Billy Zha

Synchronized offline with @toddysm that using https-->http auto handling like below command will fail: ```bash oras login oras.e2e.test \ --resolve oras.e2e.test:80:0.0.0.0:5000 --insecure ``` ORAS user have below options to make...

I found that if a port is specified in the registry name for login, then it will also be recorded in the auth config file, e.g. if I used below...

If a user want login a registry hosted at 0.0.0.0:5000, and the registry credential stored without port, they will have to use ```shell oras login oras.e2e.test \ --resolve oras.e2e.test:80:0.0.0.0:5000 \...

Investigated implementation of existing registry clients tools and documented in a [HackMD doc](https://hackmd.io/7lGl2zRqQMWt413TttyyVw?view#Compare-the-user-experience-in-other-registry-clients).

Moving it to 2.0 since the auto fallback incurs security level change, which is breaking. If HTTPS is not supported and falls back to HTTP, the data transmission is not...

> Should we consider not auto closing any issue that’s in a milestone? Definitely, will raise a PR to add it.

This is already supported by `oras push --config [:]` but still missing in `oras attach`. One valid use case is `Artifact with config data` (#3 in [image-spec guidance](https://github.com/opencontainers/image-spec/blob/v1.1.0-rc5/manifest.md#guidelines-for-artifact-usage)).

👍 Sounds like a counterpart of `--include-subject` to me.

> Any news about this issue? @shizhMSFT @FeynmanZhou @sajayantony for planning

Thanks for providing this great idea. It should be added to oras so user won't need to find the digest of a certain arch by themselves. cc @FeynmanZhou