[Openmcl-devel] asdf-install and asdf in the openmcl distributions

Raffael Cavallaro raffaelcavallaro at mac.com
Sun Jan 18 22:06:26 UTC 2004


On Jan 18, 2004, at 1:57 PM, Sven Van Caekenberghe wrote:

> even if I sign one of my open source projects, your local GPG 
> installation won't trust my signature (and it shouldn't, I could be a 
> bad guy) - key and trust distribution is just a difficult problem. 
> This is not really a problem of asdf-install per se. Every time you 
> download some open source package you face the same problem - do you 
> always check their signatures? The trust problem shouldn't stop the 
> adoption of something like asdf-install, even (or especially) if they 
> are so honest as to warn you properly.

To be precise, it is a problem of asdf-install's choice of remote 
library repository - *anyone* can edit the CLiki site. This is a truly 
wacky basis for source distribution, and inherently insecure. One would 
have to be naive in the extreme to trust source code from a site which 
is world writable. As I'm sure most everyone on this list knows, virus 
scanners don't help new users here, because they're downloading source 
code. Presumably, they're not knowledgeable enough about Lisp to read 
the source and detect any malicious code. I don't think that the PGP 
checks should need to be there *at all*. It should be the 
responsibility of the distribution site to maintain security, not of 
the individual, and especially, it should not be the responsibility of 
a new user to know whom to trust.

The following is from Edi Weitz's tutorial:

"Note: You might be asking yourself if all this security stuff is 
really necessary. Well, CLiki, the website where ASDF-INSTALL looks for 
the package URL if you install by name, can be edited by anyone, so it 
would be fairly easy for a malicious hacker to redirect you to a 
library which, once it's installed, insults your boss by email or 
withdraws US$ 100,000 from your bank account."

The answer is for asdf-install to connect to a single, well-secured 
site. At a minimum, this means putting the asdf/asdf-install downloads 
on a site that is not world writable. It would also be nice if the 
maintainer(s) of said site only accepted code from authorized 
committers. This would mean that anyone else submitting a library would 
either have to be approved as a committer, or have his/her code 
reviewed by one. Pushing security issues onto users defeats the whole 
purpose of asdf-install, which is ease of use. If one has to do a code 
review of every line of a library to verify that it isn't malicious, 
getting it to install becomes child's play by comparison.

again, just my $.02,
raf

Raffael Cavallaro, Ph.D.
raffaelcavallaro at mac.com