Explain why automatic content discovery is optional

Automatic content discovery creates an information disclosure risk. There are a variety of mitigations to this risk, for example, storing knowledge of public, cached layers elsewhere, or performing the authz check to determine all of the blobs the user has access to prior to performing the mount check. Signed-off-by: Sargun Dhillon <sargun@sargun.me>
opencontainers · Jun 18, 2021 · 18d9675 · 18d9675
1 parent 7c81269
commit 18d9675
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/FAQ.md b/FAQ.md
@@ -73,3 +73,10 @@ There is no suggested behavior in the specification for what to do if the tag do
 
 The process of mounting a blob is supposed to fail in such a way that if a blob cannot be cross-mounted, the registry is supposed to initiate an upload. Clients should try to use the automatic content discovery mechanism. Non-conformant 
 registries may return a non-201 or non-202 error code. If the client is trying to be defensive to non-complaint registries, and receives a non-201 or non-202 error code, it should fall back to other methods.
+
+**Q: How come `from` is required on cross-repo mount for some registries?**
+
+Mounting without having to specify `from`, also known as automatic content discovery, requires the registry to determine whether or not a blob exists in a repository. If the existence check for the blob is done first, an immediate failure will 
+indicate the lack of presence of a blob. On the other hand, if the registry needs to perform further work to determine if the blob can be accessed by the mounter, it could create an information disclosure risk, in leaking that presence of a blob 
+with that digest in the registry.
+