policy question: existing packages without checksums

Question

policy question: existing packages without checksums

Closed this issue 3 months ago · 2 comments

Dear everyone,

there's a bunch of packages without checksum. I wanted to ensure everyone is on the same page.

My goal is to discuss what to do with the packages that are not checked (i.e. that are available etc. in the opam-repository). I put them into categories and suggested what I'd do. If you agree, let me know - I'm happy to prepare a PR with the suggestions I noted.

arbitrary packages (my suggestion: mark as `available: false` - each package has a newer version available in opam-repository)

see #25981

merlin and lsp (inconsistent, there are further `preview` versions with `available: false`), suggestion: mark the remaining two with `available: false`

ocaml-lsp-server.1.9.0~4.13preview (available: false)
ocaml-lsp-server.1.9.2~4.14preview (available: false)
ocaml-lsp-server.1.13.2~5.0preview (flags: avoid-version)
dot-merlin-reader.4.4~5.0.preview (src: "git+https://github.com/kit-ty-kate/merlin.git#500")
merlin-lib.4.4~5.0.preview (src: "git+https://github.com/kit-ty-kate/merlin.git#500")
merlin.4.3.2~4.13preview (available: false)
merlin.4.4.1~4.14preview (available: false)
merlin.4.6.1~5.0preview (available: false)

ocaml source

ocaml-src.4.13.dev (flags: avoid-version)
ocaml-src.4.14.dev (flags: avoid-version)
ocaml-src.5.0.dev (flags: avoid-version)

statmemprof (suggestion: add checksums)

note there's as well 4.04.2+statistical-memproif, and 4.06.1 - both with checksums
see #25982

ocaml-variants.4.03.0+statistical-memprof (src: "https://github.com/jhjourdan/ocaml/archive/memprof_4.03.tar.gz")
ocaml-variants.4.05.0+statistical-memprof (src: "https://github.com/jhjourdan/ocaml/archive/memprof_4.05.0.tar.gz")
ocaml-variants.4.06.0+statistical-memprof (src: "https://github.com/jhjourdan/ocaml/archive/memprof_4.06.0.tar.gz")
ocaml-variants.4.07.1+statistical-memprof (src: "https://github.com/jhjourdan/ocaml/archive/memprof_4.07.1.tar.gz")

variants (suggestion: keep them, but better not accept new ones without a tarball)

ocaml-variants.4.10.0+nnpcheck (src: "git+https://github.com/kayceesrk/ocaml.git#4.10.0+nnp+check")
ocaml-variants.4.12.0+domains (src: "git+https://github.com/ocaml-multicore/ocaml-multicore.git#4.12+domains")
ocaml-variants.4.12.0+domains+effects (src: "git+https://github.com/ocaml-multicore/ocaml-multicore.git#4.12+domains+effects")
ocaml-variants.5.0.0+tsan (src: "https://github.com/ocaml-multicore/ocaml-tsan/archive/5.0.0+tsan.tar.gz")
ocaml-variants.4.02.3+buckle-master (src: "https://github.com/bloomberg/ocaml/archive/master.zip")

variants + trunk

Answer 1 · 2024-05-30T08:41:01.000Z

For merlin preview and the arbitrary packages I would go with available:false.
In the first case this is what we did with all other preview packages

Answer 2 · 2024-06-03T09:28:38.000Z

updated the list above, and put links to the PRs that were merged. closing since I don't think there'll be anything for the compilers.

arbitrary packages (my suggestion: mark as available: false - each package has a newer version available in opam-repository)

merlin and lsp (inconsistent, there are further preview versions with available: false), suggestion: mark the remaining two with available: false