Hello Hannes and thanks for your interest!
do you have machine-readable data what went into the binaries that are being downloaded (i.e. which version of what) [nowadays the buzzword is "Software Bill of Materials] – NB: and opam switch export --full --freeze is a good start for the opam packages
In fact, currently only the ocaml-platform binary is being downloaded. The tools are then compiled in a sandbox switch on the local machine, and cached in a local opam repository. Only the version of OCaml and of the tool is kept as info in the local cache.
do you have security in mind? the curl | sudo bash is not very nice from a security perspective, since that may do any harm.
We do have security in mind! We wanted a one line copy-paste installation for new users. So, we went for an install script, although we will consider your advice on setting up a package repository!
is there an update path? when I run your installer, how to upgrade to the latest version of “platform installer” (can I check whether an update is available and what will change?)?
Currently, the update path is simply to re-run the install script:
bash < <(curl -sL https://github.com/tarides/ocaml-platform-installer/releases/latest/download/installer.sh)
But there is no way to know if there is a new release, apart from checking the github releases page. Thanks a lot for the inputs! I’ll reach out to you soon by private message, as your work and experience on reproducible builds might help for the ongoing remote repo!