anil.recoil.org
+3
-3
CONTRIBUTING.md
+3
-3
CONTRIBUTING.md
···-The current points of contact and the full list of maintainers is available in [wiki/Governance](https://github.com/ocaml/opam-repository/wiki/Governance).-Informations about the infrastructure is available in [wiki/Infrastructure-info](https://github.com/ocaml/opam-repository/wiki/Infrastructure-info).+The current points of contact and the full list of maintainers is available in [./governance/README.md](./governance/README.md).+Information about the infrastructure is available in [wiki/Infrastructure-info](https://github.com/ocaml/opam-repository/wiki/Infrastructure-info).Typically maintainers gather weekly to discuss ongoing topics, review PRs together and train maintainers in training.If you wish to help and become an opam-repository maintainer, you can send a message to the maintainers listed above and you will be invited to the next meeting in which they will explain how things work.···-You can read about them in [wiki/Policies](https://github.com/ocaml/opam-repository/wiki/Policies).
+42
governance/README.md
+42
governance/README.md
···+To contact the maintainers in a more synchronous way you can join the [#opam-repository channel on the OCaml Discord](https://discord.gg/vDH7bMjjYW)
+179
governance/policies/README.md
+179
governance/policies/README.md
···+Packages in this repository should meet the [criteria for inclusion](./archiving.md#inclusion-criteria)+* In case of a mistake, reverting a PR is allowed if the revert happened reasonably soon after the merge (e.g. < 1 day), to make sure a minimal number of users have pulled the repository in a state where the PR was in.+* Packages whose author want inaccessible for security reasons can be marked with `available: false`+* Packages whose author want gone from opam-repository can make their case with a PR marking them with `available: false`. If the package(s) in question are not used by any other packages the PR should be good to merge, otherwise, a case by case basis, at the discretion of the opam-repository maintainers, is applied.+* Users that use opam < 2.1.6 or opam < 2.2.0~beta2 on macOS can sometimes lack GNU patch. The default macOS patch command does not support removal of files and would make `opam update` fail.+## 2. Packages should not be modified in a way that makes it uninstallable with an existing and working setup+* Packages providing very little utility (e.g. one module with just one function defined as a one liner) do not seem justified to go in opam-repository and take one of the available names and space in the git repository that every user has to download+* opam-repository is a curated package repository, we hope to provide useful packages for the large majority of OCaml users+* If a package has a compatible interface as another and users mixup their name often, it can become a security risk.+* Developers spending time on a software, to find a package with the same name exists in opam-repository already and was added with malicious intents by another person, would be extremely frustrating for the developer and confusing for users if the project had been publicly announced prior.+* Strict equality constraints with packages that live in the same source repository (`{= version}`) are accepted (and even encouraged) if the maintainer in planning to publish all the packages in that repository at once everytime there is some change. While this leads to a number of packages that are the same as their previous versions, this simplifies releases for maintainers that are in those cases, and makes the link simpler between the tag in their source repository and the version number in opam-repository.+* Early `<` constraints are allowed if it is known for sure that the package will not be compatible with said upcoming version or to prevent likely runtime failures with a next major version for example.+* Strict constraints (in particular `=` and `<=`/`<`) make the user experience worse by disallowing the combination of several packages requiring different strict dependencies in the same opam switch.+* Strict constraints also make the work of opam-repository maintainers harder by the sheer number of PR that would simply change the constraints of a package.+* Strict constraints also make testing of the opam ecosystem worse by not testing the new releases of packages against packages that might be compatible with them (reverse dependencies, aka. revdeps).+* It is prefered to use `>=` over `>` when writing dependency constraints because it makes constraints easier to read in most cases and would include potential package revisions or point-releases. For example `> "1.0.0"` would also include a potential `1.0.0-1` revision in the future, and `> "0.9"` would also include a potential `0.9.1` release that might not exists at the moment and that might not include the fix you need.