Once upon a time, there was a hash algorithm (MD5) used widely in the opam-repository. This hash algorithm suffered from cryptographic flaws.
Take a look into the corresponding issue: ocaml/opam-repository#25876
Thanks to the great work in opam itself (esp. opam admin -
https://github.com/hannesm/opam/tree/migrate-extra-files), we wrote some
tooling to move over that weak and brittle period in time. But who'd trust a
programmer?
So, opam-check-checksum takes as input two opam-repositories.
Let's clone 6ed19e3 as old-opam and 2730ed6 as new-opam:
$ git clone https://github.com/ocaml/opam-repository.git old-opam
$ cd old-opam ; git checkout 6ed19e3 ; cd ..
$ git clone https://github.com/hannesm/opam-repository.git new-opam
$ cd new-opam ; git checkout 2730ed6 ; cd ..
Ok, now we can run
$ _build/default/opam_check_checksum.exe --old-opam-repo=`pwd`/old-opam --opam-repo=`pwd`/new-opam
And see the results, mainly whether the old hashes are included in the new ones, and all previously known extra-files now have an entry as extra-source.