WIP: add :after method for check-local-archive file #18
Conversation
This is an initial test of the solution proposed in: rudolfochrist#14 What is odd is that the md5sum checksum succeeds, yet the sha1sum fails.
|
@rudolfochrist I figured out what the issue was. It turns out that ultralisp uses a different sha1 scheme than upstream quicklisp - I have some working code (although it does depend on bringing in The ultralisp implementation of sha1 is here. I already have a check present to see what distribution the archive is from, and will call the correct hash function depending on if it is from quicklisp/ultralisp. Perhaps these could be extracted out to their own systems? Then users could just |
|
@rudolfochrist Right now I'm experimenting to see if I can get this to work the way that I would like it to - if you have any suggestions though I am open to them. |
|
Hi @echawk, thank you for looking into this. I just skimmed the Ultralisp code and I'm not a cryptography specialist, but Ultralisp using a different sha1 scheme sounds not right. This means that quicklisp (without ql-https) can't verify content hashes for Ultralisp releases as well. This should be fixed, but not by ql-https. @svetlyak40wt Perhaps you can give some input here. Thanks. Secondly, I'm feeling a little uneasy having special case handling for different dists. Sure, Ultralisp is public and prominent, but I don't want to have special handling for every arbitrary dist. We should prioritise that every dist works with vanilla quicklisp. Thirdly, I would like to avoid third party dependencies with ql-https. Especially ironclad. Full ironclad takes a while to compile and we pollute every image with ironclad that loads dependencies with quicklisp. I would not like to do that. Perhaps you find a way to bring this feature in while addressing the points above. Thank you 👍 |
| :version (:read-file-line "version") | ||
| :depends-on ((:require "uiop") (:feature :sbcl :sb-md5)) | ||
| :depends-on ((:require "uiop") | ||
| #+ql-https/ultralisp-check-sha1 (:require "ironclad") |
There was a problem hiding this comment.
Read-time conditionals in system definitions is actually discouraged.
There was a problem hiding this comment.
This could be ameliorated if openssl can be used to compute the sha1 digest - I'm not sure how to emulate the behavior of babel streams that we use for the computation of ultralisp's checksum
| :depends-on ((:require "uiop") (:feature :sbcl :sb-md5)) | ||
| :depends-on ((:require "uiop") | ||
| #+ql-https/ultralisp-check-sha1 (:require "ironclad") | ||
| #+ql-https/ultralisp-check-sha1 (:require "babel-streams") |
There was a problem hiding this comment.
the (:require ...) clause is unnecessary. ASDF finds "babel-streams" if it is installed to a place where ASDF looks for systems.
2 participants
This is an initial test of the solution proposed in:
#14
What is odd is that the md5sum checksum succeeds, yet the sha1sum fails.