+* It is prefered to use `<` over `<=` when writing dependency constraints because it would ignore any revision packages. For example `<= "1.0.0"` would not take into account a potential `1.0.0-1`, and `<= "0.9"` would not take into account a potential `0.9.1` release.+* Packages that are linked with already existing suite of packages that have adopted this version scheme for historical reasons.+* Packages whose maintainers want/need to change the version scheme to a version number that would be below the latest available version. For example `sexplib.113.33.03` was the latest version of that package before Jane Street decided to reset the version scheme for readability reason to `0.9.0`, however 0.9.0 < 113.33.03 so the `v` prefix is here to make sure the order of version is kept, as 0.9.0 < 113.33.03 < v0.9.0. See [the opam manual section on version ordering](https://opam.ocaml.org/doc/Manual.html#version-ordering) for more details.+* It is much easier for users to write version constraints if they don't have to second guess for each dependencies if the version number contains a `v` prefix or not.+* Packages for whom `ocaml` is historically a part of the name and not a simple suffix (e.g. ocamlfind, ocamlgraph, ocamldap, …)+* Packages whose name without the prefix/suffix would evoke something else that might also be an opam package or lack context (e.g. ocaml-lsp-server, ocaml-manual, …)+* opam-repository is an OCaml focused repository, so while many projects' name start with `ocaml-` or end with `-ocaml`, if all of their package name would also include `ocaml` it would quickly become fairly annoying and redundant for users.+* Maintaining the metadata for many developement packages would mean too much work for the opam-repository maintainers.+* On the user's side, such package would lack checksum and thus have to be redownloaded and kept uptodate, everytime they do `opam update`+* opam-repository currently strives to make installation as lightweight as possible for users of those packages. If a package were to install dependencies that is only used by (for example) developers of said package, it would be detrimental to their user experience, by having to compile and install packages they're not going to use. Example of such packages are: `ocamlformat`, `merlin`, …. Which are in 99% of cases only required when developing a package. For people who want to install developement dependencies however, opam 2.2 introduced the `with-dev-setup` variable.+* opam is a source based package manager, it is not currently designed to handle portable binary packages properly.+* As it currently stands adding a binary package would require the facilities to ensure compatibilities with subarchitectures (e.g. x86_64 v1, …) which we do not have.+* opam-repository currently strives to provide the same experience regardless of your platform. Binary package would go against that as each platform would have to be packaged separately, or downloaded all together and sort which one to use on site. Either of these solutions would make the user's experience worse and the maintainers life worse as well.+* opam-repository packages are expected to be able to install at any time. Packages have a checksum to verify there hasn't been any malicious or unexpected changes to the archive after downloading it. If the source archive were to be changed, everyone who tries to install it would only receive failures, and even if it was fixed in a subsequent PR, it would still break users who have not used `opam update`.+The [extra-files field](https://opam.ocaml.org/doc/Manual.html#opamfield-extra-files) is not allowed in this repository. Please use [extra-source](https://opam.ocaml.org/doc/Manual.html#opamsection-extra-sources) if you need to include external files.+* opam-repository is trying to use a minimal amount of files and size, thus any files not required are prohibited.+* For cryptographic signing of the repository, not allowing extra-files reduces the complexity thereof.+See the [announcement](https://discuss.ocaml.org/t/ann-opam-repository-policy-change-checksums-no-md5-and-no-extra-files/14720) and [discussion](https://github.com/ocaml/opam-repository/issues/25876) for further details.+To prepare opam-repository for signing, adding only weak hash algorithms as checksums is prohibited.+* Weak hash algorithms would induce that cryptographic signatures would be weak, or would need another set of checksums. This is costly and convolutes the repository.+See the [announcement](https://discuss.ocaml.org/t/ann-opam-repository-policy-change-checksums-no-md5-and-no-extra-files/14720) and [discussion](https://github.com/ocaml/opam-repository/issues/25876) for further details.
