be deleted.

In reply to@_slack_opencontainers_UGJKRG59C:matrix.org
Derek McGowan what are your thoughts on having blobs not associated to any specific repository, but shared between them (and only have a cleanup policy if no longer linked to any one repository?)

In reply to@_slack_opencontainers_ULL23GEGN:matrix.org
v that's how docker/distribution and containerd do blob storage