Clarify conditions under which the registry may reject a manifest for having non-existent references

[andaaron]

This wording really bothers me, as is sounds contradictory and interpretable.

A registry MAY reject a manifest of any type uploaded to the manifest endpoint if it references manifests or blobs that do not exist in the registry.
A registry MUST accept an otherwise valid manifest with a `subject` field that references a manifest that does not exist, allowing clients to push a manifest and referrers to that manifest in either order.

The second line mentions the subject reference can point to a manifest which does not exist. On the other hand the first sentence allows the registry to reject the incoming manifest in such a case.

I understand the reason why some references are more equal than others, but let's make that clear. Maybe rephase:

A registry MAY reject a manifest of any `mediaType` uploaded to the manifest endpoint if its properties or type `descriptor` reference blobs that do not exist in the registry, with the exception of the reference in the property `subject`. 
A registry MUST accept an otherwise valid manifest with a `subject` field that references a manifest that does not exist, allowing clients to push a manifest and referrers to that manifest in either order.
All other properties of type `descriptor`, such as `config`, `layers` or `manifests`, which are not empty, SHOULD point to blobs which are already present on the registry, and the registry MAY reject the upload in case they are missing.

Or is this too much detail?

See https://github.com/opencontainers/distribution-spec/blob/main/spec.md?plain=1#L209

[sudo-bmitch]

I agree that's been awkward phrasing. Have a look at #445 and let me know if that's easier to read.

[andaaron]

445 Looks good from my side.