Replies: 9 comments 28 replies
-
Phase 2 Publish ConcernI'm not clear in Phase 2 what the OCI-based publish flow would look like. Is the client authenticating with OCI and attempting to publish the new full log to the tag? If so, how does a registry enforce policy on the upload? Is there a way to interject scanning/policy into commodity OCI registries? |
Beta Was this translation helpful? Give feedback.
-
Some of the greatest value of a component registry, in my option, is the ability to query for a component that implements a given interface. For example, as an application developer that needs to use a key/value store, I would like to ask for each of the components known to the registry that implement the key/value interface. Has there been thought about querying for components that may implement a given interface, and where that might fit into the phases? |
Beta Was this translation helpful? Give feedback.
-
To recap yesterday's (Jan 3, 2024) Registry SIG meeting, We can delay getting agreement on what happens after |
Beta Was this translation helpful? Give feedback.
-
Took a look at the design document for the OCI artifacts, it looks like the manifest format is still being determined? I am mostly interested with how the artifacts will be consumed by the various wasm and container runtimes. I believe some folks from this group are aware/involved; In the CNCF wg-wasm group we have started pulling folks together from across various projects in the eco system to come up with an OCI Artifact format that will work for multiple wasm runtimes and container runtimes because as of now it is a bit fragmented and project specific. Hope someone from Warg effort can join and we can coordinate with the WASM Artifacts format in Warg. |
Beta Was this translation helpful? Give feedback.
-
Just wanted to call out here as well that as you integrate with OCI, let me know if anything is missing from the oci-distribution crate as I am one of the maintainers! Just want to make sure we don't block anything from that side |
Beta Was this translation helpful? Give feedback.
-
I have most of what is described as "Phase 1" code-complete here: https://github.com/lann/warg-loader Included is a basic CLI for listing and fetching packages and a README with brief instructions for testing. |
Beta Was this translation helpful? Give feedback.
-
While there's broad consensus on Phase 1, there's rightfully a lot of concern from SIG-Registries members about Phase 2+. Core ObservationTo start with, I would argue that the most fundamental parts of warg are well understood, essentially complete, and easily justified to stakeholders. e.g.
Some other elements of warg however have never fully been solved, have lots of work left, and are not appealing to all of our stakeholders. These elements have slowed us down and made completion and stability harder to reach. e.g.
Simplifying WargInstead of marking our Warg implementation as a "prototype", simplify it into something that can be ready and stable quickly and solves or avoids unsolved problems.
Changing Phase 2Getting to and stabilizing this simpler version of warg can be our plan for Phase 2. There's no clear deadline for when "Phase 2" needs to happen anyway and if we don't have the resources to implement it, we can pivot to something simpler. So I think being more optimistic with Phase 2 doesn't cost us much. |
Beta Was this translation helpful? Give feedback.
-
Warg-loader Release Criteria ProposalBefore we release/launch/announce |
Beta Was this translation helpful? Give feedback.
-
The prototype and scope of the proposed Going to pose a question, do we want to extend the |
Beta Was this translation helpful? Give feedback.
-
Based on a number of discussions about the best way to get Warg into production, I'd like to propose the following development roadmap:
Existing implementation
The existing implementation will become "the Warg prototype"; code will be ported from the prototype into the new codebase as appropriate.
New implementation
The new implementation will use a phased approach to deliver a minimal subset of Warg's functionality as soon as possible with additional functionality being added in incremental updates while maintaining a high level of quality and stability for consumers.
Phase 1: Warg-on-OCI
This iteration will scale Warg back to a fairly basic versioned package artifact delivery system that requires only an OCI Distribution Spec-compliant registry as infrastructure. The Warg-specific logic will be implemented by a Rust library that exposes a simple interface which can: resolve namespaces to hosts, list versions of a named package, and fetch content for a package version. This should be sufficient to allow downstream consumers like wasm-compose to start using Warg. Package publishing will be via existing OCI tooling like ORAS.
Phase 2: Package Logs
This iteration will add Warg's immutable package logs to the OCI implementation by publishing the full log (on each update) to a specific OCI tag, e.g.
<registry>/<namespace>/<package>:warg-log
. At this phase the log will include just the "publish" and "yank" entries, enabling yanks to be exposed in the Rust library. This will also introduce Warg publishing tooling which will still largely wrap an existing OCI implementation but with the addition of log management. One notable omission at this phase is publisher record signing; the registry operator will still need to be fully trusted at this point.Phase 3: Registry Logs (Package Transparency)
This phase will add the mechanisms necessary to audit the operation of a registry via verifiable logs covering the state of the registry over time. This will be the first phase where custom infrastructure may be required, though we may want to re-evaluate e.g. Sigstore's Rekor for this.
Further Features
At this point there will be several features that should be available to implement in any order or in parallel based on consumer feedback and interest:
Beta Was this translation helpful? Give feedback.
All reactions