
Archives checksums are not checked along with their corresponding urls #3504

Closed
kit-ty-kate opened this issue Aug 10, 2018 · 4 comments

Comments

@kit-ty-kate
Member

Let's say you have a package A with the following url section:

src: "https://github.com/<name1>/<project1>/archive/0.1.tar.gz"
checksum: "md5=a18d39762a27e18ff4548978536b8477"

and a package B with the following url section:

src: "https://github.com/<name2>/<project2>/archive/0.1.tar.gz"
checksum: "md5=a18d39762a27e18ff4548978536b8477"

If the archive of A is already present in the archive cache, then when you try to install package B, the archive from package A will be extracted instead and the build might fail (or worse: succeed and then install the wrong thing).

Tested with opam 2.0.0/rc4/final

@hannesm
Member

hannesm commented Aug 13, 2018

I don't fully understand - in your example the two checksums are equal, and that means that both archives should be equal as well!?

@kit-ty-kate
Member Author

No, the two archives have distinct contents. One does really have the right checksum and the other does not, and that's the problem.

@rjbou
Collaborator

rjbou commented Feb 20, 2019

As opam caches archives using the checksum, when package B is installed, the archive is found in the cache. One way to validate the archive checksum is to not use caching. Even with that, by default, opam2 downloads packages from opam.ocaml.org using their hashes.
This checksum validation should be done prior to repository acceptance.

@rjbou
Collaborator

rjbou commented Jun 13, 2019

Option --check-upstream and lint 60 added in #3758 (returns an error if the archive is reachable && doesn't validate the checksum).
Closing this issue, feel free to open it if needed.
Thanks for the report!

@rjbou rjbou closed this as completed Jun 13, 2019
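A constructed simulation, added here and not opam's own code, of the two points in this thread: the cache keyed on the declared checksum (first post) hands package B the archive already stored for package A, while a --check-upstream style validation (closing comment) that fetches src and hashes the bytes catches B's wrong checksum. URLs, archive contents and the `fetch` stand-in are invented.

```python
import hashlib

# Constructed upstream archives (invented URLs and contents): the two tarballs differ.
URL_A = "https://example.invalid/name1/project1/archive/0.1.tar.gz"
URL_B = "https://example.invalid/name2/project2/archive/0.1.tar.gz"
UPSTREAM = {URL_A: b"project1 0.1 sources", URL_B: b"project2 0.1 sources"}


def fetch(url: str) -> bytes:
    """Stand-in for the HTTP download; serves the constructed archives above."""
    return UPSTREAM[url]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Package A declares the correct md5; package B (by mistake) declares A's md5.
PACKAGES = {
    "A": {"src": URL_A, "checksum": "md5=" + md5_hex(UPSTREAM[URL_A])},
    "B": {"src": URL_B, "checksum": "md5=" + md5_hex(UPSTREAM[URL_A])},  # wrong hash
}


class ChecksumKeyedCache:
    """Archive cache keyed by the declared checksum alone, as the issue describes."""

    def __init__(self) -> None:
        self.store: dict[str, bytes] = {}

    def get_archive(self, pkg: dict) -> bytes:
        key = pkg["checksum"]
        if key not in self.store:            # miss: download and store under the declared hash
            self.store[key] = fetch(pkg["src"])
        return self.store[key]               # hit: whatever was stored first, never re-checked


def check_upstream(pkg: dict) -> bool:
    """Lint-style validation: fetch src and confirm the declared checksum matches the bytes."""
    algo, _, expected = pkg["checksum"].partition("=")
    return hashlib.new(algo, fetch(pkg["src"])).hexdigest() == expected


def demo() -> dict:
    cache = ChecksumKeyedCache()
    archive_a = cache.get_archive(PACKAGES["A"])   # A is cached first
    archive_b = cache.get_archive(PACKAGES["B"])   # B hits the cache on A's hash
    return {
        "b_got_a_archive": archive_b == archive_a,
        "b_matches_upstream": archive_b == fetch(URL_B),
        "a_checksum_valid": check_upstream(PACKAGES["A"]),
        "b_checksum_valid": check_upstream(PACKAGES["B"]),
    }


if __name__ == "__main__":
    print(demo())
```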