[Fedora-packaging] ocaml signature hashing: really necessary?

Richard W.M. Jones rjones at redhat.com
Fri Jun 15 11:29:13 UTC 2007


Axel Thimm wrote:
> I wonder whether this is maybe overdesigned. AFAIU this signature
> hashing was made because ocaml is not considered stable enough to
> carry over signatures from release to release.
> 
> Same could be told about hundreds of C libraries, wouldn't the
> necessity in ocaml then imply a necessity to hash C-library APIs as
> well? Maybe it's something we will consider to do someday, but the
> order would be to cater for C/C++/Fortran/etc libraries first and then
> for niche languages like ocaml.
> 
> I think it's a bit too much, or did I miss something important (I'm
> not a real ocaml user, there is just this one application that even
> justifies ocaml's existence ;)

No, it's really necessary and has nothing to do with stability or 
otherwise of OCaml (which is a very mature language that has been around 
in one form or another since the mid 80s).

When OCaml compiles a library A, it takes a hash over the whole 
interface -- every single function, every argument to every function, 
and some of the internals, are just some of the things included in this 
hash.

When OCaml compiles library B which depends on library A, it encodes the 
hash of A into B.

Now we come to link a program against library B (and hence against 
library A).  The hashes are checked and the linking will fail if, for 
example, the hash of A has changed since B was compiled.

C has only weak checking in comparison.  Sure, you can change a library, 
but you'd better hope for example that some struct in that library 
didn't change the size of one of its fields.  If it did your program 
will still link, but will fail in interesting ways at runtime.

OCaml's checking has the big downside, which is that it goes above and 
beyond what is necessary for just checking compatibility.  For example, 
you can't add more functions to library A, even though such a change is 
probably safe.  Nevertheless, RPM hashes are just enforcing what the 
OCaml linker enforces, and without them you'd be able to install 
incompatible OCaml RPMs which won't actually work together.

Rich.

-- 
Emerging Technologies, Red Hat - http://et.redhat.com/~rjones/
Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod
Street, Windsor, Berkshire, SL4 1TE, United Kingdom.  Registered in
England and Wales under Company Registration No. 03798903
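
The compile-time recording and link-time check described in the message above, as an added example that is not part of the original message and is not OCaml's or RPM's own code. It is a simplified Python model: the SHA-256 stand-in hash, the dictionary layout, and the `ocaml(NAME) = HASH` dependency string format are assumptions made for illustration.

```python
import hashlib

def interface_digest(signatures):
    # Hash every exported name together with its type (SHA-256 is a stand-in
    # for whatever hash the compiler uses).
    text = "\n".join(f"{n} : {t}" for n, t in sorted(signatures.items()))
    return hashlib.sha256(text.encode()).hexdigest()[:16]

def compile_unit(name, signatures, deps=()):
    # Record the unit's own digest plus the digest of each dependency as it
    # was at compile time.
    return {"name": name,
            "digest": interface_digest(signatures),
            "imports": {d["name"]: d["digest"] for d in deps}}

def link(units):
    # Return the list of inconsistencies; an empty list means the link succeeds.
    current = {u["name"]: u["digest"] for u in units}
    return [f"{u['name']} was compiled against a different {dep}"
            for u in units
            for dep, recorded in u["imports"].items()
            if current.get(dep) != recorded]

def rpm_provides(unit):
    # Hypothetical dependency string format, used for illustration only.
    return f"ocaml({unit['name']}) = {unit['digest']}"

def rpm_requires(unit):
    return [f"ocaml({dep}) = {digest}" for dep, digest in unit["imports"].items()]

def installable(packages):
    # Every Requires must be matched exactly by some package's Provides.
    provided = {rpm_provides(p) for p in packages}
    return all(r in provided for p in packages for r in rpm_requires(p))

# Constructed sample interfaces.
A_V1 = {"parse": "string -> t", "size": "t -> int"}
A_V2 = dict(A_V1, to_string="t -> string")   # only adds a function
B_SIG = {"load": "string -> int"}

a1 = compile_unit("A", A_V1)
a2 = compile_unit("A", A_V2)
b = compile_unit("B", B_SIG, deps=[a1])       # B built against A v1

if __name__ == "__main__":
    print(link([a1, b]))         # consistent set
    print(link([a2, b]))         # A changed after B was built
    print(installable([a2, b]))  # package-level check on the same pair
```

Rebuilding B against the new A (`compile_unit("B", B_SIG, deps=[a2])`) makes both checks pass again, which is why a change to A forces a rebuild of everything that depends on it.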