# Distribution Weekly Discussion ###### tags: `distribution` `discussion` Time: 1500 GMT (0700 PST; 1000 EST; 1600 CET; 0100 AEDT) - [One tab Online Zoom Link](https://zoom.us/j/96409535845?pwd=Z08zSlBrOFpncldKYlZkNXZ2TzRjUT09) (a Zoom account is needed) - One tap mobile [+12532158782,,96409535845#](+12532158782,,96409535845#) US (Tacoma) [+16699006833,,96409535845#](+16699006833,,96409535845#) US (San Jose) - Find your local number: https://zoom.us/u/adFij7i6RQ - Meeting ID: 964 0953 5845 - Passcode: 77777 - Videos: [CNCF Community Distribution Meetings YouTube Playlist](https://www.youtube.com/watch?v=nEtUSulCnoo&list=PLXUbd8J1vXB_dFMMnvy78utdTOF1mE4_-) *template at the bottom* ## May 10, 2022 ### Attendees: - James Hewitt - Hayley Swimelar - Milos Gajdos ### Actionable Agenda Items: - Need to widen the discussion to include tooling/landscape. ### Presentation/Discussion Agenda Items: - Sparse indexes aka [Enable image index manifests to be pushed without their referenced images](https://github.com/distribution/distribution/issues/3628) (James Hewitt) ### Notes: - Covered the use case (in the issue) - Made it clear that the use case here is users running registries specifically to support their own infrastructure. This type of integrity check is important for public registries. - Hayley and Milos are concerned about losing graph integrity within the registry and not being able to distinguish if that is caused by an error condition (lost storage etc) or an intentially sparse manifest. There is no metadata stored by the registry that could be used to annotate a manifest list with the expected platforms - all content stored by the registry is content addressable. ## September 21, 2021 [Recording](https://youtu.be/zzjDaDEMWyE) ### Attendees: - Milos Gajdos (Docker) - Brandon Mitchell - Steve Lasker (Microsoft) - Sajay Antony (Microsoft) - Chandan Kumar Pradhan - Ashish Paikray ### Actionable Agenda Items: - _add your items_ ### Presentation/Discussion Agenda Items: - [Draft Artifacts Spec](https://github.com/oras-project/artifacts-spec/releases/tag/1.0.0-draft.1), eanbling secure supply chain artifacts (Steve) - _add your items_ ### Notes: ## July 27, 2021 ### Attendees: - Brandon Mitchell - Bracken Dawson (IBM) - Hayley Swimelar (GitLab) - _add yourself_ ### Actionable Agenda Items: - 2.7.2 release: - Should [#3459](https://github.com/distribution/distribution/pull/3459) be included to remediate [CVE-2020-26160](https://github.com/advisories/GHSA-w73w-5m7g-f7qc)? I think the backport for the release/2.7 branch is very different. ### Presentation/Discussion Agenda Items: - _add your items_ ### Notes: - Bracken will backport #3459 into 2.7.2 and check for any other potentially missed vulnerabilities. - Bracken will find out who is working on the release channels (library/registry on Docker Hub) and progress the issue if needed/possible. ## July 20, 2021 ### Attendees: - Brandon Mitchell - Steve Lasker (Microsoft) - Hayley Swimelar (GitLab) - Yan Wang (VMWare) - Bracken Dawson (IBM) - _add yourself_ ### Actionable Agenda Items: - _add your items_ ### Presentation/Discussion Agenda Items: - Buildx registry support for caching - approach for how to persist content in registries (Steve) - Discuss next steps on [disallowing blob descriptors in manifest lists](https://github.com/distribution/distribution/issues/3452). - _add your items_ ### Notes: - [Ability to add a descriptor as a 1st class manifest](https://github.com/opencontainers/distribution-spec/issues/252) - [Define a manifest](https://github.com/opencontainers/distribution-spec/issues/290) - Haley - would like a sense of predictability. Principals of least suprpise. - If we need to do inspection of mediaType, specific artifactTypes may stop working. Defining a set of constraints around what to expect, within contraints on the APIs. - Brandon - would like to find an end state that applies to anyone doing tasks like buildx. - Bracken - Joāo's issue to move BuildX to OCI Manifest: https://github.com/moby/buildkit/issues/2251 - Issue with index containing blobs for a registry include: - Garbage collection processes - Translation of manifests to older media types - Validation of manifest - Would be useful for registries to standardize the lifecycle management / GC (Brandon) - https://github.com/opencontainers/distribution-spec/discussions/292 - https://github.com/notaryproject/distribution/blob/reference-types/docs/reference-types.md - Artifact Reference Types: - [Twitter/Video of the e2e experience](https://twitter.com/SteveLasker/status/1400587349629702144?s=20) - [CNCF Distribution implementation of Artifact Reference Types](https://github.com/notaryproject/distribution/blob/reference-types/docs/reference-types.md) - [ORAS client for pushing/pulling Artifact ReferenceTypes](https://github.com/oras-project/oras/blob/reference-types/docs/artifact-manifest.md) ## July 6, 2021 ### Attendees: - João Pereira (GitLab) - Bracken Dawson (IBM) - Yan Wang (VMWare) - Jack Baines (IBM) - Hayley Swimelar (GitLab) - Brandon Mitchell ### Actionable Agenda Items: - João: v2.7.2 release - What's left to be done? Looking at the [milestone](https://github.com/distribution/distribution/milestone/20), it seems like we don't need to complete all of these, maybe for the letsecrypt lib. - João: v3.0.0 release - We should start discussing breaking changes we'd like to get in. - Bracken: How/if/when to [remove the manifests in blob store woraround](https://github.com/distribution/distribution/pull/3365#issuecomment-873190860) given the [naughty buildx behaviour](https://github.com/docker/buildx/issues/173). - João: We need to open an issue to propose removing this in v3. - Issue opened: https://github.com/distribution/distribution/issues/3452 ### Presentation/Discussion Agenda Items: - _add your items_ ## May 11, 2021 ### Attendees: - _add yourself_ ### Actionable Agenda Items: - _add your items_ ### Presentation/Discussion Agenda Items: - _add your items_ ### Notes: ## May 4, 2021 Cancelled ## April 27, 2021 ### Attendees: - Steve Lasker (Microsof) - Hayley Swimelar (GitLab) - Wayne Warren (Digitalocean) - Yan Wang (VMWare) - _add yourself_ ### Actionlble Agenda Items: - [CNCF Distribution Logo Voting](https://github.com/distribution/distribution/issues/3351) (Steve) - _add your items_ ### Presentation/Discussion Agenda Items: - [OCI: Working Group proposal for Reference Types](https://github.com/opencontainers/tob/issues/96) (Steve) - [Reference Type Persistence w/CNCF Distribution](https://github.com/notaryproject/distribution/pull/9/files#diff-af3b780e144d0e1a3ca962e09d4dd3c484eb3ed74e2a48289be9b215c52f2548R1) (Steve) - _add your items_ ### Notes: - Logo - Narrow down to 7, 16, 17 with the font of 12. - Post the 3 for a runnoff: https://github.com/distribution/distribution/issues/3351 - Final voting by next weeks meeting, May 4th - Reference Types - Hayley: Concern around garbage collection and performance to find reference types - Hayley: Question for whether this should be an extension, or promoted as draft-a, b, c and merged into main as it seems like a core capability - Steve: Agreed. The CNCF distribution branch has an implementation to work through those questions. The reverse-index is persisted for retrieval: https://github.com/notaryproject/distribution/blob/prototype-2/docs/reference-types.md#implementation - What root should we use for the references API? /v2/_ext, or the redhat model for extensions/v2, as used in Quay.io - Next steps: - Steve: Confirm the extension path - Steve: Post a video of reference types for folks to review and discuss further - 2.7 Release - One item remaining: https://github.com/distribution/distribution/pull/3238 - Quick discusion captured in the PR to maintain the current behavior in 2.7, with a config option to change the TTL. Then, in 3.0, make the TTL change the default. ## April 13, 2021 Cancelled ## April 6, 2021 Cancelled ## March 30, 2021 ### Attendees: - Steve Lasker (Microsoft) - Yan Wang (VMWare) - João Pereira (GitLab) ### Actionable Agenda Items: - CNCF Distribution Logo updates (Steve) - Distribution release progress, v2.7.2 check points (Milos & Yan) ### Presentation/Discussion Agenda Items: - [Linking Artifacts in Registries](https://github.com/opencontainers/artifacts/pull/29) - Enbling Notary v2, SBoM, Nydus and other extensions (Steve) - _add your items_ ### Notes: ## March 23, 2021 - Cancelled ## March 15, 2021 - Cancelled ## March 9, 2021 - Cancelled ## March 2nd 2021 [Video Recording](https://youtu.be/5hSshSk0gBk) ### Attendees: - Steve Lasker (Microsoft) - Milos Gajdos (Docker) - Bracken Dawson (IBM) - Hayley Swimelar (GitLab) - Wayne Warren (Digitalocean) - Yan Wang (VMWare) ### Actionable Agenda Items: - Stabilizing the build, need some owners (Steve) - [expose `driver.FileInfo` via new `distribution.