oci discussionTime: 1700 GMT (1300 EST; 1000 PST; 1900 CET; 0300 AEST; 0100 CST)
Dial by your location
+1 646 558 8656 US (New York)
+1 669 900 6833 US (San Jose)
877 369 0926 US Toll-free
855 880 1246 US Toll-free
Meeting ID: 644 941 5895
Find your local number: https://zoom.us/u/aLDk4OXTu
Working groups:
template at the bottom
Recording: https://youtu.be/XojSHq6L0mI
Notes from the zoom chat:
00:12:43 Brian Goff (@cpuguy83): Oh I came at just the right time.
00:14:03 Brian Goff (@cpuguy83): I have a rant about this every go release.
00:14:11 Tianon (he/him): the longer I use Go, the more heavily https://fasterthanli.me/articles/i-want-off-mr-golangs-wild-ride resonates with me
00:14:25 Ramkumar Chinchani: if we disagree with their approach, we should write our own language&compiler
00:16:23 Jory Burson (LF): Preach. Tianon!
Recording: https://youtu.be/bOq246XSSq8
Notes from the zoom chat:
00:29:55 Tianon (he/him): "As implied by the 202 status code, deletion may happen asynchronously."
00:30:25 Tianon (he/him): Replying to ""As implied by the 2…" sorry, MAY
00:35:23 Jory Burson (LF): Tuesday, 1 April, from 10:00-12:00
00:36:37 Jeff Carter: there is a "I'm a teapot" code, maybe there should be a "i'm a wizard" code
00:36:41 Brian Goff (@cpuguy83): Because http/2 requires wizardry.
00:40:53 Jeff Carter: how is the json formatted?
00:42:23 Samuel Karp: need to drop, thanks
00:42:41 Tianon (he/him): Replying to "how is the json form…" in the canonical way (as opposed to canonical json)
00:54:22 Tianon (he/him): I'll blow away those 10 thousand manifests to the tune of the famous disturbed song too
Recording: https://youtu.be/pVBydQhEP2E
none
From the zoom chat:
00:03:05 Tianon (he/him): Harry starting right into a landmine 😀
00:03:49 Tianon (he/him): https://github.com/opencontainers/image-spec/blob/v1.1.1/annotations.md#pre-defined-annotation-keys:~:text=org.opencontainers.image.ref.name
00:08:26 Ramkumar Chinchani: This SHOULD be a fully qualified reference name, without any assumed default registry. (e.g., registry.example.com/my-org/my-image:tag instead of my-org/my-image:tag). only for base.name?
00:10:49 Tianon (he/him): @Brian Goff (@cpuguy83) gonna pipe up for his Microsoft friends that he wants UTF-16 instead 😂
00:11:08 Tianon (he/him): Replying to "@Brian Goff (@cpuguy…" the untold horrors of the Windows ecosystem
00:11:32 Brian Goff (@cpuguy83): And we're not there 🙂
00:12:18 Harry Randazzo: Gotta drop early, I'll come next week with more landmines 😅
00:13:50 Brian Goff (@cpuguy83): Replying to "@Brian Goff (@cpuguy…" 16 is better than 8 right?
00:14:21 Brian Goff (@cpuguy83): Quick someone say something controversial
Recording: https://youtu.be/NWn9I09lx2k
Notes from the zoom chat:
00:05:34 Brian Goff (@cpuguy83): Kelvin or bust.
00:09:48 Tianon (he/him): https://github.com/docker-library/official-images/issues/17720#issuecomment-2450200677
00:13:40 Brian Goff (@cpuguy83): Much easier to add the field… that said transport layer compression is ideal.
00:15:11 Brian Goff (@cpuguy83): Oh no, Sajay is gone.
00:15:18 Brian Goff (@cpuguy83): Oh nevermind,
00:15:25 Brian Goff (@cpuguy83): UI disappeared.
00:15:34 Sajay Antony: I'm just staying silent on this one @Brian.
00:16:22 Brian Goff (@cpuguy83): Good news, Go is going to add content negotiation to the stdlib.
00:17:00 Tianon (he/him): Replying to "Good news, Go is goi…" https://github.com/golang/go/issues/19307 for folks unfamiliar with that discussion
00:18:10 Sajay Antony: Server side CPU and compression offloading will really have to evaluated is my guess.
00:18:47 Ramkumar Chinchani: i am also hearing transcoding?
00:19:28 Brandon Mitchell: https://github.com/opencontainers/image-spec/blob/main/image-layout.md
00:19:38 Sajay Antony: Image downloading 5-10GB models onto 100s of VMs.
00:19:54 Sajay Antony: "Imagine"
00:27:01 Tianon (he/him): KILL DIFFID
00:27:07 Jeff Carter: We’ve started to see 150 gb models recently
00:29:42 Brian Goff (@cpuguy83): Not compressing layers fixes a lot of issues at the runtime side.
00:30:39 W. Trevor King: I have to drop for another meeting; fun times :)
00:36:39 Tianon (he/him): Replying to "Not compressing laye…" yeah, for sure – compression is what makes mounting tarballs hairy (making a map of the files in the tar is trivial otherwise)
00:38:04 Ramkumar Chinchani: main concern is … is there enough information at all places (servers and clients) where gzip(gunzip(gzip(blob)) = gzip(blob) etc
00:38:21 Sajay Antony: Hoops we have to jump through @Brian - containerd/accelerated-container-image: A production-ready remote container image format (overlaybd) and snapshotter based on block-device.
