Miloslav Trmač

Results 765 comments of Miloslav Trmač

FWIW c/image ≥ 5.22.0 is rather more tolerant of unknown MIME types. That should show up in Podman soon, currently there is https://github.com/containers/podman/releases/tag/v4.2.0-rc3 . I’m afraid I can’t now spare...

OTOH this goes against the idea of isolating containers from the system. A common unprivileged container has no business knowing where on the host its files are located (or even...

At least in one implementation an image (config) digest directly points to a node path `/var/lib/containers/storage/overlay-images/$digest/`, and the container ID directly points to a `/var/lib/containers/storage/overlay-containers/$digest`. Of course actually _exploiting_ that...

> Of course actually _exploiting_ that would require a sandbox breakout, but it’s a piece of the puzzle. Compare https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r where an attacker benefits from knowing the pod ID in...

I think it is very valuable to have end-to-end integrity and authorship guarantees, so I was thinking more along the lines of finding ways to deliver the existing signatures by...

Tracking who brought the data in might be useful, but that aspect is not unique to Notary (if this is something that needs to be tracked, the same problem needs...

`GetBlobAt` is not for “resumable” pulling, that’s specifically for the `zstd-chunked` format (pulling only the changed files, essentially). Pulls are only retried at the image granularity (but any correctly-pulled layer...

@justadogistaken I mean… what problem are you _actually trying to solve_, if any? If you want to see how the implementation works just for a survey or something, the code...

> Since we build the manifest from scratch whenever we commit an image, we shouldn't be producing manifests that mark layers with types from different specs

This is not just...

> We have images built with Kaniko that can be run by Podman 3.3.1 on CentOS Stream 8, but not pushed to another registry because of this.

Yes, that’s the...