freenode/#lisp - IRC Chatlog
23:42:03
zigpaw
I think I don't follow, what checksums the attacker? if he can alter the hardcoded checksum inside ql bootstrapping code he can already change anything.
23:43:06
Xach
I have a setup that is nearly ready to be deployed that works like this: download bootstrap via https, bootstrap code verifies fetched client code via openpgp, client code verifies indexes via openpgp, indexes include digests to verify further downloads.
23:48:20
zigpaw
As long as someone can curl/wget the bootstrap code via https, openpgp is even an overkill in my opinion. So congratulations :-)
23:57:29
zigpaw
they always should rely on pulling bootstrap code via https (or indirectly via https from linux/bsd distro package manager), or users should verify checksums manually - which they never do.
0:00:28
zigpaw
a separate problem of sorts, esp. with the history of computer vendors adding their own to the chain, etc. (not applicable to linux/bsd but still)
9:10:20
no-defun-allowed
might be a good time to remind people that despite the clhs being quite restrictively copyrighted you can download the CLHS for personal use, and it's only about 15MB including crappy GIF images and all 2300 HTML files
9:11:38
no-defun-allowed
it's 2mb in the targz you get from lispworks so you can do it any time you're bored or have a minute where you're thinking "what language documentation should i download today?"
9:13:43
jackdaniel
here is even better version which is not copyrighted: http://cvberry.com/tech_writings/notes/common_lisp_standard_draft.html
9:14:27
jackdaniel
you may build your own standard draft, change it, annotate it and put it on the website (also use as a pdf with bookmarks - much better to navigate than clhs directly if you ask me, I'm still sold to l1sp.org though)
9:40:28
flip214
no-defun-allowed: also, please contribute to CLUS: https://github.com/phoe/clus-data
9:51:40
ogamita
More worrying is that lisp logs at ccl have been down since login is required on freenode…
10:13:39
no-defun-allowed
If so, subseq works fine, as long as you check the string isn't shorter than your desired length.