00:41:30 Brandon Mitchell: Hat tip to Ram for directly asking the question I was too polite to ask. :D
00:49:08 Brian Goff (@cpuguy83): Definitely my assumption as well.
00:53:07 Brian Goff (@cpuguy83): I guess in this case the registry would only really be able to store this using the lowest common denominator compression… assuming it wouldn't want to store the same compressed data in 2 (or more) different formats.
00:53:37 Brian Goff (@cpuguy83): Which makes zstd a no-go here.
00:56:20 Brian Goff (@cpuguy83): Oh that's a great point, @Tianon (he/him)
00:57:03 Ramkumar Chinchani: network is cheap/free is a myth - i keep getting ratelimited everywhere there are other cheap/free myths about CPU and memory
Recording: https://youtu.be/wlIuxqH818k
Notes from the zoom chat:
00:03:04 Sajay Antony: Good to see you Josh.
00:06:49 Brian Goff (@cpuguy83): <shudderas as I look at my Teams window>
00:07:30 Brandon Mitchell: The browser app is the only way I share a screen in zoom now.
00:19:28 Tianon (he/him): https://oci.dag.dev/?repo=tomcat 😅 (more advanced filtering would be awesome IMO, but I don't have high confidence that it's realistic to expect registries to implement it)
00:19:49 Sajay Antony: There are older issues for improved tag listing
00:19:49 Sajay Antony: - [RFP] replace catalog API functionality · Issue #22 · opencontainers/distribution-spec
00:19:49 Sajay Antony: Lexial discussion - Proposal: Allow listing tags in reverse lexical order · Issue #545 · opencontainers/distribution-spec
00:19:49 Sajay Antony: There have been a lot of request for better tag listing/searching
00:22:26 Tianon (he/him): image index 👀
00:23:34 Sajay Antony: John had pointed to GCR manifest/list endpoint in one of those issues and also - docs: initial commit for search extension by rchincha · Pull Request #504 · opencontainers/distribution-spec
00:25:47 Tianon (he/him): see https://oci.dag.dev/?repo=gcr.io/go-containerregistry/crane for the data GCR provides in practice
00:26:06 Tianon (he/him): Replying to "see https://oci.dag…" "timeCreatedMs": "-6795364578871", this is adorable though
00:29:36 Tianon (he/him): https://github.com/opencontainers/distribution-spec/issues/443 + https://github.com/opencontainers/distribution-spec/issues/446
00:31:21 Ramkumar Chinchani: https://github.com/opencontainers/wg-auth
00:33:56 Ramkumar Chinchani: Replying to "https://github.com/o…" auth not in the spec is messed up
00:35:37 W. Trevor King: I think it's worth trying to find things that can improve the conformance tests in a bunch of tiny pivots, instead of trying to address all the sticky points in one big pivot. Yes, there will be lots of bits that stay sticky until eventually all the issues get polished out, but you aren't hamstrung in the meantime
00:36:53 Sajay Antony: @Ramkumar Chinchani does zot support 512 manifests?
00:39:32 Ramkumar Chinchani: Replying to "@Ramkumar Chinchani …" Yes it does. We moved away from hardcoded digest algos a while ago.
00:41:04 Ramkumar Chinchani: Replying to "@Ramkumar Chinchani …" But as always, trust but verify.
00:41:33 Sajay Antony: NTD for another call folks. Hard to skip that one.
00:43:53 W. Trevor King: I'm also not Quay, but was poking around re: referrer API pessimisim and found https://www.redhat.com/en/blog/announcing-open-container-initiativereferrers-api-quayio-step-towards-enhanced-security-and-compliance from December
00:44:07 Samuel Karp: Which redirect?
00:45:33 Samuel Karp: https://opencontainers.org/about/governance
Recording: https://youtu.be/XukRCe16WEU
Notes from the zoom chat:
00:08:51 Brandon Mitchell: https://github.com/C2SP/C2SP/blob/main/BLAKE3.md
00:09:40 Jory Burson (LF): Merging https://github.com/opencontainers/tob/pull/146
00:24:40 Tianon (he/him): "Go-http-client" shaking my fist at Go
00:28:16 Sajay Antony: I like the idea of an intent honestly.
00:29:15 Jory Burson (LF): Brb - need to take a quick call
00:32:21 Tianon (he/him): retention policies and a truly content-addressable store are concepts that are somewhat at odds, and that is part of why this is a hard conversation we keep having 😄
00:32:53 Sajay Antony: @Michael @shama - do you folks see scanners being able to produce this header.
00:32:57 Tianon (he/him): Replying to "retention policies a…" ie, can't have meaningful content-addressable storage if the content you're trying to address goes away 😅
00:37:03 Sajay Antony: That compounded usecase is what I am concerned about.
00:41:52 Kyle Crane: I am new to the community.
00:42:03 Sajay Antony: Good discussion and seems like I got involved in his and missed an overlapping meeting. NTD folks.
