-
Notifications
You must be signed in to change notification settings - Fork 672
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Manifest list should not be identified by HTTP headers #390
Comments
On Sat, Oct 15, 2016 at 05:09:41PM -0700, Adrian Colley wrote:
“will always discover … by following a descriptor” is too strict the
I think it's less absolute. If you can verify the digest, ignore As an example of the “can't verify the digest” case, you could have an And regardless of how you determine the content type, I'd recommend we |
Yes, @wking is correct. I was wrong when I said that manifests were reached only through Other than the sentence that mentions HTTP headers (quoted above), the spec does not attempt to resolve conflicts between media types, and this is fine. |
As Adrian Colley points out [1], clients may not be aquiring the manifest over HTTP. In most cases, folks will know (from a Content-Type header, a descriptor media type, or other means) what type of blob they're dealing with before they look at the blob. I expect client behavior like [2]: If you can verify the digest, ignore Content-Type (this sounds like what you're suggesting here). If you can't verify the digest, respect the Content-Type and require it to match your expected media type (if any). But in the absence of an HTTP-API spec I don't think we need to talk about this at all. [1]: opencontainers#390 [2]: opencontainers#390 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
On Mon, Oct 17, 2016 at 03:42:10PM -0700, Adrian Colley wrote:
I've filed #392 to drop the line. |
As Adrian Colley points out [1], clients may not be aquiring the manifest over HTTP. In most cases, folks will know (from a Content-Type header, a descriptor media type, or other means) what type of blob they're dealing with before they look at the blob. I expect client behavior like [2]: If you can verify the digest, ignore Content-Type. If you can't verify the digest, respect the Content-Type and require it to match your expected media type (if any). But in the absence of an HTTP-API spec I don't think we need to talk about this at all. [1]: opencontainers#390 [2]: opencontainers#390 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
As Adrian Colley points out [1], clients may not be aquiring the manifest over HTTP. In most cases, folks will know (from a Content-Type header, a descriptor media type, or other means) what type of blob they're dealing with before they look at the blob. I expect client behavior like [2]: If you can verify the digest, ignore Content-Type. If you can't verify the digest, respect the Content-Type and require it to match your expected media type (if any). But in the absence of an HTTP-API spec I don't think we need to talk about this at all. [1]: opencontainers/image-spec#390 [2]: opencontainers/image-spec#390 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
As Adrian Colley points out [1], clients may not be aquiring the manifest over HTTP. In most cases, folks will know (from a Content-Type header, a descriptor media type, or other means) what type of blob they're dealing with before they look at the blob. I expect client behavior like [2]: If you can verify the digest, ignore Content-Type. If you can't verify the digest, respect the Content-Type and require it to match your expected media type (if any). But in the absence of an HTTP-API spec I don't think we need to talk about this at all. [1]: opencontainers/image-spec#390 [2]: opencontainers/image-spec#390 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
As Adrian Colley points out [1], clients may not be aquiring the manifest over HTTP. In most cases, folks will know (from a Content-Type header, a descriptor media type, or other means) what type of blob they're dealing with before they look at the blob. I expect client behavior like [2]: If you can verify the digest, ignore Content-Type. If you can't verify the digest, respect the Content-Type and require it to match your expected media type (if any). But in the absence of an HTTP-API spec I don't think we need to talk about this at all. [1]: opencontainers/image-spec#390 [2]: opencontainers/image-spec#390 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
As Adrian Colley points out [1], clients may not be aquiring the manifest over HTTP. In most cases, folks will know (from a Content-Type header, a descriptor media type, or other means) what type of blob they're dealing with before they look at the blob. I expect client behavior like [2]: If you can verify the digest, ignore Content-Type. If you can't verify the digest, respect the Content-Type and require it to match your expected media type (if any). But in the absence of an HTTP-API spec I don't think we need to talk about this at all. [1]: opencontainers/image-spec#390 [2]: opencontainers/image-spec#390 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
As Adrian Colley points out [1], clients may not be aquiring the manifest over HTTP. In most cases, folks will know (from a Content-Type header, a descriptor media type, or other means) what type of blob they're dealing with before they look at the blob. I expect client behavior like [2]: If you can verify the digest, ignore Content-Type. If you can't verify the digest, respect the Content-Type and require it to match your expected media type (if any). But in the absence of an HTTP-API spec I don't think we need to talk about this at all. [1]: opencontainers/image-spec#390 [2]: opencontainers/image-spec#390 (comment) Signed-off-by: W. Trevor King <wking@tremily.us>
The manifest-list spec says:
This is incorrect. A client will always discover a manifest list by following a descriptor in the
refs/
directory, and the descriptor will state the media type. The media type will unambiguously distinguish manifests from manifest lists. No part of the spec requires obtaining a manifest/manifest list over HTTP.In the event that a manifest list is obtained over HTTP, any mismatch between the
Content-Type
in the HTTP response header and themediaType
in the corresponding descriptor should be resolved in the spec rather than being implementation-defined. I suggest that the descriptor's mediaType should win.The text was updated successfully, but these errors were encountered: