Change should to must in v2 spec

We found some examples of manifests with URLs specififed that did
not provide a digest or size. This breaks the security model by allowing
the content to change, as it no longer provides a Merkle tree. This
was not intended, so explicitly disallow by tightening wording.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
This commit is contained in:
Justin Cormack 2021-08-20 12:11:45 +01:00
parent ecdf4b7e43
commit 1660df4b60
No known key found for this signature in database
GPG key ID: CBC0AC323D731540

View file

@ -220,7 +220,7 @@ image. It's the direct replacement for the schema-1 manifest.
- **`urls`** *array* - **`urls`** *array*
Provides a list of URLs from which the content may be fetched. Content Provides a list of URLs from which the content may be fetched. Content
should be verified against the `digest` and `size`. This field is must be verified against the `digest` and `size`. This field is
optional and uncommon. optional and uncommon.
## Example Image Manifest ## Example Image Manifest