Hello Here is the latest OCaml Weekly News, for the week of January 06 to 13, 2026. Table of Contents ───────────────── camlid: A library for building C stub generators restricted 1.1 - Restrict possible system operations and filesystem view of your program OCaml Security Team 2025 End-Of-Year Report Lwt.6.0.0 release (direct-style, tracing) Other OCaml News Old CWN camlid: A library for building C stub generators ════════════════════════════════════════════════ Archive: François Bobot announced ──────────────────────── Dear all, I'm happy to announce the first release of [camlid] ([documentation]). While there are many C stub generators for OCaml, **camlid** takes a different approach: it is an OCaml library designed to help you build custom C stub generators. *Key Comparisons*: • Vs. *Ctypes*: Manipulation of C structures stays in C. You don't need to replicate C type descriptions in OCaml, keeping the compilation and maintenance simple. • Vs. *Camlidl/SWIG*: The generator is written in pure OCaml. This makes it easier to factorize and customize your bindings without resorting to `m4', `sed', or complex external DSLs. *Highlighted Features*: • *Library-specific initialization*: Easily handle data structure setup. • *Native Optimization*: supports `unboxed~/~untagged' parameters in native mode. • *Automated Definitions*: Automatically generates the C/OCaml definitions your generated code uses. Referencing a generated C function name in your generated OCaml code automatically triggers its generation in the C file. • *Free Variables*: Generated functions can contain free variables that are automatically added as formal parameters. This allows you to easily pass a global "context" or "handle" through a generic function without manual boilerplate. *Example Usage*: Using the built-in helpers, a generator is as simple as: ┌──── │ open Camlid │ open Helper │ │ let () = Generate.to_file │ (* Indicates the basename used for the generated files *) │ "mylib" │ (* Indicates header to include *) │ ~headers:["alib.h"] │ [ │ func "f_input" [ input int_trunc]; │ func "f_output" [ output (ptr_ref int_trunc)]; │ func "f_with_res" [] ~result:int_trunc; │ func "f_no_arg_no_result" []; │ ] └──── Only the `mli' of the generated module remains to be written with the documentation. For the first function above, the parameter is correctly marked as `untagged' (for OCaml versions that support it): ┌──── │ external f_input: (int [@untagged]) -> unit = "camlid_stub_f_input_byte" "camlid_stub_f_input" └──── A more complex example (converting the `flint' binding from Ctypes) can be found [here]. The API is still experimental, and I would love to hear your feedback on the organization and naming! The package is already in the opam repository. (The [modern-ocaml] template is awesome!) [camlid] [documentation] [here] [modern-ocaml] restricted 1.1 - Restrict possible system operations and filesystem view of your program ════════════════════════════════════════════════════════════════════════════════════════ Archive: removewingman announced ─────────────────────── Hello, I would like to announce a new package [restricted]. This library lets you limit which system operations and which parts of the filesystem your program can access. Call it as early as possible in your program so that the rest of the code runs with reduced privileges. Currently, actual enforced restrictions are implemented for these operating systems: • OpenBSD Even on other operating systems, you can still use `restricted' to document which privileges your program needs. Users can then test that your program respects these promises with tools such as [pledge on Linux]. Enjoy ;) • opam: • homepage: • Documented Interface and Examples: • License: [AGPL] This is my first ocaml library so feel free to give feedback. [restricted] [pledge on Linux] [AGPL] OCaml Security Team 2025 End-Of-Year Report ═══════════════════════════════════════════ Archive: Hannes Mehnert announced ──────────────────────── OCaml Security Team 2025 End-Of-Year Report ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ In May of 2025, the OCaml Software Foundation encouraged the formation of an OCaml Security Team, which would handle issues and provide guidance for improving software security in the OCaml ecosystem. Throughout 2025, the team has been building structure and procedures to accomplish these goals. A regular public update on the team's activity is among many good ideas taken from the Haskell Security Response Team, and we hope the community will find this first public update useful. The team consists of: • Hannes Mehnert - @hannesm - individual, robur.coop • Mindy Preston - @yomimono - individual • Joe - @cfcs - individual • Edwin Török - @edwintorok - individual • Nicolás Ojeda Bär - @nojb - LexiFi • Louis Roché - @Khady - ahrefs • Boning Dong - Bloomberg Until December 2025: • Maxim Grankin - @maxim092001 - Bloomberg The newly created website [ocaml.org/security] gives some guidelines for people finding security issues. [ocaml.org/security] Contact and Disclosure Process ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ The team established a procedure for reporting security issues as one of its first activities. The security disclosure process is available at . The OCaml Security Team can also be contacted at security@ocaml.org for matters besides vulnerability disclosure. Mails to security@ocaml.org are not public. The public, announce-only mailing list will broadcast information on security advisories. These procedures were [announced in July 2025]. [announced in July 2025] Vulnerability Database ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ A public vulnerability database for OCaml software is another of the Security Team's goals. We indend to accomplish this by publishing information from the existing, but empty to the public [osv.dev] database (again borrowing a good idea from the Haskell SRT). Some work on a pipeline for publishing advisories there and backporting existing advisories is ongoing. [osv.dev] Tool development ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ An OCaml library that supports the [package URL] "purl" was developed and released to the opam-repository (, ). In the process, we propose to make the policy for opam-repository more strict to have immutable packages (where the source is not modified): . We also propose to integrate opam into the package URL specification . The vulnerability database mentioned above hosts advisories in markdown (with some opam-file-format metadata header). We developed [tooling] to convert these into json (following the json schema from osv.dev). We also made OCaml/opam known for the schema . [package URL] [tooling] Public Meetings and Presentations ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ On September 15, Hannes Mehnert gave an introduction to the OCaml Security Team at [FUN OCaml] in Warsaw. Maxim Grankin gave a talk ["Towards a More Secure OCaml Ecosystem"] at the OCaml Users and Developers Workshop in October of 2025, which is available at . On October 22 2025, the Security Team held a public meeting, for which the notes are available at . [FUN OCaml] ["Towards a More Secure OCaml Ecosystem"] Advisories ╌╌╌╌╌╌╌╌╌╌ A potential clickjacking issue with ocurrent's web interface was reported to the Security Team by Kunal Mhaske was fixed by Mark Elvers in . No other communications with the security team have resulted in publicly available remediation information or advisories. Future Plans ╌╌╌╌╌╌╌╌╌╌╌╌ The Security Team has received a lot of interest in the advisory database mentioned above, and this work is a high priority for the team. The Security Team also hopes to publish security guides for OCaml programmers and project maintainers. The OCaml Software Foundation has indicated that some funding may be available for projects that make OCaml more secure. The Security Team is actively developing a process for soliciting and evaluating proposals, as discussed in the October public meeting. Acknowledgements ╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌╌ The Security Team is an initiative of the OCaml Software Foundation and is grateful to the OCSF and its sponsors for their support. Lwt.6.0.0 release (direct-style, tracing) ═════════════════════════════════════════ Archive: Raphaël Proust announced ──────────────────────── Version 6.0.0 of Lwt has been [released] through opam! This new version of Lwt brings the following notable additions: • Lwt_direct: a package/library for using Lwt in direct-style. (Contribution from @c-cube) • Lwt_runtime_events: a package/library for emmitting runtime-events. Check the [release notes] for a full changelog), including removal of some deprecated values. [released] [release notes] Other OCaml News ════════════════ >From the ocaml.org blog ─────────────────────── Here are links from many OCaml blogs aggregated at [the ocaml.org blog]. • [OCaml Roundup: December 2025] • [Opam 104: Sharing Your Code] • [Devcontainer for using O(x)Caml and Claude in your projects] • [What would make OCaml serverless ready?] • [Fun with Algebraic Effects - from Toy Examples to Hardcaml Simulations] [the ocaml.org blog] [OCaml Roundup: December 2025] [Opam 104: Sharing Your Code] [Devcontainer for using O(x)Caml and Claude in your projects] [What would make OCaml serverless ready?] [Fun with Algebraic Effects - from Toy Examples to Hardcaml Simulations] Old CWN ═══════ If you happen to miss a CWN, you can [send me a message] and I'll mail it to you, or go take a look at [the archive] or the [RSS feed of the archives]. If you also wish to receive it every week by mail, you may subscribe to the [caml-list]. [Alan Schmitt] [send me a message] [the archive] [RSS feed of the archives] [caml-list] [Alan Schmitt]