I don't know if I'm doing anything wrong, but I've used oras.WithManifestAnnotations() to push my artefact with some metadata, that worked well because if I curl the repo directly I see it there:

$ curl -sL -u"user:pass" https://my-repo/v2/oso-plugins/manifests/oso-legacy | jq .
{
  "schemaVersion": 2,
  "config": {
    "mediaType": "application/vnd.unknown.config.v1+json",
    "digest": "sha256:44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a",
    "size": 2
  },
  "layers": [
    {
      "mediaType": "application/vnd.oci.image.layer.v1.tar",
      "digest": "sha256:8e985dc2c81bd5e8bfafb2858b9a9cb420c02a29d5a96f32eb00f5850556410a",
      "size": 755,
      "annotations": {
        "hook": "chmod +x ~/.oso/bin/oso-legacy",
        "org.opencontainers.image.title": "oso-legacy"
      }
    }
  ],
  "annotations": {
    "caveats": "to get auto-completions do this...",
    "description": "a bridge to the past",
    "shortDescription": "a plugin"
  }
}

But then when I pull it using desc, artefacts, err := oras.Pull(...) I can loop through the artefacts and get the annotations from each of them, but desc.Annotations is empty...

The result of fmt.Println(desc.Annotations) is:

Annotations: map[]

This is the minimum viable product for the recursive copy/discover. I restored some files that were removed for pkg/oras/copy.go namely pull.go, since it has the semantics I'm looking for in this implementation, and added back the ProviderIngester interface.

Signed-off-by: Julius Liu [email protected]

Hello,

I have been working on a project using the oras client (v2) against a repository hosted on ECR. We are storing an artifact with quite a lot of individual items (431 layers on the final manifest), which seems to cause ECR to chunk the response:

# REPO contains the API of the target repository, private in this case
❯ curl -X GET -I --user "AWS:$(aws ecr get-login-password)" "${REPO}/manifests/latest"
HTTP/1.1 200 OK
Content-Type: application/vnd.oci.image.manifest.v1+json
Docker-Distribution-Api-Version: registry/2.0
Sizes:
Date: Fri, 23 Sep 2022 09:14:00 GMT
Transfer-Encoding: chunked

The library currently explicitly checks for net/http.Response.ContentLength when validating the response, which is for these cases -1 and errors out: GET "${REPO}/manifests/latest": unknown response Content-Length, coming from registry/remote/repository.go

I tried to replicate the behavior with the open source registry image, but even with a manifest with >10000 layers it responds non-chunked, so this might unfortunately be a bit annoying to replicate fully locally.

This is an implementation of the "copy API". It solves several outstanding issues with the oras go library, with the intent of making it easier to work with, easier to understand, and more flexible.

• Instead of Push and Pull, there is a single func Copy(). You copy from a ref in one Target to a ref (which may be the same as the first) in another Target
• Target is suspiciously like remotes.Resolver because, as of now, that is precisely what it is. That is likely to change going forward

This makes the interface much simpler to use and understand.

This also opens possibilities like using different URLs or different authentication for different targets. You treat a local bunch of files as a target (from or to) just like a remote registry. Memory, file, registry, oci layout, all are just targets.

The directory examples/advanced/ contains some good examples of how this is used.

Currently, we have an UpEdges method which returns the nodes directly pointing to the current node, and a DownEdges method which returns the nodes directly pointed by the current node. However, the UpEdges / DownEdges names may not be appropriate, and we are considering using other names.

The current candidates are:

• UpEdges / DownEdges:
  • Pros: Currently being used.
  • Cons: There is no academic terms for "up edges" and "down edges" of a Directed Acyclic Graph (DAG).
• Referrers / References:
  • Pros: Closer to the domain.
  • Cons: The potential concern is that we have too many things named references.
• Parents / Children:
  • Pros: Straightforward.
  • Cons: DAGs are not trees.

Let's brainstorm for more names and do a vote!

I am trying to decouple dependencies on containerd, to make the oras-go pkg a bit friendlier to take a dependency on. I'm starting on the resolver code since it is in the center of everything. And I plan on working my way towards images next.

For implementing the resolver I am following the oci-spec line by line, hence my notes in http.go (don't want to miss details). For auth, I started out with some basic oauth2 flows so that I can work without having to install docker. I haven't put much thought into anything beyond that just yet.

I have not started debugging this PR, but I'm anxious about getting too far ahead of myself so I wanted to put it up early. I'm pretty happy with the direction it's headed in so far, but I am open to discuss.

