Feature request: Allow pin-depends to have a checksum

[kit-ty-kate]

Curently the pin-depends does not have any syntax to set a checksum for its archive, the same way url or extra-source have.
Pin dependecies with fixed archives are used extensively by opam-monorepo.
For example for opam-monorepo itself: https://github.com/ocamllabs/opam-monorepo/blob/2710ab7ee3a1cddb613b79ce74f3701330340f61/opam-monorepo.opam.locked

I feel like this could be useful to have in general for other users as well.

cc @NathanReb

[NathanReb]

Definitely useful and I'd be more than happy to add those when generating lockfiles in opam-monorepo!

[AltGr]

Why not use

git+https://github.com/0install/0install#v2.17

(or #4a837bd638d93905b96d073c28c644894f8d4a0b if you want to be more specific)
instead of

https://github.com/0install/0install/releases/download/v2.17/0install-v2.17.tbz

?

Pinning to archives seems a little weird to me.

[NathanReb]

This can be useful to ensure reproducibility. The opam-repository metadata are a evolving, usually for the best but they have a tendency to make it impossible to build old versions of one's software because the opam solver cannot come up with a solution anymore. This bit us more than once when I was working at @cryptosense and I know for a fact that some others also suffered from this (cc @Leonidas-from-XIV).

The whole point of the opam-monorepo lockfile is that it contains enough information to be able to install every package, with the assurance you'll get the exact same version of the sources, hence the use of pins. We use git pins when it makes sense but when we simply want to use a released version pinning to the tarball makes more sense, especially since it happens quite often that the tarball and the sources for the corresponding tag differ (e.g. dune subst has been run to replace watermarks in the tarball etc...).

We're also trying to make those lockfiles as opam compatible as possible. Opam should be able to install the right versions from the lockfile as well, although for now it still has to go through the solver so it might fail if the upstream metadata did change in a breaking way.

Support for checksum verification in this case would benefit both opam-monorepo — as it uses the opam libraries to fetch the sources at the given URLs (be it tarballs or git repos) — and opam itself as it would be better at handling those lockfiles and any such pins if anyone else has a use for them (I can imagine someone using this to declare deps to libraries or tools not released to opam for instance).

[AltGr]

Thank you for the detailed explanation! I didn't mean to question the usefulness of the feature requested, but indeed that seems to make sense. I believe opam switch export might allow you to do this at the moment, but it's probably not convenient for your use-case.