00:42:20 Sajay Antony: *this -> scanner
00:42:30 Tianon (he/him): Replying to "I am new to the comm…" at the risk of being a little bit weird, I really love your name and hope you're familiar with https://github.com/google/go-containerregistry/tree/main/cmd/crane 😄❤️
00:45:44 Kyle Crane: Replying to "I am new to the comm…" Full disclosure, I am working on https://www.signal.fyi/ . Here to make sure I am building in alignment with community best practice. This is the normal name reference I get: https://dyinglight.fandom.com/wiki/Kyle_Crane
00:53:33 Jory Burson (LF): I came back!
00:56:00 Jory Burson (LF): DAG-nabbit!
Recording: https://youtu.be/tEyIaHmtVlI
Notes from the zoom chat:
00:10:44 Brandon Mitchell: https://github.com/opencontainers/distribution-spec/blob/7872490e9d4943b20f11e21475bc13fd2e02b7d8/spec.md#L164-L166
00:11:48 Ramkumar Chinchani: Maybe some alg-names are special keywords and become an exception
00:12:01 Sajay Antony: Do we know why are they using the tag schema?
00:12:43 Tianon (he/him): a fun example of different ways these length limits become load-bearing in sometimes unexpected ways: https://github.com/goharbor/harbor/issues/15067
00:14:13 Mike Brown: https://github.com/opencontainers/distribution-spec/pull/256
00:17:06 Jory Burson (LF): Imma get a Blake3 hat for this call
00:18:48 Tianon (he/him): Replying to "Imma get a Blake3 ha…" if you actually do so, you should reach out to Jon because he's definitely a hat guy and would probably love this
00:22:36 Brandon Mitchell: https://github.com/opencontainers/image-spec/blob/fbb4662eb53b80bd38f7597406cf1211317768f0/descriptor.md#L156-L162
00:25:57 Tianon (he/him): "finding holes in stuff [we] never even considered" is wking's historic OCI legacy 🙂
00:26:30 Sajay Antony: What client/registry is this facing a problem with?
00:28:02 Tianon (he/him): Replying to "What client/registry…" given Mrunal is back too, I'm guessing this is FIPS-related (where Uncle Sam has decided that SHA-512 is "post-quantum safe" even though it just moves the goalpost further out) 👀
00:36:21 Ramkumar Chinchani: Replying to "What client/registry…" isn't all crypto like that?
00:37:56 Tianon (he/him): Replying to "What client/registry…" sure, but if the goal is explicitly the combination of FIPS compliance and post-quantum, I think there might be other hashing algorithms we should consider as well/instead
00:38:14 Tianon (he/him): Replying to "What client/registry…" ie, if we have to break a lot of stuff to get SHA-512 working, let's do that work for something more interesting instead
00:41:50 Tianon (he/him): Replying to "What client/registry…" I talked to a few folks (who I unfortunately couldn't convince to join this call) about post-quantum hashing who have a lot more experience with it than I do (which doesn't take much but it's something), and their honest recommendation was that blake3 is probably worth considering over SHA-512, but with the important caveat that it's not FIPS-approved
00:43:56 Mrunal Patel: Replying to "What client/registry…" I think it would be best to make it configurable so both aspects are covered. 1. Being compliant with FIPS 2. Using the most secure / best crypto export recommended algorithm that FIPS hasn't caught up to yet.
00:45:37 Tianon (he/him): Replying to "What client/registry…" the "fractal of complexity" option, yep, I dig it 😁 (that's in-line with how the formats are designed for sure, and I imagine is part of why in-toto's "descriptor" analogue has digests be a list instead of a single value)
00:52:17 Tianon (he/him): https://github.com/CloudNativeAI/model-spec/blob/main/docs/spec.md fwiw, someone's been listening and these are tar-based 🙂
00:53:30 Brandon Mitchell: Replying to "https://github.com/C…" I chimed in on that one when they wanted to make it an Artifact without tars.
00:55:10 Tianon (he/him): https://github.com/moby/moby/pull/48798 merged yesterday 👀
Recording: https://youtu.be/cu5qD5I0T7Q
Notes from zoom chat:
00:02:39 Brandon Mitchell: https://opencontainers.org/about/tob/
00:13:39 Samuel Karp: I'm guessing I missed this; is there a short summary of the motivation for sha512 over sha256?
00:14:43 Ramkumar Chinchani: We have been discussing BLAKE3 for performance reasons https://crypto.stackexchange.com/questions/88585/post-quantum-security-of-the-blake-family
00:15:13 Samuel Karp: Yeah, performance reasons for BLAKE3 make sense, but both sha256 and sha512 are from the SHA-2 family.
00:16:11 Ramkumar Chinchani: In general, the theme is a future of mixed crypto is near, possibly very near
00:16:17 Syed Ahmed: It’s a suggestion from CNSA
00:16:56 Syed Ahmed: https://media.defense.gov/2022/Sep/07/2003071836/-1/-1/0/CSI_CNSA_2.0_FAQ_.PDF
00:17:42 Jory Burson (LF): (TOB election, in case someone wants to nominate cough Sam cough
00:17:47 Jory Burson (LF): https://github.com/opencontainers/tob/issues/147
00:18:06 Mike Brown: PAUL SCHWEIGERT paulschw@us.ibm.com ibm research working on quantum safe algs.. or at least would have the links
00:18:33 Mrunal Patel: Thanks Mike!
