identify objects by size too
cgwalters opened this issue · comments
Colin Walters commented
For a client to verify a fetch, it must read a potentially unbounded amount of data in order to verify it matches the sha256 digest. If the trusted metadata is the 2-tuple (size, sha256)
then a client can error out if the remote gives it more than size
bytes. For OCI/Docker containers, the metadata today includes both. In ostree, it doesn't, and I regret it.
Richard Hughes commented
Thanks, that's useful to know. From a D-Bus API point of view we return an a{sv}
so it's easy enough to add. From a requesting-using-a-uri point of view it's harder, although maybe we can redirect with ?
parameters. I'll ponder, thanks.