Should opam use a lockfile by default?

That would not help in some of the breaking changes (package no longer available upstream, with a new tarball provided). And we are trying to avoid adding patches without incrementing the versions now.

Hello, chiming in to provide some hints, and see where some extensions or ironing is needed :slight_smile:

  • Archives no longer existing should no longer be a problem with opam 2’s cache: all upstream files are kept, indexed by their hash(es), and the policy is to never clean that cache. In other words, you can still download a package archive if the package has been removed from the repo, but you didn’t run opam update. Even if the upstream is no longer there.


  • The opam repository is on git, and you can use the same syntax as for pins to use it at a specific commit. Combined with the cache mentioned above, it means you can really re-use the exact same repository for your rebuilds.


    opam repo add locked-repo git+

    or even

    opam switch create reproducible --repos=locked-repo=git+

    Don’t know what hash you are currently on? It’s part of the output of opam config report.

Hope this helps!
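
The hash-indexed cache described in the post above only gives reproducibility if the archive that comes back still matches the checksums recorded in the package's opam file. The sketch below is an added example, not part of the original thread and not opam's own code: it reads the `checksum` field of a constructed `url` section, verifies the archive bytes against every declared hash, and derives a content-addressed key. The package name, URL, archive bytes and the `<algo>/<first two hex digits>/<hash>` key layout are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample data: stand-in archive bytes and the url section of a
# hypothetical package's opam file (not taken from any real package).
ARCHIVE = b"constructed stand-in for a release tarball\n"
OPAM_URL_SECTION = '''
url {
  src: "https://example.org/releases/demo-1.0.tbz"
  checksum: [
    "sha256=%s"
    "md5=%s"
  ]
}
''' % (hashlib.sha256(ARCHIVE).hexdigest(), hashlib.md5(ARCHIVE).hexdigest())


def declared_checksums(opam_text):
    """Return [(algo, hexdigest), ...] for every checksum string in the text."""
    found = re.findall(r'"(md5|sha256|sha512)=([0-9a-fA-F]+)"', opam_text)
    return [(algo, digest.lower()) for algo, digest in found]


def verify(data, checksums):
    """True only if at least one checksum is declared and all of them match."""
    if not checksums:
        return False  # an archive with no declared hash cannot be trusted
    return all(hashlib.new(algo, data).hexdigest() == digest
               for algo, digest in checksums)


def cache_key(algo, hexdigest):
    """Content-addressed lookup key (layout is an assumption of this example)."""
    return f"{algo}/{hexdigest[:2]}/{hexdigest}"


if __name__ == "__main__":
    sums = declared_checksums(OPAM_URL_SECTION)
    print("archive matches declared hashes:", verify(ARCHIVE, sums))
    print("tampered archive accepted:", verify(ARCHIVE + b"x", sums))
    for algo, digest in sums:
        print("cache key:", cache_key(algo, digest))
```

Because the key is derived from the content hash rather than the upstream URL, a replaced upstream tarball cannot silently stand in for the original: it fails verification and maps to a different key.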