Overview

General

Bundle Bar (bundle.bar) is a new type of registry for storing small artifacts.

Over the past few years, several projects have explored the concept of using OCI to distribute packages; however, many registries are designed for Docker support (rightfully so), and do not have full support for other artifacts.

Since container images have unique requirements, we have decided to focus our efforts on smaller, alternative artifacts. While container images are technically supported on Bundle Bar, we have implemented a 5MB upload limit per artifact (25MB for Pro plans). Upload things such as configuration files, tarballs, modules, and binaries.

Sign up today via GitHub or with email+password. Our Basic plan is free to use with a verified email address, and our Pro plan is $25/month with a 7-day free trial (no credit card required).

Open Container Initiative (OCI)

Founded in 2015, the Open Container Initiative (OCI) defines the specifications which make all software leveraging container technologies interoperable.

Based on top of Docker's original registry V2 API, the OCI Distribution Spec defines HTTP endpoints to use for uploading and downloading container images.

Expanding upon the scope of OCI, the OCI Artifacts project was recently started to provide guidance on how to use the OCI Distribution Spec to distribute "non-container" things.

While much of this is still a work-in-progress, Bundle Bar intends to adhere strictly to the OCI Distribution Spec and follow the guidelines described by OCI Artifacts as each evolves.

How we determine types

When manifests are uploaded to the registry, we inspect a field in the JSON located at config.mediaType. Based on the value of that field, we are able to determine a collection of recognized artifact types.

Here is an example of a valid Helm chart manifest:

{
  "schemaVersion": 2,
  "config": {
    "mediaType": "application/vnd.cncf.helm.config.v1+json",
    "digest": "sha256:8ec7c0f2f6860037c19b54c3cfbab48d9b4b21b485a93d87b64690fdb68c2111",
    "size": 117
  },
  "layers": [
    {
      "mediaType": "application/tar+gzip",
      "digest": "sha256:1b251d38cfe948dfc0a5745b7af5ca574ecb61e52aed10b19039db39af6e1617",
      "size": 2487
    }
  ]
}

The config.mediaType for Helm charts is application/vnd.cncf.helm.config.v1+json.

Here is a list of all of our recognized types and their associated config.mediaType:

Artifact typeconfig.mediaType
Helm Chartapplication/vnd.cncf.helm.config.v1+json
Web Assembly Module (WASM)application/vnd.wasm.config.v1+json
Open Policy Agent (OPA) Bundleapplication/vnd.cncf.openpolicyagent.config.v1+json
Docker Imageapplication/vnd.docker.container.image.v1+json
Open Container Initiative (OCI) Imageapplication/vnd.oci.image.config.v1+json

If the config.mediaType you provide does not match one of our recognized types, you can certainly still upload it, but your artifact will treated as unknown. You are encouraged to use Bundle Bar for all sorts of things.

Support

Are you experiencing an issue with your account? Want us to add a new recognized type? Do you have an idea for a new feature?

Please send us an email and we will get back to you ASAP: support@bundle.bar

You can also reach our bagel on Twitter: @bundlebarbagel.

Security disclosure

If you are reporting a security vulnerability, please send an email to security@bundle.bar (thank you in advance).

You are also encouraged to encrypt your email using our public key located here (Fingerprint: 0E7F990287D5F5F7C1FCD2F165639A2346DC9F5D).

Depending on the vulnerability, we offer bounties if responsibly disclosed:

AmountDescription
$1,000Ability to access some part of our internal system
$500Ability to access another user's account or private data

We would also like to give you some sort of public thanks, unless of course you would like to remain anonymous.

About

Bundle Bar is a service launched in 2020, owned and operated by Blood Orange, LLC.