Skip to content
This repository has been archived by the owner on Jul 18, 2023. It is now read-only.

OCI artifact manifest, Phase 1-Reference Types #29

Closed
wants to merge 1 commit into from
Closed

OCI artifact manifest, Phase 1-Reference Types #29

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion MAINTAINERS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,4 @@
+ Derek McGowan <derek.mcgowan@docker.com> (@dmcgowan)
+ Mike Brown <brownwm@us.ibm.com> (@mikebrow)
+ Stephen Day <stevvooe@gmail.com> (@stevvooe)
+ Joey Schorr <jschorr@petricorp.io> (@josephschorr)
+ Joey Schorr <jschorr@redhat.com> (@josephschorr)
73 changes: 12 additions & 61 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,66 +1,17 @@
# OCI Artifacts
# OCI Artifacts (Experimental) with OCI Artifact Reference Support
SteveLasker marked this conversation as resolved.
Show resolved Hide resolved

## Artifact Guidance Documents
This is an experimental branch of oci artifacts, validating the [oci.artifact.manifest spec][oci-artifact-manifest-spec] support of reference types. Reference types are required to meet the [Notary v2 Requirements][nv2-requirements] for not changing the target digest or tag, and the [Notary v2 Scenarios][nv2-scenarios] for content movement within and across registry implementations. Reference types enable a wider range of scenarios, including secure supply chain artifacts that may be represented as a graph as they move across environments.

1. [Artifact Author Guidance](./artifact-authors.md)
![](media/net-monitor-graph.svg)

## Supporting Documents
## Table of Contents:

- [Term Definitions](./definitions-terms.md)
- [OCI Artifact Manifest Overview][oci-artifact-manifest]
- [OCI Artifact Reference Type Manifest Spec](./artifact-reftype-spec.md)
- [ORAS experimental support for oci.artifact.manifest references][oras-artifacts] to `push`, `discover`, `pull` referenced artifact types.

## Project Introduction and Scope

Container registries, implementing the [distribution-spec][distribution-spec], provide reliable, highly scalable, secured storage services for container images. Customers either use a cloud provider implementation, vendor implementations, or instance the open source implementation of [distribution][distribution]. They configure security and networking to assure the images in the registry are locked down and accessible by the resources required. Cloud providers and vendors often provide additional values atop their registry implementations from security to productivity features.

Applications and services typically require additional artifacts to deploy and manage, including [helm](https://helm.sh) for deployment and [Open Policy Agent (OPA)](https://github.com/open-policy-agent/opa/issues/1413) for policy enforcement.

Utilizing the [manifest][image-manifest] and [index][image-index] definitions, new artifacts, such as the [Singularity project][singularity], can be stored and served using the [distribution-spec][distribution-spec].

This repository provides a reference for artifact authors and registry implementors for supporting new artifact types with the existing implementations of distribution.
More particularly this repository has been tasked by the [OCI TOB](https://github.com/opencontainers/tob/blob/master/proposals/artifacts.md) to serve 3 primary goals:

1. **artifact authors** - [guidance for authoring new artifact types.][artifact-authors] Including a clearing house for well known artifact types.
1. **registry operators and vendors** - guidance for how operators and vendors can support new artifact types, including how they can opt-in or out of well known artifact types. Registry operators that already implement `media-type` filtering will not have to change. The artifact repo will provide context on how new `media-type`s can be used, and how `media-type`s can be associated with a type of artifact.
1. **clearing house for well known artifacts** - artifact authors can submit their artifact definitions, providing registry operators a list by which they can easily support.

By providing an OCI artifact definition, the community can continue to innovate, focusing on new artifact types without having to build yet another storage solution (YASS).

## Project Governance and License

- [Artifact Authors- How To][artifact-authors]
- [The Apache License, Version 2.0](LICENSE)
- [Maintainers](MAINTAINERS)
- [Maintainer guidelines](MAINTAINERS_GUIDE.md)
- [Contributor guidelines](CONTRIBUTING.md)
- [Project governance](GOVERNANCE.md)
- [Release procedures](RELEASES.md)

## Code of Conduct

This project incorporates (by reference) the OCI [Code of Conduct][code-of-conduct].

## Governance and Releases

This project incorporates the Governance and Releases processes from the OCI project template: https://github.com/opencontainers/project-template.

## Project Communications

This project would continue to use existing channels in use by the [OCI developer community for communication](https://github.com/opencontainers/org#communications)

### Versioning / Roadmap

Artifacts will reference specific [distribution][distribution-spec], [index][image-index] and [manifest][image-manifest] versions in its examples, identifying any dependencies required.

