With 1.2.1 almost out of the door, time has come to review the roadmap discussed back in December and choose where we'll be going for 1.3. Original mail attached for reference.
The topic that is burning hot at the moment is, specially after the Debian Haskell build host has been compromised, security: we have no signing at all at the moment, and we need to improve on this before it becomes a problem. TUF [1] has devised a sane amount of rules for repository management and signing that should make it easier to get it right in OPAM. Hannes has mentionned writing an OCaml implementation for TUF, which could get very helpful. Also of importance is Windows support. It should at least be straighforward and documented to get a basic Cygwin setup working. That goes with adding automated tests (appveyor can now be added in Github alongside Travis). Related is cleaning up external command usage (even if not really justified by a Windows port only, as David Allsopp pointed out) -- replacing curl calls by cohttp, use ocaml-fileutils... These are the other main features, that'll probably take more time if we are to focus eg. on security: * a plugin mechanism with plugins for example for OCaml (for better agnosticity), external dependency handling [2], documentation generation... * a 'provides:' field in OPAM files [3]. This is a loose requirement if we want to switch the repository to have OCaml itself in a package (which is already possible, but the system compiler may yet be an issue). * More flexible switch handling (multi-switch packages, per-switch remotes, layered switches for cross-compilation...) * Tracking of files installed by packages. While unrelated to repo signing, this might have some security implications, so we might want to bring it in. * With file tracking, generating a binary repo (with some limitations) could be quite straight-forward. Which of these do you think is most important ? Have I forgotten anything ? Cheers, Louis [1] http://theupdateframework.com/ [2] https://github.com/ocaml/opam/blob/master/doc/design/depexts-plugins [3] https://github.com/ocaml/opam/blob/master/doc/design/provides.md
--- Begin Message ---Hi all, with some lag after the 1.2 release, I'd like to open some space for a collective discussion of the priorities for where the energies should go next. We have mainly 3 directions for improvements: first, portability, with the main goal of a Windows version. Second, agnosticity, with the goal to make OPAM more generic, and try and open it to users outside of the OCaml community (wouldn't OPAM for Haskell be fun ?). Third, there are always lots of features and improvements that have been asked for, and would improve the experience of current users. So here is a summary of what I've gathered. Feel free to add your own. ## Portability - **Rewrite parallel command engine.** / done. - **Native system manipulation (cp, rm, curl...).** These are mostly done through calls to the shell or external programs. It's not very pretty but quite pragmatic actually... until we want to run on Windows without Cygwin. Anyway, this wouldn't be the end of portability issues. - **Windows support.** for OPAM itself to begin with. This should be pretty close. - **Packages on Windows.** Locate common issues and attempt to find generic fixes. - Allow **direct use of more solvers** or solver servers. - **Support cross-compilation** This is quite an open issue at the moment. ## Agnosticity - **Isolate OCaml-specific stuff.** E.g. specific opam-file variables. See ocaml-specific.md - **Separate as plugins** To open the gate to OPAM without these plugins, or with other ones - **Compilers as packages.** This should mostly work now, but needs some tests and strengthening. The main thing still to do is to handle the system compiler changes properly ; that part should be made more generic anyway (see discussion on hooks) ## Features - A **provides** field. Generally useful, but particulary so with compilers-as-packages - Releasing the **"features" field** for easier package configuration - **Track installed files** - **Improve security**: just checking md5s is quite light ; package scripts can write anywhere - **OS-specific handling of dependencies** (eg dependencies on packages from the OS) with plugins (#1519) - Specify and implement **hooks** - Find a nicer way to **share dev repos** / undoable "pinning sources" - **Per-switch remotes** - **Multi-switch packages** - Support for (automatic generation of) **binary packages** - Nicer **ocamlfind interaction** Cheers, Louis Gesbert_______________________________________________ opam-devel mailing list [email protected] http://lists.ocaml.org/listinfo/opam-devel
--- End Message ---
_______________________________________________ opam-devel mailing list [email protected] http://lists.ocaml.org/listinfo/opam-devel
