docs: initial design proposal #14
Signed-off-by: Jennifer Power <[email protected]>
docs: updates terminology and simplifies message
Signed-off-by: Jennifer Power <[email protected]>
a561af2 to 8c85395
@afflom @sabre1041 PTAL. The intention of this PR is to serve as a jumping-off point and allow this to receive and incorporate feedback. Please let me know if this would be preferred in a GitHub Discussion rather than a PR. This also might be a good opportunity to come up with a proposal template for updates. I could create a follow-on PR for a way to propose enhancements.
afflom
left a comment
Great proposal. I dig it.
|
|
||
| The purpose of the Emporous initiative is to create a scalable cross-content correlation framework that enhances the traceability of decentralized software artifacts. | ||
|
|
||
| # Workflow and Critical User Journeys |
Is it worth mentioning that the CLI is the reference implementation of the Emporous client library? (More than one way to interact with the Emporous client)
| On the client side, scoping queries to namespaces and repositories will be supported. | ||
| ## CLI/Client Libraries | ||
| We have existing CLI and library code bases that manage single and linked artifacts. These will continue to be used to publish single artifacts and manage local storage. The CLI/libraries will be extended to interface with the proposed API changes. | ||
| ## Service Layer |
Can we refer to this as an optional component? Or if a smart proxy is unavailable, will the client instantiate its own local "service layer"?
Even if the service is running on a user's machine it is still a running service and is still acting as a gateway between the client and registry. Is there a better way this could be conveyed in your opinion? I do not believe this functionality to be optional.
| The attribute query endpoint can be used to automate building applications from existing artifacts. The endpoint will resolve an attribute query to an index manifest of matching descriptors that can be used for artifact publishing. | ||
|
|
||
| To enable efficiency in this workflow, it would be best practice to only publish one component or file per artifact. | ||
| However, if an artifact is published with more than one file, the Emporous client will allow attribute filtering on individual artifacts. |
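Review bot: In the last line, the condition is an artifact "published with more than one file", but the stated result is filtering "on individual artifacts", which leaves the unit being filtered unclear. If the intent is to select among the files inside one artifact, suggest saying so directly, for example "attribute filtering on the individual files within that artifact", and keeping "artifact" for the published unit as in the preceding line.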
I posit that an artifact is a blob + metadata. So, are we filtering a singular blob reference within a manifest that has multiple blob references?
The use of artifact throughout this document refers to an OCI artifact (there is an entry in the glossary for this). I would consider an entry for a blob + metadata to be a descriptor. Does this add any clarification?
| To enable efficiency in this workflow, it would be best practice to only publish one component or file per artifact. | ||
| However, if an artifact is published with more than one file, the Emporous client will allow attribute filtering on individual artifacts. | ||
|
|
||
| ### Search Domains |
I think that the concept of trusted domains is important to this section. From prior discussions, we have identified at least two zones present within a search domain: trusted and untrusted. A trusted zone is a registry that has been explicitly added to the user's search domain. The untrusted zone pertains to registries discovered via links published within the trusted zone.
If my use of the words trusted and untrusted is problematic, please disregard my words and use synonyms.
This might also be important to discovered pURL references.
I agree with adding something to convey the zones. I think we can use the word "discovered" for registries that have artifacts that satisfy the query, but are not specified by the user. Thoughts?
| } | ||
| ``` | ||
|
|
||
| ### Signatures |
I think that a signature being a searchable attribute is relevant to this discussion.
i.e. "A compromised key was used to sign content. Show all content signed by that key"
Co-authored-by: Alex Flom <[email protected]>
…ce section Signed-off-by: Jennifer Power <[email protected]>
…ignatures Signed-off-by: Jennifer Power <[email protected]>
Recommend discussion on community call, added to 2023-02-01 agenda.
Converting to a draft, just to keep it from being merged into this repo until we find the correct place for it.
High level design document or approach
TODO: Add high level architecture diagram.
Signed-off-by: Jennifer Power [email protected]