Can pull referrer with oras pull without knowing the digest

Open SamirPS opened this issue 2 years ago • 7 comments

What is the version of your ORAS CLI

Version: 1.0.0-rc.1+unreleased
Go version: go1.20
Git commit: 8bda262f901e8ef8404cf23d59c5f47f4280fdf3
Git tree state: clean

What would you like to be added?

For example, if I take this multi-arch image and copy it to Azure:

docker.io/library/ubuntu:lunar -> xxx.azurecr.io/test:lunar

I now have an artefact named one.json. I attach it to the amd64 platform with this command, for example:

oras attach xxx.azurecr.io/test:lunar --platform linux/amd64 one.json

Now if I do

oras discover xxx.azurecr.io/test:lunar

I will have 0 artefacts discovered, but if I do

oras discover xxx.azurecr.io/test:lunar  --platform linux/amd64

ORAS will find the one.json artefact with this digest sha256:digestofsbom. These two outputs are expected.

Now if I do:

oras pull xxx.azurecr.io/test:lunar  --platform linux/amd64

It will say downloaded empty artefacts. But if I do

oras pull xxx.azurecr.io/test:lunar@sha256:digestofsbom

It downloads the one.json artefact.

What @SteveLasker and I proposed is to add this command, for example, to pull the artefacts:

oras pull xxx.azurecr.io/test:lunar --platform linux/amd64 --artifactType application/spdx+json --top 1 --orderby desc

Why is this needed for ORAS?

Some people will use ORAS without knowing anything about digests or manifests. This would give them a great user experience. Also, if I attached multiple files to the amd64 (sbom, license, ...), it's great to be able to download all files with a single command and not need to get the digest for each file.

Are you willing to submit PRs to contribute to this feature?

  • [ ] Yes, I am willing to implement it.

SamirPS avatar Feb 24 '23 10:02 SamirPS
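The behaviour described in the issue above, as an added example that is not part of the original post or of ORAS itself: referrers are listed against the platform manifest's digest, not the index's, so `--platform` has to be resolved to a digest before any lookup or filtering. All digests and data are constructed placeholders, the function names are hypothetical, and sorting on the `org.opencontainers.image.created` annotation is an assumption about what the proposed `--orderby` would use.

```python
# Constructed sample data; digests are shortened placeholders, not real values.
INDEX_DIGEST = "sha256:index"
INDEX = {
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"digest": "sha256:amd64", "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": "sha256:arm64", "platform": {"os": "linux", "architecture": "arm64"}},
    ],
}
CREATED = "org.opencontainers.image.created"  # assumed sort key (see lead-in)
# Referrer descriptors grouped by the subject digest they were attached to.
REFERRERS = {
    "sha256:amd64": [
        {"digest": "sha256:sbom-old", "artifactType": "application/spdx+json",
         "annotations": {CREATED: "2023-02-20T09:00:00Z"}},
        {"digest": "sha256:sbom-new", "artifactType": "application/spdx+json",
         "annotations": {CREATED: "2023-02-24T10:00:00Z"}},
        {"digest": "sha256:license", "artifactType": "text/plain",
         "annotations": {CREATED: "2023-02-25T10:00:00Z"}},
    ],
}

def resolve_subject(index, index_digest, platform=None):
    """Return the digest that referrers must be looked up against."""
    if platform is None:
        return index_digest  # no --platform: the subject is the index itself
    parts = platform.split("/")  # "os/arch"; any variant suffix is ignored here
    for desc in index["manifests"]:
        p = desc.get("platform", {})
        if p.get("os") == parts[0] and p.get("architecture") == parts[1]:
            return desc["digest"]
    raise LookupError(f"no manifest for platform {platform}")

def select_referrers(subject, artifact_type=None, top=None, descending=True):
    """Filter by artifactType, order by creation time, keep the first `top`."""
    found = [d for d in REFERRERS.get(subject, [])
             if artifact_type is None or d.get("artifactType") == artifact_type]
    # UTC RFC 3339 timestamps in one format sort correctly as plain strings.
    found.sort(key=lambda d: d.get("annotations", {}).get(CREATED, ""),
               reverse=descending)
    return [d["digest"] for d in found[:top]]

if __name__ == "__main__":
    for plat in (None, "linux/amd64"):
        subject = resolve_subject(INDEX, INDEX_DIGEST, plat)
        print(plat, subject, select_referrers(subject, "application/spdx+json", top=1))
```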

👍 Sounds like a counterpart of --include-subject to me.

qweeah avatar Feb 25 '23 03:02 qweeah

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

github-actions[bot] avatar Jul 23 '23 01:07 github-actions[bot]

Any news about this issue?

SamirPS avatar Jul 30 '23 16:07 SamirPS

Any news about this issue?

@shizhMSFT @FeynmanZhou @sajayantony for planning

qweeah avatar Jul 31 '23 00:07 qweeah

The subject field is introduced for the OCI Index manifest in image-spec v1.0.0-rc4. We can continue the discussion from there.

shizhMSFT avatar Jul 31 '23 05:07 shizhMSFT

@SamirPS You might be interested in https://github.com/opencontainers/image-spec/pull/1020, especially the following diagram:

graph TD;

sboms-->lsbom;
sboms-.->index;
sboms-->wsbom;

lsbom[sbom]-.->linux;

index-->linux;
index-->windows;

wsbom[sbom]-.->windows;

shizhMSFT avatar Jul 31 '23 05:07 shizhMSFT

@sajayantony Currently, we don't have a standard to create the sboms in the above diagram. Will that be in the corresponding OCI spec? Or is it purely up to the client implementation? If it is the latter, we can probably propose a solution for oras.

shizhMSFT avatar Jul 31 '23 05:07 shizhMSFT