oras-project · TerryHowe · Jun 7, 2024 · Jun 6, 2024
@@ -10,7 +10,7 @@ sidebar_position: 0
 The following languages are currently supported:
 
 - [Go](./go.mdx)
-- [Python](https://oras-project.github.io/oras-py/getting_started/user-guide.html) 
+- [Python](https://oras-project.github.io/oras-py/getting_started/user-guide.html)
 - [Rust](./rust.mdx) (in progress)
 
 ## Unified Experience

@@ -148,7 +148,7 @@ Git has a `-s` command line option to do this automatically:
 If you forgot to do this and have not yet pushed your changes to the remote
 repository, you can amend your commit with the sign-off by running
 
-    git commit --amend -s 
+    git commit --amend -s
 
 ## Pull Request Checklist
 

@@ -16,21 +16,21 @@ sidebar_position: 40
 
 ## Contributor Ladder
 
-Hello! We are excited that you want to learn more about our project contributor ladder! 
-This contributor ladder outlines the different contributor roles within the project, 
-along with the responsibilities and privileges that come with them. 
+Hello! We are excited that you want to learn more about our project contributor ladder!
+This contributor ladder outlines the different contributor roles within the project,
+along with the responsibilities and privileges that come with them.
 Community members generally start at the first levels of the "ladder" and advance up it as their involvement in the project grows.
 Our project members are happy to help you advance along the contributor ladder.
 
-Each of the contributor roles below is organized into three sections. 
-"Responsibilities" are tasks that a contributor is expected to do. 
-"Requirements" are qualifications a person needs to meet to be in that role, 
+Each of the contributor roles below is organized into three sections.
+"Responsibilities" are tasks that a contributor is expected to do.
+"Requirements" are qualifications a person needs to meet to be in that role,
 and "Privileges" are rights contributors on that level are entitled to.
 
 ### Contributor
-A Contributor directly adds value to the project. 
-Contributions need not be code. 
-Individuals at the Contributor level may be new contributors, 
+A Contributor directly adds value to the project.
+Contributions need not be code.
+Individuals at the Contributor level may be new contributors,
 or they may only contribute occasionally.
 
 * Responsibilities include:
@@ -54,22 +54,22 @@ or they may only contribute occasionally.
 
 ### Owners Structure
 There are two types of owners in the ORAS project hierarchy: organization owners and subproject owners.
-ORAS organization owners oversee the overall project and its health. 
-Subproject owners focus on a single repository, 
-a group of related repositories, 
-a service (e.g., a website), 
+ORAS organization owners oversee the overall project and its health.
+Subproject owners focus on a single repository,
+a group of related repositories,
+a service (e.g., a website),
 or subproject to support the other subprojects (e.g., marketing or community management).
 
-Changes in ORAS Organization owners have to be announced via an 
-[issue on the Community repository](https://github.com/oras-project/community/issues). 
+Changes in ORAS Organization owners have to be announced via an
+[issue on the Community repository](https://github.com/oras-project/community/issues).
 Changes to sub-project owners are to be announced via the appropriate sub-project issue.
 
-You can find more information on the roles of organization owners and 
+You can find more information on the roles of organization owners and
 subproject owners in the [governance](https://github.com/oras-project/community/blob/main/governance/GOVERNANCE.md).
 
 ## Inactivity
-It is important for contributors to be and stay active to set an example and show commitment to the project. 
-Inactivity is harmful to the project as it may lead to unexpected delays, 
+It is important for contributors to be and stay active to set an example and show commitment to the project.
+Inactivity is harmful to the project as it may lead to unexpected delays,
 contributor attrition, and a lost of trust in the project.
 
 * Inactivity is measured by:
@@ -81,24 +81,24 @@ contributor attrition, and a lost of trust in the project.
 
 ## Involuntary Removal or Demotion
 
-Involuntary removal/demotion of a contributor happens when responsibilities and requirements aren't being met. 
-This may include repeated patterns of inactivity, extended period of inactivity, 
-a period of failing to meet the requirements of your role, 
-and/or a violation of the Code of Conduct. 
-This process is important because it protects the community and its deliverables while also opens up opportunities for new 
+Involuntary removal/demotion of a contributor happens when responsibilities and requirements aren't being met.
+This may include repeated patterns of inactivity, extended period of inactivity,
+a period of failing to meet the requirements of your role,
+and/or a violation of the Code of Conduct.
+This process is important because it protects the community and its deliverables while also opens up opportunities for new
 contributors to step in.
 
 Involuntary removal or demotion is handled through a vote by a majority of the current Maintainers.
 
 ## Stepping Down/Emeritus Process
-If and when contributors' commitment levels change, 
-contributors can consider stepping down (moving down the contributor ladder) vs moving to emeritus status 
+If and when contributors' commitment levels change,
+contributors can consider stepping down (moving down the contributor ladder) vs moving to emeritus status
 (completely stepping away from the project).
 
