oras-project/artifacts-spec

Referrers API should return a list of descriptors, not full manifests

Closed this issue · 2 comments

The current proposed referrers API returns the full manifest of each artifact. This will cause scaling issues, especially as registries add support for the data field in the manifest which would allow a manifest to contain full blobs in the manifest JSON. I also believe that it complicates the registry implementations because it means that the API now returns 2 types of information -- metadata about the reference relationship AND the full manifest of each reference. This may cause issues for registry operators if they need/want to authorize those operations separately or if that data is stored in two separate locations.

I've put together a doc comparing the existing proposal with the changes I'm proposing to return descriptors instead. I will follow this issue with a PR changing the API to a list of descriptors.

https://hackmd.io/83xqSoc6S8-PJI67vVC_0g?view

After conversation with @mnltejaswini @avtakkar - I think the current manifest actually does make sense in my opinion since it's optional. The one change we were really considering is removing all property hoisting due to encryption and indexing requirements and clients can decode the manifest and validate the digest.
https://gist.github.com/aviral26/ca4b0c1989fd978e74be75cbf3f3ea92

Whether it lands on data or payload to avoid delaying on OCI is something this project and extension for distribution can choose.

To help frame the conversation, I've added a discussion: Artifact-spec referrers/ API Response
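
Added example, not part of the original thread or the artifacts-spec project: a client-side check for the descriptor-based response discussed above, where each referrer's manifest is fetched separately and accepted only if its raw bytes match the descriptor's size and digest. It assumes OCI-style descriptors (`mediaType`, `digest`, `size`); the `fetch` callable, the `max_size` limit and the sample manifest are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample body. The digest covers the exact bytes served,
# not the parsed JSON, so verification must run before decoding.
SAMPLE_MANIFEST = b'{"mediaType":"application/example.manifest+json","blobs":[]}'

def make_descriptor(media_type, body):
    """Build an OCI-style descriptor for constructed test data."""
    return {"mediaType": media_type,
            "digest": "sha256:" + hashlib.sha256(body).hexdigest(),
            "size": len(body)}

def verify_against_descriptor(descriptor, body, max_size=4 * 1024 * 1024):
    """Return the parsed manifest only if body matches the descriptor."""
    size = descriptor.get("size")
    # Reject before hashing: a manifest carrying embedded blob data can be
    # large, so the client enforces its own ceiling (assumed 4 MiB here).
    if isinstance(size, bool) or not isinstance(size, int) or not 0 <= size <= max_size:
        raise ValueError("descriptor size missing or above client limit")
    if len(body) != size:
        raise ValueError("size mismatch")
    algorithm, sep, expected = str(descriptor.get("digest", "")).partition(":")
    if not sep or algorithm != "sha256":
        raise ValueError("unsupported digest algorithm")
    actual = hashlib.sha256(body).hexdigest()
    if not hmac.compare_digest(actual.encode(), expected.encode()):
        raise ValueError("digest mismatch")
    return json.loads(body)

def resolve_referrers(descriptors, fetch):
    """Fetch and verify each referrer; `fetch(digest) -> bytes` is hypothetical."""
    verified, rejected = [], []
    for d in descriptors:
        try:
            verified.append(verify_against_descriptor(d, fetch(d["digest"])))
        except (ValueError, KeyError) as exc:
            rejected.append((d.get("digest"), str(exc)))
    return verified, rejected
```
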