Bill of Materials for a given (dune) build

Is there a way to semi-automatically get a comprehensive opam package version list for all transitive dependencies of a build?

E.g. when building seppo.social for a security audit that would come in handy.

Dear @mro,

not explicitly dune related, but there is orb, which is an alternative to using opam (it uses the opam libraries under the hood), and produces a three-fold:

From these three things, in case your opam package and dependencies are reproducible, you can reproduce exactly the same artifact. Be aware that orb is also tested for reproducibility in a daily fashion, and we have both Debian/Ubuntu packages (at https://apt.robur.coop) and FreeBSD packages (https://pkg.robur.coop).

It is meant to be executed in a clean container/jail, and doesn't clean up the system packages. Thus it is a good idea to start with a nearly empty container 🙂

Enjoy and don’t hesitate to ask further questions.
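For the plain-opam route to what the question asks (a flat, reviewable version list of every transitive dependency of one package, as an input to an audit or a BOM), here is an added example that is not part of this thread and not part of orb or seppo. It assumes opam 2.x, whose `opam list` accepts `--required-by`, `--recursive`, `--installed` and `--columns`; the package name `seppo` and the sample output lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): produce a sorted "name version"
# bill of materials for the transitive dependency closure of one package
# in the current opam switch. Assumes opam 2.x flag names.

# Normalise raw `opam list --columns=name,installed-version` output:
# drop the "# Packages matching: ..." / "# Name # Installed" header lines,
# keep only the first two fields (name, installed version), and sort
# uniquely so two runs of the same switch diff cleanly.
bom_normalise() {
    grep -v '^#' | awk 'NF >= 2 { print $1, $2 }' | sort -u
}

# Ask opam for every package that the given package depends on, transitively
# (--required-by + --recursive), restricted to what is actually installed in
# the active switch, and print the normalised BOM. "seppo" is a hypothetical
# package name here.
bom_for_package() {
    pkg="$1"
    opam list --installed --recursive --required-by="$pkg" \
        --columns=name,installed-version | bom_normalise
}

# Usage (uncomment to run against a real switch):
# bom_for_package seppo > seppo-bom.txt
```

The `--installed` filter matters for an audit: without it, `opam list` reports the dependency closure as resolvable from the repository rather than the versions that actually went into the build. Keep the resulting file next to the build artifact, and re-run the command after `opam upgrade` to diff what changed.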