-
Notifications
You must be signed in to change notification settings - Fork 187
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ensure OCI artifacts are handled strictly by digest #1245
Comments
We could make |
#1244 will changed some of the underlying code, but this flow remains intact. |
Exactly! I would also want to check how artifacts are stored as well, as I'm not familiar with that part yet. |
Flux has an internal artifact format common to all source types which is a gzip tarball with stripped file header info. The digest of a Flux artifact is advertised in |
Currently artifact revision (i.e. digest) is obtain here:
source-controller/internal/controller/ocirepository_controller.go
Lines 392 to 393 in 53ee3a3
It is also observed as a condition here:
source-controller/internal/controller/ocirepository_controller.go
Lines 408 to 417 in 53ee3a3
However, verification and fetching is only done by URL, and it's possible there is an update in registry in between all of these calls:
source-controller/internal/controller/ocirepository_controller.go
Line 431 in 53ee3a3
source-controller/internal/controller/ocirepository_controller.go
Lines 455 to 456 in 53ee3a3
There maybe other race coditions. It will be easy enough to address this and reinfoce use of the same digest for all of the registry API calls.
The text was updated successfully, but these errors were encountered: