opam icon indicating copy to clipboard operation
opam copied to clipboard
verified publisher icon ocaml

`opam show` displays a `source-hash` that is not the installed commit

Open Halbaroth opened this issue 3 months ago • 4 comments

Let's image that you use opam pin to install a modified dependency. After modifying the code, you expect that running opam pin again will update the installed package to the latest commit. However, the installed package is not updated and the source-hash outputs by opam show is wrong: it does not agree with the current installed version!

The following MRE to reproduce the bug:

cd /tmp
git clone --depth 1 https://github.com/geneweb/unidecode.git
cd unidecode
opam switch create . --deps-only
eval $(opam env)
git switch -c foo
echo "_opam/" >> .gitignore
echo "(* FOO *)" >> src/unidecode.mli
git commit . -m "foo"
opam pin unidecode . -y
cat _opam/lib/unidecode/unidecode.mli | grep FOO
echo "(* BAR *)" >> src/unidecode.mli
git commit . --amend
opam pin unidecode . -y
cat _opam/lib/unidecode/unidecode.mli | grep BAR

The latest command failed but git rev-parse HEAD and opam show unidecode | grep source-hash have the same output.

A first workaround failed too:

opam unpin unidecode -n
opam pin unidecode . -y
cat _opam/lib/unidecode/unidecode.mli | grep BAR

This workaround successes:

opam unpin unidecode 
opam pin unidecode . -y
cat _opam/lib/unidecode/unidecode.mli | grep BAR

But it's inefficient to have to install the package from the opam-repository just to update the local version.

EDIT: my version of opam is 2.3.0.

Halbaroth avatar Aug 30 '25 11:08 Halbaroth

EDIT: my version of opam is 2.3.0.

Would you be able to try with the latest stable version of opam (2.4.1) ?

You can install it using:

bash -c "sh <(curl -fsSL https://opam.ocaml.org/install.sh)"

kit-ty-kate avatar Aug 30 '25 17:08 kit-ty-kate

Also note that the source-hash discrepancy part of your ticket is a duplicate of https://github.com/ocaml/opam/issues/3567, which is not hard to do but not trivial either. So far it hasn't been deemed critical compared to other larger issues we've been working on fixing, but in time we'll get to it. In the meantime, you're welcome to contribute a fix if you have the time though.

kit-ty-kate avatar Aug 30 '25 17:08 kit-ty-kate

@rjbou managed to reproduce the faulty opam pin add behaviour. We're looking into it

kit-ty-kate avatar Sep 01 '25 12:09 kit-ty-kate

Thanks for your help. I was certain this issue was a duplicate because I ran into this bug several times last years. I didn't manage to find #3567 by myself.

The bug is still present with the latest stable version.

I quickly checked the code and it makes sense that opam pin does not update the pinned package because it does not check the hash. In opamPinCommand, I found this definition:

      let no_changes =
        target_url = Stdlib.Option.map OpamFile.URL.url cur_urlf &&
        (version = Some cur_version || version = None)
      in

As both url and version does not contain the hash, it cannot detect the change.

Halbaroth avatar Sep 01 '25 12:09 Halbaroth