Merge of invalid opam file packages/color/color.0.3.0 broke the repo

[shonfeder]

Transferred from ocaml/infrastructure#164

Due to the merge of an invalid opam file packages/color/color.0.3.0 in dd68f43 via #26927, the repo broke. This showed up in CI as

/home/opam: (run (shell "opam repository set-url --strict default opam-repository/"))
[default] Initialised
[ERROR] At /home/opam/.opam/repo/default/packages/color/color.0.3.0/opam:37:5-37:6::
        Parse error
[ERROR] Strict mode: aborting
[ERROR] Could not update repository "default": OpamStd.OpamSys.Exit(30)
[ERROR] Fetching repository default with file:///home/opam/opam-repository fails, reverting to file:///home/opam/opam-repository
"/usr/bin/linux32" "/bin/sh" "-c" "opam repository set-url --strict default opam-repository/" failed with exit status 40
2024-11-25 15:38.46: Job failed: Failed: Build failed
2024-11-25 15:38.46: Log analysis:
2024-11-25 15:38.46: >>> 
[ERROR] At /home/opam/.opam/repo/default/packages/color/color.0.3.0/opam:37:5-37:6::
 (score = 20)
2024-11-25 15:38.46: >>> 
[ERROR] Strict mode: aborting
 (score = 20)
2024-11-25 15:38.46: >>> 
[ERROR] Fetching repository default with file:///home/opam/opam-repository fails, reverting to file:///home/opam/opam-repository
 (score = 20)
2024-11-25 15:38.46: At /home/opam/.opam/repo/default/packages/color/color.0.3.0/opam:37:5-37:6::

https://opam.ci.ocaml.org/github/ocaml/opam-repository/commit/f83c066b82d2cc921f725d5ad7c8b3df17ee1c1a/variant/extras,arm32-ocaml-4.14,caldav.0.1.0

The broken commit was reverted in 23989dd

and a followup fix has been submitted in #26954

I've cancelled the CI jobs that were building on the broken base, and am restarting their CI.

To complete this issue, I think we should figure out how/why we bypassed the CI checks that would have detected the introduction of this breakage and how we can prevent that happening again.

[shonfeder]

@kit-ty-kate pointed out that the invasive breakage we were seeing in CI only shows up because we use the --strict flag in that context. For normal use cases, opam is thankfully more fault tolerant :) She also noted that this would have not have made it to end users yet, given the delay between publication on opam.ocaml.org. So the impacts should be totally limited to the opam-ci, and resolved at this point. Only retro analysis and future prevention remain.

[ElectreAAS]

Very sorry to have inadvertently broken everything!
Do we know why --strict was used here?

[kit-ty-kate]

Do we know why --strict was used here?

precisely to detect this kind of issue early ^^

[shonfeder]

No worries! It is not your fault at all, @ElectreAAS, it's just a vulnerability in our system. This should have been caught by CI to prevent merge. We will fix that. We can probably also make the CI more fault tolerant, so that breakage in unrelated packages are loudly reported, without breaking all the CI for every other package :D