[opam-devel] current opam-repository policy : who can modify a package description

Hannes Mehnert hannes at mehnert.org
Mon Feb 22 16:23:43 GMT 2016


Hello,

On 02/22/16 11:09 AM, Fabrice Le Fessant wrote:
> * the future authentication system for opam-repository will prevent
> anybody, except maybe admins, from modifying somebody else's package. Thus,
> the current policy will not be possible in that future;

I'm really glad that the opam-repository mostly consists of package
authors who submit their packages, and nearly no intermediaries who
write custom patches (as in the debian world).

The current workflow is that an author publishes their release, with
lower bounds on dependencies.  This will be the same in the future.

When a new release of any dependency is issued, this might be
incompatible with earlier versions (unfortunately we don't enforce
semantic versioning, afaik elm does this and opam should adapt).  This
is the main reason for the existence of repository maintainers - they
fix upper bounds of dependent packages to have the opam-repository in a
working state (otherwise users, who download it and want to install
things end up with a broken repository; or the release process of any
package needs to involve the coordination of all reverse dependencies -
I don't believe this is realistic).

The signing proposal retains the role of repository maintainers for
exactly this purpose - but it will need a quorum (of 3? - the concrete
number needs some discussion) of repository maintainers to coordinate
(otherwise, a single compromised repository maintainer can arbitrarily
modify the entire repository, which means there's no need for signing by
authors in the first place).

Any modification to the opam file needs to be signed by either the
author(s) [there may be multiple people who own a single package] or a
quorum of repository maintainers.  There's no categorisation of
modifications into 'allowed for repository maintainer/allowed only by
author'.

I expect that quickfixes, such as patches for platform X, or upper bound
of dependency Y, will get upstreamed to the authors.  I think a
notification system which automatically informs the author would be
great to have (independent of the signing)!


hannes
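The author-or-quorum rule described in the message above, as an added example that is not code from this thread or from opam itself: a check that accepts a modified opam file only if a package author signed it, or if a quorum of distinct repository maintainers did. The quorum of 3, the toy HMAC keys standing in for real OpenPGP/public-key signatures, and the package and key names are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

QUORUM = 3  # assumed maintainer quorum; the thread leaves the exact number open

# Constructed toy keys: one secret per key id, known to the verifier because HMAC
# is symmetric. A real deployment would use public-key signatures (e.g. OpenPGP).
KEYS = {
    "author-a": b"secret-author-a",
    "maint-1": b"secret-maint-1",
    "maint-2": b"secret-maint-2",
    "maint-3": b"secret-maint-3",
}
AUTHORS = {"foo": ["author-a"]}  # package name -> owning key ids (constructed)
MAINTAINERS = ["maint-1", "maint-2", "maint-3"]  # constructed maintainer key ids
OPAM_FILE = b'opam-version: "2.0"\ndepends: [ "bar" {< "2.0"} ]\n'  # constructed upper-bound fix

@dataclass(frozen=True)
class Signature:
    signer: str  # key id of the signer
    mac: bytes   # HMAC-SHA256 over the opam file contents

def sign(signer: str, opam_file: bytes) -> Signature:
    """Sign opam_file with the signer's key (toy stand-in for a real signature)."""
    return Signature(signer, hmac.new(KEYS[signer], opam_file, hashlib.sha256).digest())

def valid_signers(opam_file: bytes, signatures) -> set:
    """Distinct signers whose signature verifies over exactly this opam_file."""
    ok = set()
    for s in signatures:
        key = KEYS.get(s.signer)
        if key is None:
            continue  # unknown key id: ignored, never counted toward a quorum
        expected = hmac.new(key, opam_file, hashlib.sha256).digest()
        if hmac.compare_digest(expected, s.mac):
            ok.add(s.signer)
    return ok

def modification_authorized(package: str, opam_file: bytes, signatures, quorum=QUORUM) -> bool:
    """Accept the modified opam file if a package author signed it, or if a quorum of
    distinct repository maintainers did. Repeated signatures from one maintainer count
    once, so a single compromised maintainer key cannot reach the quorum on its own."""
    signers = valid_signers(opam_file, signatures)
    if signers & set(AUTHORS.get(package, [])):
        return True
    return len(signers & set(MAINTAINERS)) >= quorum
```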
