[Openmcl-devel] asdf-install and asdf in the openmcl distributions
Raffael Cavallaro
raffaelcavallaro at mac.com
Sun Jan 18 10:21:29 PST 2004
On Jan 18, 2004, at 9:56 AM, Marco Baringer wrote:
> the point of bundling asdf-install is that you wouldn't need to bundle
> anything else. once you have asdf-install any other interesting things
> could be distributed as asdf-install'able packages and getting them
> would be a simple matter of (install :silver-bullet). even the
> examples could be packaged and distributed this way.
It would be nice if it actually worked this way, but in my experience,
asdf-install is broken with the current version of OpenMCL (and
probably with other lisps as well). In particular, it chokes when
trying to do GPG signature verification:
Downloading 133549 bytes from
http://boinkor.net/lisp/iterate/iterate-current.tar.gz ...
> Error in process listener(1): GPG warns that the key id 0xNIL () is
not fully trusted
> While executing: ASDF-INSTALL::VERIFY-GPG-SIGNATURE/STRING
> Type :GO to continue, :POP to abort.
> If continued: Install the package anyway
Same errors for other packages, for example, mk-defsystem, timer,
araneida, and for yet other packages, the signature file is simply 404.
I appreciate that some may feel that GPG signature verification is
overkill for library installation, but this is, after all, executable
code, sometimes being run as an admin user. If these security
measures are really unnecessary, why include them, since they are quite
consistently broken? I suppose it is possible that I just got extremely
unlucky with the eight or ten packages I chose from the CLiki list, but
I doubt it. Edi Weitz's tutorial includes a section about the failed
GPG verification possibilities, so it's pretty clearly a common
problem.
Remember, we're talking here about making it easy for newbies to install
libraries. I don't think it helps the situation much to provide them
with a system that throws an error immediately, and presents them with
what amounts to the following choice of restarts:
> Type :GO to continue, :POP to abort
> if continued: Install potential trojan or virus.
In short, I would recommend not including asdf-install unless and until
it just works, without scary messages about failed GPG verification.
just my $.02
raf
Raffael Cavallaro, Ph.D.
raffaelcavallaro at mac.com