upx VS image-spec

According to this source:

Following optimization, tools like UPX can compress the resulting binary, significantly reducing file size. This compression is invaluable for resource-constrained environments but adds a decompression step during binary execution.

I have been using UPX but I'm quite sure if there's something out there that offers better compression.

Ah that's nice, long ago I used parchment.js to load a inform7 created z5 file on my website. You could try to compress your executable with upx https://upx.github.io/

In this process, the given packer tool embeds a natively compiled PE into another executable that contains the information needed to unpack the original content and execute it. Perhaps the most well known packer, which is not even for malicious purposes, is Golang's UPX package.

Rewrite in C#, and use an obfuscator on the DLL. You can also write some parts in C++ as many variable and function names are forgotten when compiling. You should also encrypt the PCK, and see if you can embed it. If it's embedded, you can make it more annoying to deal with by packing it with https://upx.github.io/

Another good example of false positives like this would be binaries that are compressed with UPX - the way it works is apparently very similar to how stub-loader malware operates and signature detection tools will flag it as malicious.

This will optimise the release binary to be as small as possible. Additionally with upx we can create really small docker image !

Then I compressed it with upx, cp small.exe smallUpx.exe && upx --brute smallUpx.exe, got a 10752 bytes executable, half the size, but still pretty large

Eventually, once zstd support gets fully supported, and tiny gzip compression windows are not a limitation, then compressing a full layer would almost certainly have a better ratio over several smaller layers

https://github.com/opencontainers/image-spec/issues/803

Please note that label-schema has been superseded by https://github.com/opencontainers/image-spec/blob/main/annotations.md<^

GitHub Container Registry stores container images within your organization or personal account, and allows you to associate an image with a repository. It currently supports both the Docker Image Manifest V2, Schema 2 and Open Container Initiative (OCI) specifications.

We build all services as containerized workloads, i.e., OCI images - sometimes called Docker images. We deploy these to the Kubernetes product offered by the cloud vendor. Whenever we need some capability, containers are the answer. This insulates our applications from the vendor. In principle, we could switch providers as long as Kubernetes is available.

Build images with anything that makes OCI compliant images, push, and profit.

it's funny that you mention this because it is actually the thing that is next on my agenda for the image, as you can probably see already I bake in OCI image annotations in our image, which is great for including some core pieces of meta data. In addition to this though I will soon be including custom labels for Base64 encoded YAMLs for Kubernetes deployments using this image. I will look at including helm configuration as well. Then it should be just as easy as: $ docker pull registry.gitlab.com/crafty-controller/crafty-4:latest $ docker image inspect registry.gitlab.com/crafty-controller/crafty-4:latest | jq -r ".[].Config.Labels.\"org.arcadiatech.crafty.k8s.deployment\"" | base64 -d | kubectl apply -f -

They still don't do anything really of substance, they're just gateways to their vendor's world - booking systems, payment systems, etc. You learn those as you go along. Yes, as a potential employee, you need to be able to tick those boxes on your CV, but if you understand the underlying technology, it's mostly a matter of booking your own AWS or Azure server for $5-10 a month for a few weeks, and fooling around. (Docker is a bit different in the sense that they were the first to popularize today's de-facto container image standard, the "Docker container", which has since been accepted as a proper standard and renamed to "OCI image format"; but at the end of the day, at this point in time, Docker in itself is still just a company out for the money, and the multi-GB installation of their product can, for the essential functionality part, be replaced by a few hundred lines of Bash code. The cool boys today don't use Docker, they use [Podman(https://podman.io/), which is essentially a much more lightweight drop-in replacement ;-) )

For Docker, wouldn't it be good to include OCI metadata? Or does docker build do that?