ocaml-opam / Camelus

Bot posting reports on opam-repository pull-request using a web hook

Warn or error if `pin-depends` is used #34

Open hannesm opened 5 years ago

hannesm commented 5 years ago

See https://github.com/ocaml/opam-repository/issues/14978. opam packages released to opam-repository contain checksums of tarballs to ensure that the same tarball is used for installation as intended by the person doing a release. opam packages which point to a branch / tag are generally not accepted AFAICT.

opam 2.0 introduced a `pin-depends` stanza to specify dependencies of certain off-trunk dependencies (i.e. a custom version of yyy). I just discovered that the opam-repository contains a few packages with `pin-depends`, which I assume should not be there, applying the same rule above.

AltGr commented 4 years ago

The difference is that pin-depends is clearly specified to be effective only when the package gets pinned. So it is harmless when using the repository, and might be useful when using e.g. opam pin foo --dev (where it will become effective).

This said, leaving them could be a mistake, so I don't really have an opinion about adding a warning.
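The check this issue asks for, together with the two points raised in the thread (release packages should reference checksummed tarballs rather than branches, and `pin-depends` only takes effect once the package itself is pinned), is sketched below as an added example. It is not Camelus's own code and does not use its OCaml code base or web-hook plumbing; it is a small Python linter over opam file text. The two opam files, the `example.invalid` URLs and the all-zero digest are constructed inputs, and the field parsing is a deliberately narrow regex over the `pin-depends:` list and the `url { }` section rather than a full opam parser.

```python
import hashlib
import re

# Constructed sample opam files; package names and URLs are placeholders.
CLEAN_OPAM = '''
opam-version: "2.0"
name: "foo"
depends: [ "ocaml" "dune" ]
url {
  src: "https://example.invalid/foo-1.0.tbz"
  checksum: [ "sha256=0000000000000000000000000000000000000000000000000000000000000000" ]
}
'''

PINNED_OPAM = '''
opam-version: "2.0"
name: "bar"
depends: [ "ocaml" "yyy" ]
pin-depends: [
  [ "yyy.dev" "git+https://example.invalid/yyy.git#my-branch" ]
]
url {
  src: "git+https://example.invalid/bar.git#main"
}
'''

# Narrow, assumed field syntax: a top-level "pin-depends: [ ... ]" list whose
# closing bracket starts a line, entries of the form [ "pkg.version" "url" ],
# and a "url { ... }" section whose closing brace starts a line.
PIN_FIELD = re.compile(r'^pin-depends:\s*\[(.*?)^\]', re.S | re.M)
PIN_ENTRY = re.compile(r'\[\s*"([^"]+)"\s+"([^"]+)"\s*\]')
URL_SECTION = re.compile(r'^url\s*\{(.*?)^\}', re.S | re.M)
SRC_FIELD = re.compile(r'src:\s*"([^"]+)"')
CHECKSUM_FIELD = re.compile(r'checksum:')


def pin_depends(text):
    """Return the (package, url) pairs listed under pin-depends, if any."""
    m = PIN_FIELD.search(text)
    if not m:
        return []
    return PIN_ENTRY.findall(m.group(1))


def lint_opam(text):
    """Return human-readable warnings for a repository opam file.

    Flags pin-depends (inert in the repository, but a sign the package was
    written for a pinned/dev workflow), a src pointing at a VCS ref rather
    than a tarball, and a url section with no checksum.
    """
    warnings = []
    for pkg, url in pin_depends(text):
        warnings.append(
            f"pin-depends: {pkg} pinned to {url} "
            "(only effective if this package is itself pinned)")
    m = URL_SECTION.search(text)
    if m:
        body = m.group(1)
        src = SRC_FIELD.search(body)
        if src and src.group(1).startswith("git+"):
            warnings.append(f"url.src is a VCS ref, not a tarball: {src.group(1)}")
        if not CHECKSUM_FIELD.search(body):
            warnings.append("url section has no checksum")
    return warnings


def checksum_for(data, algo="sha256"):
    """Build an opam-style "<algo>=<hex>" checksum string for raw bytes."""
    return f"{algo}={hashlib.new(algo, data).hexdigest()}"


def checksum_matches(checksum_field, data):
    """Verify downloaded bytes against an "<algo>=<hex>" checksum string."""
    algo, _, expected = checksum_field.partition("=")
    if algo not in ("md5", "sha256", "sha512") or not expected:
        return False
    return hashlib.new(algo, data).hexdigest() == expected.lower()


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_OPAM), ("pinned", PINNED_OPAM)):
        for w in lint_opam(text) or ["ok"]:
            print(f"{label}: {w}")
```

Run as a script it prints nothing but `clean: ok` for the first file and three warnings for the second. `checksum_matches` is included because the checksum is the property the issue's first comment relies on: once the tarball digest in the repository is verified against the downloaded bytes, a branch or tag moving underneath a release cannot silently change what gets installed.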