[asdf-install-devel] prevent loading signature filse when *verify-gpg-signatures* is nil

[Gary King]

Hi again,

I'm going to use the following patch instead of yours. The only  
difference is that I place the if statement before multiple-value- 
bind call instead of after. This should go out tomorrow as ASDF- 
Install 0.6.7.

thanks again,

> --- old-asdf-install/asdf-install/installer.lisp        2007-03-11  
> 22:23:27.0000000
> 00 -0400
> +++ new-asdf-install/asdf-install/installer.lisp        2007-03-11  
> 22:23:27.0000000
> 00 -0400
> @@ -156,12 +156,13 @@
>    (multiple-value-bind (package-url package-file)
>        (download-url-to-temporary-file
>         (download-link-for-package package-name-or-url))
> -    (multiple-value-bind (signature-url signature-file)
> -       (download-url-to-temporary-file
> -        (download-link-for-signature package-url))
> -      (declare (ignore signature-url))
> -      (values
> -       package-file signature-file))))
> +    (if (verify-gpg-signatures-p package-name-or-url)
> +       (multiple-value-bind (signature-url signature-file)
> +           (download-url-to-temporary-file
> +            (download-link-for-signature package-url))
> +         (declare (ignore signature-url))
> +         (values package-file signature-file))
> +       (values package-file nil))))



On Mar 10, 2007, at 6:54 AM, Vodonosov Anton wrote:

> Hello!
>
> I would like to suggest to add a line to asdf-install source code  
> to prevent loading signature files when *verify-gpg-signatures* is  
> nil.
>
> I'm installing Edi Weitz' hunchentoot, which depends on Kevin  
> Rosenberg's md5, but md5-1.8.5.tar.gz.asc file isn't provided for  
> md5. The version of asdf-install I'm using is just downloaded from  
> http://common-lisp.net/project/asdf-install/asdf- 
> install_latest.tar.gz.
>
> We could change it like this:
>
> File installer.lisp, function download-files-for-package. Note  
> (when (verify-gpg-signatures-p...
>
> (defun download-files-for-package (package-name-or-url)
>   (multiple-value-bind (package-url package-file)
>       (download-url-to-temporary-file
>        (download-link-for-package package-name-or-url))
>     (multiple-value-bind (signature-url signature-file)
>        ;; this WHEN ensures that signature files are not downloaded
>        ;; if *verify-gpg-signatures* is nil
>        (when (verify-gpg-signatures-p package-name-or-url)
>  	  (download-url-to-temporary-file
> 	    (download-link-for-signature package-url)))
>       (declare (ignore signature-url))
>       (values
>        package-file signature-file))))
>
>
> Regards,
> -Anton
> _______________________________________________
> asdf-install-devel mailing list
> asdf-install-devel at common-lisp.net
> http://common-lisp.net/cgi-bin/mailman/listinfo/asdf-install-devel

--
Gary Warren King, metabang.com
Cell: (413) 885 9127
Fax: (206) 338-4052
gwkkwg on Skype * garethsan on AIM