I was having a look at the implementation based on container images (I was trying to see if I could spot the problem in #1823 that only the first module dependency has its version range set).
Anyway, I am concerned that your manifests don't follow the guidelines from OCI about storing content other than OCI container images in an OCI registry.
They recommend not using actually empty files, due to problems with it in some implementations, but more to the point, the spec says that when content other than OCI container images is packaged, "the config.mediaType value MUST be set to a value specific to the artifact type or the empty value."
Basically, you should be using the well-known empty mediaType, and specifying the artifactType (you must specify it, if you make the config empty). Otherwise, you're going to cause problems when people try to use this with their internal OCI registries, or mix-and-match these on ACRs with other manifest types.
But now that I've looked at all this, I have a couple of other suggestions (and I apologize that nobody said this earlier):
I don't think you should put the manifest annotation in the layer -- it belongs on the top-level of the manifest. Frankly, you should put more of the top-level module manifest values into those top-level annotations, particularly the pre-defined keys that match what's in the PS Module manifest, like authors, source, revision, etc.
Finally, I hate to say this now, when you're clearly far down this trail, but ... you're clearly not doing the right thing, wrapping nupkgs into tgz balls. You should just put the module in the tarball. If you're using OCI, you don't need nupkg. If you did that, you could even put the manifest in a separate layer, so that you could fetch just the manifest -- instead of having to encode it and stuff it into an annotation. On top of that, you'd be in a better position to add SPDX layers later for SBOMs etc.
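The manifest shape the comment argues for, as an added example (not code from the original comment or from the PowerShell project): it builds a manifest with the OCI well-known empty config plus `artifactType`, the module manifest as its own layer and module metadata as top-level annotations, and lints a manifest for the points raised above. The `application/vnd.example.*` media types, the artifact type and the sample bytes are constructed placeholders.

```python
import hashlib
from base64 import b64encode

EMPTY = "application/vnd.oci.empty.v1+json"            # OCI well-known empty config type
MANIFEST = "application/vnd.oci.image.manifest.v1+json"
TGZ = "application/vnd.oci.image.layer.v1.tar+gzip"
PSD1 = "application/vnd.example.psmodule.manifest+json"  # hypothetical layer type for the .psd1

def descriptor(media_type, blob, **extra):
    """OCI content descriptor for an in-memory blob (digest is sha256 of the bytes)."""
    d = {"mediaType": media_type, "digest": "sha256:" + hashlib.sha256(blob).hexdigest(), "size": len(blob)}
    return {**d, **extra}

def empty_config():
    # The spec's empty descriptor: the two bytes "{}", inlined as base64 "e30=", not a 0-byte file.
    return descriptor(EMPTY, b"{}", data=b64encode(b"{}").decode())

def module_manifest(artifact_type, psd1, tgz, meta):
    """Empty config + artifactType, manifest as its own layer, metadata as top-level annotations."""
    return {
        "schemaVersion": 2, "mediaType": MANIFEST, "artifactType": artifact_type,
        "config": empty_config(),
        "layers": [descriptor(PSD1, psd1), descriptor(TGZ, tgz)],
        "annotations": {f"org.opencontainers.image.{k}": v for k, v in meta.items()},
    }

def lint(manifest):
    """Return the violations of the OCI artifact guidelines quoted in the comment."""
    found = []
    cfg = manifest.get("config", {})
    if cfg.get("size") == 0:
        found.append("config is a zero-byte blob; use the well-known empty descriptor instead")
    if cfg.get("mediaType") == EMPTY and not manifest.get("artifactType"):
        found.append("config is the empty value, so artifactType MUST be set")
    for i, layer in enumerate(manifest.get("layers", [])):
        for key in layer.get("annotations", {}):
            if key.startswith("org.opencontainers.image."):
                found.append(f"layer {i}: {key} belongs in the top-level annotations")
    return found

# Constructed sample inputs, not real module or registry output.
SAMPLE_PSD1 = b"@{ ModuleVersion = '1.2.3'; Author = 'example' }"
SAMPLE_TGZ = b"\x1f\x8b\x08constructed-tarball-bytes"
GOOD = module_manifest("application/vnd.example.psmodule.v1", SAMPLE_PSD1, SAMPLE_TGZ,
                       {"authors": "example", "source": "https://example.invalid/repo", "revision": "abc123"})
BAD = {  # constructed "before": zero-byte config, no artifactType, metadata hidden in a layer annotation
    "schemaVersion": 2, "mediaType": MANIFEST,
    "config": {"mediaType": EMPTY, "digest": "sha256:" + hashlib.sha256(b"").hexdigest(), "size": 0},
    "layers": [descriptor(TGZ, SAMPLE_TGZ, annotations={"org.opencontainers.image.authors": "example"})],
}
```

`lint(BAD)` reports all three problems while `lint(GOOD)` is empty; the good config digest is the spec's fixed sha256 of `{}`.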