Downloads and installs an ASDF or a MK:DEFSYSTEM system, or anything else that looks convincingly like one. It updates the ASDF:*CENTRAL-REGISTRY* symlinks for all the toplevel .asd files it contains, and it also calls MK:ADD-REGISTRY-LOCATION for the appropriate directories for MK:DEFSYSTEM.
Please read this file before use. In particular, this is an automatic tool that downloads and compiles stuff it finds on the internet. Please look at the SECURITY section and be sure you understand the implications.
This can be used either from within a CL implementation:
cl-prompt> (load "/path/to/load-asdf-install.lisp")
cl-prompt> (asdf-install:install 'xlunit) ; for example
With SBCL you can also use the standalone command `sbcl-asdf-install' from the shell:
$ sbcl-asdf-install xlunit
Each argument may be:
 - The name of a cliki page. asdf-install visits that page and finds the download location from the `:(package)' tag, usually rendered as "Download ASDF package from ..."
 - A URL, which is downloaded directly
 - A local tar.gz file, which is installed
When you invoke asdf-install, you are asking your CL implementation to download, compile, and install software from some random site on the web. Given that it's indirected through a page on CLiki, any malicious third party doesn't even need to hack the distribution server to replace the package with something else: he can just edit the link.
For this reason, we encourage package providers to crypto-sign their packages (see details at the URL in the PACKAGE CREATION section) and users to check the signatures. asdf-install has three levels of automatic signature checking: "on", "off" and "unknown sites", which can be set using the configuration variables described in CUSTOMIZATION below. The default is "unknown sites", which will expect a GPG signature on all downloads except those from presumed-good sites. The current default presumed-good sites are CCLAN nodes and two web sites run by SBCL maintainers; again, see below for customization details.
If the file $HOME/.asdf-install exists, it is loaded. This can be used to override the default values of exported special variables. Presently these are:
*proxy* - defaults to $http_proxy environment variable
*cclan-mirror* - preferred/nearest CCLAN node. See the list at http://ww.telent.net/cclan-choose-mirror
*asdf-install-dirs* - Set from ASDF_INSTALL_DIR environment variable. If you are running SBCL, then *asdf-install-dirs* may be set from the environment variable SBCL_HOME, which should already be correct for whatever SBCL is running, if it's been installed correctly. This is done for backward compatibility with SBCL installations.
*SBCL-HOME* - This is actually a symbol macro for *asdf-install-dirs*
*verify-gpg-signatures* - Verify GPG signatures for the downloaded packages? NIL - no, T - yes, :unknown-locations - only for URLs which aren't in CCLAN and don't begin with one of the prefixes in *safe-url-prefixes*
*locations* - Possible places in the filesystem to install packages into. See default value for format
*safe-url-prefixes* - List of locations for which GPG signature checking won't be done when *verify-gpg-signatures* is :unknown-locations
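The three checking levels and the prefix exemption described above, modelled as an added example (this is not asdf-install's own code). The package, `begins-with-p`, `signature-required-p`, `show-policy`, `*cclan-prefix*` and all URLs are constructed for illustration; it assumes "begin with" means a plain string comparison and that CCLAN membership can be modelled as one URL prefix.

```lisp
;;; Added illustration: stand-alone model of asdf-install's checking levels.
;;; Every name in this package is a stand-in, not asdf-install's own symbol.
(defpackage :sig-policy-demo (:use :cl))
(in-package :sig-policy-demo)

;; One of NIL, T or :UNKNOWN-LOCATIONS, as documented above.
(defvar *verify-gpg-signatures* :unknown-locations)
;; Constructed value, deliberately written without a trailing slash.
(defvar *safe-url-prefixes* '("http://trusted.example"))
;; Assumption: CCLAN membership is modelled as a single URL prefix.
(defvar *cclan-prefix* "http://cclan.example/")

(defun begins-with-p (prefix url)
  "True when URL starts with PREFIX, compared as plain strings."
  (let ((m (mismatch prefix url)))
    (or (null m) (>= m (length prefix)))))

(defun signature-required-p (url)
  "Hypothetical helper: does the current level demand a signature for URL?"
  (ecase *verify-gpg-signatures*
    ((nil) nil)                         ; "off": never check
    ((t) t)                             ; "on": always check
    (:unknown-locations                 ; default: exempt presumed-good sites
     (notany (lambda (prefix) (begins-with-p prefix url))
             (cons *cclan-prefix* *safe-url-prefixes*)))))

(defun show-policy ()
  (dolist (mode '(nil :unknown-locations t))
    (let ((*verify-gpg-signatures* mode))
      (dolist (url '("http://cclan.example/pkg.tar.gz"
                     "http://trusted.example/pkg.tar.gz"
                     ;; Different host that still begins with the prefix.
                     "http://trusted.example.other.test/pkg.tar.gz"
                     "http://elsewhere.example/pkg.tar.gz"))
        (format t "~&~20S ~46A signature ~:[skipped~;required~]~%"
                mode url (signature-required-p url))))))

(show-policy)
```

In this model, under :unknown-locations the third URL is exempted even though it names a different host, because it still begins with the slash-less prefix; ending every entry in *safe-url-prefixes* with "/" avoids that. Setting *verify-gpg-signatures* to T in $HOME/.asdf-install takes the exemption list out of the decision altogether.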
If you want to create your own packages that can be installed using this loader, see the "Making your package downloadable..." section at http://www.cliki.net/asdf-install
Listen very carefully: I will say this only as often as it appears to be necessary to say it. asdf-install is not a good example of how to write a URL parser, HTTP client, or anything else, really. Well-written extensible and robust URL parsers, HTTP clients, FTP clients, etc would definitely be nice things to have, but it would be nicer to have them in CCLAN where anyone can use them - after having downloaded them with asdf-install - than in SBCL contrib where they're restricted to SBCL users and can only be updated once a month via SBCL developers. This is a bootstrap tool, and as such, will tend to resist changes that make it longer or dependent on more other packages, unless they also add to its usefulness for bootstrapping.
GPG signature checking would be better if it actually checked against a list of "trusted to write Lisp" keys, instead of just "trusted to be who they say they are".
Nice to have: resume half-done downloads instead of starting from scratch every time. But right now we're dealing in fairly small packages, so this is not an immediate concern.