00:19:32 Tianon (he/him): Replying to "https://media.defens…" my reading of this is "if you're using SHA, make sure it's 384 or 512", not "you should use SHA-512", but maybe I've missed something 😅
00:20:52 Syed Ahmed: Replying to "https://media.defens…" No, that’s what I read as well. looks like we have the option of 384/512
00:29:12 Mike Brown: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests
00:29:28 Mrunal Patel: Thanks!
00:30:19 Mike Brown: “Registered algorithms: While the algorithm component of the digest string allows the use of a variety of cryptographic algorithms, compliant implementations SHOULD use SHA-256.”
00:35:53 Ramkumar Chinchani: https://zotregistry.dev/ zot should also support this imo out of the box
00:36:07 Brandon Mitchell: https://github.com/olareg/olareg
00:36:22 Mrunal Patel: Thanks for the links!
00:36:26 Mike Brown: https://github.com/opencontainers/go-digest
00:36:48 Brandon Mitchell: https://github.com/regclient/regclient
00:36:57 Brandon Mitchell: "regctl image mod"
00:48:13 Jory Burson (LF): @Brandon Mitchell I’ve readied the member notice for the release, any questions before that goes out
00:48:35 Brandon Mitchell: Replying to "@Brandon Mitchell I’…" None from me, ship it
00:49:18 Jory Burson (LF): Replying to "@Brandon Mitchell I’…" 30 day period ends on March 1, FYI
00:57:26 Brandon Mitchell: https://github.com/kubernetes-sigs/node-feature-discovery/releases/tag/v0.17.0
01:02:19 Ramkumar Chinchani: ntd
Recording: https://youtu.be/bWmUfnFMmjY
None
actions.yml to avoid breaking everyone's CI:
Notes from the zoom chat:
00:04:12 Ramkumar Chinchani: https://github.com/containerd/containerd/pull/10705 just fyi, if folks not already aware
00:07:45 Brandon Mitchell: https://github.com/opencontainers/image-spec/releases/tag/v1.0.2
00:11:19 Jory Burson (LF): That explains it, I was hanging out in the wrong zoom 🤦♀️
00:18:22 Tianon (he/him): pretty sure the major.minor.patch terminology predates semver 😅
00:25:20 Derek McGowan: Co-located with which event?
00:33:08 Samuel Karp: I won't be able to attend Amsterdam
00:35:47 Mike Brown: container plumbing days / mini summit for oci.. spin it with some AI related projects how does oci enable ___
00:37:07 Tianon (he/him): "miner patch"
00:41:28 Mike Brown: optimize process for handling oci media types… more than “convert"
00:42:49 Mike Brown: “only one mount is required for each container image instead of one mount per layer "
00:42:54 Mike Brown: interesting ^^
00:43:29 Samuel Karp: the container mountns only sees one mount that is the rootfs, but we do have more mounts outside the container mountns
00:45:22 Brandon Mitchell: https://github.com/opencontainers/wg-image-compatibility/tree/main/docs/proposals
00:47:45 Brandon Mitchell: https://github.com/opencontainers/image-spec/blob/main/image-index.md
00:50:28 Mike Brown: https://github.com/opencontainers/image-spec/blob/main/specs-go/v1/descriptor.go#L52-L72
00:50:44 Brandon Mitchell: https://github.com/regclient/regclient/pull/775
00:52:28 Mike Brown: ah missed you guys were talking about some new prefer… vs first of a specific match to a set of platform fields
00:52:56 Mike Brown: thought we were going with the later.. for k8s like scenarios
00:56:55 Derek McGowan: https://github.com/containerd/platforms/pull/20
00:58:43 Brian Goff: buildkit…
00:58:51 Brandon Mitchell: My prefer string is ugly https://github.com/regclient/regclient/pull/775/files#diff-fa22c7f98e5449042e7dd1aba9e5cfdfec3e706dad98dbf18f9bec0a65039087R134-R138
01:01:20 Mike Brown: standards .. he who merges first..
01:01:20 Jory Burson (LF): I have to drop, talk to you folks soon!
01:02:56 Mike Brown: where I get nervous is trying to “partial” match or match one way before using a field and a different way after updating a tool
01:05:40 Samuel Karp: have to drop now
Recording: https://youtu.be/SrYt6Y2GnX0
Regrets:
None
Notes from the zoom chat:
00:16:46 Brandon Mitchell: Golang discussion on Blake3: https://github.com/golang/go/issues/36632
00:17:30 Brandon Mitchell: Also at https://github.com/golang/go/issues/32447
00:26:33 Sajay Antony: I see the love for Blake3 and want to front load all the conversations with the Security folks.
00:27:05 Sajay Antony: NTD>
00:37:16 Ramkumar Chinchani: https://specs.opencontainers.org/
00:37:21 Ramkumar Chinchani: ^ this is a real thing?
