-
Notifications
You must be signed in to change notification settings - Fork 86
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support OCI 1.1 GA specifications #892
Comments
@priteshbandi @iamsamirzon We can discuss this issue for OCI 1.1 GA, and make a plan later. |
Yes please :D
Wouldn't this be a violation of the OCI spec? See https://github.com/opencontainers/distribution-spec/blob/main/spec.md
Maybe I am reading this wrong, but it's my interpretation that the referrer-tag-schema is only valid as a fallback after a client tried to use the proper referrers-API first. |
It is the current default behavior of using |
That wasn't my understanding of the subject/referrer specs. I was under the impression that clients would push an artifact with a subject, and if the registry did not indicate they supported the referrers API, the client would fall back to pushing the tag. The detection method has changed from a 404 on the referrers API to a header on the manifest push, but it hasn't depended on the release date of the 1.1.0 distribution-spec. Registries will transition on their own schedule, and potentially not at all. Hopefully I'm just misinterpreting. cc @sajayantony |
Yes, now that OCI 1.1 is generally available (GA), we should remove this feature from the experimental flag. However, before doing so, can we please ensure that allow-referrers-api complies with the GA specification?
Yes, unless we bump up major version.
IMO it shouldn't matter. The feature will be accessible through the allow-referrers-api flag and should align with the OCI 1.1 specification. Thus, if a registry supports OCI 1.1, it should function properly. Additionally, we can always make minor adjustments later if needed. |
I second with @priteshbandi 's opinions above. My two cents:
|
Here is the summary per the discussion in the community meeting on Mar 4, 2024: Current behavior When experimental flag List of work items
/cc: @priteshbandi @FeynmanZhou @shizhMSFT @vaninrao10 to review above work items |
Watching the recording of yesterday's meeting has me concerned. Does the lack of the From the spec, when pushing a manifest, if the subject field exists, the tool doing the pushing must push the fallback tag when the registry does not include the header to indicate registry supports the API:
When querying for referrers, the fallback is triggered on a 404 to the referrers API:
https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#listing-referrers The upgrade policy for registries requires that they include content previously pushed to the fallback tag, so there's no need to merge both:
https://github.com/opencontainers/distribution-spec/blob/v1.1.0/spec.md#enabling-the-referrers-api My concerns with making this a flag for the user (assuming that's switching whether the API or fallback tag is used) is that it creates a split brain issue where:
|
Thanks @sudo-bmitch. I think your comments make sense if registries comply with OCI 1.1 spec. My understanding is if registries do not implement OCI 1.1 referrers API, clients do not have a deterministic way to do the fallback. This is the reason |
Hi @yizha1. The They should also respond with a 404 or similar error to the referrers API request, which is the trigger to query the fallback tag. Registries that support the referrers API should always return a response, even if it is an empty list because the manifest doesn't exist or has no referrers. We designed both of those to make it possible to automatically distinguish between a registry that supports the referrers API and an existing 1.0 registry, so that tooling would be able to gracefully fallback without requiring user interaction. |
To summarize my understanding from today's meeting: The concern isn't that notation isn't able to know when a registry supports referrers, it's that older notation clients already exist that do not use the referrers API and only support the fallback tag. In other words, we are already in a split brain scenario where clients are depending on the fallback tag even when the registry is upgraded. So this flag is to ensure new versions of notation continue to support the older clients. For a graceful upgrade, my suggestion is to switch the verification logic to always use the referrers API, falling back to the tag when a 404 or similar error is encountered. Then when clients later switch the push based on the registry support for referrers in the future, clients verifying will have hopefully already upgraded to support that. When pushing a manifest with a subject, there's no action to include it in the referrers API, so the registry is indifferent to seeing the fallback tag pushed. |
The high-level plan is as follows: Update our current oci-1.1 implementation which is behind the In the notation 1.2 release:
In future release, increase the major version for notation and make oci 1.1 as the default behavior for the sign operation. PS:
|
What's the default value of the |
Thanks @sudo-bmitch @priteshbandi @shizhMSFT for comments. According to the discussion in the meeting on Mar 12, 2024, Shiwei's comment was answered in the meeting. We are now aligned on the plan as Pritesh commented. Sajay posted a chat message during the meeting that for Notation |
From the discussion, the referrers API would always be used going forward, with an automatic fallback to the tag schema. The referrers API is queried on verification, not on signing. The flag would be to force the push of the fallback tag on signing, even if the registry indicates the referrers API is supported, to avoid breaking older clients that only know how to pull the tag. |
Agree. Thanks for the clarification. |
Closing this issue as it's completed. |
Is your feature request related to a problem?
OCI v1.1 was released recently including:
The latest Notation release v1.1.0 uses image spec
v1.1.0-rc.6
and by default useReferrers Tag schema
when storing signatures. Besides uplifting dependency to the stable releasev1.1
of the image spec, it is also recommended to revisit the experimental feature of "--allow-referrers-api flag" as registries will implement and enable Referrers API as OCI 1.1 is stable now. Some questions to answer:--allow-referrers-api
flag from experimental feature, and make it a stable feature?Referrers Tag schema
still be the default?What solution do you propose?
N/A
What alternatives have you considered?
N/A
Any additional context?
N/A
No response
The text was updated successfully, but these errors were encountered: