[Openmcl-devel] asdf-install and asdf in the openmcl distributions

Sven Van Caekenberghe sven at beta9.be
Sun Jan 18 10:57:47 PST 2004


On 18 Jan 2004, at 19:21, Raffael Cavallaro wrote:

> On Jan 18, 2004, at 9:56 AM, Marco Baringer wrote:
>
>> the point of bundling asdf-install is that you wouldn't need to 
>> bundle anything else. once you have asdf-install any other 
>> interesting things could be distributed as asdf-install'able packages 
>> and getting them would be a simple matter of (install 
>> :silver-bullet). even the examples could be packaged and distributed 
>> this way.
>
> It would be nice if it actually worked this way, but in my experience, 
> asdf-install is broken with the current version of OpenMCL (and 
> probably with other lisps as well). In particular, it chokes when 
> trying to do GPG signature verification:
>
> Downloading 133549 bytes from 
> http://boinkor.net/lisp/iterate/iterate-current.tar.gz ...
> > Error in process listener(1): GPG warns that the key id 0xNIL () is 
> not fully trusted
> > While executing: ASDF-INSTALL::VERIFY-GPG-SIGNATURE/STRING
> > Type :GO to continue, :POP to abort.
> > If continued: Install the package anyway
>
> same errors for other packages, for example, mk-defsystem, timer, 
> araneida, and for yet other packages, the signature file is simply 
> 404.
>
> I appreciate that some may feel that GPG signature verification is 
> overkill for library installation, but this is, after all, executable 
> code, sometimes being run as an admin user. If these security 
> measures are really unnecessary, why include them, since they are 
> quite consistently broken? I suppose it is possible that I just got 
> extremely unlucky with the eight or ten packages I chose from the 
> CLiki list, but I doubt it. Edi Weitz's tutorial includes a section 
> about the failed GPG verification possibilities, so it's pretty 
> clearly a common problem.
>
> Remember, we're talking here about making it easy for newbies to 
> install libraries. I don't think it helps the situation much to 
> provide them with a system that throws an error immediately, and 
> presents them with what amounts to the following choice of restarts:
>
> > Type :GO to continue, :POP to abort
> > if continued: Install potential trojan or virus.
>
> In short, I would recommend not including asdf-install unless and 
> until it just works, without scary messages about failed GPG 
> verification.

I have not yet tried to install anything via asdf-install, I use asdf 
itself and read Edi Weitz's tutorial - I thought it to be very 
interesting/promising. But yes, there is a catch-22 problem: even if I 
sign one of my open source projects, your local GPG installation won't 
trust my signature (and it shouldn't, I could be a bad guy) - key and 
trust distribution is just a difficult problem. This is not really a 
problem of asdf-install per se. Every time you download some open 
source package you face the same problem - do you always check their 
signatures? The trust problem shouldn't stop the adoption of something 
like asdf-install, even (or especially) if they are so honest to warn 
you properly.

Sven
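
The thread above turns on how an installer should react to the status gpg reports for a downloaded package: a good signature from a key the local keyring does not trust (the "key id 0xNIL () is not fully trusted" error), a missing key, or a bad signature. The following is an added example, not code from this thread or from asdf-install; it assumes a hypothetical policy in which the installer runs `gpg --status-fd 1 --verify` and parses the resulting `[GNUPG:]` status lines, ships a pinned list of maintainer fingerprints (constructed values here) to sidestep the key-distribution problem Sven describes, and fails closed on every outcome other than a good signature from a pinned or fully trusted key, instead of offering an "install anyway" restart. The sample status output is constructed, not captured from a real run.

```python
"""Turn gpg --status-fd output into an install/abort decision (added example,
not asdf-install's code). The status-line tags (GOODSIG, VALIDSIG, BADSIG,
NO_PUBKEY, TRUST_*) are gpg's documented machine-readable output; the pinned
fingerprints and the sample outputs below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical: fingerprints of maintainers the distribution chooses to trust,
# shipped with the installer. Constructed values, not real keys.
PINNED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Local-keyring trust levels we accept when the signer is not pinned.
ACCEPTED_TRUST = {"TRUST_FULLY", "TRUST_ULTIMATE"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    key_id: Optional[str] = None
    fingerprint: Optional[str] = None


def decide(status_lines: List[str]) -> Verdict:
    """Parse `[GNUPG:] ...` lines and return a single, fail-closed decision."""
    good_key_id = None
    fingerprint = None
    trust = None
    for raw in status_lines:
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue  # ordinary gpg chatter, not a status record
        tag = parts[1]
        if tag in ("BADSIG", "ERRSIG"):
            return Verdict(False, f"signature check failed ({tag})")
        if tag == "NO_PUBKEY":
            who = parts[2] if len(parts) > 2 else "?"
            return Verdict(False, f"signing key {who} is not in the keyring")
        if tag in ("EXPKEYSIG", "REVKEYSIG"):
            return Verdict(False, f"signing key is expired or revoked ({tag})")
        if tag == "GOODSIG":
            good_key_id = parts[2] if len(parts) > 2 else None
        elif tag == "VALIDSIG":
            fingerprint = parts[2] if len(parts) > 2 else None
        elif tag.startswith("TRUST_"):
            trust = tag
    if good_key_id is None:
        # No GOODSIG, or a GOODSIG with no key id: the "0xNIL" situation.
        # Refuse rather than prompt; an unparseable key id is not a warning.
        return Verdict(False, "no usable GOODSIG line (key id missing)")
    if fingerprint in PINNED_FINGERPRINTS:
        return Verdict(True, "signer fingerprint is pinned", good_key_id, fingerprint)
    if trust in ACCEPTED_TRUST:
        return Verdict(True, f"signer trusted by local keyring ({trust})",
                       good_key_id, fingerprint)
    return Verdict(False,
                   f"key id 0x{good_key_id} is not fully trusted "
                   f"({trust or 'no TRUST_ line'})",
                   good_key_id, fingerprint)


# Constructed sample outputs in gpg's status-fd format.
SAMPLE_UNTRUSTED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint at example.org>",
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2004-01-18 1074452407",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_PINNED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Pinned Maintainer <pinned at example.org>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2004-01-18 1074452407",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_BADSIG = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maint at example.org>",
]
SAMPLE_NIL_KEYID = [
    "gpg: Signature made Sun Jan 18 2004",  # not a status record
    "[GNUPG:] GOODSIG",                      # truncated: no key id to check
]

if __name__ == "__main__":
    for name, sample in [("untrusted", SAMPLE_UNTRUSTED), ("pinned", SAMPLE_PINNED),
                         ("badsig", SAMPLE_BADSIG), ("nil-keyid", SAMPLE_NIL_KEYID)]:
        v = decide(sample)
        print(f"{name:10} -> {'INSTALL' if v.ok else 'ABORT':7} {v.reason}")
```

The point of the pinned-fingerprint path is that the installer, not the user's web-of-trust state, carries the trust decision for packages the distribution vouches for; everything else is rejected with a reason rather than a restart that amounts to "install potential trojan or virus".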