For a client to verify a fetch, it must read a potentially unbounded amount of data in order to verify it matches the sha256 digest. If the trusted metadata is the 2-tuple (size, sha256) then a client can error out if the remote gives it more than size bytes. For OCI/Docker containers, the metadata today includes both. In ostree, it doesn't, and I regret it.

Thanks, that's useful to know. From a D-Bus API point of view we return an a{sv} so it's easy enough to add. From a requesting-using-a-uri point of view it's harder, although maybe we can redirect with ? parameters. I'll ponder, thanks.