\*Enumerator` interface methods](https://github.com/distribution/distribution/issues/3366) (Wayne) - 2.8 release - Need to propagate some PRs from `main` to `2.8`, etc. - There seems to be some project milestone dashboard on GH - _add your items_ ### Presentation/Discussion Agenda Items: - Positioning of official [registry image](https://hub.docker.com/_/registry) on Docker Hub (Steve) - How do we reconcile [distribution/registry](https://hub.docker.com/r/distribution/registry) - Official built from [docker/distribution-library-image](https://github.com/docker/distribution-library-image) - [CNCF Distribution logo](https://github.com/distribution/distribution/issues/3351) discussions (Steve) - _add your items_ ### Notes: - distribution/distribution is automated, building the binaries. Need to look into connecting this to docker/distribtuion-library-image - Belief the GitHub folks have been curating the build process (Crhis Patterson). - What is the definition of a stable build - PRs are building, passing checkes, run some basic end to end test. - Discuss with Justin regarding ownership of https://hub.docker.com/r/distribution/registry - This would be the handoff from CNCF Distribution - Docker Inc would then own https://github.com/docker/distribution-library-image to produce the image at: https://hub.docker.com/_/registry - Yan Wang volunteered to update https://hub.docker.com/r/distribution/registry - Validate action looks to be outdaed and can be retired - [expose `driver.FileInfo` via new `distribution.\*Enumerator` interface methods](https://github.com/distribution/distribution/issues/3366) - appears we have concensus, just need a release to merge it into. Target 2.8 release. - Should start talking about a 3.0 release, and what, if any breaking changes would be in 3.0 - Move to go modules would be a breaking change - should we skip the 2.8 release, and start working on 3.0 - the new incoming work for listing and notary links apis will take some time to stabilize. Should we cut an early 3.0 with go.mod changes, and add the listing and like apis to the 3.0 base, with a 3.1 staged release. - If we're going to move to 3.0, which may delay some from adopting, should we pull in the security changes to a 2.8 release? - Milos was chasing some of the security fixes that could go into 2.8. - Would like to fix some of the build failures. - Decision: ship a 2.8 release with the security fixes to leave the 2.x release train in a stable and secure space. (Milos & Yan to organize) 2.8 branch will base from 2.7. - 3.0 will start the go module changes and base for new capabilities. - Start capturing issues for what would go into 3.0, including interface changes and new capabilities. - main contains the base for 3.0 as it has the go.mod changes. - Main is the active branch for the next release, with release branches (2.7, 2.8). Main is currently farther ahead as changes for go modules have been already merged. ## February 23, 2021 [Video Recording](https://youtu.be/dywWcwE2Iu0) ### Attendees: - Steve Lasker (Microsoft) - xf - Bracken Dawson (IBM) - Yan Wang (VMWare) - Derek McGowan ### Actionable Agenda Items: - _add your items_ ### Presentation/Discussion Agenda Items: - 2.7.2 and/or 3.0 releases. - [expose `driver.FileInfo` via new `distribution.\*Enumerator` interface methods](https://github.com/distribution/distribution/issues/3366) ### Notes: - Discussed status of various git repos for distribution, and various images on docker hub. - Need one, or more folks to volunteer to get the build system in good shape so additional PRs can be merged, and a release cut - Derek can help with some handoff and testing assistance - Vulnerability notifications, possibly nancy? - Queued up a few agenda items for next weeks discussions ## February 16, 2021 ### Attendees: - _add yourself_ ### Agenda Items: - cancelled, no agenda ## February 9, 2021 [Video Recording](https://youtu.be/nEtUSulCnoo) ### Attendees: - Wayne Warren - Justin Cormack - Steve Lasker (Microsoft) - Milos Gajdos (Docker) - Kyle Squizzato (Mirantis) - Jack Baines (IBM) - Bracken Dawson (IBM) - Yan Wang (VMWare) ### Actionable Agenda Items: - _add your items_ ### Presentation/Discussion Agenda Items: - [Artifact Manifest for Reference Objects, like Notary v2, SBoMs, Nydus, ...](https://github.com/opencontainers/artifacts/pull/27) (Steve) - [libtrust dependency](https://github.com/docker/libtrust) (Justin) - We