# Open Container Initiative at Cloud Native SecurityCon

## Feb 1, 2023 - 2pm to 5pm Pacific

### Zoom:

Join Zoom Meeting
https://zoom.us/my/opencontainers?pwd=S2tJVGVra0dYdlZCRjJwdXdPdGRQQT09
Passcode: 77777

One tap mobile
+16699006833,,591648311# US (San Jose)
+16465588656,,591648311# US (New York)

Dial by your location
+1 669 900 6833 US (San Jose)
+1 646 558 8656 US (New York)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 591 648 311
Find your local number: https://zoom.us/u/aLDk4OXTu

### Room: 618 - Seattle Convention Center

### Agenda items for working session:

- OCI 1.1 release
  - <https://github.com/opencontainers/image-spec/milestone/14>
  - <https://github.com/opencontainers/distribution-spec/milestone/6>
  - <https://github.com/opencontainers/runtime-spec/milestone/17>
  - <https://github.com/opencontainers/image-spec/pull/999>
  - Jon will be virtual, ~30 min late.
- Discuss checkpoint image support
  - <https://github.com/opencontainers/image-spec/issues/962>
- Additional Owners and Stakeholders are needed for the Auth WG
  - <https://github.com/opencontainers/tob/pull/119>
- more topics here!

## Recording

**Recording**: https://youtu.be/MV-r8Uxtgeo

## In-Person Attendees:

* Brandon Mitchell
* ToddySM
* Sajay Antony
* Samuel Karp
* Amye SP
* Brian Goff
* Lachie
* John Kjell

## Remote Attendees:

* Tianon
* Yi Chen
* Chris Crone (will need to leave early)
* Jesse Butler
* Vincent Batts
* Michael Brown
* Ramkumar Chinchani
* Josh Dolitsky
* Akihiro Suda
* Stephen Day
* Victor Lu
* Alex Flom

![](https://i.imgur.com/Lry81UL.jpg)

