OCaml Weekly News

Hello

Here is the latest OCaml Weekly News, for the week of January 06 to 13, 2026.

camlid: A library for building C stub generators

François Bobot announced

Dear all,

I'm happy to announce the first release of camlid (documentation).

While there are many C stub generators for OCaml, camlid takes a different approach: it is an OCaml library designed to help you build custom C stub generators.

Key Comparisons:

  • Vs. Ctypes: Manipulation of C structures stays in C. You don't need to replicate C type descriptions in OCaml, keeping the compilation and maintenance simple.
  • Vs. Camlidl/SWIG: The generator is written in pure OCaml. This makes it easier to factorize and customize your bindings without resorting to m4, sed, or complex external DSLs.

Highlighted Features:

  • Library-specific initialization: Easily handle data structure setup.
  • Native Optimization: supports unboxed/untagged parameters in native mode.
  • Automated Definitions: Automatically generates the C/OCaml definitions your generated code uses. Referencing a generated C function name in your generated OCaml code automatically triggers its generation in the C file.
  • Free Variables: Generated functions can contain free variables that are automatically added as formal parameters. This allows you to easily pass a global "context" or "handle" through a generic function without manual boilerplate.

Example Usage: Using the built-in helpers, a generator is as simple as:

open Camlid
open Helper

let () = Generate.to_file
    (* Indicates the basename used for the generated files *)
    "mylib"
    (* Indicates header to include *)
    ~headers:["alib.h"]
    [
      func "f_input" [ input int_trunc ];
      func "f_output" [ output (ptr_ref int_trunc) ];
      func "f_with_res" [] ~result:int_trunc;
      func "f_no_arg_no_result" [];
    ]

Only the mli of the generated module remains to be written with the documentation. For the first function above, the parameter is correctly marked as untagged (for OCaml versions that support it):

external f_input: (int [@untagged]) -> unit = "camlid_stub_f_input_byte" "camlid_stub_f_input"

A more complex example (converting the flint binding from Ctypes) can be found here.

The API is still experimental, and I would love to hear your feedback on the organization and naming! The package is already in the opam repository.

(The modern-ocaml template is awesome!)

restricted 1.1 - Restrict possible system operations and filesystem view of your program

removewingman announced

Hello,

I would like to announce a new package restricted.

This library lets you limit which system operations and which parts of the filesystem your program can access. Call it as early as possible in your program so that the rest of the code runs with reduced privileges. Currently, actual enforced restrictions are implemented for these operating systems:

  • OpenBSD

Even on other operating systems, you can still use restricted to document which privileges your program needs. Users can then test that your program respects these promises with tools such as pledge on Linux. Enjoy ;)

This is my first OCaml library, so feel free to give feedback.

OCaml Security Team 2025 End-Of-Year Report

Hannes Mehnert announced

In May of 2025, the OCaml Software Foundation encouraged the formation of an OCaml Security Team, which would handle issues and provide guidance for improving software security in the OCaml ecosystem. Throughout 2025, the team has been building structure and procedures to accomplish these goals. A regular public update on the team's activity is among many good ideas taken from the Haskell Security Response Team, and we hope the community will find this first public update useful.

The team consists of:

  • Hannes Mehnert - @hannesm - individual, robur.coop
  • Mindy Preston - @yomimono - individual
  • Joe - @cfcs - individual
  • Edwin Török - @edwintorok - individual
  • Nicolás Ojeda Bär - @nojb - LexiFi
  • Louis Roché - @Khady - ahrefs
  • Boning Dong - Bloomberg

Until December 2025:

  • Maxim Grankin - @maxim092001 - Bloomberg

The newly created website ocaml.org/security gives some guidelines for people finding security issues.

Contact and Disclosure Process

The team established a procedure for reporting security issues as one of its first activities. The security disclosure process is available at https://github.com/ocaml/security-advisories?tab=readme-ov-file#reporting-vulnerabilities . The OCaml Security Team can also be contacted at security@ocaml.org for matters besides vulnerability disclosure. Mails to security@ocaml.org are not public.

The public, announce-only mailing list https://sympa.inria.fr/sympa/info/ocsf-ocaml-security-announcements will broadcast information on security advisories.

These procedures were announced in July 2025.

Vulnerability Database

A public vulnerability database for OCaml software is another of the Security Team's goals. We intend to accomplish this by publishing information from the existing, but empty https://github.com/ocaml/security-advisories to the public osv.dev database (again borrowing a good idea from the Haskell SRT). Some work on a pipeline for publishing advisories there and backporting existing advisories is ongoing.

Tool development

An OCaml library that supports the package URL "purl" was developed and released to the opam-repository (https://github.com/hannesm/purl, https://ocaml.org/p/purl/latest). In the process, we propose to make the policy for opam-repository more strict to have immutable packages (where the source is not modified): https://github.com/ocaml/opam-repository/pull/29072. We also propose to integrate opam into the package URL specification https://github.com/package-url/purl-spec/pull/763.

The vulnerability database mentioned above hosts advisories in markdown (with some opam-file-format metadata header). We developed tooling to convert these into json (following the json schema from osv.dev). We also made OCaml/opam known for the schema https://github.com/ossf/osv-schema/pull/473.

Public Meetings and Presentations

On September 15, Hannes Mehnert gave an introduction to the OCaml Security Team at FUN OCaml in Warsaw.

Maxim Grankin gave a talk "Towards a More Secure OCaml Ecosystem" at the OCaml Users and Developers Workshop in October of 2025, which is available at https://www.youtube.com/watch?v=PekeGxGlc3Q .

On October 22 2025, the Security Team held a public meeting, for which the notes are available at https://pad.data.coop/7-Ic5rG6ToynsW02hJsndg?both .

Advisories

A potential clickjacking issue with ocurrent's web interface was reported to the Security Team by Kunal Mhaske and was fixed by Mark Elvers in https://github.com/ocurrent/ocurrent/pull/465 .

No other communications with the security team have resulted in publicly available remediation information or advisories.

Future Plans

The Security Team has received a lot of interest in the advisory database mentioned above, and this work is a high priority for the team.

The Security Team also hopes to publish security guides for OCaml programmers and project maintainers.

The OCaml Software Foundation has indicated that some funding may be available for projects that make OCaml more secure. The Security Team is actively developing a process for soliciting and evaluating proposals, as discussed in the October public meeting.

Acknowledgements

The Security Team is an initiative of the OCaml Software Foundation and is grateful to the OCSF and its sponsors for their support.

Lwt.6.0.0 release (direct-style, tracing)

Raphaël Proust announced

Version 6.0.0 of Lwt has been released through opam! This new version of Lwt brings the following notable additions:

  • Lwt_direct: a package/library for using Lwt in direct-style. (Contribution from @c-cube)
  • Lwt_runtime_events: a package/library for emitting runtime-events.

Check the release notes for a full changelog, including removal of some deprecated values.

Other OCaml News

Old CWN

If you happen to miss a CWN, you can send me a message and I'll mail it to you, or go take a look at the archive or the RSS feed of the archives.

If you also wish to receive it every week by mail, you may subscribe to the caml-list.