Can pull referrer with oras pull without knowing the digest #834

SamirPS opened this issue Feb 24, 2023 · 7 comments

SamirPS commented Feb 24, 2023

What is the version of your ORAS CLI

Version: 1.0.0-rc.1+unreleased
Go version: go1.20
Git commit: 8bda262
Git tree state: clean

What would you like to be added?

For example, if I take this multi-arch image and copy it to Azure

docker.io/library/ubuntu:lunar -> xxx.azurecr.io/test:lunar

I now have an artefact named one.json. I attach it to the amd64 platform with this command, for example:

oras attach xxx.azurecr.io/test:lunar --platform linux/amd64 one.json

Now if I do

oras discover xxx.azurecr.io/test:lunar

I will have 0 artefacts discovered, but if I do

oras discover xxx.azurecr.io/test:lunar  --platform linux/amd64

ORAS will find the one.json artefact with this digest sha256:digestofsbom. These two outputs are expected.

Now if I do:

oras pull xxx.azurecr.io/test:lunar  --platform linux/amd64

It will say downloaded empty artefacts. But if I do

oras pull xxx.azurecr.io/test:lunar@sha256:digestofsbom

It downloads the one.json artefact.

What @SteveLasker and I proposed is to add this command, for example, to pull the artefacts:

oras pull xxx.azurecr.io/test:lunar --platform linux/amd64 --artifactType application/spdx+json --top 1 --orderby desc

Why is this needed for ORAS?

Some people will use ORAS without knowing anything about digests or manifests. It will give them a great user experience. Also, if I attached multiple files to the amd64 (sbom, license, ...), it's great to be able to download all files with a single command and not need to get the digest for each file.

Are you willing to submit PRs to contribute to this feature?

  • Yes, I am willing to implement it.
@SamirPS SamirPS added the enhancement New feature or request label Feb 24, 2023
@qweeah qweeah added this to the future milestone Feb 25, 2023
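
The selection proposed in the first post (`--platform` with `--artifactType`, `--top` and `--orderby`), modelled as an added example that is not part of the issue or of ORAS: it resolves the platform manifest in an image index, filters that manifest's referrers by `artifactType`, and returns digest-pinned references. Function names, sample data and placeholder digests are constructed, and ordering by the `org.opencontainers.image.created` annotation is an assumption, since the thread does not say what `--orderby` would sort on.

```python
# Added example (not ORAS code): models the selection the issue proposes.
CREATED = "org.opencontainers.image.created"  # standard OCI annotation key

def platform_digest(index, os_name, arch):
    """Digest of the index entry for os/arch (what --platform resolves)."""
    for desc in index.get("manifests", []):
        p = desc.get("platform", {})
        if p.get("os") == os_name and p.get("architecture") == arch:
            return desc["digest"]
    raise LookupError(f"no manifest for {os_name}/{arch}")

def select_referrers(referrers, artifact_type, top=None, descending=True):
    """Filter a referrers listing by artifactType; order by creation time.
    Assumes RFC 3339 UTC timestamps, which sort correctly as strings."""
    hits = [d for d in referrers.get("manifests", [])
            if d.get("artifactType") == artifact_type]
    hits.sort(key=lambda d: d.get("annotations", {}).get(CREATED, ""),
              reverse=descending)
    return [d["digest"] for d in hits[:top]]

def pull_refs(repo, index, referrers_by_subject, os_name, arch,
              artifact_type, top=1):
    """Digest-pinned references that could be handed to `oras pull`."""
    subject = platform_digest(index, os_name, arch)
    listing = referrers_by_subject.get(subject, {})
    return [f"{repo}@{d}" for d in select_referrers(listing, artifact_type, top)]

# Constructed sample data; every digest is a placeholder, not a real value.
def _d(c):
    return "sha256:" + c * 64

INDEX_D, AMD64, ARM64, SBOM_OLD, SBOM_NEW, LICENSE = map(_d, "0123ab")
INDEX = {"manifests": [
    {"digest": AMD64, "platform": {"os": "linux", "architecture": "amd64"}},
    {"digest": ARM64, "platform": {"os": "linux", "architecture": "arm64"}}]}

def _ref(digest, atype, created):
    return {"digest": digest, "artifactType": atype,
            "annotations": {CREATED: created}}

REFERRERS = {
    INDEX_D: {"manifests": []},  # nothing is attached to the index itself
    AMD64: {"manifests": [
        _ref(SBOM_OLD, "application/spdx+json", "2023-02-20T10:00:00Z"),
        _ref(LICENSE, "text/plain", "2023-02-21T10:00:00Z"),
        _ref(SBOM_NEW, "application/spdx+json", "2023-02-24T09:30:00Z")]},
}

if __name__ == "__main__":
    print(pull_refs("xxx.azurecr.io/test", INDEX, REFERRERS,
                    "linux", "amd64", "application/spdx+json"))
```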

qweeah commented Feb 25, 2023

👍 Sounds like a counterpart of --include-subject to me.

@shizhMSFT shizhMSFT added the experimental Issues or pull requests depending on WIP specs label Mar 22, 2023
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

@github-actions github-actions bot added the stale Inactive issues or pull requests label Jul 23, 2023

SamirPS commented Jul 30, 2023

Any news about this issue?

@qweeah qweeah removed the stale Inactive issues or pull requests label Jul 31, 2023

qweeah commented Jul 31, 2023

> Any news about this issue?

@shizhMSFT @FeynmanZhou @sajayantony for planning

@shizhMSFT

The subject field is introduced for the OCI Index manifest in image-spec v1.0.0-rc4. We can continue the discussion from there.

@shizhMSFT

@SamirPS You might be interested in opencontainers/image-spec#1020, especially the following diagram:

graph TD;

sboms-->lsbom;
sboms-.->index;
sboms-->wsbom;

lsbom[sbom]-.->linux;

index-->linux;
index-->windows;

wsbom[sbom]-.->windows;

@shizhMSFT

@sajayantony Currently, we don't have a standard to create the sboms in the above diagram. Will that be in the corresponding OCI spec? Or is it purely up to the client implementation? If it is the latter, we can probably propose one solution for oras.
