
Include hash/checksum for dependencies in lock file #4994

Open
mjambon opened this issue Jan 13, 2022 · 2 comments

Comments

mjambon (Contributor) commented Jan 13, 2022

opam lock produces a lock file (.locked) which looks like this:

...
depends: [
  "ANSITerminal" {= "0.8.2"}
  "alcotest" {= "1.5.0"}
  "astring" {= "0.8.5"}
  "atd" {= "2.2.1"}
  "atdgen" {= "2.2.1"}
  "atdgen-runtime" {= "2.2.1"}
  "base-bigarray" {= "base"}
  "base-bytes" {= "base"}
  "base-threads" {= "base"}
...

For security reasons, we would like a way to check not just the version of all the transitive dependencies but also check their contents against a checksum. Is this possible?

kit-ty-kate (Member) commented:

It’s not possible with a lock file in the current state of things.
However I believe opam switch export --freeze is what you are looking for.

mjambon (Contributor, Author) commented Jan 13, 2022

opam switch export --freeze could help, but it requires the current switch to be clean, i.e. specific to the project. Maybe there's an easy way to use one switch per project? Alternatively, filtering the switch export to keep only the dependencies found in the lock file should work if there's an easy way to do so.
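As an added example, not part of this thread or of opam's own tooling: a small Python check that reads the depends: block of a .locked file (the shape shown in the issue) and, for each package whose opam url { src: ... checksum: [...] } section is available, verifies a fetched archive against the declared digest. Packages the lock file names but for which no checksum is known are reported as such, which is exactly the gap the issue describes. The lock text, url section and archive bytes are constructed here, and the package URL is a placeholder.

```python
import hashlib
import re

# Constructed fragment of a .locked file, same shape as in the issue.
LOCK_FILE = '''
depends: [
  "ANSITerminal" {= "0.8.2"}
  "alcotest" {= "1.5.0"}
  "astring" {= "0.8.5"}
]
'''

# Constructed archive bytes for one package (hypothetical, not a real tarball).
ARCHIVE_BYTES = {"astring": b"constructed tarball bytes for astring 0.8.5"}

# Constructed opam url section whose checksum matches the bytes above.
URL_SECTIONS = {"astring": '''
url {
  src: "https://example.invalid/astring-0.8.5.tbz"
  checksum: ["sha256=%s"]
}
''' % hashlib.sha256(ARCHIVE_BYTES["astring"]).hexdigest()}

DEP_RE = re.compile(r'"([^"]+)"\s*\{=\s*"([^"]+)"\}')
CHECKSUM_RE = re.compile(r'"(sha256|sha512|md5)=([0-9a-f]+)"')

def parse_lock_depends(text):
    """Return {name: version} from the depends: [...] block of a .locked file."""
    m = re.search(r'depends:\s*\[(.*?)\]', text, re.S)
    return dict(DEP_RE.findall(m.group(1))) if m else {}

def parse_checksums(url_section):
    """Return {algo: hexdigest} from an opam url { checksum: [...] } section."""
    return dict(CHECKSUM_RE.findall(url_section))

def verify_archive(data, checksums):
    """True only if every declared digest matches; fail closed when none is declared."""
    if not checksums:
        return False
    return all(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in checksums.items())

def verify_lock(lock_text, url_sections, archives):
    """Map each locked package to 'ok', 'mismatch' or 'no-checksum'."""
    result = {}
    for name in parse_lock_depends(lock_text):
        checksums = parse_checksums(url_sections.get(name, ""))
        data = archives.get(name)
        if data is None or not checksums:
            result[name] = "no-checksum"   # lock file alone cannot verify contents
        else:
            result[name] = "ok" if verify_archive(data, checksums) else "mismatch"
    return result
```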
