[opam-devel] mailing list for opam-repo maintainers

Michael Grünewald michipili at gmail.com
Mon Feb 22 16:14:45 GMT 2016


Two mostly off-topic comments prompted by this paragraph:

> On 22 Feb 2016, at 16:41, David Allsopp <dra-news at metastack.com> wrote:
> 
> On this string of PRs, I’m wondering if you’re treating the symptom, and not the cause. Each PR so far is to do with an altered checksum from a code service’s binary release system which suggests that they’re not canonical (i.e. that they’ve changed the zip in what should be a trivial manner – e.g. putting the files in a different order). Rather than fixing the checksums, and causing this to happen again at the whim of a zip library, would it not be better to put in place a policy that zip links should not be to GitHub/BitBucket/Whatever auto-generating URLs but to actual static files (e.g. on github.io)?

1. It is surprisingly difficult to deterministically produce archives using
   common archiving tools. One of the “simplest” ways to achieve this is

    find "${DIRECTORY}" -name '.git' -prune -o -type f -print \
        | sort \
        | cpio -o -a --format=ustar \
        > "${ARCHIVE}"

   Using widely available compression algorithms will break determinism
   (gz, bz2, xz), maybe because of multi-threading or a randomization
   strategy used to avoid worst-case distribution scenarios.  This is
   mostly speculative, as I did not make any effort to check this. :)


2. The build system bsdowl I write and use for my OCaml packages supports
   production of GPG-signed archives with `make dist`; see
   for instance https://github.com/michipili/lemonade for a short
   example.

Best regards,
Michael
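The sorted `find | archiver` recipe from the message above, worked through as an added example (this is not code from the original post or from bsdowl). It builds a throw-away source tree twice with different mtimes, archives each build once naively and once with a pinned file order, mtime and owner plus `gzip -n`, and compares the digests. It assumes GNU tar, gzip and sha256sum, as found on a typical Linux host; the sample tree, the fixed date and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original message or from bsdowl.
# Assumes GNU tar, gzip and sha256sum; builds its own sample tree, so it
# runs offline.
set -eu

# Constructed sample tree: a small OCaml-ish project plus a .git directory
# that must not end up in the archive. $2 is the mtime stamped on everything.
make_tree() {
    dir=$1; stamp=$2
    mkdir -p "$dir/src" "$dir/.git"
    printf 'let () = print_endline "hi"\n' > "$dir/src/main.ml"
    printf 'opam-version: "1.2"\n' > "$dir/opam"
    printf 'junk\n' > "$dir/.git/HEAD"
    find "$dir" -exec touch -d "$stamp" {} +
}

# Naive archive: readdir order, live mtimes and the real uid/gid/uname all
# leak into the ustar headers, and .git is swept in as well.
naive_tar() {
    tar -cf "$2" -C "$1" .
}

# Reproducible archive: explicit sorted file list (as in the message),
# pinned mtime and owner, plain ustar, and gzip -n so the gz header carries
# neither a timestamp nor the input file name.
repro_tar_gz() {
    src=$1; out=$2
    ( cd "$src" \
      && find . -name .git -prune -o -type f -print | LC_ALL=C sort \
      | tar --no-recursion --format=ustar \
            --mtime='2016-02-22 00:00:00 UTC' \
            --owner=0 --group=0 --numeric-owner \
            -cf - -T - ) \
    | gzip -9n > "$out"
}

sha() { sha256sum "$1" | cut -d' ' -f1; }

# Build the tree twice with different mtimes and archive each build both
# ways. Leaves the digests and the member list in globals for inspection
# and returns 0 only if the two reproducible archives are byte-identical.
compare_runs() {
    work=$(mktemp -d)
    make_tree "$work/a" '2016-02-22 12:00'
    make_tree "$work/b" '2016-02-23 12:00'
    naive_tar    "$work/a" "$work/a.tar"; naive_tar    "$work/b" "$work/b.tar"
    repro_tar_gz "$work/a" "$work/a.tgz"; repro_tar_gz "$work/b" "$work/b.tgz"
    NAIVE_A=$(sha "$work/a.tar"); NAIVE_B=$(sha "$work/b.tar")
    REPRO_A=$(sha "$work/a.tgz"); REPRO_B=$(sha "$work/b.tgz")
    REPRO_MEMBERS=$(tar -tzf "$work/a.tgz")
    rm -rf "$work"
    printf 'naive: %s\n       %s\n' "$NAIVE_A" "$NAIVE_B"
    printf 'repro: %s\n       %s\n' "$REPRO_A" "$REPRO_B"
    printf 'repro members:\n%s\n' "$REPRO_MEMBERS"
    [ "$REPRO_A" = "$REPRO_B" ]
}

compare_runs
```

The naive digests differ because the ustar header stores each member's mtime; the reproducible ones agree because every input to the header (order, mtime, uid/gid, uname/gname) has been fixed. `gzip -n` matters on its own: without it the gz header records the input's mtime, so two identical tars gzipped at different times still hash differently. The same `--mtime`/`--owner`/`--group` pinning is needed whichever archiver you use, since uid and uname otherwise vary from the maintainer's machine to the CI host.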



More information about the opam-devel mailing list