Hello Here is the latest OCaml Weekly News, for the week of September 23 to 30, 2025. Table of Contents ───────────────── OCaml security team ocaml-xmlerr 0.08.2 available Contract OCaml Engineer – Terrateam (Remote, 3 months) Mk-man module gil scm .cmd mini-svg version 0.03.13b, of 0.03.13 An efficient priority queue with low integer priorities Cmdliner 2.0.0 Detrow, a command-line calendar rpmfile 0.8.0+ library OCaml compiler office hours? (preparation thread) Other OCaml News Old CWN OCaml security team ═══════════════════ Archive: Hannes Mehnert announced ──────────────────────── Dear everyone, We are starting an effort to push security into OCaml. This is based on discussions in the OCaml Software Foundation with industry partners. The main goal is to have best practises similar to those of other programming language ecosystems. Reporting security issues ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ This entails a point of contact for the security team - which deals with communication between the person who found a security-relevant problem in OCaml software (named "reporter"), who can then contact us - the security team - instead of using a public bug tracker, and the upstream OCaml developer(s). We, the security team, will establish the three-way communication, and since we have a documented security disclosure process (which will be published soon), we will guide everyone through the process and ensure that timelines are met, CVE numbers are assigned, … Team composition ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ The OCaml security team currently consists of individual security experts and individuals representing company sponsors of the OCaml Software Foundation. Individual members participating on a personal capacity may be compensated for their time from the OCaml Software Foundation. The team currently consists of 7 members • Hannes Mehnert - individual, chair • Mindy - individual • Joe - individual • Edwin Török - individual • Nicolás Ojeda Bär - LexiFi • Louis Roché - ahrefs • Maxim Grankin - Bloomberg We're in the process to formalise the responsibilities of the team, our proposed disclosure process, and how to join & leave the team. Funding for security actions ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ In complement to the security disclosure process, we will accept funding requests for projects that make OCaml more secure (including guidelines how to develop OCaml in a secure way/what are common pitfalls; static analysis; dissemination tools; …). The OCaml Software Foundation will provide funding for these security actions. After this summer we will discuss this in more depth with the community. Next steps ╌╌╌╌╌╌╌╌╌╌ We will setup a website (similar to has) soon, and provide an email address for contacting us - security At ocamlDoT org is forwarding to our team. We plan to setup a mailing list for security announcements. But more on that at a later point, this brief post is mainly about the fact that this team starts to exist now, and is working on improving the security story of OCaml. If you have any questions for now, please feel free to discuss them in this announcement. Please be aware that it is vacation time soon, so we may not be very responsive. Hannes Mehnert later added ────────────────────────── Dear everyone, we’ve accomplished several tasks: • is now live • The public mailing list for security advisories is sympa.inria.fr/sympa/info/ocsf-ocaml-security-announcements – please subscribe if you’d like to receive security announcements • There’ll be a brief introduction at [Fun OCaml] and a talk at [OCaml workshop (ICFP)] )16:00 - 16:30 • We will have a public meeting for discussions on Oct 22nd 14:00 - 16:00 CEST (online, yet to be announced where) • There’s already the OCaml security advisory database (still empty, we’ll fill it over the next weeks) [Fun OCaml] [OCaml workshop (ICFP)] Hannes Mehnert then said ──────────────────────── We will have a public meeting for discussions on Oct 22nd 14:00 - 16:00 CEST (online, yet to be announced where) – save the date if you’re interested We settled on a platform, and will have the meeting at An agenda will be posted before the meeting. ocaml-xmlerr 0.08.2 available ═════════════════════════════ Archive: Florent Monnier announced ───────────────────────── This is an annouce for ocaml-xmlerr. *ocaml-xmlerr* version *0.08.2* is *available*. This