[armedbear-devel] ABCL-specific Quicklisp
Zach Beane
xach at xach.com
Tue Mar 22 14:27:49 UTC 2011
Mark Evenson <evenson at panix.com> writes:
> On 3/22/11 14:57 , Zach Beane wrote:
> […]
>
>> Quicklisp has a dist preference mechanism that allows one dist's
>> projects to take precedence over another's. You could use that to create
>> an ABCL dist of projects for which ABCL patches have not yet been
>> applied, and that would selectively override the unpatched projects in
>> the primary Quicklisp dist.
>>
>> I don't like the idea of interceding and patching after download very
>> much.
>
> I presume your objections reside from a security perspective, as an
> exploit injected by such a mechanism would negatively affect
> Quicklisp's reputation. Is there another angle with which you have
> problems that I miss here?
It just seems like equal hassle to create and maintain a system of patch
fetching and application as it is to create and maintain a system of
modified archives, except the code and infrastructure to support the
modified archives already exists in Quicklisp via the
multiple-dists-with-preference mechanism.
> Are you working on cryptographically signing Quicklisp packaging at all?
> To overcome integrity objections we would either have to securely host
> the ABCL distribution via SSL (this is where quicklisp.org is moving
> right?) or cryptographically authenticate the patches/distribution?
I'm working on using PGP to sign the indexes. The indexes include
cryptographic digest and size information. There will be a CL
implementation of PGP signature verification to validate the integrity
of a dist.
> Do you have any idea what the bandwidth requirements are for hosting such
> a distribution? ABCL is certainly a minority CL implementation, but we
> would still have to somehow scrounge bandwidth. Or could you host via
> the S3 quicklisp.org buckets?
I host all Quicklisp archives on S3, and I use their CloudFront content
distribution network to speed up worldwide delivery (S3 by itself is a
little slow outside the USA). I have thousands of downloads per month
and the storage and bandwidth costs have been less than $1/month so
far. It's a pretty good deal.
The dist mechanism isn't fully baked, but I'd rather you wait for an 85%
solution to be finished than start a new solution from scratch.
Zach
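Added example, not part of the message above and not Quicklisp's own code: a small Python model of the two mechanisms the thread discusses. A higher-preference dist shadows a project carried by the primary dist, and every index entry records a digest and a size so a downloaded archive is checked before it is used. The index line format, the dist names, the preference numbers, the example.invalid URLs and the choice of SHA-256 for the digest are all assumptions made for this example (the message says only "cryptographic digest and size"); the PGP signature on the index is not modelled, and the index text is assumed to have been authenticated already.

```python
"""Added example, not Quicklisp's own code: a small model of the two
mechanisms from the thread above. A higher-preference dist overrides a
project carried by the primary dist, and each index entry carries a
digest and a size so a downloaded archive is checked before it is used.
The index line format, dist names, preference numbers and the use of
SHA-256 are assumptions made for this example; the PGP signature on the
index itself is not modelled, the index text is assumed already verified.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Release:
    project: str
    url: str
    size: int      # byte length of the archive as recorded in the index
    digest: str    # hex SHA-256 of the archive as recorded in the index
    dist: str      # which dist's index this entry came from


def parse_index(text, dist_name):
    """Parse a constructed index: 'project url size sha256' per line,
    '#' lines are comments. Returns {project: Release}."""
    releases = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 4:
            raise ValueError(f"{dist_name}:{lineno}: expected 4 fields, got {len(fields)}")
        project, url, size, digest = fields
        releases[project] = Release(project, url, int(size), digest.lower(), dist_name)
    return releases


def resolve(project, dists):
    """dists is a list of (preference, releases). The dist with the highest
    preference that carries the project wins; dists without it are skipped."""
    for _, releases in sorted(dists, key=lambda d: d[0], reverse=True):
        if project in releases:
            return releases[project]
    raise KeyError(f"no dist carries {project}")


def check_archive(release, data):
    """Return None if the archive matches its index entry, else a reason.
    Size is compared first because it is free; the digest is the real check."""
    if len(data) != release.size:
        return "size-mismatch"
    if hashlib.sha256(data).hexdigest() != release.digest:
        return "digest-mismatch"
    return None


def index_line(project, url, data):
    """Build one index line for a constructed archive (what a dist maintainer
    would publish after preparing the archive)."""
    return f"{project} {url} {len(data)} {hashlib.sha256(data).hexdigest()}"


# Constructed archives: the upstream release of "foo", an ABCL-patched build
# of the same release, and an unrelated project "bar".
FOO_UPSTREAM = b"upstream archive of foo"
FOO_PATCHED = b"upstream archive of foo, rebuilt with the ABCL patch applied"
BAR = b"archive of bar"

PRIMARY_INDEX = "# constructed primary dist index\n" + "\n".join([
    index_line("foo", "http://example.invalid/primary/foo.tgz", FOO_UPSTREAM),
    index_line("bar", "http://example.invalid/primary/bar.tgz", BAR),
])
ABCL_INDEX = (
    "# constructed ABCL dist index: only projects that needed patches\n"
    + index_line("foo", "http://example.invalid/abcl/foo.tgz", FOO_PATCHED)
)

# (preference, releases): the ABCL dist is given the higher preference so it
# shadows "foo" but leaves "bar" to the primary dist.
DISTS = [
    (100, parse_index(PRIMARY_INDEX, "quicklisp")),
    (200, parse_index(ABCL_INDEX, "abcl")),
]

if __name__ == "__main__":
    for project, data in (("foo", FOO_PATCHED), ("foo", FOO_UPSTREAM), ("bar", BAR)):
        rel = resolve(project, DISTS)
        print(project, "from", rel.dist, "->", check_archive(rel, data) or "ok")
```

The second loop iteration shows the integrity side of the argument: the unpatched upstream bytes fail against the ABCL dist's entry, and by the same rule bytes patched after download would fail against the primary dist's entry. An overriding dist therefore has to publish its own entry for the rebuilt archive, which is exactly what the modified-archives approach does and what patch-after-download cannot do without bypassing the check.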