[ocaml-platform] OPAM: signing the repository

Louis Gesbert louis.gesbert at ocamlpro.com
Sat Jun 6 02:36:32 BST 2015

> - Daniel Bünzli, 05/06/2015 13:32 -
> Here are a few comments.


> * It seems to me that you introduce the concepts of "developer", "package maintainer" and "author" which are all the same. It would be clearer if a single name was kept and used consistently.

Correct, indeed. Let's pin to "developer", avoiding confusion with "repository maintainer" (or just "maintainer"?)

> * I'm not sure that "Date is in the ISO 8601 standard" is what you actually want as this is an incredibly flexible standard to represent date and time (e.g. you can use a year, week number and week day). What you are likely meaning is that the date is in the RFC 3339 standard, a sane subset of the ISO 8601 standard.

Hmm, I just copied that from TUF without looking into the details... Will fix with something more precise, thanks!

> * Wouldn't it be better to bring the compiler-as-package work to an end before doing this so that you don't have to special case for them (and thus reduce the complexity, attack surface, etc.) ?

The two different hierarchies and naming policies for /packages and /compilers are indeed a mess; that's why we suggest refactoring the /compilers hierarchy in the proposal.

Compilers-as-packages, though, doesn't completely fix the problem: in its current form, it still uses compiler definitions. The difference is that they are limited to metadata (e.g. a list of core packages, that are required and immovable), while currently compiler definitions refer to source archive and upstream patches.

Completely getting rid of compiler files would be nice, but requires some more design: adding specific tags, and maybe fields, to opam files, and handling those properly. I'll see if I can work something out, this has already been waiting for too long.
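The point about "ISO 8601" versus RFC 3339 above is a real interoperability and security concern for signed metadata: if two clients parse an expiry date differently, one of them can be made to accept stale (or not-yet-valid) signed files. The following is an added example, not OPAM's code and not taken from the proposal, written in Python rather than OCaml so it can be run directly. It implements a strict parser for the RFC 3339 `date-time` production only, rejecting the other ISO 8601 forms (week dates, ordinal dates, basic format without separators, timestamps with no UTC offset), and applies it to a constructed, TUF-style metadata dictionary with an `expires` field. The `metadata_is_current` helper and the `SAMPLE` dictionary are assumptions for illustration, not part of any actual OPAM format.

```python
"""Strict RFC 3339 timestamp validation for signed repository metadata.

Added example (not OPAM's own code). Only the RFC 3339 `date-time`
production is accepted, so that every client agrees on when a signed
file expires; other ISO 8601 spellings are refused outright.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 3339:  date-time   = full-date "T" full-time
#            full-time   = partial-time time-offset
#            time-offset = "Z" / ("+" / "-") time-hour ":" time-minute
RFC3339 = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})[Tt]"
    r"(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,9}))?"
    r"([Zz]|[+-]\d{2}:\d{2})$"
)


def parse_rfc3339(text):
    """Return a timezone-aware datetime, or raise ValueError.

    Anything that is ISO 8601 but not RFC 3339 (e.g. "2015-W23-5",
    "2015-156", "20150605T133200Z", a time with no offset) is rejected.
    """
    m = RFC3339.match(text)
    if m is None:
        raise ValueError("not an RFC 3339 date-time: %r" % (text,))
    y, mo, d, h, mi, s, frac, off = m.groups()
    if off.upper() == "Z":
        tz = timezone.utc
    else:
        sign = 1 if off[0] == "+" else -1
        oh, om = int(off[1:3]), int(off[4:6])
        if oh > 23 or om > 59:
            raise ValueError("bad UTC offset: %r" % (off,))
        tz = timezone(sign * timedelta(hours=oh, minutes=om))
    # Fractional seconds: pad/truncate to microseconds.
    micro = int((frac or "0").ljust(6, "0")[:6])
    # datetime() validates month/day/hour/minute ranges, so "2015-02-30"
    # fails here. It does not accept second == 60, so a leap-second
    # timestamp is also refused; for an expiry field that is acceptable.
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    micro, tzinfo=tz)


def is_rfc3339(text):
    """Boolean wrapper around parse_rfc3339 for quick checks."""
    try:
        parse_rfc3339(text)
        return True
    except ValueError:
        return False


def metadata_is_current(metadata, now):
    """True if a signed metadata file has not expired at `now`.

    `now` must be an aware datetime; comparing against a naive one
    would raise, which is the right failure mode for a security check.
    Hypothetical helper, not an OPAM API.
    """
    expires = parse_rfc3339(metadata["expires"])
    return now < expires


# Constructed sample in the spirit of a TUF-style signed file; not real data.
SAMPLE = {"_type": "root", "version": 1, "expires": "2015-12-31T23:59:59Z"}


if __name__ == "__main__":
    for s in ["2015-06-05T13:32:00Z", "2015-06-06T02:36:32+01:00",
              "2015-W23-5", "2015-156", "20150605T133200Z",
              "2015-06-05T13:32:00", "2015-02-30T00:00:00Z"]:
        print("%-28s %s" % (s, "ok" if is_rfc3339(s) else "rejected"))
    now = parse_rfc3339("2015-06-06T01:36:32Z")
    print("sample current at", now.isoformat(), "->",
          metadata_is_current(SAMPLE, now))
```

The regular expression is intentionally narrow; the usual bug is to reach for a permissive library parser that silently accepts a week-date or a naive local time and then compares it against UTC, which is exactly the kind of implementation divergence a freshness check cannot tolerate.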

