# OCI Weekly Discussion
###### tags: `oci` `discussion`
Time: 1700 GMT (1300 EST; 1000 PST; 1900 CET; 0300 AEST; 0100 CST)
- [OCI Calendar](https://calendar.google.com/calendar/b/2/r?cid=bGludXhmb3VuZGF0aW9uLm9yZ19pMHNhZG8waTM3ZWtuYXI1MXZzdThtZDVoZ0Bncm91cC5jYWxlbmRhci5nb29nbGUuY29t)
- [Conference URL](https://zoom.us/j/6449415895?pwd=S2tJVGVra0dYdlZCRjJwdXdPdGRQQT09) with embedded passcode
- One tap mobile
[+16465588656,,6449415895#](+16465588656,,6449415895#) US (New York)
[+16699006833,,6449415895#](+16699006833,,6449415895#) US (San Jose)
Passcode: 77777 *(5 7's)*
Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 644 941 5895
Find your local number: https://zoom.us/u/aLDk4OXTu
*template at the bottom*
## June 1, 2023
### Attendees:
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- image-spec: renaming the "scratch" descriptor ("filler" ?) [Brandon or Tianon]
- https://github.com/opencontainers/image-spec/issues/1067
- https://github.com/opencontainers/image-spec/pull/1068
- _add your items_
### Notes:
- _add your notes_
## May 25, 2023
### Attendees:
- ToddySM
- Brandon Mitchell
- Aaron Friel
- Brian Goff
- Derek McGowan
- Jon Johnson
- Mike Brown
- Phil Estes
- Tianon Gravi
- Brandon Klein
- Victor Lu
- Sajay Antony (chat only)
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- distribution-spec needs an approver for `+dev`: <https://github.com/opencontainers/distribution-spec/pull/417>
- Add artifactType to index: <https://github.com/opencontainers/image-spec/pull/1066>
- _add your items_
### Presentation/Discussion Agenda Items:
- Unblocking discussion on <https://github.com/opencontainers/image-spec/pull/1030>?
Previous call discussed moving this to distribution spec; but there was concern about registry support. How can we unblock?
- Garbage collection in registries (ToddySM)
### Notes:
## May 18, 2023
**Recording**: https://youtu.be/qjSOsm85C6c
### Attendees:
- Brandon Mitchell
- Phil Estes
- Toddy SM
- Brian Goff
- Tianon Gravi
- Mike Brown (IBM)
- Sajay Antony
- Aaron Friel
- Derek McGowan
- Ramkumar Chinchani
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Using `+dev` in version: <https://github.com/opencontainers/image-spec/pull/1050>, <https://github.com/opencontainers/runtime-spec/pull/1198>
- Scratch blob content: <https://github.com/opencontainers/image-spec/pull/1064>
- _add your items_
### Presentation/Discussion Agenda Items:
- Risks when copying annotations from image to runtime: <https://github.com/opencontainers/image-spec/pull/1061>
- `org.opencontainers.image.source.subpath`: <https://github.com/opencontainers/image-spec/pull/1062>
- FYI - Tomorrow is the first CNCF Artifact WG Meeting
From Slack:
> Hi TAG! The TAG will host a preliminary meeting of the proposed Artifacts WG tomorrow Friday May 19 to finish the group's charter and start work towards its goals. More info on the proposed group and its mission is in this issue and the draft charter.
> If you'd like to contribute to simplifying packaging, delivery and deployment of both configuration and binary content please join the group! Slack channel here: #wg-artifacts.
> Info for tomorrow's meeting:
> Event page (RSVP for an invite): https://community.cncf.io/events/details/cncf-tag-app-delivery-presents-wg-artifacts-project-meeting/
> Date/Time: Friday May 19 @ 1600 UTC (https://www.timeanddate.com/worldclock/converter.html?iso=20230519T160000&p1=1440&p2=64&p3=1960&p4=tz_aet)
> Zoom URL: https://zoom.us/j/7276783015?pwd=R0RJMkRzQ1ZjcmE0WERGcTJTOEVyUT09
> Notes URL: https://docs.google.com/document/d/1E7iKPOuyA1jxPe8vDG8aPd8jtnCEbpDpCifXDvDCnA0/edit
> Charter URL: https://docs.google.com/document/d/1w_lo2RZDKeEzQg4DMV-9Tq4ir_znONj_ypJ27CUfMgY/
> Slack: https://cloud-native.slack.com/archives/C04UQDWS4M7
- Can we target date for OCI 1.1 GA? (ToddySM)
### Notes:
From the chat:
- Gitlab
- https://github.com/moby/buildkit/pull/3610#issuecomment-1453858526
- https://gitlab.com/gitlab-org/container-registry/-/issues/967
- granted, we're basically _always_ in a "request for comment" period, but what about a public notice of RFC that is open for say 60 days, with something about raising blockers.
## May 11, 2023
**Recording**: https://youtu.be/8ASCmKinQaQ
### Attendees:
- Brian Goff (MSFT)
- Josh Dolitsky (Chainguard)
- Ramkumar Chinchani
- Michael Brown
- Mike Brown
- Victor Lu
- Tianon Gravi
- Brandon Klein
- Sajay Antony
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Wasm (Brian)
### Notes:
- (horrifyingly oversimplified notes by Tianon)
- Brian: can we store "wasi" modules in the config object for the runtime to install?
- Tianon: yes*
- spec says unknown fields should be ignored (so you don't need our "permission")
- wasi is big moving target, so it would be useful to have more implementation proof that the proposal is "sufficient" before we codify it in the spec (and thus try to avoid spec churn)
From Chat:
- https://github.com/opencontainers/image-spec/pull/1055/files
## May 4, 2023
**Recording**: https://youtu.be/Fto6y9QSWgg
### Attendees:
- Brandon Mitchell
- Aaron Friel
- Brandon (Klein?)
- John Kjell
- Michael Brown
- Sajay Antony
- ToddySM
- Tianon Gravi
- Ramkumar Chinchani
- Mike Brown (IBM)
- Brian Goff
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Use `+dev` instead of `-dev`: <https://github.com/opencontainers/image-spec/pull/1050>
- Clarify when errors are allowed: <https://github.com/opencontainers/image-spec/pull/1030>
- `Content-Type` syntax: <https://github.com/opencontainers/distribution-spec/issues/408>
- Allow 307 responses: <https://github.com/opencontainers/distribution-spec/issues/397>
- `Content-Length` omitted on patch requests: <https://github.com/opencontainers/distribution-spec/pull/404>
- Registry vs repository terminology: <https://github.com/opencontainers/distribution-spec/pull/325>
- _add your items_
### Notes:
From the chat:
00:12:25 Sajay Antony: +1 to More Brandons
00:26:57 Ramkumar Chinchani: allowlist/denylist could be a registry-specific policy, every deployment will have an opinion
00:34:21 Aaron Friel: encoding my artifact type by using the casing bits of spongebob case as a sidechannel
00:35:02 Ramkumar Chinchani: Another example of HTTP rfcs conflicting with dist-spec … "Range" is one other
00:37:09 Aaron Friel: In accordance with the RFC this is also valid:
Content-Type: application/vnd.oci.image.index.v1+json (Generated by Friel)
00:41:13 Aaron Friel: @Tianon looking forward to your media type experiments and seeing which runtimes break on comments and parameters
00:41:14 Sajay Antony: I like differing to the RFC as a disambiguation.
00:43:10 Tianon Gravi: I'm far too tired for that 😅
00:43:29 Tianon Gravi: it's definitely not defined as allowed in "mediaType" fields, so this would only be for "Content-Type" I think
00:43:40 Aaron Friel: Reacted to "it's definitely not ..." with 👍
00:45:38 Tianon Gravi: PUT https://index.docker.io/v2/tianon/test/manifests/sPoNgEbOb: MANIFEST_INVALID: manifest invalid; if present, mediaType in manifest should be 'application/vnd.oci.image.manifest.v1+json' not 'aPpLiCaTiOn/vNd.oCi.iMaGe.mAnIfEsT.V1+jSoN'
00:46:03 Sajay Antony: Reacted to "PUT https://index.do…" with 😂
00:47:01 Tianon Gravi: https://explore.ggcr.dev/?image=tianon/test:sPoNgEbOb
00:55:53 Ramkumar Chinchani: also multi-tenant access control
00:57:08 John Kjell: 400-499 😂
## April 27, 2023
**Recording**: https://youtu.be/33V8H3a_3aA
### Attendees:
- Ramkumar Chinchani
- Josh Dolitsky
- Brandon Klein
- Brandon Mitchell
- Brian Goff
- Jason Hall
- John Kjell
- Jon Johnson
- Leroy
- Mike Brown (ibm)
- Tianon Gravi
- Lachlan Evenson
- Samuel Karp
- Aaron Friel
- Jeanine Burke
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Tag image-spec 1.1.0-rc.3 <https://github.com/opencontainers/image-spec/pull/1049> - https://github.com/opencontainers/image-spec/releases/tag/v1.1.0-rc.3 in pre release
- Tag distribution-spec 1.1.0-rc.2 <https://github.com/opencontainers/distribution-spec/pull/403> - https://github.com/opencontainers/distribution-spec/releases/tag/v1.1.0-rc.2 in pre release
- Push to next week PR1030 <https://github.com/opencontainers/image-spec/pull/1030>
- wasi is back, now with p: https://github.com/opencontainers/image-spec/issues/1053
- Jason Hall will open a PR to capture output of discussion
- https://github.com/opencontainers/image-spec/pull/1055
- Discuss language to require implementations not to have an allowlist of media types
- Aaron will revise the PR based on today's discussion
- _add your items_
### Presentation/Discussion Agenda Items:
- Image-spec 1.1.0 milestone: <https://github.com/opencontainers/image-spec/milestone/14>
- Distribution-spec 1.1.0 milestone: <https://github.com/opencontainers/distribution-spec/milestone/6>
- _add your items_
### Notes:
From the chat:
00:08:10 John Kjell: Proper sorting enabled for when we get to rc.10 😂
00:13:02 Josh Dolitsky: :drake-no:
00:16:13 Brandon Mitchell: Semver++
00:16:42 Jason Hall: TIL https://semver.org/spec/v2.0.0-rc.2.html
00:17:22 Brandon Mitchell: We need tianon
00:17:40 Samuel Karp: Time for a governance change to support github?
00:18:11 Josh Dolitsky: jon, you could have just said we have quorum and nobody would have challenged
00:19:04 Samuel Karp: me neither...
00:19:33 Josh Dolitsky: youll hear from the lawyers
00:19:40 Brandon Mitchell: The commit to tag is the one before the dev
00:19:53 Jason Hall: lol are there GG maintainers?
00:20:00 Brian Goff: So was reader ❤️
00:20:35 Josh Dolitsky: The HTML/PDF artifacts have been uploaded here: https://github.com/opencontainers/distribution-spec/releases/tag/v1.1.0-rc.2
00:20:41 Josh Dolitsky: skipped the malware this time
00:20:43 Mike Brown: Reacted to "The HTML/PDF artifac..." with 👍
00:22:04 Samuel Karp: Reacted to "So was reader ❤️" with 😂
00:22:39 Jason Hall: wow josh is a lot better at this
00:23:09 Josh Dolitsky: we need brandon back on the bike
00:23:24 Jon Johnson: v1.1.0-rc.3'
00:23:25 Jon Johnson: v1.1.0-rc.3
00:24:17 Jon Johnson: https://github.com/opencontainers/image-spec/releases/tag/v1.1.0-rc.3
00:25:00 Jason Hall: let's fork semver
00:25:07 Jon Johnson: slimver
00:25:08 Aaron Friel: wow what a take to join the call to
00:25:25 Aaron Friel: What are we currently discussing?
00:27:18 Brandon Mitchell: Wsaaaaaaaaaaaaaaaammmmm
00:27:29 Josh Dolitsky: dont text and drive plz
00:27:51 Brandon Mitchell: Reacted to "dont text and drive ..." with 😂
00:31:45 Brandon Mitchell: Every registry today has a manifest allow list
00:34:43 Brandon Mitchell: There's a difference between the media type and config media type
## April 20, 2023
Canceled for KubeCon EU
## April 19, 2023
### In person meeting at KubeCon EU
Open Container Initiative Meeting
Date: Wednesday, April 19
Time: 2:30pm - 5:00pm (5:30am PT / 8:30am ET)
Room: D203-204
https://hackmd.io/31EBLRysR8OQLZyH82LDdg
## April 13, 2023
**Recording**: https://youtu.be/Bx-urZXikMk
### Attendees:
- Brandon Mitchell
- Ramkumar Chinchani
- Jon Johnson
- Josh Dolitsky
- Tianon Gravi
- Victor Lu
- Derek McGowan
- Syed Ahmed
- Michael Brown
- Sajay Antony
- Mike Brown (IBM)
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- PRs needing review for next release:
- Nits and shifting layer requirements: <https://github.com/opencontainers/image-spec/pull/1042>
- Add artifactType to image manifest: <https://github.com/opencontainers/image-spec/pull/1043>
- Define artifactType usage in referrers API response: <https://github.com/opencontainers/distribution-spec/pull/395>
- Distribution spec 1.1 release? (Josh)
- <https://github.com/opencontainers/distribution-spec/milestone/6>
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
From chat:
00:10:57 Josh Dolitsky: in the spec:
It MUST match the following regular expression:
^[0-9]+-[0-9]+$
00:12:41 Tianon Gravi: fwiw, I've seen non-container-related HTTP implementations make this same mistake with Range headers (as a datapoint of it being semi-common, despite the HTTP spec)
00:14:27 Tianon Gravi: something something "strict in what you send, generous in what you accept" (probably the reason this has happened in so many places in the first place)
00:19:16 Josh Dolitsky: Ok, this is ready for green clicky https://github.com/opencontainers/distribution-spec/pull/401
@jon @derek @brandon
00:21:16 Tianon Gravi: https://github.com/opencontainers/image-spec/pull/1023
00:23:52 Sajay Antony: https://github.com/opencontainers/image-spec/pull/1023#issuecomment-1428455309
00:31:35 Josh Dolitsky: need to drop 👋
00:34:08 Ramkumar Chinchani: LGTM
00:39:11 Tianon Gravi: the only merge conflict appears to be from the other PR we merged today 😄
00:39:47 Tianon Gravi: "artefact manifest"
00:40:27 Sajay Antony: Reacted to ""artefact manifest"" with 😂
00:40:32 Mike Brown: aRtifact
00:40:44 Brandon Mitchell: add 😂
00:40:45 Michael Brown: ærtifact
00:42:01 Tianon Gravi: https://github.com/opencontainers/image-spec/compare/85f34e9bc20cc8d1e75dbc3c2c2d4059a26a7ae9..63b8bd02f5b5a2ce464a9a8ea6df049c326ce20f is the link GitHub provides
00:42:11 Tianon Gravi: you click on the "force-pushed" part of the text
00:42:41 Tianon Gravi: I _really_ wish GitHub would do something better there for things that include both a rebase _and_ other changes 🙃
00:43:28 Sajay Antony: Reacted to "I _really_ wish GitH..." with 👍🏼
00:44:54 Sajay Antony: Can we merge - https://github.com/opencontainers/distribution-spec/pull/395/files
00:47:58 Tianon Gravi: maybe we can add https://github.com/opencontainers/image-spec/pull/1020 to the list to discuss? before I hit approve on it and put Brandon even further in a corner 😄
00:57:15 Tianon Gravi: why don't GitHub's reactji have 😭 yet 😂
01:01:35 Sajay Antony: Index of signatures for multi-arch.
01:05:07 Sajay Antony: If artifact type was there in index. CNAB folks discussion would have been really easy.
01:06:09 Jon Johnson: Reacted to "If artifact type was..." with 👍
## April 6, 2023
**Recording**: https://youtu.be/I6EgMx-rdBE
### Attendees:
- _add yourself_
- Scott Rigby (can attend 2nd half of the meeting)
- Ramkumar Chinchani
- Mike Brown (IBM)
- Aaron Friel
- Toddy Mladenov
- Sajay Antony
- Vincent Batts
- Scott Rigby
- Jason Hall
- Andrew Block
- Tianon Gravi
- Jon Johnson
- Derek McGowan
- Brian Goff
- Steve Lasker
- Michael Brown
- John Kjell
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- [Scott Rigby] I would like to discuss the best way(s) for cross-pollination with CNCF around OCI artifacts. There is a proposed CNCF Working Group on improving OCI Artifacts for cloud native App Delivery (possibly using extensions, most likely implemented as a sub-project of ORAS, but definitely including end user improvements such as search and discovery). Please see this GitHub issue: https://github.com/cncf/tag-app-delivery/issues/
- Goal: how to search for artifacts
- Adding artifactType to image manifest: https://github.com/opencontainers/image-spec/pull/1043
- Using artifactType in referrers response: https://github.com/opencontainers/distribution-spec/pull/395
- Tianon is now a maintainer: https://github.com/opencontainers/image-spec/pull/1044
### Notes:
## March 30, 2023
**Recording**: https://youtu.be/ERJPxtL5WjM
### Attendees:
- Brandon Mitchell
- Ramkumar Chinchani
- Tianon Gravi
- Aaron Friel
- Jon Johnson
- Jesse Butler
- Victor Lu
- Derek McGowan
- Jamie Wu
- Brandon Klein
- Michael Brown
- Jason Hall
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Nits and shifting layer requirements: <https://github.com/opencontainers/image-spec/pull/1042>
- Add artifactType to image manifest: <https://github.com/opencontainers/image-spec/pull/1043>
- Define artifactType usage in referrers API response: <https://github.com/opencontainers/distribution-spec/pull/395>
- Archiving `artifacts` repo: <https://github.com/opencontainers/artifacts/issues/63>
- _add your items_
## March 23, 2023
**Recording**: https://youtu.be/w-FWd986Qic
### Attendees:
- Brandon Mitchell
- Aaron Friel
- John Kjell
- Ramkumar Chinchani
- Brandon Klein
- Jason Hall
- Jon Johnson
- Amye Scavarda Perrin
- Derek McGowan
- Jesse Butler
- ToddySM
- Victor Lu
- Tianon Gravi
- Samuel Karp
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Warning header merged! 🎉 https://github.com/opencontainers/distribution-spec/pull/393
- <https://github.com/opencontainers/image-spec/pull/1029>
- Should this be split into two PRs? (to get the nits merged)
- How do we want to handle `mediaType` -> `artifactType` for artifacts without a dedicated config (pushing the scratch blob)
- Opt 1: scratch = null so `mediaType` can mismatch content
- Opt 2: custom `mediaType` extension (`+oci`)
- Opt 3: define `artifactType` in the config descriptor
- Opt 4: define `artifactType` in the image manifest
- Option 4 was preferred by the team
- **Did not get to the below agenda items**
- Artifact manifest removal
- merged in distribution-spec: <https://github.com/opencontainers/distribution-spec/pull/383>
- image-spec: <https://github.com/opencontainers/image-spec/pull/999>
- Need for updated RC to communicate to partners. Added by @sajay but might not be able to make it this week and if the folks on the call want, we can move out to next week.
- Request for comments and review on https://github.com/opencontainers/image-spec/pull/1030
- Add insecure HTTPs support in conformance tests: https://github.com/opencontainers/distribution-spec/pull/394
Example of option 4:
```jsonc
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.oci.image.manifest.v1+json",
  "artifactType": "application/vnd.cyclonedx", // add new artifact type
  "config": {
    "mediaType": "application/vnd.oci.artifact.scratch.config.v1+json", // use static media type when artifactType defined
    "size": 2,
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a"
  },
  "layers": [
    {
      "mediaType": "application/vnd.cyclonedx+json",
      "size": 15362,
      "digest": "sha256:216c9f9553bf811a4ff2d6d60f0b007752414805e1bb62611282481837cf7def"
    },
    {
      "mediaType": "application/vnd.cyclonedx+xml",
      "size": 15362,
      "digest": "sha256:216c9f9553bf811a4ff2d6d60f0b007752414805e1bb62611282481837cf7def"
    }
  ],
  "annotations": {
    "org.opencontainers.artifact.created": "2023-03-03T19:42:34Z",
    "org.opencontainers.artifact.description": "CycloneDX JSON SBOM"
  },
  "subject": {
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "size": 1024,
    "digest": "sha256:81b44ad77a83506e00079bfb7df04240df39d8da45891018b2e5e00d5d69aff3"
  }
}
```
## March 16, 2023
**Recording**: https://youtu.be/U9GXGABqP0Y
### Attendees:
- _add yourself_
- Josh Dolitsky
- Jason Hall
- Brandon Mitchell
- Jon Johnson
- Sajay Antony
- ToddySM
- Tianon Gravi
- Aaron Friel
- Mike Brown (IBM)
- Ramkumar Chinchani
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- RFC: server-sent warnings: https://github.com/opencontainers/distribution-spec/issues/390
- deprecation vs warning header?
- https://datatracker.ietf.org/doc/html/draft-dalal-deprecation-header-00#page-7
- Guidance for registry/client tool implementers wrt "artifacts"? This is holding up progress/releases.
- https://github.com/opencontainers/image-spec/pull/1029
- [Jon] Add a `+oci` [structured suffix](https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml) for single-layered artifacts?
- Will this get a review after 1029? https://github.com/opencontainers/image-spec/pull/1030
- Minimum chunk size: https://github.com/opencontainers/distribution-spec/pull/391
## March 9, 2023
**Recording**: https://youtu.be/4qOyBLVTJaA
### Attendees:
- _add yourself_
- Aaron Friel
- Phil Estes (AWS)
- Brandon Klein
- Mark Rossetti
- James Sturtevant
- Bradley D. Thornton
- Ramkumar Chinchani
- Mike Brown (IBM)
- Sajay Antony
- Brian Goff (MSFT)
- Tianon Gravi
- Brandon Mitchell
- Jamie Wu
- Lachlan Evenson
- Michael Brown
- Syed Ahmed
- ToddySM
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- containerd security issue w/ large configs: https://github.com/containerd/containerd/security/advisories/GHSA-259w-8hf6-59c2
- should OCI recommend a
- Last arg for clean Artifact Manifest. We are very close to standardizing something that will yield CVEs for years to come by overloading Image Manifest and standardizing the current behavior of registry implementations while ignoring the cost of additional complexity and ambiguity on client implementations. Overloading type definitions leads to type confusion and parsing vulnerabilities. Known issues:
- The above issue with large configs is completely relevant. If artifacts upload arbitrary sized blobs to configs, runtime spec would like to specify that blobs have a limit when used in the config field.
- Removing `mediaType` from manifests resulted in type confusion
This is exactly what we're proposing to do for config blobs: the descriptor will describe the "artifactType", not the content of the blob.
https://github.com/advisories/GHSA-qq97-vm5h-rrhg
& https://www.cvedetails.com/cve/CVE-2021-41190/
- Clients do not handle arbitrary/malformed image content well, e.g.: plausible path to RCE in Anchore when it scans a "specially crafted manifest".
With lowercase-a artifacts, we expose more clients to arbitrary content. If we standardize this and encourage it, we have not done an analysis like [#1025](https://github.com/opencontainers/image-spec/issues/1025) on client behavior.
https://www.cvedetails.com/cve/CVE-2020-11075/
- Docker clients crashed due to trusting layers, blobs were valid for Images content ([see commit](https://github.com/moby/moby/commit/8d3179546e79065adefa67cc697c09d0ab137d30)).
Just as with Anchore, we have not modeled the impact of giving arbitrary content to clients which trusted content to be configs & layers.
https://www.cvedetails.com/cve/CVE-2021-21285
- quay/claircore may have exactly this type of vulnerability here. Is it generally safe to treat any blob whose mediaType terminates in ".tar" as a tarball? No! The media type of the config blob is undefined post-999.
https://github.com/quay/claircore/blob/35f60dd69a229051d0c494b959bbc023842bd98e/libindex/fetcher.go#L261-L291
- Updating the image manifest, approval needed for at least one:
- <https://github.com/opencontainers/image-spec/pull/1023>
- <https://github.com/opencontainers/image-spec/pull/1029>
- <https://github.com/opencontainers/image-spec/pull/1030>
- Request to remove blob delete from conformance tests (email from JFrog)
- Fix JSON Schema: <https://github.com/opencontainers/image-spec/pull/931>
- Chunked uploads need a minimum size header from the server: <https://github.com/opencontainers/distribution-spec/issues/374>
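
A client-side guard for the type-confusion and large-config concerns raised in the agenda item above, as an added example that is not code from these notes or from any OCI project. It rejects documents that could be read as either a manifest or an index, requires the `mediaType` field to agree with `Content-Type`, and bounds and verifies a blob against its descriptor before anything parses it. The function names, error values and the 4 MiB ceiling are assumptions; the inputs in `main` are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"mime"
	"strings"
)

const (
	mtManifest = "application/vnd.oci.image.manifest.v1+json"
	mtIndex    = "application/vnd.oci.image.index.v1+json"
	// Assumed client-side ceiling for config blobs; the notes give no number.
	maxConfigBytes = 4 << 20
)

var (
	errAmbiguous = errors.New("document carries both manifest and index fields")
	errMismatch  = errors.New("document does not match the declared media type")
	errTooLarge  = errors.New("descriptor size exceeds the client limit")
	errContent   = errors.New("blob does not match descriptor size or digest")
)

type descriptor struct {
	MediaType string `json:"mediaType"`
	Digest    string `json:"digest"`
	Size      int64  `json:"size"`
}

// probe decodes only the fields needed to tell a manifest from an index.
type probe struct {
	MediaType string            `json:"mediaType"`
	Config    *descriptor       `json:"config"`
	Layers    []json.RawMessage `json:"layers"`
	Manifests []json.RawMessage `json:"manifests"`
}

// classifyManifest returns the media type to parse body as, or an error when
// the Content-Type header, the mediaType field and the document shape disagree.
func classifyManifest(contentType string, body []byte) (string, error) {
	// ParseMediaType lowercases the type and splits off any parameters.
	ct, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		return "", fmt.Errorf("bad Content-Type: %w", err)
	}
	if ct != mtManifest && ct != mtIndex {
		return "", fmt.Errorf("unsupported manifest type %q", ct)
	}
	var p probe
	if err := json.Unmarshal(body, &p); err != nil {
		return "", fmt.Errorf("bad JSON: %w", err)
	}
	asManifest := p.Config != nil || p.Layers != nil
	asIndex := p.Manifests != nil
	switch {
	case asManifest && asIndex:
		return "", errAmbiguous
	case p.MediaType != "" && p.MediaType != ct:
		return "", errMismatch
	case (ct == mtManifest && asIndex) || (ct == mtIndex && asManifest):
		return "", errMismatch
	}
	return ct, nil
}

// readVerified refuses descriptors above limit, reads at most one byte past
// the declared size, and returns the blob only if size and sha256 both match.
func readVerified(r io.Reader, d descriptor, limit int64) ([]byte, error) {
	if d.Size < 0 || d.Size > limit {
		return nil, errTooLarge
	}
	buf, err := io.ReadAll(io.LimitReader(r, d.Size+1))
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(buf)
	if int64(len(buf)) != d.Size || "sha256:"+hex.EncodeToString(sum[:]) != d.Digest {
		return nil, errContent
	}
	return buf, nil
}

func main() {
	// Constructed input: fields of both kinds and no mediaType field.
	ambiguous := []byte(`{"schemaVersion":2,"layers":[],"manifests":[]}`)
	_, err := classifyManifest(mtIndex, ambiguous)
	fmt.Println("ambiguous document:", err)

	// The two-byte "{}" scratch config from the option 4 example in these notes.
	scratch := descriptor{
		MediaType: "application/vnd.oci.artifact.scratch.config.v1+json",
		Digest:    "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
		Size:      2,
	}
	_, err = readVerified(strings.NewReader("{}"), scratch, maxConfigBytes)
	fmt.Println("scratch config error:", err)
}
```

Dispatching on a blob's `mediaType` after these checks still only says what the publisher claimed; the parser for that type has to tolerate malformed content on its own.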
### Presentation/Discussion Agenda Items:
- _add your items_
- Windows LayerFolder https://github.com/opencontainers/runtime-spec/issues/1185
### Notes:
## March 2, 2023
**Recording**: https://youtu.be/lZ7LRwgEVTQ
### Attendees:
- Lachlan Evenson
- Brandon Mitchell
- Ramkumar Chinchani
- ToddySM
- Sajay Antony
- Tianon Gravi
- Aaron Friel
- Vincent Batts
- Amye SP
- Jesse Butler
- Michael Brown
- Brandon Klein
- John Kjell
- Phil Estes
- Mike Brown(IBM)
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes? (Lachlan Evenson)
- _add your items_
### Presentation/Discussion Agenda Items:
- decision on 999
- https://github.com/opencontainers/image-spec/pull/999
- Can we consider codifying lower a artifacts into image-spec prior to this (aaron)
- We need to codify the way to use image space prior to consider merging this PR (vbatts)
- Do we have an action plan to merge 999? In order to merge 999 these things must first be merged? (vbatts)
- Cleanup PRs
- https://github.com/opencontainers/image-spec/pull/1013 - closed
- https://github.com/opencontainers/image-spec/pull/1016 - closed
- descriptor schema: add missing data and artifactType definitions
- https://github.com/opencontainers/image-spec/pull/1022
- manifest: provide guidance on SCRATCH descriptor (config and layer)
- https://github.com/opencontainers/image-spec/pull/1023
- https://github.com/opencontainers/image-spec/pull/1029
Discussion
- If 999 is to be accepted the following PRs should be merged prior and there should be a decision about if artifact manifest should be moved to a feature branch for continued work.
- Below is the list of PRs that are being considered prior to the merge of #999
- https://github.com/opencontainers/image-spec/pull/1022
- https://github.com/opencontainers/image-spec/pull/1023
- Conversation - Drop the function, keep the const, clarify what scratch means, should we move forward with 1029
- https://github.com/opencontainers/image-spec/pull/1030
- We should also add issue #1025 table to a markdown and have it tagged. It's useful to have as a tool to have to understand the decision
- Not Covered
- v1.1 milestone and possible timelines. (@sajay)
### Notes:
## February 23, 2023
**Recording**: https://youtu.be/YTzqnUr8z_A
### Attendees:
- Brandon Mitchell
- ToddySM
- Lachlan Evenson
- Victor Lu
- Mike Brown(IBM)
- Tianon Gravi
- John Kjell
- Michael Brown (AWS)
- Jon Johnson
- Aaron Friel
- albi
- Sajay Antony
- Phil Estes
- Nisha Kumar
- Jamie Wu
- Ramkumar Chinchani
- Jesse Butler
- cpuguy83 (Brian Goff)
- Amye
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Decide on a minimal image manifest: <https://github.com/opencontainers/image-spec/issues/1025>
- Clarify ignore:
- <https://github.com/opencontainers/image-spec/pull/1028>
- <https://github.com/opencontainers/image-spec/pull/902>
- <https://github.com/opencontainers/image-spec/pull/1023>
- What could a new artifact manifest look like?
- _add your items_
### Notes:
## February 16, 2023
**Recording**: https://youtu.be/HOYIbfmGXLU
### Attendees:
- vbatts
- Aaron Friel
- Jason
- John Kjell
- Brandon Mitchell
- Josh Dolitsky
- Mike Majors
- Sajay Antony
- Brian Goff
- Tianon Gravi
- Mike Majors
- Ramkumar Chinchani
- Lachlan Evenson
- Jesse Butler
- Josh Dolitsky
- Jamie Wu
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- [manifest: clarify that layers is technically OPTIONAL](https://github.com/opencontainers/image-spec/pull/1016) @vbatts
- [manifest: provide guidance on SCRATCH config descriptor](https://github.com/opencontainers/image-spec/pull/1023) @vbatts
- https://github.com/opencontainers/image-spec/issues/1025
- Open to changing "ignored" language? @friel https://github.com/opencontainers/image-spec/pull/1028
- https://github.com/opencontainers/image-spec/pull/902
- OK to merge https://github.com/opencontainers/distribution-spec/pull/383 ? (Josh)
- _add your items_
### Notes:
## February 9, 2023
**Recording**: https://youtu.be/WMcd0anCJVQ
### Attendees:
- vbatts
- Brandon Mitchell
- Sajay Antony
- Jason Hall
- Aaron Friel
- Josh Dolitsky
- Jesse Butler
- Tianon Gravi
- Jamie Wu
- John Kjell
- Derek McGowan
- Victor Lu
- Mike Brown, IBM
- Amye Scavarda Perrin
- Ramkumar Chinchani
- Michael Brown
- Toddy
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- `OCI-Subject-Processed` response header: https://github.com/opencontainers/distribution-spec/pull/379
- `OCI-Filters-Applied` response header: https://github.com/opencontainers/distribution-spec/pull/380
- https://github.com/opencontainers/distribution-spec/issues/378
- https://github.com/opencontainers/image-spec/pull/999
- https://github.com/opencontainers/image-spec/pull/1004
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
## February 2, 2023
Cancelled
## February 1, 2023
**Recording**:
On-site hybrid event at CNSecurityCon:
<https://hackmd.io/moB5-fsQTbGmDpnrsY-4yg>
## January 26, 2023
**Recording**: https://youtu.be/w39590Jn5zg
### Attendees
- Ramkumar Chinchani
- Brandon Mitchell
- Sajay Antony
- Michael Brown
- Tianon
- Chris Crone
- Dave O'Connor
- Syed Ahmed
### Note Taker
### Actionable Agenda Items:
- **Jason:** deprecating non distributable layers?
- <https://github.com/opencontainers/image-spec/pull/965>
- **Jon:** upon pushing a manifest with `subject`, the registry should respond with a header that says "I parsed and processed this subject, and updated referrers"; this is a clear positive signal that the registry supports the referrers API.
- **Jon:** https://github.com/opencontainers/image-spec/pull/999 - dropping Artifact Manifest from v1.1
- Agenda items for next week's meeting go here: (Feb 1, 2pm to 5pm in person and virtual)
- https://hackmd.io/moB5-fsQTbGmDpnrsY-4yg
## January 19, 2023
**Recording**: https://youtu.be/E6RdnQxU5ZM
### Attendees:
- Brandon Mitchell
- Jon Johnson
- Vincent Batts
- Jesse Butler
- Tianon
- Severin Neumann
- Toddy Mladenov
- Jason Hall
- Brian Goff
- Sajay Antony
- Ramkumar Chinchani
- Aaron Friel
- Jamie Wu
- Mike Brown
- Amye Scavarda Perrin
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- [1] Question: is it possible/feasible to make something like suggested in the issue below possible (obtain container/image id from within the container)?
- https://github.com/opencontainers/runtime-spec/issues/1105
- Main use case: correlate monitoring data from inside the container (application) with the outside (infrastructure)
- [2] Continued discussion, adding capabilities endpoint and client use case guidance
- https://github.com/opencontainers/distribution-spec/issues/365
- should this become two issues?
- [3] New Open Standards Survey: https://www.research.net/r/FG78BXB
- [4] [Specify accepted manifest types #373](https://github.com/opencontainers/distribution-spec/pull/373) @sajay
### Notes:
## January 12, 2023
**Recording**: https://youtu.be/SjF5PURhmw8
### Attendees:
- Brandon Mitchell
- Brandon Caton
- Dave O'Connor
- nisha
- Jon Johnson
- Jamie Wu
- cpuguy83
- Syed Ahmed
- Josh Dolitsky
- Victor Lu
- Michael Brown
- Jesse Butler
- Ramkumar Chinchani
- Brandon Klein
- Sajay Antony
- Tianon
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Check-in on 1.1 release
- <https://github.com/opencontainers/image-spec/milestone/14>
- <https://github.com/opencontainers/distribution-spec/milestone/6>
- Discuss adding version endpoint, client requirements
- https://github.com/opencontainers/distribution-spec/issues/365
- ..
### Notes:
## January 5, 2023
**Recording**: https://youtu.be/RlWvaGxg_jg
### Attendees:
- Brandon Mitchell
- Phil Estes
- Ramkumar Chinchani
- Michael Brown
- Brandon Klein
- Tianon
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- _add your items_
### Presentation/Discussion Agenda Items:
- How are people feeling about 1.1 release at end of month? (Josh)
- Milestone tracking:
- <https://github.com/opencontainers/image-spec/milestone/14>
- <https://github.com/opencontainers/distribution-spec/milestone/6>
- Discussion on the registry ability to not include annotations in referrers response
- <https://github.com/opencontainers/distribution-spec/pull/367>
- Recommend to refuse the manifest push rather than alter the referrers response per descriptor or filter out responses
- Limit descriptor size to 40kb for a manifest with a subject
- 40kb * 100 responses per page = 4mb limit on index
- registries can then implement pagination with a fixed 100 entries per page rather than checking each additional descriptor for the limit
- some clients already limit individual annotations to 4kb
- allows arbitrary annotations for future use cases, but with a bounded max size
- Registries MAY reject a manifest push that exceeds these limits
- _add your items_
## December 28, 2022
Canceled
## December 22, 2022
Canceled
## December 15, 2022
**Recording**: https://youtu.be/uuBb-2NTYIw
### Attendees:
- Brandon Mitchell
- Tianon
- Jesse Butler
- Michael Brown
- Sajay Antony
- Mike Brown
- Jason Hall
- Jon Johnson
- Toddy Mladenov
- Samuel Karp
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- WG Proposal for Authn/Authz: <https://github.com/opencontainers/tob/pull/119>
- Timeline for tagging 1.1 distribution/image-spec
- Still want to see some implementations
- Milestone tracking:
- <https://github.com/opencontainers/image-spec/milestone/14>
- <https://github.com/opencontainers/distribution-spec/milestone/6>
- Determining if registry supports the new manifest and referrers?
- https://github.com/opencontainers/distribution-spec/issues/365 [@sajay]
- Meeting schedule for rest of the year
- Calendars have been cleared until Jan - ASP
### Notes:
## December 8, 2022
**Recording**: https://youtu.be/PzWqxhqNrLQ
### Attendees:
- Brandon Mitchell
- Sajay Antony
- Jesse Butler
- Ramkumar Chinchani (Cisco/zot)
- Michael Brown
- Tianon
- Samuel Karp
- _add yourself_
### Note Taker:
- https://github.com/opencontainers/distribution-spec/issues/365
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- determining whether a registry supports reference types: https://github.com/opencontainers/distribution-spec/issues/365
- There is a desire for client tooling to fail fast, before the blob push, when the future manifest push will fail
### Notes:
## December 1, 2022
**Recording**: https://youtu.be/PnuKGurvEn4
### Attendees:
- _add yourself_
- Brandon Mitchell
- Sajay Antony
- Tianon
- Brian Goff
- Jamie (AWS ECR)
- Jon Johnson
- Ramkumar Chinchani
- ToddySM
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- [Distribution PR #366](https://github.com/opencontainers/distribution-spec/pull/366) (Brandon)
- https://opencontainers.slack.com/archives/C0LQVA03W/p1669781318238629
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
- Discussing `artifactType` and blob `mediaType`
- Some discussion happened at [KubeCon](https://hackmd.io/nZzK_4AfRz-xgya6KkqseA#Standardizing-artifact-media-types-and-annotations---allowing-interoperability-among-clients-Nisha-KumarBrandon-Mitchell)
- Notary / COSE discussion: <https://github.com/notaryproject/notaryproject/issues/207>
- Must be ignored?
- https://github.com/opencontainers/image-spec/blob/main/image-index.md?plain=1#L46
- https://github.com/opencontainers/image-spec/pull/902
- Can clients detect when the new artifact manifest is not supported by a registry
- Related discussion: https://fosstodon.org/@bmitch/109417666339330970
- Push to not fall back or automatically upgrade because of portability concerns (Brandon)
- No good answer for interpreting different errors; Brandon is just giving the error back to the user as-is.
## November 24, 2022 is cancelled
## November 17, 2022
**Recording**: https://youtu.be/LL18erQULwc
### Attendees
- John Ericson (Nix Community / Obsidian Systems)
- David Arnold (Nix Community / IOHK)
- Brandon Mitchell
- Ramkumar Chinchani (zot/Cisco)
- Brandon Klein (SNL)
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Ways to bring the Nix ecosystem closer to OCI
- Maybe a new "non-conflicting" layer type?
- Could work for others, too: e.g. _Guix_
### Notes:
- Nix/Guix "layers"
- Non-conflicting (disjoint mount points)
- Immutable
- Need to support numerous tiny images, no artificial limits.
- Nix/Guix idiomatic usage
- No "base image"
- Turtles all the way down!
- Read-only paths can be done with https://github.com/opencontainers/runtime-spec/blob/main/config-linux.md#readonly-paths
- Jon Johnson: Seems like two things to consider:
1. How to represent these images (image-spec)
2. How to unpack these differently from overlay (runtime-spec)
- Tianon Gravi: runtime-spec doesn't specify unpacking though, that's runtime-specific (runtime-spec just specifies "rootfs" and it's implementation defined how to create that from an image) O:)
- Nisha Kumar: The problem with regard to running a /store-like rootfs is putting the right binary in the right place such that the container runtime can find it
- Brandon Mitchell: I'm wondering if the implementation could be as easy as an annotation that indicates the name of the non-conflicting path, which has the potential to be backwards compatible.
- John Ericson: Sounds great!!
## November 10, 2022
**Recording**: https://youtu.be/HV_4mACIWrY
### Attendees:
- Brandon Mitchell
- Jason Hall
- Phil Estes
- Derek McGowan
- Mike Brown (IBM)
- Josh Dolitsky
- Jon Johnson
- Kevin Parsons
- Sajay Antony
- Christian Kniep
- Kazu
- Brian Goff
- Tianon
- Toddy
- Michael Brown (AWS)
- Ramkumar Chinchani (zot/Cisco)
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- [Jason] wasi/wasm change needs image-spec approvers 🙏: https://github.com/opencontainers/image-spec/pull/964
- [Jason] Dockerhub doesn't actually support "OCI Artifacts"
- continued harmful confusion about these terms
- We should clarify that "OCI Artifacts" is this: https://github.com/opencontainers/image-spec/blob/main/artifact.md
- ...and not this: https://github.com/opencontainers/artifacts
- Jason's AI from OCI Summit to migrate artifact author guidance to image-spec, then archive/delete `artifacts` repo.
- Tianon: "subject" field issue with Docker Hub is fixed as of today! 😇
- [Jason] referrers API: "registries MAY hoist the manifest contents into the `data` of the descriptor"
- which means we can change "annotations MUST be hoisted" to "annotations MAY be hoisted"
- clients should be prepared to fetch manifests if they want to filter on annotation data
- Jon's issue: https://github.com/opencontainers/distribution-spec/issues/357
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
## November 3, 2022
**Recording**: https://youtu.be/kjleG_01EqQ
### Attendees:
- Brandon Mitchell
- Josh Dolitsky
- Sajay Antony
- Mike Brown (IBM)
- Michael Brown (AWS)
- Jesse Butler
- Tianon
- ASP
- Bjorn Neergaard
- Cory Snider
- Brian Goff
- Nisha Kumar
- Ramkumar Chinchani (zot/Cisco)
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Road to releasing 1.1. What's left? (Michael Brown)
- Should we set a target release date and work towards that? (Josh)
### Presentation/Discussion Agenda Items:
- Implied directories: <https://github.com/opencontainers/image-spec/pull/970>
- Support for Diff Pulls?: <https://github.com/opencontainers/distribution-spec/issues/360>
- _add your items_
### Notes:
- Road to releasing 1.1. What’s left? (Michael Brown)
- [Image Spec Milestone](https://github.com/opencontainers/image-spec/milestone/14)
- [Distribution Spec Milestone](https://github.com/opencontainers/distribution-spec/milestone/6)
- [Zot is adding support](https://github.com/project-zot/zot/pull/936)
- can we set a timeline?
- Josh: maybe Jan 17
- Amye: seems too soon, what about a few weeks later?
- https://events.linuxfoundation.org/cloudnativesecuritycon-north-america/ is a good one to track to, Feb 2-3
- Docker Hub currently has a filter/block on the subject field
## October 27, 2022
**Recording**: https://youtu.be/IuTYxTUj-bA
### Attendees:
- Brandon Mitchell
- Jon Johnson
- Brandon Klein
- Jadjit Singh
- Tianon
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- Adding a header for pulls <https://github.com/opencontainers/distribution-spec/pull/358>
- Relaxing annotation requirement on referrers API response <https://github.com/opencontainers/distribution-spec/issues/357>
- CNCF/KubeCon meeting <https://hackmd.io/nZzK_4AfRz-xgya6KkqseA>
### Notes:
- (Jon and Brandon Mitchell had some productive chatting)
## October 24, 2022
KubeCon NA in Detroit!
**Recording**: https://youtu.be/8lPr9cbLSmA
**Event specific notes**: https://hackmd.io/nZzK_4AfRz-xgya6KkqseA
## October 20, 2022
**Recording**: https://youtu.be/O1aNjcC_0d8
### Attendees:
- Lachlan Evenson
- Amye Scavarda Perrin
- Brandon Mitchell
- Nisha Kumar
- Tianon Gravi
- Michael Brown
- Josh Dolitsky
- Phil Estes
- Jon Johnson
- Sajay Antony
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- <https://github.com/opencontainers/image-spec/pull/957>
- _add your items_
### Presentation/Discussion Agenda Items:
- OCI summit Monday, October 24 (before KubeCon): https://hackmd.io/nZzK_4AfRz-xgya6KkqseA
- Proposal: Change artifactType from SHOULD to MUST (Lachlan) - https://github.com/opencontainers/image-spec/issues/968
- Improvements to artifactType definition and examples for clarity (Lachlan)
- _add your items_
### Notes:
## October 13, 2022
**Recording**: https://youtu.be/UbbbFroXIAQ
### Attendees:
- Brandon Mitchell
- Michael Brown
- Samuel Karp
- Nisha
- Sajay
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Artifact Testing Reviews needed <https://github.com/opencontainers/image-spec/pull/942>
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- OCI summit Monday, October 24 (before KubeCon): https://hackmd.io/nZzK_4AfRz-xgya6KkqseA
- Deprecating foreign layers [Jason]
- The only use of them in the wild is [moving away from them](https://techcommunity.microsoft.com/t5/containers/announcing-windows-container-base-image-redistribution-rights/ba-p/3645201)
- [Justin says](https://twitter.com/justincormack/status/1580536342114492417) they can be deprecated
- Can we add language [here](https://github.com/opencontainers/image-spec/blob/main/layer.md#non-distributable-layers) along the lines of, "This layer type is considered deprecated, and not recommended for future use. Clients should still consider them when moving images (for backward compatibility) but in general SHOULD NOT produce new layers with that type."
- Wasm considerations for image-spec [Jason]
- Wasm is using OCI images to package and distribute (that's good!)
- ...but currently only building single-platform images, and lying about their OS+arch being `linux/amd64` (that's bad!)
- want to do better, but image-spec guidance is lacking
- `.platform.os` field is `REQUIRED` but not meaningful to Wasm
- guidance is to use values of Go's `GOOS` and `GOARCH`
- As specified, this would mean `os=js`, `arch=wasm`
- Go's Wasm support is lagging far behind Rust and TypeScript.
- aside: `GOARCH=wasm` is 32-bit -- `wasm64` may come later
- aside: `amd64` variants [#852](https://github.com/opencontainers/image-spec/issues/852)
- Wasm may have variants (`spin` and `slight` today) -- should they register them with OCI?
- They seem okay with `os=wasi`, `arch=wasm`, `variant=spin` (etc)
- **Specific asks:**
- specifying an exception to the `GOOS` rule for `wasi`?
- specifying known variants for when `arch=wasm`, but you can also BYO?
- Questions from Jon:
- what's the layer media type? (A: `application/vnd.docker.image.rootfs.diff.tar.gzip`)
- do they set the entrypoint? (A: No, not today, but we could recommend/require it)
- Resuming interrupted PATCH request (Brandon)
- API to get status of an upload is not defined
- Procedure to get the current "Location" and "Range" is not defined by OCI
- Docker API has a `GET /v2/<repo>/blobs/uploads/<uuid>` ([ref](https://github.com/distribution/distribution/blob/5cb406d511b7b9163bff9b6439072e4892e5ae3b/docs/spec/api.md#upload-progress))
- Related: <https://github.com/opencontainers/distribution-spec/issues/352>
- New Netlify image is needed <https://github.com/opencontainers/opencontainers.org/issues/120> (Brandon)
- Embedding Platform in Config <https://github.com/opencontainers/image-spec/pull/949> (Brandon)
### Notes:
## October 6, 2022
**Recording**: https://youtu.be/8X8vxWohmqA
### Attendees:
- Brandon Mitchell
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- https://hackmd.io/nZzK_4AfRz-xgya6KkqseA
### Notes:
## September 29, 2022
**Recording**: https://youtu.be/DyUfew4gF3c
### Attendees:
- Brandon Mitchell
- ASP
- Sajay Antony
- Mike Brown (IBM)
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- OCI Meeting at KubeCon + virtual; October 24th from 10am to 12pm Central
- RC2 is looking for votes: <https://github.com/opencontainers/image-spec/pull/958>
### Notes:
## September 22, 2022
**Recording**: https://youtu.be/F9gmGcKq9rM
### Attendees:
- Lachlan Evenson
- Mike Brown (IBM)
- Brandon
- Sajay
- Tianon
- Brian Goff
- VBatts
- Nisha
- Ramkumar Chinchani
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Continue discussion on RC1 release [Brandon/Josh/Sajay]
- Distribution spec - https://github.com/opencontainers/distribution-spec/pull/348
- Image Spec - https://github.com/opencontainers/image-spec/pull/953
- Reviewing 1.0.3 tagging option: <https://github.com/opencontainers/image-spec/issues/918>
- _add your items_
### Notes:
## September 15, 2022
**Recording**: https://youtu.be/jqtaJn6s6uo
### Attendees:
- Samuel Karp
- Sajay Antony
- Brandon Mitchell
- Josh Dolitsky
- Michael Brown (IBM)
- Michael Brown (AWS)
- Brian Goff
- Brandon Klein
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- [Rename refers field to subject](https://github.com/opencontainers/image-spec/pull/950)
- [Distribution Spec](https://github.com/opencontainers/distribution-spec/pull/344)
- Need approval from maintainers @sajay
- Discuss the process for releasing the spec to enable downstream consumers of the new specification @lachie83 (out on jury duty)
- https://github.com/opencontainers/image-spec/issues/952
- https://github.com/opencontainers/distribution-spec/issues/337
- Remaining items:
- <https://github.com/opencontainers/image-spec/issues/940>
- <https://github.com/opencontainers/distribution-spec/issues/337>
- Cutting an RC:
1. Open a PR titled `v1.0.0-rc0`
2. TODO (contents of PR)
3. Email to `dev@opencontainers.org`.
4. Subject `[image-spec VOTE] tag <shorthash> as v1.1.0-rc0 (closes Mon 19 Apr 2021 10:00:00 PM UTC)` (date is 7 days from now)
5. Body:
```
```
- _add your items_
### Notes:
## September 8, 2022
**Recording**: https://youtu.be/9k2QbsrbkY0
### Attendees:
- Samuel Karp
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- <https://github.com/opencontainers/image-spec/issues/940>
- <https://github.com/opencontainers/opencontainers.org/pull/118>
- _add your items_
### Notes:
## September 1, 2022
**Recording**: https://youtu.be/t28jnJgPOqI
### Attendees:
- Brandon Mitchell
- Michael Brown
- Josh Dolitsky
- Nisha Kumar
- Sam Karp
- Brandon Thorin Klein
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- <https://github.com/opencontainers/image-spec/issues/940>
- <https://github.com/opencontainers/distribution-spec/issues/337>
- _add your items_
### Notes:
- [Michael] turn [this issue](https://github.com/opencontainers/distribution-spec/issues/340) into a vote.
- Nisha is adding alternatives to refers/referrers to <https://github.com/opencontainers/image-spec/issues/940>
## August 25, 2022
**Recording**: https://youtu.be/yycxvdu8HpM
### Attendees:
- Phil Estes
- Lachlan Evenson
- Brandon Mitchell
- Mike Brown
- Vincent Batts
- Sajay Antony
- Jesse Butler
- Tianon Gravi
- Ramkumar Chinchani
- Kyle Smith
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Working Group Proposal Merge (Brandon):
- [image-spec](https://github.com/opencontainers/image-spec/pull/934)
- [distribution-spec](https://github.com/opencontainers/distribution-spec/pull/335)
- Issue and PR review (Brandon)
- _add your items_
### Notes:
- Future TODO items:
- Update image-spec spec.md definitions to match distribution-spec
- "Refers": add "field" or "to"?
- "Referrers": add "list"?
- Change Object to *object*
- Change "registry SHOULD accept a manifest with a `refers`" to "MUST"
- include details of why, how to GC
- Change `<reference>` to `<digest>` and define `<digest>`
- "tags may be added in the future"
- Add "note" to "Multiple clients could attempt to update the tag simultaneously resulting in race conditions and data loss."
## August 18, 2022
**Recording**: https://youtu.be/d7WHS5fPl3k
### Attendees:
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Working Group Proposal Updates (Brandon):
- [image-spec](https://github.com/opencontainers/image-spec/pull/934)
- [distribution-spec](https://github.com/opencontainers/distribution-spec/pull/335)
- Possibility of project meeting at KubeCon? (ASP)
- Need to check on availability for hybrid
- [Naming discussion](https://github.com/opencontainers/wg-reference-types/issues/41)
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
## August 11, 2022
**Recording**: https://youtu.be/Hfy8umF8p20
### Attendees:
- Brandon Mitchell
- Sajay Antony
- Josh Dolitsky
- Jimmy Zelinskie
- Vincent Batts
- Lachlan Evenson
- Michael Brown (AWS)
- Nisha
- Samuel Karp
- Brian Goff
- Tianon Gravi
- Ramkumar Chinchani
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Working Group Proposal (Brandon, Josh, Sajay, Nisha, and many others):
- [image-spec](https://github.com/opencontainers/image-spec/pull/934)
- [distribution-spec](https://github.com/opencontainers/distribution-spec/pull/335)
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
- Next steps on the referrers API WG:
- Get this Zoom recording, and share for review
- https://github.com/opencontainers/image-spec/pull/934
- https://github.com/opencontainers/distribution-spec/pull/335
- Allow for 2wks - 1mo for review before merge
## August 4, 2022
No agenda, canceled
## July 28, 2022
No agenda, just a short informal discussion on GC policies and the working group.
## July 21, 2022
No agenda, canceled
## July 14, 2022
No agenda, canceled
## July 7, 2022
### Attendees:
- _add yourself_
- Brandon Mitchell
- Ramkumar Chinchani (Cisco/zot)
- Sajay Antony
- Mike Brown (IBM)
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
- How should new specs be delivered from a WG to OCI?
- [Draft: WG for Reference Spec](https://github.com/opencontainers/tob/pull/114)
- https://github.com/opencontainers/artifacts/pull/56
- image-spec needs some pruning:
- https://github.com/opencontainers/image-spec/pull/927
- https://github.com/opencontainers/image-spec/pull/926
### Notes:
## June 30, 2022
### Attendees:
- Brandon Mitchell
- Phil Estes
- Ramkumar Chinchani (Cisco)
- Tianon
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- Options for immutable tags [distribution-spec PR #320](https://github.com/opencontainers/distribution-spec/pull/320) (Brandon)
- Creation of a working group to standardize the reference syntax. (Brandon)
- [PR Opened](https://github.com/opencontainers/tob/pull/114)
- Cross-registry blob mounting ([distribution-spec#323](https://github.com/opencontainers/distribution-spec/issues/323)) interest? (Jon)
- _add your items_
### Notes:
## June 23, 2022
### Attendees:
- Tianon
- Jason
- Flavian
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- Nisha: are registries required to verify digests on push?
- Tianon: image-spec says SHOULD, no conformance test though
- https://github.com/opencontainers/image-spec/blob/v1.0.1/descriptor.md#verification
- Nisha: zot seems to not verify
- Jason: zot is listed as conformant
- https://github.com/opencontainers/oci-conformance/tree/main/distribution-spec/v1.0/zot
- [Jason] OCI recommending a header for manifest/blob pulls to denote the image ref that request is being made for
- help registry operators attribute pulls to images --> better rate limits
- build this into clients
- go-containerregistry prototype [here](https://github.com/google/go-containerregistry/pull/1369)
- Flavian: potentially also a useful signal for GC -- e.g., don't GC something that was implicated in a pull in the last N days
- Quay does something similar, where blobs are associated with a repo instead of a manifest until a subsequent manifest push references the blob; blobs only referenced by repos and not by manifests are GCed after ~1h.
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
## June 16, 2022
### Attendees:
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
## Jun 9, 2022
### Attendees
- David Arnold
- Zack Newman
- Flavian Missi
- Tianon
- Brandon Mitchell
- Josh Dolitsky
- Sajay Antony
- _add yourself_
### Note Taker:
- Brandon
### Actionable Agenda Items:
- _add your items_
### Presentation/Discussion Agenda Items:
- OCI Image support for Nix Store Paths:
- https://github.com/opencontainers/image-spec/issues/922
### Notes:
- Looking to store Nix data in OCI blobs
- Can't use layers because of overlay limits on number of layers
- Would use their own distribution-spec implementation
- Need some kind of runtime to assemble the filesystem without overlay for Nix components
- Nix currently has a cache, sometimes forced to rebuild on a cache miss, would like a registry to keep the store
- When glibc updates, all child objects in the store need to be recreated
## Jun 2, 2022
### Attendees
- Brandon Mitchell
- Tianon
- Nisha
- Josh Dolitsky
- Mike Brown
- _add yourself_
### Note Taker:
- Nisha/Brandon
### Actionable Agenda Items:
- Who's taking notes?
- PR https://github.com/opencontainers/image-spec/pull/919
- How do we bother the image spec maintainers?
- Brandon pinged all maintainers on GitHub
- Josh will reach out to Steveeo(?)
- [Proposal F](https://github.com/opencontainers/wg-reference-types/issues/50)
- Still waiting for PR to review
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
## May 26, 2022
### Attendees
- Brandon Mitchell
- Tianon
- Brandon K
- Nisha
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- PR https://github.com/opencontainers/image-spec/pull/919
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
## May 12, 2022
### Attendees:
- Phil Estes (AWS)
- Sajay Antony
- Tianon
- Flavian Missi
- Silvin Lubecki
- _add yourself_
### Note Taker:
-
### Actionable Agenda Items:
- ~~Punted from last week: [image-spec maintainers](https://github.com/opencontainers/image-spec/pull/910) (Josh)~~
- Merged 🎉
- [Minimum criteria for new maintainers](https://github.com/opencontainers/image-spec/issues/912) (Josh)
- 2 PRs already open to add [Sajay](https://github.com/opencontainers/image-spec/pull/911) and [Brandon](https://github.com/opencontainers/image-spec/pull/909)
- The issue of timezones
### Presentation/Discussion Agenda Items:
-
### Notes:
- New maintainers: a new PR template will be added so that existing maintainers can nominate new maintainers (Nisha volunteered to submit PR)
## May 5, 2022
### Attendees:
- Sajay Antony
- Brandon Mitchell
- Flavian Missi
- _add yourself_
### Note Taker:
-
### Actionable Agenda Items:
- [image-spec maintainers](https://github.com/opencontainers/image-spec/pull/910) (Josh)
- [distribution-spec registry vs repository](https://github.com/opencontainers/distribution-spec/pull/325) (Brandon)
### Presentation/Discussion Agenda Items:
- How should changes to distribution-spec be proposed? https://github.com/opencontainers/distribution-spec/issues/324 (Brandon)
### Notes:
-
## April 28, 2022
### Attendees:
- Sajay
- Brandon M
- Brandon K
- Ram
- Tianon
- Josh
- MII
- Kyle S
### Note Taker:
-
### Actionable Agenda Items:
-
### Presentation/Discussion Agenda Items:
- https://github.com/opencontainers/image-spec/issues/907
### Notes:
-
## April 21, 2022
### Attendees:
- Vincent Batts
- Brandon Mitchell
- Samuel Karp
- Mike Brown (IBM)
- Brandon Klein
- Kyle Smith (Full Sail)
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
- Areas for future standards
- Authentication
- Defining the reference and how "alpine" goes to Hub
- Allowing redirects in distribution-spec response codes
- What is needed for [Proposal E](https://github.com/opencontainers/wg-reference-types/pull/38) to get merged in spec changes
- [[RFC] move descriptor (and layout?) to distribution-spec](https://github.com/opencontainers/image-spec/issues/907)
- Issue with slack join link is being worked on
## April 14, 2022
### Attendees:
- Brandon Mitchell
- Phil Estes
- Vincent Batts
- Tianon
- Amye
- Brandon Klein
- Brian Goff
- Josh Dolitsky
- Steve Lasker
- Sajay
- Ramkumar Chinchani
- Mike Brown(IBM)
- Kyle Smith
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- _add your items_
### Presentation/Discussion Agenda Items:
- [Immutable tags](https://github.com/opencontainers/distribution-spec/pull/320) (Brandon)
- Working Group Update: [Proposal E](https://github.com/opencontainers/wg-reference-types/pull/38) (Brandon)
- _add your items_
### Notes:
## April 2021 - March 2022 Call Logs
The third year of archived call logs is located on OCI GitHub as [oci-weekly-notes-2021-apr-2022-mar.md](https://github.com/opencontainers/.github/blob/master/meeting-notes/oci-weekly-notes-2021-apr-2022-mar.md).
## April 2020 - March 2021 Call Logs
The second year of archived call logs is located on OCI GitHub as [oci-weekly-notes-2020-apr-2021-mar.md](https://github.com/opencontainers/.github/blob/master/meeting-notes/oci-weekly-notes-2020-apr-2021-mar.md).
## March 2019 - March 2020 Call Logs
Older call logs are archived on the OCI GitHub [here](https://github.com/opencontainers/.github/blob/master/meeting-notes/oci-weekly-notes-2019-mar-2020-mar.md) covering March 2019 - March 2020.
## Template
## Meeting Date
### Attendees:
- _add yourself_
### Note Taker:
- _add note taker_
### Actionable Agenda Items:
- Who's taking notes?
- _add your items_
### Presentation/Discussion Agenda Items:
- _add your items_
### Notes:
- _add your notes_