## Frequently Asked Questions (FAQ)

**Q: Does this change the OCI Charter or Scope Table?**

A: No. Artifacts are a prescriptive means of storing [index][image-index] and [manifest][image-manifest] within [distribution][distribution-spec] implementations.

[artifact-authors]: ./artifact-authors.md
[code-of-conduct]: https://github.com/opencontainers/org/blob/master/CODE_OF_CONDUCT.md
[distribution]: https://github.com/docker/distribution
[distribution-spec]: https://github.com/opencontainers/distribution-spec/
[image-index]: https://github.com/opencontainers/image-spec/blob/master/image-index.md
[image-manifest]: https://github.com/opencontainers/image-spec/blob/master/manifest.md
[singularity]: https://github.com/sylabs/singularity
[oci-artifact-manifest]: ./artifact-manifest.md
[oci-artifact-manifest-spec]: ./artifact-reftype-spec.md
[nv2-requirements]: https://github.com/notaryproject/notaryproject/blob/main/requirements.md
[nv2-scenarios]: https://github.com/notaryproject/notaryproject/blob/main/scenarios.md
[oras-artifacts]: https://github.com/deislabs/oras/blob/prototype-2/docs/artifact-manifest.md
2 changes: 1 addition & 1 deletion artifact-authors.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ The manifest `config.mediaType` is the equivalent of a file extension, enabling
|Icon|Artifact|`config.mediaType`|
|-|-|-|
|<img src="https://github.com/opencontainers/artwork/blob/master/oci/icon/color/oci-icon-color.png?raw=true" width=30x>|[OCI Image][image-spec]|`application/vnd.oci.image.config.v1+json`|
|<img src="https://github.com/helm/helm-www/blob/main/themes/helm/static/img/apple-touch-icon.png?raw=true" width=30x>|[Helm Chart](https://helm.sh)|`application/vnd.cncf.helm.chart.config.v1+json`|
|<img src="https://github.com/helm/helm-www/blob/master/themes/helm/static/img/apple-touch-icon.png?raw=true" width=30x>|[Helm Chart](https://helm.sh)|`application/vnd.cncf.helm.chart.config.v1+json`|
|<img src="https://github.com/sylabs/singularity/blob/master/docs/logos/singularity_v3.png?raw=true" width=30x>|[Singularity][singularity], by [Sylabs][sylabs]|`application/vnd.sylabs.sif.config.v1+json`|

## Defining a Unique Artifact Type
Expand Down
76 changes: 76 additions & 0 deletions artifact-manifest-spec.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# OCI Artifact Manifest Spec (Phase-1 Reference Types)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems like it's been hashed out in the past, but what's to stop us from using the existing image manifest spec and adding only the additional fields needed to enable references? In my mind, this would just be subjectManifest as an optional field that would allow registries to begin tracking these relationships on push and use that to implement a references or referrers API.

I think that we should at least list out the reasons why we think we need a new manifest type and why we can't use the existing spec. Especially with the conversations going on about another "object manifest" type in the future, I'd really like to keep the number of schemas that registries have to implement to a minimum. Adding fields to the existing spec seems like it might be simpler and reduce the overall churn over the next few years.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One major issue is that if any object can have a reference (which is a reverse reference for gc) and also a normal link to a manifest, we can no longer guarantee that there are no cycles in the garbage collection graph, and gc becomes intractable.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding was that the garbage collector will not be using the reference link in the manifest?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

gc becomes intractable

I'm not sure if I 100% agree with this, but I do agree that it becomes more complicated. It's hard to really discuss because there are so many different GC policies.

I don't like that this doc prescribes GC behavior, though, as it limits the power of how this kind of relationship could be used.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The limitation is simply a minimum scoped set of scenarios we're confident we can support until we have the time to work through all the scenarios in #37.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@justincormack is there a restriction preventing an ArtifactManifest from referencing an ArtifactManifest?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nope. See the example where an SBOM is signed. The SBOM is an artifact reference type, and the signature is also an artifact referenceType

image

The OCI artifact manifest generalizes the use cases of [OCI image manifest][oci-image-manifest-spec] by removing constraints defined on the image-manifest such as a required `config` object and required & ordinal `layers`. It then adds a `subjectManifest` property supporting reference types. The addition of a new manifest does not change, nor impact the `image.manifest`. It provides a means to define a wide range of artifacts, including a chain of related artifacts enabling SBoMs, on-demand loading, signatures and metadata that can be related to an `image.manifest` or `image.index`. By defining a new manifest, registries and clients opt-into new capabilities, without breaking existing registry and client behavior or setting expectations for scenarios to function when the client and/or registry doesn't yet implement the new capabilities.

