Explicitly recommend content digest information #556
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
burgerdev
requested review from
dmcgowan,
jzelinskie,
jonjohnsonjr,
jdolitsky,
mikebrow,
stevvooe and
sudo-bmitch
as code owners
rchincha
approved these changes
Oct 24, 2024
sajayantony
approved these changes
Oct 24, 2024
dmcgowan
reviewed
Oct 24, 2024
dmcgowan
reviewed
Oct 24, 2024
sudo-bmitch
requested changes
Oct 25, 2024
|
Thanks for the suggestions, @sudo-bmitch, and sorry for the delay. I'm happy with the change now, wdyt? |
The changes LGTM. Please squash the commits and I'll kick off the CI. @burgerdev |
The spec mandated only the verification of digests in the response headers, not the requested digests. That allowed conformant clients not to validate content at all, leaving the users of these clients exposed to accidental or malicious bad content. This commit adds a "SHOULD verify" clause to the blob and manifest pull sections. It's not a MUST to keep it somewhat backwards compatible with requirements of 1.1 and prior, but it's not a MAY to convey that "the full implications should be understood and the case carefully weighed" (description in RFC 2119) for a client not to verify digests. This commit also aligns the recommendations for server-returned digests between manifest and blob - now both can be ignored, but must be verified if used. Fixes: opencontainers#549 Co-authored-by: Brandon Mitchell <[email protected]> Signed-off-by: Markus Rudy <[email protected]>
burgerdev
force-pushed
the
require-digest-verification
branch
from
d9cc775 to
24084d4
Compare
sudo-bmitch
approved these changes
Dec 11, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The spec mandated only the verification of digests in the response headers, not the requested digests. That allowed conformant clients not to validate content at all, leaving the users of these clients exposed to accidental or malicious bad content.
This commit adds a "SHOULD verify" clause to the blob and manifest pull sections. It's not a MUST to keep it somewhat backwards compatible with requirements of 1.1 and prior, but it's not a MAY to convey that "the full implications should be understood and the case carefully weighed" (description in RFC 2119) for a client not to verify digests.
Fixes: #549
cc @sudo-bmitch