Add FetchCode support for oci #173

@pombredanne

An oci://... or pkg:oci/... PURL refers to a container image that conforms to the Open Container Initiative (OCI) image specification. Like Docker images, OCI artifacts are stored and distributed as separate blobs over an API - not a single file.

Key reasons:

- Spec-compliant registries: OCI images must be fetched using the OCI Distribution Spec, which requires reading manifests and downloading blobs via digest.
- Registries vary: There’s no universal registry or URL format - ghcr.io, quay.io, and gcr.io all differ.
- Complex structure: You must:
  - Fetch the manifest
  - Retrieve each layer blob
  - Resolve any associated artifacts (e.g., signatures, SBOMs)
- Tooling is required: Use tools like oras, skopeo, or crane to pull artifacts - a single wget URL simply doesn’t exist.

So, like Docker, an OCI PURL also cannot be resolved to a direct download link without orchestrating a registry-aware client process.
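
The sequence described in the issue (manifest first, then each blob by digest), as an added example that is not part of the original issue and is not FetchCode code. It assumes the purl-spec `oci` layout (manifest digest as the version, `repository_url` qualifier) and the OCI Distribution Spec `/v2/<name>/manifests/<reference>` and `/v2/<name>/blobs/<digest>` endpoints; `registry.example.com`, the sample manifest and all function names are constructed, and registry authentication is left out.

```python
import hashlib
import json
from urllib.parse import parse_qs, unquote

def sha256_digest(data):
    return "sha256:" + hashlib.sha256(data).hexdigest()

def parse_oci_purl(purl):
    """Return (registry, repository, digest) from pkg:oci/<name>@<digest>?repository_url=..."""
    prefix = "pkg:oci/"
    if not purl.startswith(prefix):
        raise ValueError("not a pkg:oci PURL")
    rest, _, query = purl[len(prefix):].partition("?")
    name, _, version = rest.partition("@")
    repo_url = parse_qs(query).get("repository_url", [""])[0]
    registry, _, repository = repo_url.partition("/")
    if not (version and registry and repository.split("/")[-1] == name):
        raise ValueError("need a digest and a repository_url ending in the PURL name")
    return registry, repository, unquote(version)

def verify_digest(data, digest):
    """Reject content whose SHA-256 does not match the digest that named it."""
    if not digest.startswith("sha256:") or sha256_digest(data) != digest:
        raise ValueError("digest mismatch or unsupported algorithm: " + digest)

def manifest_url(registry, repository, reference):
    return f"https://{registry}/v2/{repository}/manifests/{reference}"

def blob_urls(registry, repository, manifest_bytes, manifest_digest):
    """Check the manifest against the PURL digest, then list config and layer blob URLs."""
    verify_digest(manifest_bytes, manifest_digest)
    manifest = json.loads(manifest_bytes)
    descriptors = [manifest["config"], *manifest["layers"]]
    return [f"https://{registry}/v2/{repository}/blobs/{d['digest']}" for d in descriptors]

# Constructed sample data: a tiny manifest and the PURL that pins it by digest.
LAYER = b"constructed layer bytes"
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": sha256_digest(b"{}"), "size": 2},
    "layers": [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": sha256_digest(LAYER), "size": len(LAYER)}],
}).encode()
PURL = ("pkg:oci/app@" + sha256_digest(MANIFEST).replace(":", "%3A")
        + "?repository_url=registry.example.com/example/app")
```

A fetcher would call `verify_digest` again on every downloaded blob, using the digest from its descriptor, before unpacking anything.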
