There may be a use case where debuginfo-carrying container images are available on registries or filesystems, and where extracting that content could serve container debugging tasks. hypothetical algorithm: - given a list of image names - periodically make contact with designated registry across https://docs.docker.com/registry/spec/api/ - fetch authentication token if needed - download image manifest json, thence layer fs-delta files (tarballs) - scan resulting tarballs as ordinary libarchive inputs - use fs-delta blob hexid as archive path key - need only ever scan once! - https://gist.github.com/cirocosta/17ea17be7ac11594cb0f290b0a3ac0d1 or podman-intermediated: - given a list of image names - perform periodic "podman pull"s - podman mount - scan contents in -F mode - "podman unmount" afterwards - ... or podman save; scan the resulting tarball's contents as sub tarballs - one problem is how to scan only new layers (and not waste time instantiating old at all)