WIP: add :after method for check-local-archive file#18
WIP: add :after method for check-local-archive file#18echawk wants to merge 10 commits intorudolfochrist:masterfrom
Conversation
This is an initial test of the solution proposed in: rudolfochrist#14 What is odd is that the md5sum checksum succeeds, yet the sha1sum fails.
|
@rudolfochrist I figured out what the issue was. It turns out that ultralisp uses a different sha1 scheme than upstream quicklisp - I have some working code (although it does depend on bringing in The ultralisp implementation of sha1 is here. I already have a check present to see what distribution the archive is from, and will call the correct hash function depending on if it is from quicklisp/ultralisp. Perhaps these could be extracted out to their own systems? Then users could just |
|
@rudolfochrist Right now I'm experimenting to see if I can get this to work the way that I would like it to - if you have any suggestions though I am open to them. |
|
Hi @echawk, thank you for looking into this. I just skimmed the Ultralisp code and I'm not a cryptography specialist, but Ultralisp using a different sha1 scheme sounds not right. This means that quicklisp (without ql-https) can't verify content hashes for Ultralisp releases as well. This should be fixed, but not by ql-https. @svetlyak40wt Perhaps you can give some input here. Thanks. Secondly, I'm feeling a little uneasy having special case handling for different dists. Sure, Ultralisp is public and prominent, but I don't want to have special handling for every arbitrary dist. We should prioritise that every dist works with vanilla quicklisp. Thirdly, I would like to avoid third party dependencies with ql-https. Especially ironclad. Full ironclad takes a while to compile and we pollute every image with ironclad that loads dependencies with quicklisp. I would not like to do that. Perhaps you find a way to bring this feature in while addressing the points above. Thank you 👍 |
ql-https.asd
Outdated
| :version (:read-file-line "version") | ||
| :depends-on ((:require "uiop") (:feature :sbcl :sb-md5)) | ||
| :depends-on ((:require "uiop") | ||
| #+ql-https/ultralisp-check-sha1 (:require "ironclad") |
There was a problem hiding this comment.
Read-time conditionals in system definitions is actually discouraged.
There was a problem hiding this comment.
This could be ameliorated if openssl can be used to compute the sha1 digest - I'm not sure how to emulate the behavior of babel streams that we use for the computation of ultralisp's checksum
ql-https.asd
Outdated
| :depends-on ((:require "uiop") (:feature :sbcl :sb-md5)) | ||
| :depends-on ((:require "uiop") | ||
| #+ql-https/ultralisp-check-sha1 (:require "ironclad") | ||
| #+ql-https/ultralisp-check-sha1 (:require "babel-streams") |
There was a problem hiding this comment.
the (:require ...) clause is unnecessary. ASDF finds "babel-streams" if it is installed to a place where ASDF looks for systems.
|
@rudolfochrist Would you mind testing? It appears to work locally, but I'd appreciate some more testing. Also, I'd appreciate any comments on the implementation itself, since my exposure to streams in CL is rather fresh. EDIT: |
|
Closing in favor of #22 |
2 participants
This is an initial test of the solution proposed in:
#14
What is odd is that the md5sum checksum succeeds, yet the sha1sum fails.