[armedbear-devel] ABCL-specific Quicklisp (was Re: Patches for metatilities-base and lift)
Mark Evenson
evenson at panix.com
Tue Mar 22 14:08:37 UTC 2011
On 3/22/11 14:57 , Zach Beane wrote:
[…]
> Quicklisp has a dist preference mechanism that allows one dist's
> projects to take precedence over another's. You could use that to create
> an ABCL dist of projects for which ABCL patches have not yet been
> applied, and that would selectively override the unpatched projects in
> the primary Quicklisp dist.
>
> I don't like the idea of interceding and patching after download very
> much.
I presume your objections reside from a security perspective, as an
exploit that injected by such a mechanism would negatively affect
Quicklisp's reputation. Is there another angle with which you have
problems that I miss here?
Are you working on cryptographically signing Quicklisp packaging at all?
To overcome integrity objections we would either have to securely host
the ABCL distribution via SSL (this is where quicklisp.org is moving
right?) or cryptographically authenticate the patches/distribution?
Do you have any idea what the bandwidth requirements for hosting such a
distribution? ABCL is certainly a minority CL implementation, but we
would still have to somehow scrounge bandwidth. Or could you host via
the S3 quicklisp.org buckets?
--
"A screaming comes across the sky. It has happened before, but there
is nothing to compare to it now."
More information about the armedbear-devel
mailing list