## zoom chat log

00:08:33 Jesse Butler: This is what remote work was like in the before times, y'all. So nostalgic.
00:09:20 ToddySM: 😃
00:10:02 Jesse Butler: I put the checkpoint issue in for discussion
00:10:09 Jesse Butler: But not pressed to kick things off
00:11:40 Chris Crone: He's a very quiet, very good engineer
00:14:48 Chris Crone: Thanks Lachie!
00:17:12 vbatts: https://github.com/opencontainers/image-spec/issues/962 ?
00:25:17 Josh Dolitsky: were hands thrown in seattle yet?
00:25:47 ToddySM: What hands, Josh?
00:27:33 Jesse Butler: Thank you sam!
00:32:36 Sajay Antony: Love the head gear Josh.
00:37:48 ToddySM: Chris A from CNCF just entered the room here
00:38:19 Jesse Butler: Hi chris!
00:38:41 Sajay Antony: Hi Chris, Hi Jon
00:38:51 Brandon Mitchell: Victor and Jon, we're just going around giving everyone a chance to give their initial position.
00:39:09 Jon Johnson: Thanks
00:44:03 Chris Crone: I unfortunately have to drop. Thank you all!
00:44:19 Sajay Antony: Reacted to "I unfortunately have..." with ❤️
01:00:54 Jon Johnson: Can't hear
01:06:08 Josh Dolitsky: FWIW and maybe helpful, this is pr of cosign w/ oci 1.1 but no new manifest (but with subject, artifactType, referrers) https://github.com/sigstore/cosign/pull/2684
01:06:26 Josh Dolitsky: see "SBOM Flow"
01:06:30 Sajay Antony: Reacted to "FWIW and maybe helpf..." with 👍
01:09:24 ToddySM: Good one, Jesse - we have 2 more hours till get the alcohol 😄
01:09:38 Jesse Butler: We're getting the band back together!
01:10:29 Jesse Butler: Shoot I swear I looked - sorry I missed your hand Jon
01:10:37 Jon Johnson: I went up after you!
01:10:46 Jesse Butler: Ah cool cool. I do need a cocktail 🙂
01:13:19 Jesse Butler: Specification vs Compliance, exactly
01:19:18 Michael Brown: Honestly, pretty impressive stack space / memory IMO
01:19:30 vbatts: ya
01:19:44 Jesse Butler: Yeah thanks Jon that was a great summary of your position
01:19:51 Jon Johnson: <3
01:19:55 cpuguy83: Jelly of that stack.
01:20:00 cpuguy83: *stack space
01:23:18 Aaron Friel: Reacted to "*stack space" with 💯
01:23:48 Aaron Friel: brew uses oci <3
01:31:57 Stephen Day: We can get rid of the manifests endpoint
01:32:01 Aaron Friel: Reacted to "We can get rid of th..." with 😆
01:32:03 Jon Johnson: i'm down
01:32:08 Sajay Antony: There was a time I remember artifactManifest had blobs field called descriptors.
01:34:08 Jon Johnson: https://github.com/sigstore/cosign/pull/2684 uses image manifest, not artifact manifest
01:34:42 Sajay Antony: Jon there is one difference logical difference that Image manifest needs a config blob. (zero or not)
01:35:28 Jon Johnson: An ~empty config blob vs a nonexistent config blob is ~100 btyes
01:36:18 Jon Johnson: bytes* So for the zero blob artifact manifest, you get minor savings in space, but for non-zero blob artifact manifest, it's actually more compact to represent as an image manifest.
01:36:54 Sajay Antony: Reacted to "bytes* So for the z..." with 👍
01:37:13 Aaron Friel: Distribution spec does have an extensions API, but it doesn't help tools and the companies/groups behind them know whether they can use a registry.
01:39:02 cpuguy83: Config could be optional and when it is not set layers are not required, and a new "blobs" field could be there.
01:39:37 Sajay Antony: +1 if config were optional and had a artifactType field.
01:45:18 vbatts: setting Config to OPTIONAL would be _just as breaking_
01:45:41 vbatts: expecting users to pass _something_ is duct tape
01:45:51 vbatts: `application/x.farts`
01:46:20 Ramkumar Chinchani: Are we underestimating how quickly end-user tooling gets fixed these days?
01:46:26 Sajay Antony: This is why I didn't want to recommend making CONFIG optional.. It's removing a REQUIRED field on the image manifest.
01:47:59 Josh Dolitsky: i think referrers is important for wasm etc too. matt butcher commented on needing graph of things
01:48:27 vbatts: @ram I don't think so. Container things are well into the bell curve, so some tools will be _quick_ but there are deployments out there that won't get these features for 5+ yrs
01:48:32 Aaron Friel: Agree - but it's irrelevant if they can't count on pushing the root artifact 🙂
01:48:45 vbatts: @sajay I see
01:48:53 Aaron Friel: All the referrers/subject fields in the world don't help producers if the artifact is rejected on push.
01:49:07 Brandon Mitchell: I know a lot of people in government spaces take a very long time to update things, especially when going into airgapped environments.
01:51:49 Aaron Friel: Do we or could we find a collection of OCI *clients* and just experimentally observe their behavior? I prefer to make decisions with data, do we know how e.g.: tools like Snyk, Anchore, etc., handle scanning images?