This adds the discoverer interface back to the main branch. Some caveats:

• Needed to port over some docker code but plan on removing with my re-tooling work

@sajayantony @shizhMSFT

See https://github.com/oras-project/oras-go/issues/225 for details, but here's the tldr:

% oras pull 080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
Error: GET "https://080565210187.dkr.ecr.us-west-2.amazonaws.com/v2/my.repo/manifests/my.tag": empty response Docker-Content-Digest

The expected outcome (what this PR claims to fix):

% oras pull 080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
Downloading 3cd22ae067a3
Downloaded empty artifact
Pulled 080565210187.dkr.ecr.us-west-2.amazonaws.com/my.repo:my.tag
Digest: sha256:32aef68c20b6f25d69ecbc2f3f98e28f6f6fdacade75ee879459b61f610583f0

Resolves #225

Once we have the least code working, we should update the examples so that people can try themselves.

Examples (originally from @sajayantony 's list):

• [x] Download Manifest
• [x] Download a Blob given the digest
• [x] Put Manifest
• [x] Create manifest with Annotation
• [x] Upload Blob
• [x] Upload Manifest with blob
• [x] Copy Artifact
• [x] Insecure TLS / Plain HTTP
• [ ] HTTP Client Configuration

When using this pattern:

eg, egCtx := errgroup.WithContext(ctx)
for /* ... */ {
	limiter.Acquire(ctx, 1)
	eg.Go(func() error {
		defer limiter.Release(1)
		// ...
		return nil
	})
}
if err := eg.Wait(); err != nil {
	return err
}

If ctx is cancelled then Acquire may return an error, which will then cause Release to panic after it's called more times than the semaphore was successfully acquired.

This change uses the SetLimit functionality which has been added to errgroup.Group and provides a small wrapper around it in the internal/syncutil package to improve the ergonomics of its usage.

Some artifacts(e.g., Windows base images) contain layers whose distribution is restricted by license. When these images are pushed to a registry, restricted artifacts are not included.

For now, oras.Copy and oras.Fetch will fail if the target artifact contains an non-distributable(foreign) layer since the layer blob doesn't exist in the remote registry. We should

1. By default skip blob copying if a layer is non-distributable
2. Provide option to enforce copying a non-distributable layer and follows the foreign link for fetching

Per discussion in the #oras slack channel, we need to enable the dependabot for oras-go v1 branch. It can help to bump up the dependencies for oras-go v1 automatically.

@lucacome Would you be able to help with this configuration?

The OCI layout can be viewed as a simplified local repository, which should also support the equivalence of Referrers API.

Proposal: Let content/oci.Store and content/oci.ReadOnlyStore implement registry.ReferrerFinder.

Given an OCI layout, the current implementation of oras-go has no means to discover content so that users cannot copy or extract any information from the OCI layout unless they know the entry point.

Proposal:

1. Refactor https://github.com/oras-project/oras-go/blob/258bfba7524104a5a76a597184ca0d038f4e3086/registry/repository.go#L51-L66 of the registry.Repository interface as TagFinder.
2. Let content/oci.Store and content/oci.ReadOnlyStore implement TagFinder.

Hi team @oras-project/oras-go-maintainers ,

Considering ORAS-go v2 is still experimental, ORAS-go v1 is stable and will be maintained by the ORAS community until ORAS v2 GA.

Currently, ORAS-go v1 is not under active development, the ORAS community might only cut new releases to include necessary bug fixes.

There were four PRs merged since the ORAS-go 1.2.1 release:

Meanwhile, @lucacome also requested a new patch release of v1. So I want to request a new release v1.2.2.

We need at least 4 approvals from 6 @oras-project/oras-go-maintainers to vote for releasing and cutting the tag v1.2.1 based on the v1 branch.

• [ ] Avi Deitcher (@deitch)
• [x] Josh Dolitsky (@jdolitsky)
• [ ] Sajay Antony (@sajayantony)
• [x] Shiwei Zhang (@shizhMSFT)
• [x] Steve Lasker (@stevelasker)
• [ ] Sylvia Lei (@Wwwsylvia)

Please respond LGTM or REJECT (with reasoning).

Such as https://github.com/oras-project/oras-go/blob/7dcd0973b194e89a51ac02bec91354fcba1f881a/README.md?plain=1#L29 and https://github.com/oras-project/oras-go/blob/7dcd0973b194e89a51ac02bec91354fcba1f881a/README.md?plain=1#L41-L44