descriptor: MUST URIs and SHOULD http(s) for descriptor's 'urls' #442
Conversation
|
Seems fine to me |
|
I can also add a link to RFC 7540 §3 if folks want to see HTTP/2 punting to HTTP/1.1 on this (although HTTP/2's |
| @@ -34,9 +34,11 @@ The following fields contain the primary properties that constitute a Descriptor | |||
| This property exists so that a client will have an expected size for the content before processing. | |||
| If the length of the retrieved content does not match the specified length, the content SHOULD NOT be trusted. | |||
|
|
|||
| - **`urls`** *array* | |||
| - **`urls`** *array of strings* | |||
There was a problem hiding this comment.
this change doesn't belong to this PR, as https://github.com/opencontainers/image-spec/blob/master/manifest.md#image-manifest-property-descriptions still says just array, please drop this change
The in-flight opencontainers#431 is using JSON Schema's uri format [1], which requires RFC 3986. This commit makes that an official spec requirement by adding a MUST to the Markdown. It also SHOULDs the http(s) schemes, because they're widely supported and are deployed in existing Docker images. And Vincent and Antonio both like SHOULDing them [2] ;). [1]: https://tools.ietf.org/html/draft-wright-json-schema-validation-00#section-7.3.6 [2]: opencontainers#436 Signed-off-by: W. Trevor King <wking@tremily.us>
wking
force-pushed
the
descriptor-url-specifics
branch
from
8729ba4
to
876489a
Compare
|
LGTM |
1 similar comment
|
LGTM |
| This OPTIONAL property specifies a list of URLs from which this object MAY be downloaded. | ||
| This OPTIONAL property specifies a list of URIs from which this object MAY be downloaded. | ||
| Each entry MUST conform to [RFC 3986][rfc3986]. | ||
| Entries SHOULD use the `http` and `https` schemes, as defined in [RFC 7230][rfc7230-s2.7]. |
There was a problem hiding this comment.
should https only would be nicer :-)
There was a problem hiding this comment.
There's no danger of using a maliciously substituted blob, because you'll hash it when you get it. Using HTTP just means detecting that sort of denial of service is more expensive. And it means packet sniffers can see what you're asking for. I expect there are situations where both of those are acceptable risks.
The in-flight #431 is using JSON Schema's
uriformat, which requires RFC 3986. This commit makes that an official spec requirement by adding a MUST to the Markdown. It also SHOULDs the http(s) schemes, because they're widely supported and are deployed in existing Docker images. And @vbatts and @runcom both like SHOULDing them ;).Fixes #436.