Feature request: Allow pin-depends to have a checksum #4737
Comments
Definitely useful and I'd be more than happy to add those when generating lockfiles in opam-monorepo!
Why not use (or ? Pinning to archives seems a little weird to me.
This can be useful to ensure reproducibility. The opam-repository metadata are evolving, usually for the best, but they have a tendency to make it impossible to build old versions of one's software because the opam solver cannot come up with a solution anymore. This bit us more than once when I was working at @cryptosense and I know for a fact that some others also suffered from this (cc @Leonidas-from-XIV). The whole point of the opam-monorepo lockfile is that it contains enough information to be able to install every package, with the assurance you'll get the exact same version of the sources, hence the use of pins. We use git pins when it makes sense, but when we simply want to use a released version, pinning to the tarball makes more sense, especially since it happens quite often that the tarball and the sources for the corresponding tag differ (e.g. We're also trying to make those lockfiles as opam compatible as possible. Opam should be able to install the right versions from the lockfile as well, although for now it still has to go through the solver, so it might fail if the upstream metadata did change in a breaking way. Support for checksum verification in this case would benefit both
Thank you for the detailed explanation! I didn't mean to question the usefulness of the feature requested, but indeed that seems to make sense. I believe
Currently the pin-depends field does not have any syntax to set a checksum for its archive, the same way url or extra-source have. Pin dependencies with fixed archives are used extensively by opam-monorepo.
For example for opam-monorepo itself: https://github.com/ocamllabs/opam-monorepo/blob/2710ab7ee3a1cddb613b79ce74f3701330340f61/opam-monorepo.opam.locked
I feel like this could be useful to have in general for other users as well.
cc @NathanReb
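To make concrete what a checksum on a pinned archive would buy, here is an added example (not opam's or opam-monorepo's code) of the verification step: it parses checksum strings in the algo=hex form that opam's url and extra-source fields already use, hashes the downloaded archive bytes, and compares in constant time. Missing checksums are treated as a failure rather than a pass, since an unchecked archive gives no integrity guarantee. The archive bytes, the lockfile-style entry and all function names are constructed for this example.

```python
import hashlib
import hmac

# Constructed stand-in for the bytes of a pinned release tarball.
SAMPLE_ARCHIVE = b"opam-monorepo sample archive contents\n"

# Hash algorithms opam accepts in checksum strings (md5=, sha256=, sha512=).
SUPPORTED = {"md5": hashlib.md5, "sha256": hashlib.sha256, "sha512": hashlib.sha512}
HEX_DIGITS = set("0123456789abcdef")


def parse_checksum(spec: str):
    """Split an opam-style 'algo=hex' checksum into (algo, hex), validating both halves."""
    algo, sep, digest = spec.partition("=")
    if not sep:
        raise ValueError(f"malformed checksum (expected algo=hex): {spec!r}")
    algo = algo.strip().lower()
    digest = digest.strip().lower()
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported checksum algorithm: {algo!r}")
    expected_len = SUPPORTED[algo]().digest_size * 2
    if len(digest) != expected_len or not set(digest) <= HEX_DIGITS:
        raise ValueError(f"{algo} digest must be {expected_len} hex chars: {digest!r}")
    return algo, digest


def verify_archive(data: bytes, checksums) -> bool:
    """Return True only if every listed checksum matches the archive bytes.

    An empty checksum list returns False: with no checksum, nothing ties the
    pinned URL to a specific artifact, which is exactly the gap the issue describes.
    """
    if not checksums:
        return False
    for spec in checksums:
        algo, digest = parse_checksum(spec)
        actual = SUPPORTED[algo](data).hexdigest()
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if not hmac.compare_digest(actual, digest):
            return False
    return True


def expected_checksums(data: bytes):
    """Produce the checksum strings a lockfile generator would record for an archive."""
    return [f"{algo}={fn(data).hexdigest()}" for algo, fn in SUPPORTED.items()]


def check_pinned_entry(entry: dict, data: bytes) -> bool:
    """Check one constructed lockfile-style pin entry {'name', 'url', 'checksum'} against bytes."""
    return verify_archive(data, entry.get("checksum", []))


if __name__ == "__main__":
    # Constructed entry in the shape a pin-with-checksum might take in a lockfile.
    entry = {
        "name": "example-pkg",
        "url": "https://example.invalid/example-pkg-1.0.tbz",  # placeholder URL
        "checksum": expected_checksums(SAMPLE_ARCHIVE),
    }
    print("intact archive:", check_pinned_entry(entry, SAMPLE_ARCHIVE))
    print("tampered archive:", check_pinned_entry(entry, SAMPLE_ARCHIVE + b"\x00"))
```

Requiring every listed checksum to match, rather than any one of them, mirrors how a lockfile consumer should treat multiple recorded digests: a single mismatch means the artifact is not the one that was locked.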