-Contact the Maintainers about changing to Emeritus status, 
+Contact the Maintainers about changing to Emeritus status,
 or reducing your contributor level.
 
 ## Contact
-* For inquiries, please drop a message in the #oras channel in the CNCF Workspace. 
-You can follow the instructions in the [community resources](../community/community_resources.mdx#joining-the-slack-channel) 
+* For inquiries, please drop a message in the #oras channel in the CNCF Workspace.
+You can follow the instructions in the [community resources](../community/community_resources.mdx#joining-the-slack-channel)
 to join it.
@@ -5,7 +5,7 @@ sidebar_position: 50
 
 # Security Policy
 
-Thank you for taking the time to report a security vulnerability. 
+Thank you for taking the time to report a security vulnerability.
 We would like to investigate every report thoroughly.
 
 ## Reporting a Vulnerability
@@ -22,7 +22,7 @@ Click on `Security` and then `Report a vulnerability`
 
 ![Screenshot of how to report a vulnerability](../../static/img/reporting_a_security_concern.png)
 
-**Step 3** 
+**Step 3**
 
 You can fill in all the details of the vulnerability and click on `Submit report`.
 This report will be visible to only the maintainers (and anyone else required to look into the issue).
@@ -40,16 +40,16 @@ Please send us a report whenever you:
 
 The ORAS maintainers will acknowledge and analyze your report within 14 working days for high severity issues.
 
-Any vulnerability information you share with us, stays with the maintainers. 
+Any vulnerability information you share with us, stays with the maintainers.
 We will only disclose the information that is required to resolve the problem.
 
 We will update you on the status of the report throughout.
 
 ## Fixing the issue
 
-Once a security vulnerability has been identified, the maintainers (contributors, if required) will work on finding a solution. 
+Once a security vulnerability has been identified, the maintainers (contributors, if required) will work on finding a solution.
 The development and testing for the fix will happen in a private GitHub repository in order to prevent premature disclosure of the vulnerability.
 
-After the fix has been tested and deemed fit to be made public, 
-the changes will be merged from the private GitHub repository to the appropriate public branches. 
+After the fix has been tested and deemed fit to be made public,
+the changes will be merged from the private GitHub repository to the appropriate public branches.
 All the necessary binaries will be built and published.
@@ -308,7 +308,7 @@ ACR Artifact Documentation: [aka.ms/acr/artifacts](https://aka.ms/acr/artifacts)
 - [Authenticating with Zot Registry](https://zotregistry.dev/user-guides/user-guide-datapath/#authentication_2)
 
   ```
-  echo $ZR_PASSWORD | oras login <registry-ip>:5000 -u $ZR_USER --password-stdin 
+  echo $ZR_PASSWORD | oras login <registry-ip>:5000 -u $ZR_USER --password-stdin
   ```
 
 - [Pushing Artifacts to Zot Registry](https://zotregistry.dev/user-guides/user-guide-datapath/#push-an-artifact)

@@ -64,7 +64,7 @@ flowchart TD
     B -->|No| E[type=manifest.config.mediaType]
 ```
 
-For artifact authors, the sections below should help deciding on the blob and 
+For artifact authors, the sections below should help deciding on the blob and
 config mediaTypes.
 
 ## Dissecting the Manifest
@@ -110,9 +110,9 @@ in this case the config is an empty blob as per the [empty descriptor guidance][
 
 ### Artifacts with config
 
-Clients have been using the `config.mediaType` property  to declare the artifact type. 
-For OCI artifacts that have a valid config blob the config blob may use its own 
-mediaType and the `artifactType` property can be set to indicate the type of artifact. 
+Clients have been using the `config.mediaType` property  to declare the artifact type.
+For OCI artifacts that have a valid config blob the config blob may use its own
+mediaType and the `artifactType` property can be set to indicate the type of artifact.
 
 ```json
    {
@@ -136,8 +136,8 @@ mediaType and the `artifactType` property can be set to indicate the type of art
 
 #### Prior Art
 
-Before version 1.1 of the [image specification][image-spec], the `config.mediaType` 
-was used to indicate the type of the artifact. 
+Before version 1.1 of the [image specification][image-spec], the `config.mediaType`
+was used to indicate the type of the artifact.
 For example the artifact type below for the helm chart is `application/vnd.cncf.helm.config.v1+json`
 as the manifest does not have the `artifactType` property.
 
