
Modifying the Immutable: Attaching Artifacts to OCI Images

Authors: Brandon Mitchell


Summary

The presentation discusses the challenges of modifying immutable container images and the solutions that were proposed and implemented.
  • The challenge was to modify immutable container images to include additional data such as SBOMs and signatures
  • Multiple solutions were proposed, including creating a new artifact manifest, extending an existing manifest, and using a hierarchical pointing system
  • The immutability of container images is achieved through a Merkle tree structure and content addressability
  • Multi-platform images have their own manifest of manifests with platform-specific descriptors
  • The presentation emphasizes the importance of efficiency and avoiding unnecessary API calls
The presenter discussed the challenge of modifying immutable container images and the need to include additional data such as SBOMs and signatures. Multiple solutions were proposed, including creating a new artifact manifest and extending an existing manifest. The presenter emphasized the importance of efficiency and avoiding unnecessary API calls. The presentation also covered the structure of multi-platform images and the need for platform-specific descriptors. Overall, the presentation provided insights into the challenges faced in DevOps and cybersecurity when working with container images.

Abstract

Images are now being pushed to OCI registries with more and more metadata, including attestations, signatures, and SBOMs. What is involved with adding your own artifacts? This talk walks through how OCI recently standardized the process, and describes how additional data can be added to an image without modifying its immutable digest. You'll learn how tooling can ship SBOMs alongside images, both for the vendor generating the SBOM and the user searching for it. The talk also covers many of the gotchas you may encounter when implementing this yourself.
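The mechanism the abstract describes, as an added illustration that is not code from the talk: an image manifest is named by the sha256 of its bytes, so it cannot be edited without changing its digest; an artifact manifest instead points back at the image through the OCI 1.1 `subject` descriptor, and a registry's referrers listing is just the set of manifests whose subject matches. The media types are the OCI spec's own; the image contents, the SBOM payload and the `application/vnd.example.sbom` artifact type are constructed sample values.

```python
import hashlib
import json

# OCI image-spec media types (real values from the spec).
MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"
CONFIG_MT = "application/vnd.oci.image.config.v1+json"
LAYER_MT = "application/vnd.oci.image.layer.v1.tar+gzip"
EMPTY_MT = "application/vnd.oci.empty.v1+json"  # config slot of a pure artifact


def digest(blob: bytes) -> str:
    """Content address: the name a registry uses for exactly these bytes."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()


def descriptor(blob: bytes, media_type: str, **extra) -> dict:
    """A descriptor is the edge of the Merkle tree: type, digest and size of the child."""
    return {"mediaType": media_type, "digest": digest(blob), "size": len(blob), **extra}


def serialize(obj: dict) -> bytes:
    # A manifest is addressed by its bytes, so serialize deterministically.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# Constructed sample image: one config blob and one layer blob (contents are placeholders).
config_blob = b'{"architecture":"amd64","os":"linux"}'
layer_blob = b"constructed layer bytes"
image_manifest = serialize({
    "schemaVersion": 2, "mediaType": MANIFEST_MT,
    "config": descriptor(config_blob, CONFIG_MT),
    "layers": [descriptor(layer_blob, LAYER_MT)],
})


def attach_artifact(subject: bytes, artifact_type: str, payload: bytes, payload_mt: str) -> bytes:
    """Build an artifact manifest whose `subject` points at the image manifest.
    The image bytes are never touched, so its digest (and any tag on it) stay valid."""
    return serialize({
        "schemaVersion": 2, "mediaType": MANIFEST_MT, "artifactType": artifact_type,
        "config": descriptor(b"{}", EMPTY_MT),          # the spec's empty descriptor
        "layers": [descriptor(payload, payload_mt)],
        "subject": descriptor(subject, MANIFEST_MT),   # the back-pointer
    })


def referrers(manifests: list[bytes], subject_digest: str) -> list[dict]:
    """What a referrers listing returns: descriptors of every manifest whose subject is this digest."""
    hits = []
    for m in manifests:
        doc = json.loads(m)
        if doc.get("subject", {}).get("digest") == subject_digest:
            hits.append(descriptor(m, MANIFEST_MT, artifactType=doc.get("artifactType")))
    return hits
```

Note that adding even one annotation to the image manifest and re-serializing it yields a different digest, which is why the attachment has to live in a separate manifest rather than in the image itself.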
