Mark Evenson evenson@panix.com writes:
On 3/22/11 14:57 , Zach Beane wrote: […]
Quicklisp has a dist preference mechanism that allows one dist's projects to take precedence over another's. You could use that to create an ABCL dist of projects for which ABCL patches have not yet been applied, and that would selectively override the unpatched projects in the primary Quicklisp dist.
I don't like the idea of interceding and patching after download very much.
I presume your objections reside from a security perspective, as an exploit that injected by such a mechanism would negatively affect Quicklisp's reputation. Is there another angle with which you have problems that I miss here?
It just seems like equal hassle to create and maintain a system of patch fetching and application as it is to create and maintain a system of modified archives, except the code and infrastructure to support the modified archives already exists in Quicklisp via the multiple-dists-with-preference mechanism.
Are you working on cryptographically signing Quicklisp packaging at all? To overcome integrity objections we would either have to securely host the ABCL distribution via SSL (this is where quicklisp.org is moving right?) or cryptographically authenticate the patches/distribution?
I'm working on using PGP to sign the indexes. The indexes include cryptographic digest and size information. There will be a CL implementation of PGP signature verification to validate the integrity of a dist.
Do you have any idea what the bandwidth requirements for hosting such a distribution? ABCL is certainly a minority CL implementation, but we would still have to somehow scrounge bandwidth. Or could you host via the S3 quicklisp.org buckets?
I host all Quicklisp archives on S3, and I use their CloudFront content distribution network to speed up worldwide delivery (S3 by itself is a little slow outside the USA). I have thousands of downloads per month and the storage and bandwidth costs have been less than $1/month so far. It's a pretty good deal.
The dist mechanism isn't fully baked, but I'd rather you wait for an 85% solution to be finished than start a new solution from scratch.
Zach