I’m generally of the opinion that if we reference an object in another object, the object must exist in the registry. We’ve built the image spec and distribution implementations with this concept from the beginning. It prevents a lot of mistakes in pushing content that could otherwise be exposed to users.

The enforced order (“DAG order” we’ll call it), would be the following for a push that follows this invariant:

1. images and layers.
2. image-index.
3. signature.

It sounds like the benefit of relaxing this ordering is to allow one to push a signature or SBOM before the image-index is pushed, so that when one tries to pull the new image, the attachment is guaranteed to exist.

Is it worth relaxing the fundamental design principle of the registry to solve this particular problem? I think we need a better statement of impact before we drop a design principle that has gotten us this far.

I’m voting “Yes”, but with the statement that we need to make it a MUST to validate the presence of targeted subject. I am not aware of how this will cause problems with existing implementations on the client side, but understand if they need to relax adherence. If there is a clear use case that can’t be done with out relaxing this validation, I’m generally open to hearing about it (and acknowledge that I may have missed it in prior discussion).