Usage of pin-depends in opam-repository released packages #14978

Closed
hannesm opened this issue Oct 2, 2019 · 4 comments · Fixed by #14980

@hannesm
Member

hannesm commented Oct 2, 2019

Dear valued maintainers,

opam packages released to opam-repository contain checksums of tarballs to ensure that the same tarball is used for installation as intended by the person doing a release. opam packages which point to a branch / tag are generally not accepted AFAICT.

opam 2.0 introduced a pin-depends stanza to specify dependencies of certain off-trunk dependencies (i.e. a custom version of yyy). I just discovered that the opam-repository contains a few packages with pin-depends, which I assume should not be there, applying the same rule above.

```
# git grep -A1 pin-depends
packages/emile/emile.0.5/opam:pin-depends: [
packages/emile/emile.0.5/opam-  [ "mrmime.dev" "git+https://github.com/mirage/mrmime.git" ]
--
packages/mirage-block-xen/mirage-block-xen.1.6.2/opam:pin-depends: [
packages/mirage-block-xen/mirage-block-xen.1.6.2/opam-  ["mirage-xen.dev" "git+https://github.com/mirage/mirage-xen"]
--
packages/mrmime/mrmime.0.1.0/opam:pin-depends: [
packages/mrmime/mrmime.0.1.0/opam-  [ "crowbar.dev" "git+https://github.com/stedolan/crowbar.git" ]
--
packages/sendmail-lwt/sendmail-lwt.0.1.0/opam:pin-depends: [
packages/sendmail-lwt/sendmail-lwt.0.1.0/opam-  [ "crowbar.dev" "git+https://github.com/stedolan/crowbar.git" ]
--
packages/sendmail/sendmail.0.1.0/opam:pin-depends: [
packages/sendmail/sendmail.0.1.0/opam-  [ "crowbar.dev" "git+https://github.com/stedolan/crowbar.git" ]
```

//cc @kit-ty-kate @AltGr @camelus maybe camelus should discover and warn the usage thereof? (it could as well warn/error if there's no checksum)

//cc @dinosaure (who's the maintainer of most packages above)

(see #14977 for a fix of mirage-block-xen)
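
One way to implement the check suggested above for Camelus (flag any pin-depends entry, and any url section without a checksum), as an added example that is not part of the original thread and is not Camelus code. It assumes a simplified tokenizer instead of the real opam parser; the sample opam files, package names and example.org URLs are constructed.

```python
import re

# Simplified tokenizer (an assumption; real tools should use the opam parser).
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|#[^\n]*|[\[\]{}]|[^\s\[\]{}"#]+')

# Constructed sample opam files (hypothetical package, not from opam-repository).
PINNED = '''opam-version: "2.0"
depends: [ "ocaml" {>= "4.03.0"} "example-dep" ]
# pin-depends: [ [ "commented.dev" "git+https://example.org/old.git" ] ]
pin-depends: [
  [ "example-dep.dev" "git+https://example.org/example-dep.git" ]
]
url { src: "https://example.org/pkg-0.1.0.tbz" }
'''
RELEASED = '''opam-version: "2.0"
depends: [ "ocaml" "example-dep" ]
url {
  src: "https://example.org/pkg-0.1.1.tbz"
  checksum: "sha256=<placeholder>"
}
'''

def group(toks, start, opener, closer):
    """Tokens inside the balanced opener/closer group that begins at toks[start]."""
    depth, out = 0, []
    for t in toks[start:]:
        depth += (t == opener) - (t == closer)
        if depth == 0:
            break
        out.append(t)
    return out[1:]  # drop the opening delimiter itself

def lint_opam(text):
    """Report pin-depends entries and url sections that carry no checksum."""
    toks = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    findings = []
    for i, t in enumerate(toks):
        if t == "pin-depends:":
            strs = [s.strip('"') for s in group(toks, i + 1, "[", "]") if s[0] == '"']
            findings += [("pin-depends", n, u) for n, u in zip(strs[0::2], strs[1::2])]
        elif t == "url" and toks[i + 1:i + 2] == ["{"]:
            body = group(toks, i + 1, "{", "}")
            if "checksum:" not in body:
                # Pair each token with its successor to look up the value after "src:".
                src = dict(zip(body, body[1:])).get("src:", "").strip('"')
                findings.append(("no-checksum", "url", src))
    return findings

if __name__ == "__main__":
    for label, text in (("pinned", PINNED), ("released", RELEASED)):
        print(label, lint_opam(text) or "ok")
```

The commented-out pin-depends line in the first sample is ignored, so only the live stanza and the checksum-less url section are reported.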

@dinosaure
Contributor

emile should safely use mrmime.0.1.0 👍

However, about crowbar, I noticed several times a lock about dependencies when I use it for tests. @kit-ty-kate is more aware.

@kit-ty-kate
Member

The crowbar issue is due to #14978 and can't be fixed with a pinned-dependency. It's safe to remove all of them then. Sorry for this, I'm responsible for most of the merges I believe. Sending a fix in a minute.

@kit-ty-kate
Member

@hannesm could you open an issue on Camelus? I'm going to close this one as soon as it is fixed in opam-repository

@hannesm
Member Author

hannesm commented Oct 2, 2019

@kit-ty-kate done ocaml-opam/Camelus#34