To enable a fall 2021 focus on supply chain security, **Phase 1** will narrowly focus on Reference Type support, giving time for further generalization with less time constraints.

For usage and scenarios, see [artifact-manifest.md](./artifact-manifest.md)

## Example OCI Artifact Manifests

The following are Phase 1 examples:

- [`net-monitor:v1` oci container image](./artifact-manifest/net-monitor-oci-image.json)
- [`net-monitor:v1` notary v2 signature](./artifact-manifest/net-monitor-image-signature.json)
- [`net-monitor:v1` sample sbom](./artifact-manifest/net-monitor-image-sbom.json)
- [`net-monitor:v1` nydus image with on-demand loading](./artifact-manifest/net-monitor-image-nydus-ondemand-loading.json)

## OCI Artifact Manifest Properties

For **Phase 1**, an artifact manifest provides an optional collection of blobs and a reference to the manifest of another artifact.

- **`schemaVersion`** *int*
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would just drop this, as it is a vestige of old types. No need to carry this into new versions.

Copy link
Member

@mikebrow mikebrow Jul 21, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can I get a hell yes! ( to removing it)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've always wondered how schemaVersion relates to the embedded mediaType version: application/vnd.oci.artifact.manifest.v1+json
I'd be happy to avoid the duplication.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All of everything we see today is schemaVersion 2. It was just used to differentiate it early on. It's not needed for new manifests where this doesn't matter.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just asking for clarity.
There is a difference in the schema of the .json document between image.manifest, image.index and artifact.manifest
What I believe you're saying is the manifest.mediaType version provides enough info for how to process the .json document?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What I believe you're saying is the manifest.mediaType version provides enough info for how to process the .json document?

Implementations generally shouldn't be trying to peek inside an artifact in order to understand how to process it. By that point, it's often too late. Instead, content should generally be presented alongside a descriptor, which contains the mediaType of the content.

For a registry, these descriptors are sometimes communicated via HTTP headers by the client on push and the server on pull. Sometimes, the descriptors are embedded within other content, e.g. when pulling a manifest list, you select one of the manifests entries (based on some criteria, e.g. platform) and process what you fetch based on the mediaType in that descriptor.

If you try to use the embedded mediaType to process everything, you'll probably end up having to parse content twice. Once to find its mediaType, then again to parse based on the mediaType.

Very old clients didn't send or process HTTP headers sufficiently to behave properly, so this schemaVersion existed to differentiate between schema 1 and schema 2 images. Now that we live in a universe with a nice type system, that shouldn't be necessary.

If you were to add a schemaVersion field to a new kind of artifact, you absolutely don't want to set it to 1 or 2, because this could break old clients that are using schemaVersion to select between two manifest schemas. You could use schemaVersion: 3, but it's easier to just drop it altogether and rely on mediaTypes and descriptors in order to parse content.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks Jon,
Based on all this feedback and more understanding for how versioning is processed for the document to safely evolve, I did remove schemaVersion from the current artifact.manifest and examples


This REQUIRED property specifies the artifact manifest schema version.
For this version of the specification, this MUST be `3`. The value of this field WILL change as the manifest schema evolves. Minor version changes to the `oci.artifact.manifest` spec MUST be additive, while major version changes MAY be breaking. Artifact clients MUST implement version checking to allow for future, yet unknown changes. Artifact clients MUST ignore additive properties to minor versions. Artifact clients MAY support major changes, with no guarantee major changes MAY impose breaking changing behaviors. Artifact authors MAY support new and older schemaVersions to provide the best user experience.

- **`mediaType`** *string*
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Embedding the mediaType directly in the object itself makes future migration challenging or impossible. I know this supports being able to detect the type of the object, but usually this should be done through a specific descriptor path.

If we want to have this ability, we should come up with a different name. Using the mediaType to set the content of "THIS" document will be confusing, since we use it in both roles.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure how this correlates with the ^ q&a.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good thread to tug on, for some background: opencontainers/image-spec#411 (review)


This field contains the `mediaType` of this document, differentiating from [image-manifest][oci-image-manifest-spec] and [oci-image-index]. The mediaType for this manifest type MUST be `application/vnd.oci.artifact.manifest.v1+json`, where the version WILL change to reflect newer versions. Artifact authors SHOULD support multiple `mediaType` versions to provide the best user experience for their artifact type.

- **`artifactType`** *string*
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is an artifactType different than a mediaType? Why not just have a mediaType?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as you determined above this spec reads as it is looking at "this" format (manifest) to be defined by mediaType and artifactType is a sub-type within artifacts registered with iana.. with certain additional rules and content types expected in the blobs (artifact blobs)

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this a second type system then?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm may be missing some level of detail to the question here.
There are a few manifests that registries would know how to process. Hopefully, we can converge on a few, and not have too many, but we are adding one more to generalize and add capabilities over the oci.image.manifest
The registries need to know about these manifest, as defined by the manifest.mediaType. At least that's how I read the difference between image.manifest and image.index

This decouples the registry from knowing about the specific artifacts, just like a filesystem knows how to store files, but doesn't care about the file.extension.

artifactTypes are the means by which Helm, WASM, Notary, SPDX, CycloneDX, Cosign identify themselves. The registry doesn't care from a processing perspective for how to store and retrieve it. But, the registry UX could show icons and details for the type and security scanners can determine how they scan and process the different types of artifacts, as they know what it is, so they know how to scan them. Similarly, each artifact tooling would know if they should continue processing the manifest, or reject it. Just like Word knows how to reject opening a .mp4 file, vs a .docx file.
And, the /referreres API can filter by the artifactType so it could be requested to only return artifactType=cncf.notary.v2 manifests.

Copy link

@deleteriousEffect deleteriousEffect Jul 23, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree with Steve here, having a spec that allows any kind of typed object to be put in a field requires registry implementations to become stricter with what they accept compared to today. For example, registries might reject an otherwise well-formed and to spec OCI Image because they don't recognize the config blob's media type, since they need to verify each object is something they know how to deal with in relatively fundamental ways. For distribution, this is as basic as knowing where this object should be located at all, given the digest.

I don't believe ignoring the unknown mediatypes is appropriate for registries accepting pushes either, as this has implications for lifecycle management. For example, I believe some implementations accepted buildkit caches, but since they are OCI Image Index which presumably contained manifests, the associated blobs were deleted during garbage collection. This is pretty opaque to the end user, and I believe that registries which do lifecycle management of manifests and their referenced objects should return MANIFEST_INVALID during push if they are not able to maintain the lifecycle of the manifest correctly.

Having a broad category of "manifests" and "blobs", which are distinctions that I think most people here understand conventionally, allow registries to have a basic understanding of the level of expectations around an object without having to know the media type beforehand. There are already separate API routes for blobs and manifests, so this distinction exists within the v2 API spec today.

For manifests, this does mean that registry implementations will have to know about the mediatype to read the manifest content correctly since registry implementations are expected to perform actions that require inspecting the manifest, such as validation. However, for an object that's classified as a blob, the registry implementation is safe to make certain assumptions such as, that that object will not reference other objects in a way that's relevant to the registry, and that it should not be parsed as JSON. Having this clarity would allow registries and clients enough wiggle room to work together without having to keep in lock step.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@deleteriousEffect I generally agree with you, but I don't see how this relates to artifactType.


Phase 1 of the OCI Artifact spec will support reference types to existing [OCI Artifacts][oci-artifacts]. The REQUIRED `artifactType` is unique value, as registered with iana.org. See [registering unique types.][registering-iana]. The `artifactType` is equivalent to OCI Artifacts that used the `manifest.config.mediaType` to differentiate the type of artifact. Artifact authors that implement `oci.artifact.manifest` use `artifactType` to differentiate the type of artifact. example:(`example.sbom` from `cncf.notary`).

- **`blobs`** *array of objects*
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note to self.. need to officially define layer in the distribution spec.. missed it.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure if I like defining blobs here gut says CAS should own blobs.. and image would do layers is array of blobs.. having ordinality .. over here in artifacts spec.. this would be artifacts or artifactBlobs is array of blobs where ordinality is optional..

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

course we could do the same thing by changing objects to CAS objects or something similar..

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer something pointing towards their use. Should this be "subjects"? How does it relate to the manifest?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We seem to be discussing the differences between a manifest, which represents an artifact (container image, helm, wasm, opa, ...) and the content that makes up that artifact, represented as blobs

These are distinct types. They both use descriptors to define how they're persisted as CAS objects, but they do have different meanings, where the registry, and a client processes a manifest for it's content, but should just store and serve blobs (aka layers)
I'm going to defer this one for now, as this concept, as I understand it, is core to the referenceTypes and the work being built atop it.
I'll suggest we continue this conversation as we transition to the artifacts-spec repo.


An OPTIONAL collection of 0 or more blobs. The blobs array is analogous to [oci.image.manifest layers][oci-image-manifest-spec-layers], however unlike [image-manifest][oci-image-manifest-spec], the ordering of blobs is specific to the artifact type. Some artifacts may choose an overlay of files, while other artifact types may store indepdent collections of files.

- Each item in the array MUST be a [descriptor][descriptor], and MUST NOT refer to another `manifest` providing dependency closure.
- The max number of blobs is not defined, but MAY be limited by [distribution-spec][oci-distribution-spec] implementations.
- An encountered `descriptor.mediaType` that is unknown to the implementation MUST be ignored.

- **`subjectManifest`** *descriptor*
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would just call this subject, since there is not reason to restrict to a specific manifest.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How would that be different than another entry in the [blobs] collection?
This has been the subject of the cycles and lifecycle management question that revolve around a manifest is the thing we reason about for user interaction, where the blobs have been implementation details the client and registry can optimize around.
I'd like to have more conversation around this to understand what it would mean for an artifact to contain blobs, but link to other blobs, as opposed to focusing on artifacts reference other artifacts (manifests)


An OPTIONAL reference to any existing manifest within the repository. When specified, the artifact is said to be dependent upon the referenced `subjectManifest`.
- The item MUST be a [descriptor][descriptor] representing a manifest. Descriptors to blobs are not supported. The registry MUST return a `400` response code when `subjectManifest` is not found in the same repository, and not a manifest.

- **`annotations`** *string-string map*

This OPTIONAL property contains arbitrary metadata for the image manifest.
This OPTIONAL property MUST use the [annotation rules](annotations.md#rules).

See [Pre-Defined Annotation Keys][annotations]

## Push Validation

Following the [distribution-spec push api](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#push), all `blobs` *and* the `subjectManifest` descriptors SHOULD exist when pushed to a distribution instance.

## Lifecycle Management

For Phase 1, artifact types will be limited to reference types. A reference type is an artifact that doesn't have a lifecycle unto itself. A container image is said to have an independent lifecycle. A reference type, such as an SBoM or signature have a lifecycle tied to the `subjectManifest`. When the `subjectManifest` is deleted or marked for garbage collection, the defined artifact is subject to deletion as well. A distribution instance SHOULD delete, (refCount -1) the artifact when the `subjectManifest` is deleted.

### Tagged `referenceTypes`

As signatures and SBoMs are not considered independent artifact types, they SHOULD NOT have a tag, simplifying the lifecycle management. As the `subjectManifest` is marked for deletion (refCount=0), the `referenctType` is also marked for deletion (refCount -1). However, these artifacts MAY have tags as future versions of the artifact manifest MAY support independent types.
Copy link

@jonjohnsonjr jonjohnsonjr May 19, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My understanding was that the garbage collector will not be using the reference link in the manifest?

@nishakm see here and above

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we all recognize adding any content added to registries needs enough info to manage its lifecycle. This includes GC on incomplete uploads or enough information for users to delete their content.

While registries implement GC and deletion management differently, we're just making sure we've provided the right level of information in the manifests to enable lifecycle management and set user expectations for consistency across registries.

For phase 1, we're scoping this tightly so we can see how this evolves over time. For instance, we definitely want to support independent artifacts with subjectManifest references that have tags. This is the larger #37 effort that this will evolve into. We're just scoping independent artifacts out for now, as it's not critical to our phase 1 scope for the fall of 2021

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo.. referenctType


[oci-artifacts]: https://github.com/opencontainers/artifacts
[oci-config]: https://github.com/opencontainers/image-spec/blob/master/config.md
[oci-image-manifest-spec]: https://github.com/opencontainers/image-spec/blob/master/manifest.md
[oci-image-manifest-spec-layers]: https://github.com/opencontainers/image-spec/blob/master/manifest.md#image-manifest-property-descriptions
[oci-image-index]: https://github.com/opencontainers/image-spec/blob/master/image-index.md
[oci-distribution-spec]: https://github.com/opencontainers/distribution-spec
[media-type]: https://github.com/opencontainers/image-spec/blob/master/media-types.md
[artifact-type]: https://github.com/opencontainers/artifacts/blob/master/artifact-authors.md#defining-a-unique-artifact-type
[registering-iana]: ./artifact-authors.md#registering-unique-types-with-iana
[descriptor]: https://github.com/opencontainers/image-spec/blob/master/descriptor.md
[annotations]: https://github.com/opencontainers/image-spec/blob/master/annotations.md
Loading