01:52:50 Aaron Friel: Images that may be missing a config, or whose layers are arbitrary binary content.
02:11:27 Sajay Antony: The types are in image spec.
02:11:48 Jon Johnson: We don't need the types if we define distribution-spec via duck-typing
02:21:10 Sajay Antony: https://github.com/opencontainers/image-spec/pull/1004
02:22:18 Jon Johnson: but why is the rum gone
02:22:34 vbatts: 🥃
02:24:39 cpuguy83: Users will hassle tool makers to fix their tools.
02:26:30 Jesse Butler: Reacted to "Users will hassle to..." with 👍
02:26:31 Jon Johnson: Libre Containers Initiative
02:26:36 Sajay Antony: Reacted to "Libre Containers Ini..." with 😂
02:26:41 cpuguy83: Reacted to "Libre Containers Ini..." with 😂
02:26:41 Jesse Butler: Reacted to "Libre Containers Ini..." with 😂
02:26:53 Sajay Antony: We have about 35 mins.
02:30:14 Jesse Butler: "Electric cats" vbatts
02:31:01 Aaron Friel: How do you "just suddenly get artifacts in there"?
02:31:14 Josh Dolitsky: I will propose an escape to the stalemate- Drop ArtifactManifest from main, release v1.1.0 Re-add ArtifactManifest and immediately release v1.2.0-rc1. This puts us in the exact same situation we find ourselves in whether we want to recommend ArtifactManifest even though we already have a release candidate out with it. and we would have something to get us lowercase artifacts and references today
02:31:16 Jesse Butler: From a DevOps perspective, that would be an anti-pattern, fwiw
02:31:33 Jesse Butler: ^^ that wasn't in ref to Josh, that was in ref to conversation in room
02:37:21 Aaron Friel: CI pipeline will fail once multiplied by how many engineers don't notice the CI pipeline is broken, to be fair 🙂
02:37:34 vbatts: also fair
02:37:38 Jon Johnson: https://opencontainers.org/posts/blog/2020-10-30-consuming-public-content/
02:37:43 Jesse Butler: That's not helpful, Aaron 🙂
02:37:58 Aaron Friel: I've been known to undermine my own arguments, I contain multitudes
02:38:09 Jesse Butler: Proof of a true visionary
02:38:27 Jon Johnson: Reacted to "Proof of a true vi..." with 👀
02:42:38 vbatts: IPSX FVER across my knuckles, Jesse
02:42:42 Aaron Friel: move to make ChatGPT a voting member of TOB
02:42:49 Sajay Antony: Reacted to "move to make ChatGPT..." with 👍
02:43:01 Jesse Butler: Ten years Vincent. TEN.
02:44:26 cpuguy83: It's GSD behavior.
02:44:44 Sajay Antony: ORAS needs to fix that. but then again its a client implementation.
02:44:52 Jesse Butler: ^^ fair
02:45:01 ToddySM: It is a "magic" that is unreliable
02:45:06 Sajay Antony: Reacted to "It is a "magic" that..." with 👍
02:45:12 Jesse Butler: There's no magic in the cloud. :TM:
02:45:29 cpuguy83: Unless you are trying to migrate somebody to the cloud.
02:45:39 cpuguy83: There's no :trollface:
02:45:46 Josh Dolitsky: Reacted to "Unless you are try..." with 🔥
02:46:00 vbatts: y'all
02:46:09 Brandon Mitchell: :D
02:46:56 cpuguy83: 15mins left
02:47:12 Sajay Antony: Again Jon's PR for portability
02:47:26 Josh Dolitsky: I'm a tool with existing clients out in the world - OCI what should I do? I'm a tool that is brand new - OCI what should I do? Should those answers be different^ ?
02:47:53 Samuel Karp: "Tools which create artifacts SHOULD NOT default to creating Artifact Manifests when encountering an OCI image-spec 1.1-compliant registry."
02:47:57 Sajay Antony: @Aaron - https://github.com/opencontainers/image-spec/pull/1004
02:49:07 Aaron Friel: ORAS 1.1 adds explicit switches
02:49:11 Aaron Friel: the rc does
02:51:13 Jesse Butler: Well so much of the fallback difficulty is that so many 1.0 registries implement random behavior… which makes this all feel a bit like bikeshedding
02:52:45 Aaron Friel: @Jon I hope I haven't contributed to this consternation by making the issue on distribution-spec asking about fallback behavior. T'would be ironic if I contributed to this kerfuffle.
02:53:06 cpuguy83: Yeah I misunderstood where we were headed.
02:55:37 Jon Johnson: @Aaron I think the issue you opened sparked the conversations in the dev calls, which prompted me to open the PR as a path forward
02:55:48 Aaron Friel: Ironic!
02:55:51 Aaron Friel: 😆
02:56:05 Jon Johnson: Reacted to "😆" with 😂
02:56:27 Josh Dolitsky: 9
02:56:29 Josh Dolitsky: 9
02:56:29 Jon Johnson: Have to drop off a bit early, thanks for putting up with me and waiting for me everyone <3
02:56:30 Josh Dolitsky: 9
02:57:18 Jon Johnson: Can't hear sajay, can someone ask him to comment that on 999?
02:58:58 Sajay Antony: I'll comment Jon.
02:59:33 Sajay Antony: Basically I'm worried about changing behavior of image manifest for existing clients who use artifacts.
03:00:54 Sajay Antony: Probably depends on the changes or fields you want to add in the image manifest.
03:05:19 Aaron Friel: Congrats on this marathon everyone