main module of this package is a small module to read xml with errors. The main purpose was not to really read xml with errors, but to read html from the web. At the beginning I wrote in the read-me file that I wrote it in one afternoon, but this is without considering that in fact it was the third time I was trying to make something like this. One of the first attempt even probably took me almost a day. So we can not say that I succeed easily. In the .zip archive of ocaml-xmlerr version 0.08.2, you will find the different modules re-organized with dirs. And there are also two additional commands build on top of the first module. *htmlxtr* is a simple extractor for HTML from a simple template. Please read the man page for more description about how to use it: ┌──── │ $ man ./htmlxtr.1 └──── There is also *htmluxtr* - a simple extractor for .html using a simple un-template / re-template method. Please read the man page for more informations : ┌──── │ $ man ./htmluxtr.1 └──── There is a new example of use provided in the 'using' directory. There is a script to help you writing your pattern matching of xml fragments. The base module providing a list for tags and contents, the pattern matching is not done based on a tree-structure. And there is now an additional module to convert this flat-list structure into a tree structure, inside the addon directory. The report module has not been widely tested yet. This is not professional quality. If I'm not mistaken "amateur" is both pejorative, in both french and in english languages, exept if it's associated with "astronomer". [http://decapode314.free.fr/ocaml/xmlerr/] PS: if you edit my posts, I would prefer you edit the links with normal links (like above), please. PS-2 : I haven't been able to pattern-match all the opam packages with uxtr, the total doesn't match, I only find 38_000. [http://decapode314.free.fr/ocaml/xmlerr/] Contract OCaml Engineer – Terrateam (Remote, 3 months) ══════════════════════════════════════════════════════ Archive: Josh Pollara announced ────────────────────── Terrateam () is looking for an experienced OCaml engineer to join us on a 3-month contract. *About us* Terrateam is an open-source tool for GitOps-based Terraform automation. We are a small, bootstrapped team building infrastructure automation software used by enterprises. *The role* We are extending our OCaml codebase to support new functionality around Terraform state and plan execution. The work is primarily in OCaml, with a focus on systems programming, concurrency, and backend development. You’ll work directly with the founding team on scoped engineering projects and help push forward the internals of how Terraform can be used at scale. *Details* • Contract length: 3 months (with potential extension) • Compensation: competitive, commensurate with experience • Location: remote (EU timezone preferred) • Start date: as soon as possible *Requirements* • Strong background in OCaml development • Experience with systems programming or infrastructure tooling (Terraform or related) is a plus • Ability to work independently in a fast-moving environment If you are interested, please contact me directly at [josh@terrateam.io]. [josh@terrateam.io] Mk-man module ═════════════ Archive: Florent Monnier announced ───────────────────────── Mk-man tries to provide a simple way to write a man page, [http://decapode314.free.fr/ocaml2/mk_man/] and also with a similare module to produce the web page. [http://decapode314.free.fr/ocaml2/mk_man/] gil scm .cmd ════════════ Archive: Florent Monnier announced ───────────────────────── Gil-scm is not really an scm, (source management control), [http://decapode314.free.fr/ocaml2/gil/] it takes its inspiration from an scm, but it should more be considerated as a "snapshot-management-script". It can output an .html interface of the following versions: [example] [http://decapode314.free.fr/ocaml2/gil/] [example] mini-svg version 0.03.13b, of 0.03.13 ═════════════════════════════════════ Archive: Florent Monnier announced ───────────────────────── The release "0.03.13" has been deleted, because chat-gpt informed me that the repository replicating some mondrian art hosted at github has been deleted. The rel-0.03.13 was also containing some pop-art replications, with random additions. So these elements have been deleted, and are not there in "0.03.13b" anymore. Sorry for the inconveniance. PS: [mini-svg] PS2: mini-svg is not professional quality. PS3: To the extent permitted by law, you can use mini-svg with any spdx license. [mini-svg] An efficient priority queue with low integer priorities ═══════════════════════════════════════════════════════ Archive: François Pottier announced ────────────────────────── Hello, I am happy to announce the release of `intPQueue', a package that offers (two variants of) an efficient priority queue, which is restricted to scenarios where the priorities are low integers. See the [documentation]. ┌──── │ opam update && opam install intPQueue └──── Happy queueing, François. [documentation] Cmdliner 2.0.0 ══════════════ Archive: Daniel Bünzli announced ─────────────────────── Hello, It is my pleasure to announce the release of cmdliner 2.0.0. Cmdliner is a library that allows the declarative definition of command line interfaces with outstanding support for command line interface user conventions and standards. The main points of this release are: • ANSI styled error and deprecation messages ([details]) • Support for manpage installation ([details]) • Support for shell auto-completion ([details]) The latter was made possible by good initial [ground work] of @andreypopp who can now claim to have unblocked my mind and the [very first] and 11 years old Cmdliner issue. Many thanks to him! This addition has the following consequences: 1. The problematic feature that allowed you to specify command names, option names and enumerant values by a prefix if the prefix was unambiguous has now been removed. See [this issue] for the rationale. Set `CMDLINER_LEGACY_PREFIXES=true' in your environment if you find yourself in need of a quick backward compatibility fix because one of your scripts is failing due to a prefix being used (but do eventually correct the script!). 2. It finally triggered making the type `Arg.conv' abstract as [announced] it would become in 2017. See [this issue] for details. If you are a user of cmdliner based tools. You may want to have at a look how to [configure your shell] in order to benefit from their completion scripts, especially if said tools are installed via `opam'. After installing `cmdliner' you should be able to check that your configuration works correctly on the new `cmdliner' tool that now gets installed with cmdliner itself. For other changes that may affect you or your users please head to the [release notes] which have many other details. Other than that a full pass was made over the documentation to try to improve and bring it up-to-date with the latest style and additions. Notably the [tutorial] and [examples] were updated to make use of the binding operators; however obscure [let punning] may feel, these are less error prone as your number of cli arguments grow. I also added a [cookbook] which tries to distill in shorter snippets some of cmdliner's features and the experience I gathered over the past 14 years of using cmdliner to define dozens of command line interfaces. It includes [source code structure tips] and a few bootstrapping [blueprints] to cut and paste for when you start your next command line tool. For this release I'm very thankful to a private one-time donation[^1], a grant from the [OCaml software foundation] and, as always, my few but faithfull [donors]. All of which are essential for these releases to eventually get out. They do take quite a bit longer to devise that one would expect :–) Home page: API docs & manuals: or `odig doc cmdliner' Install: `opam install cmdliner' (once [the PR] is merged, may take a few days) Best, Daniel [^1]: Which are as nice as recurring donations ;–) [details] [details] [details] [ground work] [very first] [this issue] [announced] [this issue] [configure your shell] [release notes] [tutorial] [examples] [let punning] [cookbook] [source code structure tips] [blueprints] [OCaml software foundation] [donors] [the PR] Daniel Bünzli later added ───────────────────────── To follow up on the completion feature. It should be stressed that I don't consider it to be fully "done" as it stands. I'm pretty sure the completion API, protocol, features and the generic completion scripts can be improved. The main problem is that it seems shell programmers are more interested in cajoling the look of their prompts than defining sane cross-shell standard protocols for tool/shell interaction. The current completion mecanisms are [broken] beyond imagination. Issues about completion are tagged accordingly in the issue tracker. Do not hesitate to chime in if you have ideas or more knowledge than I do for improvements. I'm also happy to add support for more shells but it's better if you help for that because working with shells makes me want to throw my computer out of the window. Meanwhile I'd like to show two completion feature that I'm quite happy to have support for in this release. [broken] Context sensitive completion ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ The idea here, suggested by @andreypopp, is that completion can depend on a context that is specified via a cmdliner term itself. This is typically useful for configuration dependent completions: you have a cmdliner term that represents your configuration and you access it when doing a completion. For example in the next release of `odig' you can autocomplete package names on `odig doc [PKG]'. The available packages depend on looking up a libdir which can be specified with a command line argument itself. So for example this completes according to the automatic libdir lookup ┌──── │ # Auto discovered libdir │ > odig doc c␉ │ camlp-streams checkseum cmarkit camlpdf cairo2 │ containers cmdliner cpuid cppo cpdf │ cstruct-lwt cstruct ctypes crunch csexp │ ctypes-foreign └──── But the following looks for packages in another switch: ┌──── │ # Explicit libdir │ > odig doc c␉ --lib-dir $(opam var lib --switch=myswitch) │ capitalization cerberus-lib calendar charon │ core_kernel core_unix cmdliner cppo core │ cstruct csexp └──── [The commit] that implements this in `odig' is rather straightforward, it simply reuses the existing `conf' term for the completion context. Also the cookbook has a [simple self-contained example] to start from. [The commit] [simple self-contained example] Compositional completion (restart and raw) ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ The second completion feature is to retain completion on the tools that another tool invokes – commands like `sudo'. For example in the `b0' tool, the build system I'm using for all my developments. The `b0 vcs [OPTION]… -- VCS [ARG]…' command allows to bulk operate the VCSs of the projects you included in a `B0.ml' build description file. Using appopriate cmdliner completion directives the completion of this command first completes the `VCS' enum (which can be `git' or `hg') and then gracefully drops back to the completion of your VCS: ┌──── │ > b0 vcs -- ␉ │ git hg -- │ > b0 vcs -- git sh␉ │ shell -- restricted login shell for GIT-only SSH access │ shortlog -- summarize git log output │ show -- show various types of objects │ show-branch -- show branches and their commits │ show-index -- show packed archive index │ show-ref -- list references in a local repository └──── This is a [restart] completion type. It restarts the completion context as if the cli started after the `--' token. It is the kind of behaviour you want from e.g. `opam exec', though arguably in the case of `opam exec' it will be sligthly misleading since completions will occur using the outer environment rather than the one setup by `opam exec -- TOOL [ARG]…'. Still, sometimes inaccurate completion is better than no completion. Note that this would be quite easy to solve with a good cross-shell completion standard: just invoke `TOOL' in the environment setup by `opam exec' according to the completion standard (e.g. the [cmdliner completion protocol]) and propagate the result back in the completion for `opam exec', but we do not live in that world. Still the API is ready for such a technique to be used, by using a [raw] completion type (I [use this] in `b0' to complete custom, library and user-defined, actions like `b0 -- .opam' or `b0 -- .ocaml'). [restart] [cmdliner completion protocol] [raw] [use this] Detrow, a command-line calendar ═══════════════════════════════ Archive: Florent Monnier announced ───────────────────────── [Detrow] is a command-line calendar which displays the months of a calendar in colomns. (So each days of months are aligned in rows) (With [Detris], months are displayed in a similar way than the cal unix command.) You can download it with the following command: ┌──── │ wget http://decapode314.free.fr/ocaml2/detrow/dl/0.01b/detrow.ml └──── Then you can call it like this: ┌──── │ $ \ocaml detrow.ml └──── It will display the first half of the