HTTPS for Quicklisp (and a rant about package managers)

2024/07/19

I used an HTTP-to-HTTPS proxy written in Python. These steps work on Debian.

  1. Install the prerequisites:

      apt-get install python3-requests python3-http-parser python3
    
  2. Download and run the proxy:

      git clone https://software.mcgoron.com/peter/http2https
      cd http2https
      python3 http2https.py
    
  3. Load quicklisp into your Common Lisp interpreter:

      cl --load quicklisp.lisp
    
  4. Install quicklisp using the proxy:

      (quicklisp-quickstart:install :path "~/.local/quicklisp" :proxy "http://localhost:8080")
    
  5. Set quicklisp to always use the proxy:

      (setf (ql-config:config-value "proxy-url") "http://localhost:8080")
    
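The proxy the steps above rely on is a small piece of trust in its own right: Quicklisp speaks plain HTTP to it, and it is the proxy that must verify the upstream TLS certificate and refuse to be reached from anything but the local machine. The following is an added, stdlib-only illustration of what such a proxy has to do; it is not the http2https script from the repository linked above. It assumes that Quicklisp, once given a proxy-url, sends absolute-URI requests ("GET http://host/path HTTP/1.1"), that the upstream host is beta.quicklisp.org (an assumed allowlist entry; set ALLOWED_HOSTS to an empty set to forward to any host), and that the proxy binds to 127.0.0.1:8080 to match the configuration in steps 4 and 5.

```python
"""Minimal HTTP-to-HTTPS forwarding proxy (added example, standard library only).

Assumes the client sends absolute-URI requests, as an HTTP client configured
with a proxy does. Listens on loopback only and verifies the upstream
certificate chain and hostname with ssl.create_default_context().
"""
import http.client
import http.server
import ssl
from urllib.parse import urlsplit

LISTEN_HOST = "127.0.0.1"  # loopback only: never expose a plaintext proxy
LISTEN_PORT = 8080
# Assumed allowlist of upstream hosts; an empty set forwards to any host.
ALLOWED_HOSTS = {"beta.quicklisp.org"}
# Hop-by-hop headers are meaningful only per connection and must not be relayed.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "proxy-connection", "te", "trailers", "transfer-encoding", "upgrade",
}


def upgrade_url(url):
    """Map an absolute http(s) URL to (host, path) for an HTTPS request.

    Raises ValueError for relative URLs, non-HTTP schemes, unusual ports,
    and hosts outside ALLOWED_HOSTS.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("proxy requires an absolute http(s) URL: %r" % url)
    if parts.port not in (None, 80, 443):
        raise ValueError("unexpected upstream port: %r" % parts.port)
    host = parts.hostname
    if ALLOWED_HOSTS and host not in ALLOWED_HOSTS:
        raise ValueError("upstream host not allowed: %r" % host)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, path


def filter_headers(headers):
    """Return a dict of end-to-end headers, dropping hop-by-hop ones."""
    return {k: v for k, v in headers.items() if k.lower() not in HOP_BY_HOP}


class Http2HttpsHandler(http.server.BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"
    # Default context loads the system CA store and checks the hostname.
    tls_context = ssl.create_default_context()

    def do_GET(self):
        try:
            host, path = upgrade_url(self.path)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        conn = http.client.HTTPSConnection(
            host, 443, context=self.tls_context, timeout=30)
        try:
            headers = filter_headers(self.headers)
            headers["Host"] = host
            conn.request("GET", path, headers=headers)
            resp = conn.getresponse()
            body = resp.read()
        except (OSError, http.client.HTTPException) as exc:
            # ssl.SSLError is an OSError: a failed certificate check ends here
            self.send_error(502, "upstream failure: %s" % exc)
            return
        finally:
            conn.close()
        self.send_response(resp.status, resp.reason)
        for name, value in resp.getheaders():
            if name.lower() not in HOP_BY_HOP and name.lower() != "content-length":
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def main():
    server = http.server.HTTPServer((LISTEN_HOST, LISTEN_PORT), Http2HttpsHandler)
    print("http2https listening on http://%s:%d" % (LISTEN_HOST, LISTEN_PORT))
    server.serve_forever()


if __name__ == "__main__":
    main()
```

Run it in place of step 2 and the remaining steps are unchanged. The two checks worth keeping whatever script you use are that the listener is bound to loopback and that the upstream connection uses a verifying TLS context; a proxy that skips either one turns "HTTPS for Quicklisp" back into plain HTTP with extra steps.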

c programmer yells at package managers

Why does every programming language need its own package manager? The best part about Linux is centralized software management, which is a breath of fresh air from the Windows model (every piece of software handles itself).

Now I need to know and trust pip and rustup and cargo and julia Pkg and whatever flavor of the month Javascript package manager is hot right now.

Not only do these package managers ruin the concept of unified package management, they also suck. Now I have to worry about packages disappearing or becoming malware, if they weren’t so in the first place.

Debian has maintainers that have some scrutiny, and updates are tested before they are pushed to stable. It’s not just some guy with code on Github. Debian has package signing and repository versions. Quicklisp doesn’t even support HTTPS, much less cryptographic signatures. I don’t even know if it checks hashes. (Quicklisp, to its credit, does release things in versions.)

Copying code off of random people on Github is like picking up abandoned crap left outside.[1] You have no idea what’s been done to it. Nobody knows what’s been done to it. If something goes wrong with it, you are on your own. It could be useful, or it could be moldy and infested with cockroaches. As XKCD put it, “our entire field is bad at what we do, and if you rely on us, everyone will die.”

Package management is a must for modern development. I need to be able to run software that has different versions of a package, install packages without manually installing the correct dependencies, and update software without it breaking. These package managers do this with a structure made up of duct tape, bubblegum, and prayers.

I guess if security is an issue, we can always use Docker.


[1] Given that I just told you to run some random Python script I whipped together in an hour, this statement is pretty rich. (It’s still a true statement.) The script is pretty short, though, so you should be able to verify for yourself that I am not trying to steal your credit card information or snoop on your webcam.