opencontainers / runtime-spec

OCI Runtime Specification
http://www.opencontainers.org
Apache License 2.0

features.md: add unsafe annotation list #1202

Closed AkihiroSuda closed 10 months ago

AkihiroSuda commented 1 year ago

https://github.com/opencontainers/runtime-spec/blob/main/features.md should return the list of unsafe annotations. (“org.systemd.”, “run.oci.”, etc.)

cyphar commented 1 year ago

I like this idea, though I think runtimes should opt for listing the precise annotations they consider unsafe rather than specifying namespaces (after all, the runtime should know which annotations they support and what they do). But the format should probably support specifying namespaces in cases where the runtime really wants to indicate a whole namespace is unsafe.

AkihiroSuda commented 1 year ago

PR:

> I like this idea, though I think runtimes should opt for listing the precise annotations they consider unsafe rather than specifying namespaces (after all, the runtime should know which annotations they support and what they do). But the format should probably support specifying namespaces in cases where the runtime really wants to indicate a whole namespace is unsafe.

Yes. Actually, a precise annotation string is also valid as a "prefix"
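
The prefix matching discussed in this thread, as an added example in Go (not code from runtime-spec or from any runtime): a checker that flags config annotations against a runtime's unsafe list. The `Finding` type, the `FlagUnsafe` function and all annotation keys are constructed for illustration; only the `org.systemd.` and `run.oci.` namespaces come from the thread.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Finding pairs a config annotation key with the unsafe-list entry it matched.
type Finding struct {
	Key     string
	Matched string
}

// FlagUnsafe treats every entry of the unsafe list as a prefix, so one list
// can hold whole namespaces ("run.oci.") and precise annotation strings.
// The longest matching entry is reported for each key.
func FlagUnsafe(unsafe []string, annotations map[string]string) []Finding {
	var out []Finding
	for key := range annotations {
		best := ""
		for _, p := range unsafe {
			// Skip empty entries: an empty prefix would match every key.
			if p != "" && strings.HasPrefix(key, p) && len(p) > len(best) {
				best = p
			}
		}
		if best != "" {
			out = append(out, Finding{Key: key, Matched: best})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Key < out[j].Key })
	return out
}

func main() {
	// Constructed sample data; the keys below are hypothetical.
	unsafe := []string{"org.systemd.", "run.oci.", "example.runtime.host_device"}
	annotations := map[string]string{
		"org.systemd.property.example":   "1",
		"run.oci.example":                "1",
		"example.runtime.host_device":    "/dev/null",
		"example.runtime.host_device_ro": "1", // also matched by the precise entry
		"org.opencontainers.image.title": "demo",
	}
	for _, f := range FlagUnsafe(unsafe, annotations) {
		fmt.Printf("unsafe annotation %q (matched %q)\n", f.Key, f.Matched)
	}
}
```

Because a precise entry is matched as a prefix, it also flags longer keys that begin with it, as `example.runtime.host_device_ro` shows.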