Explain why automatic content discovery is optional
Automatic content discovery creates an information disclosure risk. There
are a variety of mitigations to this risk, for example, storing knowledge
of public, cached layers elsewhere, or performing the authz check to
determine all of the blobs the user has access to prior to performing
the mount check.

Signed-off-by: Sargun Dhillon <[email protected]>
sargun committed Jun 22, 2021
1 parent 87f4a24 commit 728e5d0
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions FAQ.md
@@ -75,3 +75,9 @@ The process of mounting a blob is supposed to fail in such a way that if a blob
Clients should try to use the automatic content mount origin discovery mechanism when they do not know of an origin in the registry with the requisite blob.
Nonconformant registries may return a non-201 or non-202 error code.
If the client is trying to be defensive to nonconformant registries, and receives a non-201 or non-202 error code, it should fall back to [pushing the blob](https://github.com/opencontainers/distribution-spec/blob/main/spec.md#pushing-blobs).

**Q: How come `from` is required on cross-repo mount for some registries?**

Mounting without having to specify `from`, also known as automatic mount origin discovery, requires the registry to determine whether or not a blob exists in any repository.
If the existence check for the blob is done first, an immediate failure will indicate the lack of presence of a blob.
On the other hand, if the registry needs to perform further work to determine if the blob can be accessed by the mounter, it could create an information disclosure risk, in leaking that presence of a blob with that digest in the registry.
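Review bot: the answer never closes the loop on the question it poses. The three added sentences explain that automatic origin discovery forces the registry to check whether a blob with that digest exists in any repository, and that doing the existence check before the access check turns a mount request into an oracle for blob presence, but they do not say why requiring `from` avoids this: with `from` supplied, the existence check is scoped to a single repository the client must already be authorized to read, so a failed mount tells the client nothing it could not already learn by reading that repository. Suggest a closing sentence to that effect, and either listing the mitigations named in the commit message (keeping knowledge of public cached layers outside the registry, or resolving the set of blobs the user may access before the mount check) or stating plainly that registries which implement neither require `from`. Minor wording: "in leaking that presence of a blob with that digest" reads better as "by leaking the presence of a blob with that digest", and "an immediate failure will indicate the lack of presence of a blob" as "an immediate failure reveals that no blob with that digest exists".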

0 comments on commit 728e5d0
