Some random musings on ostree vs OCI/Docker format



Since we've been using both ostree and docker/OCI in
Project Atomic, the format/management differences between the two
come up often.  I added an entry about this in the docs even:


In some aspects, OSTree I think is better:
 - git remote style model
 - lossless unpack/reassemble (tried and failed with Docker tarsum[1])
 - meaningful commit checksums with gpg signatures
 - Ability to do download + unpacking as streaming operations

One thing to note though is that for base OS trees, the content *has*
to be trusted since it runs as root.  However, when looking at using OSTree
for container images, unlike the base OS case, we can't assume that the checksums
in the format are correct.   

So currently, what Flatpak is doing is forcing ostree to re-checksum.  But if we're not
really trusting the format much, it seems the advantages of ostree as transport format
(as opposed to the tarballs underlying OCI/Docker) diminish. 

However, we would clearly need to bring static deltas to 

On the flip side though, I think there's a lot of interest in
using ostree's on-disk checksums for OCI images, and that's going
to continue.

So I see a few 

[1] https://github.com/projectatomic/skopeo/issues/11
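
The re-checksum point above, as an added example that is not part of the original message and is not ostree or Flatpak code: a simplified content-addressed store in which an object's name is the SHA-256 of its bytes only (an assumption; real ostree checksums also cover file metadata). All function names and sample objects are constructed for illustration.

```python
import hashlib

def object_name(data: bytes) -> str:
    """Name an object by the SHA-256 of its bytes (simplified model)."""
    return hashlib.sha256(data).hexdigest()

def import_trusting_names(incoming: dict, store: dict) -> list:
    """Trusted-source import: accept each object under the name the sender gave it."""
    for name, data in incoming.items():
        store.setdefault(name, data)
    return sorted(incoming)

def import_rechecksum(incoming: dict, store: dict) -> tuple:
    """Untrusted-source import: recompute every digest and reject mismatches."""
    accepted, rejected = [], []
    for name, data in incoming.items():
        if object_name(data) == name:
            store.setdefault(name, data)
            accepted.append(name)
        else:
            rejected.append(name)
    return sorted(accepted), sorted(rejected)

# Constructed sample objects.
GOOD = b"#!/bin/sh\necho hello\n"
SHARED = b"contents of a shared library\n"
MISLABELED = b"different bytes sent under the shared library's name\n"

def demo() -> tuple:
    # One honest object, and one whose claimed name does not match its bytes.
    incoming = {object_name(GOOD): GOOD, object_name(SHARED): MISLABELED}
    naive_store, strict_store = {}, {}
    import_trusting_names(incoming, naive_store)
    accepted, rejected = import_rechecksum(incoming, strict_store)
    # In the naive store, any later image referencing SHARED's checksum
    # would be handed the mislabeled bytes instead.
    poisoned = naive_store[object_name(SHARED)] != SHARED
    return poisoned, accepted, rejected

if __name__ == "__main__":
    poisoned, accepted, rejected = demo()
    print("naive store poisoned:", poisoned)
    print("accepted:", accepted)
    print("rejected:", rejected)
```

The cost of the strict path is one full hash pass over every imported object, which is the trade-off the message weighs against ostree's advantages as a transport format.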

