[opam-devel] current opam-repository policy : who can modify a package description

Fabrice Le Fessant fabrice.le_fessant at ocamlpro.com
Mon Feb 22 10:09:12 GMT 2016


As discussed on here:
the current opam-repository policy is loose, in the sense that anybody can
modify anybody else's package description. I think the reason for that, in
the past, has been that it allowed the repository maintainers to improve
the global quality of the repository.

I think it's time to discuss if we should keep this policy, or if we should
be a little more strict about that. Here are a few reasons to make the
policy stricter:

* the future authentication system for opam-repository will prevent
anybody, except maybe admins, from modifying somebody else's package. Thus,
the current policy will not be possible in that future;

* when a package description is updated without the owner knowing it, it can
lead to inconsistencies (the owner might update the package later without
applying the patch, or propose a new version without the patch, thus
leading to a regression) and the owner might not learn about the problem
(it happened to me this weekend, as I would not have known about a
regression in ocp-build if I had not noticed a PR on ocp-index that uses

* a maintainer's fix might be of less quality than an owner's fix, because
he might not know why something is done or not done. Discussing with the
upstream developer usually is thus a better approach.

* the strict policy has been used for years by Debian, with good success.

For all these reasons, I propose to switch to the strict mode. Of course,
some fixes are still possible directly by maintainers, such as fixing
broken urls (without changing the checksum). These exceptions should be
specified too.