@Heyji2 Heyji2 commented Nov 30, 2025

otp.0.2.1

Time-based One Time Password (OTP) based on RFC6238 with an HMAC-SHA1 algorithm and a 6-digit code in OCaml
It relies on the Cryptokit library for cryptography operations, as well as the Base32
library for base32 encoding. The library generates a QR Code with the qrc library. It is
tested against all test vectors provided in RFC 6238 and the test suite provides as well
a dynamic test which requires the use of a client authenticator (like Google Authenticator
or Microsoft Authenticator) as a final test.



🐫 Pull-request generated by opam-publish v2.7.0

Author

Heyji2 commented Nov 30, 2025

I don't know how checksums are computed, but my feeling is that when I publish my package, the tool does not overwrite the md5 and sha256 checksums, which are wrong... and install fails. I am running opam-publish on a Windows box.

Member

jmid commented Nov 30, 2025

I've written an explanation here: #28777 (comment)
I hope this helps.

TLDR: I'd suggest not writing checksums by hand into your repository's opam files, but instead letting opam-publish compute them for you.

Author

Heyji2 commented Nov 30, 2025

My understanding here is that the checks have failed because the checksums provided in the opam file are wrong (hence your recommendation to remove them). I will then remove the checksums from the opam file and publish a new version (0.2.2) which should hopefully pass the tests. Once the tests have passed, you (the maintainers) will merge the request and add the correct checksum to the package... am I right?

Author

Heyji2 commented Nov 30, 2025

Done here: #29004
Shall I close this PR then?

Member

jmid commented Nov 30, 2025

> Once the tests have passed, you (the maintainers) will merge the request and add the correct checksum to the package...am I right ?

We will merge the pull request (with the correct checksums, probably added by opam publish), but no, we won't do more than that. In particular, we won't touch the checksums.

For example, on #29004, opam publish has added the following fields to the opam-file it submitted:

url {
  src: "https://github.com/Heyji2/otp/archive/refs/tags/0.2.2.tar.gz"
  checksum: [
    "md5=358389b8f0869e47ecee646d39ce315b"
    "sha512=46982fc43ecc8ed857ef19add6a3dee6b33309d2fc957faf44d3e9547f173ddbfe137f9307437435d0534f7a999fa9dc4157ab74c4b96a3702805b3f3039ced4"
  ]
}

Have a look for yourself in https://github.com/ocaml/opam-repository/pull/29004/files

Since these are correct (you can confirm yourself with wget https://github.com/Heyji2/otp/archive/refs/tags/0.2.2.tar.gz and sha512sum 0.2.2.tar.gz), this is sufficient as long as the tag 0.2.2 is not altered on the https://github.com/Heyji2/otp repository.

That leaves an otp.opam file here: https://github.com/Heyji2/otp/blob/0.2.2/otp.opam
without url, src, and checksum, but that doesn't matter, because that opam-file is not used by ordinary users installing your package from the opam-repo with opam install otp.

Problems happen when a tag (and a checksum) is changed, because then an installation can fail for users.
It is thus essential that these are immutable, once a package version has been merged and published.
We therefore have a policy not to alter them.
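
An added example, not part of the thread and not opam's own code: the manual check described in the comment above (fetch the archive, hash it, compare with the opam file), written as a shell function that compares an archive with every digest in an opam file's checksum list. The function names, the return codes, the md5-only refusal and the `example.invalid` fixture are assumptions of this example, and the fixture archive is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify an archive against an opam file.

# List every "algo=hex" checksum entry in an opam file, one per line.
opam_checksums() {
  grep -oE '"(md5|sha256|sha512)=[0-9a-fA-F]+"' "$1" | tr -d '"'
}

# 0 = archive matches all listed digests; 1 = mismatch; 2 = nothing to check;
# 3 = only md5 listed (this example's own policy, not an opam rule).
verify_archive() {
  va_opam=$1; va_archive=$2; va_count=0; va_strong=0
  for va_entry in $(opam_checksums "$va_opam"); do
    va_algo=${va_entry%%=*}
    va_want=$(printf '%s' "${va_entry#*=}" | tr 'A-F' 'a-f')
    va_got=$("${va_algo}sum" "$va_archive" | cut -d' ' -f1)
    if [ "$va_got" != "$va_want" ]; then
      echo "MISMATCH $va_algo: opam file says $va_want, archive is $va_got" >&2
      return 1
    fi
    va_count=$((va_count + 1))
    if [ "$va_algo" != md5 ]; then va_strong=1; fi
  done
  if [ "$va_count" -eq 0 ]; then echo "no checksum entries found" >&2; return 2; fi
  if [ "$va_strong" -eq 0 ]; then echo "only md5 listed" >&2; return 3; fi
  return 0
}

# Constructed fixture: a stand-in archive plus an opam stanza holding its digests.
make_fixture() {
  mf_dir=$(mktemp -d)
  printf 'constructed archive bytes\n' > "$mf_dir/pkg.tar.gz"
  cat > "$mf_dir/opam" <<EOF
url {
  src: "https://example.invalid/pkg/archive/refs/tags/0.0.0.tar.gz"
  checksum: [
    "md5=$(md5sum "$mf_dir/pkg.tar.gz" | cut -d' ' -f1)"
    "sha512=$(sha512sum "$mf_dir/pkg.tar.gz" | cut -d' ' -f1)"
  ]
}
EOF
  echo "$mf_dir"
}

d=$(make_fixture); verify_archive "$d/opam" "$d/pkg.tar.gz" && echo "archive OK"
echo "moved tag" >> "$d/pkg.tar.gz"   # simulate the tag pointing at new content
verify_archive "$d/opam" "$d/pkg.tar.gz" || echo "digest check rejects the archive"
rm -rf "$d"
```

The second call fails because the published digests no longer describe the bytes behind the URL, which is the situation the immutability policy is meant to prevent.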

Member

jmid commented Nov 30, 2025

> Done here : #29004 Shall I close this PR then ?

I'll let you decide. If there is no difference in functionality between 0.2.1 and 0.2.2 (I haven't checked), then yes, it is probably best just to publish 0.2.2 and close this one.

Author

Heyji2 commented Nov 30, 2025

This PR (0.2.1) is just a mistake. It must be closed.

@Heyji2 Heyji2 closed this Nov 30, 2025