[Openmcl-devel] asdf-install and asdf in the openmcl distributions
raffaelcavallaro at mac.com
Sun Jan 18 17:06:26 EST 2004
On Jan 18, 2004, at 1:57 PM, Sven Van Caekenberghe wrote:
> even if I sign one of my open source projects, your local GPG
> installation won't trust my signature (and it shouldn't, I could be a
> bad guy) - key and trust distribution is just a difficult problem.
> This is not really a problem of asdf-install per se. Every time you
> download some open source package you face the same problem - do you
> always check their signatures? The trust problem shouldn't stop the
> adoption of something like asdf-install, even (or especially) if they
> are so honest as to warn you properly.
To be precise, it is a problem of asdf-install's choice of remote
library repository - *anyone* can edit the CLiki site. This is a truly
wacky basis for source distribution, and inherently insecure. One would
have to be naive in the extreme to trust source code from a site which
is world writable. As I'm sure most everyone on this list knows, virus
scanners don't help new users here, because they're downloading source
code. Presumably, they're not knowledgeable enough about Lisp to read
the source and detect any malicious code. I don't think that the PGP
checks should need to be there *at all*. It should be the
responsibility of the distribution site to maintain security, not of
the individual, and especially, it should not be the responsibility of
a new user to know whom to trust.
The following is from Edi Weitz's tutorial:
"Note: You might be asking yourself if all this security stuff is
really necessary. Well, CLiki, the website where ASDF-INSTALL looks for
the package URL if you install by name, can be edited by anyone so it
would be fairly easy for a malicious hacker to redirect you to a
library which once it's installed insults your boss by email or
withdraws US$ 100,000 from your bank account."
The answer is for asdf-install to connect to a single, well secured
site. At a minimum, this means putting the asdf/asdf-install downloads
on a site that is not world writable. It would also be nice if the
maintainer(s) of said site only accepted code from authorized
committers. This would mean that anyone else submitting a library would
either have to be approved as a committer, or have his/her code
reviewed by one. Pushing security issues onto users defeats the whole
purpose of asdf-install, which is ease of use. If one has to do a code
review of every line of a library to verify that it isn't malicious,
getting it to install becomes child's play by comparison.
Again, just my $.02,
Raffael Cavallaro, Ph.D.
raffaelcavallaro at mac.com
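The trust gap the thread argues about can be made concrete in a few lines. The following is an added example, not code from asdf-install, CLiki, or either poster: it models install-by-name against a world-editable name-to-URL index (the CLiki situation described above) beside install-by-name against a curated manifest that only a maintainer can write and that pins a SHA-256 digest for each archive. The pinned digest is used here as a simplified stand-in for the signature check the mail mentions; the package name, URLs, archive bytes and the "network" are all constructed for the demonstration and nothing is fetched from the internet.

```python
"""Install-by-name over a world-editable index vs. a curated, digest-pinned manifest.

Added example; not part of asdf-install or the original post. Every name, URL,
archive and digest below is constructed for the demonstration.
"""
import hashlib
import hmac

# --- constructed sample data (stand-ins, not real archives) -----------------
GENUINE_ARCHIVE = b'(defsystem :cl-example :components ((:file "example")))'
SUBSTITUTED_ARCHIVE = GENUINE_ARCHIVE + b"\n;; contents changed by whoever rewrote the index entry"

# Pretend network: URL -> bytes a download would return (constructed).
FAKE_NETWORK = {
    "https://dist.example/cl-example.tar.gz": GENUINE_ARCHIVE,
    "https://elsewhere.example/cl-example.tar.gz": SUBSTITUTED_ARCHIVE,
}


def fetch(url: str) -> bytes:
    """Stand-in for the HTTP download an install-by-name tool would perform."""
    return FAKE_NETWORK[url]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class OpenIndex:
    """Name -> URL mapping that anyone can rewrite (the world-writable model)."""

    def __init__(self):
        self.entries = {}

    def set_url(self, name: str, url: str) -> None:
        # No authorization step at all: this is the property the mail criticises.
        self.entries[name] = url

    def resolve(self, name: str) -> str:
        return self.entries[name]


class CuratedManifest:
    """Name -> (URL, pinned SHA-256) mapping that only a maintainer populates."""

    def __init__(self):
        self._entries = {}

    def publish(self, name: str, url: str, digest: str) -> None:
        # Only the distribution site's maintainer calls this; installers read only.
        self._entries[name] = (url, digest)

    def resolve(self, name: str):
        return self._entries[name]


class IntegrityError(Exception):
    pass


def verify_archive(data: bytes, expected_digest: str) -> bool:
    """True if the fetched bytes match the pinned digest (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_digest)


def install_by_name_open(index: OpenIndex, name: str) -> bytes:
    """No integrity check: whatever the index currently points at is what you get."""
    return fetch(index.resolve(name))


def install_by_name_pinned(manifest: CuratedManifest, name: str) -> bytes:
    """Refuses any archive whose digest differs from the manifest's pinned value."""
    url, expected = manifest.resolve(name)
    data = fetch(url)
    if not verify_archive(data, expected):
        raise IntegrityError(f"{name}: archive at {url} does not match pinned digest")
    return data


def demo() -> dict:
    """Run both models on the redirect scenario; report what each installer ended up with."""
    index = OpenIndex()
    index.set_url("cl-example", "https://dist.example/cl-example.tar.gz")
    # Anyone can now point the same name elsewhere; the installer has no way to notice.
    index.set_url("cl-example", "https://elsewhere.example/cl-example.tar.gz")
    got_open = install_by_name_open(index, "cl-example")

    manifest = CuratedManifest()
    manifest.publish("cl-example", "https://dist.example/cl-example.tar.gz",
                     sha256_hex(GENUINE_ARCHIVE))
    got_pinned = install_by_name_pinned(manifest, "cl-example")

    # Even if the hosting URL starts serving different bytes, the pinned check catches it.
    FAKE_NETWORK["https://dist.example/cl-example.tar.gz"] = SUBSTITUTED_ARCHIVE
    try:
        install_by_name_pinned(manifest, "cl-example")
        rejected = False
    except IntegrityError:
        rejected = True
    finally:
        FAKE_NETWORK["https://dist.example/cl-example.tar.gz"] = GENUINE_ARCHIVE

    return {
        "open_index_installed_substitute": got_open == SUBSTITUTED_ARCHIVE,
        "pinned_installed_genuine": got_pinned == GENUINE_ARCHIVE,
        "pinned_rejected_changed_bytes": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is where trust ends up: with the open index the user is trusting every anonymous editor, with the manifest the user is trusting one site and its committers, which is exactly the shift the mail asks for. The digest pin also covers the case where the URL itself is honest but the bytes behind it change, which a name-to-URL lookup alone cannot detect.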