Description
The rapidsai/base and rapidsai/notebooks 2025.12 images are not OCI compliant.
Specifically they use some media types not listed at https://specs.opencontainers.org/image-spec/media-types/. We learned about this recently because skopeo failed to process them:
time="2025-12-17T18:41:13Z" level=fatal msg="copying image 1/2 from manifest list: initializing image from source docker://rapidsai/base:25.12-cuda12-py3.10: unsupported docker v2s2 media type: "application/vnd.docker.image.rootfs.diff.tar.zstd""
(build link)
Reproducible Example
2025.10.0 images:
$ docker manifest inspect "rapidsai/notebooks:25.10-cuda13-py3.13"
$ docker pull "rapidsai/notebooks@sha256:8a8301e85add01f44c13a3c2929b9f3fe57fc552ad8f55cd9287439434d783e4"
$ docker manifest inspect "rapidsai/notebooks@sha256:8a8301e85add01f44c13a3c2929b9f3fe57fc552ad8f55cd9287439434d783e4"
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"size": 34014,
"digest": "sha256:fa7db77be8b593c15fc7d8820a1020ea17db91e0bbacaaa2bf6747e953eeb534"
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
"size": 24363704,
"digest": "sha256:27a43c58f9332008ec44a397c10c1ae70a4c11df1589f47a73a6859fe968e84b"
},2025.12.0 images:
$ docker manifest inspect "rapidsai/notebooks:25.12-cuda13-py3.13"
$ docker pull "rapidsai/notebooks@sha256:130f5fedd1c0e0f702622d354e2bb451bb73d84fa3a30d86045db7750e4df3cd"
$ docker manifest inspect "rapidsai/notebooks@sha256:130f5fedd1c0e0f702622d354e2bb451bb73d84fa3a30d86045db7750e4df3cd"
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"config": {
"mediaType": "application/vnd.docker.container.image.v1+json",
"digest": "sha256:9b0081bcf9629679c5b986c9418b357179450c275393a713049fc948bd13fd08",
"size": 34026
},
"layers": [
{
"mediaType": "application/vnd.docker.image.rootfs.diff.tar.zstd",
"digest": "sha256:f89553d0e471cb0322627510dbf888d12c44695ee7c138cf2499ac336e02ffe0",
"size": 24365331
},
Notes
I think I see the chain of events that led to this:
In June 2025, the base image rapdisai/ci-conda was switch to zstandard compression: rapidsai/ci-imgs#281
In November 2025, a new version of Docker or BuildKit (don't remember which) led us to opt out of attestations in builds, causing --preserve-attestations=false to be passed to docker buildx (#821).
That unintentionally opted builds in this repo out of passing oci-mediatypes=true, allowing the building to use layer media types understood by docker that aren't part of the OCI spec:
Description
The
rapidsai/baseandrapidsai/notebooks2025.12 images are not OCI compliant.Specifically they use some media types not listed at https://specs.opencontainers.org/image-spec/media-types/. We learned about this recently because
skopeofailed to process them:(build link)
Reproducible Example
2025.10.0 images:
2025.12.0 images:
Notes
I think I see the chain of events that led to this:
In June 2025, the base image
rapdisai/ci-condawas switch to zstandard compression: rapidsai/ci-imgs#281In November 2025, a new version of Docker or BuildKit (don't remember which) led us to opt out of attestations in builds, causing
--preserve-attestations=falseto be passed todocker buildx(#821).That unintentionally opted builds in this repo out of passing
oci-mediatypes=true, allowing the building to use layer media types understood bydockerthat aren't part of the OCI spec: