spec: update to image-spec v1.1.1 #630

Merged
cyphar merged 11 commits into opencontainers:main from cyphar:image-spec-1.1
Oct 3, 2025

@cyphar cyphar commented Oct 1, 2025

Fixes #455
Closes #565
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

@cyphar cyphar added this to the 0.6.0 milestone Oct 1, 2025
codecov-commenter commented Oct 1, 2025

Codecov Report

❌ Patch coverage is 89.13043% with 10 lines in your changes missing coverage. Please review.
✅ Project coverage is 72.89%. Comparing base (5be7a47) to head (9726fba).
⚠️ Report is 94 commits behind head on main.

Files with missing lines Patch % Lines
mutate/mutate.go 73.33% 3 Missing and 1 partial ⚠️
oci/casext/mediatype/parse.go 85.00% 2 Missing and 1 partial ⚠️
oci/casext/verified_blob.go 85.00% 2 Missing and 1 partial ⚠️
@@            Coverage Diff             @@
##             main     #630      +/-   ##
==========================================
+ Coverage   72.74%   72.89%   +0.14%     
==========================================
  Files          70       71       +1     
  Lines        6002     6164     +162     
==========================================
+ Hits         4366     4493     +127     
- Misses       1188     1213      +25     
- Partials      448      458      +10     
Files with missing lines Coverage Δ
cmd/umoci/config.go 71.94% <100.00%> (+0.25%) ⬆️
cmd/umoci/utils_ux.go 94.27% <100.00%> (+2.60%) ⬆️
internal/assert/assert.go 100.00% <100.00%> (ø)
internal/funchelpers/verify_error.go 100.00% <100.00%> (+22.22%) ⬆️
internal/testhelpers/testhelpers.go 100.00% <100.00%> (+40.00%) ⬆️
oci/cas/dir/dir.go 60.57% <ø> (ø)
oci/casext/blob.go 86.66% <100.00%> (+17.61%) ⬆️
oci/casext/blobcompress/algo.go 100.00% <100.00%> (+10.52%) ⬆️
oci/casext/walk.go 74.71% <100.00%> (+3.92%) ⬆️
oci/layer/unpack.go 59.16% <100.00%> (ø)
... and 3 more

... and 1 file with indirect coverage changes

@cyphar cyphar force-pushed the image-spec-1.1 branch 2 times, most recently from 92c0532 to 36c79e3 Compare October 2, 2025 06:49
@cyphar cyphar force-pushed the image-spec-1.1 branch 2 times, most recently from 0743e02 to a4a6ce6 Compare October 2, 2025 07:44
cyphar added 7 commits October 3, 2025 17:07
This new assertion package originally comes from pathrs-lite
(filepath-securejoin) but as the sole copyright holder, SUSE hereby
sublicences this version as Apache-2.0 so it can be used with umoci.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

The sanity check for Blob.RawData really should verify that the data is
the correct size, as opposed to just >0. In addition, this is a
programmer error and so should cause a panic.

Fixes: 4a02437 ("casext: provide raw blob data when fetching parsable blobs")
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

This lets us have nice snapshot tests for fields that aren't going to be
used on the kinds of images we can use in our integration tests (such as
the Windows-specific fields).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

When rewriting the DescriptorPath, we would previously only modify
descriptors that exactly match our old descriptor and replace all of the
fields.

This is less than ideal -- in principle we want to replace all
descriptors that have the same digest, but without clearing any fields
(to avoid clearing annotations from descriptors that have extra
annotations which is conceivable).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

There were a few build failures related to the embedding of the
ispec.Platform struct, as well as some lint errors due to some fields being
marked as deprecated.

In addition, add some new snapshot tests for pretty-printing the new
examples in the spec. As we do not yet support pretty-printing this
data, these tests will be adjusted in a future patch in this series when
we add support for it.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

These are fairly straight-forward, the only notable thing is that we
have a minimal xxd(1) implementation to pretty-print the embedded data
in descriptors.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar force-pushed the image-spec-1.1 branch 2 times, most recently from 7847e5c to 7c4cde1 Compare October 3, 2025 10:58
cyphar added 3 commits October 3, 2025 21:01
The logic for reading is fairly straight-forward -- we replace the
VerifiedReadCloser with a pre-verified bytes.Buffer.

There are only a few notable other changes needed:

 * Our hardening integration tests needed to be modified -- some images
   have started to use embedded descriptor data for some blobs (such as
   the config blob), which makes modifying the on-disk blobs no longer
   fail to validate (as we do not try to read from the on-disk blob in
   that case).

 * The DescriptorPath updating in the image mutator needs to clear
   embedded data from existing descriptors, otherwise we will end up
   with descriptors that have new digests but old embedded data. Ideally
   we would re-generate it, but we can do this in the future when we
   add more general write support for embedded descriptor data.

This patch does not add support for creating these kinds of descriptors,
that is left for a future patch.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

While this is a fairly hypothetical problem, the spec explicitly defines
what "application/vnd.oci.empty.v1+json" should look like and so we
should validate it.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
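
The two commit messages above describe treating embedded descriptor data as pre-verified bytes, clearing it when a descriptor is rewritten, and validating the `application/vnd.oci.empty.v1+json` content. The following Go sketch is an added illustration, not umoci's code: `Descriptor`, `VerifiedEmbeddedData`, `Retarget` and `digestOf` are hypothetical names, and it assumes SHA-256 digests only.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Descriptor is a constructed stand-in for an OCI descriptor, not umoci's type.
type Descriptor struct {
	MediaType, Digest string
	Size              int64
	Data              []byte // embedded copy of the blob; nil when absent
}

const emptyJSONMediaType = "application/vnd.oci.empty.v1+json"

var ErrNoEmbeddedData = errors.New("descriptor has no embedded data")

func digestOf(b []byte) string {
	sum := sha256.Sum256(b)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// VerifiedEmbeddedData returns d.Data only after it passes the size and digest checks.
func VerifiedEmbeddedData(d Descriptor) ([]byte, error) {
	switch {
	case d.Data == nil:
		return nil, ErrNoEmbeddedData // caller falls back to the on-disk blob
	case int64(len(d.Data)) != d.Size:
		return nil, fmt.Errorf("embedded data is %d bytes, want %d", len(d.Data), d.Size)
	case digestOf(d.Data) != d.Digest:
		return nil, fmt.Errorf("embedded data does not match %s", d.Digest)
	case d.MediaType == emptyJSONMediaType && string(d.Data) != "{}":
		return nil, fmt.Errorf("%s content must be {}", emptyJSONMediaType)
	}
	return d.Data, nil
}

// Retarget points d at a new blob and drops the now-stale embedded data.
func Retarget(d Descriptor, blob []byte) Descriptor {
	d.Digest, d.Size, d.Data = digestOf(blob), int64(len(blob)), nil
	return d
}

func main() {
	blob, stale := []byte(`{"a":1}`), []byte(`{"a":2}`) // constructed samples
	d := Descriptor{"application/vnd.oci.image.config.v1+json", digestOf(blob), 7, stale}
	fmt.Println(VerifiedEmbeddedData(d))
}
```

Because a reader that trusts verified embedded data never opens the on-disk blob, tampering with that blob alone goes unnoticed for such descriptors, which is why the hardening tests mentioned above had to change.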

With the existence of OCI artifacts we should at least provide some
information with "umoci stat" rather than erroring out if we see an
image that has a configuration blob that is non-standard. Other
operations will still fail, of course.

We will still error out if the manifest is invalid -- this is mainly
because the stat code already implicitly requires the top blob to be a
manifest (and our reference resolution logic only targets manifests
currently). Also, even OCI artifacts still use manifests (they were
forced to because of similar issues with registries).

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar merged commit 9402f89 into opencontainers:main Oct 3, 2025
19 checks passed
@cyphar cyphar deleted the image-spec-1.1 branch October 3, 2025 12:02