[opam-devel] current opam-repository policy : who can modify a package description
Fabrice Le Fessant
fabrice.le_fessant at ocamlpro.com
Mon Feb 22 10:09:12 GMT 2016
As discussed on here:
the current opam-repository policy is loose, in the sense that anybody can
modify anybody else's package description. I think the reason for that, in
the past, has been that it allowed the repository maintainers to improve
the global quality of the repository.
I think it's time to discuss if we should keep this policy, or if we should
be a little more strict about that. Here are a few reasons to make the
* the future authentication system for opam-repository will prevent
anybody, except maybe admins, from modifying somebody else's package. Thus,
the current policy will not be possible in that future;
* when a package description is updated without the owner knowing it, it can
lead to inconsistencies (the owner might update the package later without
applying the patch, or propose a new version without the patch, thus
leading to a regression) and the owner might not learn about the problem
(it happened to me this weekend, as I would not have known about a
regression in ocp-build if I had not noticed a PR on ocp-index that uses
* a maintainer's fix might be of lower quality than an owner's fix, because
he might not know why something is done or not done. Discussing with the
upstream developer usually is thus a better approach.
* the strict policy has been used for years by Debian, with good success.
For all these reasons, I propose to switch to the strict mode. Of course,
some fixes are still possible directly by maintainers, such as fixing
broken URLs (without changing the checksum). These exceptions should be