Open sudo-bmitch opened 1 month ago
I've personally used it for large layers that canonically exist elsewhere (so mirroring them to another registry doesn't add a ton of value for me), but it's also a bit of an unexpected privacy breach.
I remember @jonjohnsonjr had some input when we had this discussion about the URLs field.
The url field, as it is currently used, is potentially dangerous if it points to a malicious source. One suggestion was to move the url under annotations just to satisfy regulatory requirements, should they arise.
If it's content-addressable (with a verified digest), how would a URL be malicious in a way that a registry-hosted blob isn't?
Privacy/tracking is the thing that comes to mind for me right away.
Another potential concern (theoretical) is that my registry provider may be taking measures to detect and block collision attacks (like GitHub does! ❤️), but this could be used to bypass that in a way that doesn't even notify the user it fetched content from an unexpected place (and not unexpected in the "my registry redirected me to S3 or somewhere else inside their trust boundary" way but rather in a "content author was able to redirect me to a malicious place").
With the deprecation of nondistributable layers, I'm curious if the descriptor urls field should also be deprecated. Are there existing uses of this field outside of nondistributable layers? If so, I'm curious if those uses break any clients or registries?
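An added example, not part of the thread and not code from the OCI project: one way a client could handle the two concerns raised above, treating descriptor `urls` as untrusted hints that are only followed for allowlisted https hosts, and verifying size and digest on whatever is fetched. The allowlist policy, the function names and the `example.com`/`example.net` hosts are assumptions made for illustration. Digest verification covers content integrity only; the host allowlist is what limits where the client can be sent.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/url"
)

// Descriptor holds the OCI descriptor fields that matter when fetching a blob.
type Descriptor struct {
	Digest string   `json:"digest"`
	Size   int64    `json:"size"`
	URLs   []string `json:"urls,omitempty"`
}

// AllowedURLs keeps only https URLs whose host is in the operator's allowlist
// (an assumed policy); an empty result means "use the registry's blob endpoint".
func AllowedURLs(d Descriptor, allowHosts map[string]bool) []string {
	var out []string
	for _, raw := range d.URLs {
		u, err := url.Parse(raw)
		if err != nil || u.Scheme != "https" || u.User != nil || !allowHosts[u.Hostname()] {
			continue
		}
		out = append(out, raw)
	}
	return out
}

// VerifyBlob fails closed unless size and sha256 digest both match the descriptor.
func VerifyBlob(d Descriptor, content []byte) error {
	sum := sha256.Sum256(content)
	got := "sha256:" + hex.EncodeToString(sum[:])
	if int64(len(content)) != d.Size || got != d.Digest {
		return fmt.Errorf("blob does not match descriptor: got %s, %d bytes", got, len(content))
	}
	return nil
}

func main() {
	// Constructed descriptor; the hosts are placeholders.
	raw := `{"digest":"sha256:2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824","size":5,"urls":["https://mirror.example.com/l.tar","http://mirror.example.com/l.tar","https://tracker.example.net/l.tar"]}`
	var d Descriptor
	if err := json.Unmarshal([]byte(raw), &d); err != nil {
		panic(err)
	}
	fmt.Println(AllowedURLs(d, map[string]bool{"mirror.example.com": true}), VerifyBlob(d, []byte("hello")))
}
```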