Enforce every files in the files/ subdirectory to be listed in extra-files

[kit-ty-kate]

Currently that isn’t enforced. You can add any files (patches, …) to a package in a repository without checksums.
This should be enforced.

[hannesm]

the reverse should as well be checked -- since this guarantee is atm not here, conex needs to jump through some hoops (instead of "just using the hash of the opam file as the single required checksum).

Is there anything that ensures directory traversal is not possible (i.e. are .. / / avoided / not followed?)

[kit-ty-kate]

the reverse should as well be checked

I’m not sure what you mean by that. I’ve just tried and the reverse is enforced:

$ opam lint ./opam
error 53: Mismatching 'extra-files:' field: "some-non-existant-file"

Is there anything that ensures directory traversal is not possible (i.e. are .. / / avoided / not followed?)

As far as i can see from testing, yes. Also

opam/src/state/opamFileTools.ml

Line 610 in 4b103bd

(mismatching_extra_files <> []));

is a simple string compare so no disk access

[hannesm]

@kit-ty-kate thanks, indeed I meant your "some-non-existent-file" case.

[rjbou]

to cite @AltGr

extra-files was introduced way after the files/ overlay, and first used internally (to check changes in these files) ; which is why it couldn't be made mandatory directly
but that could be changed now