Image Layout: Stop Putting Everything in Registries

Conference: ContainerCon 2022

2022-06-21

Authors: Brandon Mitchell


Summary

The presentation discusses the benefits of using OCI-compliant images in DevOps and cybersecurity practices.
  • OCI-compliant images offer more portability and plug-and-play capabilities in the DevOps ecosystem
  • The end goal is to have a more efficient, modular, and secure system
  • OCI is a good packaging format for shipping and storing data, but not for querying vulnerabilities
  • Annotations and attestations are important metadata for auditing and security purposes
  • Image signing should include the final name of the repository
The speaker mentions that lawyers require attendees to visit their booth in the expo hall, emphasizing the importance of following legal requirements. They also provide QR codes for attendees to access the presentation slides and a GitHub link to the demo of the OCI layout. The speaker intentionally tampers with the contents of the blobs to change the digest, and highlights the importance of vulnerability scans in cybersecurity practices.

Abstract

We're starting to put everything in registries: container images, signatures, SBOMs, attestations, cat pictures. We need to slow down. Our CI pipelines are designed to pass things as directories and files between stages, so why aren't we doing this with our container images? OCI already defines an Image Layout Specification that describes how to structure the data on disk, and we should normalize how it is used in our tooling. This talk looks at the value of using the OCI Layout spec, what you can do today, what issues we're facing, and a call to action for more standardization between tooling in this space.
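As an added illustration (not code from the talk or its demo repository) of what the Image Layout spec puts on disk and why its content-addressed blobs matter: the script below builds a minimal layout in a temporary directory (the oci-layout marker, blobs/sha256/, index.json), verifies every blob reachable from index.json against its digest and size, then flips one byte in the layer blob and verifies again. The config and layer bytes are constructed placeholders, not a real image.

```python
import hashlib, json, os, tempfile
MANIFEST = "application/vnd.oci.image.manifest.v1+json"

def write_blob(root, data, media_type):
    # Blobs are content-addressed: the file name under blobs/sha256/ is the digest of the bytes.
    hexd = hashlib.sha256(data).hexdigest()
    os.makedirs(os.path.join(root, "blobs", "sha256"), exist_ok=True)
    with open(os.path.join(root, "blobs", "sha256", hexd), "wb") as f:
        f.write(data)
    return {"mediaType": media_type, "digest": "sha256:" + hexd, "size": len(data)}

def make_layout(root):
    # Minimal layout: oci-layout marker, config, one constructed layer, manifest, index.json.
    with open(os.path.join(root, "oci-layout"), "w") as f:
        json.dump({"imageLayoutVersion": "1.0.0"}, f)
    config = write_blob(root, b'{"architecture":"amd64","os":"linux"}',
                        "application/vnd.oci.image.config.v1+json")
    layer = write_blob(root, b"constructed layer bytes", "application/vnd.oci.image.layer.v1.tar")
    manifest = write_blob(root, json.dumps({"schemaVersion": 2, "mediaType": MANIFEST,
                                            "config": config, "layers": [layer]}).encode(), MANIFEST)
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [manifest]}, f)
    return layer  # descriptor of the layer blob, so the caller can find it on disk

def verify_layout(root):
    # Walk index.json -> manifests -> config/layers, checking digest and size; [] means intact.
    problems = []
    with open(os.path.join(root, "index.json")) as f:
        pending = list(json.load(f)["manifests"])
    while pending:
        desc = pending.pop()
        alg, hexd = desc["digest"].split(":", 1)
        path = os.path.join(root, "blobs", alg, hexd)
        data = open(path, "rb").read() if os.path.isfile(path) else None
        if data is None:
            problems.append("missing " + desc["digest"])
        elif hashlib.new(alg, data).hexdigest() != hexd or len(data) != desc["size"]:
            problems.append("digest/size mismatch " + desc["digest"])  # untrusted: do not parse
        elif desc["mediaType"] == MANIFEST:
            m = json.loads(data)
            pending += [m["config"], *m["layers"]]
    return problems

def tamper_demo():
    root = tempfile.mkdtemp()
    layer = make_layout(root)
    clean = verify_layout(root)
    with open(os.path.join(root, "blobs", "sha256", layer["digest"][7:]), "r+b") as f:
        f.write(b"X")  # same length, new content: size check passes, digest check fails
    return clean, verify_layout(root)
```

Because the tampered blob keeps its size, only the digest comparison catches it, which is why a layout consumer must rehash every blob it loads rather than trusting file names or sizes.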