+102
governance/policies/archiving.md
+102
governance/policies/archiving.md
···+- The primary opam repository, (referred to here as the "primary repo") is located at [ocaml/opam-repository](https://github.com/ocaml/opam-repository). The primary repo is curated to ensure that compatible packages are co-installable on as many supported platforms as possible, and it is the default package repository.+- "Primary repo criteria" refers to the criteria used to decide whether a version of a package is suitable for continued inclusion in the primary repo.+- The archive opam repository, (referred to here as the "archive repo")" is located at [ocaml/opam-repository-archive](https://github.com/ocaml/opam-repository-archive) and records packages that were once in the primary repo, but no longer meet the primary repo criteria.+- "Supported platforms" are those listed under [Tier 1 and Tier 2 by the OCaml compiler](https://github.com/ocaml/ocaml?tab=readme-ov-file#overview)+- A package's "maximum compiler version" is the upper bound of the OCaml compiler versions supported by a package. Support is derived either based on explicit version bounds set on the `ocaml` dependency in a package's dependency cone, or implicitly based on failed installs detected through our CI and health check processes.+- The "compiler cutoff threshold" is an OCaml compiler versions stipulated by the opam repository maintainers. It sets a lower bound on the compiler versions supported by the primary repo.+- A package is said to "meet the compiler cutoff threshold" iff its maximum compiler version is greater then or equal to the compiler cutoff threshold.+- The "maintenance intent" of a package refers to the explicitly declared intent of a maintainer to support versions of a package, recorded in the packages `opam` file metadata.+This threshold is subject to change by the opam repo maintainers based on the oldest compiler available on maintained distributions.+A version of a package may be published on the primary repo, and will continue to remain listed there, so long as the following criteria hold:+3. The package version falls within a package's maintenance intent, or is a dependency of a package satisfying the primary repo criteria.+4. The package version is installable on at least one of the supported platforms. (Note that it is not required that CI tests are passing, since working installation may require manual system configuration.)+Note that this property is transitive along a package's dependency tree: if a package satisfies the primary repo criteria, then its dependencies do as well.+At regular intervals, no less than every six months, the opam repo maintainers will reevaluate all packages to determine if they satisfy the [primary repo criteria](#criteria-for-inclusion-to-the-primary-repo-the-default-opam-repository). Packages that do not will be subject to archiving, according to the following process:+- Maintainers will have two weeks to fix the version so that it satisfies the criteria or approve of the archiving.+- If two passes without hearing from the maintainers, the package will be marked as unmaintained and a call for a new maintainer will be submitted to the community via [discuss.ocaml.org under the opam-repository topic](https://discuss.ocaml.org/tag/opam-repository).+When it has been decided that a set of package versions (aka "versions") should be archived, archiving will proceed according to the following process:+- Any dependencies without upper bounds will have upper bounds added, recording the latest available version of the dependency in the primary repo at the time of archiving.+- The commit message should have the title `Archive packages` and its body should contain the hash of the commit that adds the packages to the archive.+- Meaning: Records the commit hash of the primary repo at the time a package version is archived.+- Allowed values: a list of strings matching version numbers, possibly using the special keywords `(latest)`, `(any)` and `(none)`+- Expresses the declared intent of the maintainers to maintain only certain versions ranges of a package.+- `["(latest)" "(latest-1)"]` the maintainer will only maintain the latest `X.Y.Z` version and `(X-1).Y.Z`+- `["(latest)" "(latest).(latest-1)"]` the maintainer will only maintain the latest `X.Y.Z` version and `X.(Y-1).Z`+- `["(latest).(any).(latest)"]` the maintainer will maintain every Y for each X.Y.Z (where X is the latest)+- `["2.(latest)"]` the maintainer will maintain the latest minor version specifically of version "2" of the package+- [Package Archiving: Plan](https://github.com/ocaml/opam-repository/wiki/Package-Archiving:-Plan)