freenode/lisp - IRC Chatlog
17:31:24
gaze___
so being able to tweak things by hand and get instantaneous feedback is just fantastic.
17:32:59
dim
about UIs, nowadays lots/most of them are on the web, so make your program a lisp image that embeds a webserver?
17:33:55
dim
gaze___: also have a look at clasp and CANDO projects where they have a Jupyter Notebook kernel for common lisp full with 3D output support
17:48:06
gaze___
you think so? I have the impression that microsoft is super good about backwards compatibility
17:48:22
gaze___
I'm sure they want to kill win32... but I sorta doubt they'll really kill it any time soon
17:50:35
gaze___
I use a program called Sonnet for doing microwave simulations... the gui is all win32 and the company is really small. Just the sheer amount of software like this that people depend on
21:01:51
jmercouris
are there any exploits in any of the common implementations? how are these handled?
21:16:38
pjb
On the other hand, we're not a prized target. Too much work for too few systems to crack…
21:22:18
sjl_
Quicklisp wants to be a one-file install, without requiring something like OpenSSL or curl be installed on the machine
21:22:52
sjl_
So the options are either 1. Implement an SSL in pure CL. 2. FFI out to some system SSL lib. 3. Not use SSL at all.
21:23:38
sjl_
I think Xach is planning on option 3, by implementing some kind of cryptographic checksum algo in pure CL (which is *much* easier than implementing full TLS) and then validating the packages downloaded to be able to tell if they've been tampered with on the way
21:24:18
sjl_
VPN doesn't help you if the "middle" in "man in the middle attack" is between your VPN endpoint and the Quicklisp servers
21:25:24
sjl_
You can also set up an HTTP proxy and tell quicklisp to use it (the quicklisp servers actually already support ssl), but last time I tried that I couldn't get it working for some reason. I can't remember why.
21:27:26
sjl_
There's also https://github.com/slime/slime/issues/286 / https://github.com/slime/slime/issues/511 which the slime people probably won't fix unless someone exploits it on their machine
21:29:00
Xach
The quicklisp installer file (quicklisp.lisp) includes an openpgp key and openpgp key signature verifier. it's used to verify fetching the rest of the client. the client includes code to check the sha256 checksum of downloaded archives.
21:29:09
sjl_
Then pay some cryptographers to audit it, etc etc. Checksumming is almost certainly *far* more practical.
21:29:17
Xach
this scheme is not deployed yet. i am still thinking about key management and expiry and stuff.
21:29:21
jmercouris
sjl_: I know about the slime issue with local attackers, but I don't see how that's even an issue really
21:29:44
sjl_
jmercouris: someone is already on your machine -> every web page running javascript ever
21:29:57
Xach
Sometimes I feel like just pushing it out and fixing problems as they come, sometimes I feel like I should test more
21:30:19
sjl_
Xach: can we volunteer to be guinea pigs by downloading a special version of quicklisp?
21:31:08
jmercouris
I don't know, it isn't my software, however I wouldn't feel comfortable making releases on such a critical piece of software without very thorough tests
21:31:57
Xach
sjl_: I did that a while ago and the results were promising, but some of the infrastructure to make it work is not set up - recent releases don't have the checksums published and signed.
21:33:51
jmercouris
sjl_: Why does OpenSSL need 550k lines of code? what is it doing that is so complex?
21:35:09
jmercouris
for example, how could one have written test suites for the exploits on intel chips?
21:43:00
Xach
There are issues involved with implementing eavesdrop-proof communication that are different from implementing signature/checksum verification.
21:43:19
Xach
Maybe it's possible and worthwhile in CL but it is not something that interests me due to my impression of the difficulty.
21:44:28
sjl_
A better comparison might be Go's TLS implementation, which is ~13k lines of code. If you're Google, you can throw money at cryptographers and security engineers to write/audit a TLS library for your language.
21:44:47
sjl_
But in a smaller community without piles of money, that's probably not going to happen.
21:45:27
sjl_
It's much, *much* easier to implement a single checksum algorithm than even a decent subset of TLS.
21:45:36
Xach
I am always on board for implementing something in CL even if it's slower or clunkier because I love to avoid FFI.
21:46:15
sjl_
Checksum is probably the wrong word. You get the initial Quicklisp installer over https, which includes Xach's public key
21:48:00
jmercouris
so the question is, if we can verify a library is what it says it is, what is the advantage of having HTTPS support?
21:49:11
Xach
In my ideal world each CL implementation would provide the right stuff to make secure connections on all supported platforms.
21:49:53
jmercouris
last question, your above statement implies some implementations provide support for secure connections
21:49:54
Xach
If all implementations that Quicklisp supports also supported secure communication, things would be done by now.
21:56:42
jgkamat
sjl_: I'm actually planning to write an exploit for that slime issue at some point, chrome has some raw TCP apis exposed to js and I want to give that a shot. I'm super busy though so not sure when I'll get a chance to work on that
21:57:24
sjl_
As long as you're nice and present it as a proof-of-concept, and don't actually exploit anyone's machine, that would be valuable.