On Jan 18, 2004, at 9:56 AM, Marco Baringer wrote:
> the point of bundling asdf-install is that you wouldn't need
> to bundle anything else. once you have asdf-install any other
> interesting things could be distributed as asdf-install'able packages
> and getting them would be a simple matter of (install :silver-bullet).
> even the examples could be packaged and distributed this way.

It would be nice if it actually worked this way, but in my experience,
asdf-install is broken with the current version of OpenMCL (and
probably with other lisps as well). In particular, it chokes when
trying to do GPG signature verification:

Downloading 133549 bytes from
http://boinkor.net/lisp/iterate/iterate-current.tar.gz ...
> Error in process listener(1): GPG warns that the key id 0xNIL () is
not fully trusted
> While executing: ASDF-INSTALL::VERIFY-GPG-SIGNATURE/STRING
> Type :GO to continue, :POP to abort.
> If continued: Install the package anyway

same errors for other packages, for example, mk-defsystem, timer,
araneida, and for yet other packages, the signature file is simply 404.

I appreciate that some may feel that GPG signature verification is
overkill for library installation, but this is, after all, executable
code, sometimes being run as an admin user. If these security
measures are really unnecessary, why include them, since they are
quite consistently broken? I suppose it is possible that I just got
extremely unlucky with the eight or ten packages I chose from the
CLiki list, but I doubt it. Edi Weitz's tutorial includes a section
about the failed GPG verification possibilities, so it's pretty
clearly a common problem.

Remember, we're talking here about making it easy for newbies to
install libraries. I don't think it helps the situation much to
provide them with a system that throws an error immediately, and
presents them with what amounts to the following choice of restarts:

> Type :GO to continue, :POP to abort
> if continued: Install potential trojan or virus.

In short, I would recommend not including asdf-install unless and
until it just works, without scary messages about failed GPG
verification.

just my $.02

raf

Raffael Cavallaro, Ph.D.
raffaelcavallaro@mac.com