[opam-devel] more committers needed ?
Anil Madhavapeddy
anil at recoil.org
Wed Mar 30 12:03:39 BST 2016
That actually sounds like the perfect workflow for signing... if there was some way to sign it (perhaps keybase.io via JavaScript) without a CLI, it would be much more widely adopted.
-anil
> On 30 Mar 2016, at 12:02, Louis Gesbert <louis.gesbert at ocamlpro.com> wrote:
>
> Note that it would become more complicated with our upcoming signed
> repository, since the package maintainer needs to sign for each new release.
> Maybe we could find a way to re-use git signed commits as releases, but that
> sounds complicated and could be an attack vector.
>
> More simply, the mechanism could do all the work, and poll the package
> maintainer for a signature (assuming he wouldn't sign without actually
> checking?). Something like a mail with instructions and archive + cryptohash
> to verify, then a command to run and it's done.
>
> On Wednesday, 30 March 2016, 11:38:39, Thomas Gazagnaire wrote:
>>> The OPAM tool indeed supports this model, but the automation
>>> infrastructure isn't fully written and deployed yet. There are various
>>> tools in-flight that do portions of this, but none exist that poll the
>>> --dev repository (e.g. for a new GitHub release) and autocreate a PR.
>> yes, that's a very good idea! (and not difficult to do actually)
>>
>>> I think that's an interesting idea, as instead of the repository
>>> maintainer pushing a release and OPAM package, we could take the burden
>>> off the creator and poll for releases on the upstream GitHub repositories
>>> instead.
>>>
>>> One advantage of this "pull" model is that it ensures that the upstream
>>> `opam` metadata is sane, since that would form the basis for the PR.
>>> Right now they can diverge due to manual intervention.
>>>
>>> Anil
>>>
>>>> On 22 Feb 2016, at 22:14, Cheng Lou <chenglou92 at gmail.com> wrote:
>>>>
>>>> Sorry for hijacking the discussion. I'm new to OPAM, but is there a
>>>> reason why PRs for package upgrades can't be managed automatically? E.g.
>>>> asking for a git URL and either periodically check for new release tags,
>>>> or check on the fly when installing a library.
>>>>
>>>> On Wednesday, February 17, 2016 at 7:27:49 AM UTC-5, Fabrice Le Fessant
>>>> wrote:
>>>> Hi,
>>>>
>>>> If there is some need to help managing PRs to the opam-repository,
>>>> Grégoire Henry (OCamlPro-Henry on Github) and myself (lefessan on
>>>> Github) are volunteers to spend some time doing it.
>>>>
>>>> Best regards,
>>>> --Fabrice
>>>>
>>>> _______________________________________________
>>>> opam-devel mailing list
>>>> opam-devel at lists.ocaml.org <mailto:opam-devel at lists.ocaml.org>
>>>> http://lists.ocaml.org/listinfo/opam-devel