Recording: https://youtu.be/FwppRjliSb0
Notes from zoom chat:
00:04:34 Tianon (he/him): ouch
00:04:40 Tianon (he/him): I'm losing feeling in my toes just thinking about that
00:05:40 Tianon (he/him): I used to live in a place that gets snow, and now I live in Las Vegas, and that's very much not a coincidence
00:10:23 Brian Goff: referrers 🙂
00:13:16 Tianon (he/him): plop a new entry in the index; platform: { os: "metadata", architecture: "logo" }
00:13:25 Tianon (he/him): Replying to "plop a new entry in …" (for the avoidance of doubt, this is mostly trolling Brandon)
00:17:20 Brandon Mitchell: https://oci.dag.dev/
00:18:02 Tianon (he/him): Replying to "https://oci.dag.dev/…" OSS, too: https://github.com/jonjohnsonjr/dagdotdev
00:18:11 Tianon (he/him): Replying to "https://oci.dag.dev/…" (so you can run your own instance and access private data, if you need to)
00:19:18 Tianon (he/him): make the registry accept otherwise-invalid tags like xxx:_metadata to store repo-level data 👀
00:22:38 Sajay Antony: Replying to "make the registry ac…" Yep we agreed on some tag like that to have teams push their repo metadata to have the front end expose the content on the UX.
00:24:37 Mike Brown: sure would be nice if someone open sourced their registry api
00:25:05 Tianon (he/him): Replying to "sure would be nice i…" https://pkg.go.dev/cuelabs.dev/go/oci/ociregistry
00:26:17 Sajay Antony: Docker Blue … 😂
00:26:23 Brandon Mitchell: https://github.com/opencontainers/distribution-spec/issues/485
00:26:30 Brian Goff: Is the API for Hub even published?
00:26:53 Jory Burson (LF): That’s the funniest thing I’ve heard in a long while
00:27:35 Tianon (he/him): Replying to "That’s the funniest …" gonna quit tech and become a comedian ❤️
00:29:53 Jory Burson (LF): I will have to drop at the half hour but my update is that I don’t have any updates today! The Trademark Board is missing a vote or two to finish ratifying OCI’s budget. But that’s it!
00:34:17 Samuel Karp: https://github.com/opencontainers/tob#members
00:39:58 Tianon (he/him): I don't know anyone with an affinity for old software (cough https://github.com/tianon/oci-schema1 cough)
00:42:31 Brian Goff: That's some jq
00:46:16 Brandon Mitchell: https://github.com/opencontainers/distribution-spec/pull/391
00:47:51 Samuel Karp: Mute?
00:49:52 Sajay Antony: zoom is messing me with. compounded with remote machine.
00:50:38 Brandon Mitchell: https://github.com/opencontainers/image-spec/pull/1225
00:50:40 Sajay Antony: I'll take a look at 1225.
Canceled for holidays
Canceled for holidays
Recording: https://youtu.be/sjSFqoQTElw
From the zoom chat:
00:19:20 Brian Goff: If it was Seattle… I was probably there, but I don't recall.
00:19:36 Brian Goff: Replying to "If it was Seattle…" So helpful 🙂
00:19:37 Ramkumar Chinchani: fat fingers!
00:19:52 Ramkumar Chinchani: just going over the agenda items
00:21:24 Brandon Mitchell: https://containerplumbing.org/videos
00:24:12 Brian Goff: I would love to go, but life says probably otherwise.
00:41:58 Brandon Mitchell: https://datatracker.ietf.org/doc/html/rfc6919
00:42:03 Brian Goff: Love Levitz
Recording: https://youtu.be/CUyH319O9hM
From the zoom chat:
00:07:49 Sajay Antony: Yes I remember we agreed on the using the digest tag. But then its guidance only.
00:12:50 Sajay Antony: There is in general a lot of new content given all the security push.
00:14:06 Brian Goff: Graphic
00:15:14 Sajay Antony: I'd vote for removing the fallback tag in 2.0 and leave the world to settle for the next 6 months+
00:17:47 Sajay Antony: Zoom doing its thing
00:20:37 Sajay Antony: Ah .. build on a base image is interesting.
00:30:21 Jory Burson (LF): I have to drop at the half hour but wanted to share a few Back of House updates for you all:
Recording: https://youtu.be/o918_rZ5I_A
From the zoom chat:
00:01:05 Peter Treese: Hello from Baltimore
00:03:13 Brandon Mitchell: https://hackmd.io/El8Dd2xrTlCaCG59ns5cwg?both#
00:03:23 Brandon Mitchell: I know our paths have crossed a few times in the past
00:05:45 Brandon Mitchell: https://github.com/CloudNativeAI/model-spec/blob/main/docs/spec.md
00:08:54 Brandon Mitchell: https://github.com/opencontainers/image-spec/pull/1197
00:09:22 Brian Goff: If they aren't tar-shaped then it'll be pear-shaped.
00:11:15 Brian Goff: "Straight forward" depending on what standard you are using 🙂
00:17:14 Brandon Mitchell: https://github.com/opencontainers/image-spec/pull/1141
00:23:35 Brian Goff: omg it's been so long.
00:25:21 Brian Goff: Feels good to break the rules.
00:35:03 Brian Goff: Compatability
00:35:41 Brian Goff: As Tianon mentioned earlier, OCI is more or less, what Docker defined 11 years ago.
00:36:47 Brian Goff: Replying to "As Tianon mentioned …" Not to diminish effort that's been put into OCI, but everything has had to center around the original Docker implementations.
00:39:41 Brian Goff: Replying to "As Tianon mentioned …" And to add, stuff in OCI tends to bubble up from work done in the runtimes/community rather than handed down from the spec.
00:40:11 Peter Treese: Thank guys. bye
00:50:59 Brian Goff: Parallel pulls/processing.
Canceled, US holiday.
