21:59:34 #startmeeting 2019-02-27 discussion 21:59:35 Meeting started Wed Feb 27 21:59:34 2019 UTC. The chair is vbatts|work. Information about MeetBot at http://wiki.debian.org/MeetBot. 21:59:35 Useful Commands: #action #agreed #help #info #idea #link #topic. 21:59:35 The meeting name has been set to '2019_02_27_discussion' 22:04:28 #topic [org] contribution workflow 22:04:33 #link https://github.com/opencontainers/org/pull/6 22:08:05 22:12:01 split the PR into two things: 1) move the CoC and security; 2) the web render for contributions 22:21:18 https://help.github.com/en/articles/adding-a-code-of-conduct-to-your-project 22:25:28 #topic what's needed for distribution-spec v1? (lasker) 22:25:56 search could be one of those things. But could be added later. 22:27:14 process for registering media-types 22:29:01 annotations are okay for _optional_ metadata 22:29:41 but this is not suitable for scanners that need required/expected information to determine the artifact type 22:31:32 https://github.com/SteveLasker/RegistryArtifactTypes/blob/master/mediaTypes.md 22:33:24 [notice] let it be known that lasker is the first sucessful screen share on uberconference. Also, not using a linux host (_windows_) 22:36:19 https://github.com/opencontainers/image-spec/blob/master/media-types.md 22:39:12 application/vnd.oci.image.ext.* 22:40:52 new challenge for cyphar when it's morning his time: wire up uberconf chat window to matrix to IRC to Slack and back 😂 22:41:03 estesp[m]: lol yes 22:41:31 don't cross the streams 22:46:54 #link https://github.com/SteveLasker/RegistryArtifactTypes/blob/master/mediaTypeMappings.json 22:51:07 vbatts likes the idea of a handshake where mediatypes are shared from the server so the client can decide. 22:52:05 what the server exports doesn't _have_ to be the exclusive set, but maybe there could be a boolean saying the server side does do blacklist/whitelist 22:52:21 error codes need to be clear 22:52:32 this approach does not break backwards compat 22:53:13 agree... 22:54:16 Couldn't registries having (or not having support) for a particular media type be used for some malicious entity looking for registries not updated? 22:54:26 Like Wordpress putting the version string on the login page? 22:56:21 +1! 22:56:44 I'm not too sure if it would or wouldn't. To me it sounds a lot like associating human-readable names for a given file extension. `application/vnd.oci.image.config.v1+json` is to Docker as `.tar.gz` is to Tarballs 22:58:27 #link https://github.com/opencontainers/distribution-spec/issues/58 22:59:23 atlas and lasker: the image-index is not quite useful 22:59:25 #link https://github.com/opencontainers/image-spec/blob/master/image-index.md 23:00:04 #TooManySlack 23:00:10 lol 23:00:17 #SlackOverflow 23:00:24 xD 23:00:35 As an end user of registries (and someone running one) I can get behind this approach of not trying to define it too strictly and just allowing each repo maintainer to decide when/how/what they support as long as they have a way to identify what type of image that artifact represents via the media types.. and just notify (error response) on unsupported. 23:02:29 yes please on some sort of proposal approach/framework.. gives us a place to rally specific discussions around. 23:03:00 #topic weekly meetings? (atlas) 23:03:49 vbatts|work: I know everyone has too many meeting, though i think that may be helpful here and keep progress rolling. 23:04:45 vbatts|work: also, having a proposal workflow like a write-up (markdown or google doc) where comments and conversation can more directly track across mailing-list, slack, etc. 23:05:44 #endmeeting