Artifacts: RC1 (Reference Type Support)

[SteveLasker]

To support Notary v2 Signatures, and other supply chain artifacts like SBoMs which are associated with a target artifact, registries will need to support reference types.

Timing

To support a Fall 2021 release, RC1 will be a time and quality based release, with the core capabilities supporting reference types. Additional capabilities will come online in RC2 and further releases.

Scope

This item captures the output of the Working Group for Reference Types as a dependency for Notary v2 signatures and content stores.

Reference Type RC1 is a dependency of Notary v2 RC1.

Reference Type RC1 will support

1. persistence of an artifact, declaring the other artifacts (manifests) it depends upon
2. discovery of artifacts being referenced by a target artifact. (example: the list of signatures and any SBoMs which refer to the net-monitor:v1 image
3. content lifecycle, enabling clear end-user understanding for the lifecycle of content as artifacts are deleted, and garbage collection is managed.

The manifest and scope of capabilities will be limited to what's needed for 2021. This is currently tracked in OCI artifact manifest #29
In RC2, we'll have time to support the broader set of scenarios, for enhanced versioning. This is currently tracked in WIP generic object spec #37

RC1 will attempt to incorporate as much from PR #37 as possible. However, we'll shoot for the simplicity and stability of the core requirements for RC1.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.

[github-actions]

This issue was closed because it has been stalled for 30 days with no activity.