prabhu opened this issue 6 months ago (status: Open)
Many .opam files have no name or version for the parent component. Can these be made mandatory?
I don't think this can be made mandatory. Some folks add the version from the git tag when publishing an opam package to a repository, and the .opam file itself has no version at all, or some "1.0" placeholder. The same is popular with Rust crates that are published from pipelines: the version number is overridden by the pipeline.
There is no concept of a group or namespace. There is a homepage, github.com in most cases, so there is some possibility of constructing a namespace to avoid collisions.
Opam has a notion of a repository, and multiple repositories can be added. opam show outputs both the package version and the repository from which it comes. This repository can be thought of as a namespace.
There are no hashes of any kind in the lock files. How can this be acceptable?
Sadly this is true. There are some hashes for packages downloaded in local cache, see here for some info on that.
While the opam lock command has --direct-only, this information is not persisted in the lock file, so a tool that parses the lock file directly has no clue how it was generated.
In the case of a CI pipeline which builds the project and needs to produce the SBOM, opam should probably be interrogated about the state of the dependency tree, versions, hash sums, etc. This will give the precise information. Opam has a corresponding OCaml library to work with opam state; it's pretty straightforward to emit this kind of information. An "offline" SBOM for some repository without any opam environment seems to be challenging indeed.
Summoning some opam/ocaml people. cc @AltGr @avsm @kit-ty-kate
Would be great to see SBOM generation support for opam.
One more link on opam supply chain https://github.com/ocaml/opam/wiki/Opam-supply-chain
I suggest looking into opam switch export --full --freeze, which creates a file that is independent of the opam-repository and includes the tarball checksums, build instructions, etc.
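One way to turn that export into SBOM components, as an added example that is not part of this thread or of opam itself: it parses a constructed sample of opam switch export --full --freeze output (assuming the opam 2.x export layout, with one package "name.version" { ... } block per installed package carrying its url { src checksum } metadata), collects the tarball digests, and flags packages that carry no SHA-256/SHA-512 digest so a CI step can fail instead of emitting an SBOM whose sources cannot be verified.

```python
import re

ALG = {"md5": "MD5", "sha256": "SHA-256", "sha512": "SHA-512"}  # CycloneDX hash names

# Constructed sample in the shape of `opam switch export --full --freeze` output
# (assumption: opam 2.x export format, trimmed to the fields read below; the
# digests are placeholder values, not real checksums).
SAMPLE_EXPORT = '''opam-version: "2.0"
installed: ["dune.3.7.0" "ocaml-base-compiler.4.14.1" "sexplib0.v0.16.0"]
package "dune.3.7.0" {
  url {
    src: "https://github.com/ocaml/dune/releases/download/3.7.0/dune-3.7.0.tbz"
    checksum: ["sha256=%s" "sha512=%s"]
  }
}
package "ocaml-base-compiler.4.14.1" {
  url {
    src: "https://github.com/ocaml/ocaml/archive/4.14.1.tar.gz"
    checksum: "md5=%s"
  }
}
package "sexplib0.v0.16.0" {
  depends: ["ocaml" {>= "4.08"}]
}
''' % ("ab" * 32, "cd" * 64, "ef" * 16)

# One top-level `package "name.version" { ... }` block; opam closes it with a brace at column 0.
PKG_RE = re.compile(r'^package "([^"]+)" \{\n(.*?)\n\}', re.S | re.M)


def export_to_components(text):
    """SBOM-style components (name, version, source URL, hashes) from an export file."""
    comps = []
    for m in PKG_RE.finditer(text):
        name, version = m.group(1).split(".", 1)  # opam package names never contain '.'
        body = m.group(2)
        src = re.search(r'src:\s*"([^"]+)"', body)
        sums = re.search(r'checksum:\s*(\[[^\]]*\]|"[^"]+")', body)  # list or single string
        hashes = {}
        for digest in (re.findall(r'"([^"]+)"', sums.group(1)) if sums else []):
            alg, _, hexval = digest.partition("=")
            hashes[ALG.get(alg, alg.upper())] = hexval
        comps.append({"name": name, "version": version,
                      "src": src.group(1) if src else None, "hashes": hashes})
    return comps


def unverifiable(components):
    """Names of components with no SHA-256/SHA-512 digest (MD5-only or no url at all)."""
    return sorted(c["name"] for c in components
                  if not {"SHA-256", "SHA-512"} & set(c["hashes"]))
```

Running export_to_components on a real export and failing the pipeline when unverifiable() is non-empty is the check a CI SBOM step would add.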
The opam.locked file has pinned versions.
https://github.com/facebook/infer/blob/54c6397a1a9b73f752e05bf933993bf849ff4bc9/opam/infer.opam.locked
Have to check if the opam show command can be used to construct the dependency tree, since the lock file appears quite rudimentary.