-
Notifications
You must be signed in to change notification settings - Fork 209
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: an OCI-Referrers header on manifest pull #454
Comments
For me, an
Doing that math on this example, there are 42 artifacts and 1 index that don't have referrers themselves, so this would eliminate 43 API calls in this example. That can easily grow as more images are pushed per index (e.g. risc-v, wasm, perhaps zstd variants on images) and metadata gets pushed per image (e.g. there's VEX reports, more SBOM formats, reproducibility data, multiple signatures from different parties, etc). The For the |
I like the optimization part but one of the concerns I have with the |
The way I was thinking about it, the header would make no promises about the future at all; it only represents state as is visible to the client “at the time of forming the response”. I.e. in a A necessarily happens-before B. If C is racing D (i.e. there is no D happens-before C relationship), a client that sees I.e. adding the |
Curious to hear if from other who know the http spec better - For example consider something like Content-Length: 708
Docker-Distribution-Api-Version: registry/2.0
Etag: "sha256:..."
Docker-Content-Digest: sha256:...
Content-Type: application/vnd.oci.image.manifest.v1+json
Link: <http://localhost:5000/v2/hello-world/referrers/sha256:3e207b409db364b595ba862cdc12be96dcdad8e36c59a03b7b3b61c946a5742a>; rel="related" Also if we don't want to reuse |
The primary benefit of this proposal is to report when there is nothing to link; that can’t be presented with a |
I agree that caching is a client side concern and this just needs to return the current state at the time of the manifest get. A client cache is always at risk of becoming stale, particularly with any content not covered by content addressability (tags, headers, referrers list, and whether content exists). We can leave that as an implementation problem. I'm ready to move forward with the |
I understand the desire for this, but it's a feature that benefits the client while adding a fair amount of burden on the server. I can see the |
As long as referrers are fairly rarely used, when pulling an image, determining if there are any referrers requires an extra round-trip (if the registry is known to support the referrers API) or two (if the registry does not support the API and the referrers tag schema needs to be used).
Assuming there are registries where the implementation makes it cheap enough (I have no idea if that’s the case), it seems potentially valuable to allow a manifest pull request to include a header indicating referrers presence:
OCI-Referrers: present|absent
.If this header is present:
present
/absent
value indicates whether there, at the time of forming the response, was at least one referrer.A registry where determining the existence of referrers is costly could choose not to include the header; the client would then need to make an explicit “Listing Referrers” request.
I’m not sure about specifying the
present
value, I don’t think it helps clients.Alternatively, an
OCI-Referrers-Artifact-Types
header listing the artifact types of all included referrers could eliminate even more roundtrips (for clients which e.g. only care about signatures and not SBOMs), at the cost of possibly being even costlier for registry to obtain.It might even make sense to specify both.
If referrers use ever becomes very widespread, these headers would just add overhead, because clients would almost always want to list the referrers. In that case, registries could choose to stop including these headers.
I apologize if this was already discussed; I couldn’t find anything searching issues in this repo.
The text was updated successfully, but these errors were encountered: