Skip to content

oci: permit zstd-compressed layers#127

Open
cyphar wants to merge 1 commit intodocker-library:mainfrom
cyphar:zstd
Open

oci: permit zstd-compressed layers#127
cyphar wants to merge 1 commit intodocker-library:mainfrom
cyphar:zstd

Conversation

@cyphar
Copy link

@cyphar cyphar commented Aug 18, 2025

Support for this was added back in v1.1.0, and we have started to see
images using ZStandard compression.

Signed-off-by: Aleksa Sarai cyphar@cyphar.com

@cyphar
oci: permit zstd-compressed layers
4d344c7 
Support for this was added back in v1.1.0, and we have started to see
images using ZStandard compression.

Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
@cyphar cyphar requested a review from a team as a code owner August 18, 2025 17:18
@tianon
Copy link
Member

tianon commented Aug 18, 2025

I'll echo my thoughts from docker-library/official-images#17720 - namely that I don't think we'll be using it any time soon in DOI. I'd maybe be open to allowing this to be validated in a way that's optional and opt-in by default, but we are explicitly and intentionally opinionated in our validation here (because our primary use case for this validation is ensuring that our own output matches our expectations).

I'll take a closer look later and see if there's a clean way I'd be willing to have that plumbed through from the higher-level validation functions.

@tianon tianon mentioned this pull request Aug 18, 2025
Open
@tianon
Copy link
Member

tianon commented Aug 18, 2025

I'll take a closer look later and see if there's a clean way I'd be willing to have that plumbed through from the higher-level validation functions.

I'm not 100% sold (on either maintaining this or this specific implementation), but maybe something like this:

diff --git a/oci.jq b/oci.jq
index 7b9794e..4e1f1eb 100644
--- a/oci.jq
+++ b/oci.jq
@@ -133,6 +133,7 @@ def media_type_oci_image: "application/vnd.oci.image.manifest.v1+json";
 def media_type_oci_config: "application/vnd.oci.image.config.v1+json";
 def media_type_oci_layer: "application/vnd.oci.image.layer.v1.tar";
 def media_type_oci_layer_gzip: media_type_oci_layer + "+gzip";
+def media_type_oci_layer_zstd: media_type_oci_layer + "+zstd";
 
 # https://github.com/distribution/distribution/blob/v3.0.0/docs/content/spec/manifest-v2-2.md#media-types
 def media_type_dockerv2_list: "application/vnd.docker.distribution.manifest.list.v2+json";
@@ -322,7 +323,12 @@ def validate_oci_image($opt):
 				empty # trailing comma
 			)
 		else
-			validate_IN(.mediaType; media_types_layer)
+			validate_IN(.mediaType;
+				media_types_layer,
+				if $opt.allowZstdLayers then
+					media_type_oci_layer_zstd
+				else empty end
+			)
 		end
 		| validate_IN(.artifactType; null)
 	)

Which would be used something like:

validate_oci_image({ allowZstdLayers: true })

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cyphar @tianon