month, Januray until June. If you want the second half of the year, Jully until December, you can call it again with: ┌──── │ $ \ocaml detrow.ml b └──── The first half, can also be called with the "a" parameter: ┌──── │ $ \ocaml detrow.ml a └──── If you call it like this: ┌──── │ $ \ocaml detrow.ml ann-file 2025 b └──── With the file called "ann-file" containing: ┌──── │ $ cat ann-file │ 2025-09-27: detrow-ann └──── You will see the string `"detrow-ann"` displayed in the calendar in front of the day `"2025-09-27"`. (The number of chars that can be displayed is lower than 8 (`< 8').) [Detrow] [Detris] rpmfile 0.8.0+ library ══════════════════════ Archive: Mikhail announced ───────────────── Hello, I am pleased to announce the next /major/ version of [my library for reading RPM packages], powered by [Angstrom]. ┌──── │ # #require "rpmfile";; │ │ # let pkg = │ In_channel.with_open_bin │ "hello-2.12.2-2.fc43.x86_64.rpm" │ Rpmfile.Reader.of_channel │ |> Result.get_ok;; │ │ # Rpmfile.View.name pkg;; │ - : string = "hello" │ │ # Rpmfile.View.vendor pkg;; │ - : string = "Fedora Project" │ │ # Rpmfile.View.version pkg;; │ - : string = "2.12.2" └──── This release has *broken the previous API* and made it simpler and more compact. Added capture of the payload of the RPM package body. But it is not effective enough. ┌──── │ # pkg.payload;; │ - : string option = None └──── You can implement this functionality manually using [Lwt] and angstrom-lwt-unix or something else. ┌──── │ (* examples/extract_payload_by_lwt.ml *) │ │ let default_tags_selector = │ Rpmfile.Reader. │ { │ predicate_signature_tag = Fun.const true; │ predicate_header_tag = Fun.const true; │ } │ │ let pkg_parser = │ Rpmfile.Reader.make_package_parser ~capture_payload:false │ ~tags_selector:default_tags_selector │ │ let () = │ let open Lwt.Syntax in │ Lwt_main.run │ @@ │ let* ic = Lwt_io.open_file ~mode:Input "hello.rpm" in │ let* _pkg = │ let* b, r = Angstrom_lwt_unix.parse pkg_parser ic in │ let+ _ = Lwt_io.set_position ic (Int64.of_int b.off) in │ Result.get_ok r │ in │ let* payload = Lwt_io.read ic in │ │ (* ... *) └──── … :pie: [my library for reading RPM packages] [Angstrom] [Lwt] OCaml compiler office hours? (preparation thread) ═════════════════════════════════════════════════ Archive: Continuing this thread, gasche announced ──────────────────────────────────────── Given the current votes, I propose to pick *Friday October 10th* UTC 11:00 – UTC 12:30* as the time slot for this test run of OCaml compiler office hours. Save the date! I propose to try [This online meeting room] (this is a BigBlueButton instance hosted by the French government for public workers), and take notes on [this collaborative pad]. I am planning to join audio-only to save bandwidth, but people are free to do as they prefer. A reminder on the format, topic: Format: a synchronous remote meeting (voice with optional video), backed by a collaborative pad to record questions, take notes, share links etc. People can join and leave at any time during the office hours. Topic: anything related to the development of the OCaml compiler, that is, the github/ocaml/ocaml project. (All topics and questions are welcome, at all levels of knowledge and familiarity with the compiler.) [This online meeting room] [this collaborative pad] Other OCaml News ════════════════ >From the ocaml.org blog ─────────────────────── Here are links from many OCaml blogs aggregated at [the ocaml.org blog]. • [A second foray into agentic coding] • [Model Validation & Time Utilities Sprint: From Basic Models to Proper Validation Layer] • [Parsimoni Joins Techstars' Autumn 2025 Programme!] • [Retrofitting a build system into a compiler] • [Caching opam solutions - part 2] • [Upcoming OCaml Events] [the ocaml.org blog] [A second foray into agentic coding] [Model Validation & Time Utilities Sprint: From Basic Models to Proper Validation Layer] [Parsimoni Joins Techstars' Autumn 2025 Programme!] [Retrofitting a build system into a compiler] [Caching opam solutions - part 2] [Upcoming OCaml Events] Old CWN ═══════ If you happen to miss a CWN, you can [send me a message] and I'll mail it to you, or go take a look at [the archive] or the [RSS feed of the archives]. If you also wish to receive it every week by mail, you may subscribe to the [caml-list]. [Alan Schmitt] [send me a message] [the archive] [RSS feed of the archives] [caml-list] [Alan Schmitt]