sajayantony
commented
2 years ago I think digest pinned deployments will never see an updated scan report if we use the index to constantly append and recompose the images. This was my reason for supporting the first solution here
Ok thinking more through that even in the tag based model you need to lookup other tags. I think updating the tag pointing to an index has a few interesting areas to discuss. Like will pushing an patched image to the same tag cause lookup of previous images to fail?
It didn't cross my mind that distribution spec didn't explicitly call out preconditions and it seems like clarifying that will avoid a lot of issues.
sudo-bmitch
yizha1
I think most of our work has focused on the ORAS artifact-spec work. It would be useful if there's a backwards compatible solution that can sign images on registries without the newer ORAS artifact-spec APIs. Possible options I'm thinking of:
For the first option, to push multiple signatures, we may need to wrap the signature artifacts with an OCI Index and the Index replaces the list of artifacts we'd see from the new API query. To handle race conditions, that may have to be a best-effort / user problem, unless we can get ETag and Precondition Semantics supported in the registry.
For the second option, there may be users that want that to tightly control what is associated with their image, who want this ability rather than the API anyway. The challenge is that this requires the existing runtimes to recursively descend through Index to find the image to run, and I'm not sure they do that if they don't see the platform field or if there's an Index within an Index, which may result in breaking changes to existing image runtimes that aren't checking the signatures. This would need a lot of testing if we went that way.
Are there other options than these, and is there interest in adding any of these backwards compatibility features to Notary v2?