[ocaml-platform] Secure OPAM?

Gabriel Scherer gabriel.scherer at gmail.com
Sat Jan 17 15:19:46 GMT 2015

There is an excellent piece at LWN.net (do consider subscribing to
this source of quality technical news) about a recent discussion in
the Python community on how to "secure" their package manager

The article discusses in particular a library called TUF (The Update
Framework) that aims to help solve the problem in a
package-manager-agnostic way.
(this page has some other interesting links, e.g. to a similar
discussion in the Ruby community about RubyGems)

Is there a reference point to a discussion of the security aspects of
the OPAM package manager? What I found so far is this 2013 issue by
Edwin Török on signing packages:

As far as I know, the current status is that OPAM checks downloaded
packages against the checksum in opam-repository, so it protects
against an attacker changing upstream releases, assuming the
opam-repository remains trusted and there is no man-in-the-middle
(MITM) attack when the user downloads the metadata -- afaik it uses
only HTTP currently.


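The following Python script is an added illustration, not code from the original message or from OPAM itself. It models the check described above (archive bytes compared against a checksum recorded in the repository metadata) and runs the two threat scenarios the message distinguishes: an attacker who replaces the upstream release but cannot touch the metadata, and an attacker on the plain-HTTP path who rewrites metadata and archive together. A third function shows what changes once the client holds an out-of-band digest of the metadata, which is one way to turn "opam-repository remains trusted" into an enforced check. The `archive:`/`checksum:` file layout, the use of MD5 for that field, and all URLs and archive contents are assumptions constructed for the example.

```python
"""Toy model of checksum-pinned package downloads and their trust assumptions.

Added example; not OPAM's code. Sample data below is constructed.
"""
import hashlib

# Constructed sample inputs (not real packages or real opam-repository data).
UPSTREAM_ARCHIVE = b"foo-1.0: genuine upstream release tarball bytes"
TROJANED_ARCHIVE = b"foo-1.0: tarball with a backdoor inserted"
ARCHIVE_URL = "http://upstream.example.invalid/foo-1.0.tar.gz"  # assumed URL


def md5_hex(data: bytes) -> str:
    """Hex digest for the checksum field (MD5 is assumed here, as a stand-in
    for whatever digest the repository records)."""
    return hashlib.md5(data).hexdigest()


def make_url_file(archive_url: str, archive: bytes) -> str:
    """Model of the per-version `url` file shipped by the repository: where to
    fetch the archive and the checksum it must match. Layout is assumed."""
    return f'archive: "{archive_url}"\nchecksum: "{md5_hex(archive)}"\n'


def parse_url_file(text: str) -> dict:
    """Minimal parser for the two-field file built by make_url_file."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields


def verify_download(url_file_text: str, downloaded: bytes) -> bool:
    """What the client does after downloading: compare the archive against the
    checksum it read from the repository metadata. True means accepted."""
    expected = parse_url_file(url_file_text)["checksum"]
    return md5_hex(downloaded) == expected


def upstream_replaced() -> bool:
    """Attacker swaps the release on the upstream server only. The metadata
    came from a trusted repository, so the recorded checksum no longer
    matches and the download is rejected (returns False)."""
    honest_metadata = make_url_file(ARCHIVE_URL, UPSTREAM_ARCHIVE)
    return verify_download(honest_metadata, TROJANED_ARCHIVE)


def mitm_on_http() -> bool:
    """Attacker on the plain-HTTP path rewrites both the metadata and the
    archive consistently. The checksum check is satisfied by construction,
    so the trojaned archive is accepted (returns True)."""
    attacker_metadata = make_url_file(ARCHIVE_URL, TROJANED_ARCHIVE)
    return verify_download(attacker_metadata, TROJANED_ARCHIVE)


def metadata_digest(url_file_text: str) -> str:
    """Digest over the metadata file itself, as a client might obtain out of
    band (e.g. from a repository snapshot fetched over a trusted channel)."""
    return hashlib.sha256(url_file_text.encode()).hexdigest()


def mitm_with_pinned_metadata() -> bool:
    """Same MITM as mitm_on_http, but the client also holds a pinned digest of
    the metadata it expects. Metadata substitution is detected before any
    archive checksum is consulted (returns False)."""
    pinned = metadata_digest(make_url_file(ARCHIVE_URL, UPSTREAM_ARCHIVE))
    received_metadata = make_url_file(ARCHIVE_URL, TROJANED_ARCHIVE)
    if metadata_digest(received_metadata) != pinned:
        return False  # metadata tampered with; do not trust its checksum
    return verify_download(received_metadata, TROJANED_ARCHIVE)


if __name__ == "__main__":
    print("upstream release replaced, metadata trusted -> accepted:",
          upstream_replaced())
    print("MITM rewrites metadata and archive over HTTP -> accepted:",
          mitm_on_http())
    print("same MITM, client pins metadata digest      -> accepted:",
          mitm_with_pinned_metadata())
```

The point of the three results: the checksum in the metadata only moves trust from the download channel to the metadata channel. If the metadata itself arrives over an unauthenticated path, an attacker who controls that path can make the archive and its recorded checksum agree; some independent anchor for the metadata (a pinned digest, or the signatures that TUF is designed to provide) is needed before the checksum means anything.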