Comments on: asdf-install and GPG signatures

By: youngnh

youngnh — Fri, 29 Oct 2010 15:24:40 +0000

I believe that keyring.asc, unlike the pages on cliki is controlled by a trusted human being. I don’t think that it’s a publicly modifiable file.

Also, I haven’t dug into the gpg man page in a while, but I believe it has additional options that you can specify to manually check each key gpg adds when doing an –import.

Ultimately, there is a lot of software on cliki, which is an untrusted platform. Most people just bypass all authenticity checks outright because its fast. The keyring provided an attempt to make verification just as fast.

By: Elena

Elena — Thu, 28 Oct 2010 18:17:48 +0000

Thank you very much for sharing.

However, when you do:

1 wget http://common-lisp.net/keyring.asc
2 gpg –import keyring.asc

aren’t you just importing a file which could have been tampered with? How can you trust it?

By: Alpheus

Alpheus — Sat, 08 May 2010 15:15:20 +0000

Thanks for the pointers! They helped me to install my first ASDF package (lispbuilder-sdl). It makes me wonder why ASDF doesn’t automatically detect when you don’t have your own public/private key pair, though, or why it doesn’t give you the option to create trusting relationships when a key isn’t in the list.

I’ll have to hunt down the creators of ASDF and point this out to them!

By: Philippe Sismondi

Philippe Sismondi — Fri, 08 Jan 2010 23:09:11 +0000

Fantastic. I just spent about three hours struggling with asdf-install with clozure common lisp. This post got me over the last hump, which was the gpg stuff.

Thanks.

- Phil -

By: Erik Winkels

Erik Winkels — Fri, 07 Aug 2009 06:22:45 +0000

Pffff, what a hassle.

Unlike the poster above I actually prefer bare ASDF. Once you’ve got most packages installed the point is moot anyway.

By: j_king

j_king — Thu, 06 Aug 2009 15:34:50 +0000

clbuild is rather handy. It must be built from source which you must use darcs to fetch. It’s also written in a combination of sh and lisp… so it will probably only work on machines where sh is available (ie: probably won’t run natively on Wind0wz).

It’s the best so far, but a pure-lisp manager would be ideal, IMO. I tried lispy and was rather happy with the system but disappointed by the lack of tracked libraries… it needs some time and adoption to grow up me thinks.

good post though. i was always too frustrated with bare asdf when I started learning lisp that I quickly moved on to the other managers like lispy and mudballs before settling on clbuild.

By: youngnh

youngnh — Thu, 06 Aug 2009 03:19:07 +0000

thanks, fixed.

By: Luke J Crook

Luke J Crook — Thu, 06 Aug 2009 01:47:01 +0000

Great post. A minor correction; it is the common-lisp.net developer keyring, not the CLiki developer keyring.