[PROPOSAL] Generic namespace for describing OCI images and layers

[prabhu]

Information about the images and their layers via properties is useful while generating SBoM for oci images. Trivy uses the following names.

• aquasecurity:trivy:LayerDigest
• aquasecurity:trivy:LayerDiffID
• aquasecurity:trivy:ImageID

Syft uses the following

• syft:location:0:layerID
• syft:location:1:layerID

Instead of requesting another one for cdxgen and other orgs, could we come up with something generic using "org.opencontainers" etc? Example:

• org.opencontainers.image.layer.digest
• org.opencontainers.image.layer.id
• org.opencontainers.image.id

[jkowalleck]

like the idea in general, but...
my thoughts:

• who would own this OCI-related namespace, then? Is there any org or a general committee? did you get in touch with opencontainers(Open Container Initiative), maybe they have such a thing already?
• where is the taxonomy for this namespace? just having it registered/reserved and having no FFA taxonomy, that serves no purpose. So as long as there is no peer-reviewed and general agreed taxonomy details, I'd veto this proposal.
• I am concerned that this would create a non-standard nobody would use, so there should be consensus about the details of this taxonomy, first.

[jkowalleck]

@stevespringett suggested:

one possibility is to put this under the cdx namespace in the same way we support maven, go, and npm today.