Closed Wwwsylvia closed 2 years ago
Thanks @Wwwsylvia, This was a debated topic. It boiled down to maintaining an initial steady state, but recognicating that some registries may not want to delete the signatures or SBOMs. There are other similar APIs in the distribution spec that allow for blobs to be deleted, even though a manifest references them.
So, for now, we agreed to enforce validation on put. In the referrers API example, we recognize that some registries MAY choose to keep the referenced artifacts, even if the subject was deleted
Thanks @SteveLasker for the clarification! 🙂
The ORAS Artifact Manifest Spec states that,
However, the Manifest Referrers API says that,
Which means, the Artifacts returned by the Referrers API may have a non-existing
subject
. Isn't this behavior inconsistent with the Artifact spec? If the behavior of Referrers API is by design, should we update the Artifact Spec to keep them consistent?