[opam-devel] mailing list for opam-repo maintainers
Michael Grünewald
michipili at gmail.com
Mon Feb 22 16:14:45 GMT 2016
Two mostly off-topic comments prompted by this paragraph:
> On 22 Feb 2016, at 16:41, David Allsopp <dra-news at metastack.com> wrote:
>
> On this string of PRs, I’m wondering if you’re treating the symptom, and not the cause. Each PR so far is to do with an altered checksum from a code service’s binary release system which suggests that they’re not canonical (i.e. that they’ve changed the zip in what should be a trivial manner – e.g. putting the files in a different order). Rather than fixing the checksums, and causing this to happen again at the whim of a zip library, would it not be better to put in place a policy that zip links should not be to GitHub/BitBucket/Whatever auto-generating URLs but to actual static files (e.g. on github.io)?
1. It is surprisingly difficult to deterministically produce archives using
common archiving tools. One of the “simplest” ways to achieve this is
    find "${DIRECTORY}" -name '.git' -prune -o -type f -print \
    | LC_ALL=C sort \
    | cpio -o -a --format=ustar \
    > "${ARCHIVE}"
    # LC_ALL=C gives a byte-order sort, so the member order does not depend on the locale
Using widely available compression algorithms will break determinism
(gz, bz2, xz), maybe because of multi-threading or a randomization
strategy used to avoid worst-case distribution scenarios. This is
mostly speculative, as I did not make any effort to check this. :)
2. The build system bsdowl I write and use for my OCaml packages supports
production of GPG-signed archives with `make dist`; see
for instance https://github.com/michipili/lemonade for a short
example.
Best regards,
Michael
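The first comment above, turned into something runnable: the following is an added example (not Michael's bsdowl code and not part of this thread) that does in Python what the `find | sort | cpio` pipeline is after. It builds a .tar.gz twice from the same constructed sample tree, "checked out" at two different fixed timestamps and in two different temporary directories, and compares the SHA-256 digests. The plain-`tar czf` equivalent changes between the two builds; the version with sorted members, normalised mtime/uid/gid/mode and a zeroed gzip header does not, which is exactly the property a checksum pinned in an opam file relies on. The sample tree, its contents and the timestamps are constructed test data.

```python
# Added example (not from the original post): building a tar.gz whose bytes,
# and therefore whose checksum, do not depend on when or where it was built.
# The tree contents and the timestamps used below are constructed test data.
import gzip
import hashlib
import io
import os
import tarfile
import tempfile


def deterministic_tgz(directory):
    """Archive the regular files under `directory` reproducibly.

    Sources of nondeterminism that are removed: member order (sorted walk),
    mtime/uid/gid/user names (fixed), mode (normalised to 644/755) and the
    gzip header timestamp (set to 0, no embedded filename). `.git` is pruned,
    as the `find ... -name '.git' -prune` in the post does.
    """
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for root, dirs, files in os.walk(directory):
            dirs[:] = sorted(d for d in dirs if d != ".git")  # prune and order the descent
            for name in sorted(files):
                path = os.path.join(root, name)
                info = tar.gettarinfo(path, arcname=os.path.relpath(path, directory))
                info.mtime = 0
                info.uid = info.gid = 0
                info.uname = info.gname = ""
                info.mode = 0o755 if os.access(path, os.X_OK) else 0o644
                with open(path, "rb") as fh:
                    tar.addfile(info, fh)
    out = io.BytesIO()
    # mtime=0 and no filename: the gzip header itself is otherwise a clock leak
    with gzip.GzipFile(fileobj=out, mode="wb", mtime=0) as gz:
        gz.write(raw.getvalue())
    return out.getvalue()


def naive_tgz(directory):
    """Equivalent of a plain `tar czf`: on-disk metadata and the gzip clock leak into the output."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        tar.add(directory, arcname=".")
    return out.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def member_names(data):
    """Member names of a .tar.gz, in archive order."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        return tar.getnames()


def make_sample_tree(base, stamp):
    """Constructed sample project; every file gets mtime `stamp`, as a fresh checkout would."""
    os.makedirs(os.path.join(base, "src"))
    os.makedirs(os.path.join(base, ".git"))
    contents = {
        "opam": 'opam-version: "1.2"\n',
        os.path.join("src", "main.ml"): 'let () = print_endline "hello"\n',
        os.path.join(".git", "HEAD"): "ref: refs/heads/master\n",
    }
    for rel, text in contents.items():
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write(text)
        os.utime(path, (stamp, stamp))


def demo():
    """Build the same tree at two different times and paths, then compare checksums."""
    det, naive = [], []
    for stamp in (1_000_000_000, 1_100_000_000):
        with tempfile.TemporaryDirectory() as tmp:
            make_sample_tree(tmp, stamp)
            det.append(deterministic_tgz(tmp))
            naive.append(naive_tgz(tmp))
    return {
        "deterministic_stable": sha256_hex(det[0]) == sha256_hex(det[1]),
        "naive_stable": sha256_hex(naive[0]) == sha256_hex(naive[1]),
        "members": member_names(det[0]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints `deterministic_stable: True`, `naive_stable: False` and the member list `['opam', 'src/main.ml']`: the `.git` directory is pruned and only regular files are archived, mirroring `-type f` in the shell pipeline. The same normalisation is what lets a repository maintainer recompute a pinned checksum from source and get the published value back.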