opam install --locked behavior may not be the one expected by users

[lefessan]

Currently, opam install --locked means that opam will use a file .opam.locked, if it exists, instead of the .opam file, not even looking at the content of it.

As a consequence, if you add a dependency in your .opam file, opam install --locked will not install that dependency, as it only reads the .opam.locked file.

Users may expect that opam install --locked would read both files, and merge the constraints, i.e. the .locked file is only adding constraints on the .opam file, so that the behavior would be:

• For existing dependencies, the versions from the .locked file are used
• For new dependencies, they are installed
• If there is a conflict between existing and new dependencies, opam install --locked would fail with an advice to remove the .locked file as it is probably obsolete

This behavior is typically important for tools that want to correctly manage .opam and .locked files automatically, for example to mimic cargo's behavior.

[AltGr]

The two files are already read and used to show a warning for this specific purpose:

[WARNING] Lock file foo.opam.locked is outdated, you may want to re-run opam lock:
          Dependencies present in opam file not in lock file:
            - bar

I would strongly advise against silently merging the dependencies, as the locked files are meant for reproducibility and that would break the purpose. I see three possible resolutions for this issue:

• keep the things as is
• turn the warning into an error
• turn the warning into a prompt (forced to no if non-interactive) to proceed with a merge then automatically update the lock file — this might be closest to how lock files work in other systems.

[lefessan]

You are supposing that the user is using opam directly, but in my case, I am using drom to handle all this, and I need a way for drom to trigger the correct behavior of opam.

Moreover, running opam lock again will not do what I want: I want to keep the environment as close as possible to the locked file, just adding the dependency. What you propose would add the dependency without keeping the locked versions, and then locking the new state, it's not what I want !

So, I am not asking for it to be the default behavior (though I think that, from a user's perspective, it is a better experience), but I would want an option that I can use to call opam from drom and have this behavior. Maybe it could be some kind of generic merge feature, allowing to merge dependencies from multiple files, not only locked files.