ALU Wiki: Securing ASDF

Securing ASDF

(discuss this page)

ASDF-INSTALL as it stands is a useful tool for automating the process of downloading software from the CLiki. It provides a means for the user to check that he is getting what he meant to get, and that is all. This is perfectly sufficient for what it is.

Attempting to design a secure, distributed system for installing general Common Lisp software is not a simple task, not one that is particularly urgent, and is not something that an enthusiastic newbie could do a good job at.

Improve ASDF-INSTALL ease-of-use

As a counter-proposal, enthusiastic newbies should be able to point out the difficulties in understanding key-handling for asdf-install. A better user interface should be designed so that a newbie is aware of what asdf-install is doing. Someone who is already familiar with similar systems based on gpg signatures should write a tutorial on the issue, focusing on how this works with asdf-install.

~~"Securing" ASDF installs~~

Champion

~~Your name here :)~~

Proposal

ASDF-INSTALL is the defacto way to install Lisp software. Currently ASDF-INSTALL references a Wiki page to get the required files. Anyone can change the wiki. Although ASDF-INSTALL checks GPG signatures on packages, there is an option to ignore it. I do not believe that GPG is the full solution because it is too easy to not be diligent & check the signature.

I propose that the Gardeners create a static mirror page of the Wiki, and submit a patch to ASDF-INSTALL that checks both the wiki page and the gardeners page. The patch will then show where the package was found, recommend that it is installed from the Gardeners page because the editing for that page is not public. The patch could also verify that the static page agrees with the Wiki.

~~There will need to be ongoing maintenance of our clone page.~~

Goal

With minimum effort, increase the safety of ASDF-INSTALL's default behaviour. The rational is that by having a cloned static, non-publicly editable page we drastically reduce the change of an ASDF-INSTALLable package being compromised via a Wiki change.

Volunteers

Tasks

~~Anybody~~

To do:

~~Clone the Wiki page to a Gardeners Controlled server~~
~~Patch ASDF-INSTALL & get it merged.~~

Green Thumbs would like to see:

Latest status

Resources

Categories

Gardeners Projects

This page is linked from:

Gardeners Projects

Other pages sharing this page's categories:

Application Builder Common Lisp FAQ Gardeners Reports Package and Resource Directory Perl interface to SLIME Portable Threads Slim-Vim Slim-Vim-Repos Standard Utilities

Last Modified 2006-01-24 02:20:15 PST | Edit this page