@@ -165,7 +165,7 @@ as the manifest does not have the `artifactType` property.
 Artifacts may store metadata in the manifest as annotations and need not have a config or blobs.
 For these the `artifactType` property is used to declare the type of the artifact.
 The config property is required in the manifest and for maximum compatibility
-an empty layer is also created as per the  [empty descriptors guidance][empty-descriptor].  
+an empty layer is also created as per the  [empty descriptors guidance][empty-descriptor].
 
 ```json
 {
@@ -191,10 +191,10 @@ an empty layer is also created as per the  [empty descriptors guidance][empty-de
 }
 ```
 
-### Artifact authoring decision tree 
+### Artifact authoring decision tree
 
 Putting it all together with the types of artifacts listed above and
-[Artifact Guidance in the image specification][artifact-guidelines], the decision tree 
+[Artifact Guidance in the image specification][artifact-guidelines], the decision tree
 below should help determine what fields to set when creating an artifact.
 
 ```mermaid

@@ -1,6 +1,6 @@
 ---
 title: Reference
-sidebar_position: 3 
+sidebar_position: 3
 ---
 
 # Understanding References in the Open Container Initiative (OCI) Standard
@@ -30,11 +30,11 @@ This reference is a combination of three parts:
 1. **Registry**: This is akin to the home or the server where your images or artifacts are stored.
 Think of it as the overarching domain. Examples include Docker Hub (docker.io),
 GitHub Container Registry (ghcr.io), or your own private registry.
-2. **Repository**: This is a segment of the reference, after the registry where a particular 
+2. **Repository**: This is a segment of the reference, after the registry where a particular
 application or service's images are stored.
 The repository doesn't necessarily follow a hierarchy within the registry, meaning `a/b/c`
 and `a/b/c/d` are both valid and distinct repositories, with no implied hierarchy between them.
-3. **Tag or Digest**: This is the last part indicating the version of the image or artifact 
+3. **Tag or Digest**: This is the last part indicating the version of the image or artifact
 you want to pull or push.
 
 #### References by Tag
@@ -123,7 +123,7 @@ defaults or shortcuts. For instance, if you were to use docker to pull an image
 using the reference `nginx`, docker would automatically resolve this to
 `docker.io/library/nginx:latest`. Here, `docker.io` is the default registry and
 `library/nginx` is the repository with a 'library' prefix for official images and `latest` is the
-default tag. 
+default tag.
 
 ### Conclusion
 

@@ -38,7 +38,7 @@ create and list reference types.
 The creation of a reference artifact is a two-step process:
 
 - **Step One**: PUT an artifact, say Artifact A, using the PUT Manifest and
-blob upload APIs if the artifact has blob content. The prerequisite for a reference 
+blob upload APIs if the artifact has blob content. The prerequisite for a reference
 type is that the subject artifact must be known so that it may be added to the subject.
 
 - **Step Two**: Put another artifact, say Artifact B, which refers to Artifact A.
@@ -62,11 +62,11 @@ reference to Artifact A by specifying the digest of Artifact A as the subject.
 The association is now established in the registry.
 
 :::tip NOTE
-The specification does allow  pushing the reference artifact **without** requiring 
-the presense of the the `subject` in the target registry or OCI-Layout. 
+The specification does allow  pushing the reference artifact **without** requiring
+the presense of the the `subject` in the target registry or OCI-Layout.
 :::
 
-The following example shows the manifest of Artifact B with a reference to Artifact A 
+The following example shows the manifest of Artifact B with a reference to Artifact A
 in the `subject` field.
 
 ```json
@@ -134,7 +134,7 @@ of a certain media type from the registry, which then responds with the filtered
 The response will include the `OCI-Filters-Applied: artifactType` header to indicate
 that the response is filtered by the `artifactType` query parameter.
 
-The artifact type is determied by the same rules as per 
+The artifact type is determied by the same rules as per
 [OCI artifacts guidlines](artifact.mdx#determining-the-artifact-type).
 
 ```mermaid
@@ -203,23 +203,23 @@ sequenceDiagram
 
     Note over C,R: Save to OCI Layout or file system
 
-    C->>+C: Save manifest, config and blobs 
+    C->>+C: Save manifest, config and blobs
     Note over C: Pull Workflow Ends
 ```
 
 ## The Power of Associations
 
 The introduction of Reference Types (Associations) opens a world of possibilities in
-managing and linking of OCI Artifacts while also empowering the following scenarios: 
+managing and linking of OCI Artifacts while also empowering the following scenarios:
 
-- Discovery and distribution of artifacts like SBOMs or signatures for supply chain. 
-- Movement of a graph of OCI content across environments. 
-- Content management of a graph of artifacts by archiving, deleting or moving them 
+- Discovery and distribution of artifacts like SBOMs or signatures for supply chain.
+- Movement of a graph of OCI content across environments.
+- Content management of a graph of artifacts by archiving, deleting or moving them
 together.
 
-To further explore this concept, dive deeper into the 
+To further explore this concept, dive deeper into the
 [OCI Distribution Specification][distribution-spec] and the [OCI Image Specification][image-spec].
-These comprehensive guides will provide more insights into the use of 
+These comprehensive guides will provide more insights into the use of
 reference types and other details of managing OCI Artifacts.
 
 [listing-referrers]: https://github.com/opencontainers/distribution-spec/blob/v1.1.0-rc3/spec.md#listing-referrers