Recording: https://youtu.be/nrYorcaWNqE
Notes from the zoom chat:
00:06:19 Brandon Mitchell: https://github.com/opentofu/libregistry/tree/oci/registryprotocols/ociclient
00:10:46 Sajay Antony: basically pass in the upstream information?
00:12:16 Sajay Antony: Could you share information on the NS parameter?
00:16:34 Sajay Antony: If this is in scope or distribution, I'm trying to understand how a registry operator would use this? Creating a pull through cache rule in Amazon ECR - Amazon ECR
00:21:21 Mike Brown: https://github.com/opencontainers/distribution-spec/issues/12
00:26:13 Brandon Mitchell: ocidir://path/dir#upstream_repo:tag
00:29:29 Brandon Mitchell: docker pull proxy.example.org#docker.io/proj/image:tag
00:30:59 Sajay Antony: I'm curious if the goal is the expand the distribution spec to be a proxy as well?
00:36:39 Sajay Antony: Its quite a bit of wiring up. I think enabling a proxy for your clusters is a common theme.
00:37:06 Sajay Antony: NTD for the not so fun conflict I have.
Miss this group more 🙂
00:37:27 Mike Brown: said another way we are already proxying and need to formalize and secure it between client/registry
00:37:45 Mike Brown: and client/proxy cases
00:43:00 Ramkumar Chinchani: sorry, back from the dentist, left side still numb
00:48:11 Brian Goff: Also need to be able to experiment.
00:49:31 Brandon Mitchell: "Implementations MAY implement SHA-512 digest verification for use in descriptors." is the ultimate incompatibility feature in OCI today. :D
00:50:16 Ramkumar Chinchani: https://github.com/project-stacker/stacker
00:50:29 Ramkumar Chinchani: https://github.com/project-machine/atomfs
00:51:17 Brian Goff: Everyone hates writing json but only some people hate writing yaml.
00:51:44 Brian Goff: (tongue in cheek)
00:52:53 Brandon Mitchell: woot, OCI Layouts! 😀
Canceled for KubeCon meeting.
Recording: https://youtu.be/iYPf7hyDR5U
Recording: https://youtu.be/I7U0YbJafXQ
Notes from the zoom chat:
00:04:56 Brandon Mitchell: https://github.com/opencontainers/tob/pull/144
00:06:19 Ramkumar Chinchani: Replying to "https://github.com/o…" Cgroups lib but limited to golang?
00:09:39 Brandon Mitchell: https://github.com/opencontainers/image-spec/issues/1216
00:09:41 Sajay Antony: the uid changes, i forgot to submit my review. before.
00:20:17 Jory Burson (LF): containerd - shall we highlight that anywere
00:21:36 Brian Goff: GPT loves to write docs.
00:23:11 Brandon Mitchell: (Oh, and Sajay too, derp)
00:24:53 Brandon Mitchell: https://github.com/opencontainers/tob/issues/118
00:25:20 Samuel Karp: CIVS usually
00:30:05 Tianon (he/him): gonna get gregkh back in here one way or another! 😂
00:30:45 Sajay Antony: This group has been super supportive.
00:37:34 Sajay Antony: Sorry folks need to drop. Have to be in another call.
00:37:36 Ramkumar Chinchani: NTD
Recording: https://youtu.be/dqWUxX3fKvI
Notes from the zoom chat:
00:05:51 Tianon (he/him): https://github.com/kolyshkin
00:06:01 Brandon Mitchell: https://github.com/opencontainers/runc/issues/4114
00:10:59 Tianon (he/him): https://jqlang.github.io/jq/manual/v1.6/
00:11:11 Tianon (he/him): https://jqlang.github.io/jq/
00:11:44 Tianon (he/him): https://github.com/tianon/debian-bin/blob/7a94f900c5c6974b8c5f6b201034d1b09ae266df/jq/dpkg-version.jq
00:14:26 Brandon Mitchell: https://github.com/opencontainers/image-spec/issues/1216
00:17:09 Ramkumar Chinchani: Replying to "https://github.com/o…" don't we want to stay away from "Config" wrt artifacts?
00:23:17 Ramkumar Chinchani: Replying to "https://github.com/o…" lesser of two bad choices?
00:26:22 Ramkumar Chinchani: Replying to "https://github.com/o…" non-runnable artifacts
00:28:50 Sajay Antony: NTD to drop for cat herding. Will join back if that get's over faster 🙂
00:43:54 Tianon (he/him): https://github.com/distribution/distribution/blob/c427f845035d28faab65a9218407293bd917e7d5/docs/content/about/configuration.md#redirect
Recording: https://youtu.be/5W9qXmhWTR4
Notes from the zoom chat:
00:19:26 Tianon (he/him): arguably, every image is EOL the minute it's created, right? they can't be updated 🤔
00:19:54 Tianon (he/him): Replying to "arguably, every imag…" "supported" is probably more accurately a feature of tags - ie, "this tag will likely be updated in the future for bug fixes, security updates, etc"
00:25:05 Sajay Antony: Replying to "arguably, every imag…" This is also why we didn't invest too much effort into standardizing this.
00:28:41 Brandon Mitchell: Someone is about to break Tianon's world model: https://ttl.sh/
00:36:25 Sajay Antony: NTD. Folks.
00:36:29 Sajay Antony: Sorry.
