-
Notifications
You must be signed in to change notification settings - Fork 638
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
descriptor: MUST URIs and SHOULD http(s) for descriptor's 'urls' #442
Conversation
Seems fine to me |
I can also add a link to RFC 7540 §3 if folks want to see HTTP/2 punting to HTTP/1.1 on this (although HTTP/2's |
@@ -34,9 +34,11 @@ The following fields contain the primary properties that constitute a Descriptor | |||
This property exists so that a client will have an expected size for the content before processing. | |||
If the length of the retrieved content does not match the specified length, the content SHOULD NOT be trusted. | |||
|
|||
- **`urls`** *array* | |||
- **`urls`** *array of strings* |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this change doesn't belong to this PR, as https://github.com/opencontainers/image-spec/blob/master/manifest.md#image-manifest-property-descriptions still says just array
, please drop this change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The in-flight opencontainers#431 is using JSON Schema's uri format [1], which requires RFC 3986. This commit makes that an official spec requirement by adding a MUST to the Markdown. It also SHOULDs the http(s) schemes, because they're widely supported and are deployed in existing Docker images. And Vincent and Antonio both like SHOULDing them [2] ;). [1]: https://tools.ietf.org/html/draft-wright-json-schema-validation-00#section-7.3.6 [2]: opencontainers#436 Signed-off-by: W. Trevor King <wking@tremily.us>
8729ba4
to
876489a
Compare
1 similar comment
This OPTIONAL property specifies a list of URLs from which this object MAY be downloaded. | ||
This OPTIONAL property specifies a list of URIs from which this object MAY be downloaded. | ||
Each entry MUST conform to [RFC 3986][rfc3986]. | ||
Entries SHOULD use the `http` and `https` schemes, as defined in [RFC 7230][rfc7230-s2.7]. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should https only would be nicer :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's no danger of using a maliciously substituted blob, because you'll hash it when you get it. Using HTTP just means detecting that sort of denial of service is more expensive. And it means packet sniffers can see what you're asking for. I expect there are situations where both of those are acceptable risks.
The in-flight #431 is using JSON Schema's
uri
format, which requires RFC 3986. This commit makes that an official spec requirement by adding a MUST to the Markdown. It also SHOULDs the http(s) schemes, because they're widely supported and are deployed in existing Docker images. And @vbatts and @runcom both like SHOULDing them ;).Fixes #436.