Brandon Mitchell
> Could extracting zip files introduce code execution, zip bombs, and path traversal attacks? I believe a check could be written that parses the zip/tar without writing the contents to...
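The check proposed in the quoted comment, written out as an added example (this is not code from the original thread or from the OCI project): a Go routine that reads only a zip's central directory, never extracts anything, and reports entries that would escape the extraction root or that look like a zip bomb. The policy limits, the `Finding` type and the sample archive built by `buildSampleZip` are all constructed for this example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"io/fs"
	"path"
	"strings"
)

// Hypothetical policy limits for this example; tune them per deployment.
const (
	maxTotalUncompressed uint64  = 256 << 20 // 256 MiB across the whole archive
	maxEntryRatio        float64 = 100       // uncompressed/compressed per entry
)

// Finding describes one problem detected in an archive entry.
// An empty Name means the finding applies to the archive as a whole.
type Finding struct {
	Name   string
	Reason string
}

// InspectZip parses an in-memory zip archive and flags entries that would
// escape the extraction root (absolute paths, "..", backslashes, symlinks)
// or that look like a zip bomb (extreme per-entry ratio, oversized total).
// Nothing is extracted or written to disk; only metadata is examined.
func InspectZip(data []byte) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may return ErrInsecurePath together with a usable reader;
	// keep going so every offending entry gets reported, not just the first.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var findings []Finding
	var total uint64
	for _, f := range r.File {
		// Normalise separators, then Clean so "a/../../b" is caught as well.
		name := strings.ReplaceAll(f.Name, `\`, "/")
		cleaned := path.Clean(name)
		if strings.Contains(f.Name, `\`) {
			findings = append(findings, Finding{f.Name, "backslash in entry name"})
		}
		if strings.HasPrefix(name, "/") {
			findings = append(findings, Finding{f.Name, "absolute path"})
		}
		if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
			findings = append(findings, Finding{f.Name, "path traversal"})
		}
		// A symlink written first can redirect later entries outside the root.
		if f.Mode()&fs.ModeSymlink != 0 {
			findings = append(findings, Finding{f.Name, "symlink entry"})
		}
		// Sizes come from the central directory and are attacker-controlled;
		// a real extractor must still cap the bytes it actually reads.
		if f.CompressedSize64 > 0 {
			ratio := float64(f.UncompressedSize64) / float64(f.CompressedSize64)
			if ratio > maxEntryRatio {
				findings = append(findings, Finding{f.Name, fmt.Sprintf("compression ratio %.0f:1", ratio)})
			}
		}
		total += f.UncompressedSize64
	}
	if total > maxTotalUncompressed {
		findings = append(findings, Finding{"", fmt.Sprintf("total uncompressed size %d exceeds limit", total)})
	}
	return findings, nil
}

// buildSampleZip builds a constructed test archive in memory: a benign file,
// a traversal entry, a symlink pointing outside the root, and a highly
// compressible entry that behaves like a small zip bomb.
func buildSampleZip() []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	fw, err := w.Create("docs/readme.txt")
	must(err)
	_, err = fw.Write([]byte("hello"))
	must(err)

	fw, err = w.Create("../../etc/cron.d/evil")
	must(err)
	_, err = fw.Write([]byte("* * * * * root /bin/sh"))
	must(err)

	h := &zip.FileHeader{Name: "etc-link", Method: zip.Store}
	h.SetMode(fs.ModeSymlink | 0o777)
	fw, err = w.CreateHeader(h)
	must(err)
	_, err = fw.Write([]byte("/etc/passwd")) // symlink target
	must(err)

	fw, err = w.Create("bomb.bin")
	must(err)
	_, err = fw.Write(make([]byte, 4<<20)) // 4 MiB of zeros deflates to a few KiB
	must(err)

	must(w.Close())
	return buf.Bytes()
}

func main() {
	findings, err := InspectZip(buildSampleZip())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-25s %s\n", f.Name, f.Reason)
	}
}
```

The ratio and total checks only use the sizes the central directory claims, which is enough to reject an archive up front but not a substitute for limiting the bytes actually written during extraction.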
This is still triggering false positives.
If it's content addressable (with a verified digest) how would a URL be malicious in a way that a registry hosted blob isn't?
> deps bump possibly for security fixes. What dependencies are you referring to? The `go.mod` doesn't list any.
There is a proposal to replace this with #496.
Documenting the community decision made today: We are making a breaking change to clients that followed the spec to document the majority of real world implementations. There are three different...
@opencontainers/distribution-spec-maintainers I plan to turn this on today, and it can be disabled if we later discover an issue.
This has been enabled.
> If we know they don't have reference we also know whether they do. @mikebrow Since this is a "MAY", the absence of the header needs to be treated as...
> isn't it more expensive to force all clients to assume existence every time and make the extra referrers requests? It's very expensive and will be at least half of the...