tianon closed this 3 months ago
If I understood correctly, this requirement for Container images is related to making sure that the configuration in `mediaType.config` applied matches the layers that were set up for the container on the file system exactly. Otherwise you could potentially apply the wrong configuration to the wrong image and _do bad things_™.
The bad things people worry about are runtimes improperly deduping images. So you may have a config for v1.2 of a WASM image being deployed by a WASM-capable runtime, and try to upgrade it to v1.3, and the runtime would respond that it already has that image ID and keep running the v1.2 WASM application.
That could also be used maliciously by those that want to poison the cache and potentially access data they shouldn't have access to, by creating a WASM app with a configuration matching a well known trusted image. If the malicious image is pulled first, for testing in an untrusted sandbox, and the trusted image is later requested to run with secure data, the malicious image would be run with access to the secure data.
Thanks! Two follow-up questions:
Hah, https://github.com/opencontainers/image-spec/issues/743 is very related 🚀
The `config` digest is used by a number of popular runtimes/orchestrators as an identifier for an image with an amount of assumed uniqueness.
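
The deduplication problem discussed in this thread, as an added example that is not part of the original comments or of any runtime's code: a toy store keyed on the config digest, first fed a config that says nothing about its layers, then a config that lists layer digests in `rootfs.diff_ids` the way OCI image configs do. `ImageStore`, `make_config` and the sample module bytes are constructed for illustration.

```python
import hashlib
import json


def digest(data: bytes) -> str:
    """OCI-style content digest of a blob."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_config(layers, bind_layers: bool) -> bytes:
    """Build config bytes; bind_layers adds rootfs.diff_ids (uncompressed layer digests)."""
    cfg = {"architecture": "wasm", "os": "wasi"}
    if bind_layers:
        cfg["rootfs"] = {"type": "layers", "diff_ids": [digest(layer) for layer in layers]}
    return json.dumps(cfg, sort_keys=True).encode()


class ImageStore:
    """Toy runtime store that dedupes on the config digest (used as the image ID)."""

    def __init__(self, verify_diff_ids: bool):
        self.verify_diff_ids = verify_diff_ids
        self.by_image_id = {}

    def pull(self, config: bytes, layers):
        image_id = digest(config)
        if self.verify_diff_ids:
            # Reject configs that do not commit to exactly these layers.
            expected = json.loads(config).get("rootfs", {}).get("diff_ids")
            if expected != [digest(layer) for layer in layers]:
                raise ValueError("layers do not match config rootfs.diff_ids")
        # Dedup: an image ID already present is assumed to be the same content.
        self.by_image_id.setdefault(image_id, list(layers))
        return image_id

    def run(self, image_id):
        return self.by_image_id[image_id]


def demo():
    v12, v13 = [b"module v1.2 (constructed)"], [b"module v1.3 (constructed)"]
    naive = ImageStore(verify_diff_ids=False)
    shared = make_config(v12, bind_layers=False)  # identical bytes for both versions
    id_a, id_b = naive.pull(shared, v12), naive.pull(shared, v13)
    stale = naive.run(id_b) == v12  # the "upgrade" still resolves to v1.2
    strict = ImageStore(verify_diff_ids=True)
    id_c = strict.pull(make_config(v12, True), v12)
    id_d = strict.pull(make_config(v13, True), v13)
    return id_a == id_b, stale, id_c != id_d, strict.run(id_d) == v13
```

`demo()` returns a tuple of four booleans: the IDs collide without layer binding, the stale v1.2 content is served, the bound configs get distinct IDs, and the v1.3 content is served for its own ID.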