00:38:52 Tianon (he/him): https://github.com/jonjohnsonjr/tarp
00:40:48 Tianon (he/him): Replying to "https://github.com/j…" yeah this reports empty for these layers too, wild; I wonder where it stores the ownership data 🤔
00:44:54 Tianon (he/him): https://github.com/git/git/blob/fd3785337beb285ed7fd67ce6fc3d3bed2097b40/archive-tar.c#L229-L232
00:57:00 Brandon Mitchell: https://github.com/opencontainers/image-spec/blob/main/layer.md#hardlinks
00:58:45 Tianon (he/him): I tried to replicate with <<<$'FROM bash\nRUN echo hi > foo.txt\nRUN ln foo.txt bar.txt' and the end result makes bar.txt a copy of foo.txt, not a hard link
00:59:02 Tianon (he/him): Replying to "I tried to replicate…" (confirming our expectations)
00:59:11 Brian Goff: Nope
Recording: https://youtu.be/NQflxFMrwqI
From the zoom chat:
00:05:41 Philip Laine: https://github.com/opencontainers/distribution-spec/pull/66
00:08:26 Brandon Mitchell: The slack join link is here: https://opencontainers.org/community/overview/
00:36:46 Sajay Antony: This is so interesting. I need to drop for a standing conflict. Erlang versioning I need to read up.
00:40:34 Brandon Mitchell: https://github.com/opencontainers/image-spec/pull/1197
00:45:44 Sajay Antony: Managed to get out of that meeting 🙂
00:50:38 Sajay Antony: folks have been working on CRI signature and other item validations.
00:51:29 Brandon Mitchell: custom extensions for that make a lot of sense, I worry about it getting into the k8s api directly
00:54:11 Brandon Mitchell: https://github.com/opencontainers/image-spec/pull/970
00:59:02 Brandon Mitchell: Now I'm triggered
01:01:44 Sajay Antony: atomic referrer put API, Latest referrer of an artifactType
01:02:03 Sajay Antony: Fun stuff later folks.
Recording: https://youtu.be/jur-zCrG61E
Recording: https://youtu.be/e7kLLkLvYCE
From the zoom chat:
00:06:45 Brandon Mitchell: https://groups.google.com/a/opencontainers.org/g/tob
00:07:32 Brandon Mitchell: https://github.com/opencontainers/image-tools
00:08:40 Sajay Antony: Sounds good.
00:08:48 Sajay Antony: Will reply.
00:12:41 Brandon Mitchell: https://github.com/orgs/opencontainers/teams
00:18:16 Brandon Mitchell: https://github.com/orgs/opencontainers/teams/website
Recording: https://youtu.be/SWQMmkaNWvQ
From the zoom chat:
00:05:51 Jory Burson (LF): https://youtu.be/rvrZJ5C_Nwg?t=130
00:06:50 Brandon Mitchell: So a blurry affiliation.
00:07:05 Jory Burson (LF): https://docs.google.com/document/d/1tHcSsCwlIPRr6RKaCxtY2yCMl-0Nc9PVXX-jeVmYutk/edit
00:09:57 Tianon (he/him): on the timing discussion Brandon and I were having, OCI and CNCF were both ostensibly created/announced in June 2015, although OCI had immediate action in July and CNCF didn't do much until the following year (which tracks with the "what are we?" early confusion CNCF had that I was mentioning)
00:10:39 Ramkumar Chinchani: CNCF got it right by creating a formal project onboarding process
00:13:00 Tianon (he/him): Replying to "CNCF got it right by…" for OCI, that's really more of a reflection of OCI's purpose and focus - it was never intended to be a collection of projects, but rather a place to collaborate and coordinate on the very low-level bits
00:14:20 Brandon Mitchell: Reacted to "for OCI, that's real…" with ➕
00:15:20 Brian Goff: lol, answering other people's questions.
00:16:16 Brian Goff: No, no history on hardlinks between layers here.
00:17:58 Tianon (he/him): I've sent a ping out to more Moby project maintainers to see if anyone there is willing to chime in on hard links between layers (although not holding my breath; this is a pretty hefty edge case scenario 😄)
00:19:39 Brian Goff: Replying to "I've sent a ping out…" Yeah, I imagine a lot of 🤷
Recording: https://youtu.be/7B4WAZfsB4A
From the zoom chat:
00:13:42 Brian Goff: Nope
00:17:42 Sajay Antony: I'm actually really excited to see that KEP materialize.
00:21:25 Sajay Antony: Volumes all the way down.
00:24:55 Brandon Mitchell: https://docs.google.com/document/d/1E7iKPOuyA1jxPe8vDG8aPd8jtnCEbpDpCifXDvDCnA0/edit#
00:29:25 Brandon Mitchell: https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/4639-oci-volume-source#non-goals
00:29:50 Brandon Mitchell: "Manifest list use cases are left out for now and will be restricted to matching architecture like we do today for images." I may have misread that
00:30:06 Tianon (he/him): Replying to ""Manifest list use c…" yeah that sounds correct IMO
00:30:40 Tianon (he/him): Replying to ""Manifest list use c…" but the whole discussion has me thinking about how interesting it might be to have the runtime/orchestrator mount an OCI layout inside a container 🤔
00:34:39 Sajay Antony: layers are blobs.
00:34:55 Sajay Antony: but for image its clearly defined.
