lima
consume lima templates over OCI registries
Description
OCI registries are evolving to store any kind of artifact, thanks to OCI artifacts. Many tools out there have already been adapted to consume their configs over OCI registries, such as conftest (ability to pull/push Rego policies), Flux (kustomizer.dev), Tekton (Tekton Bundle), Helm (Charts OCI Registry support), etc.
What I'd like to propose is that we can store and distribute Lima templates over OCI registries too:
# devopps/my-lima-template:v0.1.0 this image will hold the template itself within its layer
$ lima start template://devopps/my-lima-template:v0.1.0
cc: @AkihiroSuda @dentrax @jandubois
please assign it to us if you are OK with this
$ lima start template://devopps/my-lima-template:v0.1.0
I think it would need some different protocol schema name than template to avoid ambiguity; the example you give above is a valid file reference.
Personally I'm a bit worried about using protocols that are not easily inspectable with just a browser, as lima templates can execute provisioning scripts, so can access data from the host and exfiltrate it at will. It would be trivial to have a template that sends your ~/.aws/config to a server somewhere. That's why I would never install a template without manually checking it first, just like I don't like running curl ... | sudo bash.
Is there really a compelling use case for storing lima templates in a registry, and not just at some https URL, which is already supported?
I agree with @jandubois. Using a remote URL is highly discouraged.