dotnet / dotnet-docker

Docker images for .NET and the .NET Tools.
https://hub.docker.com/_/microsoft-dotnet
MIT License

Consider adding OCI Image Annotations to .NET images #5531

Open lbussell opened 5 months ago

lbussell commented 5 months ago

See the list of pre-defined OCI image annotations here:

https://github.com/opencontainers/image-spec/blob/main/annotations.md#pre-defined-annotation-keys

Several of these annotations overlap with our image-info.json spec. Of note are:

(The base image annotations were added to the spec in 2021)

We have already computed lots of this information when we build our images. We should consider adding these annotations to image manifests in addition to (or instead of) tracking it ourselves in image-info.json files.

lbussell commented 5 months ago

[Triage] This has potential to simplify our image info file if we can use this to check for base image updates. However, it may be less practical to use if we would need to submit a separate request to MCR for each image's manifest instead of sending one request to grab our image info file for all of the current base image digests.

lbussell commented 5 months ago

This seems to have limited ROI for us at the moment. If there are any users who would benefit from the addition of these OCI image annotations, we would like to hear about your scenario.

I'll leave this issue open to solicit discussion for a while.

xendon commented 1 month ago

Well, I just wanted to open an issue regarding this. So here is the first scenario.

Annotations would be great for us since we need to fulfill some requirements made by the BSI (Bundesamt für Sicherheit in der Informationstechnik), regarding the so-called "Cyber Resilience Act" of the EU (see: Technical Guideline TR-03183).

With the mentioned opencontainers annotations, we would be able to create a kind of treeview of all our components to hand it over to our auditor. In addition, we're using "Docker Scout" which is indeed able to validate base images based on the given annotations.

lbussell commented 1 month ago

Thanks for chiming in @xendon. Which specific annotation(s) would help in your scenario? I'm assuming org.opencontainers.image.base.name and org.opencontainers.image.base.digest?
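Both uses raised in this thread, checking whether a base image has been rebuilt since an image was produced and rendering a base-image tree for an auditor, can be driven from exactly the two annotations named above. The script below is an added illustration written for this discussion, not dotnet-docker tooling or an MCR feature: it constructs a small in-memory "registry" of minimal OCI manifests (the .NET image references are used as fixture names, the root OS image is a placeholder, and all digests are computed from the fixture bytes rather than real MCR digests), follows `org.opencontainers.image.base.name` / `org.opencontainers.image.base.digest` from an app image down to the root, and flags any hop whose recorded base digest no longer matches what the base tag currently resolves to. With a real registry, the raw manifest bytes would come from something like `docker buildx imagetools inspect <ref> --raw` instead of the fixture.

```python
"""Follow OCI base-image annotations to build a base tree and flag rebuilt bases.

Added example for this issue, not dotnet-docker code. Manifests are constructed
inline in the shape of an OCI image manifest so it runs offline; image references
are fixture names and every digest is derived from the fixture bytes.
"""
from __future__ import annotations

import hashlib
import json

BASE_NAME = "org.opencontainers.image.base.name"
BASE_DIGEST = "org.opencontainers.image.base.digest"


def manifest_digest(raw: bytes) -> str:
    """Registry-style content digest of the raw manifest bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def make_manifest(annotations: dict) -> bytes:
    """Minimal OCI image manifest carrying only the given annotations (constructed)."""
    manifest = {
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {
            "mediaType": "application/vnd.oci.image.config.v1+json",
            "digest": "sha256:" + "0" * 64,  # placeholder config digest
            "size": 0,
        },
        "layers": [],
        "annotations": annotations,
    }
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def base_of(raw: bytes) -> tuple[str, str | None] | None:
    """(base.name, base.digest) from the manifest annotations, or None for a root image."""
    annotations = json.loads(raw).get("annotations") or {}
    name = annotations.get(BASE_NAME)
    if not name:
        return None
    return name, annotations.get(BASE_DIGEST)


def base_chain(registry: dict[str, bytes], ref: str) -> list[dict]:
    """Walk base annotations from `ref` to the root image.

    Each hop records the base digest the image was built from and the digest the
    base tag resolves to now; they differ once the base has been rebuilt.
    """
    chain, seen, current = [], set(), ref
    while current in registry and current not in seen:
        seen.add(current)  # guard against annotation cycles
        base = base_of(registry[current])
        if base is None:
            break
        name, recorded = base
        current_digest = manifest_digest(registry[name]) if name in registry else None
        chain.append({
            "image": current,
            "base": name,
            "recorded_digest": recorded,
            "current_digest": current_digest,
            "up_to_date": recorded is not None and recorded == current_digest,
        })
        current = name
    return chain


def render_tree(ref: str, chain: list[dict]) -> list[str]:
    """Indented tree view, one line per image, marking hops whose base was rebuilt."""
    lines = [ref]
    for depth, hop in enumerate(chain, start=1):
        status = "" if hop["up_to_date"] else "  [base rebuilt: stale]"
        short = (hop["recorded_digest"] or "none")[:19]
        lines.append("  " * depth + f"└─ {hop['base']} @ {short}{status}")
    return lines


def build_fixture() -> dict[str, bytes]:
    """Constructed registry: an app on the .NET image chain over a placeholder OS base."""
    root = "os-vendor.example/os:stable"  # placeholder root image, carries no base annotations
    registry = {root: make_manifest({})}
    parent = root
    for ref in (
        "mcr.microsoft.com/dotnet/runtime-deps:8.0",
        "mcr.microsoft.com/dotnet/runtime:8.0",
        "mcr.microsoft.com/dotnet/aspnet:8.0",
        "registry.example/myapp:1.0",
    ):
        registry[ref] = make_manifest({BASE_NAME: parent, BASE_DIGEST: manifest_digest(registry[parent])})
        parent = ref
    # Simulate the OS base being rebuilt: its tag now resolves to a new digest, so only the
    # runtime-deps hop is stale; the hops above were built from images that have not changed.
    registry[root] = make_manifest({"org.opencontainers.image.revision": "rebuild-2"})  # constructed value
    return registry


if __name__ == "__main__":
    fixture = build_fixture()
    app = "registry.example/myapp:1.0"
    print("\n".join(render_tree(app, base_chain(fixture, app))))
```

The one-request-per-manifest cost mentioned above shows up directly in `base_chain`: every hop is a separate manifest fetch, so a full tree for N images is N round trips to the registry, where a single image-info.json download covers them all.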