should cut v3 release rather sooner; now that the `v3 go.mod` has been merged in (Milos) - _add your items_ ### Notes: Please notice we have a new CNCF/Bevy link. - Libtrust - library for supporting v1 manifests. - v1 schemas. IBM doesn't allow v1 schemas to be uploaded. ACR has had bugs with customers attempting to copy v1 schemas within the registry. - - Is it time to deprecate support for v1 schemas? - Artifact Manifest - ## February 2, 2021 ### Attendees: - Steve Lasker (Microsoft) - Wayne Warren (Digitalocean) - João Pereira (GitLab) - Yan Wang (VMWare) ### Actionable Agenda Items: - PRs & Issues to discuss - [PR Labels](https://hackmd.io/RZ0ztSGXRKyCuFnyaHztEw) - _add your items_ ### Presentation/Discussion Agenda Items: - [Listing API Requirements](https://github.com/opencontainers/distribution-spec/pull/229) & [Registry Listing API discussions](https://github.com/opencontainers/distribution-spec/issues/222) (Steve) - [Tag delete API](https://github.com/opencontainers/distribution-spec/issues/114) (João) - _add your items_ ### Notes: - PR Labels - Wayne sorting them, creating a list view - Separate spec affecting, features and bugs - Wayne will cull through the backlog, assigning labels - Wondering if there are any guidelines for CNCF projects that we could use/extend (João) - Listing API - Digitial Ocean, like all other registries have custom APIs - wayne - would like to layer size, and other details of a manifest/or repo content - Many registires base their costs on disk/storage size - Tag Delete (Joao) - GitLab has a tag expiration feature which relies heavily on tag deletes. This does not scale without a dedicated tag delete API. - Yan - Harbor explination for how tags are managed ## January 27, 2021 ### Attendees: - Steve Lasker (Microsoft) - Justin Cormack (Docker) - Sebastiaan van Stijn (Docker) - Hayley Swimelar (GitLab) - Bryan Clark (GitHub) - Chris Patterson (GitHub) - Wayne Warren (Digitalocean) - João Pereira (GitLab) - Milos Gajdos (Docker) - Yan Wang (VMWare) - He WeiWei (VMWare) ### Agenda Items: - Welcome - Status - CI - Test frameworks - Release ### Notes: - Discussion of [OCI Conformance tests](https://github.com/opencontainers/oci-conformance)0 - would like to improve tests - Update the Distribution CI system - Distribution needs a release. There hasn't been a release for over a year. Some security issues/fixes that need publishing - master: rename import paths for go.mod (v3); https://github.com/docker/distribution/pull/3225 **NOTE**: With the repository being moved to https://github.com/distribution/distribution, we should probably rename the module (and imports) accordingly, further qualifying next release to be `v3.0.0` - We should ideally support ACMEv2 for lets encrypt in the next release https://github.com/docker/distribution/issues/3041 as ACMEv1 is near EOL https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 - A GitHub org to move the release from docker/distribution. Looks like we can use https://github.com/distribution (Chris Patterson starting process for name take-over) - Ask to have all the bugs in forks PRd back to distribution. - Discussion of splitting PRs into bugs and features, categorizing them for review in the appropriate categories - Discussion whether feature additions to distribution should be aligned with an equivalent oci-distribution-spec addition. - Discussion on maintainer process, such as how many maintainers are required to approve a PR. - Possibly split out into smaller working groups eg: - grooming the backlog of PRs with specific issue types - Wayne volunteered to shepherd the backlog - Hayley volunteered for this group - Add DCO to distribution projects - Invite to open PRs on the governance docs - Cadence: weekly calls, but split ever other week workring groups (backlog & conformance tests) and group discussions - Steve to coordinate with Amye for weekly meetings on the CNCF calendar with automated recordings - In the weekly calls we'll split out the details of the groups - https://github.com/distribution/distribution/ is now the new home, with main as the default branch - Coordinate the blog post with Justin Cormack which should go out in a week (template for copying) # Template ## Meeting Date ### Attendees: - _add yourself_ ### Actionable Agenda Items: - _add your items_ ### Presentation/Discussion Agenda Items: - _add your items_ ### Notes: