Open brackendawson opened 2 years ago
Maybe we should also be validating the platform fields? Or is anyone relying on linking amd64 clients to an i386 image?
Unfortunately, I don't think we'd be able to pull that off. We had a check in docker engine, but it broke way too many cases where images were cross-compiled and uploaded with the wrong metadata (but referenced with the correct os/arch in the manifest list).
@thaJeztah asked what happens if you upload an application/vnd.docker.distribution.manifest.list.v2+json (manifest list) to distribution but specify the incorrect media type for the referenced manifest/s. The answer is the manifest list is accepted. It is also accepted if the size is wrong. The only property that is checked is that the digests either exist in the manifest store or the layer store (because of #3122).
I think we should be validating the mediaType and size. Maybe we should also be validating the platform fields? Or is anyone relying on linking amd64 clients to an i386 image?
We should also check the OCI Index; I have not. If we do any of this for the OCI Index then we will break the method BuildKit uses to store build caches in a registry by referencing blobs from an index.
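A sketch of the mediaType and size validation proposed in the issue above, as an added example (not code from distribution or from the issue's author). The `Descriptor` and `stored` types, `digestOf`, and the in-memory store are assumptions; it only covers references that resolve to manifests, not the blob references BuildKit stores in an index.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Descriptor is one entry of a manifest list's "manifests" array.
type Descriptor struct {
	MediaType, Digest string
	Size              int64
}

// stored is a hypothetical manifest-store entry: media type recorded at push, plus the raw bytes.
type stored struct {
	MediaType string
	Payload   []byte
}

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// ValidateReferences reports descriptors whose digest is unknown or whose mediaType or size disagrees with the store.
func ValidateReferences(refs []Descriptor, store map[string]stored) []string {
	var problems []string
	for i, d := range refs {
		s, ok := store[d.Digest]
		if !ok {
			problems = append(problems, fmt.Sprintf("manifests[%d]: unknown digest", i))
			continue
		}
		if d.MediaType != s.MediaType {
			problems = append(problems, fmt.Sprintf("manifests[%d]: mediaType %q, stored %q", i, d.MediaType, s.MediaType))
		}
		if d.Size != int64(len(s.Payload)) {
			problems = append(problems, fmt.Sprintf("manifests[%d]: size %d, stored %d", i, d.Size, len(s.Payload)))
		}
	}
	return problems
}

func main() {
	payload := []byte(`{"schemaVersion":2}`) // constructed sample manifest, not a real image
	store := map[string]stored{digestOf(payload): {"application/vnd.docker.distribution.manifest.v2+json", payload}}
	fmt.Println(ValidateReferences([]Descriptor{{"application/vnd.oci.image.manifest.v1+json", digestOf(payload), 9999}}, store))
}
```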