
Feature request: Allow pin-depends to have a checksum #4737

Open
kit-ty-kate opened this issue Jun 30, 2021 · 4 comments

Comments

@kit-ty-kate
Member

kit-ty-kate commented Jun 30, 2021

Currently the pin-depends does not have any syntax to set a checksum for its archive, the same way url or extra-source have.
Pin dependencies with fixed archives are used extensively by opam-monorepo.
For example for opam-monorepo itself: https://github.com/ocamllabs/opam-monorepo/blob/2710ab7ee3a1cddb613b79ce74f3701330340f61/opam-monorepo.opam.locked

I feel like this could be useful to have in general for other users as well.

cc @NathanReb

@NathanReb

Definitely useful and I'd be more than happy to add those when generating lockfiles in opam-monorepo!

@AltGr
Member

AltGr commented Jul 30, 2021

Why not use

git+https://github.com/0install/0install#v2.17

(or #4a837bd638d93905b96d073c28c644894f8d4a0b if you want to be more specific)
instead of

https://github.com/0install/0install/releases/download/v2.17/0install-v2.17.tbz

?

Pinning to archives seems a little weird to me.

@NathanReb

This can be useful to ensure reproducibility. The opam-repository metadata are evolving, usually for the best, but they have a tendency to make it impossible to build old versions of one's software because the opam solver cannot come up with a solution anymore. This bit us more than once when I was working at @cryptosense and I know for a fact that some others also suffered from this (cc @Leonidas-from-XIV).

The whole point of the opam-monorepo lockfile is that it contains enough information to be able to install every package, with the assurance you'll get the exact same version of the sources, hence the use of pins. We use git pins when it makes sense but when we simply want to use a released version pinning to the tarball makes more sense, especially since it happens quite often that the tarball and the sources for the corresponding tag differ (e.g. dune subst has been run to replace watermarks in the tarball etc...).

We're also trying to make those lockfiles as opam compatible as possible. Opam should be able to install the right versions from the lockfile as well, although for now it still has to go through the solver so it might fail if the upstream metadata did change in a breaking way.

Support for checksum verification in this case would benefit both opam-monorepo — as it uses the opam libraries to fetch the sources at the given URLs (be it tarballs or git repos) — and opam itself as it would be better at handling those lockfiles and any such pins if anyone else has a use for them (I can imagine someone using this to declare deps to libraries or tools not released to opam for instance).
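The check that the original request and the explanation above are asking for, as an added example that is not part of this thread, of opam, or of opam-monorepo: a small Python script that reads `pin-depends` entries written in opam 2.0 syntax from a constructed lockfile fragment, looks up expected checksums in a hypothetical sidecar map (opam has no field for this today, so the map stands in for what the feature would add), and compares constructed archive bytes against them in opam's `sha256=<hex>` notation. A pin with no recorded checksum is reported as unverified, which is the state every archive pin is in now: whatever is served at the URL gets installed.

```python
import hashlib
import re

# Constructed stand-ins for fetched tarballs (not real opam packages).
GOOD_ARCHIVE = b"fake tarball contents for pkg-a 1.0"
ORIGINAL_B = b"fake tarball contents for pkg-b 2.0"
TAMPERED_B = b"fake tarball contents for pkg-b 2.0 -- altered"


def opam_checksum(data: bytes) -> str:
    """Return the checksum of `data` in opam's `sha256=<hex>` form."""
    return "sha256=" + hashlib.sha256(data).hexdigest()


# Hypothetical sidecar map of expected checksums per pinned package.
# pin-depends cannot carry these today; a lockfile generator would have to emit them.
EXPECTED = {
    "pkg-a.1.0": opam_checksum(GOOD_ARCHIVE),
    "pkg-b.2.0": opam_checksum(ORIGINAL_B),
    # pkg-c.3.0 deliberately has no recorded checksum.
}

# Constructed lockfile fragment using real opam 2.0 pin-depends syntax.
LOCKFILE = """
pin-depends: [
  ["pkg-a.1.0" "https://example.invalid/releases/pkg-a-1.0.tbz"]
  ["pkg-b.2.0" "https://example.invalid/releases/pkg-b-2.0.tbz"]
  ["pkg-c.3.0" "git+https://example.invalid/pkg-c#deadbeef"]
]
"""

# What a downloader returned for each URL (constructed; pkg-b was altered upstream).
FETCHED = {
    "https://example.invalid/releases/pkg-a-1.0.tbz": GOOD_ARCHIVE,
    "https://example.invalid/releases/pkg-b-2.0.tbz": TAMPERED_B,
}


def parse_pin_depends(text: str) -> dict:
    """Simplified parser: map package -> URL from the pin-depends list only."""
    block = re.search(r"pin-depends:\s*\[(.*?)\n\]", text, re.S)
    if block is None:
        return {}
    return dict(re.findall(r'\[\s*"([^"]+)"\s+"([^"]+)"\s*\]', block.group(1)))


def verify_pins(lockfile: str, expected: dict, fetched: dict) -> dict:
    """Classify each pin: ok, mismatch, missing (not fetched) or unverified (no checksum)."""
    results = {}
    for pkg, url in parse_pin_depends(lockfile).items():
        want, data = expected.get(pkg), fetched.get(url)
        if want is None:
            results[pkg] = "unverified"  # today's behaviour: accepted without any integrity check
        elif data is None:
            results[pkg] = "missing"
        else:
            results[pkg] = "ok" if opam_checksum(data) == want else "mismatch"
    return results
```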

@AltGr
Member

AltGr commented Jul 30, 2021

Thank you for the detailed explanation! I didn't mean to question the usefulness of the feature requested, but indeed that seems to make sense. I believe opam switch export might allow you to do this at the moment, but it's probably not convenient for your use-case.