00:38:23 Brian Goff: So OCI is now a nix store
00:39:25 Sajay Antony: Glad we put in the limit.
00:39:31 Sajay Antony: Need to drop folks.
00:40:49 Brian Goff: Now you just need a mat with different conclusions that you can jump to.
00:41:08 Brian Goff: Replying to "Now you just need a …" That's an "Office Space" reference
Recording: https://youtu.be/8usYqCou9TU
Zoom chat:
00:16:02 Ramkumar Chinchani: basically, http download something and bind-mount into container
00:16:52 Sajay Antony: Tianon , you bring the Joy.
00:17:23 Tianon (he/him): Replying to "Tianon , you bring t…" I try so hard - these meetings can be so dry sometimes and I want us to remember we're people 😄
00:21:14 Brandon Mitchell: I like how Non-distributable layers says that they may include URLs but that it doesn't determine non-distributable: https://github.com/opencontainers/image-spec/blob/main/layer.md#non-distributable-layers
00:22:17 Sajay Antony: Ah the OCI - docker - same difference.
00:22:27 Ramkumar Chinchani: https://sysdig.com/blog/exploit-detect-mitigate-log4j-cve/
00:25:04 Brandon Mitchell: https://github.com/opencontainers/image-spec/pull/442
00:27:19 Sajay Antony: Oh wow song download with multiple formats indexes would be cool.
00:27:32 Tianon (he/him): no interesting references to urls in https://github.com/opencontainers/distribution-spec/commit/c90b0f145ac6bc09d2636ee214486ac333edc284
00:32:39 Brian Goff: I don't think we talked about it last week and I missed the week before. Anything new re: Blake3?
00:34:34 Sajay Antony: Is there a way for Buildkit to produce Blake3 already?
00:34:51 Brian Goff: Replying to "Is there a way for B…" Nope.
00:36:54 Brandon Mitchell: https://github.com/opencontainers/go-digest/pull/66
00:37:06 Tianon (he/him): one* PR away! 😂
00:37:12 Brian Goff: Sorry, missed the last few minutes due to school calling me.
00:37:19 Tianon (he/him): Replying to "Is there a way for B…" *actual number may vary
00:37:33 Tianon (he/him): (talk to your doctor Docker to see if PRs are right for you)
00:39:12 Brian Goff: Same (re: 3rd party lib)
00:40:29 Tianon (he/him): https://github.com/golang/go/issues/36632
NTD for another meeting.tony: Sounds like Brian is signing up for championing blake3 😂
Recording: https://youtu.be/OFyzjajQ7gk
From the zoom chat:
00:03:31 Brian Goff: 2nd day of school for the kids and I'm already done this morning.
00:05:47 Tianon (he/him): and the buildkit issue is "fixed" but the fix isn't enabled by default (it's opt-in 🙃)
00:06:58 Brandon Mitchell: https://github.com/opencontainers/image-spec/issues/803
00:07:28 Brian Goff: lol I think its easier to say "z-standard" then it is to say "z-s-t-d"
00:08:19 Tianon (he/him): Replying to "lol I think its easi…" "zee studd" slurring the u a bit, for the cursed option
00:10:54 Brian Goff: +1 should
00:15:04 Sajay Antony: content Negotiation per blob?
00:19:58 Mike Brown: IMO.. on the 803 PR use plain language in a note: regarding some registries and clients MAY also… and explain that this is optional and may not be supported in all 1.0/1.1 image manifest implementations
00:32:15 Brian Goff: We have 2 digests now.
00:32:50 Brian Goff: Probably also don't need 2 digests if you can verify the uncompressed blob digest.
00:33:00 Brian Goff: (with transport compression)
00:38:31 Sajay Antony: Need to drop for some fun compliance work discussions
00:46:56 Jory Burson (LF): Back to school!
00:49:42 Brian Goff: 🎤
00:49:57 Jory Burson (LF): Oh captain my captain!
00:52:20 Mike Brown: https://github.com/opencontainers/image-spec/pull/775
00:52:21 Tianon (he/him): it's probably not productive to say "a compelling reason to get the marginal gains of zstd" in the things we're missing? 😂
00:53:00 Brian Goff: /me writes a 2nd thing called zstd
00:53:53 Brandon Mitchell: Embrace, extend, confuse
00:54:19 Brandon Mitchell: https://github.com/opencontainers/distribution-spec/issues/551
00:55:35 Mike Brown: 775 may be controversial but: “Container Runtimes
Implemented and upstreamed for containerd stack
containerd (1.3+)
https://github.com/containerd/imgcrypt
Implemented and upstreamed for RedHat stack
cri-o 1.17+
buildah 1.5+
skopeo“
The sixth year of archived call logs is located on OCI GitHub as oci-weekly-notes-2024-apr-2025-mar.md.
The fifth year of archived call logs is located on OCI GitHub as oci-weekly-notes-2023-apr-2024-mar.md.
The fourth year of archived call logs is located on OCI GitHub as oci-weekly-notes-2022-apr-2023-mar.md.
The third year of archived call logs is located on OCI GitHub as oci-weekly-notes-2021-apr-2022-mar.md.
The second year of archived call logs is located on OCI GitHub as oci-weekly-notes-2020-apr-2021-mar.md.
Older call logs are archived on the OCI GitHub here covering March 2019 - March 2020.
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe