[armedbear-devel] ABCL-specific Quicklisp

Zach Beane xach at xach.com
Tue Mar 22 14:27:49 UTC 2011 

Mark Evenson <evenson at panix.com> writes:

> On 3/22/11 14:57 , Zach Beane wrote:
> […]
>
>> Quicklisp has a dist preference mechanism that allows one dist's
>> projects to take precedence over another's. You could use that to create
>> an ABCL dist of projects for which ABCL patches have not yet been
>> applied, and that would selectively override the unpatched projects in
>> the primary Quicklisp dist.
>>
>> I don't like the idea of interceding and patching after download very
>> much.
>
> I presume your objections reside from a security perspective, as an 
> exploit that injected by such a mechanism would negatively affect 
> Quicklisp's reputation.  Is there another angle with which you have 
> problems that I miss here?

It just seems like equal hassle to create and maintain a system of patch
fetching and application as it is to create and maintain a system of
modified archives, except the code and infrastructure to support the
modified archives already exists in Quicklisp via the
multiple-dists-with-preference mechanism.

> Are you working on cryptographically signing Quicklisp packaging at all? 
>   To overcome integrity objections we would either have to securely host 
> the ABCL distribution via SSL (this is where quicklisp.org is moving 
> right?) or cryptographically authenticate the patches/distribution?

I'm working on using PGP to sign the indexes. The indexes include
cryptographic digest and size information. There will be a CL
implementation of PGP signature verification to validate the integrity
of a dist.

> Do you have any idea what the bandwidth requirements for hosting such a 
> distribution?  ABCL is certainly a minority CL implementation, but we 
> would still have to somehow scrounge bandwidth.  Or could you host via 
> the S3 quicklisp.org buckets?

I host all Quicklisp archives on S3, and I use their CloudFront content
distribution network to speed up worldwide delivery (S3 by itself is a
little slow outside the USA). I have thousands of downloads per month
and the storage and bandwidth costs have been less than $1/month so
far. It's a pretty good deal.

The dist mechanism isn't fully baked, but I'd rather you wait for an 85%
solution to be finished than start a new solution from scratch.

Zach

More information about the armedbear-devel mailing list