Add sorting by artifact creation datetime #82
Conversation
There was a problem hiding this comment.
Since I'm betting we'll add other criteria, over time, I'd suggest having a default sort order of desc on created, but provide for other sorting options in the future.
For instance, to specify the sort order of asc, the user would pass ?orderBy=created:desc Which raises a good question. What are good patterns for including two values on a parameter?
?artifactType=example/scan&sortBy=created:asc
|
|
||
| **Pre-Defined Annotation Keys:** | ||
| This defines a set of keys that have been pre-defined for use by authors of ORAS artifacts. | ||
| - `org.cncf.oras.artifact.created` date and time on which the artifact was created (string, date-time as defined by [RFC 3339][rfc-3339]) |
There was a problem hiding this comment.
While we only have one annotation now, should this be placed in an ./annotations.md file? I'm sure we'll have many more, which we'll add as needed.
There was a problem hiding this comment.
I think it's nicer to have inline until it gets too big. Is there a reason to move it to a new file now?
There was a problem hiding this comment.
We can do it later, as we have more annotations.
There was a problem hiding this comment.
A note on the annotation namespace. We'll want to change this, but I created #89 to track this, so I'd suggest we merge this, and do a separate PR to address 89 as we close on the namespace.
| @@ -36,7 +36,8 @@ Future Minor versions MUST be additive. | |||
| ## Artifact Referrers API results | |||
|
|
|||
| - Implementations MUST implement [paging](#paging-results). | |||
| - Implementations MAY implement [`artifactType` filtering](#filtering-results). | |||
| - Implementations MUST implement [sorting](#sorting-results) | |||
There was a problem hiding this comment.
I'm sure we'll get some pushback on this, but I agree we MUST provide sorting, or the paging becomes only partially helpful. Paging and sorting are combined to get the top N of a given artifactType.
I suppose we could also throw a 400 when sortby parameter is passed? But, I'd suggest results MUST be sorted descending by default, with the option to sortby=created:asc
| @@ -141,6 +142,13 @@ The value of the header would be: | |||
| ``` | |||
| Please see [RFC5988][rfc5988] for details. | |||
|
|
|||
| ### Sorting Results | |||
| The `/referrers` API MUST allow for artifacts to be sorted by the date and time in which they were created, which SHOULD be included in the artifact manifest's list of `annotations`. | |||
| The artifact's creation time MUST be the value of the `org.cncf.oras.artifact.created` annotation, as specified in the [artifact-manifest spec][artifact-manifest-spec]. | |||
There was a problem hiding this comment.
suggest link to a new ./annotations.md file.
There was a problem hiding this comment.
Acking this is deferred to when we have more annotations.
|
Adding xref to #80 |
|
I think that I'd prefer to not include sorting method/parameters in this version. We don't support multiple sort orders or attributes in any other API on the registry, and doing that here creates additional complications, especially for smaller registries. Having a single order allows for the most common use case to be addressed without going overboard. This proposal already makes me a little concerned about overcomplicating, so I would also appreciate feedback on how to simplify this. |
|
I can go either way on the annotations file. |
|
What do you mean by start with an optional standard? The way the PR currently reads, the sorting is a MUST. I was pushing back against the need to support more than descending ordering and/or sorting by other attributes. I think we should not plan to add that support, as that begins to cause issues for a registry implemented as a static website/filesystem and requires additional indexes/fields to be lifted out of the manifest. |
|
Just thinking out loud here -- should we consider changing this to the time the actual artifact was pushed? I worry about lifting an annotation out of the manifest and using it for sorting. Especially considering it's expected to be a time value. If someone includes this annotation, but doesn't conform to a certain time format, what is the expected behavior? Should we store the value of this annotation in our database as a string? Should we attempt to parse the time and convert it to something standard so that multiple time formats can be used? What if someone puts a version number in the time field to get the sorting functionality? Do we start rejecting manifests that contain this annotation but aren't conforming to the time RFC? If we changed to the actual time of push, instead of lifting an annotation: Pros
Cons
|
That was the initial thought. However, since our goal is to enable content promotion, what does "push" mean? Is it the push to the first registry, and it's maintained as it's promoted to other registries? How does the 2nd registry know it's the second registry? (your cons list). We did discuss putting the dependency on clients to pull/push in the right order, but that just leaves a long list of holes that would surface, making the value and ordering non-trusted. This is how we landed on sorting by the new annotation, as the client determines the created date, and the registry just reflects that. Similar to a file on your local disk. As a file is copied across folders, and different machines, the last modified date (pseudo for created date) is maintained.
This is an excellent question, and something we'll need to cope with as annotations become more generally used. I realize we're starting to deal with a larger set of issues, but this is the right time to start dealing with issues I think we recognize we need to solve. ie meta-data querying BTW, I'm also ok if we don't require this in the spec. I do want to enable a registry to be able to implement the sorting pattern. and it be consistent when other registries decide to implement it. I do not think we should let an unknown quantity (if any) static registries limit the rest of the dynamic registries from being to deliver on this pretty well defined need to sort scan results/updates/signatures/sboms in an order. |
SteveLasker
changed the title
Signed-off-by: Michael Brown <[email protected]>
michaelb990
force-pushed
the
sorting-proposal
branch
from
d7b9639 to
083baf1
Compare
I've been hearing feedback about issues with
returning an unordered list of references for
use cases that may have a high number of artifacts.
Scan results or short-lived signatures are two examples
of this. In most cases, the artifact which was created
the most recently is usually the more important one.
This is an initial attempt at specifying how that might
look like.
Would love feedback about:
createdannotation be sorted last in the list of results./referrersapi.