Can the subject of an Artifact manifest reference a non-existing manifest?

[Wwwsylvia]

The ORAS Artifact Manifest Spec states that,

subject descriptor An OPTIONAL reference to any existing manifest within the repository. When specified, the artifact is said to be dependent upon the referenced subject.

However, the Manifest Referrers API says that,

referrers: A list of artifact descriptors that reference the given manifest. The list MUST include these references even if the given manifest does not exist in the repository. The list MUST be empty if there are no artifacts referencing the given manifest.

Which means, the Artifacts returned by the Referrers API may have a non-existing subject. Isn't this behavior inconsistent with the Artifact spec? If the behavior of Referrers API is by design, should we update the Artifact Spec to keep them consistent?

[SteveLasker]

Thanks @Wwwsylvia, This was a debated topic. It boiled down to maintaining an initial steady state, but recognicating that some registries may not want to delete the signatures or SBOMs. There are other similar APIs in the distribution spec that allow for blobs to be deleted, even though a manifest references them.

So, for now, we agreed to enforce validation on put. In the referrers API example, we recognize that some registries MAY choose to keep the referenced artifacts, even if the subject was deleted

[Wwwsylvia]

Thanks @SteveLasker for the clarification! 🙂