cnabio / cnab-to-oci

Tool to convert CNAB bundle.json to OCI index
Apache License 2.0

Decide enforcing tags for bundles #101

Open radu-matei opened 4 years ago

radu-matei commented 4 years ago

The current behaviour of cnab-to-oci is to allow pushing to a repository without a tag:

$ cnab-to-oci push testdata/cnab/bundle.json --target localhost:5000/no-tag-test
Starting to copy image cnab/helloworld:0.1.1...
Completed image cnab/helloworld:0.1.1 copy
Pushed successfully, with digest "sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268"

$ cnab-to-oci pull localhost:5000/no-tag-test
Error: failed to resolve bundle manifest "localhost:5000/no-tag-test": object required

$ cnab-to-oci pull localhost:5000/no-tag-test@sha256:b4936e42304c184bafc9b06dde9ea1f979129e09a021a8f40abc07f736de9268

If a bundle is pushed without a tag, pulling it has to be performed using the full SHA256 digest, which is unknown to a potential consumer of the bundle. Should we enforce pushing with a specific tag? (Or at least by default?)

Note that this is also significant in the context of signing.

carolynvs commented 4 years ago

I would hazard a guess that 99% of the time, someone who did this either a) assumed that it would use latest as the tag because they aren't familiar with the tool and hope it works like docker or b) made a mistake and didn't want it to push an untagged bundle.

If we do need to keep this behavior around, I suggest it be put behind a flag for people who explicitly want it.
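As an added illustration, not code from the cnab-to-oci project (whose reference parsing and CLI flags are not shown in this thread), the following Go sketch models the check proposed above: a push target is split into repository, tag and digest, and an untagged target is rejected unless a default tag (the "by default" option) is supplied or an explicit opt-in flag (carolynvs's suggestion) is set. The names `EnforceTag` and `splitRef` and the flag semantics are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// splitRef parses e.g. localhost:5000/no-tag-test:0.1.1@sha256:<64 hex> into
// repository, tag and digest. The tag separator is the last ':' after the final
// '/', so the registry port in the host part is never mistaken for a tag.
func splitRef(s string) (repo, tag, digest string, err error) {
	if i := strings.Index(s, "@"); i >= 0 {
		digest, s = s[i+1:], s[:i]
		// Only the algorithm prefix and length are checked here, not the hex body.
		if !strings.HasPrefix(digest, "sha256:") || len(digest) != len("sha256:")+64 {
			return "", "", "", fmt.Errorf("malformed digest %q", digest)
		}
	}
	if colon := strings.LastIndex(s, ":"); colon > strings.LastIndex(s, "/") {
		tag, s = s[colon+1:], s[:colon]
	}
	if s == "" {
		return "", "", "", fmt.Errorf("empty repository")
	}
	return s, tag, digest, nil
}

// EnforceTag (hypothetical) requires a push target to carry a tag so that
// consumers can pull it without knowing the digest. allowUntagged models the
// opt-in flag from the thread; defaultTag (e.g. "latest") models the "by
// default" option and is applied only when non-empty. It returns the target to push.
func EnforceTag(target, defaultTag string, allowUntagged bool) (string, error) {
	repo, tag, digest, err := splitRef(target)
	if err != nil {
		return "", err
	}
	switch {
	case tag != "" || allowUntagged: // nothing to do
	case defaultTag != "":
		tag = defaultTag
	default:
		return "", fmt.Errorf("refusing to push %q without a tag: pulling it would require the digest", target)
	}
	out := repo
	if tag != "" {
		out += ":" + tag
	}
	if digest != "" {
		out += "@" + digest
	}
	return out, nil
}
```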