Hello,

On 02/22/16 11:09 AM, Fabrice Le Fessant wrote:
> * the future authentication system for opam-repository will prevent
> anybody, except maybe admins, from modifying somebody else's package. Thus,
> the current policy will not be possible in that future;
I'm really glad that the opam-repository mostly consists of package authors who submit their packages, and nearly no intermediaries who write custom patches (as in the Debian world).

The current workflow is that an author publishes their release, with lower bounds on dependencies. That will be the same in the future. When a new release of any dependency is issued, this might be incompatible with earlier versions (unfortunately we don't enforce semantic versioning; afaik Elm does this and opam should adapt). This is the main reason for the existence of repository maintainers - they fix upper bounds of dependent packages to keep the opam-repository in a working state (otherwise users who download it and want to install things end up with a broken repository, or the release process of any package needs to involve the coordination of all reverse dependencies - I don't believe this is realistic).

The signing proposal retains the role of repository maintainers for exactly this purpose - but it will need a quorum (of 3? - the concrete number needs some discussion) of repository maintainers to coordinate (otherwise, a single compromised repository maintainer can arbitrarily modify the entire repository, which means there's no need for signing by authors in the first place).

Any modification to the opam file needs to be signed by either the author(s) [there may be multiple people who own a single package] or a quorum of repository maintainers. There's no categorisation of modifications into 'allowed for repository maintainer/allowed only by author'.

I expect that quickfixes, such as patches for platform X, or upper bound of dependency Y, will get upstreamed to the authors. I think a notification system which automatically informs the author would be great to have (independent of the signing)!

hannes
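The acceptance rule sketched in the message above (a change to a package's opam file is valid if signed by one of that package's authors, or by a quorum of distinct repository maintainers) as a worked check. This is an added example and not code from the opam project or from the poster. The quorum of 3, the key ids, the package name "foo" and the opam file contents are constructed for illustration; the signatures are HMAC-SHA256 stand-ins so the example runs offline with the standard library, whereas a real deployment would use asymmetric signatures (OpenPGP or Ed25519) with a key-to-role mapping distributed out of band.

```python
"""Quorum-signature check for an opam package file (illustrative, not opam's code).

Policy modelled: accept a change if it carries a valid signature from any
listed author of the package, OR valid signatures from at least QUORUM
distinct repository maintainers. A single maintainer (even a compromised
one) cannot push a change on their own, and repeating one maintainer's
signature does not count towards the quorum.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Tuple

QUORUM = 3  # number floated for discussion in the thread; assumed here

# Constructed key material (key id -> secret). With real asymmetric keys only
# the public half would be stored in the repository's trust data.
KEYS = {
    "author-alice": b"alice-secret",
    "author-bob": b"bob-secret",
    "maint-1": b"m1-secret",
    "maint-2": b"m2-secret",
    "maint-3": b"m3-secret",
    "maint-4": b"m4-secret",
}
AUTHORS = {"foo": {"author-alice", "author-bob"}}  # package -> author key ids
MAINTAINERS = {"maint-1", "maint-2", "maint-3", "maint-4"}

# Constructed opam file contents used as the signed object.
OPAM = b'opam-version: "1.2"\ndepends: [ "bar" {>= "1.0" & < "2.0"} ]\n'


@dataclass(frozen=True)
class Signature:
    key_id: str
    value: bytes  # tag over the SHA-256 digest of the exact file bytes


def digest(opam_bytes: bytes) -> bytes:
    return hashlib.sha256(opam_bytes).digest()


def sign(key_id: str, opam_bytes: bytes) -> Signature:
    """HMAC stand-in for a detached signature by key_id over the file bytes."""
    tag = hmac.new(KEYS[key_id], digest(opam_bytes), hashlib.sha256).digest()
    return Signature(key_id, tag)


def verify_one(sig: Signature, opam_bytes: bytes) -> bool:
    """True if sig is a valid signature by a known key over these exact bytes."""
    secret = KEYS.get(sig.key_id)
    if secret is None:
        return False
    expected = hmac.new(secret, digest(opam_bytes), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.value)


def accept_change(package: str, opam_bytes: bytes,
                  sigs: Iterable[Signature]) -> Tuple[bool, str]:
    """Apply the author-or-quorum rule; returns (accepted, reason)."""
    # A set of key ids: the same key signing twice counts once.
    valid = {s.key_id for s in sigs if verify_one(s, opam_bytes)}
    if valid & AUTHORS.get(package, set()):
        return True, "author signature"
    maint = valid & MAINTAINERS
    if len(maint) >= QUORUM:
        return True, "maintainer quorum (%d/%d)" % (len(maint), QUORUM)
    return False, "need an author or %d distinct maintainers, got %s" % (
        QUORUM, sorted(valid))


if __name__ == "__main__":
    print(accept_change("foo", OPAM, [sign("author-alice", OPAM)]))
    print(accept_change("foo", OPAM, [sign("maint-1", OPAM)] * 3))
    print(accept_change("foo", OPAM,
                        [sign(k, OPAM) for k in ("maint-1", "maint-2", "maint-3")]))
```

Two details matter for the threat in the message. Signatures bind to the digest of the exact opam file bytes, so a maintainer signature collected for one revision cannot be replayed on a later edit; and the quorum is counted over distinct key ids, so one compromised maintainer key cannot satisfy it by signing repeatedly.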
_______________________________________________
opam-devel mailing list
opam-devel@lists.ocaml.org
http://lists.ocaml.org/listinfo/opam-devel